[This Transcript is Unedited]

National Committee on Vital and Health Statistics

Subcommittee on Privacy and Confidentiality

November 5, 2004

Hubert H. Humphrey Building
Room 800
200 Independence Avenue, S.W.
Washington, D.C. 20201

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, suite 160
Fairfax, Virginia 22030
(703) 352-0091

P R O C E E D I N G S [8:05 a.m.]

MR. ROTHSTEIN: Welcome everyone to the early morning meeting of the Privacy and Confidentiality Subcommittee and just for the record we need to introduce ourselves. I’m Mark Rothstein from the University of Louisville and I’m chair of this august subcommittee. Kathleen?

MS. FYFFE: Kathleen Fyffe, U.S. Department of Health and Human Services, lead staff to the Privacy Subcommittee.

MS. CHAPPER: Amy Chapper, CMS and HHS, staff to the subcommittee.

MR. BLAIR: Jeff Blair, Medical Records Institute, I’m an interloper sitting in —

MR. ROTHSTEIN: Former member of the subcommittee.

MR. BLAIR: Jeff Blair, member of the committee.

MS. RIPPEN: Helga Rippen, ASPE, staff to the committee.

DR. HARDING: Richard Harding, member of the committee and subcommittee, University of South Carolina.

MR. HOUSTON: John Houston, member of the committee and subcommittee, University of Pittsburgh Medical Center.

MR. REYNOLDS: Harry Reynolds, member of the committee and subcommittee, Blue Cross and Blue Shield of North Carolina.

MR. ROTHSTEIN: And seeing no audience we will dispense with the audience introductions.

We have two agenda items today and they both relate to our upcoming hearing schedule, the first item is to firm up if possible the hearings that we have scheduled two weeks from yesterday and two weeks from today. As you recall we have a day and a half of hearings scheduled on two issues, a half day on the impact of the HIPAA security rule on current and emerging technologies in medical equipment, and one full day on privacy and confidentiality issues in e-prescribing. Amy, has everyone received a copy of this?

MS. CHAPPER: I don’t think so.

MR. ROTHSTEIN: Okay, if you could distribute these. We are going to be distributing a tentative schedule and if possible today I’d like to have the subcommittee members help fill in any remaining blanks that we have. And of the two hearings the half-day session on the security rule is much, in much better shape and we have John Houston to thank for that. And I’m wondering, John, if I could ask you because your session is in better shape if we would do that first and then talk about that schedule.

MR. HOUSTON: First today —

MR. ROTHSTEIN: Yes, and then we’ll talk about the e-prescribing issues second.

MR. HOUSTON: I’d say it’s in better shape, I wish we had one or two more people and we’re trying to work on that.

MS. CHAPPER: I had gotten your note about Susan having a conflict and then you sent me the new name, I wasn’t realizing that it was replacing the person from McKesson, so then I realized we didn’t have that third.

MR. HOUSTON: I have to admit this has been much more difficult then I ever would have thought, it seems that a lot of people are interested but nobody’s available so maybe we just go through it, Amy had to line up, there’s somebody from the VA who’s coming as well as the FDA, both I think, obviously the FDA person to speak specifically about some of their challenges about dealing with regulated equipment as well as other types, even software and what their view is on the issue of things, patch management and security management in that type of an environment.

I think the issue at core is we have a lot of regulated equipment out there and software and things and under the security rule there’s obviously some affirmative responsibility to ensure that that equipment remains or that software remains secure and that adequate steps are taken. Unfortunately when you have a piece of regulated equipment sometimes you can’t do thinks patch management, software updates in a timely fashion especially if they’re at an operating system level to deal with worms and viruses and things like that.

So that really is sort of the core of the concern is how do you deal with this, how do you deal with the environment where the manufacturer to test each patch might take weeks and months and you have a virus that comes out and typically the immediacy of them is days. Kathy I know, you sort of had that, let me give you an example, I can give you one from my institution, we have medication administration carts there, they’re drugs, they’re dispensing carts, and they have an imbedded computer in them and then with a Windows NT operating system on them, we had a virus outbreak about a year ago where the carts became infected, we couldn’t update them with the patches necessary to prevent them from being infected. They were actually causing serious network problems on our network because they were spewing a lot of denial of service traffic on our network. We ended up having to take the carts off of our network until we could get the manufacturer to go and certify the patch that had come out from Microsoft to prevent the problem.

So here’s a case where we had to take down medication dispensing carts, take them offline because of the fact they became infected by a virus and couldn’t be patched in a timely fashion.

MS. FYFFE: I have a question with regard to that, there’s security aspect which is more technological —

MR. HOUSTON: That’s what that is, yeah.

MS. RIPPEN: And then I guess there are addition then privacy —

MR. HOUSTON: There really aren’t, this was intended to really sort of be a joint privacy security, there is not a privacy issue implicated here, except you have integrity, if you have integrity which I guess is as much privacy, could be considered privacy but it really is primarily a security issue and we sort of decided to take this set of meetings and use them as a joint meeting.

MS. RIPPEN: So there are some interesting questions with regards to that, if we know that there are vulnerabilities in the technology side one could then also minimize the privacy and confidentiality risk by perhaps not storing certain types of information on systems that might be more vulnerable.

MR. HOUSTON: That in my mind gets into affecting patient care, I mean these devices where we’re talking about primarily are specific use devices, maybe a CT, maybe a med administration to a robot, something designed specifically for the purposes that they’re being used for, they’re not sort of a multi-purpose device. And there’s been a lot of concerns out of hospitals and industry about how do I deal with patching these systems and I think the FDA has a position as well as some of the device manufacturers and I just wanted to get, sort of wanted to get a sense of whether this is as big of an issue as people are sort of implying that it is.

DR. HARDING: My mind runs wild thinking of medical equipment, could you define what we’re kind of, what that is?

MR. HOUSTON: It’s not even medical equipment, it is any software device that the FDA regulated in some fashion, is it a 410, I forget the code, there are a number of sections, code sections that deal with specific devices that need to be, that have to be FDA approved for use, that contain either, it could be software or hardware but typically would contain software that are involved in the functioning of that device and therefore have to have an approval and have to have a manufacturer strict guidelines for the updating of things like the operating system. The issue is is that the customer, if you don’t have an FDA regulated piece of equipment the customer would go and throw the patch on themselves, I’ll go test this patch, I’ll go put it on my machines, and if there’s any problem I’ll back it out. In this equipment the customer is not permitted to do that, the patch management, any type of updates needs to come through or be tested by the manufacturer because of the fact that it’s regulated, it’s a device that is regulated or approved by the FDA.

DR. HARDING: So any medical device that has protected health information.

MR. HOUSTON: I don’t think it has to be protected, even have protected health information in this case because if it sits on a network that contains clinical information it could actually impact the rest of that network and that was the problem we had, these medication dispensing carts really don’t contain much information, but what they did do is they took down a big chunk of our network which was the clinical network. So I think there are some devices that do contain PHI like an MR or a CT, they’ll have the image data on it, but I think there’s other devices that frankly by being residents of the network potentially could impact that network.

MR. ROTHSTEIN: So this is a one half day session on November the 19th and we are basically having two panels, one from government agencies and one from industry and we are just like a witness short basically for each panel and I know —

MR. HOUSTON: I think the first panel is okay, do we have DOD?

MS. CHAPPER: Well, he was away and I’ve just been able to speak with him and he’s speaking with the gentlemen from DAJ and hopeful of participating but I haven’t gotten a definite.

MR. HOUSTON: I think if we could get a second person to represent a large hospital I think that would be what we were really hoping for and what I thought we had lined up.

MR. ROTHSTEIN: What about from the American Hospital Association?

