[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

November 27, 2007

Hilton Embassy Row Hotel
2015 Massachusetts Avenue, N.W.
Washington, D.C.

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway
Fairfax, Virginia 22030
(703)352-0091

TABLE OF CONTENTS


P R O C E E D I N G S [9:10 a.m.]

Agenda Item: Call to Order, Welcome and Introductions DR. COHN: Okay. Well, good morning, everyone, and happy post-Thanksgiving. Please be seated. Okay. I want to call this meeting to order. This is the first day of two days of meetings of the National Committee on Vital and Health Statistics. The National Committee is a statutory public advisory committee to the U.S. Department of Health and Human Services on national health information policy. I am Simon Cohn. I’m Associate Executive Director for Kaiser Permanente and Chair of the Committee. I also want to welcome Committee members, HHS staff and others here in person and, of course, those calling in on the Internet. Let’s have introductions around the table and then around the room. For those on the National Committee, I would ask if you have any conflicts of interest related to any issues coming before us today, would you so please publicly indicate during your introduction. I want to begin by observing that I have no conflicts of interest. Marjorie? (Introductions around the room) MS. GREENBERG: Good morning. I’m Marjorie Greenberg from the National Center for Health Statistics and Executive Secretary to the Committee. DR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine, member of the Committee, no conflicts. DR. WARREN: Judy Warren, University of Kansas School of Nursing, member of the Committee, no conflicts. MR. REYNOLDS: Harry Reynolds, Blue Cross/Blue Shield, North Carolina, member of the Committee, no conflicts. MR. HOUSTON: Good morning, John Houston, University of Pittsburgh Medical Center and a member of the Committee, and I don’t have any conflicts. DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the Committee, no conflicts. MR. LAND: Garland Land with NAPHSIS, member of the Committee, no conflicts. DR. WILLIAM SCANLON: Bill Scanlon, Health Policy R&D, member of the Committee, no conflicts. DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the Committee and no conflicts. DR. FRANCIS: Leslie Francis, University of Utah, member of the Committee and no conflicts. DR. GREEN: Larry Green, University of Colorado, no conflicts. DR. STEUERLE: Gene Steuerle, Urban Institute, member of the Committee, no conflicts. DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Research and Quality, staff of the Subcommittee on Standards and Security, liaison to the Full Committee. MR. BLAIR: Jeff Blair, Lovelace Clinic Foundation, member of the Committee, no conflicts. DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, liaison to the Full Committee. DR. SCANLON: Jim Scanlon, HHS, Office of Clinical Evaluation, Executive Staff Director for the Full Committee. DR. HORLICK: Gail Horlick, Center for Disease Control and Prevention, staff to the Subcommittee on Privacy and Confidentiality. MS. KAHN: Hettie Kahn, National Center for Health Statistics, CDC, staff to the Subcommittee on Privacy and Confidentiality. MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC, Committee staff. DR. HEFFERNAN: Henry Heffernan, NIH. DR. MCANDREW: Sue McAndrew, Office for Civil Rights. DR. FRIEDMAN: Maria Friedman, RX Hub. DR. RAYBURN: John Rayburn, Healthcare Leadership Council. MS. GRANT: Erin Grant, Booze Allen Hamilton. MS. DEWIRE: Sheila Dewire, American Ophametric Association. MS. JONES: Katherine Jones, CDC, National Center for Health Statistics. MS. BENNING: Denise Benning, Office of eHealth Standards and Services, CMS and lead staff to the Subcommittee on Standards and Security. DR. RODY: Dan Rody, American Health Information Management Association. MS. AMATAYAKUL: Margret Amatayakul, Contractor to the Ad Hoc Workgroup. DR. COHN: Okay, well, welcome, everyone. Before we move into the agenda review, I want to make a couple of opening comments. First of all, I do want to apologize to a number of you, and I actually share, I think, in some of the angst. I know that because of the holiday weekend this past weekend, many of you received your agenda books very late or, in some cases, not at all. So we do want to apologize for that. I think the good news is that the action item for today was actually emailed out a week before. So everyone has that and obviously has had time to consider it. I guess there are some extra agenda books if people, I know, for example, Paul Tang doesn’t have one either, and surely if others don’t have one, we have copies for you. Obviously, what we will do is to redouble our efforts to make sure these things get out in time. This was actually in time. It’s just that with the holiday week and offices being closed, I know that mine was sequestered somewhere in my administrative suites, but not anywhere close to me, unfortunately. I will comment that we will also take particular care for the February meeting because I was just noting that the February meeting also occurs right after a holiday weekend. And so we’ll just make sure to get these things out in time so that we aren’t at risk for not having people have it. Anyway, we will deal with that and make sure it doesn’t happen again. But beyond that, I actually do want to sort of begin by congratulating everybody on I think what’s been a very productive 2007, assuming, of course, you make it through the meeting today. From my view, it’s certainly hard to believe that we are at the last meeting of the year. Certainly so far this year, as I look at our work, we’ve been advising HHS and exceptionally on I think a variety of what I would describe as important and timely health information policy issues. And we reflect on them, I think we should be proud. In terms of HIPAA and HIPAA transaction, we sent letters and held hearings and advised on both the NPI which we’ll continue to monitor as well as the issue of moving to a more stable update process for the administrative and financial transactions, and I think you will remember the letter at the last meeting which talked about moving to a 5010 transaction. So I think, once again, moving forward and beginning to institutionalize the HIPAA update process now that we are ten years into HIPAA, five years into the actual implementation for administrative and financial transactions. Now our Quality Workgroup has held hearings and came out with a report at the last meeting looking at the issue of quality measurement in what I would describe as a time of transition and recommending approaches that deal with both clinical and administrative data, and I think we’ll be looking at the best way to get that out into the public hopefully over the course of the meeting today and over the next couple of weeks so that actually does get published and out. Privacy and Confidentiality has had two letters and has been obviously monitoring HIPAA privacy and confidentiality, and we’ll obviously be talking about the work that they’ve been doing on individual control, sensitive health information, accessible by the NHIN, Paul Tang’s term from the letter, which is, I think, an improvement over the previous title. Populations and Don will actually be showing up, I think, around noon. We received an email from him that he just returned from Budapest about midnight last night. No comment. But certainly this year they developed a letter on data linkages and federal databases and have obviously been doing more work planning for 2008, and we’ll look forward to sort of seeing where they are on that later on at this meeting. Now finally, and we will be discussing this at length today and potentially tomorrow, is a report that we’re bringing forward for action at this meeting being brought forward by the Ad Hoc Workgroup on Uses of Health Information, a report on enhanced protections for uses of health data. As I look at this altogether, it actually speaks of a fair amount of work and advising that we’ve been doing for the Secretary and for HHS this year, and obviously from my view we have a lot to look forward and probably we will get busier as we move into 2008. I should comment, and this is just reflecting on previous work that we’ve done, and I think Karen will eventually arrive and I know she’s been delayed at this point, will be, I think, also commenting on this one. CMS recently has announced that the ePrescribing standards that we were all involved with helping the Secretary and CMS identify for piloting are now at a stage where they’re moving into actual regulation, and I think that that’s an exciting development. Obviously, I think that we should be pleased to have been part of the effort to identify those standards. I think we do have to step back for a moment and realize that standards are critical and necessary, but probably not necessarily fully sufficient in the sense of more needs to be done to move ePrescribing forward. But certainly I think without the standards, we run the risk of basically stovepipe implementations, lack of interoperability, and I think we’ve done an exceptional job of providing that foundation, and it’s nice to see that work beginning to come to fruition. I should also remind you of the fact that some of our other previous work, and I’m thinking of the NHIN privacy and confidentiality letter from last year as well as our work on functional requirements continues to be appreciated and used within HHS, was referenced by the Office of the National Coordinator in their recent request for proposals, and I know John Loontz will be talking about that tomorrow in terms of efforts. Jeff Blair, I know, is involved in one of those efforts in New Mexico. But once again, these documents and, I think, our thinking is being referenced and utilized by HHS. So the hard work at the end of the day is worth it, and it is making an impact. Today, we will be spending, as I’ve commented, considerable time talking about the work of the Workgroup on Uses of Health Information that is being brought forward by consideration. This work is undertaken at the request of the Department and the Office of the National Coordinator. Specifically, the work involves developing an overall conceptual and policy framework to balance risk, benefits, obligations and protections of various uses of health data. From there, the work also develops recommendations to HHS on needs for additional policy, guidance, regulation and public education related to expanded uses of health information in the context of developing nationwide health information network. And, of course, I think as all of you will remember, this was done in the context with particular, I guess, emphasis or attention on uses of health data for quality measurement, reporting and improvement. We brought this up earlier in June as work to be started. I want to thank obviously all of you – I mean, everyone who’s been involved which has been most of the Committee in one way or another. We held eight days of hearings. I want us to take a moment and sort of signal basically both Harry and Justine as having as the co-vice chairs as being critical – I think we should give them a round of applause for their efforts. [Applause] DR. COHN: For what’s been really, I think, a Herculean effort in a very short time span. Now I think we all see this as sort of phase one of this effort, and we’ll talk through today and tomorrow. But there will be – well, there are additional issues that I think we recognize that we have not – that need further investigation. Oh, yes, well, we’ll get to Margret A in just a second. We haven’t even voted on this thing yet. So, well, okay, I will turn around and I think we just need to acknowledge Margret A. without whom we would not be where we are with a document at this stage. We’ll give her a round of applause. [Applause] DR. COHN: Now I have someone to thank, Paul Tang, both for his participation on the Committee as well as his most recent editing, and you’ll see some of the fruits of that effort as we go further today. But also Bill Scanlon, Marc Overhage who’ll be calling in late on, Mark Rothstein and Kevin Vigilante. Kevin will also be calling in today, had to go out of town, I think, on some urgent business. I obviously want to thank you all for spending a very busy and productive summer and fall. I don’t think we’re in quite winter yet, on this activity, and I think once again we’ve come up with, I think, a document we can be proud of. I also should mention our liaison representatives and support. I know Steve Steindel, Mary Jo were involved, and I guess there’s a whole list actually, Mike Fitzmaurice, Debbie Jackson, people from Booz-Allen, including Erin Grant and Christine Martin Anderson who I don’t think is here today, and I’m sure I’m missing a variety of other people here. But let’s give them – we’ll reflect on them because they’re all listed in the back of the document. But once again, I think we really want to thank everybody for I think what’s been a fairly sustained and focused effort. Obviously, I mentioned this both because I think we should be proud of the effort. Hopefully, as I said, as we look at it, we will think this document is worthy of being thoughtful word and being able to accept during our session today and tomorrow. I also mentioned to you both because as an example of flexibility of the Committee, and I think we’ve talked about that over the years of way that we can rapidly mobilize to do something of importance for the department, and I think this is a good example. It’s also an example of ways that we can bring together, I think, a really unique competencies around population health, privacy and confidentiality standards and quality in sort of a rapid fashion to really sort of leverage all of the expertise that we have in the NCVHS. Now with that, let me move on to the agenda review, and I think I’ve got it right here. This morning, we begin with Jim Scanlon, our Executive Director, who will be talking both about department update as well as, I think, reflecting some on the transition as we move into the end of the terms for a number of the Committee members, and I think he’ll be talking about next steps on that. Now Karen Trudel is next on the agenda, but I think she’s been detained, and we will either squeeze her in today or tomorrow sometime as is appropriate and works for her and the schedule of the Committee. Following the morning break, we will begin a discussion of the report that I’ve just been discussing at length, and obviously this will be bought forward as an action item for this meeting. Now I should comment, and I’ll mention this again when we get into the document, I think the ground rules for that conversation will be that we obviously gratefully accept wordsmithing, but would prefer to be done off line. However, there is obviously a line between wordsmithing and content, and what we want to do is to make sure that we are surfacing and reconciling any content issues we have with all of this. And so, as we go through it from section to section, once again, I mean, Margret, I, Justine, Harry will take wordsmithing things off line. But if you think you have an issue or concern about how this is worded that bears on content, we do really need to surface that today. Now after lunch we will be probably continuing for a little bit on the report, and from there then moving into the discussion of the privacy and confidentiality document on individual control, sensitive health information which will be more of a discussion item being brought forward to help advise the Subcommittee in their meetings from four to six this afternoon and hopefully will come forward as an action item for our February meeting. At three o’clock, we are pleased to have a briefing on an invitational meeting sponsored by the Robert Graham Center which was on harmonizing primary care standards. This was supported by ARC. Larry Green was one of the – was described as principals on this, and I think you’re the one actually putting together the various discussions and producing the document. I did notice I think you’re not presenting, however. You preferred not to present. But I’m sure Larry will be making comments. We have Bob Phillips and Michael Klinkman presenting to give us sort of an overview of that work because I think it is germaine and relevant to the work of the Full Committee. I should also mention that Marjorie presented there, and obviously we want to thank you for presenting the National Committee at that session. Before our break outs, we will discuss plans for Wednesday. I do, however, want to remind everybody that we are scheduled to adjourn at 2:45 tomorrow – actually three, somewhere between 2:45 and 3:00 tomorrow, so just to keep that in mind as you make your travel plans and other plans for tomorrow. Now with that, why don’t I – oh, actually, yes, we do have a dinner. That was actually going to be my final comment. We have a dinner tonight which is going to be about 6:30 at a place called Lauriol Plaza which I actually know where it is, although I don’t exactly know how to walk from here to there. But I am told it’s five to six blocks away. So either it’s a short cab ride or a nice walk which we’ll probably need by about six o’clock this evening. It is sort of Central American and Mexican cuisine as how best I would describe it both having looked at the menu and actually it was highly recommended by our staff, and I think they’ve been very good so far, I mean, with some of the other restaurants we’ve gone to over the last while. Anyway, that’s the plan for the evening. I think we do need a number from the Committee of those who would likely be joining us for dinner. Maybe at this point we’ll just have you raise your hand if you’re interested in coming and staff obviously also. Okay, okay, well, with all of that being handled at this point, let me turn it over to Jim Scanlon for a department update. And Jim, thank you. Agenda Item: Department Update – Data Council DR. J. SCANLON: Thank you, Simon and good morning, everyone. Let me say I want to update the Committee on a couple developments that have occurred since we met in September, and they deal with sort of the policy priorities, legislative developments, where we are with our budget which kind of affects all of our planning and projects, and then I’ll talk a little bit about our transition in terms of new members for the next few months. So let me start. I think I’ve left out your place, and I’m not going to go through these. But is this working all right? Is that better? At any rate, I’ve left before you at your places and I’m not going to go through this, the revised HHS priorities for – these are really policy priorities. They’re nine areas ranging from health insurance coverage, value driven healthcare information technology, personalized health care prevention and preparedness. Again, these are the nine priorities that the leadership of the department is spending most of its time on and probably for the remainder of this term as well, these are the areas that will get most attention. And I think you’ll see that virtually every one of them is reliant both on data and on information technology and health information technology, and one of them involves health information technology per se, the Secretary’s initiative. I’ve also left before you the update of the department’s strategic plan. This was just went through all of the review process and is now on the web. So it’s official. Basically, four overall goals, and you’ll see a number of objectives. This is the strategic plan for the next five years. And, again, these are at the policy and strategic plan level. These are the activities that will be receiving the attention of agency heads and HHS leadership in the months ahead. That’s not to diminish all of the other activities that HHS carries out in terms of program operations, but in terms of new policy and new areas, these are the ones that will receive the Secretary’s attention. And, again, I think much of what the NCVHS is involved in supports these either directly in the health IT area and indirectly in terms of data and other areas. On the legislative front, there are – I think everyone thought we might have some further developments. This will be a short report. There were several health IT bills, as you know, introduced and being considered in the 110th Congress. An example was the Wired for Health Care Act in the Senate which would codify the Office of the National Coordinator, the AHIC and a public/private partnership, and it would establish a number of grant and loan programs. There are a number of privacy concerns have been raised, as you’re aware of. There are other bills as well. I don’t think anyone expects that anything will occur between now and the end of the first session, but HIT would be expected to be a priority in the second session of the 110th Congress. Similarly, on the budget, again we were hoping that we would have a full budget for Fiscal Year ’08 and I could talk a little bit about priorities and plans and where we were with investments. But at the moment we have a continuing resolution through the middle of December. So our rules basically are that we have to spend no more than at a pro rated basis as we did last year. So we can’t really start any new projects, and the picture is still somewhat murky in terms of what the actual amounts will be for health IT as well as for some of our population health data. I think we’re all hoping that we’ll have a level of resources at least at the ’07 level and even some breathing room for new activities. But we just won’t know and possibly won’t know until February as last year. So we just have to proceed week to week and month to month. Our Data Council actually has been reviewing where we are, what will be the budget impact on our Fiscal Year ’08 statistical activities and health IT activities. But again, we’re sort of looking at various contingencies depending on where the budget levels come out. But we, again, it’s a little difficult without some finality to the budget to know where we’re coming out. And on the ’09 budget is under development, and the budget proposal for ’09 is being developed now. And, again, the Data Council has taken a very active role there. It has looked at all of the proposals that the agencies are putting forward relating to health IT and statistics and the population data and actually made some recommendations to fill in gaps and keep everything on it sound and sound footing. But again, basically it’s a question mark until we get a budget for the remainder of the year. There are some specific activities I wanted to bring to the Committee’s attention. The Data Council in December will be looking at several assessments on follow up on Hurricane Katrina evacuees. We have a study that HHS has supported at Harvard Medical School that’s following – this is Ron Kessler’s study. They’re following up a sample of Katrina evacuees over a long period of time. Ron will be briefing the Data Council on where things stand there with that group. We have some other studies that our agencies have done and others have done looking at where are we almost two years later. And similarly, the Data Council had a previous meeting in November, looked at and is continuing to look at what are the capabilities of our agencies for state and local data. This comes up particularly in the context of state health reform, you know, a number of states are coming forward with their own health reform programs. Many of them have approached HHS for data and assistance. So we’re looking at what capabilities we have and, again, we’re looking at gaps and where we might put some resources when they become available hopefully this year. And a couple other things I wanted to follow up on. You’ll remember that we had a workshop at the National Center for Health Statistics earlier this year, and we were looking at what is the potential of electronic health records for in this case it was public health statistics. And, again, this falls into the secondary uses category broadly. But here, we were looking specifically at what is the current penetration and capability of electronic health records in health care settings that might provide a basis for at least partially supporting the national statistics and state and local statistics. And I think we found that the penetration at the moment at any rate was too low and not systematic enough in terms of EHR adoption to support national sampling. On the other hand, there were clearly instances of deep and rich electronic health record information. So the question came up, well, how can we move forward in this area. I think the thinking was, and several of you were there obviously, we might proceed with some pilots where such systems did exist and sort of model through how would we use that kind of information, what would be the options when the adoption is on a broader scale. So we’re thinking of what exactly could we look at in ’08. The National Library of Medicine has offered some of its grantees as a possibility. Obviously, around the table several of your organizations have well established electronic health record systems that could help here as well. But we’re open to some ideas as a follow up. I think I mentioned at the last meeting some of the projects we just started at the end of the last fiscal year. A survey of preparedness in emergency departments. We’re doing this through the National Center for Health Statistics Emergency Department Survey. I think I mentioned that we had just begun just really at the end of September an evaluation or assessment of electronic personal health records in Medicare pilots both on the fee for service side and in a project with ARC on the health plan side. So these are just getting started. It took a while to get things going. So we’ll probably be asking the Committee for some advice as we move along. But, again, these are Medicare pilots, and we’re trying to do a good evaluation. We also initiated an assessment of the health IT capabilities and information exchange in the health safety net, particularly the Community Health Centers and primary care, and that’s now got started as well. We are thinking of some new possibilities. Agencies have approached us. Others have approached us both on the population side and the health IT side. I’ll mention these only with the caveat that obviously the resources would have to be available for us to undertake any of these. But one request we received is that we look at the capability available to HHS for modeling health and human services modeling. As you know, we support several models at HHS where we contract for models. There are not many of them, but I think we – the issue’s come up, and we thought we might, if possible resources available, we’d look at what’s the current capabilities state of the art, and where would we want to go. Secondly, this is very interesting. You recall that the Secretary announced within the month a planned demonstration program of electronic health records in an ambulatory setting, and this is projected. It would be a five-year demo. I think the Secretary announced it at the AHIC and other places as well. We’ve been asked, my office particularly, has been asked to assist with an evaluation of sort of the valuation site of that demo. So we’re working with CMS and others now in terms of what the possibilities might be. We’re also thinking of revisiting the state of the art in how you measure the health and economic impact of illness. You’re all familiar with all of the studies that have been done. Folks take one diagnosis whether it’s heart disease or cancer and then try to look at what the economic and the health impact on society and the economy is. They often tend to amount to so much that they almost approach the gross national product each one of them. So that’s obviously not when you look across those, and I think our interest is not on individual disorders. It’s looking at across what’s the total burden and impact on society and the economy. I think we’re going to try to look at what’s the current state of the art, and is there a way of looking across these in an integrative way and trying to get it within some control measures in terms of national health accounts and other areas so we really understand in a more realistic way what the burden might be. We have another interesting project that we were approached by the VA and the VA has asked if we could help with a pilot and evaluation that would involve information exchange between the VA and veterans who are transitioning to outside the military system and the VA system and who might be going to private sector sources for health care, and could we – there are some demos already between the DOD and the VA and the Indian Health Service who are looking at transitions to the private sector as well for health information exchange. And then finally in a way related to that, we were looking at – the issue’s come up several times now. Is it possible to look at some of the electronic health record systems and repositories that people believe are available in the private sector, and is it possible to be able to use some of those for certain public health activities including drug safety monitoring. This was actually in the FDA Reauthorization Act, but in other areas as well. So this would involve, if we could again resources to begin looking in this direction, not just the public reporting systems, but in terms of the health plan and health system repositories and data resources. Is there a possible way to look at data. Folks use the term data mining. Actually, it’s somewhat different than that. But what potential do they have to provide systematic information after the drug is approved, for example, on drug safety, on some other public health issues as well. So that’s kind of where we are. It’s an ambitious plate of planning. But, again, none of this will happen until we are clear about the budget. Questions on that, and then we’ll talk a little bit about transition to new members. DR. GREEN: Jim, could you say a little more about this five-year EHR demonstration in ambulatory settings? DR. SCANLON: Well, I can say, Larry, only what the Secretary’s already announced. But this would be, and I should probably get you a good summary in the press release. But just earlier this month, Karen, you probably know more than I do. But this would be a, I think, 1200 ambulatory care practice, small and mid-size ambulatory care practices would be part of a fairly structured pilot and evaluation. There would be a comparison group. Now again, it’s not clear what capabilities the ambulatory care office would have to have. Obviously, some sort of EHR capability. But the look would be what are the – can you compare ambulatory care offices with EHRs to a comparison group. Can you measure improvements in quality and outcomes and probably efficiencies as well. I think it’s envisioned as a five-year pilot, fairly large as pilots go, and there is some an evaluation site at any rate. There would be some fairly structured evaluation so that we knew what measures we were trying to look at, what measures we were trying to influence, and have sufficient size so that we could detect differences. It’s only in the planning stages as I recall. It probably wouldn’t get started and there wouldn’t be much more detail til the spring. And, again, obviously this is a budget issue as well. But it would be within the context of the Medicare demo program, and I can provide the Committee with a little – with as much as we have on it so far. DR. FRANCIS: I had a question about state initiatives. As I understand it, there are a number of states on Massachusetts, Maine, I think, is the leader in this, that have been trying to get cost data – actual cost data so people can compare in state level reforms, and they haven’t been able to get CMS data. I may be wrong about that. But they can only get private care data. DR. SCANLON: Well, I think that the issue may be physician specific data, and that’s still, as you know, in the courts. Some states require in their states that individual physician specific information be available and posted. That was challenged in the courts. And now I’m not a lawyer, but as I understand it now, it is still in the courts and under appeal whether or not that information could be made available. CMS was approached to make that data available, but again it was challenged in the courts. And I just don’t have – we don’t have any way of predicting how that will come out. But obviously that would be a critical part. I mean obviously institutional care, you know, quality measures and cost measures for institutional care are important. That’s where most of the money goes. But this would be the ambulatory side. And if this information – and this is part of the Secretary’s value driven health initiative as well, you know, the assumption that if folks, decision makers knew what the quality and cost options and outcomes were, they could make more informed decisions. But we’re in the courts at the moment. Marjorie. MS. GREENBERG: Thank you, Jim. So many interesting things that we could have a second advisory committee of things and work on some of them, not that I’m volunteering you all. But particularly since Don is not here yet, I can certainly volunteer him. I was really interested in the study you mentioned on the economic impact of illness, and I assume disability as well. Would that be included for CDC and NHS in particular have done quite a bit of work related to burden of disease and summary measures and all of that. And I think that I assume you are going to have a population focus on that. DR. SCANLON: Exactly. MS. GREENBERG: So that would, I think, really – I know the Population Subcommittee has a list of things that it’s looking at for the future. But I would really encourage you to involve them and discuss it with them. DR. SCANLON: Oh, absolutely. And I think we’re trying to – we’ll start out as we normally do with kind of what’s literature review and state of the art and what are people doing now. But from what I gather, and I’m not an expert here, the cost of illness and burden of illness state of the art have gotten to a point where it was largely disease specific, and everyone approached it in a certain way, and it was actually the way that Dorothy Rice sort of got started in the ‘70s. So we’re a little – and we’re looking more at a comparative approach as well and how does it fit into at least in the cost side of – how does it fit into a national health account, or when you control for what you think the total expenditures are, how does it all come out. And we’d actually like – I think we’d actually like to look at what are we getting out of the inputs as well, but that may be the next step. DR. STEUERLE: Just to add on to Marjorie’s comment, it seems to me that the Population Subcommittee is very interested, as you know, in integrated data sets and the accommodation of social security record which would give you earnings background of the person combined with Medicare records combined with DI records would be a tremendous source of information for examining not only sort of in the broad sense what’s going on. But to the extent you could do it and you could follow what I consider one of the really big issues which is sort of these – I’m sure it’s disease specific, but it’s almost like issue specific movements. Like all of a sudden, you see huge amounts of money moving into some particular type of health care. You know, who’s actually getting it. You know, I think an integrated data set could give you tremendous leverage in answering those questions. DR. SCANLON: And there is other work – and, again, we just don’t know. There’s been talk about this for quite a while now. But the department, HHS mostly, has asked the National Academy of Sciences to put together a panel to look at – you’ve heard this before, national health accounts. And what this tries to do in economic terms, Gene, this is familiar to you, and other sectors do this. You can literally try to analyze the sectors so that you can see what the inputs to that activity are, and what the outputs are, and now again it’s often reduced to dollar terms, but it doesn’t have to be, and then actually look at sort of what’s going in and what input’s connected with that output. Tremendous data needs, as you can imagine, in this area, but there is at least a group looking at that now, and we’ll see how far they get. Then again I’m going to focus on process. Obviously, we’re not discussing individual members or cases or anything like this. But as you all know, as of December we have – my count was about, we will have six members, and I might even be short there, whose terms will expire of the Full Committee. Now we will ask you all, and there is within the department the process has been underway for a little while now to find new members, and a package will be making its way to the Secretary – seven. So we will and process wise we will be asking all of you to – we have the authority to extend to all of you whose term’s expiring for six months which would take us through June, I believe. So I think we will be asking all of you if you’re willing to – beginning of June – to see what the exact date was – to stay with the Committee until then probably another couple months during the transition. We’ve gotten some good nominations for new members. But again it’s hard to predict what the outcome will be. Sometimes in the process of proposing members, other names come up. In general, the Secretary has followed our recommendations. But we’ve certainly had other names introduced. The department always looks at geographic diversity and other diversity. So it’s a little hard to predict what the outcome will be. But we do have some good nominees. It just takes a while to get this through the process. So I think, number one, we’ll hope you’ll be willing to stay on beyond that term for probably until June, it would be. And if individuals have any questions, please see Marjorie or me as well. In terms of reappointments, the department generally doesn’t make routine reappointments. I think we found that out the last couple times, though just as a rule they want to give most folks the chance to serve. So we always provide the full slate of current members when we submit the package to the Secretary, but probably can’t routinely make reappointments. It just generally doesn’t happen. So process wise, I think that’s kind of where we stand. Marjorie, want to add anything more? MS. GREENBERG: Well, just that, you know, first of all, if you’re not willing to serve through June 1st let us know. I think we probably already submitted – yes, we have. But you know, you’re not required to. In summary, unfortunately we cannot extend you beyond six months. This is new in the last year or two. It used to be we could extend people until they were replaced. So that means we really need to get going on the nomination packages so that we won’t have a period in which we don’t have any members, you know, or don’t have half of our members which because we won’t be meeting in June until after all these positions, these terms expire. As you also probably realize, we will be needing to look for a new chair as well. So we’d welcome – we attempted a lifetime appointment for Simon. He’s as close as we’ve ever come. But even that won’t fly. So we’d welcome, you know, your suggestions of either current or other members or others who might be able to step into those big shoes. And if you are really interested in serving another term, even though as Jim said we can’t guarantee it and we know we couldn’t reappoint everybody, you should let one of us know. And then if you think of people who are – know of people who you think would be good members, I think you’re probably the best judge of that, having seen what it was like to serve. And just one other thing. As you’re all meeting as subcommittees and workgroups over the next two days, particularly as you identify your work plans for the next few years, if you see certain areas of expertise just even coming out of what we’ve talked about this morning but really you see that you’re lacking or will lack when somebody goes off the Committee, let us know that, too. DR. COHN: And I guess I should sort of jump in on this one. Obviously, I asked Jim and Marjorie to talk about this a little bit just because I was getting a lot of questions like what happens. So at least now you know what you’re going to be doing for the next six or eight months. I will be mobilizing the Executive Subcommittee to begin to sort of have conversations around what are described as transition planning, and obviously the intent here is to make sure that as we move into new members and the transition that the Committee remains vital, strong and active and the traditions continue. So we’ll be asking for their assistance and help on that as well as if all of you have ideas about how we can best ensure that since there’s going to be, as I said, a thoroughly – yeah, there’s going to be a lot of members sort of transitioning over a relatively short period of time. I would also, I think, ask the Subcommittee and workgroups, and we’ll talk about it as you meet in your workgroups and subcommittees, as you begin to look at your work plans over the next while to sort of judge what you think you can get done over the next February and maybe a little beyond with the idea being that it probably isn’t a very nice thing to do to be in the middle of a project, bring a finished report to a group that hasn’t been part of the report generation. And so everyone just needs to be mindful of that sort of process step as we go forward. Now John Paul, I see you have a question. MR. HOUSTON: I do have a question. When, in June is the timing for reappointment. MS. GREENBERG: Well, right now I think all these appointments end on December 1st. So we can, you know, a few days from now. So that’s why we’ve already processed the extensions. But that means we can only extend people who haven’t been reappointed for a maximum of 180 days, I believe. MR. HOUSTON: The reason why I bring that up is that we have future meetings on February 21 and then June 17 and 18 which means they fall outside of – MS. GREENBERG: June 17and 18 is already past that time. Now is it possible that we could get an exception for just that meeting, or we could certainly bring chairs maybe back, you know, in their private capacity. We’ve done that before if a report or something is going to be presented. So we have ways to bring people in. But I think they probably would not be voting members unless we were actually able to extend people’s date of that meeting. I mean, we could think of moving that meeting to the end of May, I guess. MR. HOUSTON: I’m just – practically speaking, I think there’s a number of things that need to get wrapped up. I know there are privacy letter and things like that. I mean, I assume we’re going to get that done in February, but – MS. GREENBERG: Well, February’s not a problem. MR. HOUSTON: I understand that. But I’m just thinking – MS. GREENBERG: You all are going to be extended. That’s – MR. HOUSTON: I’m verbalizing it past February because, you know, if it doesn’t get done in February, that’s really the last meeting where there’s going to be a group of people here who are coming off the committee, and I’m just MS. GREENBERG: Let us look into this issue of June 1st versus June 17th because we have always traditionally met in June, and this is a little unusual that these appointments were December 1st. Usually, they’re like June to June or something. I don’t exactly know how that is. It just happened. MR. HOUSTON: They were just assigned, I think, on those dates. MS. GREENBERG: It was after the November meeting, obviously. But so we’ll look into that. I mean, one possibility is to try to move this meeting to the end of May, the June meeting, or see if we can at least extend people through the June 17th meeting. We’ll look into that. MR. HOUSTON: Yes, I think the other thing, too, I know we want to try to finish things up. But I think probably get some collective wisdom from the people who are leaving on what the future agenda needs to be. I know in privacy, we’re sort of cleaning up some stuff. But, you know, if Marc’s not going to be here past June, I think there’s a lot of things that – MS. GREENBERG: And he’s served two terms. So that’s a reasonable assumption, yeah. Okay, well, it’s good. I mean there’s nothing like a deadline, you know, to spur you on. MR. HOUSTON: It makes voting quicker. MS. GREENBERG: I understood it – DR. COHN: Of course, some people may decide to filibuster, though, too. MS. GREENBERG: I will only tell you just, you know, this is the mother in me. But having now worked with this Committee, I guess, since 1982, it’s always painful when people go off the Committee and particularly the Chairs of either the Full Committee or the Subcommittees. But we have been now in existence almost 60 years, and we’ve survived. So it’s what I think keeps the Committee vital. But the other good news is that since we