[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

Working Session

October 21, 2005

Room 443E
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington , D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax , Virginia 22030
(703) 352-0091

TABLE OF CONTENTS

  • Call to Order/Welcome and Introductions — MARK ROTHSTEIN, Chair
  • Subcommittee Topic: Discussion of Letter-Report to the Secretary on Privacy and the National Health Information Network

SUBCOMMITTEE MEMBERS:

  • Mark A. Rothstein, Chair
  • Dr. Simon P. Cohn
  • John P. Houston
  • Harry Reynolds
  • Dr. Paul C. Tang
  • Maya Bernstein
  • Amy Chapper
  • Beverly Dozier-Peeples
  • Kathleen Fyffe
  • Gail Horlick
  • Eveelyn Kappeler
  • Lora Kutkat
  • Catherine Lorraine
  • Susan McAndrew
  • Dr. Helga Rippen
  • Bill Tibbits
  • Sarah Wattenberg

P R O C E E D I N G S [9:07 a.m.]

AGENDA ITEM: Call to Order and Welcome –MARK ROTHSTEIN, Chair

MR. ROTHSTEIN: So here are basically the items that we need to do:

We need to go through our draft letter and make various changes.

We also need to talk about our Subcommittee meeting that’s scheduled for November 15.

And we need to talk about our presentation to the full NCVHS on November 16th.

And, for the record, I want to thank and praise Maya for redrafting Sections E and F or — I get confused now as to whether they’re letters or numbers.

MS. BERNSTEIN: The numbers are now letters —

MR. ROTHSTEIN: Right.

MS. BERNSTEIN: — and I just made it so that we could talk about each separately —

MR. ROTHSTEIN: Oh, that’s fine. So, E and F, and the first part of D.

And I think it would be valuable for us — Simon, Harry and John and I sort of huddled on this, and what we’re going to do is try to get through the sections that we haven’t done yet before we go back to the ones that we’ve already reached agreement on, you know, to add minor stuff and clean up language and things.

So we were in the middle of what’s now Section D, that used to be Section 4, and according to my notes —

DR. COHN (by telephone): There’s a stop point actually in the document?

MR. ROTHSTEIN: There is a stop point, yes.

We were in the section under — let me just get to — reading from two documents at the same time — okay.

MS. BERNSTEIN: It’s on my Page 8, under “Procedures” — middle two lines.

MR. ROTHSTEIN: Yes, thank you very much.

So we’re under Procedures, and we had agreed with the first paragraph, and then we did not get to the point that says “Fair information practices should be incorporated to the NHIN,” some examples, et cetera.

And so let’s see if we can reach some agreement on that.

Anybody have any — Simon, do you see where we are?

DR. COHN: You’re talking about the Procedures area?

MR. ROTHSTEIN: Correct. In the second paragraph, where it says “start with this on October 21?”

DR. COHN: Yes.

MR. ROTHSTEIN: Okay.

So I’d like to open the floor for comments on that paragraph.

MR. HOUSTON: I have a —

MR. ROTHSTEIN: Okay, John?

MR. HOUSTON: Never shy. One thing. It says, “All breaches of NHIN security should be reported immediately to the individuals whose records were placed at risk so, wide-scale breaches, there should be prompt disclosure to the public.”

I think I have two comments on that particular sentence —

MR. ROTHSTEIN: Okay.

MR. HOUSTON: — the first being is that the question is, I always find when dealing with privacy and security matters even with my organizations is trying to figure out when an actual inappropriate access occurred, or breach occurred.

Now, I think that as a general theme in this particular case we’re dealing with security issues here —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — which I think again goes back to this comment about sort of segmenting some of the security discussions separately.

But also I think towards this end, as it relates to things other than security, inappropriate access, access to people’s medical records, say, from within the organization, one of the things I think we need to consider is rather than having to try to figure out when somebody’s inappropriately accessed the patient’s record, is it more supportable in the NHIN framework if we give the patient the right to review logs of who has access to his or her record and then leave it up to the patient to decide if he or she believes that somebody inappropriately accesses his or her record?

MR. ROTHSTEIN: Well, the thing that I would —

MR. HOUSTON: It probably would be more successful in my mind, but —

MR. ROTHSTEIN: — say to that is I think we have two objectives that we want to further here, and yours goes to only one of them, and that is alerting people to the — or giving them an opportunity to find out about unauthorized access.

The other is — I mean, and this relates to the last section, and that is trust. And I think if we say, look, we’re setting up this system and if there is a breach of it, you will be notified immediately — I mean, in California now, the law is on consumer breaches.

MR. HOUSTON: Actually, there’s 18 states now that have that protection.

MR. ROTHSTEIN: Really? Well — was California was the first in?

PARTICIPANT: Yes.

MR. HOUSTON: I have a summary of all of them now.

MR. ROTHSTEIN: Oh, well, that’s great.

So, I mean, that’s what sort of prompted me to put this in here, and I think it’s a way of kind of trust building to say, look, if somebody gets a hold of your record, somebody hacks into our file, we’re not going to just record it and if you show up, let you see it, we’re going to notify you.

MR. HOUSTON: And again, that’s where the security — I mean, if there’s a breach of security —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — and again, that’s what I’m saying, what segments security from the privacy? If somebody hacks into a record —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — I think that’s a separate issue which I really think — again, this goes back to the question about scope of this letter, and privacy versus security, and how do we deal with what are ostensibly security-centric issues versus what are privacy issues?

Again, I think, you know, security — if somebody hacks into a system, that’s a security breach.

MR. ROTHSTEIN: Right.

MR. HOUSTON: If an individual who otherwise has authorization to look at records and inappropriately looks are records, that’s a privacy breach, or privacy infraction.

MS. BERNSTEIN: It’s both.

MR. HOUSTON: And I think they — what?

MS. BERNSTEIN: I think it’s both. It’s a management failure and it’s a security — it’s —

MR. HOUSTON: I don’t think it’s a security failure.

You know, here’s my basis in this, is that if individuals in a health care environment often have broad access to information because it’s necessary —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — for them to do their job, if they decide to inappropriately access information, it’s not a security breach. Security is sort of keeping the bad folk out. This to me, though — that’s a privacy infraction.

And I think the best way to deal with privacy infractions, I think the most effective way because monitoring logs is very, very difficult, extremely difficult, I think is to put a lot of that power within a consumer’s hands. So they say, geez, I have to look at my log; my next door neighbor who works for, you know, whatever, Good Samaritan Hospital or whatever it is, happened to look at my record, and why does my next door neighbor look at my record?

I think that’s much more effective.

MR. ROTHSTEIN: Okay, well, let me ask you this, just so we don’t get bogged down in semantics: Are you saying that you want to treat differently the situation where Joe Hacker gets into some hospital system and does whatever and treat that differently for disclosure or access, whatever, purposes, versus your next door neighbor is curious to know why you haven’t been at work all week and has access to the system because he works there? And those are two different things?

MR. HOUSTON: I believe they are.

MR. ROTHSTEIN: Okay, all right.

MR. HOUSTON: But I think that they do need to be treated differently.

MR. ROTHSTEIN: All right, so is it your position that you’re objecting to including this in the letter and that we should say this letter dealing with privacy and confidentiality does not address issues of security; we consider that to be a separate blah-blah-blah?

Or — and/or — do you disagree on the merits with the recommendation?

I’m not sure exactly what — excuse me; let me just tell Amy and Sue where we are. We’re on Page 8.

MR. HOUSTON: We started on Page 8 —

MR. ROTHSTEIN: We’re sort of picking up where we left off. And it’s in the middle of the page where it says “start with this on October 21st.”

MS. BERNSTEIN: Did someone join us, like maybe Paul?

DR. TANG (by telephone): Yes, like maybe Paul.

MS. BERNSTEIN: Hi, good morning. Did I wake you up?

DR. COHN: Wake up!

[Laughter.]

MR. HOUSTON: Did you hear where we are, Paul?

DR. TANG: Yes, I did. Thank you.

MR. HOUSTON: Okay, thank you.

MS. BERNSTEIN: You’re not driving, are you? [Laughter.]

DR. TANG: No. Not yet.

DR. COHN: Nobody’s painting yellow lines?

DR. TANG: I’m going to the airport later on.

DR. COHN: Nobody’s painting yellow lines?

DR. TANG: The bar code —

MR. HOUSTON: Okay.

DR. TANG: — or do prefer a checking device?

I look at the term now that we’re talking about. I’m not sure whether we’re talking about audit trail issues or —

MR. ROTHSTEIN: No, we’re talking about the last sentence, the work that begins “All breaches.” Okay?

DR. TANG: Which?

MR. ROTHSTEIN: We’re talking about the last sentence of that paragraph that says “All breaches of NHIN security,” et cetera.

DR. COHN: How does the HIPAA security rule handle this sort of thing?

MR. HOUSTON: Well, I’m not even quite there yet, Simon. I guess there’s more of a philosophical question that Mark has on the table, and I think we can go into that in a second, what your question is, a bit.

Mark sort of posited a question sort of before that, if you don’t mind if I could answer.

DR. TANG: Great.

MR. HOUSTON: I think, again, the two different issues here are that I think that we need to treat security separately. And to the extent that we have a security recommendation here, I think that if we want to put it with the other security materials that I’ve put together —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — as something that needs to be dealt with, I have no objection to that. And I don’t have an objection to the structure of this recommendation vis-à-vis security. Okay, I think there needs to be reporting when there are security breaches.

So I don’t have a problem with what is stated here. And I guess my concern, or my dilemma, here is that if we’re dealing with privacy, let’s take out the concept of security here and overlay it, the issue of breaches of privacy, which would be ostensibly ones where individuals who have rights to access the information have inappropriately accessed the information.

When you change that context, which is what I sort of when I read this, this sort of thought was where it was going.

MR. ROTHSTEIN: Right.

MR. HOUSTON: Then I do believe that there’s a better way to deal with that type of privacy breach than the way the recommendation is structured, and I think in that particular case, I think that providing consumers with access to the logs of who has NHIN records I think is a more powerful, more successful, way of dealing with this than having to try to have covered entities decide whether something has been an appropriate or inappropriate access.

I mean, I think the covered entity should still try; I still think they have an obligation to internally police, as per HIPAA. But I think that there are some other strategies that I think will give consumers higher confidence.

MR. ROTHSTEIN: Okay, I would like to defer for just a second what I consider the merits of the proposal to sort of the foundational question, and that is whether discussing what we’ve very recently called security and privacy and so forth on the breach issue, whether that’s beyond the scope of this letter, or ought to be beyond the scope of this letter.

MS. BERNSTEIN: I’m sorry — I was distracted for just a moment. Can I ask you, are you saying it’s your proposal that we should notify consumers about breaches on which side, the privacy ones or the security ones, or both?

MR. HOUSTON: Well, I think on the security side, definitely. I think that’s — you know, and if you read this, you know, wide-scale breaches, that’s a security issue.

Now, if somebody has specifically had their record looked at by a health care worker who otherwise had access to it, the likelihood of that type of a wide-scale breach occurring is, I think, very small in comparison to the classic security breach, which is somebody goes in and hacks it and steals a bunch of records.

MS. BERNSTEIN: Unless the person with the so-

called “authorized access” is selling it on the street, you know.

MR. HOUSTON: You raise a good point. But I still think we do need to deal with them separately.

MR. ROTHSTEIN: Well, okay. We could deal with the issue — I mean, I don’t want to weigh in on whether I think your distinction is —

MR. HOUSTON: Has any merit whatsoever?

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: Yes. [Laughter.]

MR. ROTHSTEIN: I think what we need to talk about is whether security — I mean, this clearly involves some degree of security, right? — whether that’s beyond the scope of the letter and whether we should include it.

Now, our charge was to draft a letter on privacy and confidentiality. As we all know, Dr. Brailer tends to view privacy and security very closely aligned, but we are not going into sort of the hard core security issues. So we may get there eventually; it may be some other working group or Subcommittee or something.

So our options, I suppose — we really only have two options.

One option is that anything that sort of smells like security we flag and say we’re not going to talk about security.

The other option is that to the extent that security is so closely related to privacy, we comment on it.

And third, and note also that security is much more complicated and involves many more other things and will be discussed later.

MR. HOUSTON: Now, you know, for the people on the phone, they don’t know this. I mean, I had drafted a sample section to this document specifically to address at a high level security and use it as a place holder. And we do have copies, I know, in this room now.

MR. ROTHSTEIN: Right.

MR. HOUSTON: The other way to handle this is to simply use that section and append these types of security discussions to that section so that it can be potentially addressed in a separate letter maybe by the Security and Standards Subcommittee.

I mean, that’s the other strategy.

MR. ROTHSTEIN: Harry?

MR. REYNOLDS: Yes, I’ve got a couple comments.

Since HIPAA — since we do have some kind of basis out there for protecting information, and that’s HIPAA, and since the regulations there are distinctly separate, there is a privacy reg and there is a security reg. So I think anything we do here we need to clearly define, just like with HIPAA, that these things interact.

MR. HOUSTON: This is what that’s really —

MR. REYNOLDS: Yes, I know it is, but these things interact. But I worry if we blend them in this letter too much, then recommendations about them together where there are regs and other things out there right now that keep them separate is going — kind of creates a whole new discussion.

Now, we all know that they blend together. We all know that you could talk to this subject and people could be listening in a room and they could replace privacy with security with everything else that they’re listening to.

MS. BERNSTEIN: Incorrectly.

MR. REYNOLDS: Yes, correctly or incorrectly.

I do have — well, I’ll let you finish this discussion, because I do have some other concerns on this paragraph that I —

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: — don’t want to get into quite yet.

MR. ROTHSTEIN: You mean the first sentence?

MR. REYNOLDS: Yes, yes.

MR. ROTHSTEIN: Okay. So, John, you wanted to talk about — you had something else to say about —

MR. HOUSTON: Well, I just think I — let me propose that as a bullet point into the proposed security language — I agree with Harry — I mean, that we take this language out of this that we were just discussing and redraft it to go into that section specifically as it relates to security breaches, and that if we want to have a companion discussion about privacy, then I think we should rewrite this particular sentence to discuss the — we’ll call them “privacy breaches,” though I don’t if that’s the right phraseology or not.

MR. ROTHSTEIN: Well, one possibility is to replace the “All breaches” sentence with something that says the following: “An important, fair information practice deals with how the system responds to unauthorized access to information. That issue is very important to establishing the trust in the system, but the specifics will be addressed in a separate letter to the Secretary dealing with the broader security issues.”

MR. REYNOLDS: A separate section or —

MR. ROTHSTEIN: Well, or whatever.

MR. REYNOLDS: I could agree with that.

MR. ROTHSTEIN: John? Simon? Paul?

DR. COHN: What did you say? You’re putting a separate letter or you’re —

MR. ROTHSTEIN: Well, I think we’re not going to be able to go into detail even if we include John’s proposed language or some other language dealing with security as such. This is not going to be a detailed security letter.

We are going to be asked clearly by AHIC or ONCHIT or both to do something in the security area. I mean, that’s what David said at our San Francisco meeting. And it probably — it will be the responsibility of Standards and Security, maybe jointly with Privacy, depending on what the issues are, to come up with a security letter on NHIN at some point in the future.

So, that’s — I was sort of basically deferring to a more systematic analysis of security that we would presumably be doing in the future.

Simon, is that in accord with your understanding?

DR. COHN: No, I mean — you know, I think that to systematically wipe out every security nuance in the letter — I guess what I would say is let’s put some of those things in what I would almost describe as a garage for the moment and then see if they’re, you know, a piece of this letter or how, you know, exactly how we handle the — I mean, I can certainly agree with everyone that this doesn’t get into the nuances on security.

On the other hand, this is not really a comprehensive privacy document, either; it’s sort of topics — I mean, I’ve seen it as sort of topics in privacy and security or privacy, confidentiality and security.

And the question is, I think, whether or not you’re going to make any reference to it, aren’t you? Was that the issue?

MR. ROTHSTEIN: Well, to make any specific recommendations dealing with this because you can see under the recommendations section Number 13, we have “All breaches of NHIN security should be reported immediately” so that unless we say something in here about the importance of notification, we can’t support that recommendation. Sue?

MS. McANDREW: In terms of how the HIPAA world has divided up these topics, I mean, and to the extent notification is your core issue, I would really think it belongs in a privacy realm more than a security realm because it is a matter of — for us, privacy sets the rules about how the information can be used and disclosed and when it’s right and when it’s wrong. Security, the security rule, simply operationalizes those controls in an electronic setting and —

MR. REYNOLDS: Privacy.

MS. McANDREW: And in addition, I mean, there are more technical computer controls that come within the realm of security, but where there is a breach — there can be a technical breach of security that doesn’t breach privacy.

But most serious breaches of security result in a misdisclosure of information, an impermissible disclosure of information or an impermissible use of information, and that’s a privacy matter. And whether the individual knows about it, and how they get to know about it, are in the HIPAA world basically privacy rules, not security rules.

The security reports are only internal management reporting obligations. They do not at all speak to requirements of notifying individuals.

MR. HOUSTON: Well, the HIPAA privacy rule, there’s no notification requirement for patients today.

MS. McANDREW: That’s right. We —

MR. HOUSTON: So in either case we’re talking about a new requirement to notify patients.

MS. McANDREW: No, but what I’m saying is that, from our perspective, other than notifying the individual of when a system doesn’t have, say, access controls to computers, or code names, or they don’t change them frequently enough, even though the information then — even though there’s no known misuse or misaccess that results from that security rule, that’s a security breach and that would be reportable to management under the security rule, that would not result in, the disclosure would not necessarily trigger a notification to the individual or an accounting, which is how we currently are treating individual — similar to what you were talking about in terms of giving the individual access to the audit trail.

MR. ROTHSTEIN: See, traditionally, if you look at fair information practices literature —

MS. McANDREW: Right.

MR. ROTHSTEIN: — and the statutes, say, in Western Europe that deal with fair information practices, disclosure is clearly one of the key elements.

But I think more important than that, this is a political document and it’s a statement to the public, or to the Secretary — through the Secretary to the public — that we take very seriously the notion of protecting the security/privacy of your information and we will let you know if anything happens that compromises that.

And that ties in with the trust section, which is Section F.

I’m just sort of explaining why I put that in there.

MS. McANDREW: I mean, notification is clearly an issue on the table. There’s lots of state laws that are popping up about notification of various identity factors from various sources, you know. That’s fine.

MS. BERNSTEIN: Just jumping off on what Sue was saying and also kind of responding to where John was, is, about this, I don’t really see — I mean, an unauthorized access to me is an unauthorized access, if you came from inside or you came from outside.

You know, many people would say that it’s the internal, you know, accesses that are the ones that people care more about because they’re more likely to be — you know, even if it’s just a sole, you know, health care worker in a hospital, it’s somebody they know, likely, it’s their neighbor, it’s their — you know?

And that breach can be just as — can end up being just as widespread if the person ends up selling the stuff on the street than somebody who hacks in just for the, you know, bravado of saying that they did it.

And I do think that the way I think about privacy is, and the difference between security, is that security, I don’t think of it as just the technical part of what’s happening in a system. I think of it as management controls, technical controls, and — what have I seen as the third part of this? — but it’s how the management of an organization wrests control over their information, and not just a technical matter.

It includes physical access, you know; it includes, you know, the control of your personnel and knowing who they are. It includes managing that. And it also includes all the technical things that we know about.

And so —

MR. ROTHSTEIN: John, would you be comfortable with this? Take a look at this language. Would it make you feel better if it were changed to something like “All incidents of unauthorized access to PHI, or personal health information, should be reported immediately?”

So we take the word “security” out. Does that help at all?

MR. HOUSTON: I’ll tell you — I’m trying to think why I have such strong feelings about this.

And obviously working in a health care environment, you know, in a provider side environment today, one of the concerns that I have is that the logging and reviewing of information in our type of environment is — no matter how we’d like to think it could be perfect, it’s not. And it is very difficult at times to recognize when an inappropriate access occurs, and you say, oh, my God, how can that be?

Well, the reality is that you’re talking about hundreds of thousands of accesses on a weekly basis of information. You’re talking about controls in every current available, commercially available, clinical system being either pretty loose in terms of what they will log or having mechanisms in place to effectively manage the log of information so that they can be appropriately reviewed, as well as the fact that to try to do role-based security, which is what’s being also proposed here —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — is very problematic on the provider side in the health care setting.

When you take the totality of that — I think this is maybe part of my push-back — is that I’m concerned that this type of a recommendation, such a high standard for a provider to try to achieve when you’re dealing with, you know, the privacy component of things, the internal people doing the wrong thing, that I think that every provider in the United States will be in violation of this from the very first day that a recommendation like this is implemented.

That’s my other push-back. I just think we police diligently, we try to do the best that we can, but the recognition is that in the environment in which we work, this is an extremely thorny and difficult

MR. ROTHSTEIN: Okay.

MR. HOUSTON: — set of requirements to try to achieve I guess is maybe the basis for what I’m saying.

MR. ROTHSTEIN: All right. Well, let me see if we can work with it, okay?

DR. TANG: May I add a couple sentences?

MR. ROTHSTEIN: Yes, please, Paul.

DR. TANG: It sounded like there’s two — first of all, I think I would suggest we throw the privacy and confidentiality back to these sentences and probably stay a little bit more away from security, recognizing that they’re linked, that there’s a fair statement to make just about confidentiality in fact.

And the two concepts that I hear in these sentences, and I may be wrong, but the first one talks about trying to extend — I don’t think we should have to rehash HIPAA, but what I see in the first sentence is that we’re asking that the kinds of protections that apply to individuals’ information within an organization should apply across the NHIN. I think that’s the main point there.

As a little bit of an aside, I think the right to correct errors in the record is a bit different than the other two examples.

MR. ROTHSTEIN: If I may interrupt for a second, Harry has some reservations about the first sentence that we’re going to take up —

MR. REYNOLDS: Yes, but I guess — yes, I just wanted — before we fix any of the words, I think the whole paragraph, I got some comments like John and a little disagree with what Paul said, so I just wanted to —

MR. ROTHSTEIN: Oh, okay.

MR. REYNOLDS: I don’t want to interrupt him, but I want to make sure that we discuss it.

MR. ROTHSTEIN: Okay.

DR. TANG: So just got shot down in half of my point —

[Laughter.]

MR. HOUSTON: Hey, Paul, start over so I can hear what you said again because I sort of agree with you until an area where I don’t agree. I was like, okay — where —

DR. TANG: Okay. Now, the second one, the second sentence to me is saying we’re adding a new requirement, and that is that we should — it’s sort of like the California law — we should report the significant risk of confidentiality breaches to the people who are affected, and that’s a new thing.

And again, part of my initial preface is I think, instead of breaches of security, it’s really talking — we can still focus on the confidentiality piece even though the breach tends to be one that’s a violation of security.

MS. BERNSTEIN: Paul said something different than what’s said in this paragraph, which is he said “all significant risks.”

MR. ROTHSTEIN: Well —

MS. BERNSTEIN: We didn’t say “all.”

DR. TANG: Well, and that’s a little bit of applying what John was concerned about.

So I have to — you know, there are things that happen in everyday life, but let’s say if we do find out that something was on the Internet like Kaiser had, well, there’s a whole lot more that we don’t know about and there’s a reasonable reason to believe that your data could have been compromised versus, let’s say, one employee shared his or her password, which does happen a lot and we have to take action on each incident. But that’s not a widespread breach.

MS. McANDREW: Right, but that’s what I was going to ask you guys, is whether there’s some threshold, however you define whatever that threshold is, over which we should make it or not — whether that’s worth instituting or not.

MR. ROTHSTEIN: We could make this — instead of “significant,” we could — instead of “all,” it could be “significant,” “substantial” and so forth. Then we’d have to define what we mean by that, and this is not a regulatory document.

So I would be willing to just take out the word “all” and say “breaches of something-or-other” or “unauthorized access,” and just so that we can make the point to the Secretary that this is important, that there must be reporting to individuals.

And when it comes time for rule-making, then they can take into consideration John’s concerns about, well, there are all these minor breaches and it would be burdensome to send a notice out every time somebody accidentally hit the wrong key and a spring came out.

MR. HOUSTON: Now, going back to — if you look at the privacy rule —

MR. REYNOLDS: Before we change that word, I guess — just the whole paragraph, and I want to play off with something John said earlier because it all plays together, because if you change one word down at the bottom, it still affects what’s in the front part.

Having spent this year on Sarbanes-Oxley and SAF 70 and everything and seeing 20 audits at least go through, I totally agree with John that everybody that has any significant-size systems or electronics are constantly being audited and constantly reworking those, and individual incidents can be an employee leaves and maybe you don’t turn them off right when you’re supposed to, and other things, so —

MR. HOUSTON: It’s a challenge.

MR. REYNOLDS: Yes. So I think, you know, mandating audit trails, under HIPAA it’s called “accounting for disclosures.” And then there’s logging and monitoring. But I’m saying there is accounting for disclosures and then there’s logging and monitoring that’s under the security rule.

So the point is there are platforms, because the important thing, mandating audit trails, if you think of mandating audit trails versus logging and monitoring, as you have decided logging and monitoring should be, are two distinctly different — distinctly different — positions, because, just like you said, when you say “significant,” when you say “mandating audit trails,” boy, that is a whole new world that you’re getting into because which audit trails, and what does that mean and is that every access and what does that mean?

Now, mandating that anyone that deals in this world continually is audited, continually has logging and monitoring rules, continually deals with the accounting for disclosures, I think puts it in a realm where that’s a fact.

And the one thing I feel a little differently on the end — it’s not so much placed at risk, because any security — I’m going through a bunch of audits right now — any security situation, you could say that everybody who’s involved is at risk. That’s not true.

But it’s also whether or not that person’s record was breached — is also maybe a further degree, because when you’re being audited or anything else right now, it’s not the fact that you did or didn’t get somebody off the system; could they have accessed the system during that time? Did they access the system during that time? And if the fact is the answer is no, then nobody’s records were at risk.

MR. ROTHSTEIN: But it seems to me — I’m sorry.

MR. HOUSTON: I think if we achieve that type of an environment still provides the same level of accountability, but I think it allows us to look at the way that the inappropriate access occurred, or the breach of security occurred, and put the audit capability in the hands of the people who probably are the best able to decide if it was right or wrong.

And I apologize if it was a little —

MR. ROTHSTEIN: No, I just think that we’re going around circles here.

I think that we have agreement on the concept; we don’t have agreement on the language.

And I think that there is language — I don’t know what it is — right now, but I think that there’s language that can satisfy all of us and I think perhaps there are some of kind of — there are a few buzz words in here that we need to be careful about.

But I think we agree with the need to include something like this as a paragraph. The importance of fair information practices is a very important self-disclosure. And if we could just say that, we’d be okay, but we need to say a little more than that.

So, Maya, not to put you on the spot, do you have any —

MR. HOUSTON: Simon, were there any comments because I think —

MR. ROTHSTEIN: Oh, sure.

MR. HOUSTON: — he may not have an opportunity to comment because of this telephone.

MR. ROTHSTEIN: Paul, Simon, what do you think?

DR. COHN: Well, you know, I think we’re moving in the right direction.

I guess I was — I mean, I have sort of a global comment here and then I have a question about — I mean, I think, yes, there are some other areas in this area, in this section, that I’m a little concerned about.

The number one is — yes, I think we’re doing very well to principled discussion. I keep finding myself realizing, you know, the NHIN is a vision where obviously, first, anybody is going is doing prototypes at this point, at least per ONCHIT. And then we have all of these RHIOs out there.

And I’m wondering if there’s anything here in this section — this may be really just more of a global

question, that we need to sort of acknowledge that some of this stuff — I mean, is there any piece of this that’s either a research or a need to have slightly different models out there with some sort of assessment? Or is there such high-level principles that we just need this to apply to everybody uniformly?

MR. ROTHSTEIN: Well, I think we have said that the recommendation should apply uniformly.

DR. COHN: Well, I’m just sort of just recognizing that we’re sort of like way early in the region in all of this. I mean, in policy level, it’s probably fine. I just was — as we were searching here, talking about mandatory audit trails versus whatever versus whatever, those may be things that may be subject of evaluations to see what’s really usable and helpful.

MR. HOUSTON: Good point.

MR. ROTHSTEIN: Well, and we can do that. We can just say we endorse the principle of fair information practices, and among those fair information practices to be considered by the Secretary are the following.

MR. HOUSTON: But is that a fair information practice? A fair information practice says to me that you provide the disclosure of how information is going to be used.

To me, this comes down to — again, accountability people, what’s the proper mechanism in place to insure that individuals who don’t have a need to access the information, whether it’s because of a security breach or an inappropriate access because of through privacy, the privacy side, to insure that those people are not looking at the record? And how to best police that?

MS. BERNSTEIN: Well, there’s two —

DR. COHN: And I guess the question is: Is that a determination right now or is that something that needs to be investigated or piloted or demonstrations or blah?