MR. HOUSTON: I put in a call to them and they really have not been responsive in this regard, I mean I could try again.

MR. ROTHSTEIN: What about from some of the software companies, somebody from Microsoft —

MR. HOUSTON: I tried Microsoft, Microsoft really felt like they didn’t want to, not meaning negatively, they weren’t sure what they were going to add in this specific case. They were very helpful in getting to people in the FDA, I can tell you that, so it’s not that Microsoft isn’t interested, I’m not sure like they felt like they had much to add. I can say this, though, Stentor(?) is a piece of software that’s used for reviewing diagnostic images and their software is FDA certified, regulated, whatever, they have I guess a 510 certification so they’re going to speak from a software perspective and then the gentlemen from McKesson is going to speak from, they do have a lot of equipment, different types of equipment that is FDA regulated.

MR. ROTHSTEIN: And what about some other Medtronic type —

MR. HOUSTON: We tried, I tried a lot of people, I tried GE, Siemens, I’m surprised we really haven’t gotten anything, we really have not been able to get commitments, Beckman, there’s some people who say I’m just not available that day and just really haven’t been able to get a commitment out of people. This has been trying.

MR. ROTHSTEIN: Okay, let’s, we’ve got four to five witnesses, I don’t think we should necessarily comb the bars to try to drag out another witness, if that’s who we have that’s who we have and I think the willingness of the eagerness of people to testify goes to the urgency that they feel perhaps of the issue. So let’s just do what we can and if we have a panel that lasts an hour so be it.

MR. HOUSTON: I will try to get yet a third person for the second panel, we’re just trying to figuring out who. Simon had indicated previously that he thought there might be somebody who could help out in that regard —

MR. ROTHSTEIN: You mean from Kaiser?

MR. HOUSTON: No, there was somebody here yesterday that he had, frankly I didn’t have a chance to touch base with him but I’ll try to talk to Simon today and see if we can —

MR. ROTHSTEIN: So the only thing I would do is I would urge you to see if we can get this nailed down in the next couple of days, I mean by early next week because this is in two weeks and we need to provide notice, I’m not sure what that entails but the more the better. I don’t know what, the Federal Register notice has already appeared, correct? But we need to get website details to advise the public as soon as possible. If Amy and John you can take care of that early next week I’ll be available to check with.

Now if we can move to the second of the two hearing days and that is the privacy and confidentiality issues in e-prescribing which is scheduled for a full day on November the 18th and let me just say that I think that Amy has done a terrific job of tracking down leads and the fact that we’re having difficulty lining up witnesses is not a testament to her lack of effort. I have to confess at the outset that this is not an issue that I am really, thank you, excuse me, I’ve just been informed that we have two people who have called in the conference call and for the benefit of our transcript could I please ask those people to identify themselves?

MS. HORLICK: Hi, this is Gail Horlick at CDC in Atlanta.

MR. ROTHSTEIN: Good morning, Gail, thanks for joining us. Anybody else? Okay, so we have Gail with us, thank you Gail.

As I was saying the e-prescribing issue is not an issue about which I have very much expertise and it was an issue that our friends from the Subcommittee on Standards and Security, in particular Simon, were very interested in having us hold hearings on. Unfortunately many of the natural constituencies who one would think would be eager to testify have indicated that they don’t have anything to say at this point and that would include the AMA, AARP, etc., and I’ll let Amy run down the list of contacts and leads that we had been pursuing. In fact it was my impression that we were going to need even more then one day and this was supposed to be day one of several hearings and at some point in the future we may need to do that but I’m not sure that the future is now. And let me ask Amy if you would before we get to the people on our list talk about all the people who are not on our list that we’ve tried to include.

MS. CHAPPER: Well I believe it was at our last conference call where we discussed the hearing, we had talked about the overview to set the framework and discuss the issues looking to government such as CMS and OCR and I’ve been working fairly closely with Maria Friedman who’s lead staff to the Standards and Security Subcommittee and CMS she didn’t feel was appropriate to present on this issue. I did speak with Sue McAndrew and we were sort of waiting to see what we ended up with as far as the other presenter for this. Thank you, Sue, for being here to see what happens.

MR. ROTHSTEIN: If she weren’t here she might be speaking.

MS. CHAPPER: In working with Maria, Maria did suggest and this person is on the list that Phil Rothermich present an overview so that was her suggestion. I guess I can talk about Mark, when we spoke we were thinking that we really wanted possibly someone without like a connection or a perspective from the industry so that’s why we were trying for someone else. I had spoken with Ann Canfield(?) at Rx Benefits, this was another suggestion thanks to Maria, and she suggested a Jeff Brown who’s also on the list now for the industry but again his clients are from that perspective so again we were hoping for someone, again, government or an academic presenter. So that’s where we were with the overview.

Also at our call with consumers we had talked about AARP and as Mark indicated they don’t have any issues at this point. They did suggest the Consumer’s Union and I contacted them, they said they haven’t focused on this issue. Families USA, I haven’t heard back from the gentlemen there, Bill Vaughan that I called, so I’m still waiting to here, we may get them.

MR. BLAIR: Did you try like Georgetown University? What’s her name?

MS. CHAPPER: I didn’t, I mean I certainly can, hopefully these other two will be interested and I’ll follow up with them right after this.

MR. REYNOLDS: Mark, can I make a couple of comments?

MR. ROTHSTEIN: Sure, Harry.

MR. REYNOLDS: I am on the Standards Committee, and Jeff is the co-chair, can override me in anything I say here. In thinking this through since we did kind of recommend that it come here, if you listened to Jonathan Teich yesterday he went through a significant list of the basics that the physicians would want in e-prescribing. If you look at the regulation, and one of the reasons I think it would be good to have somebody talk about the regulation up front, the regulation has some goals, reducing errors and a number of other things, so that’s the framework under which we have a regulation and then we have the physicians and the industry who say this is how it’s going to work and we’ve heard numerous discussions about that.

The problem now becomes, and one of the things that was even in the most basic of discussions yesterday, was whether or not the doctor would see all of the drugs that the person is getting whether or not at some point they would be told whether the person filled the prescription or not. That’s where this thing moves from a technology implementation into can the goals of the regulation be met and if they do do they infringe on what the person might want as a patient happen or not happen or be transmitted or not transmitted.

And let’s assume everybody agrees, does the authorization or does the privacy notice that the person signs when they go into the doctor have to include the fact that that doctor now is going to have access to information that that doctor would not have had access to necessarily were it not because of e-prescribing. And so that’s where this thing starts crossing over the line so Jonathan yesterday put, so the stake is in the ground on the regulation, what it wants to achieve, the stake is in the ground at least about the basics as to what the physicians see would be necessary to have basic and then expanded e-prescribing. And now listening to the people that would represent the consumers and represent the patient as to what does this mean to them is what we were trying, why we felt that it kind of came into this group.

MR. ROTHSTEIN: Harry, I wonder if you can, and I think you for your observations, I wonder if you could shed some light on why you think it is that the issues that you’ve described, and many others that I’m sure we could all think of in terms of privacy interests, why this is not really something of great interest apparently to all these groups and individuals that we’ve talked to. When we had our conference call we made a long list of groups that we thought we needed to hear from, the PBMs and the retail drugstores and so on and so forth and it’s just not on their radar screen.

MR. REYNOLDS: See the interesting point, and I’ll make a comment and then Jeff, you go first, you’re the co-chair, I’m happy to defer to you.

MR. BLAIR: No, you go ahead.