will be observing our 60th anniversary in 2009, we will certainly bring you all back for that, and we should really start thinking about – I know it’s hard for those of you who are going off the Committee to think about helping us plan this celebration. But I’d say if you can pull off the Ad Hoc reports you have, this celebration will be a piece of cake. But we really should plan something for the 60th, and I think we should start talking about that. And, of course, we will invite all of you back. I just want to say one other thing on the previous subject, and that is that I meant to mention that I think the Board of Scientific Counselors of NCHS would be very interested in that, you know, cost and burden and all that study as well, and particularly it’s now chaired by an economist who was liaison to this Committee. She’s a demographer? Okay, actually the previous – you’re right. The previous liaison was an economist. But in any event, I think they would be interested as we look at joint projects. You’re right about that. But I think they may have at least one economist on their board, more than one. DR. TANG: Just a follow up to Marjorie’s mention about deadlines that we should heed our own advice like the NPI. MS. GREENBERG: Is this physician heal thyself? DR. COHN: Okay. Well, with that, as I said, there will be additional conversations, both formal as well as informal about the transition. But I wanted to make sure that everybody, as I said, had a view of all this as well as to mark your calendars as we move into next year and obviously don’t assume that you’re, as I said, transitioning off starting in four days or some such Now, with that actually, Karen Trudel, welcome, pleased to have you join us. And obviously, I know you have an update from CMS, and happy post-Thanksgiving. Agenda Item: CMS Update MS. TRUDEL: Thank you. I’m going to start by talking about the NPI – I mean, not the NPI, the ePrescribing because there’s a lot going on there, and then I’ll move to the NPI and some less interesting things. I believe there was some mention made about the proposed rule for the additionally prescribing standards having been published on November 16th. The comment period will end then on January 15th, and we’re proposing a one-year implementation period. The publication for the final rule is, again, to be determined after we see the nature of the comments that we have to deal with and how long it will take to process a final rule through. Anyone who looked at the report to Congress will not be surprised at what we’re proposing. We’re proposing the adoption of standards for the formulary and benefits and medication history standards which the pilots indicated were definitely ready for implementation, and the formulary which actually carries information from the plan to the prescriber so that they can see what’s on formulary. It is intended to help make economic decisions at the point of prescribing from the research that we’ve seen will hopefully increase generic uptake and, as a result, both save money and improve patient compliance. The medication history information which goes, again, from the plan to the prescriber will give the prescriber information about what other medications have been prescribed for that patient which obviously is, we feel, is going to make a huge difference in terms of adverse drug events. We’re requesting comments on the RX Fill standard which actually would send a message from the pharmacy back to the physician indicating that the prescription had been picked up. The pilot showed that the standard itself worked, and that it carried the information very well. There seemed to be some question about whether there was a business case for it, whether physicians actually wanted the information, what they would do with it if they had it, and whether indeed they would wind up being inundated with messages and not be able to actually sift through them and figure out what to do with them. So we’re soliciting comment on that. We’re not proposing it as a standard. We’re also proposing retiring the first version of the script standard that we adopted in 2005 which is version 5.0, and we would move forward to use version 8.1 as the sole standard. At this point, 8.1 is available for voluntary use. We would make it mandatory, and we’re again soliciting comment on that. We’re also proposing the use of the NPI to identify providers in ePrescribing transactions that aren’t HIPAA transactions. They already need to use the NPI in HIPAA transactions, but we would move this over so that the provider’s identification in, for instance, the script standard would also be required to be the NPI. Some additional ePrescribing activities that are going on, the issues related to ePrescribing for controlled substances which this Committee is well aware of are beginning to gain some interest. The Senate Committee on Judiciary is going to hold a hearing next week called Electronic Prescribing of Controlled Substances addressing health care and law enforcement priorities, and this is a result of some interest in particular by Senator Whitehouse and others on the Committee. CMS will be testifying. DEA will be testifying, and some industry groups will also testify about the need to address the concerns of the DEA in terms of diversion and the requirements of health care in terms of moving ePrescribing forward and the barriers that not being able to ePrescribe controlled substances could potentially raise so that that will occur next week. Also, at the AHIC meeting earlier this month, there was a great deal of interest in ePrescribing, and Scott Serota of Blue Cross/Blue Shield Association moved to have the Committee make a recommendation to the Secretary that ePrescribing should be made mandatory under Medicare. The workgroup on electronic health records is at this time developing a proposed recommendation letter. The AHIC will meet in public conference call tomorrow to discuss the letter and to presumably vote whether to move it forward or not, and they would be making mandatory, ePrescribing mandatory as a condition of participating for physicians, participating in the Medicare program. It also contains some other recommendations, and the letter has undergone a number of iterations as you can imagine. And so at this point I think it’s still in a state of flux, and we’ll see what it actually looks like when it hits the air waves tomorrow. But there has been discussion about issues relating to the DEA. There have been discussions related to the fact that making ePrescribing mandatory for physicians can create unintended consequences if the pharmacies are not all able to conduct ePrescribing as well. And so those are some of the things that the members have been discussing. So stay tuned. That will be tomorrow. Some other ePrescribing miscellaneous issues. Much as we love to publish regulations and recommend standards, we realize that that’s only a part of what our job is in trying to move ePrescribing along. And we have at CMS developed a roadmap where we’ve identified some of the key drivers. We’re looking at defining the value proposition for ePrescribing, addressing interoperability and work flow issues, defining and reaching what people call the tipping point, and talks about how CMS is going to support these key drivers by data gathering, research, provider education, standards and certification and leveraging industry partnerships. So we’ve got our roadmap, and we’re beginning to move down that road looking for partnerships, those within the department and outside, looking to pilots and new standards, ways to educate providers about ePrescribing, looking at our own program authorities and what we can do within Medicare Part D. So that is a larger part of our strategy which sometimes we tend to think is only publishing proposals for new standards. Let me move on to the NPI. As you know, the Mary 23rd, 2008 deadline for implementation of the NPI is quickly approaching, and for Medicare at least we’re seeing a steady increase in compliance. We’re seeing many more claims with NPIs on them. We’re seeing that we can match those NPIs to our legacy files and process the claims. And in an effort to continue to move in that direction, we will begin on January 1st to reject institutional claims, Medicare Part A claims that do not have an NPI on them. And then on March 1st, we will begin to reject professional claims, Part B claims, with no NPIs. And we’ve been very closely week by week actually looking at our statistics at the number of claims that have NPIs, at our match rates, at the problems we’ve been trying to address some of the confusion that providers have had where they’ve been matching the wrong NPI to the wrong person, and we believe we’re making really good progress. These are activities that will take us one step closer to full compliance in May. And then I’d like to talk about HIPAA security for a moment. We have begun to be more proactive in our enforcement approach, and we have recently contracted with PriceWaterhouseCoopers to help us do security on its end reviews. We will be doing those this year, and we will be targeting covered entities where a complaint exists. So we won’t be just doing random audit. We’ll be going out to covered entities where there is a complaint, and in some cases we will be reviewing their corrective action plan to make sure that it’s really doing what it needs to do. In other cases where there are complaints that haven’t been resolved yet, we will go out and do fact finding to actually assist us in assessing and resolving the complaint and determining what corrective action will be needed. We also hope to use these audits, and we will be working very closely with our colleagues in OCR. We’ll be working also to come up with some lessons learned from these processes that we can actually put out on our website which is something that OCR is already doing with their actions that will help us educate covered entities by saying this is a problem, this is what someone did to fix the problem to provide vignettes, if you will, of compliant situations. And this is something that we’ve been hearing from our industry contacts is very much needed and will be very, very helpful. That’s all I have. I’d be glad to take questions. DR. COHN: Jeff and then John Paul. MR. BLAIR: Thank you, Karen, and actually ePrescribing has really moved pretty quickly in spite of the fact that most of us who were in it always felt like it wasn’t moving quickly enough. The area – there’s one piece in what you briefed us on that I don’t quite understand, and maybe you could help us understand that a little better. I had understood that one of the reasons that the Justice Department did not –- was wary of ePrescribing was because it needed data for its court cases, and if it didn’t have nonrepudiation in there, that would be an area where it was concerned. Fill status notification, however, I had understood that a number of people in the Justice Department felt like, gee, with the fill status notification in there, they can prove that the prescription was actually dispensed. It was filled, and that would give them their legal justification. I noticed that on the tests, it passed all of the pilot tests. So to wind up saying that now we’re going to check it for business justification and notification, that confuses me because the justification as I saw it never was business. It was to provide the legal annotation for the Justice Department. So from the fact that that is not in there seems, at least on the surface, contradictory to our efforts to try to get controlled substances, including ePrescribing, and satisfy the Justice Department. So I’m confused that the criteria will be a business justification rather than a legal one. MS. TRUDEL: Actually, it’s interesting that you made that point, Jeff, because there had been some discussions with the DEA about whether the fill status transaction could provide some additional audit capability because it does prove that the prescription has been picked up. But what it does not do is prove that the physician who allegedly wrote the prescription actually did write it. The fill status is – it’s not a totally mitigating factor. It simply proves that someone picked it up. So I think, and I don’t want to speak for the DEA, but I do know that they do have concerns about not being able to have an actual signature to rely on particularly when they’re prosecuting cases of diversion and trying to prove who did or who did not actually sign the prescription in the first place. When we talked to industry about the fill status, what we heard was that it has a lot of potential, that pharmacies would perhaps have to do some restructuring of their business flows because there’s a question of when do you count something as picked up or not picked up. Do you send a message that something was picked up, or do you send a message when it wasn’t picked up. Is it an opt in or an opt out kind of thing. MR. BLAIR: Okay, okay. MS. TRUDEL: And what we heard from some practitioners is that if you send me a response every time my patient picks up a prescription, it’s like alert overload, and I don’t know how to make useful information of that. I can’t turn it into usable knowledge. So there is some question again about, and we’re hoping that we hear this in the comments, perhaps the intended recipients will say it’s useful to me but only when something isn’t picked up, or it’s useful to me to know that it has been picked up. We may get some comments from law enforcement saying, yes, we think it’s a good tool. And so we’re looking into all of those things. But we really didn’t want to jump into proposing the standard when we weren’t sure how it was supposed to work. So essentially that’s the rationale. MR. BLAIR: Thank you for the clarification. DR. COHN: John Paul. MR. HOUSTON: As a – being responsible for information security for an extremely large health system, I’m very interested in your comment about PriceWaterhouse being engaged to do audits. No, no, we don’t. But and we’re already required to go through a lot of different audits frankly, whether it be on the financial side or because we’re SOX compliant, things like. And the reason why I’m couching these terms, is there an audit plan being established as part of this audit process, and will it be made available because I’ll sort of play my hand out here and say that most of us covered entities would love to see an audit plan so we understand the type of information that might be asked as well as what the standards are because that level of transparency probably makes it easier on you, and it also makes it easier on covered entities that really in good faith want to comply to have all our ducks in a row. Now I understand the security rules are supposed to provide all of us all that guidance. But the reality is, it doesn’t. MS. TRUDEL: Excellent point. I’ll take that back. One of the things that we’re working on and we’re in the middle of developing the security plan, audit plan at this point is how tailored each one might be to the specifics of the organization that we’re going in to audit, and we’re still having discussions about that. But to the extent that we have something that we can publish and share, your point’s well taken, and I’m mindful of the fact that the 32 or 42 criteria that the OAG was looking at in the Piedmont audit have been disseminated widely and appear to be useful to people. MR. HOUSTON: And I would think that, you know, obviously these audits are going to be based on specific issues, compliance issues related to the security rule. And so even if PWC went in or you went in and said we’re going to look at this particular area, I think that could all roll up into an overall audit plan that you might choose to only execute pieces of it in an individual covered entity, but would be a great roadmap for covered entities to take on the whole and say, okay, where are gaps overall because when the Piedmont audit, you know, information about the Piedmont audit came out, one of the things I had my organization do was to look at the payment information being asked of and I said do we have any gaps based on what was going on at Piedmont just because we thought that’s a good barometer. And you know, that served us well, and I think a lot of covered entities that want to in good faith comply and say the more information we have, the more transparent it is, the more structured it is, the easier it will be for us to ensure that we do comply. And then when you walk in the door, it can as much be we can provide you the information that we’ve already compiled because we want to have that information gathered anyways. MS. TRUDEL: Okay. You make a good point. Thank you. DR. COHN: Okay, Gene? DR. STEUERLE: Karen, I was also very interested in this real approach to ePrescribing. Way back when I was asked to join this Committee, I was asked to think about incentives and might try to jump start, at least move along this whole area. And I’ve often thought that financial incentives should be considered, and I’m just curious whether this group has considered financial versus regulatory approaches such as deciding that where there’s ePrescribing that meets certain minimum standards that Medicare would pay something more than it would where there was not such ePrescribing as opposed to just sort of a blanket regulatory approach. And the related question to this is my guess is that no matter how you set up whatever rules or regulations on this right now, a year or two from now there’s going to be some new, improved set you would like to implement. But now you’re going to have to deal with whether people have set up systems according to your old rules and regulations, and whether they will then fight against the add-ons and how one thinks about those future transactions and how to deal with them because I’m not sure they’re going to be coming along. MS. TRUDEL: I know the workgroup has discussed the issue of financial incentives, and in at least one iteration of the letter that I have seen, that is a corollary regulation for consideration. In every version I’ve seen, the main recommendation is to move forward to request legislative authority to make ePrescribing mandatory in Medicare. But this was one of the corollary discussions that’s very definitely in the workgroup’s mind. As far as incorporating later advancements, we’re already coordinating with the CCHIT to move any subsequent Part D standards into the ambulatory EHR criteria for the next CCHIT turn of the crank as the Secretary’s called it. DR. COHN: And Karen, thank you for that actually that final bit of clarification because I was actually going to ask – my understanding that CMS actually didn’t have the regulatory, the legislative authority to actually do the things that were being suggested. And I think the fact that you’re describing that the recommendation would be basically that HHS encourage the legislative branch to give it the regulatory authority is obviously a very different conversation than just necessarily go forward, and that is a correct – my statements are correct. MS. TRUDEL: Right. DR. COHN: Okay. Michael. DR. FITZMAURICE: Two questions, both of them may be correct. Under HIPAA, there are long lags in updating the transaction that could set standards. How will the electronic prescribing standards be changed by regulation, for example, prior authorization or this fill status, how do we add something, how do we change it? Does it have to go through the same regulatory process that we do for HIPAA. MS. TRUDEL: That’s a two-pronged answer because some of the standards under ePrescribing are also HIPAA standards. Those are required to go through the HIPAA update because they apply to the industry as a whole and not just Medicare Part D. So the eligibility transaction is a HIPAA standard and has to go through that process. The scripts standard is not which is why we were able to move forward with the voluntary adoption of the backwards compatible version 8.1. The formulary standard is likewise a stand alone NCPDP. It is not a HIPAA standard. The medication history standard that we’re proposing is part of the script standard and is therefore not a HIPAA standard. If we move forward with a prior authorization standard, that would have the HIPAA overlap, and we would need to work with that. So that is an issue that we will be grappling with for some time until we get everything synced up and hopefully get a better way to move forward on the HIPAA modifications area. DR. STEUERLE: Good answer. Second question. Under the President’s Executive Order of August 22nd, federal agencies’ interoperability standards, those that are recognized by the Secretary of the HHS must be adopted by federal agencies. The HHS Secretary is expected to recognize 303 use case domain interoperability standards in December with a January 1st compliance date. Within CMS, is this part of OESS’s responsibility, and then what is CMS doing to prepare for these health data standards. The rest of the agencies would like to know what’s going to be expected. MS. TRUDEL: We basically have been working with the remaining, the other department agencies with the Office of the National Coordinator to develop whatever roadmaps are necessary to move forward. I think it’s called a Green Plan, and ONC has the responsibility to coordinate. Each agency needs to figure out what these standards mean to them. It’s very different for CMS to look at standards than it is for IHS, the Indian Health Service to look at them because the Indian Health Service actually has electronic health record technology. They run facilities. And so this means something very different for them than it does for CMS where we’re mostly looking at this in terms of our contracted health care, our Part D and Part C plans. So we basically are looking at these just like everybody else and trying to figure out what we need to do to get there. DR. STEUERLE: So your office will be the point person for CMS on this? MS. TRUDEL: We coordinate with the department, right. DR. COHN: Bill, you have a comment that I didn’t – DR. WILLIAM SCANLON: It was a comment on Gene and it was kind of a question on why Gene’s comment is probably an issue of language, and it’s this rule of regulation and incentive, and I think that one of the things that we sometimes do which is unfortunate is we refer to what Medicare is doing as regulation because that’s the legal construct. But the reality is that what they’re doing is they’re specifying the purchasing requirement. In order to be sort of a Medicare provider, you have to the following. But being a Medicare provider is not a requirement. It’s a voluntary thing that I want to be a Medicare provider. In some respects, the incentive is that if to be a Medicare provider you have to do X, and I want to be a Medicare provider, then I’m going to do it. And I think in particular we want to think about incentives other than financial ones because of the whole issue of do we have enough money in this system or not, or if we answer that with sort of saying that we do have enough money in the system, then the question is spending it more wisely. And the more wisely part may come through specifying here’s the services that we want, and we’re not going to pay unless we get those services. DR. STEUERLE: Or you can pay less for the services you don’t get. DR. WILLIAM SCANLON: Right. DR. COHN: Well said. Now Judy and then Paul, and then we’re going to give everybody a break. DR. WARREN: I actually have two questions. One is about the infamous signature for DEA. Every time we hear information about this, I keep thinking what I’d really like to see is someone writing up why a wet signature is any more important than an electronic one, and look at it. This time you brought up the fact of the legal or the tort representation of the signature as well as one for following whether or not medication is being diverted, et cetera. So I’m wondering if in either the AHIC deliberations or these meetings that you’re talking about if one of the byproducts could be maybe just a quick description of dual electronic signatures legally stand for things, why is a wet signature superior to one, or are we just looking at outdated laws? I mean, so I think that might help us move forward because I keep hearing the same question coming up for the last three years that we’ve been working on this. MS. TRUDEL: You’re absolutely right, and there are other areas of industry and even health care and government where there has been a move away from actual pen and ink signatures. There are two aspects to the issue. There’s the question about whether you can put compensating controls in place that will prevent diversion. And then there’s the question of if diversion occurs how does the lack of a pen and paper signature affect the prosecution and the legal aspects of that. So I really think there are two, those two things are really different. Are you trying to avoid diversion, or are you trying to address the legal aspects of it, and I think the requirements are different. DR. WARREN: Because I think until we get either some harmonization between those requirements or at least a better understanding of when one comes into play and the other one does, we’re probably always going to be stick in this discussion. The second question I had is you were talking about looking at the business of some of the standards on ePrescribing, on whether or not the prescribers would know what to do with the information. Is there any effort being done to solicit what patients think the business case is of this data? I mean, it just seems to me when you were talking about it, it was something I hadn’t thought about before is we’re only looking at one side of the business case. We’re not looking at the patient’s side of the business case of whether or not they find that information to be valuable to them as their physician or nurse practitioner or whoever is caring for them. MS. TRUDEL: That’s a good point, and I suppose we’ll what we get back in the comment process. It is a public comment process, and we may get some groups representing patient organizations providing us with feedback. I have heard anecdotally that some patients may feel that that’s an invasion of their privacy, that their physician doesn’t have a need to know whether they picked that prescription up or not, or whether they ever even put it in to be filled in the first place. DR. WARREN: And are your comments mainly about the fill status notification, that people are wondering if that’s where the business case? MS. TRUDEL: Yeah, I didn’t get a sense that even with the pilots there was any concern about the business case for formulary and medication history. But, of course, you know, we’ll get comments that completely cover the map. DR. WARREN: Thank you. DR. COHN: Paul, last question. DR. TANG: That was a very helpful update, Karen. Thank you. NCVHS had a role in providing input on the ERX standard. Might NCVHS have a useful role, given this new recommendation about mandating that electronic prescribing be used, would NCVHS have a role in providing input on the desirability of that policy that accompanies the ERX standards. MS. TRUDEL: I’m going to punt on that one, Paul, because it’s a recommendation from another HHS advisory committee, and how the advisory committees link together in interfaces is always something that I find perplexing as well. DR. COHN: Well, Paul, you asked a good final question, and I think Karen actually has given you I think a very reasonable answer on that one. Without trying to in any way further discuss it, I think we’re running a little bit late. But I think obviously we’ll make up time as we go through the day. First of all, I want to thank Karen for her presentation. Obviously, Jim, I’m sorry that we thank him that he’s not sitting here any longer. I’m going to suggest we take about a ten-minute break, and then we’ll start talking about the report for today. [Break] Agenda Item: Ad Hoc Workgroup – Enhanced Protections for Uses of Health Data: “Secondary Use” Report Action November DR. COHN: Okay, why don’t we get started. Will everyone please be seated. Now the topic of the next section or next session anyway is basically to discuss a report being brought forward by the Ad Hoc Workgroup on Electronic Health Information entitled Enhanced Protections for Uses of the Health Data. I think we will spend — we will certainly go up to lunch and maybe even beyond lunch a little bit going through this. We have talked about it during my introductory remarks, and I obviously want to thank everyone again for their participation and involvement. The one thing I neglected to comment on and I did want to mention before we started going through the document has to do with our public comment period, and I think that this has turned out to be a very useful thing. It’s something we did with the NHIN functional requirements last year. I just want to mention to everyone that obviously in addition to our almost 60 testifiers, eight days of hearings, and testimony that we took on this topic and admittedly this is a controversial area that we went into, we actually produced a draft report that we circulated publicly in mid-October and from there actually held another open conference call, took additional testimony, both written and verbal, received somewhere around 1,000 comments from a wide variety of stakeholders and individuals, all of whom I want to thank publicly. And I think the input and comments have actually helped make the document much better. Now you all received a copy of this document about ten days ago. I’m hoping that you’ve had a chance to review it, and indeed as we go through the document which we’ll be going from sort of section to section reviewing, it’s really with the assumption you have reviewed it. I know we’ve received at least one sort of redlined version. That was from Paul which I want to again thank, and we will show you some additional wording changes in certain areas that I think identified through Paul’s effort that needed further clarification and tightening. But as I said, beyond that what we’re really primarily interested in is content and to make sure that people are okay with the content knowing that we can handle offline wordsmith issues like the wrong comma, the wrong word. As we read through this one, we discover sometimes that it’s a passive tense, and it needs to be the active. So there are things that we can handle offline even after passage of the report. Now as I said, I’m going to actually turn it over to Harry and Justine. But I think the intent here will be to go through section by section to get comment and go from there. And I guess, Harry, do you have any other comments before we get started? MR. REYNOLDS: No. Justine’s going to start. DR. COHN: Okay, Justine, you’ll lead off here. DR. CARR: Great. I want to again thank the Committee, the workgroup, the staff writer. This was a tremendous effort that was very impressive to me. Before we start, I want to give you an overview just briefly if you’ll bear with me. I think since we last met, one of the major changes in the document is the inclusion of the guiding principles for making recommendations. And I’d like to just – DR. COHN: Page? DR. CARR: I’m sorry, on page 17. Even let me back up for a minute and say I want you to also pay attention to the fact that the title is called enhanced protections for uses of health data: a stewardship framework, and I think that that is a very important change and focus. It’s not a change, but it’s a focus of what we’re trying to do. So this is about stewardship. And as we pulled our information together, we used these guiding principles. So just to briefly read them, protections should maintain and strengthen individuals’ health information privacy, number one. Number two, enable improvements in the health of Americans and the health care delivery system of the nation. Number three, facilitate uses of electronic health information. Four, increase the clarity and uniform understanding of laws and regulations pertaining to privacy and security of health information. Five, build upon existing legislation, regulations whenever possible. And six, not result in undue administrative burden. And developing these, borrowing heavily from Minnesota helped us to balance the diversity of input that we heard. And so just to again frame what did we do, we began with HIPAA. HIPAA was our first giant step towards stewardship, and it is the cornerstone of this report. We strengthened some dimensions of HIPAA, the accountability, the chain of trust agreement. We strengthened transparency, notice of privacy, clarity and education for the community, strengthened security. So in addition to strengthening, we want to expand because we know that not everybody is a covered entity. And so even though we have great things within HIPAA, if you’re not a covered entity, they don’t apply. So we’re looking to expand that We’re also looking that in the interim or when we have non-covered entities that they have additional protections on their health information including authorization. So we’re strengthening, we’re expanding, and then we’re introducing because HIPAA doesn’t really talk in contemporary terms about data quality, data integrity and oversight of uses of data. And so we have introduced those elements. Using all my adjective words, we also want to explore something that was specifically excluded from HIPAA, and that is de-identified data. You heard a lot about that, and we felt we had some ideas about it. But thanks in part to the feedback that we got on the October 31st posting, we realized there’s a lot we don’t yet understand about de-identified data. And so that’s on our list of something important, but something that we want to explore. So with that overview, I’ll now go back to the organization of the letter. Any questions about that? Okay. I think that we’re not going to do high level. I’ll read through the title. So our introduction just talks about the purpose and scope of this report we’ve discussed at our previous meeting. The next section is on terminology where we make clear that – DR. COHN: Justine, did you want to go over the whole section, or do you want to go by section by section and ask people for input? DR. CARR: Okay, right, right. Got ahead of myself. DR. COHN: Okay. That’s fine. DR. CARR: The purpose and scope. In the absence of reading it, were there any questions or concerns about purpose and scope? Hearing none, oh, sorry. DR. FITZMAURICE: On line 94, you talk about electronically available health data, and not only claims data. Are we concerned about how they’re available, that is, they’re available to a covered entity, are they available from a non-covered entity. Are they available on a website, or does it matter. Are we concerned about all data that passes electronically. DR. CARR: Are — DR. FITZMAURICE: My concern is are they available. If they’re already restricted in somewhat like being covered by HIPAA, are we less concerned than data that aren’t covered by HIPAA but available for anybody to access and see. Is there a qualification on this? DR. CARR: I think we’ll reflect on that. I think the point of this paragraph was simply to say what’s new and different. We’re not just talking about claims any more. We’re talking about very rich data that is available electronic. It’s simply setting the stage. So I think you’ll see that we get into this in much greater detail. Are there other questions or comments? Hearing none, we will move to terminology. And under terminology, we have two subsections. The first is entitled secondary use of health data, and it is in this paragraph that we record the NCVHS position that we don’t want to use the term secondary use of data for all the reasons outlined. Are there any questions or comments about that. Moving on, the next is terms describing health data. Now you’ll see Margret’s done a great job. Actually you won’t see because we distributed the glossary. Margret has developed a glossary with the relevant terms used in this and related documents. However, we wanted to highlight four of them, and those are protected health information, individually identifiable health information, personal health information or data, and HIPAA de-identified health information. So each of those terms is defined. We felt they were important enough to the document to have them not in the glossary. John? MR. HOUSTON: One thing I thought was odd was that on the fourth definition I read through it, you’re using HIPAA de-identified health information and HIPAA de-identified health data. Why isn’t we just standardize on one phase to describe it and then replace it throughout the document so it’s just – DR. CARR: Yes, thank you for that. We’ll do that. My only comment, too, was that we might move individually identified health data, health information in front of protected health information so that it’s understandable. So we then just have an outline of the report. Are there questions? Okay, hearing none, we’ll move on now to report background. And the subsections of the report background include one, our coverage of the topic. In other words, the history of – well, let me just take it one at a time. NCVHS coverage of the topic, and this includes the work that NCVHS has done through the years on topics related to uses of health data. Are there any questions or comments on that section? All right, continuing, on report background, the next section talks about NCVHS process and how we met and took testimony. Any questions or comments. Moving on, now we have – having completed report background, we’re now on to major themes from testimony about uses of health data. And here, we have one, two, three, okay, we have about several major themes. The first one is the benefits from uses of health data enabled by health information technology and health information exchange and the outline includes the benefits that occur at the point of care, the benefits that accrue for quality measurement reporting and improvement, and benefits for clinical and population research and benefits for disease control and prevention. I think Paul had a couple of benefits here that we found helpful. Yes, Mike? DR. FITZMAURICE: We may be missing one benefit that I would suggest we add, and that is for the person to have control over their healthiness, that is, they can use for their education, for their monitoring their own healthiness. So I’d like a personal health record would help them. DR. CARR: All right. Other comments on Mike’s suggestion? So the recommendation was that we add another example of personal wellness. So it would be a benefit from uses of health data enabled by HIT and HIE is personal wellness as in personal health records. DR. FITZMAURICE: If I understand my own healthiness, my own conditions and what the Internet, what the literature says about it, I’m better able to control things that influence my healthiness, my health habits, for example. And if I know what my blood pressure is, in other words, I can access it and I can see it, that reinforces my good health habits, so I benefit from that. If I never see it except to go to the doctor’s office, I know your blood pressure’s a little bit lower this one. DR. CARR: So you’re saying in a personal health record where you can have your blood pressure over time, you can see a trend, and Steve has – DR. FITZMAURICE: All I’m saying is this is a benefit. DR. STEINDEL: But I think we have to look at the overriding title, and that’s themes from testimony, and I don’t recall how much testimony we actually heard on that. Obviously, it’s a benefit that we’re all well aware of. We’ve written a report on that. DR. CARR: Right, right. What I’m going to do is put an asterisk there and ask for us to come back to that unless there are additional comments. Marjorie? MS. GREENBERG: Well, I think we always – these reports always involve what you hear in testimony and what this illustrious committee brings to the discussion, et cetera, and I think personal wellness or however you want to phrase it, is really an important element, and I would encourage you to include it. DR. CARR: Yes. I think what I’m trying to think through is the title being health information technology, health information exchange. And so I was just trying to tie it back to that. Yes? DR. DEERING: I’m Mary Jo Deering. I think that perhaps this personal health management covers all of the above. DR. CARR: Okay. DR. DEERING: And it’s wellness, prevention, financial records under NHSA, and that exactly is the HIT value. DR. CARR: I like that. DR. COHN: Yes, and it sounds like we’re talking about one sentence basically, something on that line. DR. CARR: Yes. Thank you, Mike, for bringing that up. Gene? DR. STEUERLE: A voice awakes sometimes in these documents. We hardly use language like research and I know things that for instance like clinical population research can be strengthened. For researchers, it’s immediately intuitive why that’s so important. But believe me, it’s not for a lot of policymakers. And I don’t know whether you have time or you want to do this. But can you fit in, for instance, I think it really – for instance, it’s been modeling for some time that HIT or information might help us detect or even solve problems like why is autism increased or if HIV’s increasing in certain parts of the country more quickly than others, if we have early warning signals are just examples, you know, such things just help improve, might make it very clear to people like the Secretary that we’re talking about lives being saved or being much better and make explicit what all of us knows is implicit. DR. CARR: Thanks, Gene, and that has been our – we found that to be very useful, and I’m going to ask you to develop an example that we can include under this section. DR. STEUERLE: Okay. DR. CARR: Are there any other – oh, yes. Donald? DR. LAND: Just a minor point, but disease, control and prevention, maybe to be more complete would be to include surveillance. It’s part of control and prevention, but you might just add that one word. DR. CARR: Yes. So it would be disease, surveillance, control and prevention. Any further comment on that? Okay, hearing none, I think we will now move on – so that was the first major theme, benefits. Now we’re moving on to the theme potential harm from uses of health data enabled by HIT and HIE, and I’ll just give you the headlines. They include erosion of trust, compromise to health care when individuals not trusting, and risk of discrimination and personal embarrassment. So, yes, Leslie? DR. FRANCIS: The discrimination one is individualized. And one point, and I don’t know whether this was in the testimony, but at one point that was distinguished between discrimination against an individual and risks of groups stigmatization which was relevant when you have de-identified data sets. For example, if the data suggests that immigrants are more likely to have a certain kind of disease or something, and I don’t know if that came out as a theme. But it was at one point in the report. DR. CARR: Right. So I’ll comment on that and invite others. One is first on line 354 it should say risk of discrimination, and that was a recommendation. And then with regard to stigma of a particular group, I think there were two parts to that. We’ve addressed the concern that misinformation would be generated about a group by amplifying the importance of structure and rules for data aggregation, data integrity and quality so that the information could not be – so you would avoid the risk of using fractured information to draw an incorrect conclusion. Now you’re raising a risk that is actually is not limited to health information exchange. It’s true in research, in publications, throughout medical and health fields that when a condition is associated with a group, and I’m not sure that that is unique to this focus, and so I invite other comments. John, you had your hand raised? MR. HOUSTON: Yes, this is more of a generalized comment throughout the comment, but I first noticed it in this section, and it relates to the examples. I’m a little concerned that some of the examples either seem to be weak or are almost things you would put in the text of the document. DR. CARR: Okay. MR. HOUSTON: Or on point, and I mean I can – I don’t want to keep bringing them up. DR. CARR: Right. MR. HOUSTON: But it really seems like the document, other than examples, is really good. But when you get to some of the examples, I say, geez, it’s either a really bad example or it just doesn’t need to be there. DR. CARR: John, that’s a very helpful recommendation. Would you note on your copy which are the examples that you think should be strengthened and/or deleted. MR. HOUSTON: Sure, I’d be happy to, and again some of them by the way, too, are also almost repetitive just in the text. DR. CARR: Okay. MR. HOUSTON: And in other cases, I’m not sure necessarily whether examples are really just intended to be part of the body. So I don’t want to keep bringing it up, but I also know that – DR. CARR: Right. You know, as we’re going through, if you could just