MS. BERNSTEIN: Well, we have a big pilot in the state of California, you know? I mean, I think —

MR. HOUSTON: Whether you like it or not.

MS. BERNSTEIN: Yes, I mean whether you like it or not.

I think, you know, the early fair information principles that were reported to this Department by another advisory committee — that’s the one that preceded the Privacy Act — included the concept that individuals should be able to get access if they request it to a list of where their record went, to whom their record was disclosed, some accounting.

And in those proposed fair information practices, the accounting is by request of the individual. And what we’re talking about is an accounting, but an accounting that’s not by request. That’s affirmative, if you will, that happens on the initiative of the custodian of the record at a time when the individual doesn’t perhaps know that there’s been some kind of breach.

And that’s what’s happening in California and that’s what’s happening in several other states. That seems to be the way things are moving.

So there may be a change in our world to what we think of as a fair information practice if that turns in to be the standard practice of, you know, large information holders. And I think, you know, the group — you know, we as consumers recognize that that may be the way that the world is going.

So, I mean, you know, whether there needs to be research about it, I don’t know. I think it’s basically turning from a responsive to a — a reactive to a proactive way of informing consumers about what’s happening with their information. But I don’t think it’s a whole new world. That accounting is required now.

MR. ROTHSTEIN: Harry was waiting next.

MR. REYNOLDS: I guess, you know, Simon’s comments and — some wording along the way that obviously the NHIN further opens the availability of PHI versus what we’ve all kind of talked about before, because, I mean, it’s going to give you a little more of an electronic highway of passing it around.

The fair information practices, the HIPAA privacy and security, are the building blocks that need to be reviewed, coordinated, in relation to NHIN, and back to this idea of research, because each of those is now going to be taxed in a different way than it was before.

I mean, we make a recommendation in this that PHI should be dealt with, so whoever owns PHI — well, that’s bringing a whole new set of people that right now are not interested in the Fair Information Practice Act, really don’t even look at HIPAA privacy, and don’t look at HIPAA security.

So I think that’s what we’re — so if I looked at the recommendation rather than even the wording —

MR. ROTHSTEIN: Right.

MR. REYNOLDS: — that’s kind of where it’s headed, because how those mold together, and, Maya, to use your point, and I’ll play off something John said earlier, there’s a difference between in John’s laboratories if somebody accessed the record they shouldn’t have versus that every time you have a lab test, I can tell you every person that ran the lab test, and I have to keep that list and then nobody ever asks and it costs me 50 bazillion dollars to keep it.

So that’s where I think you’re feeling a little push-back from some of us, is semantically it sounds fine; realistically, it is an expense.

And I can give you an example. We have not had one person in North Carolina ask for an accounting of disclosures, but we’re keeping a fortune worth of money, I mean, to do it, so I think — and I’m not defending a business; that’s why I used John’s as an example, not even my company because it’s not parochial to an environment.

So I think the practicality — Mark, I totally agree with you. Anybody that has PHI, and if it gets breached, they better tell the people. I’m right there with you. But I think we got so many pieces out there now with the Fair Information and HIPAA privacy and security.

People that are actually trying to say, okay, I’ll do it — and then you got Sarbanes-Oxley, and then you got everything else –people that are having to do it would like, I think, to see it build off of the current building blocks. And I think that’s a key message.

And how those work together under NHIN, I am not smart enough yet to figure that out, and that’s maybe what this next step could be.

MR. ROTHSTEIN: John, do you have a comment?

MR. HOUSTON: Yes, I remember — not ever having been an auditor but having auditors report to me now and ex-auditors report to me in working with a lot of departments closely on these types of things on SoCs, and one of the kisses of death is if you put in place a policy which you operationally can’t support.

And I think that we have to be careful about recognizing what is supportable, what we’d love to see in a perfect world, and what is reasonable.

And again, I think maybe some of my comments have been couched in just being in the middle of it all and what is reasonable and how far I think we can push, reasonably push, the industry in terms of where it can go with regards to technology and where it stands today.

And, you know, to what Harry said, we’re in the same boat regarding accounting and disclosures. I think we’ve had one person ask, and, you know, periodically we go in and look back ourselves because we suspect something. But it really is a question of where is the benefit?

Now, the public trust is extremely important. I recognize that. But it also compels me to sort of say, okay, what’s practical? Yes, we absolutely should be gathering this information. And how is it digested, though, and by whom, and to what degree is then sort of the next level to the argument or the issue.

And again, this is why I keep going back to the concept of the consumer being — if you say to the consumer, hey, guys, we’ll give you — yes, you by default with the NHIN because NHIN, there has to be some adjudicating processes in the middle of it just to get the data where it needs to go. And it’s also the perfect way to log who asked for it and therefore who accessed it.

So the NHIN has the capacity. Because you think about the NHIN, even if it doesn’t hold any data, it sort of acts as the big med Google of the world.

But when you have the med Google of the world, it can also tell you what information got passed, because when the University of Pittsburgh Medical Center asked for information and Johns Hopkins supplied it on this particular patient, at least that adjudication component is the med Google can also store.

Okay, Johns Hopkins actually provided information to UPMC and it was requested by this individual at Johns Hopkins. And that type of log information I think practically can be stored.

And then you can also give every consumer who agrees that they want to be part of the NHIN an account which they could then go back through and they can query to see who looked at that information.

MS. BERNSTEIN: It can be more constructive is what you’re saying.

MR. HOUSTON: Exactly.

MS. BERNSTEIN: That’s actually the rule under the Privacy Act in the Federal government. It does not require that an agency keep an ongoing account of marking in every record of every time the record was disclosed. What it requires is that the agency be able to create that record when it is requested.

So, for example, in a computer matching program where thousands of records are matched with thousands of records of another database, you don’t have to go through and mark each record to show that there was a disclosure on a day for a matching program. What you have to have is a record that there’s a matching program in which —

MR. HOUSTON: Right.

MS. BERNSTEIN: — every record of this following sort, you know, that fits in this category, was disclosed on such-and-such a day, and you can look at that and go, okay —

MR. HOUSTON: What happened.

MS. BERNSTEIN: — you know, here’s John, who asked for his record, and does it meet the criteria that’s in my list here? If it does, that means it was disclosed on that day. But before that, I don’t have to mark in the record and I don’t have to keep all this detail.

MR. HOUSTON: But I think you could actually go further than that because you could, I think, in an NHIN scheme, develop a very efficient way to say, yes, Johns

Hopkins actually provided a record so that they could at least note what the record was, from where, by whom, you know, so that there’s — yes, you could go back through and then see what was in that record and what was actually disclosed, but it’s sort of a little bit —

MS. BERNSTEIN: Right. If it’s a record. But if there’s a thousand records that got disclosed on that day, going through and marking each one like that is very burdensome.

And if what you have is a record that says a group of records that falls in category, you know, “all people with such-and-such a diagnosis” was disclosed on October 17.

MR. HOUSTON: Twice a year, say, right. I agree with that.

MS. BERNSTEIN: Then when somebody who happens to be in that category asks for their records, you can go, oh, this is a person who’s in the category of all people with whatever and they must have been disclosed on that day and I’m going to assume they’re disclosed on that day and then I’m going to recreate that accounting.

MR. HOUSTON: And the way that HIPAA says it today —

MS. BERNSTEIN: It’s less burdensome.

MR. HOUSTON: — is, you know, (?) research.

MR. ROTHSTEIN: Okay, can I make a suggestion here?

All right, here is a suggestion. I have drafted some language that I’d like to see if we’ve got some approval in concept, at least. I had to set low standards so there’s some chance of making it.

Okay, so here’s what I’m suggesting. Here’s what the paragraph would read like:

“Reasonable fair information practices should be incorporated into the NHIN. Among those practices to be considered for adoption are audit trails, the right to correct errors, and establishing procedures to investigate and resolve complaints filed by individuals.”

Okay, I’ll give it to you in more detail if you want.

“NHIN regulation also needs to consider measures for the proper reporting to individuals whose records have been placed at risk through unauthorized access.”

MR. REYNOLDS: Why did you only mention fair information practices and not the HIPAA privacy and security as being looked at also?

MR. ROTHSTEIN: Well, we can put that — because —

MR. REYNOLDS: Do you consider a subset of fair information practices?

MR. ROTHSTEIN: Well, I mean it —

MS. BERNSTEIN: They are the attempts to get this —

MR. ROTHSTEIN: Those are the embodiment of —

MR. HOUSTON: Already, yes.

MR. REYNOLDS: I guess I would feel comfortable in putting —

MR. ROTHSTEIN: We could put parenthetically —

MR. REYNOLDS: You put “including” — yes, I think —

MR. ROTHSTEIN: — “reasonable fair information practices.”
MR. REYNOLDS: — I mean, the only reason I say that is since there is a base out there in the world that everybody’s built, if we’re going to continue to use it —

MS. BERNSTEIN: If we’re going to continue to use it is a big question. I mean, I think the rule is two years old, you know? It’s a regulated something that — no, I’m not saying that we’re going to scrap HIPAA, but I’m saying that it’s a new rule, and when governments put out new rules, they look at them and see whether they got it right the first time. It’s unlikely that they did get it right, did perfectly, the first time, and things may be amended in the future, and you should feel free to recommend such —

MR. REYNOLDS: Okay. But my point is I’d like them mentioned so that if that becomes a fact, then it is a clearly and precisely executed thing.

MR. ROTHSTEIN: Paul and Simon, did you want to comment on my sort of straw paragraph?

DR. TANG: Yes, I like your straw paragraph. I also like the way — I have to admit I like the way Harry talked about the build on HIPAA piece. It’s a build on HIPAA to take the — and a lot of times the discussion sounds like it really is a bit of rehashing of HIPAA. And HIPAA struck a reasonable compromise.

I still have my objection to the “correct medical errors” as seemingly — it’s not the same as the other two examples. But I like your —

MR. ROTHSTEIN: Okay. Here’s a change to get the HIPAA wording in there: “Reasonable fair information practices building on the HIPAA privacy and security rules.” I mean, is that —

DR. TANG: That sounds nice, that’s good.

MR. REYNOLDS: Or considering it. Back to the other point. Considering those. You may or may not build on them because, for example, the PHI, we recommend later doesn’t build on it; it goes outside.

So considering those is what I mean. I’m interested in making sure that they’re considered.

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: I’m not even force them to —

MR. ROTHSTEIN: All right, then I can put: “Reasonable fair information practices (giving consideration to the HIPAA privacy and security rules).” Okay?

MR. HOUSTON: Could you read the last sentence over again?

MR. ROTHSTEIN: Maybe. Okay.

MS. BERNSTEIN: So now the first sentence is?

MR. ROTHSTEIN: The first sentence should be: “Reasonable fair information practices (considering the HIPAA privacy and security rules)” —

DR. COHN: Why aren’t we building off the HIPAA privacy and security? I’m confused.

MR. ROTHSTEIN: Harry didn’t want to build on them.

MR. REYNOLDS: Well, the other reason I — I originally said — what, you think it should be “build on?”

DR. TANG: I think you originally said “build,” and I think that was great.

MR. HOUSTON: I like “build” personally, but that’s just one — we all have our opinion.

MR. ROTHSTEIN: All right. Well, we agree at least on concept, and we can work with that later. So I’ll put the “building” back:

“Reasonable fair information practices building on the HIPAA privacy and security rules should be incorporated into the NHIN. Among the practices to be considered for adoption are audit trails, the right to correct errors, and establishing a procedure to investigate and resolve complaints filed by individuals.”

And the last sentence is: “NHIN regulation also needs to consider measures for the prompt reporting to individuals whose records have been placed at risk through unauthorized access.”

MR. HOUSTON: I remain concerned over the last sentence. I’m just trying to be — I hate to sound like a broken record, but —

MR. ROTHSTEIN: I mean, it’s pretty vague, and it’s, as we say, precatory language.

MR. HOUSTON: My concern today, under the current privacy rule —

MR. ROTHSTEIN: Right —

MR. HOUSTON: — if somebody is inappropriately accessed, how anybody will use the privacy rules as sort of the status quo — you figure that the privacy rule is sort of — it’s the standard we currently apply, because today, internally, if I recognize somebody has inappropriate access to a medical record, I have an obligation to account for that disclosure and I have an obligation to sanction that member of my work force some way — fire them, suspend them, do whatever, okay?

But I don’t have that obligation today to go to that user and say, oh, by the way, we believe somebody inappropriately looked at your record.

MR. ROTHSTEIN: John, let me read that sentence again.

MR. HOUSTON: Okay.

MR. ROTHSTEIN: “An NHIN regulation also needs to consider measures for the prompt reporting to individuals.”

MR. HOUSTON: Well, it’s “consider,” but what we as a Committee — all I’m saying is we as a Committee, though, need to decide whether that is something we want them to consider. And I am not of the opinion that this is for the —

MR. ROTHSTEIN: Do you think — I mean, thinking in terms of the American public and what they are worried about, right, on “they’re putting my records on the Internet, and everybody who Googles me is going to find out my medical records!” And we’re saying, “Don’t worry about it. If there’s anything wrong, we’re going to let you know.”

MR. HOUSTON: I have offered an alternative which I think is more effective, and my alternative is that this information is logged and is available to individuals so that they can decide whether they believe there has been an inappropriate access. That’s the key difference here, is who has the responsibility to review and make the affirmative disclosure.

Now, I’m just saying, though, let’s put the two side by side. One, the way you have it written, says that they should consider developing a scheme where we have to monitor — which we do — but if we monitor and find that somebody has done something inappropriate, we have to tell the patient, okay?

And all I’m saying is I think the better vehicle from a public trust perspective is to say that, yes, we still have to monitor; yes, we have to sanction our work force and do an accounting of disclosure, but we give the user the log information that’ll allow them to review the logs also.

MR. ROTHSTEIN: Well, let’s think what’s going to happen. Let’s suppose you’re right. Let’s suppose the Department —

MR. HOUSTON: It’s not that I’m right or wrong; I just want to tell you my feelings.

MR. ROTHSTEIN: Well — no — I mean, let’s suppose the NHIN adopts your view of what should happen, okay? Is there any doubt that 50 states are going to enact laws that mandate that any breaches be disclosed to individuals, right?

So that may be preferable in somebody’s mind or not, but the fact of the matter is that the privacy restrictions are going to be imposed on the NHIN by state legislatures which are going to all be different and which are going to make things much more complicated for large entities —

MR. HOUSTON: Well, but you’re also — now you’re bringing in another factor, which is: Should part of our recommendation here, there will also be that there needs to be uniformity of law and that there needs to be standards?

MR. ROTHSTEIN: We’ve already dealt with that.

MR. HOUSTON: But again, you are sort of arguing the opposite now, which is —

MR. ROTHSTEIN: No.

MR. HOUSTON: — that then we’re going to go out and throw these laws up that require this?

MR. ROTHSTEIN: Oh, they are. All I’m saying is your view of the world is not going to happen because if it’s not done by the NHIN, it’s going to be done by state laws.

MS. BERNSTEIN: We have how many already? So now we have —

MR. HOUSTON: I just think this sets a standard that is going to be precarious.

MR. ROTHSTEIN: All that I’m —

MR. HOUSTON: We have an obligation to make sure that we don’t set precarious standards.

MR. ROTHSTEIN: I’m not trying to ask the Secretary to impose unreasonable, burdensome restrictions. All that I’m saying is I think we would be terribly remiss if we didn’t even raise the issue for the Secretary that the NHIN, you know, in designing it, needs to consider the issue of recording breaches to individuals.

MR. HOUSTON: Well, I think that the Secretary should consider developing a rational system so that there is some mechanism for individuals to be able to see who has accessed their record, whether it be appropriate or inappropriate.

MR. ROTHSTEIN: Harry?

MR. REYNOLDS: Yes. I think I’m right between the two of you.

MR. ROTHSTEIN: Well, then maybe you can fix that.

MR. REYNOLDS: No, I think so, because as I think as I look here —

MR. HOUSTON: I’m just getting up because I’ve got to stretch my legs.

MR. REYNOLDS: No, no, that’s fine. John’s getting up to hit me, so I —

[Laughter.]

MR. REYNOLDS: John, stay there right behind there. I guess where I am is whose records have been placed at risk —

MR. HOUSTON: That’s just not an issue.

MR. REYNOLDS: No, let me finish. It’s more whose records have been used inappropriately is where I’m going, because a lot of times risk is in the eye of the beholder —

MR. ROTHSTEIN: Access or used them?

MR. REYNOLDS: Well, yes, I guess because — and I’ll stay in John’s laboratory for a minute —

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: — okay? When you talk about role-based access, you could basically say that anybody working in that lab that knows anybody whose test comes through there, their records are at risk. You could say this.

I could go there —

MR. ROTHSTEIN: Right.

MR. REYNOLDS: — I could go there immediately. That’s — they went to the hospital; the person works in the lab.

So I’m saying, just because of their role, the record is at risk. That is a fact. I mean, I could argue that lots of places.

But the fact that that’s the person’s job to be there, if they use it inappropriately, in other words, they get it and then they do something, now I think absolutely, I’m right behind you, man. Somebody had better be on somebody if they find out about it.

So that’s the whole thing. It’s because at risk, as we look to the Internet, as we think of people doing their jobs, as we think of people, you know, and my two neighbors work in a laboratory and I go into the hospital, which I was for ten days, and they see my lab tests, that’s their job.

Now, if they use that wrong, I want ’em. That’s where I’m going, so —

MR. ROTHSTEIN: I’m happy to change that language —

MR. REYNOLDS: Okay. But I think that’s the difference, where the user is.

MR. ROTHSTEIN: So we’re in the last sentence, and it would now read:

“NHIN regulation also needs to consider measures for the prompt reporting to individuals whose records have been inappropriately accessed or used?”

MR. REYNOLDS: Yes. I like that.

MR. HOUSTON: Methods to — don’t say “report.” Could we say something “methods to notify?”

MR. ROTHSTEIN: I have no problem with that. “Notify” is fine.

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: “Needs to consider measures to notify individuals” —

MR. HOUSTON: Right.

MR. ROTHSTEIN: — “whose records have been” — and what was that?

MS. BERNSTEIN: Inappropriately accessed or used.

MR. REYNOLDS: Yes.

MR. HOUSTON: Could we — now let me change that slightly. Can we also say “where it has been determined” that records have been inappropriately accessed?

The reason why, I’m trying to set a standard that’s rational here, because if there’s an absolute requirement that we ferret out every possible inappropriate access and use, I’m afraid we set a standard.

But if we set a standard where we say if we work diligent and through our monitoring we find something, then we have to —

MR. ROTHSTEIN: Where does that language go?

MR. HOUSTON: In that sentence.

MS. BERNSTEIN: He wants to say:

“NHIN regulation also needs to consider measures to notify individuals where it has been determined that their records have been inappropriately accessed or used.”

MR. ROTHSTEIN: Actually, I don’t like that, because that implies that there’s been, you know, a law suit or administrative finding or something like that.

MS. BERNSTEIN: “It is known” —

MR. ROTHSTEIN: Yes —

MR. HOUSTON: See, right now, because of the privacy rule, we have an obligation. I mean, we, right today, you know, we’re supposed to put appropriate measures and controls in place and we have an obligation where, through those mechanisms, we come upon inappropriate access, we have to do an accounting of disclosure already.

It builds upon the privacy rule obligations, in my mind, and where, as a result, all we have to do for the privacy rule, it becomes known to us that a record has been inappropriately accessed, that in that particular case, then we have an obligation to notify.

MR. ROTHSTEIN: Paul, Simon, you want to weigh in on this?

DR. TANG: I think your original language is pretty good. Unfortunately, the way I would like to address it is put that word “significant” back in and that sort of deals with the “every” versus “risk,” “little risk” or “a lot of risk.”

MR. ROTHSTEIN: Where does the word “significant” go?

DR. TANG: Where you talked about risk. I’d just put “significant risk” in front of that, I guess.

MR. ROTHSTEIN: Well, the word “risk” is now gone. So the sentence —

MS. BERNSTEIN: He wants it back. He says —

MR. ROTHSTEIN: Oh, you want it back?

MS. BERNSTEIN: — he likes the original wording.

DR. TANG: I think it’s better than, as you mentioned, than to say “where it has been determined.” To me, that seems a lot more burdensome.

MR. ROTHSTEIN: Okay, let me just read you the sentence and then I’ll ask you where you want to stick that wording in. Do you have it, Maya?

MS. BERNSTEIN: “NHIN regulation also needs to consider” —

MR. ROTHSTEIN: “Measures –“

MS. BERNSTEIN: — “measures” —

MR. ROTHSTEIN: “To notify” —

MS. BERNSTEIN: — “to” — we changed that, but now I can change it; I should have written it.

MR. ROTHSTEIN: “Measures to notify individuals” —

MS. BERNSTEIN: “Where there is a significant risk of inappropriate access and abuse.”

“Significant risk of inappropriate access or use of their record,” something like that.

MR. ROTHSTEIN: See, I think that’s even broader than it was before. I think it’s worse for you guys.

MR. HOUSTON: I don’t like the risk — I don’t like this issue of risk. I think that’s —

MR. ROTHSTEIN: So, I think —

MR. REYNOLDS: No, I don’t like it. The word “risk” just scares the hell out of me.

MR. ROTHSTEIN: — it’s closer to where I want to be, and maybe where you want to be as well, if we say:

“NHIN regulation also needs to consider measures to notify individuals whose records have been inappropriately accessed or used.”

DR. TANG: I’m sorry — is that the good one?

MR. ROTHSTEIN: Okay. Simon?

MS. BERNSTEIN: Read it again.

MR. ROTHSTEIN: All right, I’ll read it again, see if I can read it the same way:

MR. REYNOLDS: Okay.

MR. ROTHSTEIN: “NHIN regulation also needs to consider measures to notify individuals” —

MS. BERNSTEIN: Mmh-hmm, “measures to notify individuals,” yes?

MR. ROTHSTEIN: — “whose records have been inappropriately accessed or used.”

MR. HOUSTON: Why can’t we say “where it’s been determined that the records” — I mean —

MS. BERNSTEIN: Because it requires a determination.

MR. ROTHSTEIN: Yes. Who’s making that determination?

MR. HOUSTON: But the opposite is it sets a standard where I’m just afraid that it’s going to become problematic, you know? There’s going to be this requirement for scrutiny that didn’t —

MR. ROTHSTEIN: Well, unless you determine that they’ve been inappropriately accessed or used, you’re not going to do it.

MS. BERNSTEIN: Right. Well — right. That’s very different in practice, actually.

MR. ROTHSTEIN: Simon?

DR. COHN: Yes?

MR. ROTHSTEIN: Do you want to weigh in?

DR. COHN: No, I’m waiting for a moment.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: It’s 7:30. You should be awake.

MS. BERNSTEIN: He’s waiting —

MR. HOUSTON: You’re having your first cup of coffee, right?

MR. ROTHSTEIN: He’s waiting for his toast to pop.

[Laughter.]

MS. BERNSTEIN: Be nice to them!

DR. TANG: With all due respect, we’re still finishing two sentences and it took an hour and a half, so is it going to scale properly?

MR. ROTHSTEIN: Yes. We’re —

MR. HOUSTON: I will concede the recommendation the way it’s been — the last wording by Mark — and agree to that.

MS. BERNSTEIN: This isn’t a be-all, end-all, you know?

MR. ROTHSTEIN: Oh, yes

MS. BERNSTEIN: We’ll get another crack at this. We’ll write — I’ll write it up.

MR. HOUSTON: Well, but we’ve agreed that — I think that when we need to agree, Mark.

MR. ROTHSTEIN: Yes.

MR. HOUSTON: Make this your comment.

MR. ROTHSTEIN: Yes. I’d like to make this sort of agreement among the Committee members —

MR. HOUSTON: Just the people.

MR. ROTHSTEIN: Yes. And that is that when the members of the Subcommittee — you’ll have ample opportunity at the Subcommittee level to massage every comma and semi-colon in the document, but once we approve it and it gets to the full Committee, we shut up. [Laughter.]

MR. HOUSTON: We’re a unified voice.

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: We’re unified —

MR. ROTHSTEIN: We’re not going to sharp-shoot our own document. There’s going to be enough discussion from the other members of the full Committee that I don’t think members of the Subcommittee should be rewriting our own document at the Committee level.

MR. HOUSTON: Agreed.

DR. COHN: Mark, at what point does that door close?

MR. ROTHSTEIN: Well, when we take a vote of the Subcommittee members to approve a document to send to the full Committee.

DR. COHN: But you said this chapter will not close until after the November meeting.

MR. ROTHSTEIN: Oh, no — we don’t even have hinges on the door.

[Laughter.]

MS. BERNSTEIN: That door needs to be framed yet. [Laughter.]

DR. TANG: Can I make an overall comment then on the document?

MR. ROTHSTEIN: Sure.

DR. TANG: As I was rereading it again, it sounded like it was pretty dense with respect to a public document and as it’s if it were written by a lawyer, but no offense. It’s just a lot of words that are pretty technical from —

MR. ROTHSTEIN: Actually, we talked about that before you got on —

DR. TANG: Right.

MR. ROTHSTEIN: — and the next go-through, we’re going to try to make it more accessible. A sine qua non is definitely going, unfortunately. It doesn’t pass the Jeff Blair test.

[Laughter.]

MR. REYNOLDS: I thought it was a drink or something.

[Laughter.]

MR. ROTHSTEIN: So, your point, Paul, is well taken.

MR. HOUSTON: An industrial solvent.

DR. TANG: Because otherwise, we’re going to have to look up (?).

[Laughter.]

MS. BERNSTEIN: That was Mark, not mine.

Okay, for the record, I didn’t know which one that was.

MR. ROTHSTEIN: Could we go to the recommendations now? Here’s what I would like to propose. I would like to propose, as a matter of self-preservation, that in Number 12, the recommendation should be:

“Fair information practices should be incorporated into the NHIN.” And we can make it “Reasonable fair information practices” if you want, but taking out the specifics so we don’t —

DR. TANG: I like that.

MS. BERNSTEIN: For your information, in practice is a (?) by definition reasonable?

MR. ROTHSTEIN: Well —

MS. BERNSTEIN: They’re fair. They’re fair to everyone.

DR. TANG: Yes.

MR. ROTHSTEIN: Okay, so we’re just going to delete that.

So, let me start in order.

MS. BERNSTEIN: Paul?

MR. ROTHSTEIN: What about Number 11? Is everybody okay with Number 11?

MR. HOUSTON: Well, in terms of trying to — your last comment about being understandable, I’m not sure what people understand.

MR. ROTHSTEIN: Open and transparent?

MR. HOUSTON: Open/transparent might need to be better re-wordsmith to make it more understandable.

MR. ROTHSTEIN: Okay. “Should be widely available and clearly understood?” “Easily understood,” something like that?

MR. HOUSTON: Yes, that sounds good.

MR. ROTHSTEIN: How’s that? Maya, do you have that?

MR. REYNOLDS: You know, to me it’s a little bit like the philosophy of when you rent a movie, the warning always comes up front where you know you can always see. It needs to be available.

MR. ROTHSTEIN: Okay, so —

MS. BERNSTEIN: “Widely available, easily understood” — what else?

MR. ROTHSTEIN: Oh, that’s enough. Cause more problems.

MS. BERNSTEIN: Is there anything else about

transparency that isn’t captured by those things?

MR. ROTHSTEIN: “Widely available and easily understood.”

MR. REYNOLDS: Where are we at?

MR. ROTHSTEIN: Eleven. We’re just changing “open.”

So, “NHIN procedures should be widely available and easily understood.”

Okay, the second one, then, was: “Fair information practice should be incorporated into the NHIN.”

MS. BERNSTEIN: Fair information practices is actually a technical term of AHRQ in the privacy world.

MR. ROTHSTEIN: Right.

MS. BERNSTEIN: Do you want to — but you also don’t want to delineate what those are, so somewhere —

MR. ROTHSTEIN: Right.

MS. BERNSTEIN: — we have to let people know what it is we need.

MR. ROTHSTEIN: All right. That’s the purpose of the text.

MS. BERNSTEIN: Oh, okay.

MR. ROTHSTEIN: Number 13, we’re going to need to change that.

MR. HOUSTON: No, no, no —

MS. BERNSTEIN: Thirteen is after another

paragraph called “Enforcement.”

MR. REYNOLDS: Yes, we’ve got to go to —

MR. ROTHSTEIN: Oh, I’m sorry, I’m sorry.

MS. BERNSTEIN: We checked a little red mark that says “second” on October 21st —

MR. ROTHSTEIN: Yes, yes, yes, yes — okay.

MS. BERNSTEIN: We’re going to a new topic?

MR. ROTHSTEIN: So are we okay to move to a new topic?

MR. HOUSTON: Yes.

MR. ROTHSTEIN: All right.