MR. REYNOLDS: I think the issue is a lot of people think about e-prescribing as only the electronic transmission of the prescription. The decision support that was discussed yesterday is a silent issue to most of the people outside of the standard environment. If you don’t sit down and draw the boxes and understand the data coming from the boxes as to how this all flows from a doctor to a pharmacy to a PBM to a payer and so on the light doesn’t come on that I could go into a doctor’s office, I could be seeing three other doctors, I may or may not tell that doctor that I am but all of a sudden he or she is going to have those drugs in their hand, they’re also going to be told whether I did or did not fill the last prescription. And they’re also going to have my formulary data, which they should have, but the process, and I think that’s one of the things those of us that have been in the hearings and I’m out in the industry and have looked at this, until you put it all together the light doesn’t come on that now the doctor has far more access to information and far more determination of who you are, what you are. Now if I’m a physician I want that if I’m liable because I give you a drug and something happens, but we need to hear from the patient side. But they haven’t connected the dots and we heard that, as we went through the testimony, the longer we went through it then people, the light started coming on —

MR. ROTHSTEIN: Well, we also need to hear from physicians and pharmacists and all these other people as well, I mean the point that you make is an excellent one and it’s one that we’re going to see when we get to the broader issue of electronic health records and that is that it’s not just a procedural change, it’s a substantive change in who has access to what, when and so forth —

MR. REYNOLDS: But let me quickly answer your pharmacy question, you mentioned pharmacists. Pharmacists right now tend to have all that because when they go to put a drug in it usually goes to the PBM, pharmacy benefit manager, and the pharmacy benefit manager has all that. So between the pharmacy and the pharmacy benefit manager you’re not seeing a dramatic amount of change.

MR. ROTHSTEIN: Let me get to Jeff and then John.

MR. BLAIR: I find it helpful to look at the last time we had a privacy issue blow up and that was in July, June or July of 1998 with the NCVHS testimony in Chicago. And if you take a look at what happened there it appeared to be something that people wouldn’t be very upset about and it was hearings on a patient identifier. But let me tell you how that got translated by certain portions of our population who were fearful of what this portrayed and they went directly to Congress and overrode, they almost overrode the entire HIPAA regulation. I don’t know if you know that but I’m saying that because this is not just a legal issue and it is not a technical issue, this is an emotional, a very powerful emotional issue and that’s why it’s important and sensitive.

And if you look at the headlines in the New York Times the headline articulated the fear, wasn’t even true but it caused the removal of part of HIPAA which was the patient identification. The headline said that the federal government is planning to create a “huge database of our medical records.”

Now when you look at e-prescribing or you look at a lot of the other things that we’re doing now with electronic health records, but let’s take e-prescribing in particular, and Harry touched on this but I’ll articulate it just a little bit more specifically, we want to improve patient safety, in order to improve patient safety we want that medication history so that we can find the drug to drug interaction. We want medical histories so that we can wind up fighting allergies, so that we could wind up finding an indicator from laboratory results that might be a safety problem, dosage levels, so in short when we go into e-prescribing with clinical decision support, and clinical decision support is at the heart of this, you then pull in the medication history and the medical history.

Okay, now you’re over the line, you’re over the line right there, this is the patient’s medication history, this is the patient’s medical history, medication and medical, you’re already over the line. Now the question is does the public right now know that? The public is not really aware of this technical feature, when they do become aware of it if we don’t have privacy recommendations in place and if the administration, whoever the administration is, doesn’t work aggressively to indicate that it’s protecting privacy this could blow up the same way things did in Chicago because it has all the same ingredients.

Now let me drill down further and it’s after the election so maybe we can wind up talking about these things a little bit here. Medication history, what if that has drugs for HIV, what if that has drugs for depression or sexually transmitted diseases, will the industry without government involvement is already sensitive to this and you will find payers when they offer medication history to the prescriber they filter, even though they know that this could be a patient safety issue because not all the medications are there for the drug to drug interactions, and they’ve stepped back and they have wound up saying to us well, that’s the responsibility of the doctor. Really? Think about that. Now that may be a nice legal construct until it blows up.

The other piece is even worse and that’s medical history, maybe all you wanted for that prescription was just to know the diagnosis. But if we come out with a law and it says that the payers are providing medical history information, those words, you will have an explosion.

Now what you may mean and what the people who fear this may mean will be very different things. We may simply mean that we’re getting the diagnosis from claims that are right here in CMS, or in the PBMs or whatever. But if you wind up using those words it’s like waving a red flag in front of a bull and I think we have to take it very, very seriously.

And I’m not talking about violations that I personally would consider offensive to me because I have a level of trust that the federal government is not going to abuse my privacy, but a large portion of the population does not have this trust and that New York Times headline articulated exactly where their fear is. The federal government has a database of our medical records and here we wind up in e-prescribing law saying that it’s going to be the payers, including the federal government, that’s providing the medication history and medical history.

MR. ROTHSTEIN: Thank you, Jeff, I appreciate that. John?

MR. HOUSTON: I sort of, dovetailing what Harry just said, I mean this is definitely a bigger issue. I had an opportunity to talk to David Brailer for a while yesterday, I think Kathleen was there, and just I think this is a theme that’s going to run through the NHII and these RIOs and this is, though we are speaking of it in the context of e-prescribing now it will be the exact same dialogue in my mind that we will have on a much broader basis and I think that we, for that reason I think we need to, whatever we need to do I think it might be beneficial to try to ensure that we start to scope it, not only expecting it’s going to apply to e-prescribing but in a much broader sense. This is an extremely important issue, I know that Dr. Brailer has identified this as being one of his chief concerns if I’m not mistaken as one of the barriers to implementing NHII and what his vision is.

I also think this is an issue that he believes is well within NCVHS’s, area that NCVHS can be a great help to him.

MR. ROTHSTEIN: Let me raise the issue of timing, that’s what I’m trying to work out in my own mind. When we finish discussing this e-prescribing hearing we are going to be discussing the NHII issues because that’s on our agenda for this winter anyhow. But when, I was under the impression from Simon and I may be mistaken and maybe Jeff you can help me with this, that there was some immediacy in terms of the need for us to develop recommendations on the e-prescribing. And if we link that too much with the broader issue of electronic health records in general, which I see as a huge issue, then we’re going to be pushing this months down the road —

MR. HOUSTON: Let me say this, I agree with you except that I believe that the timeframe also for having clarity on the broader issue, the time horizon there is also quite short, I think they really feel like this is an issue that needs immediate attention and is something that we ultimately need to try to get resolved. It might be for longer then e-prescribing but really the time horizon isn’t very long.

MR. ROTHSTEIN: I mean there are all these seemingly to me conflicting time horizon issues, then I’ll ask Helga to comment, in other words it’s not something that a lot of people that we would want to hear from have thought a great deal about and have something to say, I mean the pharmacists ought to be lined up to talk to us and the retail pharmacies and the PBMs and all these people in the consumer groups and so forth and we’ve got to pry them and poke them to talk to us. On the other hand so it seems like oh, we ought to defer on this but then we’ve got the pressure to do something quickly on e-prescribing and then we’ve got the same set of issues coming up again in the NHII. So I’m just not sure —

MR. BLAIR: I think you need to engage them in a different manner, I think you need to do a little bit of education like the things that I just said and wind up proactively saying there’s a difference between the reality of what’s happening and the words that have been picked to describe the reality and the words could be something that unnecessarily frightens a lot of people and we engage them to help us understand the magnitude and breadth of that fear in the public and come up with either better wording which won’t incite those fears or methods in addition to the wording to address their fears. And I think we have to be proactive because it will be simply too late if we wait until the public reacts.

MR. ROTHSTEIN: I think you’re right. Helga?