make a note of that and perhaps there’ll be a time at the end we could get a little summary of here are the examples that added value and here are the ones that – MR. HOUSTON: As we’re going through it, I’ll mark mine up more completely and give it to you. DR. CARR: Thank you. Marjorie. MS. GREENBERG: Yes, I really had the same reaction. DR. CARR: Okay. MS. GREENBERG: Some cases I thought well now this example is really helpful, and in others I thought it’s kind of a strange one. And I must say this one here on the bottom of page nine was in the latter category because I felt like – I mean, what you don’t want an example to do is make someone think of something else. And what I thought of here is I’d be less concerned if my personal condition was being exposed than why didn’t they publish this sooner before I ended up knowing this, having this – DR. CARR: Okay. So my question then is do you think any example is necessary or a different example or no example? MS. GREENBERG: It’s hard to say, but this one – DR. VIGILANTE: The point is well made. It’s not a complex concept. So the examples of the most useful ones. It’s really not clear what you’re talking about and needs an example. In this case, I think it’s almost intuitive. DR. COHN: That’s you, Kevin, Right? DR.VIGILANTE: Yes, I’m sorry, yes. DR. CARR: Hi, Kevin. DR. COHN: Thank you for joining us. DR. VIGILANTE: Yes, I was on at 1:10, but I didn’t want to interrupt. DR. CARR: Right. So – DR. COHN: All right, hang up for just a second so Kevin can introduce himself. Kevin, do you have any conflicts for the issues today? DR. VIGILANTE: No, I do not. DR. COHN: Okay. DR. CARR: Is there anyone else on the line? Okay. Yes, Marc. DR. ROTHSTEIN: I want to go back to the point that Leslie made a few minutes ago, and that is about the importance of mentioning potential risks of de-identified information. In the document, there are several places where it recommends additional protections for de-identified information. We say that business associates even if they use the information in de-identified form have to comply with the HIPAA requirements, and it has to be in et cetera, et cetera, et cetera. And therefore, I think it’s important for us to make the case as to why there are risks even associated with de-identified information, and one of the ones that we heard testimony about the risk of group based harms. We heard others as well, the ease of re-identification, et cetera. But I think this would be a good place to add the group based harm. DR. FRANCIS: Can I follow up on that. Just remember that this is about secondary uses of someone’s health data, and that’s why it’s different from just the general research question. DR. CARR: Any other comments? DR. COHN: Are there additional comments on this particular point? Mike, on this particular point? DR. CARR: On group risk of group based harms? DR. COHN: On the group based harms. Can we come to resolution on that one. DR. FITZMAURICE: No, not on group based harm. DR. COHN: Okay. So I just want to make sure we’re – because we talked about this one. I actually sort of agree. I think there needs to be something in here that will – I guess we need to figure out how that gets written. Margret, is there something you can – MS. AMATAYAKUL: We had some language before. We had some previous language that we took out. So we can bring that back and rework that. DR. COHN: Okay, and maybe we can ask Mark and Leslie to review it for – DR. CARR: And also an example. Okay. To see what I think an example would be helpful. Now, Mike, you had a question? DR. FITZMAURICE: Yes, I wanted to go back to the two examples on page nine. It’s one of the things about the examples that kind of grates a little bit, it’s like I’m standing in a grocery line is that words like there may be surprise and concern, or providers may become suspicious of what other uses can be made. It’s the becomes suspicious. It’s the emotional words as opposed to – D DR. CARR: Right. Emotionally laden adjectives. We’ve all agreed to take it out. So I think we’re done with that. Other comments? We’re a potential for harm – yes? DR. COHN: And I guess I should sort of comment. I think what I’m sensing is that there’s going to be enough changes here that what we’re going to do is to come back with a redlined version showing all of the changes, recognizing that we’re not going to go through all the things that you’ve already accepted. Is everybody okay with that? So we’ll have a version that will have all of this new stuff in it. DR. CARR: Okay. Continuing on the major themes, we talked about benefits. We talked about risks, potential harms. We’re now onto another theme which was HIPAA privacy and security rules. And here, we talk about what’s covered by HIPAA and what is not, what is a covered entity, who is a business associate. John? MR. HOUSTON: I will, even though I said I wasn’t going to comment about examples, I think here’s a couple cases, though, where I think these types of things that are examples are more I think appropriate simply in the body of this document. DR. CARR: Incorporate them into the body and not have them as examples? That’s what you’re saying? MR. HOUSTON: Yes. DR. CARR: So that’s the HISPC and business associate contracts and their lack of specificity and business and agents. Okay, so not have them as examples. MR. HOUSTON: And to a specific point on line 380 which starts with “HIPAA covered entities do not include organizations and their agency perform function involving protected health information on behalf of covered entities.” I think it would be more appropriate to say HIPAA does not directly cover or apply to organizations, and their agency may perform functions involving protected health information on behalf of a covered entity. DR. CARR: Okay. Could you forward that on to Margret? MR. HOUSTON: Yes. MS. GREENBERG: John Paul and I seem to be like a team here, but what he says triggers my thoughts. But the one thing that I think, though, is positive about interest versus the examples and italics, it really helps the readability. DR. CARR: Yes. MS. GREENBERG: This is a dense report. I’m not saying that as a criticism. DR. CARR: Yes, it is. MS. GREENBERG: There’s just a lot of content here, and I do think that kind of does help with the readability when it’s appropriate. DR. CARR: So we agree that it adds value and how it’s configured will work off line? Are there other comments on HIPAA privacy and security rule. Mike? DR. FITZMAURICE: In reading through the top example around line 380, vague statements such as, well, I’m wondering if you say such as permitted by law to really parse that out, you’d have to make a lawyer out of all of the patients and explain it. And it leads to a general statement that it’s really the covered entity that’s responsible for this chain of use of data through business associates. And probably somewhere along the line we should say the Secretary should remind covered entities that they are responsible for this, that the responsibility comes back to them. And if it’s a lot of work to follow this daisy chain, that’s what’s required by the law is to do it. That’s where their responsibility lies. MR. HOUSTON: Mike I think you’ll see that in our recommendations. DR. CARR: Yes. Again, as we’re going through, as you can see, I’m trying to keep us on case, and if you have something that you feel is valuable wordsmithing and you write down, give it to us at the end. We’ll be working on this probably for the rest of the day. Okay, any other comments on HIPAA privacy and security? Seeing none, we’ll move on to importance of health data stewardship. And here, we have some definitions of stewardship, and we introduce the concept and talk about what was in the privacy rule. Are there comments on this section? Okay, seeing no hands and hearing no voices, we’ll move on to – yes? DR. FITZMAURICE: Just a suggestion that the paragraph beginning on line 345 that it might contain a footnote or a reference. It says there has long been legitimate concerns that personal health information has been used to make decisions that adversely affect the individual as an implied benefits coverage. There must be an article that says something like that. That would add legitimacy to our saying it’s legitimate. DR. CARR: What line? DR. FITZMAURICE: Line 345. DR. COHN: Go back a couple, right? DR. FITZMAURICE: Whoops, did I – oh, I have these out of order. All right, I’ll just turn this in, and you can see it on my handwritten stuff. DR. CARR: That would be great. I’d appreciate that. Okay, importance of health data stewardship. Any comments? Okay. We’ll now move on. This section now talks about specific uses of health data, and we begin with uses of health data for treatment, payment and health care operations as permitted under HIPAA, and it’s basically a description of what’s already permitted. John? DR. VIGILANTE: The second line where it says when providing access to the individual, should that be providing care to the individual? DR. CARR: What line are you talking about, Kevin? DR. VIGILANTE: I’m not sure if I have the same one. In mine, it’s 479, but it may be a different number. But it says HIPAA – DR. CARR: Wait, yes. DR. VIGILANTE: — covered entities to use and disclose protected health information without authorization from the individual when providing access to the individual. DR. CARR: Yes. DR. VIGILANTE: Or do I have an earlier copy? DR. CARR: No, no, you’re right. I’m looking at that. Privacy rule permits covered entities to use and disclose protected health information without authorization from the individual when providing access to the individual. What does that mean? DR. COHN: Why don’t you simply strike when providing access to individuals. DR. CARR: It’s line 478. Line 478 reads the HIPAA privacy rule permits covered entities to use and disclose protected health information without authorization from the individual. DR. VIGILANTE: The phrase “when providing access” didn’t make sense to me. It probably should be “providing care,” I would imagine. DR. CARR: Margaret will answer. MS. AMATAYAKUL: This is a statement that is a list of things that comes from the regulations. So maybe it would benefit from having some numbers on there. They’re not exact quotations, but it’s an enumeration of when you don’t need an authorization. So it’s when you’re providing access to the information to the individual for treatment, payment, operations, incident to, et cetera. MR. HOUSTON: It might mean that you need a colon there. DR. STEUERLE: Just a colon instead of a semicolon. MR. HOUSTON: Colon after individual and between when, maybe when is one of the enumerations. DR. CARR: Okay. So it sounds like we need either citations or quotations to make it clear that we’re – yes. DR. COHN: I think Kevin’s point, if you take out the word “when providing access to individuals,” if you take that out, that’s what HIPAA really says. DR. VIGILANTE: Yes. DR. CARR: Yes. Okay. DR. VIGILANTE: Yes, otherwise it’s confusing. DR. CARR: Right. That line, so the recommendation is to strike “when providing access to the individual.” So Margret, can you just look at that and see if that compromises the – DR. CARR: We’re going to move on from punctuation. John? MR. HOUSTON: Yes, there were two separate sentences in this section that I had concerns about. DR. CARR: Okay, what line? MR. HOUSTON: The first one starts on 503, and the second one starts on 531. The one on 503 says the area of health cooperation was observed to be broad in scope and not well understood by individuals. And then the one on 531 says use of health data for quality improvement while permitted under HIPAA in identifiable form are not well known or understood by individuals. They’re both sort of dangling thoughts, and I guess when I read HIPAA, even though I know HIPAA, I’m not sure how much clearer you can get it for one thing. And then later on this letter, you talk about trying to further enumerate what would be acceptable health care operations purposes, and that concerns me greatly because if we try to enumerate too much, there’s too many cases where we didn’t think of the enormous amount of – DR. CARR: Your time ran out. MR. HOUSTON: Under health care operations, and I just – I’m not sure you can make it any clearer, and if you try to be more clear or more specific, I think you may jeopardize the uses, the secondary uses, I know I’m not supposed to call it that, that are bona fide and are necessary within a hospital environment. It is a complex concept, and I don’t know how much clearer you make it. DR. CARR: Harry? MR. REYNOLDS: Clear to who? Everybody that – I mean, the people and the entities that are related to HIPAA might get it. But do the individuals get it. DR. CARR: I think these comments are foreshadowing a later recommendation around transparency, and I think – just let me finish. That the issue is not, you know, that there are a lot of uses and they’re undoubtedly referenced somewhere in the NPP. But in general, there’s a need for education around uses and benefits. I think – MR. HOUSTON: But I believe there was some recommendation or something later that spoke to further clarifying or defining quality improvement or health care operations. I forget which one, and when we get it, maybe I can point it out. It just concerns me that if you put too much definition around these concepts, I think we’re going to find more things to fall out than was ever intended, and that could jeopardize a lot of what are reasonable and bona fide purposes. So I’m just cautioning. This concept scares me a little bit. DR. CARR: Kevin, is that you? DR. VIGILANTE: I was just going to say that, you know, this is just an apparent description of the themes that we heard. And I would say that or it’s fair to say that one of the themes that emerged is that some of these nuances are not well understood at least by individuals as opposed to groups. I would just say that they’re reserved reward and scope are often not well understood, and I think that covers a multitude of things. DR. CARR: Okay. Simon? I think, yes, these are very helpful because you’re right. Some of this is covered over, and we probably need to punch it out a little more clearly or tighten it up and not be too prescriptive where we’re not being asked to be too prescriptive. DR. FRANCIS: The “who” there is really patients, right? So you might want to put in not well understood by patients. DR. VIGILANTE: It could also be providers, and I think a lot of people still grapple with the nuance understanding of HIPAA even though it’s been around for a while. MR. HOUSTON: I did find a reference in line 1245, and I apologize for getting out of order a little bit, but it is relevant here. It says NCVHS was asked by ONC to consider whether there were or should be boundaries around what quality activities are included in HIPAA’s definition of health care operations and which may be outside of that definition and may call for greater choice by individuals whose data are included. I think it goes to my concern that you might create a boundary that was not intended and could really be problematic for trying to carry out the bona fide – DR. CARR: Right. And so that was teeing up the recommendation, and as you’ll see as Harry will get to recommendation 7.1, it basically says that data uses for quality measurement, reporting and improvement, and we’re changing that word from “are” to “remain” within the scope of health care operations. But thank you for pointing that out. Let’s note it, and then let’s make when we get to that line that we have tied out all of these foreshadowing’s. Okay, so we were talking about specific uses of health data, uses for treatment, payment and health care operations. Are there other comments on that section? All right, we’ll move on now to uses of health data for quality measurement, reporting and improvement, and this identifies – it talks about the benefits of quality measurement, the challenges and organizations that link health data have an important role in promoting quality but must not violate trust. So pharmacy benefit manager issues are raised there. Are there questions or comments about this section on uses of data for quality measurement and reporting? Okay. DR. COHN: Yes, John Paul, you had the same issue in this section as you did in the other section. MR. HOUSTON: Yes, but I don’t think I need to restate – DR. COHN: Okay, I just wanted to make sure that Margret has it. DR. CARR: You got that, Margret? Thank you. All right, we are now moving on to the next use of health data which is uses of health data in research. John? MR. HOUSTON: Sorry for monopolizing this, but on 573, it talks about research studies. You have evolution of quality improvement and the research they may violate the HIPAA privacy rule. I’m not sure whether that’s the case as much as it might violate the Common Rule because the HIPAA really does defer to the IRB’s structure and the Common Rule to govern the oversee research. So I think you have a problem with the Common Rule. DR. COHN: Could we say and/or the Common Rule? MR. HOUSTON: I think it’s the Common Rule, though. DR. FRANCIS: It is the Common Rule. DR. TANG: But the privacy rule says that it would be – it needs to go through the research pool if it’s going to be research. DR. COHN: The microphone, please. DR. TANG: In some sense, HIPAA is deferring to the Common Rule. But if you try to “escape” it through the operation – DR. COHN: Then maybe we should say both. It violates the Common Rule which would in turn or just however you want to word it. But people who look at that who understand the balance and will say that’s wrong. So we want to be clear. DR. CARR: Okay, I had some wordsmithing on this as well which is on line 576, for example, a review of cases for quality assurance may reveal that administration of a new drug, and then I just change it here to say is causing previously – oh, I can’t read my writing, but unanticipated consequences, and that public safety necessitates publication of the information even though it was not originally collected under IRB oversight. Is that helpful? Very lengthy flight down from Boston last night. For example, a review of cases for quality assurance may reveal that administration of a new drug is causing previously something about unanticipated consequences and public safety necessitates publication of the information even though it was not originally collected under IRB oversight. We’ve heard a little bit about that, the VIOXX risk and so I just feel that to John’s point, really punching this out to a very real life experience, and we actually – there’s been a whole issue with a protein and cardiac surgery now, you know, that’s coming out of exactly these kinds of evaluations. So I think giving it a little more texture if you permit me some wordsmithing there. Are there other comments or questions about uses of health data in research? DR. DEERING: Justine? DR. CARR: Yes, Mary Jo. DR. DEERING: Actually, it’s just a simple request, and I’m happy to work with someone on it to add some sort of an opening sentence to this section because we’re jumping directly into the issue of research regulations. It leads the reader to anticipate that that’s the sole thing. So I think it’s a simple thing of just leading off the section. DR. CARR: That’s great. Did someone just join us? No? Or they hung up. Kevin, are you gone? DR. VIGILANTE: I’m still here. DR. CARR: All right, other comments on research? Hearing none, we’ll move on to uses of health data for public health. Any comments on this section? DR. VIGILANTE: I have one. I can’t see the hands. DR. CARR: Yes, Kevin, go ahead. DR. VIGILANTE: So it’s really just a construction issue. So one 602, 603, the example needs to be – it’s sort of an awkward construction of things. Many individuals are unaware of requiring reporting. Others are aware to the extent that they may see the caregiver under a false name to avoid consequences of reporting. I think it just needs to be reframed as – DR. CARR: Right, we will do that. DR. VIGILANTE: And then a new paragraph begins because then you sort of launch into what the CDC is doing. DR. CARR: Okay, we’ll incorporate that. Other questions about public health? Michael? DR. FITZMAURICE: I would also suggest a public health operations efficiency. Often you have scarce money for public health, and so you use this health data to decide where you put your money, what services you provide to the people, and that’s an important use of data for public health. You’re making presentations to a budget committee, you need to put money here because it has a greater effect on the population than putting money over here. You bolster your arguments for data. DR. CARR: Thank you. Leslie? DR. FRANCIS: This may be more than you can do. But there are real differences between the kind of surveillance collecting it for public health where we’re worried about disease spread and where we’re worried about interventions to help people take better care of themselves like the diabetes one. And this doesn’t separate that out. I don’t know whether it should or how it could. DR. CARR: I think we can incorporate that. That’s a good comment. And Michael, if you have language that you’d like about your comment about the efficiency and operations budgetary allocations, that would be helpful. DR. LAND: The example bio sense may or may not be the best. As I understand, bio sense is under considerable reconsideration right now, and I don’t know if it’s actually going to be going forward as an example like this. DR. CARR: Does he have an alternative? DR. LAND: I don’t have the answer to that. DR. CARR: Do you have any alternative recommendation or example for here? DR. LAND: Not at the moment. DR. CARR: Steve? DR. STEINDEL: I think it should remain. It’s a specific example at a point in time. And while Garland is quite correct that the program as conceived of today may not move forward, I suspect what might move forward is going to move forward in a similar fashion. DR. CARR: That type of surveillance, yes, and I think – DR. VIGILANTE: Probably right. It’s very likely to have natural disease surveillance. DR. CARR: And I think that when we had discussions about this, a point was raised that this is different from the traditional public health reporting of existing disease, and it’s more on the surveillance information. So we’ll work with that and take your point into consideration. Are there other comments on public health? Moving on, using public data involves information change. This really ended up being only two paragraphs and an example. But I would say it represents about 500 hours of discussion. I think it was raised – actually AMIA raised it in their meeting in June about commercial uses, and we talked about it in our meeting in October about when there is monetary exchange, is that necessarily undesirable. And so we’ve summarized it somewhat here, and I think we later point to the fact that we need more attention on it. The example here, John, yes? Yes, did I miss that? Oh, that’s right, sorry. MR. HOUSTON: There’s a new second paragraph. DR. CARR: That’s right. Paul made some significant improvements to this. I’ll read as it appears on the screen. These privacy protections are not – well, I think I better read both paragraphs. So the topic is uses of health data involving monetary exchange. First paragraph, an increasing concern relates to the sale of data where financial benefit accrues to someone other than the individual who is the source of the data. HIPAA requires an authorization for any use by covered entities of protected health information or marketing except if the communication is face to face by the covered entity to an individual or if it is in the form of a promotional gift of nominal value provided by the covered entity, and the other citations. That could maybe be two sentence. HIPAA also specifies that if marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved. These privacy protections are not available to individuals when dealing with organizations that are not HIPAA covered entities or that de-identified protected health information or for selling it. There is a need for sustainable business models to maintain and use data for patient care, research, public health, personal health records and other expected purposes. If other unanticipated uses of personal health information are not disclosed to individuals, they may cease to trust the system which would potentially harm patient care and other beneficial uses of health information. Paul, did you want to comment on that? DR. VIGILANTE: I think that’s fair. DR. CARR: Yes, what you did was very helpful and helps us focus. Okay. Marjorie? MS. GREENBERG: This may be wordsmithing. And if so, don’t worry about it. But to me, in this example, I think the first sentence, I would take off that last phrase because it’s confusing as to whether there’s actually advertising in the EHR or what. I would just say an individual may benefit from a provider using a EHR. In turn, the provider may be able to give better care to an individual by using an EHR. But when the EHR vendor mines the data to supply advertising to the provider book, blah, blah, because that is, EHR being subsidized through the use of advertising, I found quite confusing as to what you meant by that. DR. VIGILANTE: Yes, I agree. DR. CARR: Oh, yes, you’re right. MR. HOUSTON: Do you want me to read an alternative? DR. CARR: Do you want to – I have it here. Do you want to read that? I’ll read it. So the example then as revised by Paul’s recommendation to say an individual may benefit from a provider using an EHR. However, the provider’s use of an EHR may be subsidized by the use of advertising to the physician. Alternatively if the EHR vendor mines the data to supply advertising to sell products directly to the individual or to sell information to a third party for other uses, the individual’s trust in the provider may erode and concerns about privacy increase. DR. VIGILANTE: I think the phase about advertising detracts from the main – it’s really about the mining of the data and getting right to that without that intermediate sentence or phrase, I think, gives it greater impact. DR. CARR: So Mary Jo? DR. DEERING: And my question was not seeing it and only hearing you read it, it sounded like the second – I didn’t know what to make of the second sentence. I didn’t know if it was a statement of approval, but it began with the word however. DR. CARR: Yes, provided use of an EHR – DR. DEERING: So I wasn’t – DR. VIGILANTE: Let’s take it out. DR. COHN: Yes, and I actually – this is one where actually I think Marjorie clarified it better. I guess I’m sort of thrown off by the word alternatively which I’m not quite sure what to make of that transition through there. I actually think that with the changes that Marjorie was suggesting here, it actually comes away as being a relatively compelling example. DR. CARR: So Simon, if we took out the word alternatively, then it would be – I’ll read it again. An individual may benefit from a provider using an EHR. However, the provider’s use of an EHR may be subsidized by the use of advertising to the physician. If the EHR vendor mines the data to supply advertising to sell products directly to the individual or to sell information to a third party for other uses, the individual’s trust in the provider may erode and concerns about privacy increase. Yes, Jeff? MR. BLAIR: Maybe there’s an example of this somewhere. I’ve just never known of this. So I’ve known of areas where advertising might be included, but it isn’t the EHR vendor. So I don’t mind if it’s used as an example, but I think there should be something to say like if this occurs rather than because it almost implies that it is occurring. DR. FITZMAURICE: And it could also be illegal. How does an EHR vendor get access to this protected health information. DR. CARR: Business associate? DR. FITZMAURICE: It’s still illegal. DR. COHN: Why don’t you let Margret talk? MS. AMATAYAKUL: We actually have a specific example of a vendor that is doing this today. I didn’t cite that vendor. I don’t know whether it’s appropriate to do so. But – DR. COHN: Now is it a vendor of EHR systems? MS. AMATAYAKUL: Yes. DR. COHN: Or is it – MS. AMATAYAKUL: Two vendors. MR. BLAIR: So there’s two examples of something like this has happened. Then I’d like to know is it where it’s a stand alone, or is it an ASP model where it’s a service that’s being provided. MS. AMATAYAKUL: An ASP, I believe. MR. BLAIR: That’s exactly what I was thinking, and that can give – the way it’s worded it gives a very different impression because I think most people think of EHR vendors as ones that provide software as opposed to those that provide a service. And so I think that I have no problem with your including the example. But let’s either add that it’s a service as opposed to just a generic term vendor and maybe indicate that is not common. DR. COHN: Jeff, if I may jump in, but is the word vendor the one that’s bothering you, and would you rather have that maybe be like service provider? MR. BLAIR: Yes, thank you. DR. CARR: All right, I saw a number of hands. Harry? MR. REYNOLDS: Yes, again, as we go through this and as we get deeper and deeper in the document and start zeroing on certain things, one of the key points that this is continuing to show that there are people outside of the HIPAA world right now, whether it’s services, whether it’s vendors, whether it’s these other things, they are in free space in many cases. And so we’ve got to be – we’ve just got to keep that message. So remember to keep – every once in a while keep looking back at the guiding principles because those are the things that we have to keep that consistent message throughout this. I’m not picking on anything that anyone just said or anybody’s going to say in the future. I’m just saying that’s the one thing that we continue to hear clearly, and that’s why we want to – there may not be as many examples as people would want, but there is a group of people out there that are non-covered who are offering services in today’s world that are outside the stream of what we want to protect. DR. CARR: John Paul? MR. HOUSTON: Just a little comment. I guess one of the challenges I’m having with sort of the organization this reports to is the recommendations are sort of separate from this overview or this background section of the report. And I guess one of the areas that I know one of the recommendations involve the FTC and oversight of these types of activities. I know it’s later on in the report. I’m not sure whether you do – whether you can do any changes. Maybe I’m just sort of stating it. I keep looking at different sections of the report, and there’s a little bit of a disjoint between – there’s a section that talks about the background, and there’s an entirely separate section that almost restates some of these things with the recommendation. DR. CARR: I agree that there’s an inconsistency of where we draw the line from the amount of data in the background and the amount of data in the observation. Would you favor – MR. HOUSTON: Let me ask a question. Do these sections lend themselves to be moved so that they go along with the section at the recommendation? Are they really organized in a way that would make that incompatible? I don’t want to make people go through a lot of rework. I’m just noticing – DR. CARR: Right, we have an earlier draft we could show you. MR. HOUSTON: Really? Okay. I just thought I’d bring it up because, again, this is the FTC recommendation which is later on, and I’m thinking, okay, where is that recommendation. DR. CARR: Let’s hold that thought, and then I’m just going to go around and make sure we get everybody. Paul, did you have a comment? DR. TANG: So as you pointed out, this topic is probably the thing that once stimulated the expiration of this content area and generated the most controversy. Yet it may occupy the least amount of space in the entire document on a relative basis. I don’t think we want to short change it by not fully describing the concerns that were raised and being able to characterize them in a tribute, you know, and identify the root causes of the concerns so we can deal with them. So to that – there seems to be two concerns of use of data. One is in using the data to influence the decision making of physicians that may turn around obviously and influence the care the patients receive. And the second is to use personal health information to influence patients or consumers’ decisions or choices, and those are both things that you tried to bring out in this example. Another example I circulated just yesterday that came out of the news was the example of a PBM, and PBMs covered? Okay, they just businesses, okay. MR. REYNOLDS: They’re either business associates or covered entities depending upon whether they dispense drugs. DR. TANG: Okay. So in this example, a PBM obtains information for its authorized use, then turns around and sells it to data miners who then turn around and sell it to pharmacy companies. And so we have this clearly involves this use of health data including monetary exchange, and it clearly deals with the interface of covered entity, business associates and other uses of health data. That might be another example and, again, I’m saying I don’t think we need to be too concerned about lengthening this very, very short section since it is the major concern of – DR. CARR: And I have a question, too. What we didn’t talk about in this write up is that there are exchanges are data for monetary exchange that promote quality and things like that. Is it necessary? MR. BLAIR: It may or may not promote quality. But I think it’s valid that that is a possibility that it could be good or not good. DR. CARR: Yes, we’re immediately jumping into the situations that are concerning. But I think a part of our discussion was that to simply say monetary exchange does not equate with nefarious purposes, and so I wonder if there would be – MR. BLAIR: That’s a good point. That’s right. DR. CARR: Yes. So perhaps we could add something about that as well because I think that we started with the assumption that it was something to be managed. Okay, Leslie. DR. FRANCIS: Another kind of use that I was a little surprised I didn’t see here or somewhere is use by an entity for its own advertising or to persuade people to come get care from them. That’s different from direct consumer advertising of drugs, but it could also be sold. You know, data could be sold as an advertising mechanism. DR. CARR: Right. Mike? DR. FITZMAURICE: Two suggestions. One is involving monetary exchange, the example doesn’t talk about a monetary exchange. It’s subsidizing, it’s a thing of value. So you might want to say exchanges of value including monetary exchanges. And secondly, I’m bothered by when the EHR vendor mines the data. The EHR vendor isn’t a covered entity. So it must be a business associate if it’s dealing with a covered entity. And I don’t understand how a business associate can mine the data to supply advertising to the provider unless the provider argues that something I can do for myself and I’m hiring this vendor to do it for me. Absent that, it’s illegal in my opinion. I of course am not a lawyer. DR. CARR: Well, in the example that Paul sent out last night, I think it was de-identified data – no? DR. TANG: So it was sold in identifiable format, and it didn’t get de-identified until it sold the second time. DR. FITZMAURICE: So then the vendor would have had to have hired that second stage to de-identify the data. You can’t just do it without the provider’s authorization. It’s illegal, and they could be prosecuted. DR. CARR: Yes. John? MR. HOUSTON: Can I say one thing here? By the way, it is a very common practice for EHR vendors to try even non ASP vendors to try to get ownership or rights to de-identified data. I do contracts constantly, and I strike it out of probably about 20 percent of the contracts I do. So this is a very common practice, and they’re very successful about it. DR. CARR: All right, Jeff and then I think Jeff has the final comment. MR. BLAIR: Right. And what Michael was just commenting on where sometimes the entity that’s providing service might appear to be a professional association, and that’s why I feel as if – and that’s the one where, you know, there’s really a real concern about either – and the secondary use of the data may be for good purposes. But there’s where the deceit and the transparency – the deceit is such a concern, and the transparency is so important. And that’s why I was concerned that we get this on target, that we get it focused towards the area of concern. DR. CARR: Thank you, John. I have one question. We don’t really call out de-identified data in the background. We get into it in the recommendations and observations. So I wonder if we need to tee it up a little bit in the background as we do for other things. So a note about that. The next section then is the guiding principles. In the interest – DR. COHN: Well, hang on a second. What are we doing with this section now? I heard you throw out a bunch of things. So what’s going on with this section? DR. CARR: Yes, okay, so what I’ve asked a number of folks to make their – DR. COHN: This section, uses of health data and monetary exchange, that section. DR. CARR: Oh, okay, that needs additional work. DR. COHN: Explain to me what additional work is going to occur. DR. CARR: Well, it sounds to me like we need more detailed or more precise language in the examples. And as Paul, one of the things we heard is that we didn’t break out in more detail. We heard three uses, uses of data to influence an MD which might downstream influence a patient. Two, use of data directly influencing a consumer. And then three, the example we heard about last night about the PBM has an authorized use and sends it to a data miner who sends it to multiple exchanges. There’s three areas that are not specified in this but are areas of concern. So I would say that that was one thing that we heard. I think Jeff asked for some clarification in the example. And then I mean how much more do we want to expand this? Let me put it back to the group. DR. COHN: Well, I think I also heard a sentence that needs to be something along the lines of while not all uses of health data that involve whatever is Congress now exchange of – DR. CARR: Value including monetary. DR. COHN: Yes, value including monetary – MR. BLAIR: Exchange of value. DR. COHN: Should be of concern or something like that. The NCVHS did hear some areas that were of concern, something like that. DR. CARR: Okay. DR. COHN: Margret, you were going to make a comment? MS. AMATAYAKUL: I was listening. DR. TANG: And maybe just to add to that list of things to explore, it stated that it sold for monetary exchange that have the potential to cause harm that you previously enumerated like discrimination, et cetera. It’s clearly another way to do it is to find ways of excluding people from insurance. That would be a use of mining data sets, and that’s one of the things you’d want to address as well. DR. FITZMAURICE: Justine, I’d also suggest addressing the fact that some of these things may be illegal. And so the illegality is an avenue is pursue as well. DR. CARR: That’s already covered under HIPAA. DR. FITZMAURICE: Under HIPAA or state law? HIPAA goes so far, and then the rest is contracts that would be covered by state law. Business associate agreements, for example. DR. CARR: Right, right. So I mean I think we talked later in the recommendations about strengthening and pursuing the business associate agreement. So presumably that implies if you break the contract or do something illegal that it should be, and I think we do say that in the recommendations. DR. FITZMAURICE: But my point here would be some of these things are illegal. And so the illegality of it raises great concern. DR. COHN: Well, I think, Mike, you’re making an assumption that may or may not be the case. I think what we all heard in testimony and I’m sorry obviously you weren’t part of it was that in some cases the ambiguity of the business associate contracts actually allows it legally. DR. FITZMAURICE: Not if the vendor is doing something the provider can’t do for him or herself. DR. CARR: Okay. I think that we need to move on to the next section, but I don’t want to lose sight of that comment, and I’ll circle back with my Marjorie because you are the executive secretary. You may have the final – MS. GREENBERG: Well, I don’t like to use that too often. But I would have to say that from the very beginning I have had a problem with this concept of the sale of health data where financial benefit accrues to someone other than the individual who is the source of the data. I really don’t think that’s the problem. Jim just leaned over to me and said NCHS sells public use data tapes which includes information about – de-identified, but about individuals, and they’re not getting any monetary benefit. I think the issue has to do with marketing or other types of things. But this is so – mostly the sale of anything doesn’t necessarily accrue to the person who’s the source of it. I mean, and I can’t even imagine how the sale of the data would accrue to the person who’s the source of it. So I’ve always had a problem with that conceptualization. But I’ve mentioned this now over a period of months. So if everyone else is comfortable with it, then I – DR. CARR: Well, is everyone else comfortable with it? MS. GREENBERG: I really don’t have it. DR. CARR: Is it taking us down a road that we don’t need to go? Steve? DR. STEINDEL: I think we’ve discussed this topic repeatedly in the group, and I’m happy with that sentence because it’s not putting a value judgment. It’s just saying that there is concern, and then we go on in the recommendations section we address the concerns. And I think this is a very – you know, I think you brought this up a couple of times, Justine, in discussing people’s comments. In that this section is a background section, it is introducing thoughts. And I’m leery about expanding those thoughts outside of where we start going into specific recommendations. DR. CARR: Yes. Simon? DR. COHN: You know, this is just a suggestion that maybe rather than increasing concern, it’s more like NCVHS heard concerns. I think that more objectifies it. DR. SCANLON: I would even make – it’s just not a well-defined. It sort of raises an alarm about something that may or may not exist, and we’re not sure what exactly the situation is. And I would just feel more comfortable with few – and, again, many organizations sell data including our own agency, and some of it’s identifiable under certain circumstances. DR. VIGILANTE: Well, maybe we can put that in one of the examples to show sort of the gradation of some things that really are concerning and some that might be concerning. DR. SCANLON: Well, I would just make it more exploratory like this jump came up and it needs further investigation. DR. CARR: Yes, okay and frame it that it was raised. Yes, because it’s written a little bit like it is an absolute. And what we want to say is it represents the opinion of someone. Yes? MR. BLAIR: I think this is not a question whether it’s done or whether it’s legal to resell data. I think that this is getting, laying the foundation for the issue of whether the public understands this or not. It’s the transparency issue. That’s what it’s laying the foundation for. So I would agree with Marjorie that we don’t want to say that this is necessarily a bad thing. It may be done for improving the quality, in patient safety, for good reasons. So it’s not that in itself it’s a bad thing. The issue is whether or not the public is aware. DR. CARR: Okay. With that comment, I believe we will conclude this section. I think in the interest of time, having already covered the guiding principles, I will not go to that but turn it over to Harry. DR. COHN: And I’m going to ask – we’re going to do a late lunch break obviously and sort of try to go through the recommendations. Marjorie, do you have a comment, and then I’ll let Harry get started. MS. GREENBERG: I thought we probably were going to do that. But we do need to keep to our schedule later in the afternoon. But I wanted to – I’m sorry, but to ask if anyone else is on the phone line. DR. VIGILANTE: It’s Kevin. MS. GREENBERG: I know Kevin. Is anyone else on the line? Okay. I’ve been emailed that someone else was on the phone. DR. COHN: If they mute themselves, we wouldn’t hear them, but they would hear us. Larry? DR. GREEN: I wanted to just raise one concern about the guiding principles before we go by them. They’re at page 17 in the letter. In my view, this is some of the most important words in the whole letter, and I think we have widespread agreement about that. But I don’t want to be dismissive of them, and I want to raise just one issue. On line 650, it says that the recommendations reflect the ability to support benefits from users of health data while protecting their privacy. In my view, having studied the simple times now front to back, this is the closest line we have to a goal