MS. BERNSTEIN: Does anyone — are you guys on the phone ready to go to the next?

DR. TANG: What’s the next topic?

MR. HOUSTON: It’s 10:30. Do we want to take a break?

MS. BERNSTEIN: Enforcement.

MR. ROTHSTEIN: Do you want to take a five-minute break?

DR. TANG: What an idea!

MR. ROTHSTEIN: Okay, yes, it’s 10:30 already; I didn’t realize that. Time flies when you’re having a good time! [Laughter.]

MR. HOUSTON: The shorter, the better, I mean —

MR. ROTHSTEIN: Yes, let’s just — five minutes

is fine. A bio-break and we’ll be back in five minutes.

MS. BERNSTEIN: I can’t get what that’s from.

MR. HOUSTON: Bio-break?

MS. BERNSTEIN: Bio-break.

(Break)

MR. ROTHSTEIN: “III” at the bottom of Page 8, which is “Enforcement.”

MS. BERNSTEIN: Yes. Let me find my own page numbering.

DR. TANG: Okay, so we’re not doing — we’re not ready for the rest of 14, 15 yet?

MR. ROTHSTEIN: Oh, no. We’re going to do that paragraph of text first —

DR. TANG: Okay.

MR. ROTHSTEIN: — and then take up Recommendations 13, 14 and 15.

MS. BERNSTEIN: Actually —

MR. ROTHSTEIN: Correct?

MS. BERNSTEIN: Oh, yes.

MR. ROTHSTEIN: Okay. So the floor is open for comments on the paragraph that begins “Several witnesses” and ends “entitled to compensation.”

MS. BERNSTEIN: John has handed me — for you guys who can’t see on the phone —

MR. ROTHSTEIN: He’s got both hands, and he’s panting!

[Laughter.]

MS. BERNSTEIN: Are we shocked?

MR. ROTHSTEIN: Okay.

MR. HOUSTON: Very funny. I’ll kick this off. I have a strong, a very strong, bias against individual compensations and private rights of action.

DR. TANG: Could you repeat that? Take it up a notch, John.

MR. HOUSTON: I’m sorry. I have a very strong bias against private rights of action and individual compensation.

DR. TANG: No, I mean to take up your — I’ll throw my weight behind your strong objection.

MR. HOUSTON: Oh, okay, good.

DR. TANG: Being quiet.

MR. HOUSTON: All right. I’m sorry — I thought you were saying take it up a notch so you could hear me.

MS. BERNSTEIN: That’s what I’m usually telling him.

MR. HOUSTON: I think that to the extent that providers and others inappropriately access information, the deterrent impact is obviously civil or criminal sanctions, and I think that has to be the effect of a forced mechanism. To provide people with the right recover simply allows people to look at this as another way to grab some money from somebody. I just think it’s counter-productive.

MS. BERNSTEIN: Well, does anyone happen to know how many civil actions have been brought by the Department of HHS under HIPAA?

MR. ROTHSTEIN: Zero.

MS. BERNSTEIN: That’s correct. Just so you know how effective it is. I mean, a suer here, perhaps you would defend — you know, I don’t mean to — but the point is, if you have to wait for the Department, for some other agency, to take action, it’s not very effective recourse.

MR. HOUSTON: This opens a floodgate for every provider.

DR. TANG: I thought somebody was put to jail in Seattle.

MS. BERNSTEIN: It’s true. Someone was put in jail in Seattle and then the Department of Justice came out with a policy that undermines the basis on which they were put in jail and that person is probably going to have to be set free.

DR. TANG: Yes, that I can’t help.

[Laughter.]

MR. HOUSTON: Okay, we’re —

MS. BERNSTEIN: We’re off the topic.

MR. HOUSTON: Yes.

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: How about — I mean, this paragraph has three or four different ideas in it, maybe all of which you will object to, but let’s go in order and then we will — you’ll get plenty of opportunity to make your point as to each of them.

MS. BERNSTEIN: Actually, it doesn’t say anything about private rights of action in here.

MR. ROTHSTEIN: No, there —

MS. BERNSTEIN: I doesn’t.

MR. ROTHSTEIN: Correct.

MS. BERNSTEIN: It doesn’t.

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: It says that people should be compensated. It doesn’t say they should be entitled to (?) advocate.

MR. HOUSTON: I think that sort of — to me, I sort of read “private right of action” to individual compensation.

MR. ROTHSTEIN: Yes. See — well, you need to read the reporter’s notes to this.

MS. BERNSTEIN: Which are — are they in here?

MR. ROTHSTEIN: Yes, except the numbers don’t —

MS. BERNSTEIN: They have numbers on that?

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: Okay. So I’ll fix that.

MR. ROTHSTEIN: So at any rate — well, if I may suggest we go sentence by sentence:

“Several witnesses testified that strong enforcement of penalties are essential to deter wrongdoing and to assure the public that breaches of privacy, confidentiality and security are taken seriously and will be dealt with aggressively.” Okay?

MR. HOUSTON: Great.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Any issues, over there on the phone?

MR. ROTHSTEIN: Simon, Paul, is that okay?

DR. COHN: That’s fine.

MR. ROTHSTEIN: All right. Now we run into trouble. [Laughter.] But at least we got one sentence through.

“We believe that appropriate civil and criminal sanctions should be imposed on individuals and entities responsible for the violation of confidentiality and security provisions of EHRs and the NHIN” — which of course is already in place in HIPAA, leaving aside the enforcement issue, right?

MR. REYNOLDS: It’s a place for HIPAA, but not

all the people that —

MR. ROTHSTEIN: Okay, so you’re okay with that?

MS. BERNSTEIN: Boy — I didn’t hear what Harry said.

MR. REYNOLDS: It’s in place for HIPAA, but the NHIN EHRs go far further than —

MR. ROTHSTEIN: Correct.

MR. REYNOLDS: — people that are under the jurisdiction of HIPAA.

MR. ROTHSTEIN: That’s right.

MS. BERNSTEIN: That’s correct.

MR. ROTHSTEIN: So are you okay with it?

MR. REYNOLDS: I’m okay with what it says.

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: That’s why I was just —

MR. ROTHSTEIN: Thank you. Paul, Simon? Any —

DR. TANG: You changed the sentence, the second sentence, instead of the third?

MR. ROTHSTEIN: No, we haven’t gotten — well, the sentence — we haven’t changed anything. We’re asking for comments on the sentence that begins “We believe that appropriate civil and criminal” blah-blah-blah-blah.

DR. TANG: I agree with it.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: I have one change that actually

agrees, plus a little bit —

MR. ROTHSTEIN: All right. Well, why don’t we let Amy —

MR. HOUSTON: I’m sorry.

MS. CHAPPER: That law suit you referred to, wasn’t it because it was an individual —

MR. ROTHSTEIN: Yes, that’s right.

MS. CHAPPER: — not an entity, so that’s why they said that would change.

DR. TANG: Remember — I mean, this is restating HIPAA, but EHRs — and probably our major point is that we would like to see if it works and built on HIPAA and apply it to NHIN as well. So, I mean, the emphasis is a little different.

MR. ROTHSTEIN: Well, the reason I’m — in my notes to this section, okay, and this recommendation, I say, “We are not commenting on” — this was Note 17 — “on the nature of these penalties but note the recent DOJ interpretation that HIPAA criminal sanctions do not apply to individuals. We also note that HHS has never imposed any civil penalties under HIPAA.”

So that’s why I say, “We believe that appropriate civil and criminal sanctions should be imposed on individuals and entities which” — the Justice Department said you can’t impose on individuals —

DR. TANG: Oh, okay — I didn’t —

MR. ROTHSTEIN: — responsible for the —

DR. TANG: So the two important points in that sentence is, one, the individual, and two, NHIN, not just the EHRs?

MR. ROTHSTEIN: Correct.

DR. TANG: And maybe I could just see it being more forcefully —

MR. ROTHSTEIN: Okay.

DR. TANG: — by rearranging the sentence structure, that’s all.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Is it the case that anything that’s — that EHRs are necessarily covered by HIPAA? I mean, is there anything that might be an EHR which is not in the custody of a covered entity?

MR. HOUSTON: Yes, sure.

MR. REYNOLDS: Absolutely.

MS. BERNSTEIN: Right.

MR. HOUSTON: Private pay docs.

MS. BERNSTEIN: Sure.

MR. REYNOLDS: Absolutely.

MS. BERNSTEIN: Private pay docs.

MR. REYNOLDS: That’s the whole PHI issue we have earlier or later in this line.

MR. HOUSTON: Right.

MR. ROTHSTEIN: Okay, so how do we need to change that “We believe” sentence?

MR. HOUSTON: Can I make one comment about this addition?

MR. ROTHSTEIN: Please, yes.

MR. HOUSTON: I honestly — this can sound not only strange but I don’t think this goes far enough.

I believe that if you have an entity that has a reoccurring problem with regards to these issues, there should be a way to exclude them from NHIN participation.

MR. ROTHSTEIN: And Medicare and — they should have their license pulled and they should — I mean —

MR. HOUSTON: I mean, think about this.

DR. TANG: I like that, I like that, the convention of participation argument.

MR. HOUSTON: I think there’s an argument to be made for this.

MS. BERNSTEIN: Who knew? Simon? Are you back?

MS. McANDREW: That’s dealing with it aggressively.

MR. HOUSTON: It is.

MS. BERNSTEIN: Do you have any thoughts —

DR. TANG: But should this come maybe towards the end as part of our punch? You know, we’re going to want to declare that we need a new law that covers everybody and, two, that from a government point of view, all people who participate in government funding need to comply with this?

MR. ROTHSTEIN: Well, how about if we — how about this. I want to see if I can work John’s point in here and then we’re going to get to yours, Paul.

How about if after the “We believe” sentence we add something like: “A range of other sanctions should be considered to deal with repeat offenders, including the following.”

MR. HOUSTON: Actually, I think there’s an easier way to do this.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: “We believe that continued NHIN participation, as well as appropriate civil and criminal sanctions, should be imposed on individuals and entities responsible for violation of confidentiality provisions of EHRs in an NHIN.”

MS. BERNSTEIN: Should be imposed — continued NHIN participation as well as appropriate civil and criminal sanctions should be —

MR. ROTHSTEIN: Well, we’re going to have to —

MS. BERNSTEIN: One has got to be removed and one has —

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: — got to be imposed.

MR. ROTHSTEIN: Continued participation should be contingent on what, compliance with all the rules and regulations, or — see, then you get into the people will be afraid they’re going to be yanked because they have a couple of minor infractions.

MR. HOUSTON: But it’s a deterrent. It’s probably a quicker deterrent step than criminal and civil penalties. Can’t we just stick it —

MS. BERNSTEIN: Can I just add something?

MR. HOUSTON: Yes, please.

MS. BERNSTEIN: The kinds of things that you’re talking about belong in the recommendations and not in the textual stuff. So, that is, if you think that it’s the case that continued NHIN participation should be contingent, or do you think that —

MR. HOUSTON: Okay —

MS. BERNSTEIN: — something that I would move, though, to the recommendations and get to them after you work on the text.

MR. HOUSTON: Okay, let me say this. Take out of this sentence, then, “civil and criminal sanctions.” Just say “appropriate sanctions should be imposed.” Take what Maya is saying then. Then you describe in detail in the recommendations section the fact that the sanctions are criminal and civil, on one hand, and that they are removal from participation in an NHIN in another case.

Sanctions become more global in the discussion section and then you can detail the type of sanction that you —

MS. BERNSTEIN: Or you can detail the types of —

MR. ROTHSTEIN: Okay, let me just —

MS. BERNSTEIN: Mark is having heartburn, okay?

MR. ROTHSTEIN: No. I want to defend corporate America here.

[Laughter.]

MR. ROTHSTEIN: You’ve got some rogue employee at Pitt —

MR. HOUSTON: Yes —

MR. ROTHSTEIN: — who is — or UPMC — who has done all sorts of terrible things —

MR. HOUSTON: Yes —

MR. ROTHSTEIN: — and they send this person to jail. If they pulled your participation in NHIN, it’s the death penalty for business.

MR. HOUSTON: Now, let me argue the opposite. Let me just tell you I don’t believe that one infraction, or even two infractions, should get to that.

But let’s just say here — a little bit paint the opposite scenario — after repeated problems and repeated failure on the part of the organization to take appropriate steps to improve its privacy and security practices surrounding all of this, they failed to take those appropriate steps that — and after being warned of that that they continued to fail to do this, then in that case their participation in NHIN would be maybe suspended for some period of time.

MR. ROTHSTEIN: But your argument is premised on the fact that the NHIN is the government.

MS. BERNSTEIN: Oh, it’s not.

MR. ROTHSTEIN: The NHIN is not the government. The NHIN is a system of systems for which the government is helping to set standards and therefore, then there would have to be some sort of adjudication by the NHIN, I mean, then there’d be the right to a hearing and all this —

MR. HOUSTON: But we’re trying to think of practical ways to improve privacy and security. We are talking about ways that may be more efficient than in going down the road of criminal and civil sanctions. I think this is a more effective mechanism.

You know, you know what happens? Like every large organization, you know when large organizations jump? It’s when JCAHO comes in.

MR. ROTHSTEIN: Exactly, but JCAHO is going to come in if they have these multiple things. The state licensing people are going to come in. Medicare is going to pull their license.

MS. BERNSTEIN: Right. But you don’t want till they come in, probably. Say you’re a RHIO and you’ve got ten members in your RHIO and you’ve got one member organization which continually has breaches, failed to fire the people that are responsible, fails to take your —

MR. HOUSTON: It is a problem.

MS. BERNSTEIN: They failed to — but, right, it’s a problem child, right? Continually failed to improve whatever their situation is that’s causing these breaches. They are risking everybody else here, essentially, right? Everybody else’s reputation —

MR. ROTHSTEIN: Right.

MS. BERNSTEIN: — in RHIO.

My view is the people in the RHIO, whoever the management is of the RHIO, just looking at that model, gets together and boots that guy out, because that organization is risking it for everybody else.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: And that’s the kind of thing, it seems to me — in another draft of this document we had — you talked about some organizing body, some oversight —

MR. ROTHSTEIN: Correct.

MS. BERNSTEIN: — advisory — some kind of —

MR. ROTHSTEIN: Right, before that was yanked.

MS. BERNSTEIN: Before it was yanked.

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: But it seems to me that in the private sector, you know, they have membership organizations, they have the bar associations or — the AMA will eventually, although it apparently has to be egregious, but they will eventually boot you out —

MR. ROTHSTEIN: Okay. I —

MS. BERNSTEIN: — if you —

MR. ROTHSTEIN: — have no problem with the boot-out language. I think it needs to be separate from the criminal and civil —

MS. BERNSTEIN: Yes, that’s right.

MR. HOUSTON: I try to resolve it by simply talking about if we simply use the word “sanctions” within the document and then within the recommendations section we talk about criminal and civil sanctions on one hand and then — maybe sanctions isn’t the right word — but then we talk about removal from the NHIN as being as a separate sanction recommendation, or maybe it’s suspension from NHIN as being a separate sanction.

MR. ROTHSTEIN: What we have to recommend is that when the Secretary authorizes or certifies or approves RHIOs, a standard has to be included that the RHIO has disciplinary authority over entities that consistently been shown to violate privacy rights of the individual.

MR. HOUSTON: Up to and including either termination or suspension of —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — NHIN rights. I have no — that’s what I’m getting at.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: Maybe you have enunciated it better than I, but I’m just —

MS. BERNSTEIN: Standards. That we should develop standards — standards of, I won’t say “behavior” but —

MR. ROTHSTEIN: The RHIO needs —

MS. BERNSTEIN: Or whatever it turns out to be.

MR. ROTHSTEIN: — yes, standards and the authority to, you know, remove entities from the organization that’s consistently blah-blah-blah-blah.

MS. BERNSTEIN: Failed to meet those standards.

MR. ROTHSTEIN: Yes. Harry?

MR. REYNOLDS: A question. You got some help. HIPAA is clear because the jurisdiction falls on the government agencies. The Internet —

MS. BERNSTEIN: No government.

MR. REYNOLDS: Okay, but the Internet starts to

feel a little more like NHIN because you really — Mark, you said that perfectly earlier; NHIN’s not a government — and Simon put it perfectly; it’s a philosophy right now and a theory of connecting these things, which can be done technically, but it’s still — as a jurisdiction point, there isn’t any.

So I guess, as I sit here as a bit of a layman on this, on the sanctions, the idea of what do I have as personal rights when somebody does something to me on the Internet and why wouldn’t that extrapolate to be a similar thought process if my records are involved in NHIN, and what are we asking anybody to do differently or what would I be doing differently —

MR. ROTHSTEIN: Okay. Well, I think we have not yet, I don’t think, taken up the right of what individuals should be able to do.

The question is whether entities should be subject to any sanction if they’re repeat offenders. And as originally drafted, there were just the civil and criminal sanctions.

John wants to add some mechanism for them to get bounced from the NHIN.

MR. HOUSTON: Self-policing.

MR. REYNOLDS: But again, who has the jurisdiction to bounce?

MR. HOUSTON: But I think that’s part of what actually Mark just indicated. I think it’s part of the charters for the NHIN and RHIOs that establish under them, maybe.

MS. BERNSTEIN: Self-regulatory mechanism.

MR. HOUSTON: Isn’t that there need be some mechanism — there should be — in which bad actors, that organization simply unwilling to be a good citizen of the NHIN or RHIO, is removed.

MR. REYNOLDS: But you’re basically talking about there needs to be some rules of engagement on the NHIN.

MR. ROTHSTEIN: Exactly.

MR. REYNOLDS: I guess that’s where I’m trying to —

MR. ROTHSTEIN: That’s right.

MR. REYNOLDS: — and I don’t read that here. There needs to be rules —

MR. ROTHSTEIN: It’s not in here.

MR. REYNOLDS: Yes, okay. But I guess that’s kind of a premise to me of this paragraph, which basically says since the NHIN is not under anybody’s real jurisdiction, if there are not some rules of engagement established —

MR. ROTHSTEIN: We note but —

MR. REYNOLDS: — but I don’t know you base — you know, then those rules of engagement you could then base these things under them.

MR. HOUSTON: Then, Harry, what I think is that I think Mark’s premise was that when these things are established, there absolutely I think will have to be, and will be, agreements and documents and charters put in place.

And then, again, as part of those charters, there simply needs to be language that obligates those entities that are part of it to be good citizens of the NHIN and if they’re not that there’s certain rights of the NHIN to remove them or to suspend their rights or, you know, maybe impose even — or in the alternative is impose additional audits or something.

Something, there has to be. And I think — I agree with what you’re saying. We’re making an assumption that those types of documents will have to be in place and that we’re simply adding to them, maybe.

MR. REYNOLDS: Well, and the other thing I guess we’re saying is — I still won’t believe, being a technologist, there’s going to be this magic NHIN in the sky, especially as it goes over the Internet and other things. It probably —

MS. BERNSTEIN: It’s not going to be a single —

MR. REYNOLDS: — it’s going to be a probably a loosely knit, secure package switch of information. And so we continue to discuss it as if, you know, at some point you can go visit the NHIN and talk to somebody.

MR. HOUSTON: Sort of visiting the Internet.

[Laughter.]

MR. REYNOLDS: Yes, and that’s why, exactly why, I use it as an example.

MR. HOUSTON: Were you here for (?)

MR. REYNOLDS: Yes.

MR. HOUSTON: I think it’s going to be a med Google where we go on, you query other organizations if there’s some comments in facts —

MR. REYNOLDS: No, it is, it is. But the point is there’s no jurisdiction over that stuff now.

MR. HOUSTON: But I think, though, that hub, and the organizations that will contribute to develop those hubs that are adjudicators of information, we’ll have to have their charters, we’ll have to have the agreements.

And part of that then, you will be able to impose appropriate, you know, language in those documents that do this enforcement. I think it’s an appropriate thing to put in this letter.

MR. REYNOLDS: Well, yes, I think if you were to add that, Mark, to the paragraph, (?). But I think right now, I’m getting a sense we’re tying it to something that is kind of — it’s going to be an Internet —

MR. ROTHSTEIN: Well, yes. What we would need, I think — do you have the language?

MS. BERNSTEIN: Well, what I was going to ask in this discussion — I mean, it seems like you’re talking about kind of voluntary industry self-regulatory kind of mechanisms.

MR. HOUSTON: It’s stronger than that.

MS. BERNSTEIN: Maybe — well, depends on their industry. In the securities industry, the self-regulatory mechanism is extremely strong in NASD. They can, you know, bring real sanctions against you. And in other industries, it’s much less strong.

But my question would be: What can the Secretary do about it?

You’re advising the Secretary. What is it you think that the Department can do to help this along if you think it’s the right way to go?

Or should we put an assumption? We assume in the language of the paragraph that the way that the world is going to develop is that there are going to be these private organizations that get together in some kind of consortia and we presume that they’re going to have these contractual arrangements of whatever sort, of trees or whatever —

MR. HOUSTON: Doesn’t Brailer influence? I mean, doesn’t the Secretary — aren’t they going to build — aren’t they shaping a framework?

MS. BERNSTEIN: Well, they can put seed money, they can give models and examples. They can’t impose — well, there does not seem to be an intention to impose regulation on it right now.

MR. HOUSTON: Okay, but to the extent that the NHIN, like how did they do it with HIPAA? How did they go into HIPAA privacy and security? The said — the way they sort of tied the Federal government into HIPAA privacy and security was because of the fact that —

MS. BERNSTEIN: Medicare.

MR. HOUSTON: — Medicare and Medicaid.

MS. BERNSTEIN: Yes.

MR. HOUSTON: You could do the same tie here to force that to happen.

MS. BERNSTEIN: You could. You know, the question is, do you — what you’re talking about is not a government-imposed regulatory scheme so far. Harry’s smiling at me, for the record. [Laughter.]

You folks out there in the regulated community are generally loathe to respect more regulation, although I think that if a scheme like this is not working, you could expect the government to step in and make it work for you if there’s a, you know, market failure, however you want to represent that failure for this scheme to work.

But I think what’s happening, the way I see at the moment, is that the Department is trying to encourage different models of private sector development in the same way really that they did with the Internet. We had the backbone, we had small, you know, sort of grants, research out there. Same sort of thing that the Department is doing, is spending its money in ways that I think will create industry development.

And in the same way it could money model standards, you know, as one member of the health care community with a very big foot in the market to affect what’s happening out there or to influence it, I guess.

So that could be part of the discussion, that we expect all this to happen.

Then the question is, well, in the recommendations, what concrete things can the Secretary actually do about it? And I haven’t heard that this group seems ready to say we should — well, maybe you are, in some cases. I mean, if there are particularly bad actors, you — criminal penalties, certainly; that’s a governmental function.

MR. HOUSTON: And, by the way, they’re —

MS. BERNSTEIN: Monetary or civil sanctions can be a governmental function, like they are in HIPAA.

DR. TANG: There’s a couple other ones.

MS. BERNSTEIN: There are other ways to impose pain on bad actors. One of them is boot them out of your RHIO or your organization. That’s not something the government’s going to do.

DR. TANG: There’s a couple payment options, a hook.

MR. ROTHSTEIN: Right.

DR. TANG: One is the certification process. If you want to get certified — let’s see. One is getting certified to be an exemption for SPARKS could include policy event, cover privacy and confidentiality, and security, for that matter.

The other is payment incentives from CMS for the use of IT. It could also include these kind of provisions.

MR. ROTHSTEIN: Well, I’ve drafted some language that may be a starting point for us.

MS. BERNSTEIN: For the paragraph or for the recommendations?

MR. ROTHSTEIN: It’s for the paragraph, and then we can —

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: — deal with the recommendations in a second.

MS. BERNSTEIN: Read slowly.

MR. ROTHSTEIN: After “NHIN,” before the “In addition,” which we’ll deal with separately, it would go after the sentence “We believe that appropriate civil and criminal sanctions should be imposed on individuals and entities responsible for the violation of confidentiality and security provisions of EHRs and the NHIN. Other mechanisms for sanctioning recalcitrant organizations also should be considered. These include suspension or termination from participation in Medicare and Medicaid or requiring all NHIN operating user agreements” — and this needs to be changed — “to contain provisions for loss of NHIN participation rights for multiple privacy breaches.”

That’s attempting to get your thought in there, but —

MS. BERNSTEIN: Mine or his?

MR. ROTHSTEIN: No, that’s John’s. It’s a try to get John’s —

MR. HOUSTON: I think with some wordsmithing I think that’s on the right track.

MS. BERNSTEIN: Okay, I’ll work on it.

MR. ROTHSTEIN: Simon?

DR. COHN: Yes?

MR. ROTHSTEIN: What do you think?

DR. COHN: I think it sounds okay.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: So far so good, okay.

MR. ROTHSTEIN: All right, we will leave to Maya’s good offices to —

MS. BERNSTEIN: Recalcitrant, okay.

MR. ROTHSTEIN: Yes.

MR. HOUSTON: It’s a sine qua non for —

[Laughter.]

MR. ROTHSTEIN: Now let’s take up the last sentence, the one that John started with, and that is:

“In addition, individuals whose privacy and confidentiality are breached should be entitled to compensation.”

In the notes, in the reporter’s notes, that is Number 17 in which — no, no, no, wait — oh, Number 18 — in which I say, “We are leaving open the nature and method of compensation.” So we’re not saying whether it should be a fixed amount or damages and whether it should be administrative or through private right of litigation.

So, all that we’re saying is that people whose privacy and confidentiality are breached should be entitled to compensation.

And I would even be willing to say should be “eligible for compensation,” which is different than “entitled to compensation,” because then you can set a standard like you have to show you were actually harmed by it and you —

MS. BERNSTEIN: Got to find the damages.

MR. ROTHSTEIN: Yes. You had some damages; you lost your job, you didn’t get a mortgage, or who knows what.

DR. TANG: I’m still not comfortable with it, but I’m going to let John take care of it.

MR. HOUSTON: Thanks, Paul. I’ll fight for ya!

DR. TANG: Yes.

MR. HOUSTON: I’m just going to say I’m fundamentally opposed to this. I think that I’m okay with the concept that a covered entity or somebody else under the NHIN who gets NHIN data should be exposed to sanctions which may include monetary fines.

But I think when you start giving that out to the public, you know, whether there’s a private right of action or not, I still think this creates an environment where somebody — I mean, people will use this as a pretense to try to get money. I mean, I’m sorry. I think it’s counter-productive. It ends up costing organizations a lot of money to respond to, you know, potentially many, many frivolous claims.

We see this today. It isn’t just necessarily related to this. I mean, it’s the way people try to leverage getting free health care by trumping up something and trying to make the claim small enough that it becomes an annoyance to respond to it other than simply saying, “Fine.” I mean, you know what’s interesting? I periodically will get somebody complaining, who will say, you know, we think the person’s information was inappropriately used and we want $5,000. That’s the classic example. I’ve gotten it on a number of occasions.

And it’s interesting because it’s always an attorney who finds it and it ends up being a situation where we know what they’re trying to do. They put a nuisance dollar figure on it that they think is small enough that we’re just going to say, you know, it isn’t worth or while to fight it.

And we always say, “No.” And say, “Oh, by the way, HIPAA doesn’t provide a private right of action but if you feel you have a right under Pennsylvania law, you’re more than welcome to sue us.” And they never come back. They never ever come back. And I think it’s because they — you know, it’s the nuisance to try to —

MS. BERNSTEIN: So you get your intern to write those letters. I mean, what’s the big deal — [laughter.]

MR. HOUSTON: No, we simply say no.

MS. BERNSTEIN: — to say no?

MR. HOUSTON: We just say —

MS. BERNSTEIN: And you just have a stash of them and you write them back and —

MR. HOUSTON: No, no — but we do that. My point is that we do this today, but I think that there’s — what I’m trying to express here, maybe I’m not being clear about it, is that there is a certain segment of the population who will be very likely to do this who’s simply look for —

MR. ROTHSTEIN: There’s no question about that. Every large enterprise that’s open to the public knows that they’re going to have a percentage of floppers who are going to sue them, right?

There are lots of law suits against casinos and Disney World and so on. But the fact —

MS. BERNSTEIN: There’s a whole raft of stories you can —

MR. ROTHSTEIN: — that people take advantage doesn’t mean that others who are legitimately injured —

MS. BERNSTEIN: Right.

MR. ROTHSTEIN: — as a result of the negligence on one of these premises shouldn’t be entitled to compensation.

MR. HOUSTON: I think if you’re trying to prevent — if you’re trying to deal with the issue, again, like the HIPAA privacy rule, you know, by providing the penalty to the covered entity, you know, that’s the deterrence to the covered entity to act or not act or do what they were supposed to do.

And frankly, if really what we need to do is to have the Federal government be more aggressive about providing appropriate penalties for inappropriate access and use, then maybe that’s the more important recommendation, that we need to figure out a way for us to actually enforce this.