MS. RIPPEN: And actually I want to build on what both of you said, I think that there is probably hesitation because of some of the sensitivities and awareness in the public of how much data people really have and also that people will be looking at how this is handled to get a comfort level with regards to the broader RIO, NHII initiative. So this will actually set I believe the tone in how we’re going to be addressing these issues. And I think trying to be proactive and trying to not be inflammatory or inflame emotions but yet make it clear that this is important for the people that may not be stepping up to really discuss it, to really think about how we’re going to address this and what’s the best way to do it because otherwise I do believe that this could actually create a lot of excitement that Jeff was referring to.

MR. ROTHSTEIN: Can anyone supply us with the sort of the timetable, the regulatory timetable for e-prescribing and the NCVHS timetable for positions on that? I mean do we have to have something to the full committee by March for example to get a letter, could somebody go through that, Jeff or Helga?

MR. BLAIR: The first deadline that the MMA set forth was September 2005, at that time the Secretary is responsible for identifying the initial e-prescribing standards. In reality that timeline has been accelerated dramatically and as you’re aware the initial recommendations to the Secretary were set forth in September and the reason that we did this is we started to look at things and to us the real driving factor is the demonstration and pilot tests that will begin January 1st of 2006 and go on for an unspecified time during that year. In order to be ready for that it means the improved standards have to be in place and the vendors have to have adopted those standards in their systems by January 2006. So we accelerated our recommendations, or at least our initial ones, to September 2004. We don’t really know what deadline there might be —


MR. BLAIR: We in NCVHS don’t really know how much time is necessary for the standard development organizations to get ready for 2006 and how much time the vendors, but we just try to give them as much time as possible, we just worked as hard as we could and that was what we could do. And we couldn’t provide all the recommendations by that date but we provided you might say the low hanging fruit by that date and then we’re going to provide what the next bunch by March of 2005. So although I can’t give you a definitive data I could say that January 1st, 2006 is certainly, it’s probably too late by January 1st, 2006, so whether it is three months, six months, or nine months before that I don’t know but in a sense what you’re doing is you’re in a race and you’re in a race to get something as a guideline out before the public understands what the words are in this reg.

MR. ROTHSTEIN: So when do you think that the privacy component of this needs to be in a recommendation letter to the Secretary?

MR. BLAIR: If you could do it by March, I can’t see how you could do it earlier then March, you have to set your own target dates. If you can come together with some good recommendations, if you could get the cooperation of these privacy advocate groups, draw them into this, indicate that the words are one thing, we don’t want them to react to the words, we want them to react to the reality of what these things are and for them to help us before there’s a public reaction.

MR. ROTHSTEIN: So my sense is that we’ve got to pursue this on sort of the same multiple tracks as we’re doing other things as well even though the people who we need to talk to are not necessarily making themselves available. Let me ask you this, Jeff, I assume that you’ve had lots of people testify before Standards and Security on e-prescribing right?


MR. ROTHSTEIN: Would any of those people be appropriate to be invited to come here and talk to us about, or are they more technical people?

MR. BLAIR: They’re a couple of software vendors that have pointed out that they’re concerned about the privacy issues and one of them indicated that that issue that I discussed with you, that the PBMs in fact screen what they give to prescribers because they don’t want to provide information on the drugs for HIV, sexually transmitted, all of those things, mental health areas, so they voluntarily they’ve done that and they’ve made a decision that privacy is more important then safety. Now that’s something that I feel has to be brought into the open, that there’s already tradeoff that’s going on, people are already making decisions on this, and we could get burned either way. So there are some names of some software vendors that I could offer you —

MR. ROTHSTEIN: That would help.

MR. BLAIR: That could help on that, but I do think that the main thing we have to do is maybe have a little bit of a discussion with the major privacy advocacy groups, explain to them why we need them to work with us, and whether it’s testifying or advice or counsel or whatever format I’m not sure but we need them to work with us to diffuse an unnecessary reaction to words rather then meaning.

MR. ROTHSTEIN: Well, I would agree to the first half of your statement that we need to do that but I’m not sure the, I mean we’re sort of prejudging the issue by saying that, there are lots of substantive things that we need to decide, for example just to —

MR. BLAIR: Could I just clarify what I was thinking when I was saying diffuse the issue?


MR. BLAIR: I was only thinking of the fact that if the NPRM has the words, and this is really derived from the law, the law used the words medical history and used the word medication history and it didn’t define it and it didn’t say where it was coming from but those could be lightening rods for fear. Now in the case of e-prescribing when they say medical history all we may need is the diagnosis so that we make sure that the drug is appropriate and once the privacy community understands that that may, the word I used is diffused, maybe that wasn’t the best word, but they won’t have an emotional reaction to the word medical history or medication history.

Similarly with the medication history, if they understand how it’s being used and why it’s being used then they may be able to help us to craft this in a way that won’t cause a public fear and a reaction.

MR. ROTHSTEIN: No, I know what you’re saying Jeff, but what I was saying was that some of the issues that e-prescribing raise are even more fundamental, in other words what is the role for example of the pharmacist and the pharmacy in one’s health care —

MR. BLAIR: True, true.

MR. ROTHSTEIN: We are sort of still operating on the corner drugstore mentality where your doctor and your pharmacist work together and they meet and chat about what drugs should be formulated for your health and in the real world I don’t know who my pharmacist, my retail pharmacists are, I don’t know their names, I’ve probably got 20 different ones that work at the same major chain drugstore that I go to, I don’t view them as my health care providers in any sort of the same sense that I view my physicians and I’m not sure that I feel even comfortable having them have access to the same sort of information that my physicians would have and in the issue of, it’s not always sort of safety versus privacy, they matter a great deal in terms of how much you’re talking about. So there are lots of people who would trade off sort of hypothetical or very marginal safety benefits against overwhelming here and now privacy incursions, so it’s a very complicated issue and I’m feeling sort of under the gun in terms of getting hearings together to come up with a strategy in a few months when there aren’t even people who we can identify to help us with this. John and then Harry.

MR. HOUSTON: Back to your just last point, we had all this discussion about, a few months ago in testimony of the pharmacists related to marketing and sort of dovetail your point which is they like to, I think there was a lot of discussion about how the pharmacies, they want to do treatment planning and care planning and a lot of this was frankly really a guise for wanting to do marketing. And so I think there has been some public outcry about that so to extend it a little bit further to what you were just saying now I think there is going to be some consumer pushback that the pharmacist already has information and they’re not necessarily doing the right thing with it. And really what their purpose is not necessarily to provide treatment or the like but it’s an opportunity for them to engage for the purposes of enhancing revenue.

MR. ROTHSTEIN: I agree. Harry?

MR. REYNOLDS: Mark, I think the key, if you look at treatment, payment, and health care operations, which is really one of the basis for everything that’s gone on with HIPAA and some of these laws, it’s the patient, the doctor, and the pharmacist that are really the three here, the PBMs and payers, they have information but once it’s decided who’s going to get what information, I mean we could recommend this basic as that all privacy notices ought to have clear definition if that doctor is using e-prescribing then they are in fact getting the medication history, or it could go all the way to that the pharmacist has to do it, I mean it could take all kinds of shapes and forms. But I think it’s, I mean everything, if you read the regulation it’s clear you read, you hear what the doctor said yesterday it’s clear, and so the question is how do we use the mechanisms that are there to either expand them, like the authorization, a good example is does the patient have the right to opt out. If I go to a doctor and it’s an orthopedic surgeon and I’m going to get medication do I have the right to not sign that privacy notice and opt out of them using e-prescribing.

MR. HOUSTON: I agree and this discussion I had yesterday with Brailer is how, I mean in my mind this all centers around just that concept, how much control is the consumer going to have over the control of their information, the flow of their information.