statement in this letter, and I believe these words are hugely important. We don’t have anywhere in the letter a statement of what NCVHS’s goal is in submitting this other than come and ask us to write a report. So here’s the report sort of thing. I’m just wondering if we might not want to in this guiding principle statement make explicit that our goal is to make recommendations that will reap benefits to this nation from the uses of health and not at the cost of reasonable privacy protections. That’s really what we’re trying to make recommendations for. I really like this language. I like these words, and I’m wondering if they could be almost held out as a goal since they are goals to do this. And then we say in our guiding – in these protections, our principles are that these protections should do these things, elevate and clarify it because this is a complicated letter to understand. DR. CARR: And even more to write. Are we comfortable with the guiding principles appearing just before the observations and recommendations in that sequence? DR. GREEN: Oh, yes. I think that’s a very important development, a very good development. DR. CARR: I like your idea, though, because you’re right. The introduction is we were asked to do this. And I think it would be – it is really our intent that the goal as outlined here is the goal of all this work. So we will work to put something very strong in the opening. DR. STEINDEL: Can I just ask that like in the very first sentence of the document you throw the word balance back in this also. DR. CARR: Yes. DR. STEINDEL: Because some of these, they require trade offs. DR. GREEN: And just one small thing. I think it will be very important in principle number three to put the word appropriate in front of uses. DR. CARR: Number three, facilitate appropriate uses, okay. I apologize because I read them, but I didn’t ask for comments back, and that was my mistake. Are there other comments about the guiding principle? Michael? DR. FITZMAURICE: And we say these are guiding principles against which each recommendation should be evaluated. Then under observations and recommendations, we say NCVHS believes that data stewardship principles should be applied. Are these the same principles, and if so we probably should call them the same thing. They’re not the same thing. Okay. Then they go to say what those data stewardship principles are. DR. CARR: Yes, and we do in that closing sentence, but I’ll leave that to Harry. Marc? DR. ROTHSTEIN: This is just that tiny wordsmithing, but this is now the most important section of the document. So I’ll take the liberty of doing that and recommend on line 662 delete the word uniform. DR. CARR: Okay, increase the clarity and understanding of laws. DR. ROTHSTEIN: Right. DR. CARR: And regulations pertaining to privacy. We’ll delete that word. MR. REYNOLDS: Okay, to give you a brief mental break from that, I think one person that we haven’t recognized, we haven’t recognized in this process and just remember we’re just going through what we’ve heard so far. We haven’t gone into what we’re recommending, and that would be Simon. His leadership through this especially as we’ve worked with so many different entities and as you can see, this is a power packed emotionally driven assignment that we’ve had, and a lot of the other things we tended to have haven’t gotten quite this far in quite this breadth in some of the things that we’ve looked at. So I would like to have an equal round of applause, if not a bigger one, for anybody that so far – [Applause] MR. REYNOLDS: Now that you’re applauding, I take that as approval for the recommendations. [Laughter] MR. REYNOLDS: Okay, moving right along. As we move into observations and recommendations, we have nine major areas of recommendations. And so I’m going to do these recommendations. When we get to number one, we’ll make sure that we then go through all the way through the whole section, 1.1, 1.2 and so on and make sure because, remember, everything’s that numbered that way is about that same subject. So it’s a message, and it’s broken into pieces, and those pieces again tie back to the guiding principles, and they tie back to that particular one. So as we touch one, you know, a sub-bullet, we may be touching the theme. So let’s be very pragmatic in the fact that we look at this because we lumped these things together purposely in that way. So with that, we’re starting on 17, observations and recommendations. So I’d like to take any comments through number one if anybody has any there. Michael? DR. GREEN: Again, I’m puzzled by NCVHS believes that data stewardship principles should be applied to all organizations. Do we know what those principles are that we think should be applied. MR. REYNOLDS: Yes. If you read on later, data stewardship principles include accountability, transparency, individual participation and control, de-identification, security, safeguards, controls. DR. GREEN: Well, principles aren’t just a listing of terms normally. They’re statements of the goal that you want to achieve. If you will data stewardship issues include those. MR. REYNOLDS: Okay, well, give me a word then because the rest of the document talks about data stewardship in many, many pieces in many ways. So you need to give me a word — DR. GREEN: or data stewardship issues include attributes. MR. REYNOLDS: Fine. Thank you. Anything else before we get to number one? Okay. MS. GREENBERG: I’m a little uncomfortable – excuse me for interrupting here. But getting rid of the word principles which is a very nice solid word, and I think you could just say include assuring all of these things. I think those are principles to assure accountability, to assure transparency, whatever. DR. GREEN: I would go along with that if you say data stewardship should assure. But I don’t see the statement of principles yet. MR. REYNOLDS: Marc? DR. ROTHSTEIN: Or you could say the principle of data stewardship includes – DR. GREEN: Oh, that’s good. DR. CARR: Yes, I think we actually began with data stewardship without principles, just data stewardship, and we did get push back on testimony after we published it. But I would like to raise it again because I would be very comfortable with us saying data stewardship. DR. GREEN: But I like the suggestion that was just made, the principle of data stewardship includes the following attributes. I mean, data stewardship can be a principle. DR. FITZMAURICE: I would say it’s a burden. It’s a responsibility. But I don’t see that it’s a statement of principle, a statement of how you want to proceed by doing something whereas the principle’s the one through six before says here’s how we want to do something, and here’s how we’re going to do it. Data stewardship is a responsibility. DR. FRANCIS: What there’s a kind of confusion here about, I think, is whether this is something you have to bear in mind in how you are a steward of data, or whether this is something you ought to do. For, example, you have to de-identify when you ought to, but that doesn’t mean you always ought to de-identify, and that’s what I think may be the confusion underlying how to read this. So you might say the principle of data stewardship includes appropriate attention to each of these matters or something like that. MR. BLAIR: But I think that Michael really made a really good point in – it took me a little while to digest it. But referring to data stewardship as a responsibility, and you can still wind up having the same attributes underlined or things, and it makes it clearer because it says data stewardship is a responsibility. MR. REYNOLDS: Steve? DR. STEINDEL: I think there’s a difference here when you – and a confusion. I think in this document, we’re talking about data stewardship as a principle. We’re not talking about it as an absolute. This person is the data steward. This is what the person does. We’re talking about this as an abstract quantity, that these are things that any organization that’s handling data has to do. And then they will probably, if it’s a large enough organization, they will appoint somebody to be a data steward that has the responsibilities to do this. And I think we were very careful in trying to frame this as not responsibilities but as attributes. I don’t mind the word attributes. I prefer the word principle. But I have no problem really with the way it’s been worded. DR. FITZMAURICE: I kind of agree with what you said. A person who is designated as the data steward should follow the following principles. Data stewardship isn’t a principle, but it should follow the following principles. I’m not sure that I see them listed, but I agree that these are attributes of data stewardship that are listed here. DR. STEINDEL: Why isn’t data stewardship a principle as well as a person? DR. FITZMAURICE: It’s two words together. It doesn’t tell me how to act, how to act responsibly. MR. REYNOLDS: Okay, Larry, you had your hand up. DR. GREEN: It may have been Margret. I’m not sure. In our last meeting, someone actually projected, I believe, the definition of stewardship. I may have missed it, but I don’t think in our glossary we have the word stewardship. And on page 48 on Appendix D where we have the health data stewardship conceptual framework, it seems to me this gives us a location in which we could address this issue. It’s definitional, and what do we mean by stewardship. It’s a non-trivial issue because this is one of our fundamental conclusions from all the words. This is our fundamental recommendation, and it seems to me we should have a definition — DR. COHN: I think there actually is one in here. I think it’s on 435, on line 435. MS. AMATAYAKUL: It’s 442. I’m sorry, 435. DR. GREEN: Is that satisfying to everyone in this corner of the room over here? MR. REYNOLDS: Okay, so does this page stand as written, or do you still want it changed? DR. FITZMAURICE: Well, I don’t see – data stewardship is not a principle. It has attributes. On line 684, we say a framework of health data stewardship. So it’s part of the framework. MR. REYNOLDS: Judy? DR. WARREN: Well, what I’m wondering listening to all of this is if it shouldn’t be reformatted into the same format that the above protection’s format is and then take each one of those attributes and turn them into a principle because I don’t think it would be that difficult to flesh them out. Because as I go this, if we don’t do that, then the rest of the document has to be rewritten. The framework has to be redone because it doesn’t flow. So – and I guess I think those are principles. They’re just not worded that way. MR. REYNOLDS: Okay, do we want to take this offline and work on this? I think we’ve heard enough comments on it. Simon, are you good with that? DR. COHN: Yes. I’m just trying to think of what it is we’re doing because I’ve heard about four different – so basically this is going to be either reformatted ala Leslie’s comment about – I mean, you had some wordsmithing here that was – DR. FRANCIS: What I was just trying to say is these are the topics about which we’re developing principles, and the rest of it is the principled recommendations. So there isn’t a principle that says maximize individual participation and control. But there’s a principle that says you have to have a set of principles about what levels are appropriate and stuff. MR. REYNOLDS: I think, Simon, what we’ve heard is rearranging either a changing of a couple words or rearranging those words all the way to call it some kind of table like Judy talked about. DR. COHN: Well, I guess that’s one reason why I’m bringing this up because I think there’s ways, for example, Leslie sort of commented about paying appropriate attention to da, da, da, which is like way different than trying to make definitive statements about each of the pieces that relate here because I mean we are – in each of them, we’re sort of, there’s a reason why we have 1.1, 1.2, 1.3. This gets to be a little bit complex in terms of how we do that. But I – DR. FRANCIS: And this is really just an outline. It’s a list of what we’re going to be developing principles about. MR. REYNOLDS: Does anybody have any concern with Leslie’s approach? Does that answer what we have been talking about? Okay. All right, let’s go to number one, and that’s the observations and recommendations on the principles of data stewardship for accountability and chain of trust within HIPAA. The first thing, we’ll answer questions between this and 1.1, and then we’ll get into the serious nature of 1.1. Yes, John? MR. HOUSTON: Yes, I have a couple comments. On 713, it states HIPAA privacy and security rules only apply directly to health payers, clearinghouses, providers of electronically transmitted health information in connection with transactions for which HHS has a standard. I thought it was simply that it was in conjunction with the electronic transmission of health data in that standards part of thing came in insofar as they were only then permitted to use the standard format. So long as they electronically transmitted it, I don’t know how to say this, but this doesn’t seem correct. The transaction relates to the payer provider. MR. REYNOLDS: In the standard format. MR. HOUSTON: Right. But I think we need to be careful because health information transmission by an HL-7 or something else would not cause this to occur. So it’s just a standard transaction is what causes HIPAA to apply. The use of the payment or the processing of claims or whatever by a standard transaction is what causes HIPAA to apply, and I don’t think this sentence is necessarily technically correct, I guess, is my point. MR. REYNOLDS: Margret, we can validate that in the rule, right? MR. HOUSTON: And the second thing is on line 722. MR. REYNOLDS: Well, hold on. Karen, do you have a comment on that one? MS. TRUDEL: Yes, that’s absolutely correct. It’s a transaction for which the Secretary has adopted standards under the HIPAA regulations, not under other authority. And when the HIPAA law was passed, that was the only authority the Secretary had. That’s now standard. MR. HOUSTON: All right, so what we need to say is that if he’s adopting – the Secretary’s adopted or identified the standard, if you’re going to do that type of transaction, you have to use that standard and then HIPAA does apply. MR. REYNOLDS: Is that wordsmithing? MS. TRUDEL: I’ll talk to Sue McAndrews. MR. REYNOLDS: All I’m saying is look up on the screen. Here look at the screen. Michael? DR. FITZMAURICE: I can’t quite read that. But if we strike out everything after transactions and say electronically transmit health information in connection with HIPAA transactions, I think that nails it. MR. REYNOLDS: You don’t like what’s up there> DR. FITZMAURICE: I can’t read it. MR. REYNOLDS: Well, yes, but you’ve got to read that before you – I like it. DR. CARR: I’ll read it. The HIPAA privacy and security rules only apply directly to health care payers, clearinghouses and providers who electronically transmit health information in connection with transactions for which HHS has adopted standards under HIPAA. DR. FITZMAURICE: I think that’s perfect. MR. REYNOLDS: Okay, good. Any other comments? Mark? DR. ROTHSTEIN: Does it permit covered entities to enter into contracts? I think it requires. That’s one line 722. MR. REYNOLDS: It’s 722. MR. HOUSTON: It says permits. It should be requires. The HIPAA privacy and security rules permits covered entities to enter into, and I think it needs to say the HIPAA privacy and security rules requires covered entities to enter into. MR. REYNOLDS: Marc, do you have a comment on that? DR. ROTHSTEIN: Yes, I just wanted to – not what John said. MR. REYNOLDS: Well, let me finish this one. Are we okay with requires? DR. FRANCIS: That’s only if they’re transmitting electronic health records? MR. HOUSTON: No, no, no, this is for business associates, and my only point is that it’s not a permissive, it’s required. Once somebody is doing something on your behalf, it’s required that they enter into a business associate contract. MR. REYNOLDS: Marc, next comment. DR. ROTHSTEIN: I just want to go back to the definition of who’s a covered entity. I mean, if you – MR. REYNOLDS: What line are we talking about? DR. ROTHSTEIN: Uhm, 715. I mean, if you want to be technical, we should include sponsors of prescription drug card. Congress amended the Act to include them under HIPAA. Did that expire? Okay, never mind. MR. REYNOLDS: Your comment was correct. It was just not timely. DR. ROTHSTEIN: It used to be correct. MR. REYNOLDS: Anything else on the section between now and when we get to 1.1. And this is our area of our observations and recommendations after we’ve heard all of the testimony. DR. TANG: Are you going paragraph by paragraph? MR. REYNOLDS: No, I’m going through that whole area until we get to 1.1. DR. TANG: So I have a number of comments from lines that – MR. REYNOLDS: Okay, they are now on the screen. They are what lines, Margret? MS. AMATAYAKUL: Seven forty-one to 759 on the original document. And Paul, just we had separated that big paragraph into several smaller paragraphs. That’s why it doesn’t look the same. DR. TANG: So what am I – MR. REYNOLDS: Do you need to comment? DR. TANG: I’m submitting those. MR. REYNOLDS: Well, I guess we need to read them because it’s changed it pretty dramatically. So – yes. Margret, why don’t you go and read them. MS. AMATAYAKUL: Sure. So – MR. REYNOLDS: So this replaces 741 to 759 in the document in the book? MS. AMATAYAKUL: Right. So furthermore, since HIPAA de-identified data are not protected health information under HIPAA, business associates or their agents may use de-identified data for purposes not required to be described in the business associate contract. There are also no assurances that the de-identification process used by the business associate will be consistent with that required by HIPAA. NCVHS heard testimony concerning varying ways protected health information may be de-identified. Without assurances of proper de-identification methods being employed or without an awareness of the uses made of de-identified data, covered entities – I’m sorry, without an, it might be good to make this or an and – without assurances of proper de-identification methods being employed and without an awareness of the uses made of the de-identified data, covered entities are unable to describe what uses may be made of individual’s data and are not able to confirm whether proper and reliable methods of de-identification are being used. The risk of information being re-identified continues to increase as more public databases become available and techniques for re-identification become more sophisticated. The ability to re-identify information that was previously believed to be – I’m sorry, we just changed that – believed to be de-identified constitutes a use of protected health information not described in and in violation of the business associate contract as re-identification occurs further down the chain, it is more difficult for the business associate to identify such a violation and report it to the covered entity. Consequently, these issues open up an individual’s data to uses that the individual does not anticipate and for which the individual may or may not be in agreement. DR. REYNOLDS: Comment? DR. TANG: So the rationale behind making those changes is a second major theme we found is that this whole notion of de-identification has evolved just in the ten years that HIPAA’s been around, and we know more and more, and the risk increases every day that more and more without complete de-identification there’s a certain risk of being re-identified. So that’s why one Karen said HIPAA de-identified, i.e., de-identification by the HIPAA method from others that claim to be de-identified. And, again, if we go back to the example I circulated yesterday, that’s another example where the letter that PBM submitted saying we’re going to stop this and we used non-identified data was probably a way of expressing that they didn’t use the HIPAA prescribed de-identification. MR. REYNOLDS: Any questions? Michael? DR. FITZMAURICE: I wonder if what Paul just said doesn’t lead to consideration of a recommendation that HIPAA be changed, the privacy rule be changed to require the person receiving de-identified information to promise not to re-identify it. Before we didn’t think it was possible. But it might be possible in some cases. MR. REYNOLDS: Well, I think one thing at the end of the recommendations we do say as far as it relates to de-identified, we will hold additional hearings. DR. FITZMAURICE: Okay, so then out of that, after that – MR. REYNOLDS: Could come whatever recommendations we would or would not want on de-identified further than we have. DR. FITZMAURICE: That’s good enough. DR. REYNOLDS: Okay, moving along, let’s go to the next main paragraph which is organizations providing data transmission services. Margret? Who had their hand? Oh, Jeff, put it up a little higher next time for me. I can’t see you down the end of the line. MR. BLAIR: I was putting it up just as I think you were about to read the document. I’m sorry. Is re-identification of de-identified data, is that legal or is that illegal? DR. FITZMAURICE: The burden, as I understand, the burden is on the covered entity not to release the entity and de-identified unless it’s re-identified. MR. BLAIR: I mean, has there ever been a legal ruling that re-identifying de-identified information, is that still legal? DR. FITZMAURICE: I’m not sure. I would refer to a lawyer on that. But my lay opinion is that the burden falls on the covered entity, and if somebody else does it, then you have a chain of contracts enforceable by state law that lets you file suit for harm. Steven, again? DR. STEINDEL: We actually did have a comment about that from Maurice Landel in our discussions, and he noted that if a person who has received de-identified data regardless of where it is in the chain and, you know, with the presumption that it’s really down the chain so they don’t have a direct relationship with the original covered entity generating the data and did re-identify the data, they’re now holding PHI. DR. FITZMAURICE: Only if they’re a covered entitled. DR. STEINDEL: Well, yes, that’s the key. So there is a quasi – there’s a strange legal status that’s been undefined about de-identification. DR. FITZMAURICE: And Jeff, it’s clear that going down the chain that the covered entity is responsible for not letting that de-identified data be re-identified. DR. STEINDEL: And that’s, you know, that’s why it led to us saying that we will investigate this further because of the lack of clarity on that. MR. REYNOLDS: I think, Michael, you’re leading right down the chain which will be starting at 1.1 because that chain is a significant issue, significant concern and significant part of this process. Okay, ready to move on to 1.1 which really starts getting into, it’s headed by the recommendation on business associate contract provisions, and then we have 1.1, 1.2, 1.3 and 1.4. Any comments on those? Okay, John. All right, moving on to 1.2 is the recommendation on the confirmation of business associate contract compliance. John? MR. HOUSTON: Yes, specification on line 862, it says under number one, parenthetical one, issuing guidance about practical scenarios where contractual violations by a business associate could result in violation of the HIPAA privacy rule for a covered entity. I’m not sure whether – how there’s a violation of HIPAA by a covered entity through a business associate. I guess if potentially if the covered entity doesn’t take appropriate steps based upon the business associate doing something wrong, there could be a violation of HIPAA. But you might want to clarify that. MR. REYNOLDS: What would you want it to say? MR. HOUSTON: Issuing guidance about practical scenarios where a covered entity fails to appropriately or discipline or appropriately manage a business associate could result in a violation of the HIPAA privacy rule. MR. REYNOLDS: Anybody have any issues with this? MR. HOUSTON: Or something of that sort because it’s the failure to appropriately oversee or discipline – and discipline’s not even the right word. But there’s an obligation to take steps to mitigate and to address any inappropriate activity by a business associate which would give rise to – MR. REYNOLDS: Now we got Jeff and Justine. MR. BLAIR: Because I’ve had some exposure to dealing with state legislators on these privacy issues, one of the things that surprised me because I don’t come to issues in this manner. But I discovered that one and then several state legislators look at these issues in a very different way. I typically looked at it in an overall view in terms of what is the risk, if the risk is small, then I wasn’t going to worry about it. They look at it the opposite way. They wind up coming at it if there’s any risk at all, and I’m coming to the de-identification, then that’s where they zero in. And I’m mentioning that because some of these legislators in my state may have the same mentality that others do in other parts of the country, and therefore, I think we ought to have some statement in this recommendation letter beginning to address the exposure of re-identification because they’re going to zero in on that. MR. REYNOLDS: Well, how about if we do this, Jeff. How about if we include that in and – you know, we’re doing a further hearing on de-identified. MR. BLAIR: Okay, but let’s clearly state that we consider that an issue, and that that issue will be addressed further so that – yes, it is, okay. MR. REYNOLDS: Margret, will you make sure we note that when we get to that recommendation. MR. BLAIR: Thank you, Harry. MR. REYNOLDS: Justine, did you have further comment? DR. CARR: Yes. I just wanted to follow the chain of discussion here or the chain. So going back to 1.1 for a second, we’re saying that you have to in the business associate contracts in 1.1.2, it should include terms that explicitly describe what HIPAA de-identified data may be used and to whom de-identified data are supplied. Okay, and so we’ve been talking about a concern about re-identification. But we’ve also raised the issue that there’s a lot that we need to learn about de-identified data and its uses and so on. So we’re not addressing re-identification in these recommendations, is that right? MR. REYNOLDS: That is correct as it stands right now. It’s an open item. DR. CARR: Yes, it’s a concern that needs – MR. REYNOLDS: Because until we understand de-identified better, we don’t understand the re-identification of it any better. Judy? DR. WARREN: Mine is kind of an editorial comment, and it’s back up on the top of page 22 for 1.2. When I see all this in a paragraph, it’s really hard for me to follow one, two and three recommendations that are under that. I was wondering if they can’t be listed out kind of like in this format where you can see them because it’s hard for me to see issuing guidance, updating business associates, and incorporating confirmation stuff. Look back – what I’m talking about is on line 862, if there could be a carriage return after by, having number one listed, a carriage return after number one, have two. It’s just a formatting issue, but it’s really difficult for me to read those. MR. REYNOLDS: Okay. Michael, I thought I saw another hand up. DR. FITZMAURICE: On 1.1, 1.1.3, I would suggest a word insertion that reads that there must exist a contract. I would insert with protections equivalent to the business associate contract as described above between the business associate and all of its agents. So the contract doesn’t have to be equivalent, but the protections that afford it have to be equivalent. We’re concerned about protecting the data, protecting the individual. MR. REYNOLDS: Does that make a covered – well, the question that it would raise, does that make the covered entity or the business associate or the agent have the same responsibilities as the covered entity. DR. FITZMAURICE: Well, as delegated by the covered entity and as required by HIPAA. MR. REYNOLDS: Okay. Margret? MS. AMATAYAKUL: I’m sorry. So we’re adding as delegated by the – what exactly –- MR. REYNOLDS: Michael, say your words again? DR. FITZMAURICE: That there must exist a contract with protections equivalent to the business associate contract as described between the business associate and all of its agents, and then including agents of agents. MR. REYNOLDS: Okay. DR. FITZMAURICE: The protection follows the data. I’ve got one more suggestion. MR. REYNOLDS: Yes. DR. FITZMAURICE: 1.1.4, that any organization that supplies de-identified health data for a specified purpose will ensure that the de-identification process follows the HIPAA requirements for de-identification. MR. REYNOLDS: Comments? Okay. Did you get that. DR. FITZMAURICE: That any organization that supplies de-identified health information as opposed to any organization that specifies it will use de-identification organization. If I’m going to use, I probably don’t know how it was de-identified. But the person supplying it to me – MR. REYNOLDS: Yes, you just added the word supplies. DR. FITZMAURICE: Yes, that’s right. MR. REYNOLDS: Good. Okay, anything on 1.3 before we move on to 2. Larry? DR. GREEN: Harry, on line 875, it says any organization providing data transmission. So I mean, this one as scoped. So I want to ask for just your clarification of the intent of all three of these now in a row, 1.1, 1.2 and 1.3 and it if applies to anybody to this situation. All over the country, one of the most prevalent ways of pursuing quality improvement now are variations on this theme. There are collaboratives of providers who organize themselves for the purposes of doing a joint project across sites. There are practice-based research networks for covered entities, providers, maybe 100 of them from all over the country get together to do a quality improvement project. There are HMO improvement networks. There’s IHI works. It seems to me there are more and more of these things, and that these are highly desirable. These are one of our most effective ways of getting that quality improvement. With such an entity, and I’ll pick one for the sake of discretion. If there’s 100 practices that have organized themselves into a quality improvement network of some sort, each of the practices is a covered entity. MR. REYNOLDS: Correct. DR. GREEN: Would it be the intention of this recommendation 1.1, 1.2, and 1.3 that there would be business associate contracts amongst all of those practices and wherever the data from the quality improvement project or pool, whatever that organization is, it would be saying this requires a business associate agreement amongst all of them. MR. REYNOLDS: My initial answer would be if they had one entity that was pulling all the data together and consolidating it, that would be the business associate of all of them. But I don’t see them having to be business associates with each other. They’re covered entities. They already know their responsibilities. They already know where they’re sending it, and they – in other words, if I’m sending something to a covered entity, a good example is a payer is not a covered entity of a provider, when providers send all the data to the payers right now. Okay, so we don’t become – no payer becomes a business associate because the reason the definition of covered entity says I know what I’m supposed to be doing, and if I don’t, I’m the one that would be personally in trouble as that organization. So I would say covered entity is the covered entity is my interpretation is that’s not an issue, and it’s not. But if they created a group that pulled the data together, then they would probably need to be a business associate of that whole group. DR. GREEN: So, for example, we heard this morning about CMS green demonstrations of various sorts. If they pulled together cross-cutting learnings from their various demonstrations, are there implications for the demonstration sites about how we’re expecting them to do something further to protect privacy and disease guidelines here in 1.1, 1.2. Would they apply to these, are we expecting them to apply to these already implemented efforts. MR. REYNOLDS: I’m going to seek some help from Karen and a few others that know a little bit more about – I don’t want to step off of – Michael, do you have an answer to that, or do you have another comment? DR. FITZMAURICE: It seems to me that a covered entity can’t just send its protected health information to another covered entity unless they’re both taking care of the same individual. But they can all pull their data in an association, but the association can’t take my data and give it to you, a different covered entity. The covered entities could bind together for quality improvement purposes, turn themselves an organized health care alliance, I think it is in OHCA and then they can share information, personally identifiable information for quality improvement purposes. MR. HOUSTON: As long as they have a common patient population. DR. FITZMAURICE: No. MR. HOUSTON: Yes. DR. FITZMAURICE: No. That’s a legal question that would have to be resolved. I can’t speak on it as a lawyer because I’m not. MR. REYNOLDS: Karen, did you have any comments on that that you could help us with. MS. TRUDEL: Well, two things actually. I was going to suggest that we might benefit from Sue McAndrews. MR. REYNOLDS: Well, I was hoping Sue would – I would see movement out of my right eye here, but I hadn’t see that yet. So you’re the only one close at the moment. She’s walking to the door. MS. TRUDEL: While she’s walking up here, give me a break. No, one important thing and I’m sure she’ll say the same thing is that part of the – the critical part of the definition of a business associate is someone who is doing business on behalf of the covered entity that the covered entity would ordinarily have been doing for himself. So that, for instance, that’s why the health plan and provider are not each other’s business associate. MR. REYNOLDS: Right. Yes, which is the same reason I was answering Larry’s question. MS. MCANDREWS: But in terms of the quality collaboratives, there are provisions that do allow the sharing of that as a health care operation. They can come together and share information for that kind of health care operation without forming a business associate arrangements as between them as long as everyone in the collaborative is a covered entity. MR. REYNOLDS: Yes, we’ll touch base on that again, Larry, when we get into the quality is part of health care operations. You don’t – are you comfortable we’ve answered your question completely, or – DR. GREEN: Why don’t we do the rest just like you proposed. We’ll come back to quality operations and see what happens. MR. REYNOLDS: Okay. DR. GREEN: But I just want to flag it. Our goal here is to improve quality of care in the way it protects privacy, and we want to do this in a way we said that doesn’t create undue regulatory burdens, and there are a lot of quality collaboratives all over the country that I suspect are going to have immediate questions if these recommendations were to be implemented. They’re going to say does this apply to me and what we’re doing. It would be nice if we knew the answer. MR. REYNOLDS: And if I remember correctly, Northern New England was a great example of this that we heard testimony from on this with covered entities grouped up to do this. Okay, observation two. Observations and recommendations on principles of data stewardship or transparency. First, I’ll take any comments through 2.1 – we’ll get to 2.1. Yes, Marc? DR. ROTHSTEIN: I have a proposal on line 932. I would recommend that we delete two sentences beginning with this section originally had and the second one that begins with 2002, and the next sentence dealing with however up to the end of that line which would include the word enabled and substitute just the following, covered entities may be required to follow more stringent state laws, period, and then leave the last sentence in there. I don’t think the sentences that are currently in there that begin on 932 are necessary for the discussion. DR. VIGILANTE: The other thing above that in line 928, it says an authorization is required for other uses and disclosures that are enumerated in 164.208. I don’t know what those are. Maybe we should footnote those or refer to an appendix just so people are interested, and they can see what those are. Otherwise, it has no meaning for the reader. DR. COHN: Okay. So Kevin, your suggestion we just footnote the legal references rather than – DR. VIGILANTE: Yes, yes. I imagine it might be too — DR. COHN: I think that’s fine. DR. VIGILANT: — to put in there. So at least the reader can refer to it. MR. REYNOLDS: Now let’s go back – DR. COHN: Okay. Yeah, Margret on line 938 delete the rest of that line. DR. VIGILANTE: Oh, I’m sorry. DR. COHN: So delete the rest of that line and then start a new sentence with covered entities may be required to follow more stringent state laws, period, and then we have the next list. I mean, you can put them together, but I’m trying to – MR. REYNOLDS: Marjorie? MS. GREENBERG: Yes, I just want to support that because I think that it’s a judgment statement that who considered it, recognized it as being unworkable. It’s obviously workable in some states. So I would agree. MR. REYNOLDS: We had a motion and a second, right. Okay. Anything else before we get to 2.1. Yes, Leslie. DR. FRANCIS: The descriptions of informed consent are odd. MR. REYNOLDS: Where are you? DR. FRANCIS: I’m on particularly 944 to 946. That’s just not a standard at all account of informed consent. I would replace that whole paragraph just with a single sentence that says informed consent or consent is usually – all you want is the contrast between consent and authorization. So that consent is normally viewed as the permission given by an individual to a provider for a variety of healthcare services or something like that. MR. REYNOLDS: You’re eliminating 940 to 946. Is that correct? You say get rid of the paragraph. DR. FRANCIS: No, you might just get rid of beginning with the sentence presenting the provider with implied consent. MR. REYNOLDS: You would replace it with what? DR. FRANCIS: I would just get rid of it. MR. REYNOLDS: Oh, so you’re not adding anything else? DR. FRANCIS: No. MR. REYNOLDS: Are you satisfied that that’s what you said DR. FRANCIS: The point – I took it the point you had that in there was to contrast authorization and consent. MR. REYNOLDS: Yes, you’re correct. DR. FRANCIS: But you actually don’t need anything in that whole paragraph because the real contrast isn’t about informed consent to health care. It’s about the confusion with states statutes that talk about consent to data release, isn’t it? MR. BLAIR: What does the contrast now say that you’ve eliminated that? MR. REYNOLDS: Well, let’s do this first. So as Margret captured what you want to say, then once we can get it to stop moving it on the screen, then we can all get a sense if we agree. DR. FRANCIS: Well, what you could just do is you could just say instead of that first thing, take your sentence, instead of saying, we could just take the sentence it’s also noted the consent and leave that in. But the rest of it is just inaccurate about informed consent. MR. REYNOLDS: So the way it reads is informed consent is usually viewed as permission given to a provider by an individual – DR. FRANCIS: Well, I was just trying to take that out. I was just trying to play with the language there. Just go ahead and use your second sentence, consent in health care more commonly refers to – use that. MR. BLAIR: For our benefit, could you read the whole sentence – MR. REYNOLDS: Hold on, Jeff. Once it stops moving, I will read it for you. DR. FRANCIS: Okay. I’m just using your sentence on 940, consent in health care more commonly refers to – just use that sentence. MR. REYNOLDS: You’ve got to read it. DR. FRANCIS: Exactly what it says. Consent in health care more commonly refers to the permission given by an individual to a provider – no, you don’t need that, and then just delete the rest of it because – delete the part that said presenting to a provider is an implied consent and giving permission after all benefits and risks have been explained. MR. REYNOLDS: So are you satisfied with what’s on the screen now, and then I’ll read it so that Kevin and Jeff can see it. DR. FRANCIS: Yes. MR. REYNOLDS: Consent in health care more commonly refers to the permission given by an individual to a provider for providing health care services (which may include interviewing, examination, specimen collection and treatment of the individual as well as use of health information). DR. VIGILANTE: I don’t even know why you need the parenthesis. Lose the stuff in the parens. I mean, do we have have to go to that level of detail? MR. REYNOLDS: Yes. DR. FRANCIS: Yes, I think you do. DR. VIGILANTE: Yes, everybody thinks we do. DR. VIGILANTE: Then I do, too. MR. REYNOLDS: Then that would be a good thing. Okay, Mary Jo. DR. DEERING: I won’t be able to be as helpful as I’d like to be here. But I remember at one of our prior discussions I raised the issue if you look to what in our current draft is line, it’s at the top of page 24, in summary, the use of the terms authorization and consent and when such uses are required or permitted causes confusion. It seemed to me that that was a very important concluding statement that had been built up very appropriately from above. I didn’t think we really helped resolve it in anything that followed, and I couldn’t figure out how to do it. The only one of our recommendations that begins to get at it, it seems to me, is currently 967 that clarifies that the NPP is neither authorization nor consent. So I think what I’m picking up on here that might be an approach but we can’t probably wordsmith it in real time is to be a lot more succinct than we currently are, and Leslie’s just helped us be more succinct about what is consent and what is authorization so that we are clear on what the appropriate uses of those terms are, and that perhaps the one thing I did suggest is it would be probably down on line 980, again, education and clarity and required documentation, there or somewhere to add something about clarifying the definitions and uses of authorization and consent and using them consistently because I think some of the confusion which is important to mention in this text is not just the legal confusion. It’s in the eyes of all parties to the various activities. And so it’s important for us to state clearly what the issue of this confusion is, to state clearly if we can what we think the intended meanings and uses are, and then show that in our recommendations that we want to reinforce the importance of addressing this issue. So I just think that the way something is a problem didn’t quite get through the so what. DR. COHN: So I’m going to have to jump in here because we are running out of time. So Mary Jo, if you have some wording offline, we have Margret to sort of help with that. So we certainly welcome that. Now we need to break for lunch because it’s one o’clock, and we promised privacy an hour to talk about their letter. We have a presentation at three o’clock. Now I’ve got a problem I want to bring up to the full committee that we really need to go through a first reading of all of this before we finish up today, and I can’t see how we’re going to finish this up if we are basically continuing to discuss the recommendations for the first time tomorrow morning. Now I will offer ideas. I think I will be talking to the Subcommittee chairs that have break outs this afternoon to see if there’s any time we can eek out. But I’m certainly up for suggestions on all this stuff. I also want to remind people the purposes of these conversations is not to do wordsmithing. Wordsmithing can be done offline, and as much fun as it is, we really don’t need to take the Full Committee’s time for wordsmithing. What we are concerned about is content at this point, and are we basically agreeable with the recommendations because, as I said, all the rest we can sort of handle offline. This is just another reminder on that. Now it’s one o’clock. Let’s give everybody a 45-minute break. We’ll get together about 1:45 again. We will at that point move into the security piece and privacy discussions, and I think hopefully at that point we will have a proposal for how to deal with the rest of this at least for our first reading today, okay. So I’ll see you back in 45 minutes. DR. VIGILANTE: Simon? DR. COHN: Yes, Kevin? DR. VIGILANTE: Simone, sorry, I won’t be able to join you this afternoon. But I did want to say I liked the privacy letter and will have no substantive issues with it. DR. COHN: We appreciate that. Will you around, available for a call or otherwise tomorrow morning? DR. VIGILANTE: Yes, depending on the times. I’ll watch the email if there’s any sort of changes in schedule. DR. COHN: Kevin, thank you. I’m sorry you can’t be here in person. DR. VIGILANTE: I’m sorry as well. Talk to you later. [Luncheon recess taken.]


A F T E R N O O N S E S S I O N (2:03 p.m.)