MR. ROTHSTEIN: Harry?

MR. REYNOLDS: Yes. I guess where I come down on this is we’ve talked about privacy — kind of going through — we’ve talked about privacy notices and how can we get people to really understand. And then we’ve talked about consent.

Well, this last sentence to me is kind of informed what do I do about it? When somebody does something to me, what do I do about it?

Under HIPAA, I could run —

MS. BERNSTEIN: My resource. What redress is there?

MR. REYNOLDS: Yes, what’s my resource, okay?

So, I guess what may be a comment here is that because the NHIN takes this data into realms that may not be currently under consideration, and since there is no jurisdiction, clear jurisdiction, of this, just like there really isn’t of the Internet, if the Secretary or someone could come up with a process that individuals could understand what their due process is in these situations, then I think that would be — or somebody could.

I mean, because right now, I mean, think about the Internet: What do you do if something happens to you there?

So I think that’s — so we’ve said here’s a privacy notice we want you to understand. We want you to understand, you know, all these other things that — you know, informed consent. And now we get to the end where we’re all talking about businesses.

But I’ve got a person that feels they were wronged, and what is their process, because this NHIN in the sky is out there just like the Internet is? So whether or not we could — maybe that’s where we’re headed, because I don’t even understand the process. I’m not worried about whether you get compensated.

MR. ROTHSTEIN: Yes.

MR. REYNOLDS: I’d like to know that they had a process to go figure out what the heck happened.

MR. HOUSTON: I agree with you on that. There needs to be a process, absolutely, a process for enforcement. That’s sort of assumed by the criminal and civil sanctions, that there has to be a process for an aggrieved individual to say, “I got a problem here.”

MS. BERNSTEIN: For bringing — for causing punishment to the entity.

But there’s nothing there — if you are harmed. What we’re talking about is if you are the subject of the breach and if you have suffered actual, out-of-pocket damages, and some real harm, and maybe even not out-of-pocket. Maybe it’s, you know, damage to your reputation in your community or — well, maybe that can be measured. But maybe it’s failure to be able to get a loan or a mortgage or a car loan or whatever because they decide you have some disease that’s not —

MR. ROTHSTEIN: Well, you know, it’s sort of —

MS. BERNSTEIN: You know, then you’re a bad risk because, you know, you have a heart condition or you’re a bad risk because you’re a cancer patient and I don’t want to lend money to you —

MR. ROTHSTEIN: Somebody accesses your records —

MS. BERNSTEIN: — that’s a real problem.

MR. ROTHSTEIN: — and discloses to your boss that you were in drug rehab ten years ago and you lose your job — or, you know, who knows what?

MS. BERNSTEIN: Causes you actual problems.

MR. ROTHSTEIN: And if they file a complaint with

OCR, maybe the entity will get fined or the individual will get fined or something. But what about the poor individual?

I think this is — you know, I think allowing for some type of compensation is very key to the trust aspect. We’re going to do everything that we can to safeguard your rights. We’re going to make the process clear. We’re going to regulate these organizations who have your records. We’re going to do other things that we’re going to talk about. We’re going to make them notify you some way if there are lapses. And if something happens, you may be entitled to some sort of compensation, and of course we’re leaving that open, whether it’s, you know, up to a thousand dollars through an administrative agency or who knows what. But just the point of eligibility for some recompense.

MR. REYNOLDS: But not adding your other words about some kind of process and some kind of something else.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: I can’t support it.

So if you put in there that somebody will help people define the process they would need to go through, and at the end of that process, compensation could be an outcome, I could go with that. But I’ve got to see some process in here that helps the person to understand what to do and then once they do it — well, that’s just where I’m at.

MR. ROTHSTEIN: Okay. I’m happy to —

MS. BERNSTEIN: Are you really talking about an ombudsman function? Are you talking about —

MR. REYNOLDS: Probably. Oh, I don’t know, because you can’t run to the government, you can’t run —

MR. ROTHSTEIN: He just thinks that that sentence is sort of naked.

MR. REYNOLDS: Yes. It just says you’re going to get money — have a nice day, you’re going to get money. I think there should — here’s how you go about — if you have a real — you feel you’ve been wronged, here’s how you go about it. And ombudsman may be the thing. Or, you know, they call it —

MS. BERNSTEIN: Well, in the — so the scheme that I can live with most, which is the privacy act, the Federal privacy act — just to sort of respond to what John’s concerns are — he’s concerned that there are frivolous suits that take up time and —

MR. REYNOLDS: Well, we all are, yes.

MS. BERNSTEIN: — and, yes, we’re all concerned about that, and that either it’ll be too easy to get compensated, there’ll be too many frivolous suits which will be burdensome administratively, and so forth, right?

Under the privacy act, under any scheme where there’s a private right of action, you have that problem. But the privacy act actually makes it extremely difficult to recover, it turns out.

You can recover if you are the subject of some kind of breach, but what happens is you have to prove that there was knowing and — let me see my notes because I —

MR. HOUSTON: Malicious.

MS. BERNSTEIN: Right? It has to — well, malicious isn’t the word. But it has to be a willful and knowing disclosure or violation of the law. You have to have actual out-of-pocket damages. There has to be a link between the broken law and your actual harm, you know, and you have to be able to show that it affects you in your pocket.

Now, if you can prove that entire chain, in my view the government should be getting sued, because it’s extremely difficult to prove that and it means that probably the government really did do something wrong that affected someone.

But it is extremely to do, and litigation is not fun, and you need to get a lawyer. I mean, there’s all these other things. You have to have the money to pursue the suit. You have to have the money to bring it against a large organization which has many resources.

So there are lots of ways that it makes it difficult for people to bring just frivolous suits. I mean, they can file them, but actually following up and getting compensation is very difficult.

MR. HOUSTON: You have to have a darn good system. I just see the reality today now.

You know, here’s the other question. Let me ask you a question. If an employee — let’s just say in my organization I have a nurse that looks at the record of her next door neighbor. Okay, there’s that knowing, there’s that malicious, there’s that concept of, you know, a bad person doing bad things, okay?

Who would you, in that scenario, say is responsible? Is it the covered entity?

MS. BERNSTEIN: Well, it depends on what happened. I mean, is there any reason to do anything? Is anyone damaged by it?

MR. HOUSTON: Okay, I will —

MS. BERNSTEIN: Just the fact that the woman is HIV positive is all over the walls of her church or —

MR. HOUSTON: — let me play out the scenario, okay?

The nurse finds out that the next door neighbor was pregnant and had an abortion, okay? The nurse tells the next door neighbor’s husband, who didn’t know. It

turns out the next door neighbor, the wife, is having an affair. The marriage is destroyed, you know, and there’s all sorts of damages because there’s a million-dollar net worth and that was split in half, and so you have a broken marriage and attorney’s fees to the tunes of hundreds of thousands of dollars to go through the divorce. And so we’ll just say there’s some damages.

Now, in that scheme, is it the covered entity who is now responsible for the hundred thousand dollars in legal fees — because of our bad actions, we caused the marriage to fail? Is it the nurse who was the next door neighbor who was sort of taking these — to use a legal term — the frolic and detour from her job to go look up the record?

MS. BERNSTEIN: She made an authorized —

MR. HOUSTON: So this is where, you know —

MR. REYNOLDS: Well, I would ask you two questions, and then I want to answer your questions. These are —

MR. HOUSTON: Hypothetical.

MR. REYNOLDS: Okay. Did you have policies in place that explained to your employees what they could or couldn’t do?

MR. HOUSTON: Assumed yes.

MR. REYNOLDS: Did you teach them, yes?

MR. HOUSTON: Yes.

MR. REYNOLDS: Did you this, did you that? Then the answer’s the nurse.

MR. HOUSTON: But, see, the pocket is the hospital.

MR. REYNOLDS: I understand that. And that’s called a Level 2 finding, not a Level 1 finding, because you have a control, you’ve talked to people, and everything else.

So, I mean, if I was defending it, I would defend it as a Level 2. This person broke —

MS. BERNSTEIN: I mean, I think, an organization that has reasonable policies in place and is enforcing them in a reasonable way, you know, according to this policy, the term “standard or care” —

MR. ROTHSTEIN: I’ve got some proposed language.

MS. BERNSTEIN: Okay. For that sentence?

MR. ROTHSTEIN: Yes, for that issue, to replace the last sentence, that I think will satisfy Harry. Nothing could satisfy John. Okay, so here’s the proposal:

“We believe that a process needs to be put in place” — I’ll read it later slower if you want — “to investigate complaints by individuals who allege they have been harmed by having their records inappropriately accessed or used, and upon the finding of a willful invasion of privacy resulting in harm, to award appropriate compensation.”

DR. TANG: I think we need to stick more with principle and concept. That seems very, very detailed in terms of — it’s almost like a reg rather than the principles.

MR. ROTHSTEIN: Well, yes, that last — that’s to replace the sentence that was a principle.

[Laughter.]

MR. ROTHSTEIN: If you want the principle, individuals whose privacy and confidentiality are breached should be entitled to compensation. That’s the principle.

DR. TANG: If you disagree with the principle and it doesn’t help to replace it with detail.

MR. ROTHSTEIN: Oh, I see. So if you don’t like the principle, you’re not going to like anything else.

MS. BERNSTEIN: How about the following tweak to that principle instead, which is:

“Individuals who have been harmed by a breach of their privacy or confidentiality should be entitled to compensation.”

MR. ROTHSTEIN: I’m fine with that, but I don’t think would help Paul or —

MR. REYNOLDS: I think “should be entitled to a process,” some kind of due process.

I mean, the whole problem with this is we’re trying to base part of this NHIN on privacy and security and all the stuff with HIPAA, but it’s still nothing; it’s still just a data — and until somebody owns it, that individual person —

And again, where I feel a little differently, HIPAA tells me as a covered entity what I can do. But NHIN is — man, we’re in a whole different world. And that stuff can fly all over the place in lots of different ways for lots of different reasons for lots of different uses, and it’s going to go to people that aren’t business associates and it’s going to go through this and it’s going to go through that.

And I just think the individual — we have really talked trust, trust, trust, trust. And I think we’ve got a big hole here, that that person doesn’t know what to do. And I’m not into compensation. I’m into: How do they go about something?

DR. TANG: I think we’ve backed ourself into the corner where you have to have — you’ve got to get rid of the covered entity language. You have to hold people — the principle is holding people accountable. And so if —

MR. HOUSTON: And what’s the enforcement for that?

MR. REYNOLDS: Yes, and what’s the enforcement?

DR. TANG: The what?

MR. HOUSTON: What is the enforcement for holding people accountable?

DR. TANG: If Pitt goes and discloses things irresponsibly, then we have to go after Pitt. If that guy with the credit card does it, then you go after the guy with the credit card, put him in jail. But you just have to hold people accountable. I don’t know that we can specify — there is no “owner” of the NHIN any more than there is owning for the Internet, but you can prosecute people for misusing information that they got via the Internet. It doesn’t matter how they got it. But the easiest way is to get it through the Internet or through the NHIN.

MS. BERNSTEIN: So you’re saying — back to this sort of entities with recurring problems who fail to take appropriate action to fix those problems —

DR. TANG: I mean, that’s a detail in terms of the recurrent, but basically organizations that violate people’s confidentiality rights or health information may be prosecuted. I mean, if we could get that passed — and I know that’s a big if — that would eliminate a lot of this, these complications that we’re trying to find words and principles around.

MR. ROTHSTEIN: But that wouldn’t go far enough.

MS. BERNSTEIN: It still doesn’t help individuals.

DR. TANG: Why?

MR. ROTHSTEIN: There’s still two things that are hanging in the balance. I mean, your point, I think, Paul, goes to the deterrent effect, right?

DR. TANG: Right.

MR. ROTHSTEIN: You won’t do it if you’re going to be put in jail.

But there are two other interests that we need to protect. Number one is in those instances, and there I hope will be few, in which people suffer some tangible harm as a result of this, they should be entitled to some sort of remedy. And the remedy may not even be money. The remedy may be to return some records or whatever. But they should be entitled to some sort of remedy.

And the other thing that I think we can’t forget is that I think giving people a process and a remedy is very important in assuring the public that they can trust this system, that their stuff is not just going to be hanging out there and they’ve got no place to go if something goes wrong and they have no rights whatsoever.

DR. TANG: Well, I think the deterrent effect of holding everybody accountable is one kind of reassurance. The other, in terms of the remedy, the HIPAA language I

think is mitigation and there’s something else to address the returning the records and those kinds of things without saying you have to “compensate.”

MS. BERNSTEIN: But the problem with privacy is that a record about your medical information is not just a piece of property like returning —

DR. TANG: Yes.

MS. BERNSTEIN: — your car that got stolen.

DR. TANG: Right.

MS. BERNSTEIN: Once it’s out, it’s out of the box. You can’t stick — it’s like the toothpaste in the tube. You can’t put it back in.

DR. TANG: Right.

MR. HOUSTON: I put some back in, just so you know.

MS. BERNSTEIN: Because you’re very fastidious. [Laughter.]

DR. TANG: The trouble is I think that, just as Mark said, probably there are going to be — hopefully there are going to be very few instances of egregious breaches.

MS. BERNSTEIN: We’ve had about 20 in the last month.

DR. TANG: We had what?

MS. BERNSTEIN: Stuff in the medical — you know.

But consumers, I’m reading several a week about consumer data that’s been disclosed in huge numbers on a regular basis just in the last year. You’re seeing two stories a week about it now.

DR. TANG: So I understand that piece, but we do have to hold the health care organizations to a higher standard.

MS. BERNSTEIN: Good, but that doesn’t mean there won’t be breaches. I mean —

DR. TANG: And I agree with all that. But, like John, I don’t think holding out the money pot is —

MR. HOUSTON: To consumers.

DR. TANG: — is the better or even the best efficient deterrent rather than going after the bigger fish, which just makes this a uniform law.

I mean, I think that solves so much of our problems.

MR. ROTHSTEIN: Well, we’re already recommending that the jurisdiction —

DR. TANG: I know, but I put all of our weight that use effective to build up the case for that rather than building up the case for trying to essentially fix that —

MS. BERNSTEIN: How does your uniform law help consumers who are in fact harmed in their pocket? I mean, what is the recourse for someone who actually is harmed as a result of an unauthorized disclosure?

DR. TANG: Like you say, I can’t even compensate them for the loss of their — the knowledge of their information. But what I can do is try to (?) work for everybody, including that individual sustaining that loss.

And I think the deterrent with heavy penalties is the way to do it. Well, is a better way to do it than to open up private right of action to everybody.

MR. ROTHSTEIN: I actually think — I hate to go back to this point, but if the NHIN comes into place and it doesn’t provide for some sort of redress for individuals who have been harmed from disclosure, there will be 50 state laws allowing for private rights of action.

MR. REYNOLDS: I agree.

MR. HOUSTON: It didn’t happen under the HIPAA privacy rule.

MR. ROTHSTEIN: The HIPAA privacy rule doesn’t go far enough. When you start dealing with everybody, everybody having a right, not just covered entities, to send this information all over the place, you’re going to have — some states, well, some already do, but, I mean, you’re going to have many more, and things are going to be worse, from your perspective.

And I think that it’s not asking a whole lot, or imposing a great burden, to say in those situations in which people have suffered harm — and that’s why I put even that as a result of the willful invasion of privacy, although somebody else can set whatever standard they want for that — that there is some mechanism and some sort of administrative remedy where they can be awarded, you know, $2,000 or something, I just think it’s not going to result in nuisance suits because —

MR. HOUSTON: By the way, you know what I think is going to happen, though? I think we’re going to have — let’s take the scenario that OCRs, if it’s already in place to enforce the privacy rule, becomes this ombudsman, becomes the authority that evaluates these claims. So you figure —

MS. BERNSTEIN: It is now the authority to —

MR. HOUSTON: What does that mean to the volume of work that OCR has to take on, and is it able to — and I think it also requires a level of investigation that — I think it’s going to —

MS. BERNSTEIN: It’s imaginary resources. But they don’t have enough resources now.

MR. HOUSTON: And, by the way, we probably have to find some non-governmental agency, because as soon as the government starts to dole out damages, then I think there’s all sorts of appeal rights and other things that occur that —

MS. BERNSTEIN: Yes, yes.

MR. HOUSTON: — could become very, very involved.

MS. BERNSTEIN: I mean, who is envisioned to be paying damaged?

MR. HOUSTON: But I think the hospital. From the hospital to —

MR. REYNOLDS: I think we’re still spinning around.

MS. BERNSTEIN: A quasi-judicial role.

MR. REYNOLDS: We keep saying HIPAA, we say other things. HIPAA was a by-product of the government. NHIN is something different and I — we’re trying to act like we can use the same jurisdictionary — Mark, I agree with you. We’ve got to do something —

MR. HOUSTON: Let me say — if in fact it doesn’t come under government control and it’s this private concept, okay, that there has to be some law that provides this private right of action and whether to fill that gap then, because this can’t be — unless all the NHINs have decided that there’s going to be some private compensation scheme that their members are going to have to all agree to, which I think becomes dangerous in and of itself.

MS. BERNSTEIN: Well, I mean, I don’t think that’s very likely, but I think it’s possible that the membership of a RHIO, if there’s ten members, will get together and say, “According to our agreement, if you flub it up for the rest of us and harm our business essentially, we’re going to, you know, make you pay people whose trust we are losing because you are flubbing it up, and we are going to maybe boot you out of our organization or we’re going to fine you or we’re going to” — I mean, that’s a matter of a private — you know, some kind of private scheme among business folk who gather together to —

MR. ROTHSTEIN: I just wanted to — when you think of it — all right, let’s suppose we did something like this; how would it work in practice, okay?

The large entities who are presumably very careful about all this other stuff and want to do the right thing, it probably wouldn’t affect their day-to-day operations. But you could get privacy insurance. You’d probably self-insure for it anyhow, right? And now it’s a budget expense that you’ve got. You know, you’re going to budget, $50,000 a year to pay privacy claims, and at the end of the year, $48,000 is going to be carried over for Year 2.

MS. BERNSTEIN: It could happen, yes.

MR. HOUSTON: You know, there’s no way to judge the actual impact of this. It could be everything from that to it opens the flood gates in that you end up having to have, you know, a team of people to evaluate these claims to a lot of processes. I just don’t know what the impact is going to be.

I think there are individuals who as soon as you start to wave money in the air, it’s like sharks; it becomes a run. And I just think that’s the fear that I have. And I don’t know how much — it could be perfectly within the right and it’s still — it doesn’t mean people aren’t going to try to game it. I just think there’s too many people willing to — look at insurance fraud.

MR. ROTHSTEIN: John, I’m sympathetic to the problem of the abusers. And if two percent of the population is abusing —

MR. HOUSTON: That’s a big number.

MR. ROTHSTEIN: Hah?

MR. HOUSTON: Big number.

MR. ROTHSTEIN: That’s a very big number, and we need to worry about what to do to that two percent and the people who represent them.

But that doesn’t mean that in order to get the trust that’s essential in this system we can say to the 98 percent, “Tough luck, fella.”

MR. REYNOLDS: I want to —

MR. ROTHSTEIN: Harry?

MR. REYNOLDS: — comment. As any entity, when we are doing our normal business, anybody is, as it relates to treatment and payment in health care operations, and I’ll use the HIPAA terms, the regulations, the laws, the oversight is clear.

The minute — and you have your business associates, and you’ve got a whole structure that the world lives in. Fair?

MR. HOUSTON: Fair.

MR. REYNOLDS: We are now talking about, and this is where I continue to go back to. We’ve got a whole set of people that are going to be playing in this NHIN that are never mentioned in any HIPAA reg or anywhere else.

So that’s a big concern to me as a person. I’ll speak as an individual right now.

So, you’re talking about having me trust it. Now you just blew me up.

Now you have that other situation where institutions will be passing information, people — doctors — will be passing; everybody will be passing information over some mechanism that has no jurisdiction, has no structure, has no focus.

MR. HOUSTON: How do you know that?

MR. REYNOLDS: Well, how do you know it’s not, because NHIN is not decided?

So I’m just sitting here right now with what I have in hand.

MR. HOUSTON: Might not be.

MR. REYNOLDS: Well, but again, maybe that’s a recommendation.

Understand my point. If I sit here as a person, you can’t tell me what NHIN is and what it looks like and how I could go talk to it. You’ve got people out there that aren’t covered. And then you’ve got some people that are going to act right because they’re having to act right under HIPAA.

I mean, as an individual, I’m not going to trust that. You forget that. You can tell me privacy notices all day, you could do everything else you want to do.

Our goal is to try to set up a structure so that it’s adopted and used, not a structure that says, you know, opt out and have a nice day.

MR. ROTHSTEIN: Paul, did you want to —

DR. TANG: Harry, you know, I sympathize a lot with what you’re saying, but there’s so much that we don’t have control over now. Even think about ATMs. Who is it actually that you go to to cut off, you know, one merchant off of the ATM, let’s say. I know those CitiBank folk — sorry; I know those Bank A folks are crazy, so I don’t want my money to be acceptable to any of their teller machines.

Or the central bank clearinghouse — you know, you have your check that’s written out to the HIV clinic and it’s cashed all over the place and I don’t have anybody to go to stop it if I wanted to, and that’s the only way I can even write a check, or the national provider database.

There’s a lot of things that work for efficiency and for effectiveness — let’s say the national provider database — that is faceless, and we don’t have anywhere to go. But it is still trusted because there is — we sort of trust government to look out for public health and safety.

So I don’t know that — there aren’t a whole lot of examples where the use or spread of information is not governed by any body that you can go to.

Does that make any sense?

MS. BERNSTEIN: But you can go complain, you know, if you have a problem with your ATM or whatever. You can go to the banking agencies, you can go to the office of the Controller of the Currency, and you can make a complaint and they will —

DR. TANG: Just like you can go to HHS. I don’t know what the banking officials can do if Bank A is doing all this fishing on email and getting your — you know.

MS. BERNSTEIN: Well, it’s easier to measure the compensation if you’re out in a banking scheme because it usually involves cash or some monetary thing that can be measured.

DR. TANG: I’m still talking about it’s a loss of control. We do have a loss of control over the dissemination schemes that benefit us in general, benefit 99.9 percent of the folks.

MR. HOUSTON: Maybe — let me think — let me throw up a proposal to make this compromise. And again, I still have a problem in general with compensating individuals.

What if we were to posit that there will be no private right of action by individuals under — we would not propose a private right of action, but that we would recommend that some type of internal process be established, some type of process be established which in the event of an egregious violation which resulted in actual damages to the individual, there would be a process in place whereby that individual could be compensated for his or her actual damages.

MR. ROTHSTEIN: How?

MR. HOUSTON: I’m not saying how. Let’s not get into how yet.

MR. ROTHSTEIN: Oh, okay.

MR. HOUSTON: Because, you know, there very well could be ways that the NHIN could have some type of an ombudsman and some type of self-insurance plot that would have — you know, some type of fund which could be used that the entities would have to pay into, or something like that, and they could be charged in the event of this.

This would prevent — maybe would still allow for the true damage, the person that’s really damaged by this, and have it —

MR. ROTHSTEIN: I would propose one amendment. But, I mean, that’s really not too different from the language that I quoted, in theory.

Instead of where you say “damage,” I would say “harm,” because a lot of the harms are going to be intangible. You know, my husband left me, I lost my this, that and the other thing. Where you say “damages,” it’s out-of-pocket, you know, monetary.

MS. BERNSTEIN: We lawyers think of that word that way, by the way.

MR. ROTHSTEIN: How many lawyers think of this —

MS. BERNSTEIN: Damages in common parlance does not mean monetary damages, I don’t think. I mean —

MR. HOUSTON: But I would argue that we should restrict ourselves to that which is tangible because, you know, the pain and suffering of this and that becomes a real touchy-feely, open to a lot of interpretation.

But see, but if you to couple something of the concept of actual monetary —

MR. ROTHSTEIN: Monetary —

MR. HOUSTON: No, no, no, no.

MR. ROTHSTEIN: Damages.

MR. HOUSTON: Yes, but let me make my point. Actual monetary damages along with some sanction capability against the covered entity for doing something wrong.

What you’re doing is trying to reason — we split the difference between you’re trying to make the individual whole to some degree and trying to provide enough pain on the organization that caused the harm that they don’t want to do it again. But it doesn’t open up these wildly incredible damage awards that are based, you know, on hundreds of thousands and dollars based on pain and suffering, the attorneys’ fees, the person being divorced and now she’s, you know —

MR. ROTHSTEIN: That was never even —

MR. HOUSTON: When you talk about harm, I think harm is everything from —

MR. ROTHSTEIN: No, but you tied harm into unlimited damages. I mean, there would be a limit.

MS. BERNSTEIN: Practical, measurable.

MR. ROTHSTEIN: Yes. And there’d be a cap, $5,000 or whatever.

MS. BERNSTEIN: We’re not talking about punitive damages.

MR. HOUSTON: Oh, I think you — I thought that’s where it was going, and I’m having a problem —

MR. ROTHSTEIN: Harry? Please.

MR. REYNOLDS: Okay, here’s a thought. If the government endorses the NHIN, because we’re really talking to the Secretary; we’re not talking to everybody, right?

MR. ROTHSTEIN: Right.

MR. REYNOLDS: So if the government endorses the NHIN, then some ombudsman or Federal agency should be identified, because if you certify the NHIN, you’re going to do government over it, you just —

MR. HOUSTON: Right.

MR. REYNOLDS: Okay? It should be identified to allow individuals to seek retribution when their information is inappropriately used over the NHIN. In other words, you’re focusing it, because that’s really the subject we’re —

MR. ROTHSTEIN: Redress.

MR. REYNOLDS: — talking about here. Yes, whatever. You guys have got the right word.

Because I think the point is, you know, the government right now is letting all the RFPs and talking about the NHIN and doing this and that and we recommend to the Secretary, and if the government endorses it or does business over it.

Now, whatever happens with the private sector is the same way with HIPAA or anything else; I don’t know how that works. But I guess if the government is going to endorse it, then it has to come under some process.

MR. ROTHSTEIN: But I think technically the government doesn’t have to endorse it in order to create a mechanism to provide for redress. So, in other words, if I work for your bank and I steal money, the government isn’t involved but they can still put me in jail —

MR. REYNOLDS: Right.

MR. ROTHSTEIN: — and so on. I think the —

MR. REYNOLDS: I was just trying not to go outside our purview. In other words —

MR. ROTHSTEIN: No, I understand.

MR. REYNOLDS: Our purview is that we recommend to the Secretary. And from what we’ve heard in testimony and everything, if government business goes across the NHIN. That’s where I was headed.

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: That’s what I was trying to do —

MR. ROTHSTEIN: I see.

MR. REYNOLDS: — because that’s really our purview.

MR. ROTHSTEIN: Right.

MS. BERNSTEIN: Does everyone on the Subcommittee

agree that there should be some kind of redress on the individual level if there’s inappropriate use —

MR. ROTHSTEIN: Well, John’s latest language is compromised.

MS. BERNSTEIN: — with harm deriving from inappropriate use of information?

MR. HOUSTON: Well, I think both Paul and I are of the opinion that we don’t believe that. I’m trying to broker what I think is at least some type of compromise that this Committee can take forward. I don’t feel comfortable with it, but again, I’m trying to put something in place that —

MR. ROTHSTEIN: Well, if you —

MR. HOUSTON: I’m willing to move forward. I just want to comment. I’m willing to move over to compromise. I just —

MR. ROTHSTEIN: Okay, so what’s that line? Can you repeat that? Do you have that, Maya, or does Harry have it?

MS. BERNSTEIN: Harry’s?

MR. ROTHSTEIN: Well —

MS. BERNSTEIN: No, no, no — John’s.

MR. ROTHSTEIN: Goes back to John and maybe we can add some of Harry’s to it. I don’t care about you. I have you on board.

MR. REYNOLDS: I gotcha! [Laughter.] I’ll try to stay on board.

[Laughter.]

MR. REYNOLDS: Go ahead, Maya.

MS. BERNSTEIN: John said that although we do not want to recommend a private right of action, we would recommend some type of process be established in the event of an egregious violation resulting in out-of-pocket damages for which —

MR. HOUSTON: The actual monetary.

MS. BERNSTEIN: — a person could be compensated.

MR. HOUSTON: By the way, I would —

MR. ROTHSTEIN: Would you — instead of “out-of-pocket,” would you take “tangible harm?”

MR. HOUSTON: No. I think there has to be a direct tie to actual monetary damages, in my mind.

And by the way, the other part of it is I would say we need to recommend specifically against a private right of action.

MR. ROTHSTEIN: We just said that. Twice already, I think.

MR. HOUSTON: I think what Maya said was not that far.

MS. BERNSTEIN: I didn’t say that.

MR. HOUSTON: She didn’t say that.