MR. ROTHSTEIN: Okay, let’s see if we can move the ball forward on this, this is not, this is actually not our hearing on the substance, I think, Jeff I hear you about the need to get something out in March which means that we’re going to have to conclude hearings probably, we have a hearing scheduled in January, we’re going to talk about our future schedule in a minute. It may be that our March letter is one of these we’ve heard testimony and we’re concerned about the following ten issues and describe the issues that we’re concerned about without coming up with recommendations because we don’t have enough information and so on. But we clearly need to have something for March.

I suppose what I hear the subcommittee saying is that maybe it’s less important at this point to hear from the industry, that is the vendors, the software companies, the PBMs and so forth because we know in sort of broad strokes what their role is going to be and the Standards and Security Subcommittee is going to be fleshing out sort of the technical aspects. And what we need to concentrate on is the sort of the policy issue that we need to flesh out so we need to go to probably a broader range of consumer groups then we’ve been talking about, we need to go to the ACLU, the electronic data people, privacy people, and a whole range of other folks and see if we can get them on board.

So as we’ve sort of sketched things out maybe we can go, my initial concern was that we didn’t want somebody from the industry to frame the issues for us, we wanted some neutral person to frame the issues for us. But maybe I mean just to think about it is to have the industry people present where they’re going and then sort of, not to set them as sort of the straw man that people are going to attack but just let them set up the framework and then have, allow the privacy people to say well wait a minute, we’ve got issues with what you’re planning to do because we’re concerned about notice or opting out or all the other things that we’ve referred to.

Does that sound like what people are thinking? Richard?

DR. HARDING: Yes, I think Harry was right in that we have to broaden, instead of saying issues in e-prescribing, I mean that to the typical doctor is how is my PDA going to get this to the druggist, I mean that’s kind of, that’s e-prescribing. I mean this like ought to be privacy and confidentiality issues in e-prescribing as it pertains to the electronic health record or something like that that kind of helps people see where this is the whole thing we’re talking about not just the software for the PDA that’s going to shoot it to CVS —

MR. ROTHSTEIN: E-prescribing and the sharing of the electronic health record.

DR. HARDING: Yeah, the whole electronic health record issues. So yes, I think, who will frame it will be very, I don’t know who should do that.

MR. BLAIR: Could I just add one little tiny piece?


MR. BLAIR: If you could produce recommendations that are somewhat comprehensive by and large that is clearly desirable because we don’t really know what is going to happen but I wasn’t saying that that was a hard and fast deadline because I don’t really know when it is that privacy advocates will wake up to this as an issue. So maybe you’ve got until June to get it right, I don’t know, it March is your target that’s fine but I wasn’t saying that that’s a deadline.

MR. ROTHSTEIN: Thank you very, very much for that clarification. Harry and then Maria, did you want to comment? Hang on Harry.

MS. FRIEDMAN: I don’t think at this point you’re going to be able to have one person or one group to neatly frame the issue and put a bow on it and present it, I think you’re going to need to have multiple presentations from different perspectives because I don’t think this is entirely on everybody’s radar screen yet and I think you are going to have very different perspective so you may want to consider what you’ve just described is to have a bunch of people talk about it from where they sit and then to try and get your arms around that and then see where that goes.

MR. ROTHSTEIN: I think you’re right, I think the assimilation is going to be our responsibility, nobody is going to come up and hand us a report that outlines the 20 issues. I’m going to go to Harry and then Mary Jo.

MR. REYNOLDS: I still think that the regulation frames it. The regulation talks about medical history, it talks about information that’s going to be passed back and forth, it talks about patient safety, that frames what the subject is. If you talk to Express Scripts or RxHub or any of these, they’re the vehicle, and so a lot of the people that we heard are the vehicle whereas the regulation clearly states what’s trying to be protected, what’s trying to occur, what information needs to be involved, that is the issue where I think the privacy comes into play. Not the fact that Express Scripts sends it back and forth from the PBM to the pharmacy or RxHub is the central thing or this or that, they’re doing that all right now. It’s what does the reg, there’s a vision in the reg and there’s a clear description of some data that’s going to be involved to get to that vision and that’s where the privacy comes from. And then how does the patient, the doctor, and the pharmacy deal with that information that’s listed in that reg, that’s the issue in my opinion. Talking about how it goes, the industry is going to implement the mechanism to deliver that reg, not make the decisions on exactly what data it is and that’s why you heard the doctor who did an excellent job yesterday frame this is what I would want as a doctor, well, what does somebody want as a pharmacist and where does the patient fit and how do I get in, how do I get out, how do I say no, how do I say yes, do I want my orthopedic surgeon to know I have AIDS, do I want somebody to know this, I mean those are the kind of things that are going to be the issues. So I think the framing of it is the reg because if we frame it too much outside the reg then we may be off base in what we’re approaching.

MR. ROTHSTEIN: So maybe what we ought to do and CMS has deferred on sort of sketching out the reg, maybe we ought to go to Jeff Brown, who is the lawyer who represents a lot of the vendors and those people who can talk about the legal framework and what this is attempting to do and then instead of having witnesses from Express Scripts and the like then we move right into the privacy people and let them raise their concerns and hopefully suggestions about this electronic vision and what their issues are. Mary Jo?

DR. DEERING: This is sort of a segue to the next agenda item which is how we’re going to work together and it seems to me that there is a crossover between your needs for specifically related to the e-prescribing reg and then the broader consent and authorization which we were going to discuss jointly anyway. And I just wanted to put a group on the table that we had thought of having for the personal health record and we were going to put them back on the table for our January hearing, namely AARP, because we happen to know that they have been actively considering a personal health record, we know that they’ve thought thoroughly about the broader drug issues, I don’t know exactly how they weighed in on the e-prescribing per se but clearly these are people who have done a lot of thinking about their users point of view. And I would hate to go directly from a legal industry framing directly to the privacy advocates themselves without interjecting first some consumer orientation to give the full balance to the package.

MR. ROTHSTEIN: Okay, so you tried some, Amy, you did try with AARP, maybe Mary Jo can give you a different, we tried to reach someone at AARP —

[Group discussion.]

MR. ROTHSTEIN: So how about this as our working plan on the issue? Amy and I will be busy next week and we would greatly appreciate any suggestions, Jeff, if you could give the suggestion that you made earlier about the industry efforts to already filter privacy information, that would be helpful. I have a couple dozen usual suspects that I could refer you, Amy, that I will mention. We will schedule the hearing, go through our one day hearing in November, see what happens, and not be tied down to any particular date, we’re going to try to get it out as soon as possible. If we can do it in March, by the March meeting we’ll do it by the March meeting, if we can’t then we’re going to have to move it back. I don’t know what else we can do. Is that okay?

Alright, let’s move to the related issue of our plans for the next batch of hearings. You will recall that we have one two day hearing scheduled for January 11th and 12th with a topic to be determined presumably it included some time for us to talk about e-prescribing. But let me tell you what else is on our agenda and what I might want to add to the agenda with your consent.

So we had previously agreed to have hearings on the issue of patient controlled limits on the contents of electronic health records, this is the big NHII issue that we’ve all been talking about, we were committed to doing that. We’re also committed to doing three other things from prior meetings, they are limits on disclosure of PHI to third parties via compelled authorizations, and this would include sort of the privacy issues when you’re required to sign an authorization if you want life insurance or —

MR. HOUSTON: Mark, would you reread that again?

MR. ROTHSTEIN: Sure, limits on disclosure of PHI to third parties via a compelled authorization, so in other words if you apply for a job it’s legal in 48 states for them to say as a condition of employment sign this authorization and we want all your medical records. So that’s one of the things we want to look into.