DR. COHN: Okay, will everyone be seated? We want to get started. We want to start out by just sort of going through, I think, some revisions to the agenda based on progress we’ve made so far on the – or lack there of on the enhancements report. I think we’ve been talking with the subcommittee chairs. Now for the next hour, what we’re going to do is to talk about a letter that is being discussed within the Privacy Subcommittee, and certainly that will be unchanged. We’ll give them the floor over to Marc in just a minute or two to review this and begin to elicit conversation. At about three o’clock, we still have the presentation from the Robert Graham Center talking about the session that occurred since our last meeting around harmonization of primary care classifications which I think should be interesting for everyone. Now what’s going to happen, though, is that according to our agenda, at four o’clock we would be dividing up normally into standards and security and populations. And what we’ve done is – I’m sorry, privacy and confidentiality and populations. And because I think we all think that it’s critical that we finish the review of the documents today and get it redlined so that we can properly consider it tomorrow, and so as a result these meetings are going to basically be deferred til tomorrow morning. Instead, what we will do is to reconvene as a full committee at four o’clock and probably go until about six. We will stay convened. We will stay convened after a break with the idea being that we will finish up the recommendations and redline them before we adjourn this afternoon. Now what that means is tomorrow morning, populations and quality are sharing basically an 8-10 slot. MS. GREENBERG: Right, quality is first from 8:00 to 9:00 or 9:15. Populations is in the same room from – probably in this room from 9:15 to no later than 10:15 because then we will reconvene at 10:15 for sure as a full committee. Standards and security has relinquished their break out session and will do their work on conference calls, correct, and email. And privacy and confidentiality as currently scheduled would meet from 8:00 to 10:00. DR. COHN: Questions? MS. GREENBERG: No, either for quality or populations, if there’s anyone who has to call in, they will be able to. I don’t think we have capacity for someone to call in to the privacy and confidentiality, but I don’t know that that’s needed. Okay. DR. COHN: Jeff, you had a question. MR. BLAIR: Yes. If we go straight to six which is fine, will we have – how much time will we have before we hit dinner because – MS. GREENBERG: We were always going to end at six. Dinner is at 6:30. MR. BLAIR: Is it still going to be at 6:30, or could we have a little bit more time then before we hit dinner like if we could hit 7:00 instead of 6:30. MS. GREENBERG: Well, originally, it was 7:00. I mean, we could certainly ask it to be 6:45. Yeah, usually we gather ten, people have a drink or whatever. MR. BLAIR: Okay, that’s fine. MS. GREENBERG: I think we would hope to order our meals by seven. Would that work? MR. BLAIR: Thank you. It’s my opportunity to call back and check my emails somewhere in there. MS. GREENBERG: If someone arrives at seven, they will be accommodated. DR. COHN: And we will make final determinations and commitments around meetings that are occurring tomorrow morning at the end of our session before we adjourn this afternoon, okay. Now with that, I want to turn the floor over to Marc Rothstein to talk about this letter, and we have Mia Bernstein also joining us. Thank you, and please. Agenda Item: Subcommittee on Privacy and Confidentiality –Report Update DR. ROTHSTEIN: Thank you, Simon. Let me mention to the members of the Subcommittee to the Full Committee and to the staff you should have in front of you a copy of two versions of our letter, and you also should have received by email copies of these same two versions of the letter. And just a note to our non-member non-staff guests, because this is a working draft and constantly changing, it’s the NCVHS policy not to distribute to non-members drafts that are not being proposed. So this is a work in progress, and the public certainly will have access to the draft when it is being presented for consideration. Just a little background about where this letter comes from. You’ll recall that in June of 2006, our big letter on privacy and the NHIN set out a whole series of recommendations, and many of them such as R-6 and R-7 which are indicated on your copy were not definitive recommendations. They were sort of setting the stage for follow up clarification. And in June of 2007, we followed up with our letter on covered entities which was a sort of a spin off clarification of our letter, and this is in that same vein. We’ve been working on this for some time. We started in April. You’ll see that this is our tenth draft. So that says something right there. We’re getting close to the point where the Subcommittee will be able to, I hope, sign off on it. MR. BLAIR: The Subcommittee or the Full Committee? DR. ROTHSTEIN: The Subcommittee. We have not voted yet. So I think we’re close in the Subcommittee, but because it’s taken ten drafts so far, we did not want to sort of push the last mile and then bring it to the Committee and have the Committee members have fundamental problems with it and send us back home. So the purpose of this meeting is to primarily give the non-Subcommittee members of the Full Committee an opportunity to review the concepts that we’re proposing tentatively in these drafts and to give us input and feedback and guidance about what concepts, principles, recommendations you like or don’t like or can’t live with or think need improvement or what have you. Please don’t be concerned about wording because the Subcommittee hasn’t even reached that stage yet. And in fact, Paul’s revision contemplates a reorganization of the letter which we’re going to take up ourselves, that is, the Subcommittee, when we meet privately. So don’t even worry about that. So that’s the framework. Let me just briefly discuss with you the highlights included in this letter. And the purpose of the letter, of course, is to deal with the issue of what abilities individuals should have to control their most sensitive health information when that information is being disclosed for treatment purposes. This does not take up the issue of disclosures for other sorts of purposes, some of which are being discussed in what used to be called the Secondary Uses letter and other disclosures will be addressed, I would imagine, by the Subcommittee on Privacy and Confidentiality in the future. But this is just disclosures for the purpose of treatment. In the letter, we try to make the case for why individual control is so important, and basically it’s because the advent of interoperative longitudinal comprehensive records means that it will be possible to disclose to any health care provider all of an individual’s birth on records, and that would include in many cases sensitive information that is unnecessary to any given provider, and we have a partial list here of every physician, nurse, dentist, pharmacist, chiropractor, optometrist, physical therapist, et cetera who requests health records. I think many patients, individuals would be unhappy if they got certain parts of their health record. So how do you control that? How do you protect privacy to a degree where people are not discouraged from seeking treatment promptly for all sorts of stigmatizing and sensitive conditions, and yet still enable the health care providers to practice their profession in a way that they’re not sort of flying blind. And we considered various options, and the letter discusses all the various options we considered. There are no sharing restrictions, restrictions by provider, restrictions by age of information, item by item restrictions, restricting everything but predetermined fields, in other words, starting with nothing and building up. And the letter explains why we did not recommend that and why we did in fact recommend that the Secretary consider the alternative of sequestering information in sensitive categories. And the letter lists several categories as examples of the kinds of sensitive information that people might want to sequester such as mental health information and reproductive health information. Note that this concept is fluid in the sense that the categories might change over time and will require a considerable amount of work to try to figure out what is actually in each of these categories. And so what we are clearly recognizing is that this way of thinking about things is not sort of off the shelf. It’s a work in progress not just for us, but I think it’s a work in progress for the Department and the country if we decide to go down this path. And it’s the same issue, I might add, that many other industrialized nations going to electronic health systems are struggling with. And so the same problems that we’re dealing with, they’re dealing with as well. So the recommendations, you can read them yourself. I hope you all had a chance. It should permit individuals to sequester specific sections of their record in designated categories that are pre-determined, and that there needs to be a process to determine what categories to have inclusion and exclusion criteria, et cetera, and there also needs to be a process by which individuals who have elected to sequester certain information and authorize specific providers to gain access to that information. So you might elect not to have your mental health information available to everybody, but you do want your psychiatrist to have access to it. So there’s obviously some way that needs to be developed to do that, and that should be determined as well. Another point that health care providers, when they access a record in which there has been some sequestration will get a notice that information has been sequestered at the request of the patient, but it will not identify the information or even what field it’s from. We recommend that the issue of clinical decision support be studied. That’s the very difficult one of technically, conceptually and so forth. We’re not making a specific recommendation on clinical decision support at this time. We are recommending that there be a break the glass feature incorporated in the system for emergencies so that in a genuine emergency a provider can get access to everything. And if that happens and there’s a notification process automatically for the institutions for the entity’s privacy officers informed immediately that the break the glass feature was used. The individual or the individual’s representative is notified of the circumstances of that. And then the last set of recommendations deals with the importance of research, development, implementation, pilot testing, not only the technologies but also the human factors that are going to be necessary to adopt this system or some system like it. In other words, the public and professional education as well as studies of the consequences of doing it overall. Is it going to improve health. Is it going to improve privacy. Are there any anticipated consequences, et cetera. So basically those are the recommendations in various categories. The letter has been evolving over time, and at this point we would be very interested in hearing comments from the full NCVHS, not subcommittee members necessarily, to this overall theme that we are contemplating. MR. BLAIR: Marc, it would help me if maybe Paul could go over his modifications first because I’m not sure whether any questions I might have might be covered in Paul Tang’s modifications, and I didn’t get a copy of it. DR. ROTHSTEIN: Paul is out at the minute. If you can hold back until he gets back, I’ll let him speak for himself. If not, then I’ll try to characterize it. MR. BLAIR: Okay. DR. LAND: I saw in the paper today where somebody was suing because they had authorized or requested their employer make a change in their 401K plan, and that change was not made, and they actually lost money. Is there anything in here relating to how you enforce this, how does the patient ensure that the provider does follow through on their request? DR. ROTHSTEIN: We’re not making any recommendations dealing with enforcement at all. Presumably, it would be dealt with in the regular enforcement mechanism that is associated with the NHIN. Now if you take a look at our June 2006 letter, we specifically have a whole set of recommendations regarding enforcement. And so this would be subsumed under that. We did not in our 2006 letter – I can get what we said on recommendations. We did not specifically recommend that there be private right of action or anything like that. We just identified the issues. That was one of the many areas in which we viewed our role as setting a framework for future discussions but not making a recommendation. DR. W. SCANLON: I guess I was trying to put myself in the position of being a physician and how I’d feel about this in the sense that that information that might have been available to me was being concealed. And I guess the area being sequestered was substance abuse, and someone coming to me and convincing me that they’re in pain and they really need Oxycontin. And the best I can learn is that they’ve got some sequestered information, and depending upon the ability of this patient, maybe they can convince it that it’s in another area, that I needn’t worry about it. And I wonder if there’s the right balance there because on the one hand I would think that if a physician does something and there’s sequestered information, what does that change to the liability of the physician in terms if something goes wrong. And yes, maybe sort of a diligent physician wouldn’t have let that happen because they would have pushed to get the relevant information. But we know that there’s a lot of humanity out there, and people don’t go to the extreme in a lot of cases. So that’s kind of my reaction. I’m wondering about the idea that you can sequester things and the physician can only know that something’s been sequestered but not know what area it’s in, that you can only sort of break the glass in terms of an emergency. But I don’t know what exactly constitutes an emergency. I mean, it could be that we could say that if you’re going to get a controlled substance, that there has to be disclosure, something sort of along those lines. But that’s getting into the detail probably beyond where we want to be. But when I read the letter, I was struck by this question of balance. DR. ROTHSTEIN: I think we’ve been wrestling with many of those issues, and let me see if I can give you a sense of how we intend to deal with it. The first question and I like your example about the Oxycontin. I think it’s a very good example. We are not recommending anything at the moment on the issue of clinical decision support. But one possibility would be you would, if you were thinking about prescribing, let’s say, Oxycontin for pain control, the clinical decision support would search both the non-sequestered and the sequestered information and therefore come up with perhaps a drug interaction warning to you, and then you would make further inquiries of the patient. But that has not been approved as a recommendation of the Committee. A second possibility would be, and I think this is probably what most physicians, I’m guessing, would do regardless of how we handle the clinical decision support is I’m not prescribing something as powerful as Oxycontin for you unless I know everything that you’re currently on, and there’s stuff that has been sequestered at your request, and I can’t go that far unless you tell me everything you’re taking. And I think and I would ask my physician colleagues to comment, but I think that might well be a common response, and I think that would be a – I don’t think anything in this letter would preclude them from doing that, and it would not be a violation of the letter or the spirit of this to say I can’t treat you unless I know everything. And that’s no different than it really is today when physicians are given incomplete information by patients, and they say, you know, I’m not going to – I need to know everything to treat you properly. I had recognized Carol and then – wait a minute, I have to get this down. Okay, first I’ll get Carol, then I’ll get everybody else. MS. MCCALL: Two comments in reading this through. The first one was on the same area that you had talked about, Bill, but from a different perspective, and it was from the perspective of a person or patient, and the fact that I might be uncomfortable with my physician even knowing that there was sequestered information, that that may not even be information that you have today that something is sequestered. So you’re actually getting more information than you did before. Today, if it’s not in your record, you just don’t know. And so my question to you is did you guys talk about that, number one, as it being more information than may be available today. And number two, did you collect any testimony where you heard whether or not people were comfortable with that level of disclosure. That was item number one. And then the second has to do on the break the glass feature. I would like to see something that explicitly says that there’s also – please make sure to put in place a replacement glass feature. So you broke the glass, but now you have to come back and fix the glass. So you have to do more than tell me who saw it or that you broke it. But you have to come back and put it all back the way that it was. And so that needs to be in place as well. Those are my two comments. DR. ROTHSTEIN: Thank you. On the second point, we will certainly take up the replace the glass feature in subcommittee. MR. REYNOLDS: Can I ask her a question to explain? Yes, that’s what I was going to ask. Can you explain what you mean by replacing the glass. MS. MCCALL: Yes. If you break the glass and you rip up all the sequestered information so it’s open now, once the emergency’s over – MR. REYNOLDS: One person, one entrance. MS. MCCALL: Okay. But you’re saying that other people can’t, it’s not kind of open forever. DR. ROTHSTEIN: So would it satisfy you if we put in something that says like that information disclosed would then have to be resequestered? Is that what you’re – MS. BERNSTEIN: Well, now you’ve created – I think what she’s saying is you’ve created a – MS. MCCALL: No, now it’s in the emergency record, and there’s a discussion of whatever that information was that was maybe relevant if it was relevant to the emergency. DR. ROTHSTEIN: Okay, she asked another question – yes, on this issue, Steve? Okay. Yeah, Carol raised a very interesting point, and I can see the perplexing nature of it. I mean, obviously if they’ve sequestered information and they’re not allowing it and you do a one shot thing and you say give me access, you know, then the security system goes back into place immediately after. And somebody who comes to the record immediately after that is hitting the same sequestered information as before. I think that’s not the issue that you’re necessarily talking about because now the person in the emergency department has got sequestered information, may have acted on that sequestered information and has put that sequestered information in the record concerning that visit, and I think you’re asking what do we do with that information. MS. MCCALL: Right. DR. ROTHSTEIN: Thank you. I wanted to make sure it was clarified. MS. MCCALL: Right, and just to talk about what that – does it inherit the property of sequesteredness, or whatever. DR. ROTHSTEIN: Okay, I thank you for raising it. And Jeff did you want to comment on that. MR. BLAIR: Yes, and it’s just another example of this, but it starts to make it even more complex. You know, I think that this is addressed in the context of an NHIN where typically a health care provider will wind up putting data on an EdServer if it’s a federated model for the health care provider to access through the NHIN. It gathers up that information from the EdServer. Now if you have this construct the way it is now, whether it’s a break the glass feature or whether it’s six sections, you know, six different categories or four, you have – I can’t see technically of a way to change these things because you’re looking not at – it’s like the Internet. You know, once that information is in one format and it’s out there, how do you reconstruct it and remove or replace limitations once the data is out there. And it’s going to be the same thing with the categories. Once health care providers have organized things in one set of categories, you had a phrase in there saying that of course these things will change over time. Well, and it’s not that I’m against the idea of it conceptually. If I look at it privacy and legally, I’d love to have all of these freedoms to be able to protect data. But technically I can’t imagine how it’s possible to either change the categories or, you know, after you’ve broken the glass to put the glass back. By the way, the letter was beautifully written. I really wanted to preface everything I said with how impressed I was with the letter. So this is a technical issue. This is a technical issue, but the letter’s excellent. DR. ROTHSTEIN: Thank you, Jeff. Carol wants to address this – MS. MCCALL: On this very specific issue, I guess I would – we can have an offline discussion, Jeffrey. But I will tell you there are in fact technical solutions to this matter, and I have seen them play out and have been introduced to them in the intelligence industries where it is possible to do things that are simultaneously open, yet secure. So I would be very comfortable in this letter addressing the replace the glass type issue and leave it ot the technicians and the technologists. I know that they’re there. MR. BLAIR: They’re there if you’re a single entity. But when you’re talking about a thousand different entities and integrating that and pulling it together, okay. DR. ROTHSTEIN: And Harry, did you have a question on this particular point. Then we go to – MR. REYNOLDS: Carol, back to your point again about replacing the glass because I’m just like Jeff. I implement things, so I want to make sure I understand this. Once it goes into that entity that breaks the glass, then it’s in their medical record. It’s in the lab. It’s in everything. I mean, it’s all through there. So it’s within that entity. Now as I understand the philosophy of the NHIN and whether that entity has information about me, then the next time it goes out, it’s sequestered anyhow because now it’s back. You know, I’m using the same rules. But I agree with your point. I’m using the same rules every time I’m pulling data from ten places, I’m using the same rules in sequestered the same stuff. But are you saying that that entity that broke the glass and has all that data has to make it go away? MS. MCCALL: No. MR. REYNOLDS: Okay, well, replace the glass to me could mean that. MS. MCCALL: I’ve never said pretend it never happens. What I’m saying is that if it has been made available for a specific use, that it needs to be recovered. And what you’ve told me is that that was always the intent. MR. REYNOLDS: Yes, right. MS. MCCALL: Right? That has always been the intent. MR. REYNOLDS: But again, having listened to a lot of testimony and a lot of the doctors in the hospital side of this, one they have it in their records, then that’s how they treated the patient. They knew that data, and that’s what they used to treat the patient. So it has to be able to stay available to them because that’s their whole audit trail. But when it goes back on the NHIN again, I agree with you. It’s back locked. So the next person that touches it somewhere else, it’s locked the same way as it was locked before. MS. MCCALL: Right. MR. REYNOLDS: Okay, good. I just wanted to make sure I understand. DR. ROTHSTEIN: Okay, let me just say that first I want to recognize Justine. And then Paul, while you were out, Jeff asked if you could explain the revisions that you made to him, okay. So I’ll just alert you to that end, and then we’ll take other comments in order. Justine? DR. CARR: Thanks, Marc, and also I agree. The letter is written very, very clearly. It’s just the content of it. DR. ROTHSTEIN: Maybe it would have been better off not so clear. DR. CARR: Well, I have a question of clarification. I know that one of the candidate sequestrates is medications, and at the current time JCAHCO has just implemented a requirement that every encounter be begun and ended with a reconciliation of medications. That means that every provider needs to know every medication a patient’s on, and then when it’s over, they have to add to the list, take the ones off. Let me say it has been an enormous initiative to get these online medication things settled, and it’s considered to be highly valuable for the safety of the patient and the knowledge of the next provider. So one question is just how do we reconcile or how do we balance privacy in this situation. And the second is I was thinking perhaps a little bit differently about the break the glass, replace the glass concept. But if someone comes in with abdominal pain and you don’t know about their reproductive history and you have to break the glass, and now you’re writing your history and you’re saying this gravita to para to woman has, you know, signs and symptoms of what could be ectopic pregnancy or something like that, that becomes part of the narrative. I don’t know how you could say this blank blank woman has a blank blank, and it could be a blank blank. I mean, I just don’t understand how medicine can be practiced if this information can’t be then part of the history of the present illness. So I’ll put that in the history of the present illness, and everybody else who reads it will now know it. Even though it’s sequestered, it’s in my notes. DR. WARREN: Yes, I guess I have some of the same concerns that Justine is experiencing. I mean, if I have to break the glass to treat the patient, then does that mean that my entire encounter has to be sequestered because it has some of that information in it. Or do we do something like a blank blank which then makes you wonder about that. But I always get worried about you have a patient who comes in with a mental health history. They’re on pretty powerful medications, and now you’re getting ready to prescribe something or do some therapy. And if you don’t know about those psychoactive drugs, you could make some pretty severe errors in your treatment of that patient. And your example, too, of the OB history, if you don’t know about other kinds of OBGYN history, again, you could start prescribing treatment that can be very detrimental. But then once you start doing that, I mean, how do you redo the glass. I mean, this is data that’s out there that you’ve documented your treatment on. DR. ROTHSTEIN: We’re going to – on this point, then we’ll take new points. Carol? MS. MCCALL: Actually, I think what you’ve described isn’t a break the glass situation. I actually think it’s the first question I asked which is what if there’s something that I don’t want you to know, and yet there’s a flag on it that says something’s hidden here, but I’m not going to tell you what. Isn’t that the situation today where something is not known to you, and yet there’s not even a little flag on it that says dig here. DR. WARREN: Then tort law handles that differently than if you start making decisions with the little flag on it. MS. MCCALL: That’s what I’m saying. So I may be uncomfortable with you knowing that there’s a flag there. That’s actually more information than you have today. MR. BLAIR: Yes, but it says a flag somewhere. It doesn’t say the particular area. MS. MCCALL: Yes, but then that goes back to what Bill was bringing up. That could actually create a liability, you know, for a physician that says if there’s a flag and you didn’t dig, you didn’t get him to reveal all that stuff, then does that create a liability for the physician. And in fact, did you hear anything, testimony from patients that said that they like having some sort of indicator, or they don’t want to have some sort of indicator. DR. ROTHSTEIN: We didn’t. I’ll defer to my colleagues on the Subcommittee. But I don’t remember any of our witnesses particularly addressing that issue. DR. FRANCIS: I think the flag came actually, it was an attempt to respond to the physician concern about not knowing that something had been sequestered. DR. ROTHSTEIN: Not even knowing – DR. FRANCIS: I mean, that something had been sequestered. That’s where that came from. And you know, I don’t know, I guess the question that I’d ask people like Justine and Jeff and others to help us reflect on a little bit is whether the perfect is sort of the enemy of the good. I mean, we’re not at all trying to figure out what would be a perfect system of protecting all the information that people want protected. What we’re trying to do is figure out what’s a reasonable balance between protecting privacy with the knowledge that people might actually not go see providers if they don’t think that some things could be sequestered. So we’ve got that on the one hand, and then we’ve got safety on the other. And one of the ways we were trying to create some of that balance was break the glass because it seemed important in emergency. Another was the flagging device. So what I’m wondering is whether you just think the whole idea is off the table, or whether you’re pointing out what we perfectly well agree with which is that there’s some problems here. I mean, I’m just trying to push you about where you’re coming from. DR. CARR: I mean, you know, you raise a good point. I think it’s hard for us who have practiced in a certain way, at least it’s hard for me to envision what this is like, what it would be like. I mean, I think in a lot of ways maybe it’s analogous to, I guess, if a comatose patient is transferred in from somewhere, you just do the best you can, and you order all the lab – I mean, in a way, it undermines the availability of data because if it’s fractured data, maybe you just start all over again. You build your own data set. You know, I have this feeling that part of this solution is breaking what is working in the care of patients, and you know, I have immense respect for the work and very thoughtful reflection that’s gone in this. So I’m just reflecting back. I’m not offering an answer. But I just worry that, you know, especially this image of JCAHCO requiring this incredible effort to get all these med lists available and a part of every encounter throughout the hospital, all the consultants, all the outpatient, all this work is going into that. And yet, by the same token, we have all of this work that will make that all not possible or not usable or not – DR. ROTHSTEIN: Well, I wanted to ask you about that for just a second. So you’re seeing a patient, and now at the end of the encounter you want to make sure that you know all the meds that that patient is on, both the ones that you’ve prescribed and other people have prescribed, okay. So now if a patient is seeing other doctors somewhere, you have to rely on them coming forward and saying and telling you what other things there are, right. DR. CARR: Right. So there’s an electronic medication list that exists, and it’s available to every provider. And you see the patient. You say, okay, let’s go through the list. DR. ROTHSTEIN: But it’s outside of your system. It’s not in your – DR. CARR: Right. No, you’re right. I mean, this is part of the challenge of it. We’re getting everybody on the system as we live in a world that’s part paper and part electronically different systems. DR. ROTHSTEIN: Couldn’t you tell your patient verbally under this hypothetical system I need to know all the meds that you’re taking, even stuff that may not be reflected in here, or I can’t treat you. DR. CARR: Yes, I mean, what I’m saying is that the trajectories of these two initiatives seem to be going in different directions. DR. ROTHSTEIN: I understand. It’s not – DR. CARRL: And so what we’re struggling with is getting these electronic lists correct is a lot of work over time. If we have to keep rolling this boulder up this mountain, what’s the point of having electronic at all. DR. ROTHSTEIN: Okay, let me just take a time out for a second and let Paul answer Jeff’s initial question which was what’s the difference between the version that Mia sent out and Paul’s revisions. And then the floor is back open. Don is on the top of the list, then we’ve got Mary Jo and Bill and Marjorie. DR. TANG: So presumably, you don’t want to know all of the changes, but I’ll just focus in on this same topic which is the sequestering of data. Is that fair? MR. BLAIR: What are the major changes that you made? DR. TANG: Probably the major category is sequestered information, and the suggestion instead of having an open ended, you can sequester anything that can be deemed in a category, my suggestion was that we actually have an enumerated set so that everybody’s playing on a level playing field particularly since it’s a quote NHIN, and you can’t just go by tape. It rules. So one was uniformity. Two was a pre-enumerated set. The idea was so that people could already be used to what that set is like psychoanalytic progress notes, or come to understand what’s included in this so-called category. So, for example, genetic information might be one of those things that people could learn to say, oh, that’s in a special place, and I know that it’s going to be in this special place, and it is or is not available. Mental health mostly is defined in the psychoanalytic notes. Maybe I just know California law. So I can’t make that statement. One of the things certainly is true in California and I think is true in most states is that medication and the entering of problem list is not excluded. So in other words, psychoactive drugs would appear on an active medication list. It’s not excluded because it is quote in mental health category. Social and family history, I think a number of members have said is too broad. And so I would definitely exclude that as it not be one of those categories that you could sequester. Drug abuse and abuse of chemicals is another area that people already know are often –- are by law excluded without special consent from the patient. So the goal was to have an enumerated set of categories that physicians either already are familiar with or could be educated on what would be in that category. That was sort of the major change in this area. DR. ROTHSTEIN: Jeff, does that – MR. BLAIR: That helps me a lot, and please put me on your queue to ask additional questions. DR. ROTHSTEIN: Okay, you are. You made it to the bottom of the list. DR. TANG: maybe the only other major change was to group all of the recommendations, all the ones that are together, I made them 1, a, b, c, through f. And the reason is you can’t take one recommendation on its own without the others because partly doesn’t make sense. And two, you do need all of them together to make the whole set. DR. ROTHSTEIN: So the Subcommittee is going to be working to reconcile Paul’s revisions with the original document that was sent. But the table is open or the floor is open for all sorts of issues. Don? DR. STEINWACHS: There were two things that came to mind and like others it’s a great letter. The break the glass phenomenon, it seems to me, patients may have different thresholds for that. And so one thing at least I find appealing and may reflect my bias is the concept of looking at patient safety or potential harm to patients as a criterion level for breaking the glass. And then you might think about is there an informed consent process that I as a patient might go through and say, well, I want to set that threshold either very high, or I want to set it very low. If there’s a risk of discomfort, I may say break the glass or someone else may say unless there’s a significant risk of mortality. Now the process, like an FDA process of how you decide what goes where, might be different. But I think that idea that there are different thresholds might be a way to try and deal with this. Otherwise, it’s not very clear about, you know, when you break the glass – DR. ROTHSTEIN: So theoretically, are you saying that I could check the lowest level of, you know, I’ve really got a bad headache, breakway versus I’m drugged and unconscious. DR. STEINWACHS: Yes, and so you can’t talk to me. You can’t communicate with me, and only then if there’s a risk to my life will you get access to all that information. But I would just think about some way that a person could be an informed consumer or an informed patient in this process, and there would only be two or three thresholds. I don’t know how you’d exactly do it. But it seems to me that makes it less than just zero, one, on, off. The other thing that raised, I remember at our institution I asked a question the other day is how long do they hold on to email, and the electronic health record might sometime look like a collection of all the email in your life. And so here it is, you know, Don’s wife described in email. And so I sort of think of the record the same way. There are lots of things in there that it would be hard to go back and always interpret. So rule out diagnoses if they don’t actually result in something become kind of garbage of information. There may be other things, and many of you could talk about it better than I could about random elevated values of things and so on. So what I didn’t hear, and I didn’t have a chance to read in a lot of detail was, is there anything that sort of retires information or sets it in a different category that is probably no longer useful and relevant. I was at a lecture the other day talking about the stability of psychiatric diagnoses, and they aren’t. And so having schizophrenia once or twice years later, it may no longer be. Or bipolar. And so things can change. And I keep getting a sense here sometimes that the electronic health record, it’s written in stone. And so when I’m 95, they’re still pulling up something that might be an interesting diagnoses at age six or ten. And so it’s not sequestering as much, I guess, as the question of are there categories of things that should be put into a class possibly so that they don’t immediately pop up all the time unless indeed they should. DR. ROTHSTEIN: We actually did consider sort of time issue. A sort of limited time on certain information. We were, I think, persuaded that there are certain kinds of illnesses and certain kinds of treatments and so forth that would not be appropriate to wipe off. And rather than trying to come up with a list of things that would drop off and things that would stay on forever, we just said all right, we’re not going to slice the pie on the basis of age of the data. We’re going to slide it by the nature of the information. And certainly the older stuff has a certain appeal to drop off if it’s irrelevant. But who knows whether it’s irrelevant. I mean, that’s – DR. STEINWACHS: Well, you know, a lot of us keep hoping that evidence-based medicine’s going to progress to the point where maybe there’ll will be, you know, some answers to that. The only reason for raising it is that part of the reason you’re talking about having access to every piece of information throughout the lifetime, again, comes back in my mind to patient safety concerns. Is there potential harm. And so you might be able to think of some cross walk here that talks about the timeliness or how recent is this information and the patient safety threat. And so you might have a concept, and it may be one of those things that goes under the research area. But I would as many ways use patient safety as this issue of both for the patient and the system, you know, what are we doing to protect it, and at what risk am I willing to take which people do in the doctor’s office. DR. ROTHSTEIN: I think it’s a very good point. It’s something that personally interests me. The AMA Code of Ethics says that physicians are free to discard information that would not be relevant to a physician seeing a patient for the first time, but certain kinds of information such as history of chemotherapy is the example they use in the Code of Ethics should remain there for the life of the patient. It’s a very hard thing to do. We didn’t go that path because it’s really hard. So let me tell you who’s on my list in what order. I have Mary Jo, then Bill, Marjorie, Jeff, Carol and then Larry. DR. DEERING: Who’s on first, right? DR. ROTHSTEIN: Right. DR. DEERING: Who’s on firs? Mary Jo’s on first. Okay. I wanted to talk to a couple of things, the second of things is the break the glass. But the first is, and I’m sensitive to what Justine says about breaking something that’s working. And I would suggest that a word and a concept that hasn’t been used here that is an extraordinarily high value that most people needs enforcing is communication. It’s my understanding that all docs except maybe surgeons and maybe even them, too, agree that enhanced provider patient communication is what is ultimately, is one of the unalterable factors in positive outcomes. And it seems to me that this document could benefit by an even stronger statement about the fact that this is an essential step toward improving doctor-patient information. It depends on it. It doesn’t have to be complicated. It really would be a natural extension of the sort of communication that you already do. You would never prescribe anything to anybody by just looking at a piece of paper and never looking up at the patient in front of you. You’re always going to probe and ask questions. And it seems to me that the ability of this kind of a step to number one, open up the opportunity to discuss with the patient, you know, this is the information I have about you, and this is the way I think we’re going to go would be extraordinarily valuable. So I think that given, I mean, you tucked it into a footnote that like only one in 10,000 people actually ever opts out. People just want the choice, and I think that you make those points. But maybe they don’t come through strong enough. So in other words, I think that on one hand some of the concerns may be overstated. I think it would be a disaster if NHIN developed into a system where everything was automatic decision support and people only based their diagnoses and prescriptions based on something that automatically cropped up in electronic record. I think that would be negligence as far as I’m concerned as a patient. Anyway, so that’s my horse there. But I do think just strengthening this point that this is a positive step. This is a positive step toward improving care, not just privacy. This is a step toward improving care, I think. Secondly, with regard to the break the glass, I just want to reinforce something that Carol said about the technologies regarding putting it back together again, and the word is metadata in some cases. You know, it’s the metadata about what was sequestered that could follow that data element from wherever it goes. If you’ve got that data element and it had the metadata tag on it that it was sequestered information, then that tag could persevere into the next state. And granted, exactly how you implemented it, the technologist would have to tell you. But, again, you’ve called for research into how to do it. And I do believe that that could address some of the concerns that people have. DR. W. SCANLON: Thank you. It probably goes back to what Mary Jo just said as well as what Carol said earlier. But we are envisioning a world where even if we sequester things, it will mean more information than we currently have, and that’s exactly what we want. We want care to involve a better information base. So there’s a lot of trade offs that are in this. And I think that the concern that probably motivates this letter is from the data uses group, it seems that we were constantly coming back to the issue of what’s the harm that will happen with respect to disclosure of information, or what’s the harm that’s going to occur because people fear that information is going to be disclosed. In other words, when they fear it, they’re going to withhold it, and there’s going to be a consequence in terms of treatment. In data uses, we talked about both of the issue of privacy, but also the issue of security. And I think it would be a good thing to bring into this as well which is the issue of how do we increase people’s confidence that information can be disclosed to people that are treating without it being at risk. And as Mary Jo says, only one out of 10,000 is going to opt out. But if we feel motivated that we have to put into place a system like this, we must feel that there’s a significant enough problem that maybe it’s worth working on the other side of it which is the issue of confidence, confidence in providers that they are going to respect your privacy because they’re going to use that information only as it should be for your treatment at that point in time. DR. ROTHSTEIN: Thank you. Marjorie? MS. GREENBERG: Well, I think the last two comments that were made were both very good, and I think that certainly can be accommodated. And maybe my remarks were somewhat in reaction to some of the earlier comments because what I was going to say was I don’t think – maybe I’m wrong on this. But I was going to say I don’t think anyone would – you’re probably not going to find a clinician who wouldn’t like to have all the information and all the right information. I mean, any of us in our profession, that’s ideal to have all the information that we need to do the best job that we can. That unfortunately isn’t life, but we aim for that, and then, you know, certainly we don’t want to be worse off by whatever new policies come up than we were to start off with. But I think you can take that as a given, but I also think you have to take as a given that this is an issue that has to be addressed. As Marc said, I mean, it’s certainly being looked at in other countries which have actually have made more progress towards something like an NHIN because they have a national health service or because they’re putting a lot of money into it or what have you. And I think that the evidence so far, although that’s why I definitely agree that this needs to be more researched, is that there’s a minority of people who really would want to take this option of being able to sequester certain information. Those are probably the same people many of whom who are not now revealing certain information. So in that sense, maybe it’s a wash. But you’re not better off. And then there’s maybe a larger number of people who want at least the option, but as Mary Jo suggested with communication, education, et cetera as Don suggested might say, well, now that I, you know, I wanted to have that opportunity. But now that I have all this information, I’m going to not take it. And so I think if you come at it that way rather than but we really want all this information which of course one would, then the question really comes down to from my point of view, is this something that the National Committee can constructively provide some guidance on and provide some reasoned recommendations on or not because somebody – it’s not going to go away. If the National Committee doesn’t address this, it doesn’t mean that the issues go away. We could wait until we see how other countries solve it. But I think, you know, there’s a lot of cultural differences, et cetera, so you can’t completely rely on that. So that was just sort of the context I wanted to offer. DR. ROTHSTEIN: Thank you very much. I have five people left on the list, and that will have to close the list because there’s more to go. So I have Jeff, and Carol, Larry, Mia and Gene. MR. BLAIR: I think there’s so much value in the thoughts in this letter that I really want to see it go forward. So some of the things that I’m uncomfortable with I feel pretty strongly about because I don’t want it to derail this. The idea of setting up categories is fine. I like the idea of Paul saying fewer categories would be better than more because the area that I have the greatest concern about is the idea of the patient having