MS. BERNSTEIN: I said we would not recommend one. I didn’t say we would recommend against one.

MR. REYNOLDS: What do you mean by “private right of action?”

MS. BERNSTEIN: The ability to go into court to sue.

MR. REYNOLDS: Get an attorney and go to the court, sue a hospital —

MR. ROTHSTEIN: On the basis of a violation of the statute.

MR. REYNOLDS: Right.

MR. ROTHSTEIN: Nothing that we would do is going to prevent them from going and suing under some other theory, like invasion of privacy or —

MR. HOUSTON: I would really — again, I would want to hear we recommend that there is no private right of action, and what this would cause.

MS. BERNSTEIN: That’s a new one. That’s a new recommendation.

MR. HOUSTON: Well, no, no, no, no. This is coupled — you might want to try a compromise here, because I think why it’s important to me is that what it does is it puts the evaluation of somebody’s harm, or damages, and the issue into some pre-defined, hopefully predictable process to get it resolved rather than, you know, the attorney calling me on the phone and saying as a privacy officer he’s got a patient; his client has been aggrieved and they want money because they think there is a violation of their privacy and I’m going to sue you if I don’t.

MS. BERNSTEIN: Let me break down what we have for a minute. We have — I mean, private right of action is a well-defined process. It doesn’t have an easy to predict result necessarily, but there is a process, there are lots of rules for it, there’s a place to go to get an adjudication. You know, people go to court to get a decision when they can’t make a decision on their own, basically.

MR. HOUSTON: I understand that.

MS. BERNSTEIN: And that’s just a process. You don’t like that process. Now you’re talking about —

MR. HOUSTON: Why? Because let me tell you what happens in a private right of action, though.

MS. BERNSTEIN: Expensive and time-consuming.

MR. ROTHSTEIN: We know why — it’s extortionate.

MR. HOUSTON: Yes, because people come forward with the $5,000 claim.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Yes, okay. So there are frivolous claims.

But your proposal isn’t that different. You were saying there should be a process and it should result — in egregious cases, there should be a resulting compensation.

But you still have the problem of deciding which are the egregious cases —

MR. HOUSTON: Right.

MS. BERNSTEIN: — and the people who make frivolous claims who don’t have egregious cases. And how are you going to differentiate that, and why is that different than a court process?

MR. HOUSTON: Well, because if you have a streamlined process that —

MS. BERNSTEIN: So you’re going — “streamlined” means?

MR. HOUSTON: “Streamlined” means you have a pre-defined ombudsman or process at the NHIN or the RHIO maybe in the region sets up and it’s like an arbitration process, it’s pre-defined, and —

MR. ROTHSTEIN: I would agree with that, that if I were designing a process, I’d put in some sort of mediation. Now we’re going into much more detail than — I mean, that’s what somebody at some level at some time may have to do that.

MS. BERNSTEIN: Right. What I’m saying is —

MR. ROTHSTEIN: What’s the minimum amount of information that we can put in both the text and the recommendation that gets our sort of conceptual agreement out?

MS. BERNSTEIN: I don’t think we have a conceptual agreement.

MR. ROTHSTEIN: Well, I mean, John was willing to go part of the way. I don’t know — we may have lost Paul in that agreement. Paul?

We may have lost Paul, period!

DR. TANG: No, no, no. So, John —

MR. HOUSTON: Here’s my proposal —

DR. TANG: — there’s a private right of action on the western half of the United States.

[Laughter.]

MR. HOUSTON: What, Paul? Paul was talking —

DR. TANG: They qualified it as “egregious,” is that the way you classify it?

MR. HOUSTON: Well, my compromise was twofold.

One, I said that there cannot be a private of action, meaning you can’t go in with your attorneys and go sue —

DR. TANG: Okay.

MR. HOUSTON: — the covered entity, but rather there would be some type of mediation process that would be sponsored by a RHIO or the NHIN which would allow an individual who was egregiously harmed to be able to get actual monetary damages. And again, this has to be — somehow it has to be mediated, but there would be an internal, some type of process, which could then, in certain cases, award actual monetary damages to the individual.

But again, what it would prevent is the attorneys coming to the door with the nuisance claims for the $5,000 or, you know, open a flood gate of law suits.

DR. TANG: I think I agree with that. So the one part is no private right of action; the other is that we do need, and we’ll probably stick more responsibility on this oversight board for RHIOs and other things that control the flow of information throughout the NHIN.

I think we’ve sort of alluded to that before and it has public, you know, representation and that kind of thing. So this may be one of their responsibilities, is figure out how to redress violations that cause harm.

Is that in keeping with the compromise?

MR. ROTHSTEIN: Yes, I think. Harry, are you still on board?

MR. REYNOLDS: Yes, I’m good with that, yes, right.

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: Amy, you look —

MS. CHAPPER: Yes, yes.

MR. ROTHSTEIN: I got one hand on the anchor, and —

[Laughter.]

MR. REYNOLDS: Amy, in particular, I’m not sure that —

MS. CHAPPER: It’s fine.

MS. BERNSTEIN: So, there’s a two-part — let me read — see if I got it, okay?

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: We have a two-part proposal on the table, which is Part A, we recommend against a private right of action, and Part B, we instead recommend that there should be a mediation or arbitration —

MR. ROTHSTEIN: A mechanism set up to —

MS. BERNSTEIN: A mechanism.

MR. HOUSTON: To mediate.

MS. BERNSTEIN: Mechanism set up to mediate —

MR. ROTHSTEIN: To receive and —

MS. BERNSTEIN: Adjudicate?

MR. ROTHSTEIN: — adjudicate claims, including through mediation and similar processes.

MS. BERNSTEIN: Some kind of ADR.

MR. ROTHSTEIN: Yes, conciliation, mediation, whatever.

MS. BERNSTEIN: It’s called “alternative dispute resolution.”

MR. HOUSTON: Where there is a right to receive damages for actual harm — for actual —

MR. ROTHSTEIN: Yes — put that down.

[Laughter.]

MR. HOUSTON: Actual damages for harm.

MR. ROTHSTEIN: Actual damages for harm? Okay, good. Actual damages for harm, you got that? Okay.

MS. BERNSTEIN: Right.

MR. ROTHSTEIN: All opposed? Okay.

So let’s go to the recommendations —

[Laughter.]

MR. HOUSTON: You know what this sounds like? It sounds like union negotiations.

MS. BERNSTEIN: Can we make clear that we are talking about an internal NHIN as opposed to a Federal —

MR. ROTHSTEIN: An HHS —

MR. HOUSTON: Federal or state.

MR. ROTHSTEIN: We should put “as part of the certification process” there —

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: — right? Isn’t that what we want to set up, as part of the certification process for RHIOs or other organizations that are —

MS. BERNSTEIN: Who’s certifying these things?

MR. ROTHSTEIN: Yes — well —

MS. BERNSTEIN: What certification process?

MR. ROTHSTEIN: Well, isn’t there? Do they have to be licensed? Aren’t they going to be regulated in some way?

MS. BERNSTEIN: Let’s be recommended.

DR. TANG: To me, I think there was some talk about — and this may come up in some of these RFPs for the running of these NHINs or RHIOs — that the local organization, sort of the RHIO organization setting some rules on how you quality for HIT compensation or reimbursement. And as part of that, we would hope that they include the provisions for privacy and security, confidentiality.

MR. REYNOLDS: One thing, though, not everything going through the NHIN is going to be involved with RHIOs.

MS. BERNSTEIN: That’s right. That’s correct. It is one model —

MR. REYNOLDS: That is one model.

MS. BERNSTEIN: — for how things might be done that is being pushed by some particular organizations.

MR. REYNOLDS: Not all states will have RHIOs.

MR. ROTHSTEIN: Can we say that anyone who uses the NHIN must make provisions for —

MR. REYNOLDS: I like that.

MR. ROTHSTEIN: — being —

MR. HOUSTON: Yes.

MR. REYNOLDS: And I like that, yes, right.

MR. ROTHSTEIN: — covered under a system —

MR. REYNOLDS: Amen, I like that.

MR. ROTHSTEIN: — that provides for —

MR. REYNOLDS: The models are not clear, who’s going to have the ball is not clear, so I like that.

MS. BERNSTEIN: Anyone who uses the NHIN should make provisions for —

MR. ROTHSTEIN: For being part of a system to adjudicate claims alleging violations of privacy or —

MR. REYNOLDS: Let’s don’t use “adjudicate claims.”

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: By?

MR. REYNOLDS: You talk about a term of art! [Laughter.]. No, I’m serious.

MR. ROTHSTEIN: “To resolve disputes?”

MS. BERNSTEIN: Resolve disputes.

MR. REYNOLDS: I got that. I’m good with that. But “adjudicate claims” is definitely a term of art.

MS. BERNSTEIN: Okay. Resolve disputes —

MR. ROTHSTEIN: Resolve disputes or —

MS. BERNSTEIN: — alleging violations of privacy by — or alleging violations of privacy, period?

MR. ROTHSTEIN: Right. And in resolving the claims, alternative dispute resolution methods should be used and then the language on the harm damages.

MS. BERNSTEIN: You know what? You can make a provision — what if we just say “make provisions” and say, you know, with the implication that those provisions could be we go to court if that’s what our provision decides to be; if we decide that we want — that our group is going to decide we’re going to use the judicial system that exists already, that’s fine.

And if you decide you want some mediation or arbitration or whatever it is that you decide, but you have some mechanism which is —

I’m sorry I’ve been distracted, for those of you on the phone, but John has appropriated Helga’s tent card since Helga’s not here and he’s written on it “People of good faith will find solutions.” He’s an inspiration to us.

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: Okay, so the idea is that if you make an arrangement, you make a provision, for being part of a system to resolve disputes, that system could be — you’re a private sector actor; it could be the existing judicial system.

MR. HOUSTON: I will even agree to that.

MS. BERNSTEIN: And one can choose.

MR. HOUSTON: I will even agree to that.

MS. BERNSTEIN: If you don’t choose that, you can choose some other mechanism.

We are not going to say which mechanism to use.

MR. ROTHSTEIN: But there must be a mechanism.

MS. BERNSTEIN: There must be.

MR. HOUSTON: That could be very — that could also allow you to take into consideration state laws that might provide specifically for private rights of action, so I will even accede to that one.

MR. REYNOLDS: And if you went one step further, when you get into this certification process, that could also be —

MR. ROTHSTEIN: Right.

MR. REYNOLDS: — a portion of that, that people that you certify have validated that they do have —

MS. BERNSTEIN: Right. I would like to know about —

MR. REYNOLDS: That would be another possible recommendation.

MS. BERNSTEIN: — the certification process.

MR. REYNOLDS: That could be another —

MS. BERNSTEIN: There could be another

recommendation —

MR. REYNOLDS: Yes.

MS. BERNSTEIN: — that there should be some kind that the Secretary should adopt or a state should adopt or something, some kind of certification process that organizations who manage, control —

MR. REYNOLDS: Do business over the NHIN.

MS. BERNSTEIN: — using PHI — I can’t write and talk at the same time — but there should be a certification process for those businesses, those entities, that — what did I just say? That participate — what did you say, Harry?

MR. REYNOLDS: That do business.

MS. BERNSTEIN: That do business or —

MR. REYNOLDS: — do a better chunk —

MR. ROTHSTEIN: What we should probably —

MS. BERNSTEIN: You mean PHI in basically the context of —

MR. ROTHSTEIN: I mean, I agree with that, but I would recommend that that should be in a different section of this, or a different sub-section, because this sub-section is Enforcement.

MR. REYNOLDS: Okay.

MR. ROTHSTEIN: And can we move that —

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: — to Procedures?

MS. BERNSTEIN: Well, the certification process —

MR. REYNOLDS: Okay.

MS. BERNSTEIN: — could be part of Federal enforcement, right.

MR. REYNOLDS: I’m open to either. I mean —

MR. HOUSTON: Me, too.

MR. ROTHSTEIN: Yes, we’ll revisit that later.

MS. BERNSTEIN: Let’s get the idea down, which I’m not sure I have, but —

MR. ROTHSTEIN: All right, we’re going to give you a minute to catch up, and then I want to go through the recommendations, and then we’re going to break for lunch.

MS. BERNSTEIN: Okay, I’ll figure this out, but —

MR. ROTHSTEIN: Are you in good enough shape to —

MS. BERNSTEIN: Yes.

MR. ROTHSTEIN: Okay. So we now need to consider at least 13, 14 and 15, and I have a substitute proposal for Number 13, because we’ve changed that language.

So, making it consistent with what we agreed to earlier, it would be something like this:

“Individuals whose records have been inappropriately accessed or used should be notified promptly.”

MR. HOUSTON: That’s fine, but it should go up underneath the other section, the Procedures section, with the language related, correct?

MS. BERNSTEIN: Not under Enforcement?

MR. ROTHSTEIN: Not Enforcement? That should be a Procedures?

MR. HOUSTON: Wasn’t that where the text was discussed, was under Procedures?

MR. ROTHSTEIN: I’m looking.

MR. HOUSTON: I thought that was what we —

MR. ROTHSTEIN: Yes, you’re right. So —

MR. HOUSTON: So I think we just move it up. I don’t have a problem with that.

MR. ROTHSTEIN: Okay, can we move that?

MS. BERNSTEIN: Okay, it goes where now? It goes —

MR. HOUSTON: It goes right under 12.

MR. ROTHSTEIN: It goes under those little “ii.”

MR. HOUSTON: Right below 12. I’ll change — move it where we discussed it.

MS. BERNSTEIN: But now I have all kind of notes in here, so it’s hard to answer. And it’s not in my machine, so I —

What you’re calling 13, which is down here in —

MR. ROTHSTEIN: It should be under Enforcement. It should be in the prior section.

MR. HOUSTON: I don’t have a problem with it.

MS. BERNSTEIN: And the language says — used to say —

MR. ROTHSTEIN: Okay. It used to say “All breaches of blah-blah-blah.”

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: Okay, the new language is:

“All individuals whose records have been inappropriately accessed or used should be notified promptly.” Which is sort of word for word from what we did before.

MS. BERNSTEIN: “All individuals whose records have been inappropriately accessed or used should be” —

MR. ROTHSTEIN: “Notified promptly.”

MS. BERNSTEIN: –“notified promptly.”
MR. ROTHSTEIN: So that replaces 13. Okay with the Californians?

DR. TANG: Yes. I mean, basically you just changed the wording of 13 and moved it to Procedures, right?

MR. ROTHSTEIN: Correct.

MR. HOUSTON: Right.

MR. ROTHSTEIN: Okay. So 14, then, is:

“Severe penalties should be imposed for privacy and confidentiality violations committed by any individual or entity.”

MR. HOUSTON: I would only change that to — rather than “severe penalties,” I would say “caning at one’s toes.”

MR. REYNOLDS: What did you say again, Mark?

MR. ROTHSTEIN: Well —

MS. BERNSTEIN: That’s what’s written here, right?

MR. ROTHSTEIN: Yes. It’s the Number 14, “Severe penalties should be imposed for privacy and confidentiality violations committed by any individual or entity.” We don’t say what they are.

And in the text, we had previously agreed to:

“Several witnesses testified that strong enforcement and penalties are essential to deter wrongdoing” et cetera et cetera et cetera. And we also agreed that “We believe that appropriate civil and criminal” — would you prefer “appropriate penalties?”

MR. HOUSTON: Well, first of all, we’re talking civil and criminal sanctions as being one, so, I mean, we might as well float that down to the Recommendations section.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: And we should also say that there should be an enforcement process. What we say is “an enforcement process with” that can — what’s the word? Not “deliver” — but can —

MS. BERNSTEIN: Effective enforcement procedures.

MR. HOUSTON: Effective enforcement process that includes the ability to assign civil and criminal sanctions should be provided —

MR. ROTHSTEIN: Employed, or provided for.

MR. HOUSTON: — for privacy and confidentiality violations, because I think if you look at the OCR model and what’s place for privacy, there isn’t the capability to investigate and decide whether lesser penalties are appropriate, or lesser actions are appropriate.

We just say that there is a privacy violation and OCR comes in and they say, you know, we’d like you to retrain your work force, or the covered entity proposes to retrain a work force.

MR. ROTHSTEIN: Right.

MR. HOUSTON: That might be an appropriate —

MS. BERNSTEIN: Informal resolution.

MR. HOUSTON: — informal resolution.

But then, would anybody come in and say, you know something? That was absolutely egregious here, not listening to what we’re saying, and then they —

MR. ROTHSTEIN: You guys said you were going to train them and you did train them. You —

MR. HOUSTON: Now you have this problem again.

MR. ROTHSTEIN: Yes.

MR. HOUSTON: And so I think that there has to be that lesser capability by some type of oversight function as well as up to and including civil and criminal penalties.

MR. ROTHSTEIN: Okay. I have no problem with that.

MR. HOUSTON: So I just think there has to be that, because when you to the “severe penalties,” it’s like, you know, get out the cane and start — you know.

MS. BERNSTEIN: My only — I don’t know how you talked about this in the past. I mean, all that may be fine for the civil sanctions. But I don’t see any way of imposing criminal sanctions.

MR. ROTHSTEIN: Right. The criminals go to Justice.

MS. BERNSTEIN: Well, the criminal sanctions, I think, would actually need to arise from some legislative source.

MR. ROTHSTEIN: Correct. Yes, so these are recommendations and —

MS. BERNSTEIN: And we have no control over DOJ.

MR. HOUSTON: Right. But what we could say is, we could say the recommendations need — but I think we probably have this ability to do this, at least for covered entities that already are obliged under the HIPAA privacy rule, sanctions that are currently available will be extended to their actions in the NHIN.

MR. ROTHSTEIN: No, I don’t think there’s jurisdiction to do that.

MR. HOUSTON: I think it’s already there.

MS. BERNSTEIN: We can look into whether there is any concern on —

MR. ROTHSTEIN: Well, first of all, you have to realize that a lot of this stuff that we’re recommending here is going to require Congressional action.

MS. BERNSTEIN: Sure.

MR. HOUSTON: I agree, yes. We might as well propose it.

MR. ROTHSTEIN: Okay, so part of what we’re asking the Secretary to do is support legislation as well as —

MR. HOUSTON: Right.

MS. BERNSTEIN: Okay.

MR. HOUSTON: But I just think there’s this concept of a continuum of options vis-à-vis addressing —

MR. ROTHSTEIN: I have no problem with that.

MR. HOUSTON: However you want to wordsmith it, I think, maybe —

MR. ROTHSTEIN: Yes. Severe penalties need to be available for some cases, but I don’t want to give the impression that everybody that comes in gets a hundred thousand dollar fine or whatever.

MR. HOUSTON: Okay. I have no problem with that.

MR. ROTHSTEIN: And I don’t know how we can get in there the sense that they need to be enforced aggressively.

MR. HOUSTON: I think that’s (?). Hopefully, that’s —

MR. ROTHSTEIN: Well, I don’t know.

MR. HOUSTON: And build it and they will come. I mean, OCR isn’t wanting for people to just file complaints, right?

MS. BERNSTEIN: Not yet.

MR. ROTHSTEIN: Yes, but they’re wanting for people to investigate them and they’re wanting for the inclination to impose civil penalties.

MS. BERNSTEIN: Well, I mean, it’s not necessarily the inclination to impose civil penalties. It really may depend on, I mean, how you want entities to proceed with sanction laws.

And it is perfectly fine if you want the sanction policy in the NHIN to become a you do it, you pay the fine, and then you also take corrective action.

MR. ROTHSTEIN: Right.

MS. McANDREW: That is not an enforcement scheme that we have adopted under HIPAA. The issuing of the fine comes because you don’t want to take the corrective action, and we need that additional incentive to get you to the table to be reasonable.

So there is a possibility of — the scheme is for corrective action and to try to improve things, only —

MR. ROTHSTEIN: Right. Which would be more likely OSHA model.

MS. McANDREW: In egregious cases, do you get to a point of civil penalties?

MS. BERNSTEIN: Egregious and uncooperative cases.

MS. McANDREW: And uncooperative.

MR. ROTHSTEIN: Yes, and the reason that Congress didn’t go for that in, for example, OSHA or other legislation, is that they felt that you’re giving people one bite of the apple. And so once you get nabbed, then you say, “Okay, I’ll be good in the future,” rather than knowing that you have to be good from Day 1.

I mean, there are different approaches, but

personally, under the heading of building trust, making sure people realize that we’re serious about this, the other model is much more appealing, but I don’t know how

to —

MR. HOUSTON: Gamble on this.

MR. ROTHSTEIN: Well, how to put that in there.

MS. BERNSTEIN: Well, you know, we can make — I mean, you can make recommendations that you know to be (?). You can. It’s a sort of sense of the Congress kind of a thing, right? I mean, you can tell the Secretary you think it ought to be such-and-such a way even if you know practically it’s difficult or whatever.

MR. HOUSTON: I think we need to impose a level of practicality to make —

MS. BERNSTEIN: Well —

MR. HOUSTON: That goes to our credibility. I really do. I think we have to be practical about the things we offer.

MR. REYNOLDS: I like actionable, more actionable.

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: Okay, are we comfortable on 14?

MS. BERNSTEIN: Let me find it again; I have all these notes. Fourteen says — 14 still says — well, there’s a whole discussion about 14. [Laughter.]

MR. ROTHSTEIN: We had changed —

MS. BERNSTEIN: Yes.

MR. ROTHSTEIN: I mean, as it’s worded now, I think it’s not worded very well —

MS. BERNSTEIN: Right.

MR. ROTHSTEIN: — because severe penalties should be available in appropriate cases, and the way it reads now is that everybody gets a severe penalty, and that’s not what I had in mind, but that’s what it says.

MS. BERNSTEIN: Okay. Here I have something else.

MR. ROTHSTEIN: So, John had some language, I think, that changed that.

MR. HOUSTON: And if you ask me to re-say it again — [laughter].

MS. BERNSTEIN: We have:

“An enforcement process as a part of the processing should include the ability to assign civil and criminal penalties.” Or we used the word “informal,” some other informal resolution that there should be — up to include severe penalties. We were saying there should be lesser capabilities —

MR. HOUSTON: Right.

MS. BERNSTEIN: — by whatever the oversight function is, up to —

MR. ROTHSTEIN: We could put, “A range of —

MS. BERNSTEIN: A range.

MR. ROTHSTEIN: — “penalties should be available to enforce the provisions” or whatever.

MR. HOUSTON: Does it say “corrective actions and penalties” or something of that sort, because a lot of —

MR. ROTHSTEIN: Sanctions?

MR. HOUSTON: Well, but what OCR does is work formally with organizations, and we might decide upon corrective actions that address the concern.

MS. BERNSTEIN: Informal —

MR. HOUSTON: We go back and do more training or we put a process in place because it’s something —

MS. BERNSTEIN: Procedural corrective actions.

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: It could be more notice, it could be more training, it could be —

MR. HOUSTON: Yes, really a bunch of things. I mean, it’s just always —

MR. ROTHSTEIN: “A range of enforcement measures should be available” —

MR. HOUSTON: Right.

MR. ROTHSTEIN: — “up to and including severe penalties.”

MR. HOUSTON: Well, let’s say “and corrective

action and enforcement” again. Let’s just say a case where we find —

MR. ROTHSTEIN: Okay. See, I would consider corrective action within the realm of enforcement.

MR. HOUSTON: But I don’t care. You can say —

MS. BERNSTEIN: Compliance and enforcement.

MR. ROTHSTEIN: Yes, compliance and enforcement.

MR. HOUSTON: Yes. You know, OSHA may accept the fact that we fire somebody —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — that does something wrong. Corrective action puts the right tone on things is my take on it.

MS. BERNSTEIN: So you want everything from, you know, minor corrective actions to severe fines, I mean, anywhere in that range?

MR. ROTHSTEIN: Correct.

MR. HOUSTON: Yes. And do we set the fine level being consistent with what’s in HIPAA, because it’s a —

MS. BERNSTEIN: No.

MR. HOUSTON: Or do we just simply say “fines?” “Severe” sounds —

MS. BERNSTEIN: That’s just a large range of possibilities. All we’re saying is anywhere within that realm, there’s procedures —

MR. ROTHSTEIN: We’re going to need new legislation —

MR. HOUSTON: Right.

MR. ROTHSTEIN: — and we’re on record as saying that there should be lots of options in your bag of tricks.

MR. HOUSTON: Okay.

MS. McANDREW: Do you think the CMA structure as under HIPAA would be appropriate here — fines, or you could say, no, $100.00 in violation is too small, $25,000 as a cap is too small, too big?

MR. ROTHSTEIN: I think that’s micro-managing.

MS. McANDREW: Well —

MR. ROTHSTEIN: Well, that’s what we do.

[Laughter.]

MR. REYNOLDS: Yes, but the only reason I would not do that is, again —

MS. McANDREW: The question is, if you have an opinion on the matter, you can express it. If you don’t have an opinion, then —

MR. ROTHSTEIN: I do have an opinion, but we’d probably have 18 opinions at NCVHS.

MR. REYNOLDS: Well, again, until we understand better the structure of where this NHIN is going to fit, I’m not willing to give my — I’m not willing to align to anything that —

MR. ROTHSTEIN: And probably what is maybe more appropriate is we’re setting out sort of a framework, and then when it comes time for rule-making, and we’ll comment, like we did for the privacy proposals and stuff like that, security, but I think now maybe it’s not the right time.

Okay, on 15, can we replace 15 and conform that to the language that we agreed to?

MR. HOUSTON: I think rather than try to agree, I think we’ve already got words for that.

MR. REYNOLDS: Yes, we worked that.

MR. ROTHSTEIN: Does that mean “beat to death?”
[Laughter.]

MR. REYNOLDS: I decided to take the high road. We —

MR. ROTHSTEIN: Okay, so it’s now 12:15. Can we take a half-hour?

MR. HOUSTON: Yes.

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: Is that not enough?

MR. REYNOLDS: Yes — do we want to just bring food back down here?

MR. ROTHSTEIN: Well, yes, that’s what I’m saying.

MR. REYNOLDS: Yes, I think that’s a good idea.

MS. BERNSTEIN: It’s breakfast time in

California .

MR. ROTHSTEIN: Oh, okay — tell us what you want to do.

DR. TANG: I thought I’m going to leave to go to the airport now, so I probably won’t be able to join you for the rest of the meeting.

MR. ROTHSTEIN: Okay. Simon?

DR. COHN: Mark, how long do you intend to have the meeting go today?

MR. ROTHSTEIN: Till 4 Eastern.

DR. COHN: Okay. I’m going to be probably going in and out as the morning progresses. I’m supposed to be

— I’m in Seattle right now, and I’m supposed to be at those other meetings.

MR. ROTHSTEIN: Okay.

DR. COHN: I can certainly hold off for a while, but probably in about an hour, hour and a half, I’ll be wandering off to something else. So why don’t you make it a short lunch, if you can.

MR. ROTHSTEIN: Yes. We’re going to take a half an hour, just time to get stuff and bring it back here, and then, just to alert you, the plan is to go to what used to be Section 3, which is now C. Let me see what it’s called.

DR. COHN: Okay.

MR. ROTHSTEIN: We’ve been going backwards.

So we finished the regulatory issues. We’re now on C, “Disclosing Personal Health Information.”

MR. HOUSTON: Then we’re going to go to B.

MR. ROTHSTEIN: No, then we’re going to A. [Laughter.]

MS. BERNSTEIN: It’s going to be harder.

MR. ROTHSTEIN: Yes.

DR. TANG: Have a good lunch break.

MR. ROTHSTEIN: Okay. I think as long as you’re not going to be on the rest of the call, I want to tell you that we’re still scheduled for the 15th, and the plan is probably now it becomes increasingly clear to me that we will work from 2 to 5 on the 15th.

MS. BERNSTEIN: From 2 to 5?

MR. ROTHSTEIN: Yes, because I can’t get in until 1.

MS. BERNSTEIN: Okay, that’s fine.

MR. ROTHSTEIN: From 2 to 5 on the 15th, and we’ll do Section B. We’ll have that whole three-hour block to do B.

MR. HOUSTON: Can we go 2 to 6?

MR. ROTHSTEIN: Fine, 2 to 6, whatever it takes.

MR. REYNOLDS: Fine with me.

MR. HOUSTON: I mean, I don’t care what time we work to.

MR. REYNOLDS: No, I don’t, either.

MR. ROTHSTEIN: Well, we can go 2 to 9.

MR. REYNOLDS: Well, but it depends upon —

MR. HOUSTON: I’d like to go 2 to 6. We’re stuck in town, so —

MR. ROTHSTEIN: So we have to go 2 to 5.

MS. BERNSTEIN: I’m fine, but —

MR. HOUSTON: Why?

MS. BERNSTEIN: Because of staff support, so —

MR. HOUSTON: Okay.

MR. ROTHSTEIN: — we’ll go 2 to 5. And we’ll do Section B.