Second of the, well, I guess this would be third if you start out with NHII and that second, third is the issue of decedent and archival health information which came out of our prior hearing you’ll recall that we said we need to look into this further.

A fourth is the issue of patient identification, not the Chicago style patient identifier, a New York style patient identifier.

Now there are two other issues I want to add to our list for consideration, the first is I was an invited guest at the Population Subcommittee hearings yesterday and the Population Subcommittee is interested in the issue of access to research datasets key to subpopulation groups, so in other words researchers might want to know about the health status of a sub-subpopulation group in a certain area and they can’t get that because of restrictions on disclosure by say an HHS agency. And it turns out we think that all the different HHS agencies have different policies on when they can disclose that information, this is not PHI, this is just research information, and I think what is likely to happen is that they are going to get a contractor to compile all the different positions of all the different HHS agencies on this issue and then we’re going to have some joint hearings with them about how you balance the privacy interests against the research interests and to try to get a more uniform policy. But that is not in our immediate future but that’s sort of down the road and I wanted to share that with you.

The other thing that I would recommend or propose that we take up is the issue of radio frequency identification chips, because we’re not doing anything controversial I thought —

DR. HARDING: They’re already being used.

MR. ROTHSTEIN: It was time for us to stick our head into the lion’s mouth. I didn’t, like most of us I’ve been sort of following this from a distance, I didn’t realize that Senator Leahy had in April asked the department to take a look at the privacy implications of this issue and I talked yesterday with Jim Scanlon to make sure that the department wasn’t already doing something in this and maybe Sue if you know something else you could help me with this. But according to Jim this has not been done yet in terms of sort of a formal inquiry by the Data Council or any other group and he thought that it would be quite appropriate and timely for NCVHS to take a look at this. Sue, is OCR involved in this?

MS. MCANDREW: Just in querying the response back to Leahy’s inquiry which I think, it was presented in a way that didn’t really link it as immediately as it turned out to its on street appearance here, so I think he got a very general response.

MR. HOUSTON: A what response?

MS. MCANDREW: A very general response.

MR. HOUSTON: Leahy did.

MR. ROTHSTEIN: So in other words, thank you we’re looking into it kind of response or —

MS. MCANDREW: We’re looking into it to the extent this is used for health information and that it would involve the electronic transmission of health information in one way or another, then if it’s a covered entity they would need to take into account the privacy rule implications of that transmission.

MR. ROTHSTEIN: So I would think that Catherine Lorraine who is our FDA staffer on the subcommittee, if we decided to follow through with this would be the perfect person to work with us, not to draft you Catherine, but because it’s FDA approved and we’d need FDA witnesses and so on. So that’s another thing that I would add to our list.

And it seems to me that we’re going to have to do a couple of things, one is clear some dates on everyone’s calendar and I’ll have Marietta send around information about dates but we may need to schedule in addition to our January hearing hearings in February, March, and April as well until we get through this stuff. The other thing is to try to assign some level of priority to the various things that are on our plates as well as try to figure out the number of hearing dates for each one of these issues.

So let me just to recap the items that we are either committed to do or might want to take up right now. They were the big NHII issue, the disclosure via authorizations, the decedent and archival information, patient identification, putting aside the population issue, and the last one is the radio frequency chips. So of these issues, just to put a proposal on the table for us to think about, I would suggest that we defer on the population issue because it’s not ripe yet. I’d also suggest deferring on the patient identification issue, I mean we need to do that but I feel less of a time pressure and there are only so many things we can take on. So that would leave us with three things that we’re committed to doing in addition to e-prescribing and one, the chip issue, that I think we ought to do.

I think in terms of hearing dates I think we need to schedule two days at least initially on the NHII issue, it’s just too important and we need to hear from too many people. I think that Mary Jo has previously volunteered to work with us and Kathleen is also a natural person so between Mary Jo and Kathleen we’ve got the expertise on that.

On the next issue, the limits on disclosure of PHI to third parties through authorizations, Helga RIPPEN has previously talked to me about volunteering to do that and I think that would be great. I think at this point we only need one day on that issue.

On the decedent and archival health information Sarah Wattenberg was the original person who did the hearings that raised that issue for us so I would ask her to take over that. And that would be at most a day, perhaps even a half a day on that issue. And then if the subcommittee decides to follow through on this Catherine would be the person and I would think a day maybe would be the appropriate amount, probably not less, we need to hear from a variety of people, industry people, FDA people, as well as consumers. That’s on the RFID issue.

So now it’s a question of working out dates and prioritizing issues —

MR. HOUSTON: Wait, wait, I’m not sure I agree with some of the, at least NHII, that two days is sufficient —

MR. ROTHSTEIN: I said at least initially two days.


MR. ROTHSTEIN: So in other words if we scheduled a hearing in February on that for example we would schedule two full days on that, not committed to the fact that it’s only two days because I share your view, we may have to have a whole series of hearings on that.

MR. HOUSTON: As I indicated before I think this is going to be a very immediate, this is an area where we can provide immediate value and I think that looking at all these different things we should try to prioritize. Personally I would like to say that’s probably a more immediate interest and need and I would prefer to say we put more time at it earlier as opposed to doing two days, then doing these other things, then maybe coming back for some more hearings.

MR. ROTHSTEIN: Well, the issue is we don’t know how much time we’re going to need until we actually start doing it so we can hold out some time, so for example we have January 11thand 12th already signed up and if the committee desires we can make both dates on the NHII issue. And then we might schedule something else for February and be prepared to move back in March or April or some future time on the NHII.

Before we do that and figure out what we’re doing when and how much time to allocate we need to take up the issue and have some subcommittee discussion about whether we want to put the RFID issue in the queue for consideration with all the others. So I just presented it, proposed it, but like all these other topics they need to be approved by the subcommittee before we put them on our agenda. So with your permission I’d like to have comments and eventually vote on it.

DR. HARDING: To me it’s a very interesting issue but I think compared to the NHII issues it’s not near as critical, and it’s kind to me would be more like a filler if we had a half day to put in about that, that’s kind of how I would see it as opposed to separate things for it.

RM. ROTHSTEIN: So your view is that it’s appropriate for us to look at it, we ought to look at it, but it’s not a high priority.

DR. HARDING: It’s being used in Connecticut at the present time, chips are put into triceps as people entered through the emergency room and then that’s used as their identification through the hospital, Hartford, Connecticut. It’s interesting.

MR. ROTHSTEIN: If we have a hearing I’d like to get those people to come talk to us, interested in the informed consent and some of the other —

MR. HOUSTON: One of the things that in reading this article that you distributed, I notice that it said that Leahy had made inquiry I believe it was in April, in a letter sent to Thompson in April, my thought is is that that seems like it’s a long time ago and are we getting involved either at a late date or at a point where no matter how we respond to this issue Leahy is going to come back and say well I asked you in April, why has it taken you to April of the next year to respond.

MR. ROTHSTEIN: I’m not sure I agree with that, I think that first of all Senator Leahy didn’t write to our committee and we didn’t, I didn’t know he had written this letter until I read this although I had been following the issue, I mean there’s lots of stuff in the paper about these chips. And I would be more then happy to defer to someone else if they were doing anything, that’s why I asked Jim Scanlon yesterday if the Council was doing something, nobody knows of any hearings that are scheduled on the Hill at all, and I don’t think the FDA is pursing this —

MS. LORRAINE: I was just asked yesterday in fact about the HIPAA privacy and security access —

MR. ROTHSTEIN: Excuse me Catherine, could you go to the microphone so we can get you recorded?