the right to change their designations later or change their mind later on stuff because we’re not talking about a hospital any more, and we’re not talking about a network any more. We’re talking about a network of networks, and we’re talking about health care institutions that have certain privacy responsibilities on their own. And all of the stuff in this letter can be accommodated as I could see it. Most of it either in a federated model where basically the basic categories are identified by the health care providers, and the health care networks are agnostic. Are you with me on this? The health care networks are basically conduits assembling the information. They’re not making judgments. The judgment is made by the health care provider at the time that the patient is winding up seeing their provider, and they’re saying, oh, by the way, these are the categories that I want sequestered to not go on the network. That’s when the decision is made. If you wind up having a different model with a centralized database which we have been told could derail everything we have, you then have a different set of technical choices. And if this letter starts to get into the architecture of the networks and exactly where the decisions are made, I think it could derail this and we’ll lose the value of the concept of having an individual have the right to designate that certain sections of their record should be sequestered. So my thought is that with respect to them changing either the categories or changing their minds afterwards, I would say that’s for later exploration. For us to start to include it here, I think, could cause chaos. DR. ROTHSTEIN: Well, thank you, Jeff. I just want to mention one of the things that concerned us was actually the opposite, that thinking ahead in the future ten or 20 years from now, maybe the same stigma wouldn’t attach to mental illness that currently attaches to mental illness. Maybe the same stigma that attaches to genetic diseases doesn’t attach in the future, and therefore we could collapse those categories, not create new ones. But the idea was hopefully that we would eliminate categories. But who knows. MR. BLAIR: Well, that’s why maybe I’m learning towards the wisdom of Paul’s suggestion whereas we could still identify that these are all areas that are valid for sequestering. But for us to have things as simple as possible with one, two or three general categories of sequestration so that over time if somebody wants to—there may be more abuse situations that arise in the future. And if the category is already there for all forms of abuse, then they could fit into that one all forms of genetic issues, all forms of whatever. But I would gravitate towards fewer broad flexible, in other words, another area of criteria in choosing the categories is flexibility to accommodate things in the future so that we’re not looking at having information disseminated and then somebody winds up saying, well I want a new category, and there’s no way to retrieve the information from the network of networks to accommodate them. DR. ROTHSTEIN: Thank you. Carol. MS. MCCALL: A couple of comments, and then a request for the Subcommittee. I guess the first comment is in response to Marjorie. I hear you – I hear you when you say we need to think about whether or not we should opine, and I think we have to. I think we have to opine on this. I think it’s a delightful letter. I think you guys have done a great job. You’re not done, but I think you’ve captured something that’s really vital. To Justine, it is kind of a contradiction, isn’t it? You know, we do all this work to try to make all this stuff available, and then we’re busy trying to figure out way to scrape it out. And yet, I think that’s part of we need to embrace that contradiction. So I don’t – neither one of these efforts, I think, makes – neither one makes the other futile. I think they’re both absolutely vital. And I think what I would ask you to do one thing for the Committee is actually to place even more emphasis. It’s on page two. It’s that second paragraph that leads into the importance of individual control. You have captured something here that I would love for you to even emphasize more which is that the future will be different than the past, that when you say it is now possible for providers to obtain records without any notice or permission, you know, kind of cradle to grave. That is so important, and it really was impossible before. And if it was, it was that kind of Marcus Welby small town feel where it’s not only that you had my cradle to the grave record. You generated the entire thing. And so you already knew. The fact that you wrote it down was just moot, you know. But that’s not the same any more which then brings me to, I guess, a second request which is about this category. And so you said something, Paul, actually that surprised me because I read it another way. I thought the categories were not going to be predefined. I thought that what you had put in here were a sample. And when I look at these categories and think about them being predefined as these, in particular, as a woman my eyes drawn to reproductive health, it’s a big category, and I don’t want to carve the whole thing out. And yet there may be some things within there that are absolutely vital for me to carve out, and they may have to do with an abortion or a miscarriage or sexually transmitted disease, and they’re in the past. And yet I just may not want them coming forward. And yet there are other things in reproductive health that are absolutely vital that docs today know. So talk about those specific things in the group and see how those weigh against each other. DR. ROTHSTEIN: Thank you for your comments. Larry? DR. GREEN: There is no change about the existence of sequestered information in my view. There’s always been sequestered sensitive information in health care. What has changed in my view is we now are entering the information age where what used to be sequestered information may be widely disseminatable somewhat anonymously anywhere on the planet instantaneously. That’s a very terrifying proposition for us as patients in my view. But it is a mistake to think that medical records have somehow or other in the last few days, few years or because of computers suddenly begun to have sequestered information. It is the very nature of doctoring that there is sharing of information that is kept private, and how it is recorded and where it’s recorded and how it’s recorded, this has been being dealt with for centuries. It’s the size and scope and instantaneousness of being able to move this very sensitive information around that is scariness in my view. So very important. One of the assignments I gave myself after our last meeting was to pretend while seeing patients that this had been implemented. So I have a long list which I will spare you. But I do just want to use one example to make a point. I used one of the five largest electronic health records in the country. I’m in a multi specialty group practice. We are so thrilled that we actually work off the same database, 700 doctors, several hospitals, scattered all around. We really like being able to access the database from wherever we are for this patient, whoever’s seeing him or her. Earlier today, we heard from Jim and Karen about plans about electronic prescribing and that sort of thing. Well, my electronic health record will not let me prescribe electronically until I have linked the medication I am prescribing to the problem for which it is intended. So I’m seeing a bipolar patient who has asked that their mental health record be sequestered. Also their social health record. I mean, she’s only the fourth generation to have it in her family, and her kid has it, too. And she doesn’t want anyone to know that. But she is standing there saying I’m down to my last Dolamentil. Give it to me. I actually do not have the mechanism to prescribe Dolamentil until I link it to something. Now I have a choice. I lie, I link it to something that is not sequestered, or I say she has bipolar disorder, and that unsequesters it and it goes back to Justine’s point. Now I have a long, long list not of the perfect being enemy of the good, but the practical being the enemy of the good here. And I don’t want this meeting to end without just being one member of the Committee that agrees with one point and the sense of another. It’s a gorgeous letter. It raises some very important issues that we should wrestle with, and it is a mistake to go very far with this until there’s a great deal more study done about how to do it and its implications. DR. ROTHSTEIN: Larry, I have a question for you. The letter tries to point out the importance of affording individuals some level of control which I think you would agree with, and reviews some of the major options and then says as between the major options we think this is the best prospect at this point, and we are recommending that you do research and et cetera, et cetera, et cetera. I’m wondering where you get off the bus, I mean, of how far did we go beyond where you’re comfortable. DR. GREEN: I don’t think we’re smart enough to go very far is my point. I wish we were. I’m actually not clear, Marc, whether IT and the new world of information technology is positioning us to be able for the first time in human history to empower patients, to respect to their autonomy, give them more control over their health care or if we have just unleashed a technology that makes it almost impossible to protect their autonomy and their privacy. It’s a very important issue. But I really get off the bus is when we decide we know more than we do. Some of the things that we’re proposing that should be considered, I think that Justine and I could in the morning patient care perhaps change everyone’s thinking about what we thought we knew, not from trying to not make it happen, but just trying to take care of the folks, just trying to be a good doctor today for you and your family. This is tough territory that this letter goes into, and where I get off the bus is when it just starts seeing language in here when I say, well, if I go see patients tomorrow and that comes to past, can I do a good job. When I start saying I don’t think I can do it, I’m going to get off the bus. DR. ROTHSTEIN: Okay, because I’m just trying to figure out what we would need to do to get you and Justine to have some acceptability level in this document. So Mia, did you want to say something? MS. BERNSTEIN: I just – I think we’re there, but I just wanted to ask if there’s any issue that has not already arised that somebody is thinking of that can be briefly described just so I have a note that there’s, I mean, the main point of this discussion was just to identify those issues. And if somebody could quickly do anything that hasn’t come up already, if it’s come up, that’s great. DR. ROTHSTEIN: Simon is getting ready to pull the power on my mike. I told Gene that he could speak, and then Harry. DR. STEUERLE: I will be very quick, and I have to say that I find myself, although I’m not a doctor, a little bit in Justine and Larry’s camp in part because I’ve always feared, as you know that on the privacy side we’re going more in the direction of threatening potential gains we can for people. But here’s where I suggest or I think further research can be done. I think your letter is way too quick in waving its hand at the potential problem by pointing to this one out of 10,000 patients in Denmark. And then if you look at the footnote, the 3.2 percent in the Mayo Health Clinic which by the way is 3200 times the one out of 10,000 rate which just shows you that some slight difference in the way they’ve worded it has caused a 3200 fold increase in the number of people who want to do things. And as we know from opt out/opt in, we have things like 85 participation opt out, and five percent opt in or whatever else it is. So the way these privacy conditions would be passed on to patients, is it John, Paul, you know, having them when they’re in the emergency room, sign the 30 page letter that they said on the bottom line to get health care. Nobody reads it because they just want to get it done. And so technically, they’ve opted out. Or is it where the doctor has to sit down and say, oh, to a 90-year-old woman by the way and in the category of what did you call that again, please, reproductive health and what, you know. So the question of how they would work out in practice, I think, probably would be dominated by the lawyers and dominated by sort of how behavior reacts to the way the thing’s set up. And I think the letter’s way too quick there. I could see a lot more research at least given to that. No matter which end of this debate one comes out on, I could see a lot more research on making sure that this process did not become, did not inundate and become very inefficient. DR. ROTHSTEIN: Okay, thank you, and Harry, final word. MR. REYNOLDS: Yeah, Larry and some of the rest of you, one of the things I think you could help us with because what I would add, Larry, to your discussion as to why some of us are still staying on the bus is that the bus doesn’t have any brakes. And the issue right now is there are an awful lot of health information exchanges. There is the NHIN in its infancy. There are pilot projects going on all over the country. And they are not attuned to this discussion. They are not attuned to this issue. They are not as learned as we have been able to become not because of ourselves, but because of the people we’ve listened to. And so consequently the technology is occurring. And being an IT guy, I agree with you. But IT left to itself which it can be right now with some of the things that are going on, also can completely disenfranchise maybe both sides. And so I think we may need to calm it down, and I understand everybody’s point. But if we don’t get this debate into some kind of structure and we don’t get this debate in the game right now, the game is going on and it’s going on with a lot of money in a lot of places. My own state’s been involved in a number of them, and it’s going to continue to go on. And all it’s going to take is a couple more years, and it’s going to be so far outside the gate that having this discussion at that point when people are already implemented, already in production, already spent a lot of money, already doing certain things is the thing that worries many of us because I don’t treat patients, and I’m not a lawyer. But watching the health IT, I don’t think the patients or the doctors want to turn the world over to the IT people either. And I think that’s what these exchanges and other things can quickly become and are becoming. And so that’s why I hope that all of us at least stay on the bus a little longer even if we may not sit in the same seat with each other. But I think that’s really important because this debate is paramount when you look at the timing of what’s going on. That’s the thing that’s driving a lot of us to remain passionate about where we’re going. It’s not whether we have the right or wrong answer. If the right debate doesn’t go on, we have a big problem. DR. ROTHSTEIN: I want to thank all of you for your input. It was beautifully expressed. DR. COHN: Mark, thank you for the beautiful time. We’ve been asked that we have presenters who are outside. They’ve been asked that we take about a five-minute break which I’m you all will be happy to do so they can set the powerpoint presentation. So why don’t we give everybody a couple of minutes, and we’ll get started again. [Break] DR. COHN: Okay, will everyone please be seated. I think we may get started. Okay. This next session, we’re actually very pleased to welcome both Bob Phillips and Michael Klinkman to talk about the results of a symposium or invitational that was sponsored by ARC and hosted by the Robert Graham Center on harmonizing data standards for primary care. As I commented earlier today, Larry Green has been a principal in it. But I think he’s having to recuse himself from the conversation. DR. GREEN: Not from the conversation, but from the presentation. DR. COHN: From the presentation, anyway. And so we’re obviously delighted to have you here to sort of brief us on what sounds like a very interesting set of discussions. So, please. Agenda Item: Robert Graham Center Presentation – Harmonizing Primary Care Standards MR. PHILLIPS: Dr. Cohn, thank you very much. It’s really a pleasure to be here. I understand we’re a break in your business. So we can make it as long as you like or as short as you like. Well, the conference that we held with AHRQ’s support was called harmonizing data standards for primary care. It was really about how do you empower the patients and send them home with health information technology. It was serendipitous that just a few weeks before our conference and right before the Institute of Medicine meeting, the roundtable on evidence based medicine, one of the working groups of the Institute of Medicine came out with its report, and one of the quotations I pulled from that because it was so helpful for our conference was this one. The single most transformational step towards achieving the goal of a learning health care system would be the development and implementation of IT industry standards. I think that fits very well with your introductory statement on your website which says basically the same thing. And we came at this because we had concerns that the largest platform for health care in this country where more than half a billion visits are made every year, several million every day is being left behind in the health IT standards development process. So we wanted to have a conversation with people involved in the standards process and people involved in taking care of the people in primary care settings to understand what are the opportunities for affecting this flow of standards, and what are the strategies we should be looking at to make that happen. Because what we really need in this new era of health as an information business, as an information exchange is the capacity to have standards that are shared, but also be able to tailor our health IT and health information standards within a single setting and make sure that they’re tailored but harmonized. So kind of the big picture in terms of primary care is most people have the usual source of care in this country. Eight out of ten people will say they do, and most of those people, if they name a person, will say it’s someone in primary care. But I would challenge you to find a use case right now in development or published about the physician patient visit, particularly in the primary care setting. The medical home is a construct that has legs right now in legislation and within IT circles, within a lot of circles. It’s a concept that sustaining human relationships are about a place and about a relationship, and that place, this home has a set of functions that it’s supposed to deliver for every patient that relies on that place for their care, and that it has to have an infrastructure, it has to have a team of providers. And one of the things that they talk about in discussions about the medical home is that it has to have a robust IT system, period. There’s not a lot that follows that discussion. And what we really want to talk about how that is critical to the medical home actually functioning and delivering like it’s supposed to. And health care is lagging in the information age, and primary care certainly within health care. And it’s our position, and it was definitely a consensus of the conference is you can’t get to quality, you can’t get to measurement, you can’t get to effective decision support, you can’t get to a synchronous care, you can’t get the connection between personal health record and the EHRs without having these standards operating. And primary care can’t get there without its own information model, without a way of turning its data into information and sharing it with other systems. And the standards process, as I said, has really neglected primary care. Some of what I call in here high level standards, you could call them functions if you want to. But the thing that our information and model in primary care really needs to be able to do is create registries. We need to be able to identify the patients we’re taking care of and know what conditions they have. We need to know who they say their doctor is. We need to know why they come – not just what they’re diagnosed with, but why do they come, what is it that brought them there today, and what are the goals and values in dealing with that condition or whatever conditions that they have in addition to it. And we have to be able to organize those into episodes of care. And episodes mean a variety of things to different people. And an episode for us means when they came in and said I have this problem until there’s a diagnosis attached to that problem and until there’s a resolution to that problem, if ever. So an episode may be one visit. I hurt here, and that hurt goes away. Or it may be I have diabetes, and it’s a life long episode. But unless we can organize the data that way, we can’t understand how symptoms become diseases. We can’t understand how symptoms and diseases and the medications and the way we treat them lead to outcomes. We just can’t understand that pathway. And payers understand it. Payers right now are taking their secondary claims data, and they’re organizing those into episodes like crazy because it’s the only way they can understand where they’re leaking cash and what their best opportunities are for managing care better to reduce their expenses. But they’re working with claims data. We had an economist working on this problem at our meeting. And when we demonstrated what you can do when you have an information model operating, he lit up. He got it. He said, oh, my gosh, if we could do that from the data clinical systems and not from our claims systems, it would be incredible. My clinic is operating with one of the top five EHRs in use in this country, and I can’t do any of these out of box, not a single one of them. We’ve had to retrofit it using our own coding to even get to patient registry. DR. KLINKMAN: So here’s where Bob turns things over to me for a few minutes and lets me dig down. So for the next few minutes, we’re going to talk a little bit more specifically about what we did at the conference. And I start with another quote here. This is from a recent report that many of you may have seen. It’s an ARC publication released in July where people from the Institute for Health Care Improvement had looked at primary care health information technology. Basically, HIT has the potential to enable better care for patients, help clinicians achieve continuing improvements in the quality of care, in primary care. However, simply implementing current health IT tools will not bring about these results. To generate substantial ongoing improvements, health IT adoption must go hand in hand with the implementation of a robust care model and the routine use of solvent proven methods. It’s the care model we’re going to talk about for a bit here because what we realize in the end is and maybe something of relevance to NCVHS is that we may do a great job of identifying individual tools or terminologies that get at a piece of what the health counter price does. But particularly for primary care, those pieces have got to fit together with some structure, and that’s what’s missing. So basic things we need to know. This is from my perspective, I’m a practicing primary care doc who dabbles in some of this stuff when he has spare time. Who has blank, diabetes in my practice. That’s disease registries. They’re necessary for point of care decision support and all the other things you already know about. Who gets something? Patients coming in with fatigue. Who gets cancer? When they come in with presenting and complaint of fatigue. We simply can’t answer that from data that we have in practices in the U.S. because all we have are the diagnostic information. We don’t have the beginning of the episode. That’s basic clinical epidemiology for primary care is missing, and it requires an episode of care for the data for longitudinal stream of services is linked together. What is the context in which that care is provided. What do we know about competing demands? How do we code and follow social problems that impact our ability to deliver medical care? How do we include patient goals and priorities on a routine basis, and how do we manage multi morbidity. And finally, what happened out there? How do you move information retrieval from simply having an isolated retrieval of my practice data to being able to retrieve what happened to my patient when they left my practice and went to the consultant. Now what we passed around before we started the meeting is a single page which gives sort of the beginning of a use case, just talking about how a medical home might work in action in primary care. You all can peruse it at your convenience. But these questions are right at the core of what we try to do in routine health care every day, and it leads to this information model, and I’m going to run through this in a few slides. The basic structure of information in primary care is pretty simple. You need to have information about persons, their problems. We call clinical modifiers, things that would affect how we manage a problem meaning what are the risk factors because we’re moving from managing disease to managing risk factors. What are significant prior events that may not be in a current problem but still affect our management. What actions are taken, what decisions are made when intervention meaning lab tests or other procedures. Time – how do we structure information over time so that we can retrieve it all by pulling on one rope or one pulley. And finally, how do we have consistent and universal data import and export so that we can find out what happened outside of our practice. Those are the structural building blocks of the model that we think probably is necessary for medical care, for primary care. So we take a step back, and given the severe constraints that face primary care physicians and patients, ten-minute visits, ten problems to address in those ten minutes, needing to record information before we move on to the next patient and forget what we did during those ten minutes. Under those constraints, we have to rely on patients to give us some of that information, or as time goes on, to enter it themselves. We can create templates for patients to enter data before they see us or while they’re waiting to see us totally asynchronously from home. That’s the personal health record that you all have heard about. Clinicians also must input data whether it’s through natural language and dictation or structured templates. But there’s a limit to how many templates you can run through in primary care when you have somebody with four problems in front of you. And finally, automated data feeds. We found that there is one classification that enables us to tie together these different strings in different parts of structure. It’s called the International Classification of Primary Care. It’s in use widely in Europe and around the world. It hasn’t had much traction in the U.S. yet. But it brings together in its current form several of these cases to input and structure. So for those of you that have never heard these initials before, ICPC is a very simple classification not a terminology, but a classification that includes 17 chapters. It’s intended for almost mnemonic use by primary care physicians to record patient’s reasons for the visit, why they came in, symptoms, complaints, diagnoses and to tie them together from one visit to the next as long as the problem is being addressed. So it’s organized into episodes. The key features are that it incorporates patient voices. It allows for the use of symptom diagnoses in primary care where they’re appropriate rather than forcing a rule out or premature closure on a specific diagnosis. It accommodates social problems as problems to be addressed. It’s episode based, so it can track the process of care for a problem over time. It is of limited granularity which is an issue if you’re thinking in terms of terminologies that underlie electronic records. But when you’re thinking of data retrieval, lack of granularity can at times be a very good thing. Repeat it again, it’s not a terminology, but it has mapped the standard terminologies including ICD-10, ICD-9CM. It is being mapped now to SNOMED-CT, and it’s also linked to certain controlled clinical terminologies used by folks running medical records in different countries. Belgium and the Netherlands are probably the two best examples. We have created Windows allowing ICPC to be linked to other procedural terminologies such as CBT. We’ve incorporated SF and WONCA cop charts to look at disability or function, and we are exploring how to incorporate ICF, International Classification of Functions, Disabilities and Handicaps into a recording system based on ICPC. So we’ve got inputs. We’ve got structure. We need outputs, and this gets at much of what the ARC Report talks about which is what are the views, what are the data retrieval structures needed. How can you actually work with information in the context of primary care. How can primary care docs own their data and use it in every day practice. There are five basic types of views that are important to have. Aggregate views which provide the kind of fodder for disease registries and heed us determination. There are aggregate longitudinal views that we currently cannot do here in this country from primary care data. There are cross sectional patient views that we all have in our EMRs to a greater or lesser degree giving a dashboard, giving prompts and reminders. And then at the very bottom longitudinal patient views so we can understand how episodes interact over time, and how problems come together or go apart over time, and what comorbidity really means. All of those things are ways that we can structure that information. It may come in simple building blocks. We have some experiences with software. This is probably the best known international version. It’s in use in many practices in the Netherlands and some in Malta. The electronic record does structure itself so that this kind of innovation can be easily retrieved. It gives a very precise picture of primary care epidemiology. We’re just experimenting in my site at the University of Michigan with Klinkotractor which does some of the things here as well. So this last real picture I think warrants a little bit of time. I think this is what people at the conference came to some understanding of how classifications and terminologies could fit together to support primary care health information technology. At the very center is a sort of a structural glue. You can think of something like ICPC which is, again, not extremely granular, but has the correct structure to enable data retrieval and to be able to work with data in episode format. ICPC can be mapped and linked, therefore, to ICD, to ICF for those cases in which we need to have routine functional and disability assessments, to classifications of symptoms or social problems that are not yet fully developed in that next tier. And I think here’s a great opportunity for us to work with NCVHS and National Center for Health Statistics on incorporating reasons for encounter or reasons for visit into ICD. Risk factors and health interventions, again, WHO is interested in working on an international classification for health interventions. We have our own here. At the very floor of all of this stuff is a tremendous role for SNOMED-CT because that provides the granularity, the very precision that you might want for an individual patient record or an individual specific patient problem. But it needs to be retrieved, I think, through the structural capability of something that could put the information I proper perspective so that docs in practice can learn from their data and work with their data in real time rather than depending upon a very complex structure that they may never get to. I think with that, I think we can pass through those. Maybe going back to this, one way to think about this at maybe a 30,000 foot level and one way that we explored by the end of the meeting is to think about the value that can be added by coupling information technology, patients’ own ways of obtaining information with the medical home. So starting at the left, a patient currently and increasingly in the future is going to have all sorts of information whether thrown at them or sought out on the web. But it is not easy for a lay person to assemble, parse, use that information correctly. So without there being some way to synthesize, filter and manage that information, without there being some partnership between a medical home and a patient, that information may or may not lead to better health care use and better health care outcomes. So you see then an activated patient who couples with the medical home in which that information is synthesized, it’s sorted, it’s ordered, it’s recorded at that patient’s medical home so that the patient does not have to parse the information and decide what is given to the specialist, what is given to the primary care doc, what is given to a nurse, and how to figure out which place goes where. Once a patient and a primary care medical home come together, the information can be focused and filtered, and that can lead to very highly structured knowledge transfer to specialists or other providers as necessary. That’s a big, huge vision. But I think we need to put some very simple building blocks in place, and the conference, I think, reinforced that message that without simple building blocks, a system that was intended to support primary care would collapse under its own weight. So now what can you all do to help us from this point forward. DR. PHILLIPS: And we’re filtering. There were probably 40 strategic opportunities that came out of this conference that were recommended by everyone participating. And I’m only bringing a few of those to you that I think NCVHS touches on most primarily. So the first is some form of endorsing of ICPC or some direction to ONC and AHIC to develop a use case. One of the reasons this might be appealing is because the interest of bringing ICD-10-CM into this country, it might be a much easier thing if those two are mapped and primary care physicians are offered a classification scheme of 687 classifications instead of 14,000, and we’re perfectly comfortable using ICD-9 right now. They may not all choose to use ICPC, and that’s fine. But if they’re mapped, it makes it easier for them to start using one and be able to produce the other and meet the needs and interests of NCVHS but also WHO. Another opportunity to integrate, as Mike said earlier, the reason for encounter codes from ICPC into ICD-10-CM, capturing that reason for encounter is so important if you want to understand how symptoms become disease. We’ve got a paper using data from the Netherlands of the probability of breast pain, breast lump, concern about breast cancer actually becoming breast cancer. And you can look at it by age and presentation of symptoms. You can’t do that with data in the U.S. And putting reason for encounter codes into ICD-10-CM would be I think an amazing information opportunity, and then that could also lead to the National Uniform Billing Committee putting into their standards something that gets paid for so that there’s some incentive for actually recording those. You all are the experts on privacy standards. I’m not going to try and wade in to telling you what to do about privacy standards. But some of the opportunities related to that are to make sure that the privacy standards don’t affect the capacity of patients to use their PHR, their personal health record, to put information into their electronic health record. It would be, I think, just a tragedy for them to be managing information on one side and then have to carry it in on paper or some other format to be dumped into their EHR in a format that may not be standardized. I can tell you how frustration it is. I had a 79-year-old patient of mine who carried around his medical record that we had created for him on a thumb drive around his neck between the four providers of other sub-specialty care and the three hospitals, still wound up on an extra calcium channel blocker and going into complete heart block and winding up with a pacemaker he probably didn’t need. The information was around his neck the entire time. I can envision people creating PHRs and trying to carry the information in like that. Another is to avoid privacy standards that don’t permit physicians or payer groups to contract with outside data managers. Just because you construct these databases and organize the data the way we discussed does not necessarily mean that a physician can sit down and use them to understand their practice. In the Netherlands, it created a platform that does that for the physician so that they put in reason for encounter. You know, if this person has belly pain and they’re this age and this gender, here are the ten probabilities. The highest probability is based on our active database right now of what this likely is, and here are the tests you should run to decide which of those it may be or to go to another step. And boom, here’s number one, you’ve made this diagnosis, and now here are the guidelines you’re going to follow with this patient’s care. The only reason that can happen is because there’s a data management platform in place, and EHR can do that if it’s designed correctly. But you may also want to have the capacity for outside data management systems to that for practices, but also to provide them feedback on their quality or to feed your national health information surveys so that you have a national health survey, but you also have this robust database telling you about epidemiology that’s hitting primary care this week. The other thing we really need help with that the conference helped us with a lot because we had a lot of the federal agency folks and standards folks there, but we need help in developing a working relationship with ONC with the primary message being that primary care is – standards for primary care are not, they’re not done, and that they need to be relooked at, and there are some specific options for them to consider. Another is to turn to DHS and request or recommend a standard for primary care data structures for further development in case development just like you did recently with ICF. And if you have suggestions, we’re completely open to them about how to get primary care and its use cases and the HITSP and CCHIT and to vendors and to other places in HHS that might be helpful. We’re not experts at this, and you all are, and we could use help. That’s it. DR. COHN: I think a very interesting set of messages and suggestions. Any comments or questions from the Committee? Larry? DR. GREEN: I’d like to make two. One if Marjorie brought a very interesting panel together for this conference that included representation from Geneva and the National Library of Medicine. Since Carl White started beating up on me about 30 years ago, I’ve held up well, right. I’m not sure I’ve witnessed something quite as electric as what happened when these different segments trying to organize the information world and structure it, when they started seeing how their piece of it and their interest sort of could come together around an integrated platform which worked in this international meeting by clients in medical home. People – those plain English words medical home had a general enough meaning that people could plug in from the piece of the world that they knew. We’re indebted to Marjorie yet again for getting the right people at the right place at the right time to do something, I think. The second point I wanted to make is I was just joking with him about the French again. You know, Coceau is right. The clinic as we know it and as exists in our entire lifetime was invented in France probably around 1830. And there’s been very little change in that clinical model and process in almost 200 years. It’s very dangerous to make predictions about the future, right. But to tread into that thin ice, it sure looks like that clinic is being burned down, and that it’s being replaced with brand new models of clinical care that IT enabled. It’s the information age as opposed to the industrial age coming to bear on clinical care. And in the United States right now, there is nothing that has the political legs as this term medical home. So we were talking about this in our Population Subcommittee in the morning, I guess, again. But there just may be some very promising opportunities that take advantage of this focus on constructing this integrated platform where a person’s health can be pulled together into coherence and make sense across various settings. It’s trying to happen now. And a data model and the appropriate classification and appropriate coding and mapping of those codes is possibly, maybe even probably timely. My own personal answer to the question how NCVHS might help is to at least explore what the data model and the classification and coding structures are that would be necessary to support the medical home that Medicare is testing that a lot of people are interested right now. There’s an amazing silence about this key infrastructure, about the ordering principles for it, and that might be a place where NCVHS could weigh in and provide leadership. DR. COHN: Carol? MS. MCCALL: I would agree with that comment. I think we can provide leadership. I think there’s another place as well. Can you go back one slide, please. When I look at that bottom bullet point, privacy standards that permit outside data management agreements and then I listen to your example, and what I heard you say implied that it was a technical issue, allow somebody else to manage that database, right. And yet before it’s a technical issue, this belongs in enhanced uses, and that may be another place before it’s a technology issue, it’s a policy issue, and it’s about aggregation and permissions and everything we’ve been talking about earlier today. And I think that’s where we can bring things like this specifically into our conversations and make specific recommendations. DR. COHN: I guess I should comment also. I mean, first of all, I’m reminded that we, I believe, have Presuit(?) coming in February, I hope, to talk about ICD since we’re talking about ICD-11. And part of the question, of course, is how all this begins to come together and how this all might look in the tapestry of things in the future around classifications. So I think that’s another way that we can begin to explore some of the questions. I do have a specific issue or question. I think I may have insinuated this on my emails to Marjorie when I discovered I wasn’t going to be able to attend the meeting. But – and maybe you may all have very good answers for this. But you know, I think most of the vision that many of us have, and I realize I’m an emergency physician. I’m not a primary care specialist. But you know, the vision that many of us have about health care is integration across settings of care, specialties, primary care, data information flowing freely, and information readily understandable. We also live in an environment where a lot of specialists deliver some aspect of primary care. If you’re a person with severe chronic congestive heart failure, you may very well have your cardiologist as your primary care giver. So it isn’t –- the medical home obviously is just a primary care term, but it’s – you may have cardiologists delivering five or ten percent of their care as primary care. And yet, I hear this discussion being – a lot being brought forward by primary care. Now maybe you can explain to me in the world where we really seek data flowing back and forth where we’re looking for things that help specialists as much as primary care or patients as much as providers. I mean, what is your vision here? Because I hear the medical home being at least as I’m hearing it, a lot of primary care construct. And yet obviously our health care environment is much more complex than that. Please. DR. KLINKMAN: I can take a stab at that. There are probably two different ways to look at it. But one way is to consider the big picture of a person having some control over basic health information whether or not that person assembles it him or herself. So something like the continuity of care records, something like a basic structure that gives what it is that they have, what it is that they take from one doctor to another so that every doc that might see a patient has a basic understanding of that patient’s medications, allergies, chronic problems, significant events, things that we kind of rolled in the structure. The docs who then see the patient in the chain move information back and forth again using either the vehicle or standards of moving information. So messages about what lab tests were completed, the eco cardiogram that the cardiologist does that you want to get back to the primary care doc, those things can be moved using current information transfer standards. The idea is that there is a kernel, that there’s a place where that information is kept that the physicians who see that patient have access to, and that’s critically important because the medical home isn’t always going to be a primary care home, like you said. Sometimes it’s going to be cardiologist’s office or sometimes the cardiologist will say I want to carve this piece of care, but as in my interactions often with specialists, I want you, Dr. Klinkman, to take care of these other things. I’ll deal with the heart stuff, but you know, you’re still responsible for the preventive care, for other screening. DR. COHN: I guess I was actually maybe quite – I was trying to where ICPCP fit into this. DR. KLINKMAN: The ICPCP part is in the data retrieval. If you’re thinking of trying – we just tried to go through this. For example, we tried to go through our practice identifying which patients had depressive disorders so that we can construct a registry. We did that from the data that we have at the University of Michigan within our Klinkotractor system using ICPCP fairly quickly. When we tried to do that within the health system practices that don’t do that, we had to look at billing diagnoses which were inaccurate. We had to look at a term search within the medical record. We had to a whole bunch of different ways to try to construct the same information and try to bring it together in the same way, and we don’t have the horsepower to do that for one condition after another. I think that the level of aggregation where you get basic conditions that a patient has that move around, that’s where that structural element works. MS. MCCALL: It was a clarifying question to say isn’t it capture before retrieval? DR. KLINKMAN: It’s both. I answered as tailored and harmonized. We’re talking about a particular setting, the one we work at. It happens to be the largest setting of care, and one that it is, we think, being neglected and has options right at hand for tailoring its standards and harmonizing those with other standards. The ER may find ICPCP to be a wonderful way to capture and retrieve data. They may find that there’s a different classification system or way of organizing its data that fits ERs better and lets you retrieve your information in a different way. And we’ve got to figure out how to make sure that the information flows between the two settings. And that’s why ICPC has been mapped to ICD-10 and to SNOMED, and it’s mapping process that lets the information flow. So we’re only talking about one particular setting because it’s the one we know, and we don’t want to preach for yours without your consent. But we think there are many settings that may need tailored options and standards with harmonizing options between them. DR. COHN: Sure. No, I appreciate that. And – oh, I’m sorry, Judy and then Don and hopefully we’ll wrap up and move to our next piece. DR. WARREN: I was intrigued by the data model that you put up there and wondered because of my nursing background where functional status was. The only place I could figure it out was clinical modifiers. But it would seem to me if you were a medical home, that would be one of your primary considerations is how well that person functions. DR. KLINKMAN: Yes, the way it looked when we blow this out, it actually fits under person or under clinical modifiers, either one, and it’s not a disease link thing because it goes across several conditions. DR. WARREN: Right. Some of the reading that I’ve done on medical home is that, and this is showing my assumption about what you’re calling primary care, is that you really are worried about keeping that person at home and functioning. And a lot of what you’re doing is symptom management, not necessarily disease management for a while which I think is one of the problems you have for your information model of trying to come up with one that will allow you to shift from symptom management into disease management whenever that definitive act, you know, occurs. The other thing I was very intrigued with the meeting that you had and wondered if you had any nurse practitioners involved in that, especially University of Michigan. You’ve got a very active nurse practitioner. Do you Joanne Pull? DR. PHILLIPS: Well, I can answer at least one thing. One of the nurse practitioner clinics at U of M is working with this data model now with us trying to work – DR. WARREN: Exactly. That’s what I saw because Joanne and I have had several conversations about what a data model might be for a nurse run clinic. DR. PHILLIPS: We had nurse practitioners there. They weren’t there representing nurse practitioners. DR. WARREN: If they’re there at PCPs, that’s wonderful. I have no problem with that. DR. PHILLIPS: I don’t know if any of you have read Carl Sagan’s book the Demon Haunted World. But what he points out is that we’re back to middle age like experience for most people. We don’t know how our cell phone works. We don’t know how the TV works or the computer works. But I’ve got it better. And we had actually a reaction. The Chair of the Board of the AFP who attended a meeting and looked very stunned the whole meeting stood up finally and said I don’t understand most of what you just talked about today. But I know it’s important, and I know that my practice needs it. One of the experiences we had in recruiting people is we got the data standards people there in spades. The clinicians go, yeah, I want it to work. DR. WARREN: I know, and the work that I’ve done at HL-7, one of our biggest frustrations was trying to get the clinicians there to stave off the engineers so that we could say what you’re designing works just fine, but not within the clinical arena. We needed more of that kind of knowledge basically. But the engineers would scare off the clinicians because they thought they had to know that stuff, too, and that’s not the way we need to be working on standards. DR. PHILLIPS: It’s also stamina, too. I think just the shear weight of the meetings that you need to attend to make progress, it’s hard to take the time away to do. DR. COHN: Don? DR. STEINWACHS: Well, I very much appreciated the integrated model trying to put – I always called it IT PIC, but I guess ICPC sounds better. Just two sorts of comments, you know. It seems to me primary care is in the position of trying to put the pieces together for the person where many times we think about individual encounters or specialties as putting pieces together for a disease in a person. And so it seems like the structure you’re talking about becomes critically important if you’re going to try and put together a profile of the person. It always seemed to me one of the barriers is in the coding process, and even though maybe it’s coding systems and trying to be more user friendly than ICD-10 probably and ICD-11, who knows. But it would be useful to me some of your comments about are there ways either to support, motivate or to provide technological support to make that really happen, and one of them which has always interested me because Carl White used to preach to me about the same time he was preaching to this young man. That’s right, and it was part of our NCVHS recommendations on a uniform minimum data set for ambulatory care that there be the patient’s presenting complaint in the patient’s own words. And so that was always one of the interesting problems to me is that frequently when you look at a chart or other things, you may have a presenting complaint. But it’s not in the patient’s own words. It’s only usually sometimes in the emergency department, I guess, where the nurse or whoever the entry person will copy down a brief summary of that, and that was the other interesting part to me. DR. GREEN: It was only 18 years ago in 1989. DR. STEINWACHS: Just about the time when Larry and I were born. DR. KLINKMAN: Let me respond to last part first. One of the ways that we envision this working if it ever comes to maturity is that a patient will put in their own presenting complaints in their own words. DR. STEINWACHS: Here, here. DR. KLINKMAN: Yes, and you facilitate that with a patient portal into whatever system it is you’re using. But ICPC and about trying to figure out how to make the simpler standard work, one of the things that we did a couple of years ago is create a thesaurus links the codes one to another so that you have a map that works on an electronic basis between picking an ICPC code, figuring out whether the appropriate ICD-9 CM code is A or B because you’ll have a list that pops up with that, and then moving the same thing with ICD-10. And part of, I think, where the benefit for primary care docs may come in transition to the ICD-10 CM when it comes is that if that’s in existence, that makes the transition somewhat painless because there’s a three way conversion already built. DR. COHN: I’m actually going to let Larry make his last comment, and then we’re going to – we need to – DR. GREEN: Well, I’ll just play doctor again and answer it. I want to offer another answer to your question where does ICPC fit in. This is really not about ICPC inherently. ICPC just happens to be the only existing primary care classification that the people at this conference could find that had ever been demonstrated to work. So it elevates the discourse from the theoretical to this actually has been used, you know. It actually works. And playing doctor here for a moment, when I’m teaching and recepting with residents, I resort to the Transhis database all the time because there is no database in the United States I can use to get answers to questions like given that we’ve got this 54-year-old man with his first episode of despurlic drainage, and he’s got this mucosal thickening, what is the probability that any time in the next 12 months that he will have a head and neck cancer. You cannot find the answer to that in the United States. That’s evidenced based. But if you go over to the Netherlands, they produce things like that. So what Mike just threw up there – here’s a 25 to 44-year-old guy, just 973 episodes they have in their database, a 25 to 44-year-old came, said to somebody like me, hey, Doctor Green, short of breath, the final diagnosis for that episode 28 percent of the time, you know, with that entre show, became acute bronchitis. You don’t notice any cancers in there, do you. I mean, this sort of quantitative evidence in the information age in a medical home is so potent to guide portal care decision making, to make the choices about what you test for and how quickly, that’s where an episode architecture like as demonstrated by ICPC fits in to change the book. MR. PHILLIPS: You can see how it differs when you got older codes. DR. COHN: Okay. Well, I want to thank both of you for coming to present, and Larry, thank you for annotating the comments. I was actually amazing that he just didn’t present actually. But it sounds – my understanding is that Populations is going to be discussing some of this during your break out. DR. STEINWACHS: I’ll look forward to creating a medical home for Larry. DR. COHN: Okay. We’re obviously also –- I’m assuming we’ve got Chris coming to talk about ICD-11. I think it’s an interesting perspective and terms to bring up around all of this stuff. Now what I’m going to suggest is we take about a five-minute break again because people need it, and we’ll let Margret get up and get her computer connected and all of that stuff, and then we will jump back into the discussion of the paper. So with that, we will adjourn for our five minutes. [Break] DR. COHN: Won’t you please be seated, and we’ll get started for the last session of the day. I just want to remind everybody that tomorrow morning we’re starting at eight o’clock both Subcommittee on Populations. Quality’s here, will be here. MS. GREENBERG: And Privacy will be in a different room. DR. COHN: Okay, will be secured in a currently private room since we don’t know what it is. And then the Full Committee will start a little bit after ten. Yes? Oh, so this is Privacy. So it’s so private, it’s actually going to be here. And then Populations will start around 9:15 going to 10:00. Okay. Now Margret, you had your arm raised for something. MS. AMATAYAKUL: I was just going to say that I fixed up much of the first part of the document. So what I’m working on is that document so I don’t have to work from two documents tonight so the line numbers will be different. So when you look at your page and you want to say line so and so, could you please also look up there and help me find where you’re talking about. DR. COHN: Okay. So with this one, Harry, we’ll turn it over to you. MR. REYNOLDS: All right. Margret, did we need to go back to that page? Okay, good. Okay, so we’re at 2.1. And again, we’re still under the heading of observations and recommendations on principles of data stewardship for transparency. So we have 2.1 and then where we talk about the recommendation on transparency, then education and clarity and so on as you see down. Anybody have any issues or concerns on anything related to 2.1. Two point one and everything between 2.1 and 3. Yes, Marc. DR. ROTHSTEIN: I have a question in 2.1.3 in my version is line 986, but it’s the fifth line down, and it’s just one word, but it’s important, and that’s the word may. Can you explain to me what exactly we’re recommending? MR. REYNOLDS: What we’re recommending is right now there is nothing in the privacy notices, most of the privacy notices about how the data will be used. And so what we’re saying is if somebody requests that and are you questioning may or should be will or – DR. ROTHSTEIN: Well, yes, that’s what I’m questioning. Are we saying that it should be should, or are we trying to avoid that by saying may to make it vaguer. MR. REYNOLDS: Well, Marc, what do you recommend? DR. ROTHSTEIN: I would recommend should. MR. REYNOLDS: All right, we got a shall, and we got a shall. Comments, concerns? Okay. Anything else in 2.1 or 2.2? MR. BLAIR: I get this uncomfortable feeling that somebody put a may in because there was a concern. We haven’t heard why there was a may. MR. REYNOLDS: No, I don’t think. Jeff, I don’t think so. No, I would agree with you that the normal case I don’t believe there’s any concern on this one. Let’s go to three. What we’re talking about in three is the observations or recommendations on principles for data stewardship for individual participation and control over personal health data held by organizations. I’m on 3.0. MR. HOUSTON: I’m sorry, I did have a comment about 2.1. My apologies. MR. REYNOLDS: Okay, we’re going backwards. MR. HOUSTON: Yes. We’ll go backwards. MR. REYNOLDS: And we’re listening. Yes sir. MR. HOUSTON: Intently. Under 2.1.4, it says that HHS should issue guidance to covered entities to incorporate reference into NPP about what protected health information is disclosed to other organizations such as public health. My concern is that requests from organizations like public health change regularly, and I’m not sure whether in the NPP to me in my mind needs to be a fairly static document. And I’m just wondering how you would go about having this type of notice when it changes readily. It’s an operational kind of – MR. REYNOLDS: Well, no, I agree. Let me see how to read it and maybe a little differently, maybe a little different tone than you read it. And that is that you could standardly put in an NPP that when required you will give that patient’s information to public health. That’s what it’s saying, and we’re recommending it. MR. HOUSTON: Okay, all right. MR. REYNOLDS: That’s a standard statement. We’re not saying, you know, every other letter, every other field. We’re not saying that. We’re saying because, again, the whole point is let the person know that their data may go to public health when it’s appropriate, that your laws are under whatever happens. Judy? DR. WARREN: If you look at that then, public health doesn’t mean anything to me. To a public health department or public health agency. MR. REYNOLDS: Everybody okay with agency? MR. HOUSTON: We could argue governmental agencies. But I don’t know – I mean – well, we might be compelled by other organizations to provide data. DR. WARREN: Think about it, make a recommendation. MR. REYNOLDS: Okay, public health agency. MR. HOUSTON: That’s fine. MR. REYNOLDS: Steve? DR. STEINDEL: I think if we’re going to get picky and define what the definition on public health, we probably should talk about it more as for legally defined purposes regarding the public health or something like that because you know, when we say a public health agency, it may not necessarily be a public health agency that’s covered. It may be – MR. REYNOLDS: So what do you recommend – DR. STEINDEL: I personally would just leave it as public health because public health is in the context of what we are saying here, I don’t think public health is specifically defined. MR. HOUSTON: But we do need to be a little bit careful because I’m assuming that there could potentially be private/public health related organizations. DR. STEINDEL: There are private/public health related institutions. MR. HOUSTON: And those would not have under HIPAA the right to request and get data. DR. STEINDEL: Actually, some of them do. MR. HOUSTON: Okay, then not all of them. Okay, well, that would have some state sanction to it. DR. STEINDEL: Exactly. MR. HOUSTON: So we need to be careful about the metes and the bounds of this, and I understand we’re getting fairly picky here. But there is a – and the reason why I focused on this again was because we get all sorts of requests from our county public health department, and we have a dialogue with them all the time. And so just be careful how we – MR. REYNOLDS: Marc? DR. ROTHSTEIN: Maybe we can change it to incorporate both and make it such as when legally required or public health purposes. MR. REYNOLDS: Is everybody good with that? Okay. All right, are we on three now? Okay, we got too many conversations going on. Okay. Garland? DR. LAND: The last sentence of that same section says this information may be available to individuals upon request. What individuals? MR. REYNOLDS: It’s the individual whose data it is. It’s that patient. DR. LAND: Okay, so maybe that needs to be modified then. It’s not just any individual. DR. W. SCANLON: Is it the health information, or is it the fact of what is going to be disclosed. MR. REYNOLDS: It’s what is going to be disclosed, or that there is a disclosure to public health, yes. It’s the fact that there is. It’s the fact, not the data. DR. W. SCANLON: It’s the fact that information is used in the prior sentence, protected health information, then this information. MR. REYNOLDS: Margret, did you get that? It’s not the information itself that’s available. It’s that it was given – that it would be given to public health would be available. Okay, moving on to three. DR. COHN: Now what did we – what is it? What is it that we’re saying here? I thought that we were basically talking generally about the nature of information consent to public health, not that X’s information on this specific topic was sent. MR. REYNOLDS: Say it one more time. I’m sorry, there was a conversation. DR. COHN: I guess I’m a little confused about the specificity of what we were including here. I thought we were making – DR. W. SCANLON: I agree with you, and I think that we would change the this to such information about such disclosures shall be available to – MS. GREENBERG: Or this disclosure information. DR. COHN: Okay. Thank you, okay. MR. REYNOLDS: Okay, good. Judy? DR. WARREN: Then I’m really confused with the way they’ve edited it because I thought all they were talking about is that guidance to covered entities to incorporate references in their notice for whatever it is, the thing that we required, protected stuff on what protected PHIs disclose to other organizations such as public health. Now the next sentence, the information that’s available to individuals. If they look at the NPP, then are they just getting the information that was disclosed to the specific organization, or are they getting information about what was given to that organization? MR. REYNOLDS: Margret, then Al. MS. AMATAYAKUL: You know, I wonder if we even need this last sentence because if a specific individual asks, this should be in your calling for disclosure. If it’s just general what do you do, then you should be able to tell them you report communicable disease to public health. MR. REYNOLDS: Steve? DR. STEINDEL: First of all, I’ve never looked at this sentence, the last sentence about this information may be available. I never looked at it as referring to public health. I’ve always looked at it as the NPP should contain a list of organizations that you just routinely disclose information to. And what should be made available in the NPP is that list, and that last sentence refers to that list, the list of people that you routinely disclose information. MR. REYNOLDS: Well, let me adjust it. Some of them may be categories. Public health is a category. DR. STEINDEL: It might be a category. MR. REYNOLDS: I’m playing off of John’s comment. So you will give it to public health when it’s appropriate. DR. STEINDEL: I mean, actually what should appear on this list is that you give it to payers. MR. REYNOLDS: All right, any other comments? John? MR. HOUSTON: Back to the – again, it hasn’t changed. Legally required for should be legally permitted for public health – DR. STEINDEL: No, I disagree. I think – MR. HOUSTON: The rule, the rule – DR. STEINDEL: No, this is not referring to the rule. This is referring to the requirement that is placed on the provider. The provider is required to report it. MR. HOUSTON: No. DR. STEINDEL: They are permitted to report it without consent. MR. HOUSTON: Regardless, notice of privacy practice is supposed to describe how information is conveyed or is disclosed or provided. If it is to provide it to public health, it may be provided to public health when required or permitted, then it’s when it’s permitted. It doesn’t have to be required. If you simply said it’s when required by law, then there might be a whole group of disclosures that are curved because they’re permitted that that person would never think are being made. DR. STEINDEL: I disagree. MR. REYNOLDS: Is it when appropriate? MR. HOUSTON: No, when permitted. DR. STEINDEL: I still disagree. MR. HOUSTON: There’s a group of required disclosures. There’s a group of permitted disclosures. And my point is, is if you simply say when required by law, then you would say there’s – people would think, oh, they’re only giving me this – MR. REYNOLDS: Take a look at that. Take a look up there now. It’s legally required or permitted. DR. COHN: Yes. But I guess we stop and figure out what we’re doing with last sentence and that we better just remove it, given the rest of what we’re saying there. MR. REYNOLDS: Does the last sentence go? DR. COHN: I don’t think it’s necessary. DR. STEINDEL: I actually think it adds something because one of the problems right now that we found out was people are not aware of who gets their information, and I think that sentence makes it clear that the NPP should say who gets my information, whether it’s a group or a specific body. And I think that’s the purpose of that last sentence. DR. COHN: Well, no, the NPP – this last sentence is something beyond the NPP. We already talk about the NPP having that information. This is something much more specific that’s a follow on that relates to individual requires based on the NPP. MR. REYNOLDS: Yes, that’s all the last sentence is about, individual inquiry. MS. GREENBERG: This is about – MR. REYNOLDS: Microphone, Marjorie. MS. GREENBERG: I’m sorry. The NPP may say and data are provided to public health as required or whatever, as permitted. But then this would be additional information as just what type of data are provided to what type of organization or public health, correct? MR. REYNOLDS: No. MS. GREENBERG: No? MR. REYNOLDS: No. MS. GREENBERG: I thought the idea was not that the NPP would include every possible disclosure would have maybe more categories of disclosures, but that it would tell people that if you would like more information about this type of data and what organizations in public health get this data – MR. REYNOLDS: Well, Margret’s shaking her head, but we could debate type. MS. GREENBERG: Then you could get it. MR. REYNOLDS: Go ahead. MS. AMATAYAKUL: It might be worth thinking about how we came to this 2.1.4 to begin with. In 2.1.3, we wanted to provide individuals a complete list of all business associates and their agents that we might do business with, we might be doing business with when they request it if there’s some legitimate concern. When we said that, we recognized that public health wasn’t a business associate or an agent. And so we created a second recommendation that was really supposed to be in parallel that would cover things like public health because the notice of privacy practice already says you have to release data to public health, but just exactly what kind of data do you typically release is this further additional information that you would get upon request. DR. COHN: Get to the microphone. DR. LAND: It could be interpreted that there was a disclosure to public health on an injury, or it could be interpreted that there’s a disclosure to public health or could be interpreted there’s a disclosure of these data elements to public health on this particular condition. And I’m not sure what’s intended there. MR. REYNOLDS: Where are we going? DR. CARR: Can we combine it into 2.1.3? MR. REYNOLDS: I couldn’t hear you. DR. CARR: Should it not be broken out and just combined into 2.1.3? MR. REYNOLDS: Steve? DR. STEINDEL: Harry, why don’t we just kind of use the same construct we did before, and instead of making it a separate sentence such as public health comma, and make this information available to individuals upon request so it’s clear we’re talking about the information we’re referring to in the first sentence. MR. REYNOLDS: Margret, why don’t you read it as it is. DR. STEINDEL: Just concatenate the last sentence with the first sentence by putting a comma after such as public health and say and make it available to individuals upon request. Now made available to individuals upon request. DR. FITZMAURICE: You don’t mean all the data given to public health, just that person’s data that was given to public health, right? DR. CARR: I don’t think we mean to imply that we’re going to be able to trace whose data went to which agency. I think what we mean is that we’re going to be able to say the types of disclosures that we have, and then upon request a list of here are all the places that data goes, and your data could have gone to any one of them. DR. STEINDEL: Like for instance, if you’re living in New York City and they have like 120 reportable diseases and somebody asks what do you report to public health, and you say we’re required to report any condition involving one of these 120 reportable diseases. MR. REYNOLDS: Right. DR. FITZMAURICE: I’m an individual, and you reported a venereal disease to the public health department. I want to see the information you sent them to see if my name is on it. If my name’s on it, I don’t get to see everybody else’s name. DR. STEINDEL: And actually that’s covered under the auditing and accounting provisions. MR. REYNOLDS: Okay, we got this up. All right, moving to 3, 3 of 9 just to put you in – I’ve already asked if you needed anything in 2.2, and nobody stopped. So 3.0, and I want you to give any of your comments up to 3.1, look at the text. John? MR. HOUSTON: The first bullet under 3 says providers who do not file claims electronically, they’re not covered entities. Maybe this is sort of a nuance, but I always said it’s not just providers who do not file claims electronically, but those who also don’t accept insurance. But I guess they wouldn’t be filing a claim electronically as well. I’m just wondering whether it would be helpful to put that point in. Providers who do not accept insurance or file claims electronically are not covered entities. MR. REYNOLDS: Okay. MS. AMATAYAKUL: Would that be covered in 1053 or their patients south pay? MR. REYNOLDS: I mean, your 1053 doesn’t match. MR. HOUSTON: Well, except that my change would be in the italicized stuff which I thought was as much a heading for all of this. The italicized portion of it was – oh, providers who do not accept insurance or do not file claims electronically. MR. REYNOLDS: Okay, anything else before we go to – Mike? DR. FITZMAURICE: On that same sentence, this leaves many organizations outside the protections afforded by HIPAA. When I start looking down here like providers who do not file claims, it’s got to be a small percentage of all physicians. And so I don’t know how many “many” is. Do we have an estimate of it, or just say some. MR. REYNOLDS: We got a privacy hearing on that. MR. HOUSTON: There are a lot of them like 50,000? Holy cow. MR. REYNOLDS: Okay. 3.1, recommendation on obtaining authorization for use of personal health information not covered by HIPAA protections. Jeff, I’ll start reading the headings, but I haven’t been attentive enough. I’m sorry. MR. BLAIR: Thank you. MR. REYNOLDS: John? MR. HOUSTON: When I looked at this, and I don’t know why I did this, but I sort of thought 3.2 and 3.1 should be flipped. MR. REYNOLDS: You mean in order? MR. HOUSTON: Yes. MR. REYNOLDS: Well, let’s go – does anybody have any issues with the wording? And if not, I don’t think we’re going to fight over the order. Okay, 3.2 is now 3.1 and 3.1 is now 3.2. Okay, 4.0, observations and recommendations on the principle of data stewardship for de-identification. And I would ask you as you’re thinking about this, remember in here we make the statement later on that we do want to hear more about this. So as we’re looking through this, this is not the final bell that will toll on de-identification as a subject. John? MR. HOUSTON: My only concern was in the examples. They would have example one, and then they say for example halfway through the example which I sort of thought was odd. MR. REYNOLDS: Okay. MR. HOUSTON: Stylistically, I just – each one of those was like that, and I’m thinking an example of an example. So – MR. REYNOLDS: Good. Okay, moving to 4.1, recommendation on de-identification. Justine? DR. CARR: Yes, I just had an example 3, the final sentence there also concerns that such a business – MR. REYNOLDS: An example three of what? Oh, you’re under four, okay. I was at 4.1. Okay, thank you. What do you want to do? DR. CARR: There are, well meant to afford the opportunity for physicians to acquire electronic health record systems. There are also concerns that such a business model may violate individual physician trust as opposed to is potentially taking advantage of. MR. REYNOLDS: Sounds good. DR. COHN: Margret, I don’t think you need to, okay. MR. REYNOLDS: I got some sighs. I don’t have any comments. Justine, what do you want it to say? DR. CARR: No, I thought potentially taking advantage of was less specific. It’s probably wordsmithing. I’ll talk about it later. MR. REYNOLDS: Is it unfair advantage of position? DR. COHN: Are we up to 4.2? MR. REYNOLDS: No, I’m saying did you decide, do you not like the individual physician trust? DR. CARR: It was just take advantage of as opposed to violate. I mean, such a business model as taking advantage. I think it has a negative connotation. Go on. DR. FITZMAURICE: I would replace individual by patient because it’s not the individual physician. It’s the patient physician trust. MR. REYNOLDS: Margret? MS. AMATAYAKUL: We are using individual in the broadest sense to incorporate patients and people who have personal health records, et cetera. MR. REYNOLDS: Do we have defined in the glossary? MS. AMATAYAKUL: I’m going to make sure. MR. REYNOLDS: Leslie? DR. FRANCIS: This is the paragraph 1080, but I’m not sure where it is. Go up a bit. MR. REYNOLDS: Use your paper documents so we can all get on with you. DR. FRANCIS: So it’s the paragraph that’s 1080 to 1084. I just want to be sure that I understand this correctly. There are some examples where people have in fact properly de-identified following the last take away any other unique identifying number that they’re required to do that. But I think there are examples where people have done that, and it’s still been possible to re-identify. But this doesn’t care that – I mean – DR. COHN: Well, isn’t that what that says? DR. FRANCIS: No, well, I would put in an in addition or something because I think we want to convey two different ideas. First of all, there are cases in which people aren’t taking out all of the identifiers. And second, there are cases in which even if they do, it turns out that de-identifying information in fact describes a small enough set that people can read and figure it out. So I would just say in addition, one testifier indicated because that’s a separate point. That’s it. It doesn’t read like it’s a separate point. It makes it sound like the problem is only that people are not appropriately de-identifying. But the problem is both that and that – MR. REYNOLDS: So we’re adding in addition. DR. COHN: This paragraph doesn’t make any sense any more. MR. REYNOLDS: We got two in additions. DR. FRANCIS: Furthermore. DR. COHN: Well, we’re talking about in both cases removal of the 17 elements. DR. FRANCIS: Well, no, there’s an 18th element which is the garbage can. And the first point is that some people aren’t paying any attention to the need to remove the garbage can. And the second point is even if they do pay attention to all of that, it is still possible under some circumstances to re-identify. DR. FITZMAURICE: But under those circumstances means that they didn’t remove that identifying element. Maybe it’s female. Maybe it’s being Asian. That would let you narrow it down on that category. MR. REYNOLDS: Okay, Margret. MS. AMATAYAKUL: In this case, I think LaTonya Sweeney only compared the 17 data elements for photo registration record, although I can double check. MR. REYNOLDS: All right, 4.1 and 4.2. Justine? DR. CARR: On 4.2, in view of the fact that we have acknowledged that we don’t have as much information as we need about de-identification and there needs to be further hearings, I would submit that we ought not anticipate what the recommendations will be until we have had the hearings. And, therefore, on our paper copy beginning at line 1128, I would take some of those recommendations out. So if I can read it, so it’s recommendation 4.2. recommendation on uses of de-identified data. NCVHS believes there is significant concerns surrounding uses of de-identified data, and these warrant more thorough analysis. NCVHS will conduct hearings to determine how to structure guidance for best data stewardship practices. And I would say put a period right there. But in the text, it says which may include but not be limited to requiring statistical de-identification, authorization, sale, specifying. MR. REYNOLDS: Simon? DR. COHN: Yes, you know, I guess my view is, I mean, first of all let me make maybe a slightly different change which is we sort of say NCVHS believes that there are significant concerns. I’m actually going to suggest that maybe NCVHS heard significant concerns which I think objectifies this a little bit. I actually am not sure that I think there’s anything wrong with the examples we’re giving. But I guess that’s my own personal opinion as long as we’re sort of objectifying the first part. MR. REYNOLDS: Well, I’m kind of – the only reason I’m still in the same spot is this letter is going on before we do anything, it at least gives the reader a list of the kinds of issues that we are going to address whether we find anything in them or not, whether we make recommendations on them. DR. CARR: Well, it just seems odd to me that to go to a hearing asking to hear things and you already know what you’re going to say before you’ve had the hearing. MR. REYNOLDS: No, we know what we’re going to talk about. DR. CARR: Well, it says requiring the use of statistical de-identification process. Well, to me that’s certain threshold probability. Authorization for uses involving sale of de-identified data. I mean, do we know that? If we already know that, maybe we don’t need the hearing. I’m getting testy. DR. DEERING: Take the verbs out, requiring and just remove requiring. Remove authorization, and testifying. You can use topics without the action. DR. COHN: That would work. MR. REYNOLDS: That works, and that makes it subjects. 5.0? Margret? MS. AMATAYAKUL: I had a note from earlier this morning that there was an addition to this list that included exposure from re-identification. MR. REYNOLDS: That’s correct based on our earlier discussion today. Yes. 5.0 which talks about security safeguards and controls and just look at everything from 5.0 and 5.1. John? MR. HOUSTON: Yes, under 5.1, one of my concerns is that while this is focused at the covered entities, one of the major issues in the industry is the fact that the vendors of EHRs aren’t necessarily as – some of the products leave a lot to be desired in terms of trying to comply with what’s described here in 5. And my concern is that you can go tell a covered entity to comply, and frankly their suite of the things that they’re running int their shop may be woefully inadequate And I’m not sure whether there is any authority that you can bring upon the EHR vendors. But I think the EHR vendors need to be put on notice that they need to provide a certain level of functionality to support this. Is that something we could put in this document? MR. REYNOLDS: Well taken. Look at the last sentence and see if you think that’s covered. MR. BLAIR: CCHIT has criteria for certifying, and they include their privacy and security requirements. Now, whether those certification requirements are as stringent as we think they should be may be a discussion point. But there is at least a mechanism there to try to set standards for privacy and security and enforce it with EHR. MR. REYNOLDS: Look at the last sentence that we had, and see does that – MR. HOUSTON: No. Under 5.1? MR. REYNOLDS: Yes. MR. HOUSTON: I don’t think it does. MR. REYNOLDS: Look at what Margret just added up there. MR. HOUSTON: My point is that the focus is on covered entities here, covered entities and organizations rather than the vendors themselves who have the products that are necessary for the covered entities and others to comply, I guess, is my point. There’s a need, you know, it’s akin to saying that all consumers will drive cars that give 50 miles to the gallon, but no auto maker makes a 50 miles to a gallon car. MR. REYNOLDS: I understand your point. Tell me – she’s making some changes up there. See if you agree with them. Go ahead, Mary Jo? DR. DEERING: Could I make a suggestion then? I mean, because your point is you want to include the vendors, correct? MR. HOUSTON: Yes. DR. DEERING: So one thing you could do is remove the new sentence from where it is and put it at the end. These approaches should be required in CCHIT criteria for vendors of products because that way it follows the issue of the non-covered entities as well as covered entities. DR. COHN: Yes. Maybe the other part is HHS should issue guidance to covered entities as well as, you know, EHR vendors. DR. DEERING: EHR and PHR? MR. REYNOLDS: Well, but remember EHR – MR. HOUSTON: Or HIT vendors or whatever you want to call them. I don’t know what the catch all you want to use. DR. FITZMAURICE: But there’s no basis for issuing guidance to them. They’re not covered – MR. HOUSTON: I understand that might be outside the scope. But my concern is you’re issuing guidance to a group that may be ill prepared to act on the guidance because they’re reliant upon third parties to provide that functionality, and it is a huge gap in industry. And I understand CCHIT’s out there. DR. FITZMAURICE: I think you’ve got a good point. It’s just that how can HHS issue guidance to somebody that’s not covered by one of its regulations. MR. REYNOLDS: Simon? DR. COHN: Why don’t we just add to the sentence before where it says this should also be directed to organizations that are not covered entities that maintain and/or transport personal health information as well as vendors of HIT products. MR. REYNOLD: Why don’t we say organizations and vendors that are not covered. MR. HOUSTON: I don’t know if we have to wordsmith. I mean, I just – MR. REYNOLDS: Yes, well, okay, I think we’ll work out tonight and make sure we show you tomorrow. MR. HOUSTON: Okay. MR. REYNOLDS: All right, let’s go to 6.0, and this is data integrity and quality. Motherhood and apple pie. Any comments? Michael? DR. FITZMAURICE: On recommendation 6.1, it reads HHS data stewardship guidance should include the data captured aggregated and analyzed for quality measurement, reporting and improvement, ensure that the precision and reliability of quality measures. I don’t know that we can ensure the reliability of quality measures. That’s a measure of research. We can aim for reliability of the data, that the data are valid. But the data can be really valid and the quality measure might not be very good. DR. COHN: I thought we fixed this one. MR. REYNOLDS: Yes, we fixed this a couple times. This keeps going back to old version again. Margret must not like our change fix on this. So she just keeps changing it. It’s the quality of the data. No, that’s what we’re saying. That’s what we’re saying. So it should say – DR. DEERING: Reliability of data reported for quality measures. DR. WARREN: Just leave reliability of data reported for quality measures. DR. FITZMAURICE: Yes, that’s the concept we want to get across. MS. MCCALL: But that’s still not it. This is not about quality measures. This is the data itself – MR. REYNOLDS: This is really about the quality and integrity of the data – of the data. MS. GREENBERG: HHS data stewardship guidance should address the precision and reliability of the data captured, aggregated and analyzed for quality measurement reporting and improvement. MR. REYNOLDS: Period, good. That’s more or less what we said before. More or less, but remember we had 900 calls. MR. HOUSTON: Is the word precision, or is it accuracy? DR. FITZMAURICE: Both of them apply. MR. REYNOLDS: Okay. Steve. DR. STEINDEL: I’m confused. MR. REYNOLDS: Would again be appropriate? I’m kidding. DR. STEINDEL: I think in every way possible right now because as you’ve said, we’ve gone over this many times. And I actually like the way we’re finalizing it now, assuming we are. But I thought one of the intents was that there should be a burden on the data steward that the measure that they’re using is a good measure. What we’re saying now is you can collect crappy data in a reliable and precise fashion. The measure is not good, and that’s what we’re saying is allowed. DR. FITZMAURICE: But the data steward does not have responsibility for the measure. DR. STEINDEL: No, I agree. DR. FITZMAURICE: Only for the data. DR. STEINDEL: That’s why I like the way it is now. But I heard comments that people wanted to – MR. REYNOLDS: Well, good. No, it’s right. Leave it right where it is. DR. STEINDEL: And I want to make sure we understand that – MR. REYNOLDS: Mary Jo, you have your hand up. DR. DEERING: Other than the immediately preceding paragraph, the rest of this section does not focus exclusively on quality improvement and quality measures. So I’m wondering why you need four quality measures because this is in the whole process of health care as I understood the intent of the section. DR. FITZMAURICE: You know, it kind of raises the question that if you don’t have a purpose for being a data steward and collecting this data, then what do you care if it’s bad data or not. But if you’re going to use for quality measures, then you do care. MR. HOUSTON: Actually typically Bear Steward is collecting it for their – MR. REYNOLDS: Okay, are we set? Margret, are we set? DR. COHN: Well, are we saying quality improvement measurement and reporting? MR. REYNOLDS: Judy? DR. WARREN: Are we talking about data integrity and data quality, or are we talking about data integrity and quality improvement? MR. REYNOLDS: Data integrity and data quality. DR. FITZMAURICE: It’s two things. We’re talking about the quality of the data that is used for quality improvement or for quality measures. DR. WARREN: But then you – I mean, quality measures to me is that data set that gives you the information about the quality that you’re looking at. DR. FITZMAURICE: You see, the reason why you want it to be accurate and valid – DR. WARREN: Right. But it tells me nothing about data quality. DR. FITZMAURICE: That’s right. DR. WARREN: Okay. So I get confused when we talk about reliability of data use for quality – oh, you added measure. But never mind. MR. REYNOLD: Good. We know what you wanted, Judy. Okay, anything else on 6.1? Paul, do you – Bill? DR. WILLIAM SCANLON: I’m concerned about the second sentence. I might be saying what Mike is saying. In our charge, why is this – though I care deeply about data quality for sure, why is this in our scope? MR. REYNOLDS: Because it’s part of the whole data stewardship framework. And everybody that we heard, a lot of people we heard testimony said you’re getting a bunch of junk up front. You can talk quality all you want to. You don’t have good data. So you’re not getting the good answers. MS. MCCALL: Two points. I’m in violent agreement with what you just said. I have found in my work at Humana and elsewhere that it is the business in my world, the business stewardship of that data, the creators of that data, if they don’t feel the ownership of that, it becomes garbage and then you can’t do anything with it. So I would love to keep that here. The point about the second sentence, does it – it now seems out of place because it does seem to go with the now recent removal around quality measures. And I’m still uncomfortable saying in that first sentence that this is data for quality measurement, reporting and improvement because that does seem to bound severely the uses of data. MR. REYNOLDS: Are we just trying to improve overall integrity and capture mechanisms of all health information? MS. MCCALL: For all of its uses. For all of its uses. MR. REYNOLDS: Health information. Margret? MS. AMATAYAKUL: I think one of the reasons we included quality measurement and reporting was that was kind of the impetus for this whole project from ONC wanted us to focus on quality. But if we could add and other uses of health data, that might help. MR. REYNOLDS: Okay. Bill? MR. WILLIAM SCANLON: Well, I agree. Carol made half of my point. But the other part of the point in the second sentence is completeness and accuracy are other characteristics of the data element that is opposed to a measure, and they belong as much up with precision and reliability. Then you get rid of the rest of the sentence which actually refers to measures. MR. REYNOLDS: Okay. Paul? DR. TANG: Well, hopefully this is a contribution. MR. REYNOLDS: Get your microphone. DR. TANG: So I wonder if there are four words such as accuracy, the reliability, the meaning and the integrity of the data. The one word that I added was meaning, and that’s probably one of the things that most derails reuse of data is not to interpret it with the meaning with which it was entered. So that’s why I think that word is probably one of the things that’s missing from this list. And that may be, I mean, we are getting towards that goal of having one sentence describes the various important attributes of data that a data steward should honor, meaning is it more clearly understood by more people. MR. REYNOLDS: Okay. Bill? You look like you had a question? MR. W. SCANLON: Well, I guess I was going to say that the term I thought people might use there is validity. MR. REYNOLDS: What was the term, Bill? DR. W. SCANLON: Validity as opposed to meaning. DR. TANG: In a sense, see, meaning is in the eye of the data enterer. So you have to understand who entered it for what purpose in order for you to appropriately interpret the meaning to reuse it. And so validity’s a different concept to me. MS. AMATAYAKUL: Is there any particular order you would prefer to these terms? MR. REYNOLDS: He’ll tell you at six which ones go in what order. Moving to number seven. Okay, we’re looking at specific uses for quality, measurement, reporting and improvement, and then this is where we really do focus as we were asked as part of our charter to take a good look at quality itself. So I know that one thing we did change on 7.1.1 remain instead of are was the first word we had up there. In other words, what we’re basically saying there is that we heard a lot of discussion about a broad definition of health care operations, quality measurement and so on are clearly stated by HIPAA and others as part of that. So we are clearly stating that they remain part of operations. That’s one of our premises as we did this. So that’s why we used the word remain rather than are because we are very poignantly saying that. Steve? DR. STEINDEL: I don’t think there was any question that they should be removed. I mean, what you’re saying here is they should remain where they are, and I think we should just clearly state that they are there. DR. CARR: Yes, I think that the way that was stated triggered – people interpreted it to mean the opposite. DR. STEINDEL: Okay. MR. REYNOLDS: We got a lot of comment. DR. STEINDEL: You heard comments that this clarifies. MR. REYNOLDS: Yes, yes, that’s why we changed it to remain. Marc? DR. ROTHSTEIN: I happen to think that this is the most important section in the entire document, and I had some problems with it. The sentence at 1245 which is the third full paragraph in number seven is really the key to this document, which reads NCVHS was asked by ONC to consider whether there were or should be boundaries around what quality activities are included in HIPAA’s definition of health care operations and which may be outside of that definition and may call for greater choice by individuals whose data are included. So what I would recommend – I’ll go through several things that I would recommend. Number one is I think we should split seven into two parts, the first part being observations and recommendations on uses of health data under health care operations. And then on the separate section on the uses – observations and recommendations on uses of health data for research. I think those should be separated. I also think that we should begin Part 7 with that particular sentence that I just read because that section is responsive. The whole section is responsive to that particular question that ONC asked us to consider. I also think we haven’t considered it very well. We have in the document, it says on line 1250 at the bottom of the page, several testifiers observed that they had instituted an oversight process to ensure the quality assessment activities were indeed those described by HIPAA. Then it continues with our analysis of some recent articles in the literature and moves directly to the recommendations which basically say things ought to stay the same. We’re rejecting the