And today we’re going to do C and then A and the Introduction, depending on whether we’ve got time, and we’ll just hope the —

MS. BERNSTEIN: Are you going to make any remarks about what’s going to happen in between now and then or our preparation for our presentation at that meeting, before we lose Paul?

MR. ROTHSTEIN: Yes. Paul, Simon, just to tell you my plans for the 16th at the full Committee meeting, we — are you still there?

DR. COHN: Yes.

DR. TANG: Yes.

MR. ROTHSTEIN: Okay. We’ve got an hour and 15 minutes to report to the full Committee what we’re working on, and my plan was as follows: To begin with a short overview of all the —

MS. BERNSTEIN: You guys, it’s all being —

MR. ROTHSTEIN: — hearings that we’ve held, who we’ve listened to, and what the overall structure, just sort of the working structure, of our report is.

And then we would have shorter presentations on each of the sections that we agree to. So, for example, I’m going to ask Harry to speak about Section F, on Maintaining Trust, and, Paul, I’d ask you if you’d be willing to talk about Section E on Secondary Uses, which we’ve already agreed to, and then John to talk about D, which is the Regulatory that we just finished.

And I won’t assign any more sections, but just to lay out for the full Committee what our recommendations are likely to be and what some of our sort of thinking is behind them.

DR. TANG: Okay.

MS. BERNSTEIN: Okay?

MR. ROTHSTEIN: Simon, okay?

DR. COHN: Yes. No, I think it sounds great.

MR. ROTHSTEIN: Okay.

DR. TANG: The presentation is — approximately what you’re thinking about?

MR. ROTHSTEIN: Well, I’m thinking that I would spend maybe 15 minutes, tops, going through the — discussing the hearings and the sort of the structure of our letter that we’ve been working from and then maybe five minutes on each of the sections, followed by discussion. So, Harry may talk for five minutes saying, you know, what we did on the Maintaining Trust section, but people may want to talk about it for another ten minutes or so. And same thing with the other sections.

We’ll probably have three or four sections of the report letter agreed to by the time we need to do it. Maybe, if we’re lucky, we’ll have the whole thing agreed to, but who knows? Okay?

DR. COHN: Great.

DR. TANG: Thank you.

MR. ROTHSTEIN: All right. Thanks, Paul, thanks, Simon, and —

MS. BERNSTEIN: Five minutes to —

MR. ROTHSTEIN: — I’ll see you on the 15th, and we’ll be back at ten of, right?

MS. BERNSTEIN: Five of.

MR. ROTHSTEIN: Ten of, five of.

DR. COHN: I’ll dial back in in half an hour.

MR. ROTHSTEIN: Okay.

Whereupon, a lunch break was taken at 12:25 p.m.).


A F T E R N O O N S E S S I O N (12:57 p.m.)

MR. ROTHSTEIN: We are going to start on Section C, Disclosing Personal Health Information. With no objection, we’ll go just sort of paragraph by paragraph. I’ve got a couple of comments on some of the later paragraphs. But I’ll give you a minute to review the first paragraph in D.

MR. HOUSTON: C?

MR. ROTHSTEIN: I’m sorry — well, yes, I’m sorry — in C, on Page 5, the one that begins “Modern health care.” John?

MR. HOUSTON: Yes. My concern with this paragraph is the third to the last sentence, starting with “This principle, role-based access criteria, has been successfully embodied in the EHR architecture at several large health organizations and health care systems.”

I’m a little concerned, and I know we talk about this role-based access a couple of other places.

MR. ROTHSTEIN: Right.

MR. HOUSTON: Role-based access is a very sticky issue, and I’m very concerned with — first of all, we have role-based access, but, frankly, we’re very broad in our roles because of the concern over not having adequate information for purposes of patient care.

And it’s easy in one sentence — well, not easy, but it’s doable for an organization to build a new role- based access. I’m not sure how you overlay that concept into the NHIN. I think it becomes extremely difficult, and I’ll tell you how.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: I think that if you have information in the NHIN, you then have to be able to characterize the information in a way that allows existing rules on the spared system be overlaid over top of that information.

You know, by example, we use Cerner, and we might have some psych data that’s specifically identified as psych data in the Cerner system, and we might have a set of rules associated with psych data.

We have to make sure that the information that’s coming in from the NHIN that we’re querying, okay, that it’s properly classified as psych data. Or psych might be easy, but there might be a variety of different data types that then have to be classified and then the rules applied to it.

And I just want to cautious that I think in a lot of technology that has to be implemented behind the scenes to make something like this work correctly, and my fear is that that level of complexity in the NHIN may be years away. That’s my only caution.

MR. ROTHSTEIN: Well, I mean, let me give you a simple example.

If I go to one of your hospitals and they send me down to have a blood draw —

MR. HOUSTON: Right.

MR. ROTHSTEIN: — okay? So the lab tech drawing my blood is going to have some restrictions placed on what he or she has access to.

MR. REYNOLDS: Absolutely.

MR. ROTHSTEIN: Yes. Suppose, instead of having the blood draw inside your hospital, I now go to some community clinic which is closer so I don’t have to drive to downtown Pittsburgh —

MR. REYNOLDS: Absolutely.

MR. ROTHSTEIN: — and I want my blood drawn, and they should have — this is the point of this paragraph — the same role-based access restrictions should apply to the blood draw that I’m going to have in the North Hills as opposed to in Oakland.

MR. HOUSTON: Don’t disagree with you. Here is my dilemma, and it’s a matter of degrees.

Clinical systems are different in terms of the way they’re typically designed. Not all of them are designed with the same data-based schemes and the level of complexity and role-based access. And sometimes they’re just different.

My only concern is when you try to come up with a way to marry the role-based access scheme of one system against the data that is going to get from a spared system that may have a different design to it could make this contextual access, or being able to automatically differentiate the data, in order to provide the role-based security might make it very difficult. That’s all —

MR. ROTHSTEIN: Okay. So, let me just clarify what I hope this paragraph says, and that is, I don’t hear you disagreeing with the principle; I hear you saying that there are sort of practical limitations that may be overhanging now.

And I think all we’re saying is that as we move forward, this is something that we should try to incorporate.

MR. REYNOLDS: Yes. I think your words here are fine. But your explanation is where I think it — in other words, every entity should define their roles.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: Okay, and I think that may be a cleaner way of stating it. Every entity should have their roles defined and access appropriately.

But, two different entities could have a nurse or a something else, depending upon the size of the entity and the things they do. A nurse here may have access to a lot; a nurse here may be only in a specific area and only have access — or a lab tech.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: They might be doing lots of different kinds of labs, whereas his blood drawer might just be doing certain things.

I mean, so each entity sets up the roles.

MR. HOUSTON: But my point and my issue is a little bit of the lower depth. I recognize that the roles are different in organizations and the way the systems interpret those roles are going to differ.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: That’s a given.

MR. HOUSTON: What I’m concerned about is sort of the next layer below it, which is now I have all these different — I’m getting this data through the NHIN that is coming into my clinical system. I think one of the big challenges is going to be is how do you insure that the data that you’re getting in is appropriately classified so that when you apply the role-based security against that data that the appropriate data is displayed and the inappropriate data is not included?

And so maybe going to the last sentence in this paragraph —

MR. ROTHSTEIN: Okay.

MR. HOUSTON: — my only thought might be is we believe role-based access criteria should be evaluated or researched for application. Or somehow I think where there’s a — this is where, I think, you questioned. Maybe we need to figure out whether to do some investigation into the success of doing this and I think it involves — it part it comes down to data standards and things of that sort —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — because if you have real good data standards and are able to use those and apply classification criteria to that data, it gets really stickier.

MR. REYNOLDS: Yes, and I think — well, play off that point.

The role-based says what I should have. But NHIN is going to initiate this whole new idea of data from disparate entities being transferred. And I think the words, the classification, what level of role — if it meant one thing in one organization, it may mean another thing in another organization. And I think that’s what this whole thing is about.

MR. HOUSTON: Yes.

MR. ROTHSTEIN: But unless we put into place, “we” meaning the NHIN gods, there will be no standard, or no effort made to sort of make comparable role access rules apply. And that, I think is —

MR. REYNOLDS: Roles and classifications. I think if you added “roles and classifications” to data —

MR. HOUSTON: You have to do both.

MR. REYNOLDS: — then I’d feel better.

MR. HOUSTON: But I think our recommendation has to be in terms of evaluating this, because the train wreck I fear comes is that the NHIN is available and that data is improperly excluded, that somebody that needs to see data doesn’t see it because the role-based system that they’re on either says, you know something? That person is not allowed to see this data that I’m getting from NHIN because the data is not classified in a way that’s meaningful to the recipient system.

I know this sounds very technical, but I have seen this type of issue arise, and again, I think it’s — this a ways down the road — I think it’s definitely a direction that we need to be focused on, but it involves an enormous amount of work on data standards, and not just data standards, but there has to be also some inherent classification in those data standards that I’m not sure —

MR. REYNOLDS: Because the big deal of the thing that we all tend to lose of sight of something, our entry-level job is the mailroom, and every bit of paper that comes in, that entry-level person has the ability to read.

No, no, I mean, I always use that as an example —

MR. ROTHSTEIN: Right.

MR. REYNOLDS: — a lot.

So, basically, we really get all wound up about a system, but there’s some things going on in this paper world right now that also add some interesting issues.

MR. HOUSTON: No doubt. And I think we’re trying to improve upon those things.

MR. REYNOLDS: Yes, I agree.

MR. HOUSTON: So I’m just trying to throw a little caution here, Mark. That’s all — I only —

MR. ROTHSTEIN: Can we put something like: “We also believe that research and pilot projects should be undertaken to facilitate the adoption of role-based access criteria for the disclosure of personal health information in the NHIN” — something like that?

MR. HOUSTON: Instead of “accurate disclosure,” say “appropriate disclosure.
MR. ROTHSTEIN: Well, I don’t know. The “accurate” —

MS. BERNSTEIN: Role-based criteria for the accurate —

MR. ROTHSTEIN: Okay, so let’s start over again. “We also –“

MS. BERNSTEIN: “We also believe that research on pilot projects should be undertaken” —

MR. ROTHSTEIN: “Research and pilot projects.”

MS. BERNSTEIN: — “and” — all right, “and pilot projects should be undertaken to facilitate the adoption of role-based criteria” —

MR. HOUSTON: And data standards.

MR. ROTHSTEIN: Well, we haven’t talked about data standards in that paragraph.

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: It’s sort of out of context.

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: So, “role-based access” — let’s see. “We also believe that research and pilot projects should be undertaken to facilitate the use of role-based access criteria in the disclosure of personal health information from the NHIN?”

MS. BERNSTEIN: “Role-based access criteria in the disclosure of” —

MR. ROTHSTEIN: “Of personal health information.” Then the rest is the same from the original.

MR. HOUSTON: I think we’re going to want to say something — I was just sort of thinking that it’s — facilitate adoption of role-based access. It’s not the adoption, the use of it; it’s insuring that the use of role-based access criteria are —

MR. REYNOLDS: Aligned?

MR. ROTHSTEIN: Supported?

MR. REYNOLDS: Aligned?

MS. BERNSTEIN: Coordinated or —

MR. HOUSTON: Criteria are not coordinated. It’s this role-based access criteria ensures that appropriate data —

MR. ROTHSTEIN: Or role-based access — are standardized, something like that?

MR. HOUSTON: No, what I want to do is make sure that appropriate data is provided through the NHIN, based upon the role-based access criteria.

MR. REYNOLDS: See, I guess I’d rather say, when you use a word — and read the first part of the sentence, would you?

MR. ROTHSTEIN: “We also believe that research and pilot projects should be undertaken” —

MR. REYNOLDS: Okay, stop right there. Then I would say, “to define, understand and recommend” —

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: — the relationship between role-based — the classification of data, the role-based usage in this area, and how it can ensure that the right data gets used. I don’t know. I got a little flaky there.

MS. BERNSTEIN: “Define, understand and” —

MR. ROTHSTEIN: “Recommend role-based access” —

MR. HOUSTON: “Criteria.”

MR. ROTHSTEIN: — “criteria used for the disclosure of” —

MR. REYNOLDS: There you go.

MR. ROTHSTEIN: Okay?

MR. REYNOLDS: Because I think if we’re asking them to do research —

MR. ROTHSTEIN: Right —

MR. REYNOLDS: — I think telling them to facilitate something until we see what they really find, because I —

MR. ROTHSTEIN: All right, let me read that sentence again, and, Simon, then I’ll ask if it’s okay with you as well: “We also believe that research and pilot projects should be undertaken to define, understand and recommend role-based access criteria for the disclosure of personal health information from the NHIN.” Simon?

DR. COHN: That’s fine, except is it disclosure or is it access?

MR. HOUSTON: It’s disclosure by one, access by another.

MR. ROTHSTEIN: Yes.

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: All right, how about “for the transmission of” —

MS. BERNSTEIN: Sharing?

MR. HOUSTON: Sharing.

MR. ROTHSTEIN: — or for the — “sharing?”

MR. REYNOLDS: Yes, I like that.

MS. BERNSTEIN: Sharing’s always a good word.

MR. ROTHSTEIN: “Of personal –” — “in the NHIN.”

MS. BERNSTEIN: Okay, make sure I got this.

MR. ROTHSTEIN: “We also believe that research and pilot project should be undertaken to define” —

MS. BERNSTEIN: “Define, understand and recommend the” —

MR. ROTHSTEIN: No. “Role-based access criteria.”

MS. BERNSTEIN: “The role-based” —

MR. ROTHSTEIN: “And recommend role-based access criteria for the sharing of personal health information in the NHIN.”

MS. BERNSTEIN: “Sharing of –“

MR. ROTHSTEIN: “Personal health information in the NHIN.”

MS. BERNSTEIN: I’m in the wrong — “define, evaluate” —

MR. HOUSTON: Somewhere you have to talk about data classification, its function, because role-based is only half the issue, it really is.

MR. ROTHSTEIN: Is that putting it too complex a level? Is that going to pass the Jeff Blair test?

MR. HOUSTON: Unfortunately I was sort of caught in the middle of this because it’s a fairly complex issue, but it’s real. So, you know, I’m —

MR. ROTHSTEIN: How about if we — here’s another place where we might want to stick it in. See the sentence that begins “This principle of role-based access criteria?” We could maybe put in parens “and the related concept of data classification” —

MR. HOUSTON: Right.

MR. ROTHSTEIN: Would that do it for you?

MR. HOUSTON: Yes.

MR. REYNOLDS: Yes, I think that would do it.

MR. ROTHSTEIN: Simon, you see where we’re talking about?

DR. COHN: No, I’m not sure at this point. Where are you talking about?

MR. ROTHSTEIN: Okay. I’m in the sentence about five lines up, in the middle, that says “This principle.”

DR. COHN: Okay.

MR. ROTHSTEIN: So what we’re proposing to do is add, and make it:

“This principle of role-based access criteria” then in parens “(and the related concept of data classification)” close parens “has been successfully embodied” blah-blah-blah-blah.

DR. COHN: Okay.

MR. ROTHSTEIN: Just to add that just sort of clarifier.

DR. COHN: Sounds good.

MR. ROTHSTEIN: Okay, anything else, Harry, in the first paragraph? All right, let’s move to Paragraph Number 2, the one that begins “An analogous principle.” Really it isn’t “analogous.” It really is a “similar principle,” don’t you think?

MS. BERNSTEIN: I don’t think it’s either, analogous or similar.

MR. ROTHSTEIN: “Another principle.”
MS. BERNSTEIN: Another principle.

MR. ROTHSTEIN: “A related principle.” Well, you know, we’re trying to restrict what’s going on.

MR. HOUSTON: It’s another principle, in my mind. It’s not analogous. One relates to treatment, the other one relates to —

MR. ROTHSTEIN: Stuff.

MR. HOUSTON: — yes, the use of a user.

MR. ROTHSTEIN: All right. Another principle.

MR. HOUSTON: I have to admit, you know, I must have something about last sentences of paragraphs that I don’t like.

MR. ROTHSTEIN: Hey, if the others are okay, I’ll take it.

MR. REYNOLDS: I’m not jumping till then, so —

MR. ROTHSTEIN: Oh, okay.

MR. HOUSTON: I honestly — I do have this philosophical problem with compelled authorization, and you may have heard it many times before. Every time I hear it, I wince.

MR. ROTHSTEIN: But is it the term or the concept?

MR. HOUSTON: The concept.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: My belief is — and I understand your point, I think, is sort of there’s a nuance here which is that compelled authorizations — having an authorization in order to get employment or get insurance, as long as it’s relevant information that’s being disclosed, is okay.

MR. ROTHSTEIN: Right.

MR. HOUSTON: Now, I just put this — it’s sort of the same thing with data classification. How the heck are we ever going to put a system in place to decide what is appropriate for an insurance company or employers here or not?

I understand the concept. Conceptually, yes, fine. If it’s related to somebody’s job, well, then, it’s a —

MR. ROTHSTEIN: I’ve actually been working on this with IT people and it’s doable. It just requires a lot of research and a lot of work, and it’s not easy, and it depends on the use.

The easiest case is life insurance where at the present time life insurers, unless you are asking for, you know, a huge policy, they only care about ten or 12 data fields and they don’t want to examine you, they don’t want to do anything; they want to ask you ten or 12 questions.

And the same thing is true in terms of access to health records. If they could get their hands on only ten or 12 pieces of information, that’s all they want.

Now, the question is: How do we get our hands around that? And it’s doable. But we need some money to research how to do that, whether it’s by the role of the provider, so, in other words, any service provided by a cardiologist or an oncologist or whatever, they want that, okay, and other kinds of information.

It’s something that is certainly not off the shelf. But if we don’t commit money and the effort to research this, we’re never going to really ever have privacy in any meaningful degree in health information.

MR. HOUSTON: By the way, just saying I’m on the 4:10 flight now, so I’ll go to the airport with you.

MR. REYNOLDS: If you think of standards, you know, we have standards for the claim, we have standards for remittances, we have standards for inquiries, we have standards for claims attachments.

Using your example, a standard data set that is a standard transaction itself. If a life insurance company wanted information, they would send a standard transaction. The response back would be those 12 fields.

MR. ROTHSTEIN: Right.

MR. HOUSTON: Yes, but that assumes —

MR. REYNOLDS: I don’t know — I’m using it as an example. In other words — because otherwise, I mean, and I’m an IT guy, so otherwise every person will look at it through their own way and my vendor system might ask for 20 and your vendor system might ask for 12.

And so writing a concept, there’s no question anything could be done. It’s this idea of being able to, by criteria, and especially, you know, when you look at employers —

MR. ROTHSTEIN: That’s the hardest case.

MR. REYNOLDS: Okay. You look at life insurance, you look at —

MR. ROTHSTEIN: Disability.

MR. REYNOLDS: — health insurance, yes. And so I guess I’m like you; I think it’s going to need a lot of research, it’s going to need a lot to figure out.

But at least those are the kinds of things that could be considered to where — you know, some of the basic things where we know there is already what could be considered abuse, not purposeful abuse, but just because of the process.

MR. ROTHSTEIN: And our key recommendation really is Recommendation 6 that comes from this:

“HHS should support research through the National Library of Medicine or another HHS agency to develop contextual access technology.”

I think that’s really the key, because it’s not ready to go, but if we don’t think about it and contemplate it in the NHIN, we’re going to be stuck with no chances —

MR. REYNOLDS: Yes. The only reason I push back on the contextual, in the wording, the contextual gets down to real, maybe, at least the way I read it, some real detail, field by field. But contextual can be really detailed field by field or it could be by subject, so —

MR. ROTHSTEIN: Correct.

MR. REYNOLDS: — life insurance — so I would like to make sure that, you know, it could be contextual by, you know, types of access or — I don’t know.

MR. ROTHSTEIN: Do you have any words or —

MR. REYNOLDS: No, we just had this discussion. I haven’t had a chance to think about it. But I just — because contextual discussion gets down to where you can really, really, you know, parse a record.

Yes, technologically, you could parse any record. As a health industry, we never want parsed records at that level. So we talk about data sets.

And so, the contextual — so if you make contextual, you talk about data sets, i.e., health insurance or life insurance, this or that, then I could feel a little better about it because otherwise it looks like we’re going to go into every field and every record and have the ability to parse it in or out when it we pass it around, and I just don’t think that’s practically doable in any kind of near future or with any kind of technology that’s going to be out there because that’s going to be too much in the eye of the beholder.

MR. ROTHSTEIN: And I think — Simon?

DR. COHN: Yes.

MS. BERNSTEIN: Is somebody other than Simon on the phone?

DR. COHN: I think I must be alone.

MS. BERNSTEIN: Well, we can hear a lot of noise on this end that sounds like it might be Paul on his cell or — but we can’t hear the person.

DR. COHN: How about if I’m near to — will that help?

MS. BERNSTEIN: Maybe.

MR. HOUSTON: We’re getting some crossed lines on that.

MS. BERNSTEIN: Are you hearing it, too? You’re hearing that, right?

MR. ROTHSTEIN: What I don’t want to do, and what I don’t think we have to do, is go into detail about this was going to work because we don’t know how it’s going to work or even if it’s going to work.

And in the last paragraph, I think we say, correctly, “Developing this will complicated. It will involve collaboration by various stakeholders.” But if we don’t do it now, we’re going to be sort of stuck.

So it’s really a call for we think this is important, it needs to be researched, and to the extent that it can feasibly work, it needs to be built in.

MR. HOUSTON: Okay, can I — I have no objection to that. I’m going to jump forward. Maybe I shouldn’t jump forward with the recommendations then.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: And the reason why I jump forward to that is that I think the order of the recommendations needs to be changed, because Number 6 is actually the one that —

MS. BERNSTEIN: Precedes, yes.

MR. HOUSTON: — has to come first.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: And then I think it should say “research in developing both appropriate role-based access criteria and contextual access technology” and then —

MR. ROTHSTEIN: What? I’m sorry — “contextual access criteria and access technology?”

MS. BERNSTEIN: Wait, wait —

MR. HOUSTON: You have access technology — “develop role-based access” — well —

MS. BERNSTEIN: “Role-based.”

MR. ROTHSTEIN: No, not “role-based.” “Contextual.”

MR. HOUSTON: No, no, no — add both of them.

MS. BERNSTEIN: Where is it he’s adding?

MR. HOUSTON: I think we need to do research into both first.

MR. ROTHSTEIN: Oh, I see.

MR. HOUSTON: And then resulting from that, we should look at what is now, what is previously Number 4 and Number 5 here.

MR. ROTHSTEIN: So you want to put 6 ahead of 4?

MR. HOUSTON: Right.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: And add the concept of research into role-based —

MS. BERNSTEIN: Criteria.

MR. HOUSTON: — access criteria. Add that into Number 6, so you’re doing research on both.

And then we can talk about then applying those to, you know, the role-based access criteria and the contextual access criteria to, you know — you develop, then you apply it, I guess is my point.

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: I agree with that. And, Mark, where I jumped ahead, I guess, we were reading where we were, but if you could read the last paragraph —

MR. ROTHSTEIN: Yes.

MR. REYNOLDS: — of what we were saying?

MR. ROTHSTEIN: Which one?

MR. REYNOLDS: It starts with “developing the algorithms.”

MR. ROTHSTEIN: Yes, okay.

MR. REYNOLDS: I guess that’s where it got too complicated to me because it’s not necessarily — it may or may be not be algorithms and it may or may not be architecture.

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: I think that makes it — in other words, whatever they decide — I mean, it could be a clean data set, just like an 837 or anything else, so —

MR. ROTHSTEIN: Okay. Suppose I make it “developing the methodology?”
MR. REYNOLDS: There you go. I’m good with that. But when you get into algorithms and architecture, it starts really — it makes it look overly complicated or —

MR. ROTHSTEIN: The last paragraph.

MR. REYNOLDS: — makes it look like each system’s going to have to have whole lots of things. And it may just be a data set. And I could easily write a transaction that would go into any EHR and pull out a data set and give it back to somebody.

MR. HOUSTON: I don’t know if it should be replaced by “methodology.”
MR. REYNOLDS: That’s all I was saying.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Methodology.

MR. REYNOLDS: And then if you do that, I’m fine.

MR. ROTHSTEIN: All right. Well, let’s back up again.

MR. REYNOLDS: Okay.

MR. ROTHSTEIN: So —

MR. REYNOLDS: That took care of my concern.

MR. ROTHSTEIN: — now that we’ve jumped ahead, John, can we go back and see if we can satisfy your concerns on the second paragraph? It was that last sentence that you —

MS. BERNSTEIN: “Although unauthorized?”

MR. ROTHSTEIN: Yes.

MR. HOUSTON: Well, my concern about the compelled authorizations is, again, the issue of scope, and I think we have talked about that.

MR. ROTHSTEIN: I would be —

MR. HOUSTON: Is it unrestricted?

MR. ROTHSTEIN: — happy to just delete that sentence. I —

MR. REYNOLDS: I’d take that.

MR. HOUSTON: If you did that, I’d be very happy.

MR. REYNOLDS: Take it out; we’re good.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Do you intend for this contextual access technology to apply generally to the third party authorizations or just —

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: — compelled ones? I mean, do you disregard the concept that the individual can voluntarily want his entire medical file to go to X?

MR. HOUSTON: Fair point.

MR. ROTHSTEIN: I think it should be —

MR. REYNOLDS: Well, if you go to the second sentence, the third line, the fourth line, it says — we still leave in there that the authorizations are only nominally voluntary.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: And then we say “research,” so —

MS. BERNSTEIN: No, but the language here frames the question in terms of a compelled authorization, that in these types of situations you believe that the individual is on a level bargaining field with the entity that wants to obtain his information and therefore that the holder of the job, the holder of the insurance policy, the holder of welfare, the holder of Social Security benefits, whatever, is in a superior bargaining position and will coerce the individual into giving up his natural privacy rights to his medical information and that, therefore, we will, through our disclosure rules, limit what these — kind of level the playing field, if you would, and limit the disclosures.

The question is: Do you want to limit that supervision to controlling disclosures to some judgment about level playing field, or is that too much — too difficult to do, and so this is just a general rule that you will apply to anybody?

MR. ROTHSTEIN: Okay, let me see if I can answer that.

I don’t think that we should set social policy through the disclosure rules. I think that needs to be set through the regulatory legislation. But we can facilitate that through the disclosure rules.

Let me give you an example.

There are two states, Minnesota and California, that have enacted laws that say that all disclosures of health information to employers must be limited to information that’s job-related and consistent with business necessity.

So if you apply for a job in California and you are doing X, in theory the employer says to the health care record holder, “Send me information about whether this individual can do Job X.” Well, there’s no way they can do that now.

So what they do is they copy the whole record and send it anyhow.

What we would be doing, at least initially in those two states, is facilitating those providers in giving what legally the employer could only ask for.

Today, under the ADA in the District, in Maryland and wherever, when you sign an authorization, there are no restrictions, so the employer can assign this sort of blanket authorization and they get everything.

The other half of it would clearly have to be legislation, either amending Section 102D3 of the ADA or a state law like California or Minnesota saying that employers can only get information that’s job-related and so forth. And now you’d be able to do that.

You’d have to enact maybe other laws in all these other substantive areas, but I wouldn’t attempt to protect that, those interests that you identified, through this. I would view this as a way of facilitating those interests that have already been recognized by statute.

So the answer to your initial question is yes, you could sign a release, but an employer in certain states and insurers in other states can’t ask you to do that because it’s unlawful.

MR. HOUSTON: I can only go back to my law school days, and sort of looking at it in another way is, you know, there’s a type of deed that’s de facto considered to be — even though you can grant a certain type of deed —

MR. ROTHSTEIN: Quitclaim deed?

MR. HOUSTON: Yes, it’s sort of typically voiding because of, you know, a public policy decision that is typically a sham.

And I hate to say this but there’s sort of this presumption that, yes, you might tell me to my fact, yes, that was truly a voluntary disclosure and the authorization is broader than it needed to be and the person was okay with it, but if they’re being threatened on the side that unless they do give this broader authorization that is done, you know, at their free will, they won’t be considered for the job —

MR. ROTHSTEIN: Well, it’s unlawful to do that.

MR. HOUSTON: Well, I know that, but —

MR. ROTHSTEIN: There are a lot of things that are unlawful for employers to do that they would do on the side, but we can’t —

MR. HOUSTON: But my point, though, is that you get to a point where if there is any policing of any deviation from what we’re saying is the appropriate standard becomes very tricky because the employer complains, “I didn’t coerce that. That person’s telling me now because they didn’t get the job. But they didn’t have a problem when I asked them for it.”

MR. ROTHSTEIN: All right, don’t think about it in the abstract. Think about California or Minnesota, okay?

MR. HOUSTON: I understand that.

MR. ROTHSTEIN: Unless we do the research, those laws are worthless, unless we have a way of facilitating that.