MS. LORRAINE: I was just asked yesterday by colleagues at FDA who are working on our drug importation and counterfeit prevention program about the possibility of putting RFID technology on every prescription, from the large bulk bottles that are provided by manufacturers to distributors, to the amber vials that are dispensed to patients. So it’s sort of a happy coincidence or maybe it’s not happy but it’s a confluence of issues here. So I think that is an issue that I was planning to raise with colleagues in OCR for discussion. So we may not being doing anything particularly on the privacy security aspects of the verichip(?) device that was approved by the agency but it is coming up in this other aspect.

MR. ROTHSTEIN: So other views? I think I have John’s sense, Harry?

MR. REYNOLDS: If you look at these, whether you take e-prescribing, NHII, the FDA, or the RFID, it’s really putting patient information and how do we get at it. So I think each of the hearings is going to give us some, we’re going to get data, every time we talk to someone or every time we hear from someone we’re going to get more information about, because whether it’s technically coming to a palm or whether you’re getting it, as Richard said, you’re getting it from somebody’s bicep, this whole idea of where is it, what is it and how do you get it, the technology is going to let us put it in different forms. To me a lot of it is pretty much the same subject so the order is not as important to me as the fact that all of them fit in the same process. So I’m fine adding RFID, I’m find adding the FDA, because every one of these is going, whichever pressure point hits first is going to open the subject and once the subject is open we’re going to have to have thought about it and done something about it.

MR. HOUSTON: Actually that’s a very insightful point and I guess the question is how do we, maybe we need to think about how do we frame this in a sense it’s maybe a little bit more global while still meeting some of these specific, address some of these specific issues. I agree with Harry, it sounds like there will be some duplication I guess, rather then duplicate work try to be as inclusive as possible as we’re investigating issues to ensure that we sort of, we can leverage one set of hearings if it really is applicable in other areas. I’m not sure how to do that but I would A, either hate to miss the opportunity to get good information that we can use in a variety of these issues, but also not sound like we’re really disjointed in the way we’re going about things either, because he is correct, a lot of this stuff simply overlaps.

MR. ROTHSTEIN: Well, I think the most obvious overlap is the e-prescribing/NHII issue and I think that when we get our January hearing, let’s assume we do it on NHII, it certainly will influence whatever it is that we recommend on e-prescribing. Jeff?

MR. BLAIR: Earlier we were talking about having difficulty getting folks from the privacy community to engage on these issues. It could be that Patrick Leahy’s staff might be a place to help us engage because he has raised these privacy issues in the past and he probably has somebody on his staff that may have some expertise in this that may be able to give us some guidance. The other thing is they may be able to point us to some of the privacy advocacy groups that we may not even be aware of that also could educate us on their concerns.

MR. ROTHSTEIN: I want to raise this as sort of a process issue in terms of working with the Hill and that is on this issue where Senator Leahy specifically asked for something to be done on the RFID I think it’s, I don’t personally see a problem with that but in terms of just sort of selecting a member of the Senate to work with us, I mean are there any department people who have opinions on whether that’s frowned on? I think we’d clearly need to check with Jim and Marjorie before we do anything like that, it would have to probably go through either the department or some sort of committee with jurisdiction or something, I’m not sure just sort of hand picking Senators would be a good idea although on the RFID issue I don’t think there’s anything wrong with working with Leahy’s staff. John?

MR. HOUSTON: Back to the January 11th and 12th meeting, I’m concerned because of the timing of that meeting and what we want to do in that meeting, I think NHII does warrant immediate attention but I think we’re going into Thanksgiving and then Christmas and then New Years, I think it’s going to be difficult in two months time to get together a good substantive panel and at the same time flesh out the exact issues that we want to work on in those meetings. Not that we shouldn’t do them I’m just, I’m voicing my concern, that’s going to be a lot of work to get this —

MR. ROTHSTEIN: Well, it may be that we would want to have our NHII hearing in February but not give up the January dates and use the January dates to do issues that are more sort of self contained, for example the decedent and archival health information, which is not at the top of our agenda but I think it’s much more concrete, I think we can identify the people who have an interest in that topic, identify what the issues are, I mean it’s mostly the research community and so forth. I think we could do that more easily, I think we could probably do the RFID issue because we know who to talk to at FDA, who to talk to in industry, get a couple of privacy, we could probably do those issues, but I think you may be right in that it’s going to be very hard to get a sense of what we need to do for a January hearing because we’d have to invite the people probably before Thanksgiving.

MR. HOUSTON: Exactly, and I think that we don’t even necessarily, we haven’t really framed the issues yet, we just know, we know we sort of need to go this route, that there are clearly going to be privacy implications of NHII and I think we need to work with Kathleen and Dr. Brailer’s office to make sure we hone in on the very specific issues we want to try to delve into. I understand the first meeting is going to sort of set the agenda for subsequent meetings and maybe, or maybe the alternative is on January 11th and 12th is we get some type of primer, like a half day on the 11th and 12th just to understand where we need to go with NHII, or maybe that’s too late, I don’t know.

MR. ROTHSTEIN: Let me just raise a suggestion, do you think it would be, we have a day and a half scheduled in two weeks, I don’t know whether people have all their travel plans set but I was wondering whether we could carve out some time to do planning for our NHII hearing in two weeks when we’re all here.

MR. HOUSTON: I’m looking at Kathleen, I mean tell me if I’m out of order, but could we do a working session with you and whomever else needs to be involved to make sure we do have the issues identified, at least the initial issues identified? I mean I think this committee could probably spend some time and just really try to focus on what are the most important key points initially to try to get information on, testimony on.

MS. FYFFE: I think we could make a decent start but pulling together all the issues I think is —

MR. HOUSTON: No, I’m not asking for that but just spending some time in sort of a structured setting where we could just sit down and sort of brainstorm.

MR. ROTHSTEIN: Dr. Brailer, I may have misunderstood —

DR. DEERING: — and even Dr. Brailer who posed this question in almost philosophical terms and it could well be that it would behoove us to have a sociological cultural discussion about this to start with as opposed to jumping into the technologies and have the privacy experts get to it, I mean this is a profound shift in our values and our tradeoffs and it may well be that we need to be facilitators of a dialogue about what are the American people’s values on these tradeoffs so that those can be aired fully as opposed to presuming that we can get in any short period of time toward a really working system that balances those.

MR. ROTHSTEIN: Right, so maybe we won’t be able to do all this stuff in a half day —

MR. HOUSTON: A couple points, I think the train sort of in one sense already left the station and I think we need to figure out how to make sure all, everybody wants to ride it or at least has the ability to decide whether they want to get on or get off it. But I know that Dr. Brailer’s office is going to be publishing an RFI which I know will be containing, assuming will be containing questions related to, specifically to privacy and authorization and things like that, I’m looking at Kathleen, or we don’t know that yet.

MS. FYFE: The RFI has as its primary objective the issues surrounding interoperability and I would imagine that there would be some implications for privacy in that —

MR. HOUSTON: And the reason why I ask is is that that also might give us some insight as to how we want to structure things by simply looking at what’s going to be, even on a tentative basis what’s intended to be in the RFI and if we could get at least those questions that in the RFI that relates to privacy maybe that, and distribute those to the committee that might help us, or subcommittee, that might help us also mature our thoughts on how to proceed.