suggestion that you look at whether individuals should have greater choice, et cetera, et cetera, et cetera. We heard witnesses who said that individuals in fact should have greater choice specifically on this issue, and I think that to be complete, we ought to describe the testimony that we heard, why they recommended that, and why we’re rejecting that. My personal view is I wouldn’t reject it, but that’s irrelevant. If we’re going to reject it, I think we need to say why we’re rejecting it. This was a specific point that we were asked to address by ONC, and we’re not addressing it, I don’t think, adequately by just selectively picking out a couple of articles from the literature. I could pick out ten more articles that would say just the opposite. So sorry to present such a kind of a far ranging criticism of this. But I think this section is really very important to the overall document. DR. FITZMAURICE: I guess I would ask – I’m trying to bring my mind back to the stuff that Kelly Cronin sent us in the charge here as to whether it said that it may call for a greater choice by individuals whose data are included. I don’t remember that, but it could be there and I just don’t remember that. I mean, you remember at the beginning, she gave us several pages of thoughts from, I guess, the Quality Workgroup and her thoughts about what we should be doing. I don’t remember that being one of them. MR. REYNOLDS: Margret, do you have the original charge? MS. AMATAYAKUL: I do. Do you want me to check it now, or – MR. REYNOLDS: Yes. Well, I think two things. I think it’s paramount that if that’s the charge, then we need to deal with Marc’s comments either way. But I would like to know whether or not we’re dealing with it against a specific charge or we’re dealing with it as something we heard in testimony and should address. DR. CARR: Marc, can I just ask you? Are you also saying that you would, you think we should not include the references from the literature because they’re selective? DR. ROTHSTEIN: Yes, I think that’s right. I mean, we did hear testimony that supported keeping things the way they are, and that may well – plus our own thinking on the issue may be sufficient rationale. But it looks like we’re selectively using the literature. DR. CARR: Yes. MR. REYNOLDS: Yes. I think, Marc, playing off of your comments, I think our framework is after hearing the testimony, we believe that it should stay as it is, and that we don’t feel because of that structure and because of the additional stewardship and because of the other things that we put in place that we don’t feel that that individual choice is necessary. DR. ROTHSTEIN: No, I understand that. MR. REYNOLDS: No, I’m taking our same principles and rewording it to answer your question, not to debate it. No, I think it’s a great point. Leslie? DR. FRANCIS: One of the points that is mentioned in the literature that’s cited but that is not brought out in 7.1.1, 1.2 and 1.3 is information to patients. So the recommendation that’s cited here is that quality improvement activities should be – patients should be educated about what’s going on rather than just letting the quality improvement, and there’s no mention about whether there should be any information provided. One question’s about letting patients opt out which is really difficult if you’re trying to have a full data set for quality improvement. But the other is about whether patients should have knowledge about how data are being used for quality improvement, and there’s no, unless I – DR. CARR: I think 2.2. MR. REYNOLDS: Yes, we ought to add that to 2.2 probably. DR. FRANCIS: Well, it might make sense in the sevens. MR. REYNOLDS: But 2.2 is our recommendation for education on uses of health data, and we were talking about it overall, multifaceted education. Otherwise, we may have to take all of education apart and put it in every one of these. DR. FRANCIS: Here it’s specifically about, I mean, it seems to me this could be like the example of people should be able to know when data are being shared with public health, too, and there’s no suggestion here that people should be able to know about on request or anything like that. DR. CARR: Right. So I think we could reference it. So it sounds like this is what was asked. This is what we heard, and this is what we’re deciding. This is what we are going to do, and then maybe reinforce the education thing, stewardship thing, keep this at the same. And this is why we’re making this decision, recommendation. MR. REYNOLDS: And regardless of whether we add it here or not, I think it needs to go in 2.1 also because that’s where we really talk about transparency. And if we’re going to do transparency – DR. CARR: Right. But I think as we have done elsewhere, we can refer back to it. There are a couple of things that – MR. REYNOLDS: I think in any education, we ought to make sure we put in there about the information whether it’s quality, whether it’s anything else because that’s our paragraph, and then we can restate it here. Okay, any other comments from the committee? Margret? MS. AMATAYAKUL: You had asked – well, two things. You had asked me to look at the original documents. We got three, one initially, and then two sets of comments. And that wording is not verbatim, but it’s sort of an aggregation of several topics that were throughout the different comments. But I think it’s fair to say – MR. REYNOLDS: From ONC? MS. AMATAYAKUL: Yeah. MR. REYNOLDS: Okay, so then it would appear that we have not addressed that particular – DR. CARR: Well, I’m wondering if the way this is written reflects the intended nature of the question. MS. AMATAYAKUL: But my second question was since I was busily looking at these reports, I didn’t catch what you wanted to put in 2.1. Sorry. MR. REYNOLDS: Well, no, we just wanted to add quality, information about quality uses. DR. COHN: And Harry, that’s 2.2, right? MR. REYNOLDS: Yes. Well, the whole thing, well, 2.1 is transparency. So yeah, either 2.1 or 2.2. DR. CARR: Or both. MR. REYNOLDS: So comments from the general group on restructuring seven. Steve? DR. STEINDEL: It was always my impression on reading this section was, and I agree with Marc that we don’t address the greater choice by individuals whose data are included in section seven. But I thought we had spent most of the rest of the document discussing a lot of those issues, and that’s where we’re really facing the choice issue. And what we’re doing here is saying that there are – that use of this data for quality purposes exists currently under HIPAA, and we see no reason to change it. Now what the relationship of the patient to the provider and how that feeds into the quality system, that goes back to the other sections and the various other letters that we’ve written in this area. That was always my reading of this. MR. REYNOLDS: Simon, were you going to make a comment? DR. COHN: I’m actually trying to digest what Steve’s saying. So Steve, your recommendation is what? DR. STEINDEL: I mean, we may actually have to add a clarification, you know, in this area that says, yes, we’ve addressed the issue of choice in other areas, and we’re not addressing it in seven. But I feel we have addressed it. MR. REYNOLDS: Marc? DR. ROTHSTEIN: I was wondering if you think that there’s another place I may not have noticed it where we talk about whether we think the definition of health care operations is broad or too narrow or just right. We did hear much testimony that the health care operations provision is just extraordinarily broad, and it includes all sorts of things, some of which we approve of and encourage and other things we’re not crazy about. And I appreciate Steve’s point and what Harry said earlier about, okay, well, this is the route that we’ve chosen to try to address those issues. But I don’t know that we’ve actually talked about whether the definition of health care operations is too broad or whether it’s appropriate or anything else. MR. REYNOLDS: I think we’ve told a story, but I don’t think we’ve said it that precisely. I think the whole story of the data stewardship, the whole story of tightening things down, the whole story of the chain of trust, the whole story of the fact of 7.1 that we feel that it does fit in there. But, oh, by the way, you ought to have some more guidance over it which we say in 1.1.2 and 1.2.3 or 7.1.3., not the story but the factual in your face statement that it is or isn’t. Obviously, I think we could add something in here that we feel right now that it is open ended enough that the reason we’re adding the stewardship when we’re adding everything else is to make sure that it – DR. ROTHSTEIN: See, I would say something like to support your principle, not that the – we heard testimony that the definition of health care operations is quite broad and considered whether a narrower definition would be more protective of individual privacy while still blah, blah, blah, blah. We don’t think that would work. We think the interests that need to be protected can be protected through data stewardship principles, and it’s better not to mess around with the definition of health care operations because it needs to be broad and covers a variety of things, and here’s how we’re going to strike the balance of protecting people but not by changing the definition of health care operation. DR. DEERING: I think it was Marc who raised or someone that we have upfront general themes where we say some of the background and then leap forward to some more observations and the recommendations because upfront on our copy, page 13, line 502, 503 toward the bottom, I mean we say exactly what you said but way upfront in the common themes, although we don’t draw the conclusions. But it says we heard that health care operations was observed to be broad in scope and not well understood. But then we just go on to talk that trust is more important necessarily than definitions. So we don’t go as far as you had called for us to go, but we had certainly set it up earlier. MR. REYNOLDS: It would seem to me that this needs to be one we need to take and work on as a group and get back. Yes, Marjorie? MS. GREENBERG: I just wondered where this actual language comes from. NCVHS was asked by ONC to consider whether there were or should be boundaries around what quality activities are included in HIPAA’s definition of health care operations, and which may be outside of that definition and may call for a greater choice by an individual whose data are included. Now was that language actually in any of our written exchanges with ONC around this project? MR. REYNOLDS: Margret just answered. But go ahead and answer it again. MS. AMATAYAKUL: We received three or four sets of first of all the sort of scope statement and then comments. And so this is a one sentence summary of basically all of those comments. We can certainly, you know, as Justine commented when I first mentioned that, we can certainly go back and make sure this is correctly worded. But it’s not a verbatim request. DR. CARR: I don’t think it is. MS. GREENBERG: Yes, it’s certainly not. And it may be – it may be parsimonious, but I think we may have lost some of the larger meaning with it. I do think that we have our initial charge, and then there was correspondence that came through, you know, someone summarizing what someone else said like that. And I think we want to be cautious about those giving those the same weight as we did for the initial charge. So I think we can go back to that. But I think that, you know, the points are well taken. I mean, that’s the kind of question that we want to speak to that we actually already heard in the testimony. But I think it’s not quite right that that was the charge. DR. CARR: Yes. I mean, I think as Steve indicated, the difference between quality and research when it actually morphs into or becomes more research and then should be, you know, perhaps dealt with differently, and you deal with that quite well. But at least in the initial round of written documents, this was not like specifically what the committee was asked to do, and I think stating it this way kind of overstates it. Aside from the fact as to whether it may be something that – MR. REYNOLDS: I think Marc’s point still resonates. But Margret, did you see anything different that would – MS. AMATAYAKUL: Well, I think we’ve got four documents that we’re looking at, I think we need to really- MR. REYNOLDS: Good, no, that’s fine. Simon? DR. COHN: Well, I guess the question is is I think what we’re discussing here is whether or not we said NCVHS was asked or is it that NCVHS considered whether there should be, and maybe that’s a more accurate statement of what’s going on here. Is that what we’re beginning to assume? Paul? DR. TANG: Marjorie’s comments stimulated me to sort of reinterpret what was said, and I think – so here’s my guess at what we were asked is, one, clearly quality studies and evaluation are what they’d like to do. And where they run into difficulties and ask for our clarification is, one, whether it can go into research and does it follow different rules. But two, can other things – let me use the word masquerade as quality projects, and should we draw a clear boundary to help people determine where that boundary is that people don’t incur into the quality area and jeopardize the true quality uses. So I think in a sense – MR. REYNOLDS: And we common good on a regular basis. DR. TANG: So I’m agreeing with Steve that we did handle the latter case in section two, and that we’re just about to do the quality research in the next section. Does that make sense. Well, we’re going to simply address the quality research boundary. But I think those two boundaries are what they’re trying to establish, namely so we can continue as we concluded to use data quality projects. MR. REYNOLDS: But still I believe incorporating some of Marc’s comments to be much more pragmatic – DR. TANG: What I took out of that is that in some sense we handled Marc’s concern in section two, and I took that to be the overlap with ONC’s request that we find a way to distinguish true quality from those uses masquerading as quality projects. MR. REYNOLDS: Okay, so where are we? Okay, so Paul, you just made the statement. So what do you think happens with seven? DR. TANG: I think our conclusion is a reasonable one based on the testimony and the deliberations of the work group, and that it does answer – the report in totality does answer the question that was posed in that statement, that summary of the ONC charge, that it does – DR. ROTHSTEIN: My question’s really not the conclusion. My question is whether your conclusion, our conclusion is supported now in the document with the support that’s currently there. DR. TANG: I think it is. DR. CARR: Well, I mean, I think we need to rework this a little bit. I think all of the things that have been said will add value and strengthen it. So I think why don’t you give us a chance to reword it, and then let’s talk about it again. But I appreciate the attention to it because I think you’re right. We need to say what is, what we heard, and what we’re going to do. DR. COHN: And Margret, it sounds like you may have some notes that we could borrow, or is that – MR. REYNOLDS: Okay, let’s move on to our line 1297 starting on the uses of health data for research which then moves into 7.2 through 7.5. John? MR. HOUSTON: Yes, I probably kept my mouth shut too long in the last discussion. But I think that there’s a hole here, and we talked about it a little bit before in terms of oversight because when research, when quality assurance morphs into research, often in many organizations there’s just simply is a hole. And I’ve actually in talking to the head of our IRB, he’s said theoretically what’s the value in having some common oversight mechanism for research and quality assurance, some umbrella organization so that you don’t have to worry about where research ends and quality starts, and that there’s committees and there’s processes in place through a common structure to handle those things in some systematic fashion. And he, you know, in not a very long involved conversation, said, you know, that really is of value. And the third prong of this, and I brought this up before is we still have a separate piece here that really nobody’s looking at it, and it’s decedent research. I deal with decedent research weekly any more. IRB says if everybody’s dead, then it’s not a human subject research, and it’s therefore we’re not concerned about it. It’s not quality, so it doesn’t fall under any quality committees. We have a group in our organization called CORAD which is related to research on the dead. But they don’t deal with privacy issues. They deal with other ethical issues associated with decedent research where you’re using some corpse or some brain dead individual for some research endeavor. And it does happen. I mean, it sounds gory, but those types of things do occur, and there’s a lot of ethical issues, and they try to handle those things. But we’re still doing with this lump of data which is data about dead people that otherwise would be characterized as research that is really not under anybody’s purview. And I guess if we had a privacy board in our health system, we could handle it under that thing as well. But it begs for the fact that we’ve got all these different uses that are sort of, you know, investigatory whether they be research, quality assurance, decedent research, whatever, and there’s no common vehicle or mechanism in order to oversee all of them. And I guess – I think I said this before, but I just think there needs to be some consideration given to a common oversight process. And I don’t think that’s bad to bring that up. MR. REYNOLDS: Carol, then Bill? MS. MCCALL: I’m adding onto maybe one reason for a common process is that it’s not decedent research, but it’s true data base research, and I think some of the research oversight has come from an older world where the research itself involved the laying on of hands of human subjects, and that will become less and less prevalent, and a lot of the research will be data based. We need the data, don’t need to touch you, but I need to know who you are, you know. It needs to be at a grain that it all needs to be hooked together. But it’s different, and I think actually moves closer in some ways to some of what’s been done on the quality on the quality front. It’s not all of the quality work, but moves it closer in that respect. And so I don’t have the answers. But I don’t know if a common framework is right. But certainly a common, I mean, a common oversight mechanism, but perhaps a more common framework for that type of research. MR. HOUSTON: You could go that far. I mean, I’m just thinking broadly. There’s this hole here, and that’s what I’m – MS. MCCALL: I find myself in that world all the time, and it is extremely difficult for me and my organization to actually work on data based research with entities some of whom are covered, some of whom are not, some of whom are overruled by IRBs, some of whom are not, and they go, okay, ready, and you try to begin this orchestra, and it’s just like ragtime band. MR. REYNOLDS: Okay, we’ve got Bill, Larry, Marc and Steve. DR. WILLIAM SCANLON: I think it would be a much better world if there was a common framework. But I think part of the problem we face was we didn’t want to try to make changes that were too large. But having said that, I think we have to be careful about what we say about the distinctions between quality and research. And I have page 33, line 1345, these two paragraphs start there, the differences between quality activities and research. I’ve never found these discussions convincing. I can understand something being operations when I’m looking to develop a guideline that is driven by the prices that I pay. And so if I’ve got drug A and drug B and I’m thinking about which one do I want to put on my formulary in a particular tier, I do it on the basis of the price that I pay for drug A versus drug B. When all I’m doing is looking at sort of a physiological result of a treatment, and do it under the operations rubric, that’s research. The physiology of the people that I cover are probably the same as the physiology of the people that Carol covers. And so, therefore, it’s generalizable. And you know the distinctions that are part of the group health distinction was, well, if it’s done kind of sloppy, then it’s quality. And if it’s done with rigor, it’s research. I mean, that makes no sense. So while I would aspire to a common framework, I think that may be unrealistic for where we are. But at the same time, we’ve got to avoid endorsing a distinction that isn’t really there. MR. REYNOLDS: Larry. DR. GREEN: I want to know if John and Bill and Carol have a recommendation about what to do here. What I heard in those three comments was that we’ve got a couple of pages here where we elaborate on the confusion, and then we have four recommendations that frankly don’t say one hell of a lot. They don’t say too much. MR. REYNOLDS: Starting where? Starting which numbers? DR. GREEN: That would be recommendation 7.2, .3, .4 basically says HHS should work on this. I’m not being fair. MR. REYNOLDS: No, it’s like – nobody’s taking it personally. DR. GREEN: What I heard in those last three comments would be that we would have a finding that says we can’t find a crystal clear distinction between quality improvement and research any more. We heard a lot of testimony that says that this morphs back and forth, that sort of stuff, and maybe we should just have a recommendation that says the way we’ve been doing this requires further attention, and we don’t have a solution or something. DR. W. SCANLON: And I think we were potentially moving in that direction in 7.1. We were aiming and trying to improve what was happening on the operations side in terms of oversight. So this voluntary proactive oversight process is not the strongest in the world. MR. REYNOLDS: Okay, we’ve got Marc. DR. W. SCANLON: And then sort of in two, we’re saying there should be something parallel to the research side so that even though you don’t have a common framework, everything’s covered. And that would be the implicit principle behind it. MR. REYNOLDS: Larry, what I’d like to do if we could is, let me hear from everybody else, and then whoever wants to put forward the recommendation, okay, because these other ones may actually have, so we can get through the list. So Marc and then Steve, Paul and Justine. DR. ROTHSTEIN: Okay, I’ve got a small recommendation that’s got a much better shot than my previous one, so I say, yeah. Twelve ninety-nine, under the uses of health data for research, the first sentence. It says the common rule, and then paren, defines research as blah, blah, blah. That’s also the definition of research under the HIPAA privacy rule. And I think we should include that because just including the Common Rule gives you the impression as a reader that it’s different somehow. MR. REYNOLDS: Okay, Steve. DR. STEINDEL: I object. My question to John when he was going through this and he was picked up by others. If we broaden 7.1.3 which already calls for an institute oversight, would that address both your questions and Larry’s in a way, also. Right now, 7.1.3 is inferred to refer just to quality, but actually it doesn’t. DR. CARR: Wait. But I think that – if I can jump in here, that was what my recommendation was going to be that it’s looking at what’s being done and making that assessment. I mean, it sort of took a turn here that I guess I didn’t quite remember to say what protections. But part of the protections really is, is this truly research and needs to be under that. So I think that was what our initial intent was. MR. HOUSTON: My fear is that – not fear. If you look at all of the recommendations under seven, though, there is a disjoint here because some of them talk about giving more guidance so you can help understand what is what. And my thought is that you almost have to say either you have to give guidance or as an alternative you need to recommend some type of overarching structure to support the use of PHI for investigation purposes. You know, I’m using it as a catchall. DR. STEINDEL: Well, what resonated with me when you were talking about this was when you said you talked with your IRB person, and you suggested what if we had one group that looked at all this. And basically then I went back and I looked at 7.1.3, and a little bit of changes in language actually says that. Create one group within your organization that addresses these issues. MR. REYNOLDS: All right, Paul. DR. TANG: So maybe this is a good example. We have a group called HIUD, Health Information Use and Disclosure, and it precedes your access to data. In some sense, it could be an overarching framework. So before you call it anything, if you’re going to get access to the database, you must be a responsible person with responsible intent and a good way of protecting the information. Then you can pass in and later on you can decide, and then you have the rules on what’s research and then you have IRB. But what we’re trying to do is protect the data. So let’s put the filter upfront. Before you get access to the database, these are the things that you have to do, and then downstream. MR. REYNOLDS: Okay. Since I had interrupted Larry’s process, Carol? Okay. Leslie? DR. FRANCIS: It seems to me that the recommendation shouldn’t be which structure, but that there needs to be a structure that deals with the current gaps and problems in the current system, and that that structure should incorporate appropriate principles of data stewardship such as transparency and whatever. But that would be my recommendation because I don’t think we’ve got it solved here. And it’s going to take all kinds of negotiating between IRBs and everybody else to figure it out. MR. HOUSTON: So I’ll just maintain it to be the gaps, though. I think there needs to be a structure that manages it holistically because when things morph there’s a lot of considerations, you know, that the IRB when they look at research and if research morphs, there’s a whole process to go through to modify your protocols and things like that. That’s why I think a common structure’s of value. So I just think it can be a very open ended recommendation. But I just think, you know, structurally this is something that I think would help resolve this problem in a systematic fashion. MS. GREENBERG: I wanted to ask a question. Do we have a simple statement that we have been or problem that we’ve asked to address like we were trying to clarify for the other one, or have we uncovered a simple statement of a problem that we believe needs addressed. What’s the problem we’re trying to solve? MR. REYNOLDS: Related to this subject? MS. GREENBERG: Related to this particular subject around research or research/quality. We – is that written down or – MR. REYNOLDS: I would add operations in there, too. MS. GREENBERG: No, well, I’m trying to – MR. REYNOLDS: I’m just saying I would say what is operations, what is quality, what is research. Those three things are the things we’ve been spinning around. MS. GREENBERG: No, but we had for the first part, we had a specific, we were tasked to answer a question, right, and we were kind of mousing around about it. But we were asked by ONC to consider whether there should be boundaries around this and all that. Now that did not include research. You’re saying it does. MR. REYNOLDS: Margret? MS. AMATAYAKUL: This was the original request that we got from ONC, and it is a little dense. But while quality measurement and reporting is a priority for HHS, there are other secondary uses of clinical data that could be potential sources of revenues to health information exchanges. These uses generally fall into two categories, research and population health. MR. REYNOLDS: Does that help at all? MS. MCCALL: Not yet, only because what I’m looking for is for us to have a fairly simple question that we’re trying to answer for ourselves, whether it came from them or whether we discovered it during testimony. And I see us kind of wandering around, but we haven’t – we don’t have that clearly in front of ourselves. I think that would help us. MR. REYNOLDS: I’ve got Simon next, and then I’ve got Bill. DR. COHN: Yes. You know, I do want to implore everyone to maintain – I mean, I think there’s an issue of scope, focus as well as I worry personally about us wandering off into areas if we start pursuing them really require more testimony and more hearings. And I think that at this point bringing up a common oversight for all uses of health data, yes, et cetera, et cetera would be something that normally if we were pursuing, I would want to get to hear from people to hear what the impacts and implications are. Now I guess what I heard from John Paul was that he felt that there were other areas and other holes that he had identified. And I think that we have recommendations on research that have to do with this issue of the research quality area and making sure that these things get melded and harmonized so there aren’t gaps there. I think we have a recommendation in 7.1.3 that probably, with a little bit of wordsmithing, might be able to sort of along the lines of this similar approach could also be utilized to provide oversight to other identified gaps in your institution or something like that which might help solve some of that other problem. It isn’t a uniform structure. But I don’t think at this point, I mean, I guess I wouldn’t be comfortable suddenly throwing out a new major recommendation that might require unintended – MR. HOUSTON: What about investigation of this. As a recommendation thing, this needs to be further considered because part of this also is that should there be because of the NHIN, should there be something more formal such as through OHRP would address these types of things. And I’m not saying that’s a recommendation as much as it’s something that maybe needs to be considered because these quality exercises are going to be enormous once you start mining on a national and a regional basis. So I think it is fair to say there needs to be some common oversight structure considered or at least researched because of the implications of broad access to data for quality purpose or for a variety of secondary use purposes. And this is I think a reasonable thing to at least propose investigation of. MR. REYNOLDS: Now where do you want us to go on this one because I would like to at least quickly touch base on eight and nine. So if you could give us some direction on what we want to do tonight on seven, how we want to pull all this together. DR. COHN: Well, I guess I’d be curious about whether John Paul, whether something like this in 7.1.3 or whether it’s actually really more along the lines of a jurisdictional sentence. MR. HOUSTON: I think it’s almost – DR. COHN: Or 7.5 or 7.6. MR. HOUSTON: Yes, I think it’s another recommendation, and it’s couched in terms of, you know, consideration for further evaluation. DR. COHN: Okay. So it’s like it’s 7.6, other areas – MR. REYNOLDS: Okay. So this one’s on the table, too, for us to clean up tonight. Marc’s comments are on the table for us to clean up tonight. And I think tomorrow morning, Carol, we’ll try to have a better answer for you. I think I got one, but it’s late enough in the day right now that I’m not sure I would put it in as far as why it appears we’re wandering around, at least I know what I feel is we’re do that. DR. ROTHSTEIN: I just want you all to know I have another comment. MR. REYNOLDS: Okay, let’s move to – no, he doesn’t. Okay, moving on to eight, let’s touch base on eight and nine, please, before we get out of here so we can get anybody’s comments, issues, concerns so that when we work on this further, we at least have had a complete discussion, not all the answers. All right, eight really is focusing on this whole idea of transitioning to the NHIN, and we’ve all on the Committee heard enough about – plenty about the NHIN and what it is or isn’t. And so you can see in 8.1 through 8.1.6 what we’re talking about there as far as incorporating a number of things into the common trials and evaluating a number of other things to deal with some issues. Any comments? Okay. Well, moving onto nine. I think everybody had this. Not being ugly, I’m just trying to make sure that we get the input from people so we can go to the next step. We’ll see it again tomorrow. Observations and recommendations on additional privacy protections. As we go through that, 9.1.1 is pretty much exactly what came out of our privacy letter previously as a committee. So that’s – and then we built off of that with 9.1.2. Short of legislation, what can we do in 9.1.2, and then you can see 9.2 and 9.3. So Marc? DR. ROTHSTEIN: I have a suggestion in 9.1.2 on line 1523 which is the last sentence in that recommendation. I’ll read it, and then I’ll tell you that my recommendation is to delete it. The sentence says care should be taken to ensure that organizations of today only have aggregated health data such as employers not be included in the definition of covered entity, et cetera, et cetera, et cetera. I don’t think we – that’s opening a totally new can of worms, and I think we should just strike that whole sentence. MR. REYNOLDS: The concern that I had, and I think we heard especially through responses we got back from employer groups actually on one of our open calls was that they did not want to be brought under the umbrella of covered entity at all. And so we’re making it perfectly clear here that we’re not opening this up and saying everybody’s a covered entity, so everybody’s employer has all their data, and that’s what we’re trying to do with this sentence. It may not be worded the way it is, but that is the specific reason that we called this out and actually put this sentence to clearly state that. DR. FITZMAURICE: Doesn’t HIPAA make it very clear and so our saying it or not saying it isn’t going to matter. MR. REYNOLDS: Well, if we’re recommending that we expand the definition of covered entities and we don’t reiterate we don’t mean to everybody, then I think we are. DR. FRANCIS: Doesn’t that point belong earlier? MR. REYNOLDS: Excuse me? DR. FRANCIS: Doesn’t that point belong earlier in the discussion of the definition of covered entity. MR. REYNOLDS: No, the definition in the document of covered entity is as by HIPAA. We’re talking about expanding it, and employers are not in it currently. We don’t want it expanded to them. We want to expand it to PHR vendors. We want to expand it to all these other people. DR. ROTHSTEIN: Harry, the way it reads now is I don’t think accurate because it says care should be taken to ensure that organizations that today only have aggregated health data such as employers. Employers have specific health data. They don’t just have aggregated health data. Some of them have very detailed health data from all sorts of sources, pre-placement medical examinations, et cetera, et cetera. So there are some situations in which employers might have through their health plan if it’s placed with a commercial insurer only get aggregated. I mean, that’s really too complicated, I think, to handle in this sentence. MR. REYNOLDS: Let me ask this question, then. Do you feel that – so if we take that out and the Secretary were to include covered entities, employers, just all employers in covered entities whether they have a health plan or not, do you think that’s okay? DR. ROTHSTEIN: Well, we recommended that in 9.1.1 and elsewhere that comprehensive privacy legislation should apply to anybody who gets confidential health information, whether you’re talking about employers, life insurers, whatever. Here, 9.1.2 is our sort of back up plan, right, and I think that what we’re talking about is people who regularly transmit PHI in their dealings, they should be covered. I mean, I would – it’s not just, let’s see, vendors. It’s like in the California bill, the health information exchanges and so forth. MR. REYNOLDS: Carol. MS. MCCALL: This is one place, and then early in the paper, there’s another place where it talks specifically about PHRs and uses them as kind of an example. And I guess what I’d like to do is I would like it if we could find another example of something else that we would like to put into this category only because it’s going to seem like if all we do is hit that particular nail, people will think that all we’re talking about are PHRs. An example that I would give, and it may not be one that we would use here, are some of the emerging kind of you could call them incentive and rewards health and fitness, things like that. They actually capture, carry, transmit personal health information. The program we put together with a company called Virgin Health Mile now, and so there’s activity level information. But there’s also blood pressures and whether I step on something and it captures it for me or enter it, they have it. MR. REYNOLDS: Right. MS. MCCALL: And I don’t believe that they are in fact captured – now they won’t have everything an entire PHR will have. But they have some things, and there’ll be more like that all the time. What is the intent? MR. REYNOLDS: Margret? MS. MCCALL: I’ll think of a term and give it to you tomorrow. Right now you can use a placeholder for just kind of personal health management. MR. REYNOLDS: Other than just singling out PHR. MS. MCCALL: Yes, it’s not about a record. It’s some sort of device – DR. TANG: Or HRA provider is another one? MS. MCCALL: Another what? DR. TANG: HRA provider. MS. MCCALL: Absolutely. These are all over the place, guys. MR. REYNOLDS: Okay, Steve. DR. STEINDEL: Harry, I’ve always read this as what we’re recommending is we’re – if the first doesn’t work, our fall back as Marc calls it is expanding the definition of covered entity. MR. REYNOLDS: That’s correct. DR. STEINDEL: And we were very specific. We said if you are going to expand the definition of covered entity, we want to make sure you – it’s getting late, we want to make sure that you include PHR vendors, period. That is the one specific group that we wanted as NCVHS we wanted included. Marc’s bringing up the comment that we should delete the last sentence, and I agree. I think anybody else except for that specific case of PHR vendors, whether or not they’re included in this legislation is up to the legislative process. MR. REYNOLDS: Well, that’s fine. But I will go to our open call where we heard the lady that represents the employer association made it perfectly clear that they did not want to be – DR. STEINDEL: But I don’t thin we should take a position on whether they are – MR. REYNOLDS: Well, what’s the difference between taking a position versus – I mean, we heard all this other testimony. I’m just make sure, I mean, they were adamant because they do not – one of the biggest issues that we’ve offered, and we sat through the privacy hearings a thousand times. People are most afraid of the employer all of a sudden having everything. And yes, they have some things, but not under – they’re not just handed to it by HIPAA. Marjorie? MS. GREENBERG: Well, first of all, being a covered entity doesn’t mean you can get anything. I think it’s a non sequitur. What it says here is, so I would agree about deleting it. But what it says here is that it should cover other organizations that manage, collect, view, store, share, disclose or otherwise make use of personal health information. So if you’re doing that, that may make you covered. But it doesn’t say that by becoming a covered entity, I don’t think there’s anything about being a covered entity that gives you carte blanche to information unless it’s for maybe treatment, payment and operations. I don’t know. But this doesn’t make sense that if you currently have aggregated health data, making you a covered entity would give you all this access. I think they’re non sequiturs here. MS. AMATAYAKUL: I have the exact language. Would you like – there were two comments. MR. REYNOLDS: Yes. MS. AMATAYAKUL: Okay, one said while we support expanding HIPAA framework to non-covered entities, we believe that the proposed recommendations are unclear about whether the Committee intends to accomplish. For example, by specifically expanding the HIPAA requirements to employers, we do not believe that the Committee intends to enable all employers to receive protected health information about individuals or to change the existing HIPAA privacy rule protections that apply to group health plans which establish limitations about the types of information that group health plan can share with the employer. However, we are concerned that differing interpretations could result if the proposed recommendations are not clearly stated. And then another comment was that because of potential concerns that expanding the privacy rule might weaken some protections, for example, by inadvertently giving employers access to PHI, we further recommend clarifying the recommendation to note that when privacy rules are expanded to non-covered entities, nothing should be construed as changing the current rules governing disclosures to employers. MR. REYNOLDS: So having heard that, Marc, do you feel any different than you had – DR. ROTHSTEIN: No, it’s interesting that those concerns that there would somehow be a loss of privacy by allowing employers to get access either through group health data or through other kinds of means. I don’t share that. I mean, I’m certain that should that happen, but I don’t think this language opens a door to that. And I think that’s sort of seeing goblins under the bed. I would just – MR. REYNOLDS: Mary Jo? DR. DEERING: I’m wondering whether –if there’s a baby in this bath water, and I’m wondering whether it’s the sense of unintended consequences and whether there’s a baseline message that we’re trying to convey is that such actions should not inadvertently without specifying anything. You know, care should be taken that such enhancements, changes should not inadvertently weaken current – DR. CARR: Right. That would be great. Motherhood and apple pie. MR. REYNOLDS: Do we reference employers at all? Just inadvertently weaken what? Okay. Everybody good with that? Gene, did you have a question? DR. STEUERLE: I have a general comment that fits in 9.2, but it applies to a number of things throughout. Are we coming back to this tomorrow? DR. COHN: Well, hopefully, but whatever it is, I mean, we need to hear it today. DR. STEUERLE: My concern is there are times in here when I get the sense that there were these hearings and there were these legitimate concerns raised. And then there was a compulsion – this is unfair because I didn’t have time to draft it. Compulsion to say, okay, this is a legitimate concern. Let’s put it in here because this is a concern, and HHS should address it. But at times the language seems to imply that it should be addressed by writing guidance or regulations or rules. I’m just thinking this Committee probably spent about a million dollars worth of staff time roughly doing this document. It’s recommending HHS go back and spend millions more and that the entities out there spend, I’m guessing, ten or hundreds of millions of dollars in terms of their own efforts, and where they’re really worthwhile efforts, that’s okay. But I do worry that we haven’t really thought out or are capable of measuring the time cost we might be imposing. And in some cases, it seems to me what we’re recommending is things belong on the spirit. Like, you know that thing about having adequate sample sizes stuck in here. I really don’t know that we really want to write a regulation. Maybe we want to remind people if you do research, you should have adequate sample size. But I don’t know that we are capable of writing in fine language even if it’s a regulation or a guidance or law what that amount is. And just some places I think the tone should be here’s the spirit of what we found that should be done in this area. But it may not be something where there is a legal way we can put it in this recommendation to HHS the guidance or the regulation or the ruling would be there. And I mentioned this with 9.2. I just sort of waited there. It says, you know, and we shouldn’t have anti-discrimination. But there’s no evidence here on what you should do. It’s sort of like Congress should actually work for legislative or regulatory measures. Does this imply that the ones that we now have are inadequate? Or does it mean in the spirit of the law we should be constantly looking to make sure that that discrimination isn’t there. There’s just a lot of cases where the language implies moving in a legalistic way to solve the problem when I’m not sure we have determined that that’s what we want. And it’s a general comment, and as I say it’s a little bit unfair, but I saw it so many places in here where there were good things to be done, but it wasn’t clear to me we knew how to prescribe it. MR. REYNOLDS: Simon, I’ll turn it back over to you. The vice chairs have gotten through it now. Simon, you’re holding us up. DR. COHN: Well, I guess without going to the general, and Gene let me mention. One of the reasons we opened this up to public comment was we wanted to make sure that we were not creating unintended burden on things. So I have to say that we actually went out and sought that sort of input to make sure that we really were not doing things that just didn’t make any sense or whatever, and the document has been significantly modified as a result of that. Now so that’s the global comment. Now you’re specifically commenting about 9.2, and I think I have to look to Marc Rothstein to help us with this one only because these are recommendations that have come out of previous privacy letters from the Full Committee that maintained sort of the spirit and the – I mean, it isn’t like this comes out of new ideas. This is things that we have recommended previously. Marc, do you want to comment? DR. ROTHSTEIN: Yes, we’ve made several recommendations, Marjorie reminds me that since the late 1990s. In fact in our 2006 letter, recommendation R-22, this is a big June 2006 letter said HHS should support legislative or regulatory measures that eliminate or reduce as much as possible the potential harmful discriminatory effects of personal health information disclosure. So I think we are on record as supporting broader non-discrimination laws. There are a couple changes actually that I will give to Margret on the text in 9.2 that needs to be cleaned up a little bit that might help some of your – DR. COHN: Okay. I know it’s after six. In fact it’s close to 6:20. Now any other final comments on this? Now what we’re going to be doing is redlining. Margret will stay up tonight to work on this one. Harry, Justine and I will wake up at 5:00 a.m. to work with her to review things, hopefully not. But anyway tomorrow morning obviously after the workgroup and subcommittee meetings, we will have a redline version to review and consider. Hopefully, as I said, I guess I would have you all consider, I mean, we’ve taken obviously a lot of input. It may not be perfect. Just remember the really important part here are the recommendations, and we need to make sure those are right. A lot of things in terms of wording and wordsmithing, we can take care of offline after this meeting. So I just want to keep everybody aware of what the most important thing here is. Now I do want to tell you that anybody who had any optimism about leaving before three o’clock tomorrow afternoon, I think I would abandon that optimism because it’s very clear based on this conversation that we’re going to have issues around seven again, and we’re going to have to sort of try to work through that. Anyway, with that, obviously I think we have dinner which hopefully at this point is going to move til seven since I think we all need a breath at this point. Maybe you can call them and let them know – you already called. And you have instructions for us about how to walk there or otherwise get there? MS. GREENBERG: What do we do? We walk out the front door, turn left towards DuPont Circle? [Background chatter.] DR. COHN: Sure, ten to seven. Okay, and the meeting is adjourned. Whereupon at 6:22 p.m. the meeting adjourned.]