Under a paper-based system, there’s no way that it could be done. Now, fortunately — I mean, one of the bright lights of NHIN is we’re going to have technology perhaps to be able to tailor disclosures to only the information that’s relevant.

MR. REYNOLDS: I like what we’re doing.

MR. ROTHSTEIN: Simon?

MR. HOUSTON: Simon agrees.

DR. COHN: I joined the meeting. [Laughter.]

MS. BERNSTEIN: Okay, he’s there.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: He wants to be quiet since he’s out of the meeting.

DR. COHN: I’m going to have to leave in about five minutes for another meeting so I think realistically I may be able to come back right at the end, but — what time do you guys finish up? You said 3 or 2?

MR. ROTHSTEIN: We’re going to finish up in an hour, because we don’t want to take on new issues with only three of the five members.

So we’re going to finish up C, give you a chance to sort of weigh in on C, and then we will kind of clean up the language, because we don’t want to have to go through this with Paul not on the phone and with you not participating as well.

DR. COHN: I mean, do you want to do something along the lines of getting to where you can with the revision and then let Paul and I submit written comments? Would that be easier?

DR. COHN: If you get my comments, you’re still left without Paul’s.

MR. ROTHSTEIN: Right. So —

MS. BERNSTEIN: If you send them, well — you know, we can circulate them, we can try to work them in.

MR. ROTHSTEIN: Right, but we don’t want to go forward. We don’t want to do A or B.

MR. HOUSTON: Well, I think we do the non-contentious ones for the next ones.

MS. BERNSTEIN: A.

MR. HOUSTON: A, which I think — and then we —

MR. ROTHSTEIN: Okay.

MR. HOUSTON: — can go into the Introduction, and then just decide we’re not going to go any further because we don’t think it appropriate.

MR. ROTHSTEIN: Yes. We sort of earmarked the meeting on the 15th to do B, which is the real sort of challenge.

So if you had comments on C, we’d be happy to hear them now so that we can incorporate them, but we will continue to try to work through this.

DR. COHN: Yes. I mean, my only comment would be that I think that the comments by the others — I mean, I make notes but I’m hearing them mostly being reflective and I think what the people on site are saying, so I’ll take a look and see what it looks like all together with the next version of this area and obviously I will free, since I’m still allowed to make comments, to sort of take that and further refine it — I think it was pretty good almost to begin with, but I do think that the comments that I think helped with this whole piece.

MR. ROTHSTEIN: Okay. Thank you.

DR. COHN: Thank you. Have a great weekend and I guess I’m sorry the Washington weather is so unpleasant.

MR. ROTHSTEIN: It was beautiful on Wednesday.

MS. BERNSTEIN: For those of us who took the two days off, we took the right two days.

[Laughter.]

MR. ROTHSTEIN: Okay, so we’ve deleted that “Although” sentence in Number 2, Paragraph 2. Was there something else that you wanted —

MS. BERNSTEIN: Paragraph 2 is otherwise just lovely with you?

MR. ROTHSTEIN: Yes.

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: Okay. In Paragraph 3, let me just note that I made a note in my margin here to revisit the first sentence we haven’t agreed on including that example, because the domestic violence, that’s in Section B which we haven’t agreed to at all.

MR. HOUSTON: Right.

MR. ROTHSTEIN: Okay? So just, you know, ignore that first sentence.

MR. REYNOLDS: Oh, we will.

[Laughter.]

MR. ROTHSTEIN: And the other thing I would suggest on the third paragraph is to delete the parenthetical at the end of the sentence because that’s not the way that Section 5 came out.

MS. BERNSTEIN: Other than the fact that it’s now D.

MR. REYNOLDS: Oh, yes, I got you, right, right, okay, yes.

MR. ROTHSTEIN: Do you see that? So we’re going to chop that parenthetical.

MR. REYNOLDS: Right.

MS. BERNSTEIN: Yes, I’ll have to go through and make the references match and so forth.

MR. ROTHSTEIN: Okay. So let’s back up now to the rest of that third paragraph, starting with the “At the same time.”

MR. HOUSTON: Where’s this at?

MR. ROTHSTEIN: We’re going to skip this sentence, right?

MR. HOUSTON: Right — I see it, okay.

MR. ROTHSTEIN: And start with “At the same time.”
MR. REYNOLDS: Under — go ahead, John.

MR. HOUSTON: Are we defining “compelled authorizations?”

MR. ROTHSTEIN: Well, yes.

MR. HOUSTON: Where?

MR. ROTHSTEIN: It’s the beginning of the second paragraph that describes —

MR. ROTHSTEIN: Yes. “These authorizations are only nominally voluntary.”
MS. BERNSTEIN: Well, “non-medical use of personal health information” —

MR. HOUSTON: My only point, though, is —

MS. BERNSTEIN: Via signed authorization.

MR. HOUSTON: — should we put in parens, you know, “compelled authorizations?”

MR. ROTHSTEIN: I’m happy to do that. You mean, back in the second paragraph?

MR. HOUSTON: All I’m trying to do is every time I read “compelled authorizations,” sort of wince a little bit.” If I had —

MR. ROTHSTEIN: Well, we can make it instead —

MS. BERNSTEIN: Is it because it hasn’t been defined previously or because you don’t like the term?

MR. HOUSTON: Well, I don’t like the term in a vacuum, but I think if it is defined within the previous paragraph —

MR. ROTHSTEIN: All right, John, here’s —

MR. HOUSTON: — all right, I’m fine if you do that.

MR. ROTHSTEIN: How about — you see where it says, in the third sentence of the second paragraph, “The authorizations?
MR. HOUSTON: Yes —

MR. ROTHSTEIN: How about if we put: “These compelled authorizations are only nominally voluntary” blah-blah-blah-blah.

MR. REYNOLDS: Where are we, Mark?

MR. ROTHSTEIN: Okay, on the second paragraph —

MS. BERNSTEIN: Fourth line of the —

MR. ROTHSTEIN: — the third sentence —

MR. REYNOLDS: Okay.

MR. ROTHSTEIN: — the one that begins “The authorizations.” I’m proposing to make it “These compelled authorizations are only nominally” — would that do it?

MR. HOUSTON: Well, actually, I would say in the previous sentence, after “purposes,” I’d put in parents, “compelled authorizations.”

MS. BERNSTEIN: Is there something in there that talks about the compelled versus —

MR. ROTHSTEIN: Yes —

MS. BERNSTEIN: — except as a condition. It does say “a condition of applying for employment.” That’s good.

MR. HOUSTON: Somewhere I’d just like to see it defined so that the first part — because when you go down to that paragraph and the first sentence you see “compelled authorizations,” you sort of — to me, there is a guttural sort of reaction.

MS. BERNSTEIN: What if I could put it in quotation marks —

MR. ROTHSTEIN: How about another put — how about in the second sentence, “Each year, as a condition of applying for employment, insurance and disability benefits as well as other uses, individuals sign millions of compelled authorizations to disclose their — ?”

MR. REYNOLDS: Well, why don’t we say this? Why don’t we say “individuals sign?”

MS. BERNSTEIN: “Individuals are compelled to sign authorizations.”

MR. ROTHSTEIN: Well, I don’t really —

MR. HOUSTON: Well, I like that, though.

MR. REYNOLDS: Yes, I’d rather say that they’re compelled to sign it —

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: — rather than compelled authorizations because —

MS. BERNSTEIN: Coerced — I mean, we don’t want to use that word, but —

MR. HOUSTON: No.

MS. BERNSTEIN: — that’s the point. But they are —

MR. HOUSTON: Again, all I’m trying to do is deal with —

MR. ROTHSTEIN: So your point is really — not to belittle you, but it’s a small point, really, because you’re just concerned about the wording being — concerned about concept.

MR. HOUSTON: I’m not concerned about concept whatsoever.

MR. ROTHSTEIN: Okay. So — Maya?

MS. BERNSTEIN: How about — okay.

MR. HOUSTON: I just want to define it so that people —

MR. ROTHSTEIN: Okay.

MR. HOUSTON: — when they see “compelled authorization,” they can go back and say, okay, here’s what was defined.

MR. ROTHSTEIN: I know what they mean, okay.

MS. BERNSTEIN: “As a condition of applying for employment, insurance, and disability benefits as well as other uses, individuals are compelled to sign millions of authorizations requiring them to disclose their personal health information for non-medical purposes.”

MR. REYNOLDS: I like that. I’ll go completely with that.

MR. ROTHSTEIN: John?

MS. BERNSTEIN: “These authorizations” —

MR. ROTHSTEIN: Right.

MR. HOUSTON: Well, then just put in, “These compelled authorizations.”

MS. BERNSTEIN: Well, but —

MR. HOUSTON: Yes, you could do — yes.

MS. BERNSTEIN: Okay.

MR. HOUSTON: If you tuck in two things, I think we’re good.

MS. BERNSTEIN: “These compelled authorizations

are only nominally voluntary.” Well, if we say they’re compelled, they’re obviously not voluntary.

MR. ROTHSTEIN: Well, legally they’re voluntary.

MS. BERNSTEIN: How are they voluntary?

MR. ROTHSTEIN: They’re legally voluntary. You don’t want the life insurance policy? Don’t sign.

MS. BERNSTEIN: Correct.

MS. McANDREW: That’s not voluntary. That’s the whole point.

I mean, even if they didn’t ask, I could be perfectly willing to turn over my medical records.

MS. McANDREW: That’s true.

MS. BERNSTEIN: I could voluntarily want to do it.

MS. McANDREW: In the case of life insurance, you might very well.

But we had a huge conversation about this in the development of HIPAA —

MS. BERNSTEIN: Right.

MS. McANDREW: — the same issue, which is you’re compelled to turn over, you know, in the treatment and payment issue. We were talking about whether that should be within the realm of automatic okay or not. That was the big issue, right? Whether, at the time of treatment, you go in for treatment and they say, “You must sign this piece of paper that says you have to give us your permission to turn it over to your insurance company,” that’s compelled. I may be completely, voluntarily willing to do it, but, you know, it’s coercive because I need care at that point.

You might think it’s less coercive if what I only need is life insurance which is, you know, not going to —

MR. HOUSTON: That’s why you can’t have a patient sign it, an authorization going into the Emergency Department. You have to be medically stabilized and evaluated before we’re allowed to do it —

MS. McANDREW: Right.
MR. HOUSTON: — because it’s considered to be compelled.

MR. ROTHSTEIN: I’d like — we’re okay. We’re happy.

MR. REYNOLDS: Yes. So in Paragraph 3, then, are there other — the one that starts at the bottom of 5 and continues over at the top of 6, are there other things that we —

MS. McANDREW: I mean, I would take exception to saying it’s not feasible.

MR. ROTHSTEIN: You would take exception to saying that it is not feasible?

MS. McANDREW: To do that with paper records.

MS. BERNSTEIN: Where are you?

MR. REYNOLDS: Practical.

MS. BERNSTEIN: Oh, the third sentence?

MR. REYNOLDS: It’s not practical.

MS. McANDREW: Because essentially, I mean, both minimum necessary and the restriction of disclosing what is required and what is stated in the authorization as being asked for —

MR. ROTHSTEIN: Right.

MS. McANDREW: — both may require that you give less than the full medical record.

MR. ROTHSTEIN: Right.

MS. McANDREW: And so to say it’s not feasible to comply with Pfizer minimum necessary standards for the authorization itself, it may not be practicable to search a paper record.

MR. REYNOLDS: I can go with “practical,” because I think that’s the issue.

MR. ROTHSTEIN: Can you live with that?

MS. McANDREW: Yes.

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: I like “practical.”

MS. BERNSTEIN: Then it says, “Thus, as a practical matter,” so then we have a “practical.”

MR. HOUSTON: We trust your judgment.

MS. BERNSTEIN: “Thus, in practice –“

MS. McANDREW: Okay.

MS. BERNSTEIN: I’ll work it out.

MR. REYNOLDS: You got rid of the parenthesis —

MR. ROTHSTEIN: At the end, yes.

MR. REYNOLDS: And then are we on the last paragraph, then?

MR. ROTHSTEIN: Well, unless you’ve got something else.

Okay, so now we’re on the last paragraph, the one that now begins, “Developing the methodology will be complicated.”

MR. REYNOLDS: Right.

MR. ROTHSTEIN: Okay?

MR. HOUSTON: Not much problem with that.

MR. ROTHSTEIN: And I have a change, small one. How about “will be complicated and it must involve collaboration?”

MR. REYNOLDS: I was going to say — I’m not sure it’s going to be complicated.

MR. ROTHSTEIN: Oh. [Laughter.] Really?

MR. REYNOLDS: No, no, no, I’m serious.

MR. ROTHSTEIN: How about “could be complicated?”

MR. REYNOLDS: Well, I think developing — say what you said again — “Developing” —

MR. ROTHSTEIN: “The methodology.”

MR. REYNOLDS: — “the methodology will require input from all the appropriate stakeholders.”

I mean, I wish it —

MR. ROTHSTEIN: We shouldn’t make predictions because we don’t know.

MR. REYNOLDS: Yes, because I think you could pick some of them off and it might not be that big a job.

MR. ROTHSTEIN: Well, I’ll tell you what will be there will be employment because actually I’ve been working on this for years, so —

MR. REYNOLDS: Well, how about “controversial?” I’d still struggle with “controversial.”

MR. ROTHSTEIN: Here’s how you do it. The only way you could do it is —

MR. HOUSTON: Complex.

MR. ROTHSTEIN: — you’re an employer and you say, “I want Mark’s records to see whether he can climb telephone poles. He’s a Lineman, Stage 3.”

So now there has to be some way of translating what the job requirements are into physical demands and then translating the physical demands back into medical factors that would bear on those demands. I mean, it’s like a multi-stage —

MR. REYNOLDS: I like “complex.”

[Laughter.]

MR. ROTHSTEIN: Okay, so, let’s see: “Developing” will be “complex” instead of “complicated?”

MS. BERNSTEIN: Yes.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: Yes.

MR. REYNOLDS: May be.

MR. ROTHSTEIN: “May be complex?”

MR. REYNOLDS: “Complex.” Yes, “complex” to me means — “complicated” means you’ve got a lot of little details; “complex” says you’ve got a lot of issues. And I think your statement there has —

MS. BERNSTEIN: Do you want it to be “complex?”

MR. ROTHSTEIN: Our current version that I have is:

“Developing the methodology will be complex and it must involve collaboration by various stakeholders.
MR. REYNOLDS: I like that.

MR. ROTHSTEIN: So you’d have to get the employer community —

MR. REYNOLDS: Yes, sure — right.

MR. ROTHSTEIN: — the insurance people, and so on, the IT people. Okay.

MR. REYNOLDS: Maya, you’re smiling.

MS. BERNSTEIN: That’s right. You’re not smiling about this?

MR. ROTHSTEIN: John, do you have anything else in that paragraph?

MS. BERNSTEIN: Sometimes I just think funny things.

MR. ROTHSTEIN: Okay. Can we now just, to make sure we’re all on the same page, go through the Recommendations as revised?

We’re moving 6 to the top of that section.

MS. BERNSTEIN: I is now 4. Five is now role-based access” —

MR. ROTHSTEIN: Okay, let me just — “to develop role-based access criteria and contextual access technology. Role-based access criteria should apply to” —

MS. BERNSTEIN: “Provider –“

MR. ROTHSTEIN: Okay, so let’s make that consistent with what we said before, okay? So how did we phrase that before? “Sharing,” we used, okay? “For sharing” something — “should apply to the sharing of personal health information through” –?

MR. REYNOLDS: Yes. What I think ought to happen is — we already have the words up in the paragraphs.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: I’d like to see — I mean, I’d be comfortable with you guys mapping it, using John’s hierarchical discussion.

MR. ROTHSTEIN: We’re trying to work the same words back in.

MR. HOUSTON: Can I just make one point on 4 and 5, the original 4 and 5?

MR. ROTHSTEIN: Yes.

MR. HOUSTON: Does it make sense, because we’re moving 6 up, say “resulting role-based access criteria?” Because we’re going to talk about doing research in 6; then I want to make sure that 4 and 5 become the result of research.

MR. ROTHSTEIN: Okay. We could put “Any resulting role-based” blah-blah-blah, yes, okay.

MR. REYNOLDS: Just put it in.

MR. HOUSTON: There’s an order of precedence to —

MS. BERNSTEIN: “Resulting role-based access criteria should apply to” — like that?

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: “And resulting contextual –“

MS. BERNSTEIN: “And resulting –“

MR. ROTHSTEIN: “Access here should apply to the sharing” —

MS. BERNSTEIN: Yes, “to the sharing –“

MR. ROTHSTEIN: “– of personal information in EHRs and the NHIN when disclosure is made pursuant to a –“

MS. BERNSTEIN: “Should apply to the sharing of personal information?” Is that right?

MR. ROTHSTEIN: Right.

MS. BERNSTEIN: “Personal health information in EHRs” blah-blah, okay? Okay.

MR. HOUSTON: Then under the contextual access criteria, rather than the “sharing of,” I think it should be “contextual access criteria should apply to the provision of” — because I suspect the individuals who will get access to that information for employment and other insurance purposes —

MR. ROTHSTEIN: It’s not going to come back the other way.

MR. HOUSTON: Well, all they’re going to do is get a copy of something that’s going to be —

MR. ROTHSTEIN: So we could make that “the disclosure,” really, right?

MR. HOUSTON: Exactly.

MR. ROTHSTEIN: “Should apply to the disclosure.
MS. BERNSTEIN: “Disclosure.”

MR. HOUSTON: It really is pursuant to an authorization. It’s just it’s —

MR. ROTHSTEIN: Yes. So the old 5 now reads, as far as my record:

“Resulting contextual access criteria should

apply to the disclosure of” blah-blah-blah.

MR. HOUSTON: Right.

MS. BERNSTEIN: Well, “Personal health information in EHRs and the NHIN when” —

MR. ROTHSTEIN: “When that disclosure.”

MS. BERNSTEIN: “Disclosure is made pursuant to a third party not involved in patient care.”

MR. HOUSTON: The word “pursuant” shouldn’t be in there. It’s made to a third party, right?

MS. BERNSTEIN: Yes, yes —

MR. HOUSTON: Pursuant to an authorization.

MR. REYNOLDS: Right, right.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: “To a third party –” okay.

MR. HOUSTON: In these Recommendations, we’re using the phrase “personal health information.”

MR. ROTHSTEIN: Correct. And that’s explained in the Introduction.

MR. HOUSTON: Okay.

MS. BERNSTEIN: Are we’re specifically using that term?

MR. ROTHSTEIN: “The report uses the term” — this is Paragraph 1 of the Introduction — “‘personal health information’ rather than ‘protected health information’ because the latter term applies only to coverage under the HIPAA privacy rule, and our use of the term is not constrained by HIPAA coverage.”

MR. HOUSTON: When I look at it this time, again, what the NHII work group had regarding PHRs, personal health records, I guess when I see something that says “personal health information,” I sort of get this feeling like it’s information that the patient has contributed to his record. What about —

MR. ROTHSTEIN: “Individual health information?
MR. HOUSTON: “Individual” —

MS. BERNSTEIN: What’s the term of art in HIPAA?

MR. HOUSTON: Oh, it’s “protected health information.”

MS. McANDREW: “Protected health information.”

PARTICIPANT: “Personally identified protected health information.”

MR. ROTHSTEIN: Yes.

MR. HOUSTON: Well, you more personally identify it with health information.

When I saw “personal” here, I just sort of think, you know —

MR. ROTHSTEIN: We could change that. There’s no — the only thing that I am concerned about is that we don’t use “PHI.” Any other term —

MS. BERNSTEIN: We mean “personally identifiable health information.”

MR. ROTHSTEIN: We can use “personally identifiable,” “individually identifiable” or anything like that is fine.

MR. REYNOLDS: But I think as we read it, this whole idea of PHR, EHR, NHIN, PHI, the real PHI, this PII or whatever it is, we need to make sure that they play to the eye of somebody else that’s not in here debating this.

MR. ROTHSTEIN: That’s true.

MR. HOUSTON: We could put a footnote in here to talk about why we chose that term or that term, what it means.

I just — again, you know, thinking about the PHR recommendation that we made, every time I see “personal,” I think —

MR. REYNOLDS: But what I’m saying is, now that we’ve done whatever we do —

MR. ROTHSTEIN: We’ll just make sure —

MR. REYNOLDS: — we need to read it again from a different perspective.

MR. ROTHSTEIN: From a Jeff Blair standard.

MS. BERNSTEIN: Well, actually that’s a good point. What is the term that we used in the PHR letter and do we as a Committee want to be — do we care if we’re consistent across each of these letters?

MR. REYNOLDS: We’re not talking about — see, the difference is —

MS. BERNSTEIN: Right, I understand, but —

MR. REYNOLDS: We’re not talking about — see, the difference is —

MS. BERNSTEIN: Right, I understand, but —

MR. REYNOLDS: We’re not talking about — that was about personal health records.

MS. BERNSTEIN: I understand, but —

MR. REYNOLDS: This has EHRs and other things.

So that’s why I like a different one.

MS. BERNSTEIN: But isn’t our point, even your point, really? Earlier on, you were saying that the EHRs, NHIN is going to cope with all of this stuff, whether it’s PHRs, EHRs or whatever, and it’s personally identifiable — whatever term that you want to use, individually identifiable information is the point. We want to look at that, whatever context it appears in, and —

MR. REYNOLDS: Right. Right. But I agree. Once we use the word “personal,” people lock in to maybe personal health record. That’s where we’re going. We’re in agreement.

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: Are we ready to move on?

MS. BERNSTEIN: Okay, so I will — what’s the

term here you currently like, because I’m going to go through the document and —

MR. HOUSTON: “Identifiable” —

MR. ROTHSTEIN: “Individually identifiable?”

MS. BERNSTEIN: “Individually identifiable” you like better, “IIHI,” if you want to make an acronym?

PARTICIPANT: It’s a term, a HIPAA term, but it’s more general than “protected health information.”
MS. McANDREW: Right. Protected health information is a privacy term.

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: So, wait a minute — I just want to see whether, for the same reasons, we don’t use that.

Do you want to just make it “IIHI?”

MR. REYNOLDS: I actually like that one.

MR. HOUSTON: Which one?

MS. BERNSTEIN: “IIHI.”

MR. REYNOLDS: Yes, because that really helps —

PARTICIPANT: Hold on. The HIPAA definition defines protected health information is individually identifiable health information (?) collected, maintained, created by a covered entity.

MR. HOUSTON: So why don’t we use “IIHI?”

MR. ROTHSTEIN: So we could use it and it wouldn’t have —

MR. REYNOLDS: Yes, I like that one.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: That works.

MS. McANDREW: I would need to just double-check to see if we have incorporated the “collected and maintained by” —

MS. BERNSTEIN: I could go — it’s sitting on the top of my desk, the Department’s text.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Literally, it’s sitting on top of my desk in a grabbable place across the table.

MR. ROTHSTEIN: Then our plan then is to try to get through A?

MR. REYNOLDS: Yes, sir.

MS. BERNSTEIN: I mean, we may want to pick another term that’s specifically not used by HIPAA just so it’s not confused —

MR. ROTHSTEIN: Yes, I understand.

MS. BERNSTEIN: — even if you mean something similar, because we don’t want to be confined to that.

MR. HOUSTON: Based on the reading of — your name? —

PARTICIPANT: Mike (?).

MR. HOUSTON: — Mike just indicated, it’s meaningful insofar as HIPAA defines it, but defines it to be patient information but that is a lot broader classification that when you apply HIPAA to it, it becomes PHI, which is sort of the narrow — it narrows. So it doesn’t make sense.

MS. McANDREW: The limitation on IIHI is that it has to be created or received by a health care provider, not a covered entity, a health plan, an employer or a health care clearinghouse.

MR. ROTHSTEIN: Okay, so we need another term.

MS. McANDREW: Yes, another term.

MR. ROTHSTEIN: All right, we’ll come up with something.

MS. BERNSTEIN: Okay, I will —

MR. HOUSTON: Let’s call it “Fred.”

MS. BERNSTEIN: I could call it “Fred.” For the moment, we’ll call it “Fred.”

MR. ROTHSTEIN: All right, so we’re now going to take a look at A, “The Importance of Privacy and Confidentiality,” which is on Page 2.

I just have one suggestion in the very first sentence. I think we need to add the word “our” before “society” because that’s probably not all societies.

MS. BERNSTEIN: Where?

MR. ROTHSTEIN: “Informational privacy is a core value of our society.”

MS. BERNSTEIN: Yes, well — right. American society, yes?

MR. ROTHSTEIN: American society?

MS. BERNSTEIN: Think the Canadians would object?

MR. ROTHSTEIN: That’s fine. No. The Canadians would go for it.

MR. HOUSTON: You know, I mean, going to the Jeff Blair issue —

MR. ROTHSTEIN: Yes, it just occurred to me that do you think the third sentence — “beneficence?”

MR. HOUSTON: “Beneficence,” I don’t even know what the hell that means.

MR. ROTHSTEIN: Doing good.

MS. BERNSTEIN: Right.

MR. HOUSTON: Okay. Well, doing good, liberty and doing good.

MR. REYNOLDS: Is there another word for the “bio-ethics?”

MR. ROTHSTEIN: Well, we could take out the whole sentence, if you want.

MS. BERNSTEIN: “In the health care setting?
MR. ROTHSTEIN: Yes. And just — well, we need something that says why this is good.

MS. BERNSTEIN: It doesn’t have to be bio-ethical principles. Those are principles that will cross —

MR. REYNOLDS: Yes, that’s why I thought, just take bio-ethics out.

MR. ROTHSTEIN: “Respect for a person’s justice, liberty” —

MS. BERNSTEIN: You just don’t like “beneficence.”

MR. HOUSTON: I don’t like “beneficence.”

MR. ROTHSTEIN: Too hard to pronounce?

MR. HOUSTON: Yes.

MR. REYNOLDS: We’ve got enough without it? [Laughter.]

MR. HOUSTON: Why don’t you put “ombudsman” in there, too?

[Laughter.]

MR. ROTHSTEIN: “Respect for purposes” —

MR. REYNOLDS: We’ve got enough without it, don’t we?

MR. ROTHSTEIN: “Justice and liberty?”

MS. BERNSTEIN: Charity, beneficence, what are the words to pick? I can get you other words. “Beneficence” is not even in here.

MR. ROTHSTEIN: How about “non-maleficence?” Would you like that better, John? [Laughter.]

MR. HOUSTON: I want “antidisestablishmentarianism.”

MS. BERNSTEIN: But do you actually want what that is?

[Laughter.]

MR. HOUSTON: The movement against the disestablishment of —

MS. BERNSTEIN: Yes, right. [Laughter.]

Okay, let’s try this.

MR. ROTHSTEIN: “Privacy and confidentiality, advance the principles of autonomy, respect for a

person’s –“

MR. HOUSTON: What’s “autonomy?” When you —

MR. ROTHSTEIN: Well, individual control of one’s, you know, person, papers. “Respect for a

person’s” —

MS. BERNSTEIN: Make easier, lend a hand, help out, facilitate, be of assistance, sort of — support.

MR. ROTHSTEIN: Well, it also promotes — I mean, the way I envisioned it, I mean, what I intended by “beneficence,” is that it promotes the health of people because when you are assured the confidentiality of your health care communications, you’re more likely to disclose important things to your doc.

MS. BERNSTEIN: Good will?

MR. REYNOLDS: Good health.

MS. BERNSTEIN: Altruism, benevolence?

MR. HOUSTON: Would you propose a delete of that sentence?

MR. ROTHSTEIN: Well, I did that, but the reason I didn’t was we don’t ever say why it’s important. Then we say it’s not absolute, but we don’t say why — and that’s the title of the whole section, “The Importance of Privacy and Confidentiality.”

MR. REYNOLDS: I’m willing to give you guys that word that worked to fix.

MS. BERNSTEIN: But, you know, I think privacy and confidentiality, these are sort of very grandiose kind of concepts for why we need privacy and confidentiality, and we also need it because people just won’t talk to their doctors about — I mean —

MR. ROTHSTEIN: Well, that’s — yes, right.

MS. BERNSTEIN: They need to be candid in order to get — right.

MR. HOUSTON: To promote disclosure of sensitive health information (?) —

MR. ROTHSTEIN: Jeff Blair better let me have that, or — [laughter] —

MR. REYNOLDS: I’ll talk to him.

MR. ROTHSTEIN: He’s in trouble.

MR. REYNOLDS: I’ve got to talk to him this week anyway. I’ll teach him —

MS. BERNSTEIN: We haven’t even there directly said — you know, there’s a sort of assumption that people understand what the public health issue is, which is that if people aren’t candid with their doctor, we’re going to have a public health problem.

And we just never said. And they’re not going to be candid if they think their information is going to be disclosed.