MR. ROTHSTEIN: In the interest of moving forward I have a proposal and that is as follows, I will work with Amy to see if we can change the focus of the one day e-prescribing hearing to have less of a what is being done from a technical standpoint to sort of more privacy issues. We’ll have an extra half day the afternoon of the 19th after the morning session on the security and we will schedule maybe not the full half day because it is a Friday afternoon and people need to get out before the planes stop flying, at least a few hours for us to get together and talk after lunch about issues related to planning our hearings for NHII. We are committed to meeting on January 11th and 12th for two days, given our schedule, how hard it is to free up dates, the number of issues we have, suppose we schedule for the 11th and 12th one day on RFID, a half day on decedent and archival health information, and a half day on disclosure via authorizations. So at our January hearing which is already scheduled we’ll in some sense clean up all three of those issues, I mean we may need to pursue them but at least we’ll get them off our immediate list, and that will leave only, only I say, the NHII and the e-prescribing follow-up that we can sort of follow-up on and I would propose that we plan to have our first set of hearings on NHII in February based on the stuff that we decide in two weeks. And then we can follow-up as needed and our February hearings may also help us frame the issues on e-prescribing which is still going to be probably unresolved at that point.

So comments on that plan and let me just review the staff implications of that, making sure that everyone will be able to do it. For the January 11th and 12th Helga will be working with me on the compelled authorizations, Sarah on the decedent and archival and Catherine on the RFID, and then for the February hearing Kathleen and Mary Jo would be working with us on that. So comments on that rather ambitious proposal.

DR. HARDING: I think it’d be fine, the only thing that I’d comment on is the three topics, you said a half a day and a half a day and a whole day, whatever you work out, that it might be two thirds of a day and that type —

MR. ROTHSTEIN: And it may be that when we start actually looking at this it’s not going to work that we’re going to be able to do all three in two days and we’ll wind up doing two of the three and holding one over.

MR. BLAIR: Mark, could I just add one thing here?


MR. BLAIR: I don’t mean to volunteer somebody that doesn’t want to be volunteered but when you get to the e-prescribing thing maybe Maria, Maria are you in the room?

MR. ROTHSTEIN: Yes, Maria is in the room and she’s been working with Amy —

MR. BLAIR: Because I really feel like she should work very closely with Maria on the e-prescribing stuff.

MR. ROTHSTEIN: Well, I thank you and Maria certainly has been instrumental in this.

So without objection we will proceed on this course, if you can help out at all, that is subcommittee members, please, we all have day jobs and if you can send us names and so on that would be very helpful and in fact I may ask one or more of you privately if you would help us take the lead on planning some of these hearings as John Houston has done with the security hearing, so for example if somebody would be willing to work with Sarah on the decedent and archival stuff that would be very helpful.

MR. HOUSTON: I can try to help out in that regard.

MR. ROTHSTEIN: Your volunteering is much appreciated. And so if Harry and Richard, if you have an interest in one of the other topics we can talk later today.

So any other business for, Richard.

DR. HARDING: Just into the meeting kind of drop something here, we’ve just been through elections and exit polls and how things are going and all this kind of stuff that all of us are fed up with but I’d kind of like, I wish we had some feedback on is America feeling or are they really more comfortable with their health information now as opposed to before. Is there any —

MR. HOUSTON: Well that was that Jeff question from yesterday, sort of the same vein which is —

DR. HARDING: You get something to fix in your mind you forget where it comes from, maybe Jeff brought that up yesterday but do we have the data or just the subjective impression of people in the exit polls or whatever that their health information is being tended to and they’re more comfortable with that reality at this point, or are we still wandering around through the wilderness.

MR. ROTHSTEIN: We’re sort of floundering but maybe, your question is a very important one and it raises a couple of things in my mind, I wonder if it would be possible, Ed Sondik is not here but to include a question or two along those lines in some of the NHANES —

MR. BLAIR: But that doesn’t go to the citizens of the country in terms of whether they trust that health care, that their health care information in electronic form is protected and safe.

DR. HARDING: We spend a ton of money and a lot of energy and does the public in general feel that something has happened —

MR. ROTHSTEIN: That’s one issue and a very closely related issue is that you’ll recall that in I believe it was the April or May of 2003, about the time the privacy rule, compliance date, the committee sent a letter to the Secretary suggesting or recommending that a research program be set up at the department to study the effectiveness of HIPAA, to see whether all the time and effort and sweat and blood and anxiety that we’ve gone through and many other people have —

MR. BLAIR: You’re talking about the privacy regs —

MR. ROTHSTEIN: This is the privacy rule, whether its had any appreciable effect, objectively, subjectively, and so forth, on privacy and to try to come up with some sort of metrics for ongoing monitoring of this and I don’t know that we’ve ever gotten a response to that letter, it may be appropriate for us to send another letter to reiterate our view that that’s very important. Yesterday we heard about the commitment of the department to health information and privacy issues and so on and there’s a $50 million dollar pot for this and there’s a pot of money for that and it sure would be nice if a chunk could be carved off for AHRQ or ASPE or somebody to study the issues that we’ve described. Steve?

DR. STEINDEL: I believe AHRQ has been given the charge to do any type of survey measurements in the area of HIT because that came up last year and I suggested using telephone interview surveys for that purpose and I believe in the framework it came out with AHRQ getting that responsibility.

MR. HOUSTON: Is it HIT though?

DR. STEINDEL: Well, I think lots of issues associated with it, what Ed and I were talking about basically was just finding a vehicle, unframed —


DR. DEERING: Another thought in terms of distributing the workload and what might the private sector do, I mean for the kind of fast feedback that you want you might want to just try some jawboning of, I can think of at least a couple of organizations that have looked at this issue in the past, I think the California Health Care Foundation or one of those other big California firms put a big report about people’s attitudes towards privacy of their health information pre privacy rule and it was sort of as the eHealth thing was coming along and I remember that, I seem to remember that report. But also the Peer Internet in American Life Project that goes into the field very frequently and has looked at some of these issues. There’s nothing lost by having one staff person poke around at any of these entities who frequently look in this area and see is this on your radar screen in the near future, I mean it doesn’t involve giving them money but I would think that some of these people, entities, would in fact be interested in this very question and then you could just benefit, or prod them along —

MR. ROTHSTEIN: Well, I think that’s a good suggestion, attitudes are one thing and that’s certainly one of the things, but I would like to suggest that we actually, the research that I envision would be even more, has it been as costly as we thought it would be, what’s the training been like, I mean more robust research. John?

MR. HOUSTON: When we get into cost though I think that there needs, who did the first one, OMB, who did the original cost projections for HIPAA that were in the actual Federal Register?

PARTICIPANT: The department.

MR. HOUSTON: The department did it itself?


MR. HOUSTON: — at least engage the same people that were involved in that to reevaluate that but I guess the other question is is people like, foundations like Markle, would they have an interest in trying to doing surveys or engaging on the topic of public awareness.

MR. ROTHSTEIN: I have no idea.

DR. HARDING: But as Jeff says there’s a trust element and if the trust isn’t rising and we’re starting to roll out more trust us things we ought to know that.

MR. ROTHSTEIN: It’s an excellent point and given that we don’t have anything else to do we should consider taking that up. Okay, last point, Helga.

MS. RIPPEN: Just to kind of put it back in perspective just letting you know what was said earlier, there’s a question as far as we’re very in tune to HIPAA and things like that but there’s a general, it would be very interesting to understand what the general population understands people have information about them and what their perceptions are and then about how they would feel about certain things because I think you may find a pretty big disconnect and those are the things that might come up when these things are then discussed from a policy implementation perspective.

MR. ROTHSTEIN: I think that’s certainly true, I think from every study that I’ve seen the public has a totally unrealistic view of the privacy of their medical information and so on.

MR. BLAIR: Although what is that phrase, perception is reality —

MR. ROTHSTEIN: We’ve got the full committee meeting here shortly and I don’t want to go over, I thank you all and you’ll be hearing from us. The subcommittee meeting is adjourned.

[Whereupon at 9:55 a.m. the meeting was adjourned.]