MR. ROTHSTEIN: Okay, so what are you suggesting?

MS. BERNSTEIN: I’m just saying we be more explicit about what it is — why, just on a day to day reality, why —

MR. ROTHSTEIN: How about — we’ve got agreement over what we want to do — how about if we get tentative authorization —

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: — to rework that sentence? And Maya and I will try to write it in much simpler terms. “Privacy is important because it allows patients to decide” blah-blah-blah, that sort of stuff.

MR. REYNOLDS: Yes, use the Jeff and Harry rule

— Jeff can’t see it and I don’t understand it.

MR. ROTHSTEIN: Okay.

[Laughter.]

MR. ROTHSTEIN: Okay, anything else in that first

paragraph other than rewriting that third sentence?

MR. REYNOLDS: I like that.

MR. ROTHSTEIN: Okay? So —

MS. BERNSTEIN: Wait — my —

MR. HOUSTON: That’s fine.

MR. ROTHSTEIN: Okay, second sentence?

MR. HOUSTON: Second paragraph.

MR. ROTHSTEIN: The second paragraph — sorry.

MR. HOUSTON: I have like some wordsmithing. The one phrase I saw in there that I don’t like is “scarce health care resources.” I don’t think for the most part in our society we have scarce health care resources.

MS. BERNSTEIN: Well, there’s 40 million people or so who would disagree.

MR. ROTHSTEIN: How about livers for transplant?

MR. HOUSTON: That has nothing to do with EHR, I don’t think.

MR. ROTHSTEIN: I know. But it’s a scarce resource. You wanted a scarce resource? I gave you a scarce resource.

MR. HOUSTON: Here health care resources as being lack of beds, lack of this, lack of that. I would say that —

MS. BERNSTEIN: If you’re one of those 40 million, they’re lacking in resources.

You’re saying that the resources are just —

MR. ROTHSTEIN: A waste of resources? You just want to take the word out?

MR. REYNOLDS: Business inefficiencies.

MR. ROTHSTEIN: Okay.

MR. HOUSTON: That’s waste of your health care resources.

MR. ROTHSTEIN: Okay. I have no problem with that.

MS. BERNSTEIN: Where are you?

MR. ROTHSTEIN: In the fourth line up from the bottom, in the middle of the second paragraph, delete the word “scarce.”

MS. BERNSTEIN: “Waste” or “scarce?”

MR. ROTHSTEIN: No, just “waste of health care resources?”

Okay — anything else, John?

Harry?

MR. REYNOLDS: Yes. On the last sentence — are you talking about the last sentence? You’re in the same paragraph?

MR. ROTHSTEIN: Second paragraph, yes.

MR. REYNOLDS: Yes. “Thus, there are ample ethical policy and business reasons” —

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: — “for a shift to EHRs.”

MR. ROTHSTEIN: Business or economic?

MR. REYNOLDS: Economic’s fine.

MS. BERNSTEIN: “Ethical policy and economic reasons” —

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: Are you finished? All right.

Okay with you? Good, all right, now — oh, my own — this is being recorded? Oh, my. Okay.

MR. REYNOLDS: Somebody’s going to read it.

MR. HOUSTON: He ain’t going to read it.

[Laughter.]

MS. McANDREW: Say you’re sorry.

MS. BERNSTEIN: I’m going to read it.

[Laughter.]
MR. ROTHSTEIN: Well, you’re in trouble.

MR. REYNOLDS: John, you shouldn’t have said that.

[Laughter.]

MR. ROTHSTEIN: Okay, third paragraph.

MR. HOUSTON: Do you have the word — again, this

is wordsmithing — “transparency –?”

MR. ROTHSTEIN: Where?

MS. BERNSTEIN: So you don’t like that word? Every time I see it, I will call —

MR. HOUSTON: — “of the systems operation.” Don’t know what that even means.

MR. ROTHSTEIN: Okay. Or let’s —

MS. BERNSTEIN: Transparency — openness, you know.

MR. HOUSTON: In this context.

MR. ROTHSTEIN: Okay, let me just read the — a commitment to privacy and confidentiality?

MS. BERNSTEIN: Openness and understanding.

MR. ROTHSTEIN: Organization and government structure, the rules for collection, use and disclosure of personal —

MS. BERNSTEIN: The simple to understand view.

MR. ROTHSTEIN: “Open and simple,” how is that?

MR. HOUSTON: Well, it’s with systems operation. I can think of systems operation —

MR. ROTHSTEIN: No. Well, we don’t want — I didn’t mean that in the technical sense.

MS. BERNSTEIN: Right, right.

MR. ROTHSTEIN: I mean in — you know, Joe Smith understands how it works and everything is disclosed and that sort of thing.

MR. HOUSTON: But the “system,” meaning the NHIN operation?

MR. ROTHSTEIN: Correct.

MR. HOUSTON: And then we should simply say something of the operation of the NHIN.

MS. BERNSTEIN: “Understandability?” Well —

MR. ROTHSTEIN: Well, maybe we shouldn’t say “system.”

MS. BERNSTEIN: What do you mean, “operations?” I think that was the —

MR. ROTHSTEIN: How the system works. It’s easy to understand how the system works, the capability of the system to limit disclosures to necessary information, the ease of — okay, we know what to say, and Maya’s going to fix that.

MS. BERNSTEIN: The ease of the system to function.

MR. REYNOLDS: Yes, I hope we can restructure that sentence. I mean, it’s just got a lot of stuff in it.

MR. ROTHSTEIN: It’s a long sentence with some big words.

MR. REYNOLDS: I’m not debating whether the stuff should be there; it’s just a lot of stuff.

MR. ROTHSTEIN: Yes.

MR. REYNOLDS: Maybe break it into other ones

or —
MS. BERNSTEIN: I don’t like the word “sanctions.”

MR. HOUSTON: I don’t like the word “legal.”
MS. BERNSTEIN: Yes.

MR. ROTHSTEIN: The existence of —

MR. HOUSTON: We sort of got away from using — I mean, there’s administrative —

MS. BERNSTEIN: The problem with “sanction” is it means — it’s opposite.

MR. ROTHSTEIN: How about “remedies,” and “existence of remedies?”

MR. HOUSTON: No, because remedies — it might be that somebody is terminated for wrongful access, so remedy — I mean, I guess there’s a remedy to a patient or enrolling in NHIN, but I —

MR. REYNOLDS: Let’s make sure that that’s compatible with that section.

MR. ROTHSTEIN: With that section we just did.

MR. REYNOLDS: Yes. I’m more interested in that than which word we put in.

MR. HOUSTON: That’s where I am, because I think we carved out — you know, legal sanctions is not what we described.

MR. ROTHSTEIN: We changed that about a hundred times.

MR. REYNOLDS: Yes, so let’s just make it compatible with that.

MR. HOUSTON: What did we call that? We said it was something —

MS. BERNSTEIN: “Appropriate resolutions,” or something.

MS. McANDREW: Or you might talk about, you know, effective enforcement.

MR. ROTHSTEIN: Then I guess “effective enforcement measures.”
MR. HOUSTON: Yes.

MR. REYNOLDS: There you go.

MS. BERNSTEIN: Okay.

MR. HOUSTON: It’s just not wrongful access, either. It could be inappropriate disclosure or use.

MS. McANDREW: Right. I was going to ask.

MS. BERNSTEIN: “Or inappropriate use or disclosure.”

MR. HOUSTON: Yes.

MR. ROTHSTEIN: But semi-colon is okay, right? [Laughter.]

MR. REYNOLDS: We’ll decide that next time.

[Laughter.]

MR. REYNOLDS: We’re into messaging now.

[Laughter.]

MR. ROTHSTEIN: Okay, now, let’s see. What about — it’s not 4 anymore, right? It’s D and F?

MS. BERNSTEIN: Yes. D is 4 — so basically, you can change the numbering; I’ll change it however you want it.

MR. ROTHSTEIN: No, it’s okay.

MS. BERNSTEIN: But I wanted the recommendations to be numbered in Arabic numerical order —

MR. ROTHSTEIN: Right.

MS. BERNSTEIN: — so they were easy to refer to by the time we got to the end, when that’s what we’re presumably going to be focusing on. So I figured the outline matters less.

MR. ROTHSTEIN: Are we okay with A? Anything else?

MS. BERNSTEIN: There are no recommendations associated with A.

MR. ROTHSTEIN: No, that’s the —

MS. BERNSTEIN: Okay.

MR. HOUSTON: Can I go to B for one second because I just notice I had a couple comments which are just grammatical. They don’t go into the substance of B, which I’m not talking about.

MR. ROTHSTEIN: Yes?

MR. HOUSTON: The very first sentence, “There’s likely to be many transitional issues in establishing NHIN and most of them are beyond the scope of this letter.”

So that’s just one thing I saw.

And I guess we won’t get into the substance of B?

MR. ROTHSTEIN: No.

MR. HOUSTON: Mark doesn’t want to.

MR. ROTHSTEIN: Well, I don’t want to get into an important discussion with only three of the five members.

But do you want to do the Introduction?

MR. HOUSTON: We could do the Introduction. I didn’t see much — by the way, I guess I need to send — can you send me an email to remind me to study this because how do we want to incorporate —

MS. BERNSTEIN: Yes. Are you going to be back tonight?

MR. HOUSTON: No, but I might be online tonight, looking for something online.

MS. BERNSTEIN: You know, I think that’s probably plenty of time for Paul and Simon. That’s who needs to see it. The rest of us have it on paper.

MR. HOUSTON: — So —

MS. BERNSTEIN: Send it to me on Monday?

MR. HOUSTON: Okay.

MS. BERNSTEIN: But I’ll send you it.

MR. HOUSTON: Actually, I’ll send it to myself.

I was very careful, because there was a discussion on security versus privacy in this first

section.

MR. ROTHSTEIN: Yes. I mean, I would take issue with the first several sentences, up until “security,” because, really, your definition of privacy and confidentiality —

MS. BERNSTEIN: His or his?

MR. ROTHSTEIN: John’s.

MS. BERNSTEIN: Which I sent you long ago. I sent you my —

MR. ROTHSTEIN: Right. I mean, I’m perfectly happy to substitute your definition of security, but I don’t want to give up the definition —

MR. HOUSTON: What are some other points?

MR. ROTHSTEIN: That’s Harry’s.

MR. REYNOLDS: The play on security versus privacy versus confidentiality.

MR. ROTHSTEIN: So I would be more than happy to change where it says “security” blah-blah-blah in the current letter and make it security refers to the practices, physical safeguards and electronic safeguards necessary to insure that the information can only be acceded by a bonafide need to access the information. I’m happy to do that.

MR. HOUSTON: Well, my thought is this an entirely separate section.

MS. BERNSTEIN: Physical management and technical.

MR. HOUSTON: That would simply be a — you know, there would be a seventh section of this report.

MR. ROTHSTEIN: Oh, I see, I see — so you don’t want to —

MR. HOUSTON: No.

MR. ROTHSTEIN: Or this is not — okay. Let’s talk about that.

MR. HOUSTON: Let me say this. I tried to make — the definitions, my use of security, privacy and confidentiality, in this section, I tried to make them compatible —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — and I may have not succeeded with what was in the —

MR. ROTHSTEIN: Okay. Well, here’s my issue with Section 7, or G, or whatever. If we’re going to add “security” to this letter, it’s going to require a lot more than this.

MS. BERNSTEIN: Clearance with the security group.

MR. HOUSTON: Well, no, no, no, no. What this was intended to do was be a place holder. I think when we had the last meeting, we said, gee, we can’t not talk about security, but we don’t want to talk about it in depth.

MR. ROTHSTEIN: Right.

MR. HOUSTON: What we want to do is use it as a place holder, that it needs to be addressed; it is separate from privacy and confidentiality —

MR. ROTHSTEIN: Right.

MR. HOUSTON: — which is the intent of this letter, but here are some high level concepts that we believe need to be addressed in a more substantive fashion.

I mean, that was the only reason for adding the security section. And I think it was sort of a take away from either our last meeting or last conference call. I said I would sit down and try to draft something that acted as that place holder. That’s the only reason why I drafted what I drafted.

MR. ROTHSTEIN: Okay, but I wouldn’t — well, I’m happy to consider adding another paragraph to the Introduction to sort of put some meat on the security bones. But I think if we have a section, you know, a Section 7 on security, and just have a paragraph, that’s not a good idea.

MR. HOUSTON: However, I — it’s fine.

MR. ROTHSTEIN: Would you be willing to do that? I mean, would you be acceptable to —

MR. HOUSTON: Sure.

MR. ROTHSTEIN: So what we can do is — let me make this suggestion.

MR. HOUSTON: See, the problem was — by the way, the other part of this, too, Mark, is really I think — I don’t remember completely, but I believe at the time I tried to fashion it in here and it got too complex with security in this Introduction without —

MR. ROTHSTEIN: Okay, here’s what I’d like to propose, that if you take a look at the Introduction, when we’ve got like in Line 7 or so the definition of security, substitute John’s definition of security for my definition of security. Then, after —

MR. REYNOLDS: Where’s this one, John? Where’s your definition of security?

MS. BERNSTEIN: The last —

MR. ROTHSTEIN: Okay, it’s in here. I would say security consists of the practices, physical —

MR. REYNOLDS: Fine.

MR. ROTHSTEIN: Okay. Then, after that sentence, okay, delete or move the next sentence, okay, where it says “The security” blah-blah-blah “is not covered in this report.” I want that to be the first sentence of a new paragraph later on.

But then we’ll continue saying the report uses the term whatever it is, individual health information or whatever — then the report uses the terms “individual” rather than “patient,” et cetera.

Then, start a second paragraph that begins:

“The security of electronic health records is not covered in this report.”

[Noise from telephone links.]

MS. BERNSTEIN: Gail, are you still there? Hello?

MR. ROTHSTEIN: Okay. And then, in the second paragraph, put: “The security of electronic health records” — actually, we should put “and the NHIN” — “is not covered in this report.” And add a sentence like: “Those issues will be discussed in a future letter, but we would note in passing that they are closely related to” blah-blah-blah “and may incorporate some of the information that is in the generally –“

MR. HOUSTON: Do you typically put notes in letters?

MR. ROTHSTEIN: No.

MR. HOUSTON: Okay.

MR. ROTHSTEIN: Well, we typically don’t do them.

MS. BERNSTEIN: Okay. I do not have these things. I mean, I have your copy of this —

MR. HOUSTON: We just passed it out today.

MS. BERNSTEIN: I understand that, but she took it up to make more copies of it and then I put it down —

MR. HOUSTON: There’s some over there.

MS. BERNSTEIN: — and it’s disappeared again. Are there more? Sorry. Jeanne, thank you.

MR. ROTHSTEIN: Okay, John, I’m open to —

MS. BERNSTEIN: Oh, I do have it. Sorry — I’ll return this.

MR. ROTHSTEIN: Maya and I are going to work this afternoon. We will take a crack at doing that.

MR. HOUSTON: Okay.

MS. BERNSTEIN: Yes.

MR. ROTHSTEIN: Unless you’ve got other plans. Do you have other work? [Laughter.]

MS. BERNSTEIN: It’s your job. This not my full-time job!

MR. ROTHSTEIN: Oh!

MS. BERNSTEIN: I have a big deadline to OMB

but —

MR. ROTHSTEIN: Okay, we can work on it next week.

MR. REYNOLDS: Mark, I’d like you to consider in whatever sentence we use on privacy, where this starts off, John’s first sentence, “An issue that often clouds discussions regarding privacy is privacy confidentiality and security?”

And I want to maybe put in there “especially as it gets discussed with the general public,” either in the beginning of the sentence —

MR. HOUSTON: I think he’s going to drop a lot of that.

MR. REYNOLDS: Well, wherever we mention — because we feel it’s a separate subject, but the general public cannot — most people that you talk to can’t separate them. They can’t draw that fine line.

MS. BERNSTEIN: Privacy and security?

MR. REYNOLDS: Yes. They can’t draw the fine line.

MR. ROTHSTEIN: How about if we make —

MR. REYNOLDS: I’m not talking about people here.

MR. ROTHSTEIN: — in the very first sentence of the Introduction: “Health privacy, confidentiality and security are often used interchangeably and imprecisely by the general public?”

MR. REYNOLDS: Perfect. That’s exactly what I want, because I think that’s a huge issue.

MS. BERNSTEIN: You know what? They’re often used that way not just by the general public but by the security folks, by —

MR. REYNOLDS: Well, yes, I agree, but —

MS. BERNSTEIN: Particularly security.

MR. REYNOLDS: They’re included in the general public. [Laughter.]

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Okay, so we can take a crack. We’ll revise this.

So I think we’ve got agreement on —

MS. BERNSTEIN: Okay, what’s the first sentence that you wanted to put —

MR. ROTHSTEIN: Okay. The very first sentence of — no, you’re in the wrong document. In the

Introduction —

MS. BERNSTEIN: Yes?

MR. ROTHSTEIN: — after the word “imprecisely,” add “by the general public.”

MS. BERNSTEIN: I got that.

MR. ROTHSTEIN: That’s it.

MS. BERNSTEIN: Earlier, about two minutes ago, you were saying you wanted to make something —

MR. ROTHSTEIN: Oh — okay.

MS. BERNSTEIN: — that John had written the very first sentence of a new paragraph about something. What was that?

MR. ROTHSTEIN: No, I wanted to — I’m changing the definition of “security” in the middle of the —

MS. BERNSTEIN: “Security refers to” —

MR. ROTHSTEIN: Yes. “Security refers to,” and use his definition.

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: “Security refers to the practices, physical safeguards and electronic safeguards necessary to ensure that” blah-blah-blah.

MS. BERNSTEIN: Right.

MR. ROTHSTEIN: Okay, then — the first paragraph.

MS. BERNSTEIN: Taken out —

MR. ROTHSTEIN: Of the first paragraph. Just delete it.

MS. BERNSTEIN: “Security refers to” — you’re going to delete that?

MR. ROTHSTEIN: Well, we changed that. The security of electronic —

MS. BERNSTEIN: “is not covered in this report.”

MR. ROTHSTEIN: Correct. That’s the beginning of the next paragraph, as yet to be written, I will take care of, that is going to incorporate some of these items.

MS. McANDREW: So then the next sentence is?

MS. BERNSTEIN: The second sentence is going to be taken out of here but put somewhere else, is that what you’re saying?

MR. ROTHSTEIN: The sentence that begins —

MS. BERNSTEIN: “The security” —

MR. ROTHSTEIN: — “The security” is going to be the — or something like it — is going to be the first sentence of a new Paragraph 2.

MS. BERNSTEIN: Okay. So let me do that —

MR. ROTHSTEIN: Well, don’t worry about it because I’m going to rewrite a whole new Paragraph 2 —

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: — and we’re not going to do it now.

MS. BERNSTEIN: Okay.

MR. ROTHSTEIN: Okay, and then that will — so where we are now is we’re up to the paragraph “In the debate.”

MR. HOUSTON: Again, some wordsmithing at the end of the first sentence?

MR. ROTHSTEIN: Okay.

MR. HOUSTON: “The conflict between individual interest in privacy and confidentiality and the societal interest in disclosure” — is “disclosure” the right word here?

MS. BERNSTEIN: No.

MR. ROTHSTEIN: “Information sharing?”
MS. BERNSTEIN: “Use of information.”

MR. HOUSTON: “Use, disclosure, access” —

MS. BERNSTEIN: “Use, availability –“

MR. HOUSTON: — I’m not sure what — I mean, “disclosure” seems —

MR. ROTHSTEIN: “And widespread availability of information,” something like that?

MR. HOUSTON: I just think there’s a more precise or more meaningful —

MS. BERNSTEIN: Right.

MR. HOUSTON: — term or use of words than “disclosure.”

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Did you — we haven’t done anything, Mark, since I kind of bled all over the first version, you didn’t do anything to that stuff? Maybe I’ll see if any of that’s still relevant.

MR. ROTHSTEIN: From your original mark-up?

MS. BERNSTEIN: From my original mark-up.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Right. Sort of look at this particular — this Introduction.

MR. ROTHSTEIN: Yes, it’s not artfully written, but I think the point is important.

MS. BERNSTEIN: Yes, yes, sure.

MR. REYNOLDS: Mark, the last sentence of Paragraph 2 —

MR. ROTHSTEIN: Yes?

MR. REYNOLDS: — “At the same time, there is strong individual interest in the use and disclosure of health information to improve individual health.”

MR. ROTHSTEIN: Right.

MR. REYNOLDS: What’s the “strong” — why — is there strong interest, or strong individual interest, or — I guess —

MR. ROTHSTEIN: Well, what I’m trying to say is –in the whole paragraph, sometimes the privacy debate is pitted as people don’t want to share information against the people who want the information, and people only have an interest in keeping stuff to themselves and everybody else has an interest in getting more stuff out there.

And individuals have an interest in sharing and disclosing information because it’s going to improve their health, it’s going to improve the quality of the health care system, it’s going — well, assuming that, it’s going to — if you keep all information to yourself, you would hamper —

MS. BERNSTEIN: Right.

MR. ROTHSTEIN: — public health research and so on.

MS. BERNSTEIN: Well, public health research is not the same as my individual health —

MS. McANDREW: Right.

MS. BERNSTEIN: — at all.

MR. REYNOLDS: No, I didn’t say that.

MS. BERNSTEIN: All right, okay. But —

MR. ROTHSTEIN: But I said if we — if nobody shared information. The best way of protecting people’s privacy would be to abandon —

MS. BERNSTEIN: Share nothing, right, right.

MR. ROTHSTEIN: — you know, all sorts of things that are good for us.

MR. REYNOLDS: No, I guess where I was going — I struggle with the two —

MR. ROTHSTEIN: Two “strongs?”

MR. REYNOLDS: No, the two “individual” —

MR. ROTHSTEIN: Two “individual.”

MR. REYNOLDS: — because I just —

MR. ROTHSTEIN: There is a strong —

MR. REYNOLDS: — I can’t tie them together, I just can’t —

MS. BERNSTEIN: I would say “individuals have a strong interest” —

MR. ROTHSTEIN: Right.

MS. BERNSTEIN: — “in the use and disclosure of health information” —

MR. REYNOLDS: To improve their health.

MS. BERNSTEIN: — “to improve their health.”

MR. REYNOLDS: I agree with that.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: I could go there.

MR. ROTHSTEIN: Excellent.

MS. BERNSTEIN: We’ll work on the passive voice thing, too.

MR. ROTHSTEIN: Yes.

MS. BERNSTEIN: It’s easy to slip that in; it’s very easy when you’re writing policy documents to do that and —

MR. ROTHSTEIN: No passive. [Laughter.]

MS. BERNSTEIN: Big no.

MR. ROTHSTEIN: Okay, third, throughout. Oh, I don’t think anybody would question that first sentence, would they — but Harry? [Laughter.]

MS. BERNSTEIN: There’s something grammatical about the second sentence that’s sort of awkward.

MR. REYNOLDS: You know, stepping back for a second, Mark, you know, you were going to say that the full Committee — I guess this is just about the Introduction —

MR. ROTHSTEIN: Yes —

MR. REYNOLDS: — you were going to say the full Committee, you know, all the hearings we had and everything else —

MR. ROTHSTEIN: Right. I wrote that information and that was attached to this version of the letter as the draft for the letter to the Secretary.

MR. REYNOLDS: Okay, good. Okay, I gotcha.

MR. ROTHSTEIN: Do you remember seeing that?

MR. REYNOLDS: Yes, okay, good, okay. I just — as I was sitting here looking at the Introduction and I didn’t remember that portion of it, I thought, well, geez, we go right into it and we didn’t really tell the

Secretary —

MS. BERNSTEIN: Did we show Harry the covering note?

MR. ROTHSTEIN: Yes —

MR. REYNOLDS: You know, we’ve gone east to west on this. We’ve had many hearings. Okay —

MR. ROTHSTEIN: It says “all the hearings –“

MR. REYNOLDS: No, no, that’s great, okay. I just — as I was sitting here trying to finish up the philosophy of the Introduction, I felt like we —

MS. BERNSTEIN: Do you want to circulate that along with the —

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: We’ll pick it up and look at it again and see as how it needs to change with the perspective of what we’ve done already here.

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Yes?

MR. ROTHSTEIN: Yes, that’d be good. That was on version one of the draft.

MS. BERNSTEIN: Oh, I may have separated them myself. Maybe you separated them after that.

MR. ROTHSTEIN: Oh, you’ve gonged all the old versions?

MS. BERNSTEIN: No, no, no, I haven’t.

MR. ROTHSTEIN: Okay. It’s at the end of the —

MS. BERNSTEIN: I’m just saying that’s maybe where we lost it. We started focusing — we separated the two documents.

MR. ROTHSTEIN: Yes. So we’ll include that in the next go-round.

And the second sentence needs to be put into English, I think.

MS. BERNSTEIN: Yes.

MR. HOUSTON: “As the level” — which one?

MR. ROTHSTEIN: Yes, “As the level –“

MS. BERNSTEIN: Even my computer thinks so. [Laughter.]

MR. HOUSTON: Yes, I don’t know if “integration” is the right word. I mean, “interoperability” or —

MS. BERNSTEIN: “The level of integration” — “add to the level.”

MR. ROTHSTEIN: We could say, “A highly integrated system has great utility but it also poses great threats to privacy –“

MR. HOUSTON: This is not — NHIN is not “integration.” It’s “interoperable.”

MR. ROTHSTEIN: “Interoperability?”
MR. HOUSTON: I’m not even sure it’s —

MR. REYNOLDS: It’s “electronic sharing,” you know?

MR. HOUSTON: Yes, it’s — actually, maybe that’s “As the level of integration of information increases” or the — because we’re not talking about systems.

MR. ROTHSTEIN: Right, yes. I am not talking about system.

MR. HOUSTON: So, maybe what we’re really saying is “As global access to information increases.”

MR. ROTHSTEIN: Right.

MR. HOUSTON: “As we provide global access to information, it has greater utility but it also” —

MR. ROTHSTEIN: Right.

MR. REYNOLDS: Yes, I think that’s good.

MR. HOUSTON: But I’m not sure if David — I guess David has utility.

MS. BERNSTEIN: Sure.

MR. HOUSTON: So — but then this is highly integrated data systems but we still need to change — but “highly integrated systems” has to be changed, but something related to the data.

MS. BERNSTEIN: “As global access to information increases, it may have greater utility, but it also poses a greater threat to privacy and confidentiality.”

MR. HOUSTON: Right.

MR. ROTHSTEIN: I think that’s fine.

MR. HOUSTON: Fine.

MS. BERNSTEIN: “Global,” do you like that word?

MR. HOUSTON: Yes.

MS. BERNSTEIN: How about just “access to information increases?”
MR. HOUSTON: No, because we have access — I mean, now.

MR. ROTHSTEIN: How about “broader access?”

MR. HOUSTON: “Broader access.”

MS. BERNSTEIN: Well, you’re saying “increases,” so you’re saying —

MR. ROTHSTEIN: Oh, okay.

MS. BERNSTEIN: “As access to information increases.”

MR. ROTHSTEIN: Fine.

MR. HOUSTON: “As availability of information increases.”

MS. BERNSTEIN: Do you like that one better?

MR. ROTHSTEIN: Okay.

MS. BERNSTEIN: Okay? “Availability” implies that you can actually get it.

MR. ROTHSTEIN: The other sentence, the last sentence, isn’t written that well, either. [Laughter.] What was I drinking when I wrote it?

[Laughter.]

MR. HOUSTON: Awful strong stuff.

MS. BERNSTEIN: “Furthermore?”

MR. ROTHSTEIN: Yes, “furthermore” is not too hot, either. That’s a thought I’m still willing to defend, but I mean —

MS. BERNSTEIN: My computer likes that one.

MR. ROTHSTEIN: Oh, really?

[Laughter.]

MS. BERNSTEIN: That’s only because the grammar thinker is not so good on it, maybe, I don’t know. If you don’t like it, I trust you better than it.

MR. ROTHSTEIN: I don’t like “respecting.” “Efforts to” —

MS. BERNSTEIN: It’s backwards written. Turn it around.

MR. ROTHSTEIN: — “advance the autonomy of

individuals” —

MR. REYNOLDS: Another thought. How about: “Balancing the autonomy of individuals, the flexibility of their choices, simplicity in utility are a challenge?” Or I don’t like “are a challenge,” but, I mean, those are really — you lay those four things on a grid and it starts coming apart, that’s what I think you’re saying here.

MR. ROTHSTEIN: That’s what I’m trying to say.

MR. REYNOLDS: That’s what you’re saying. So I think I’d say it in much plainer terms. But they’re way too plain.

MS. BERNSTEIN: Take any two, right? I mean, it’s like —

MR. REYNOLDS: No, but I think the key thing is being able to balance everything we heard, that individuals want autonomy, we want a flexible system, we want this — is really the heart of the challenge.

MR. ROTHSTEIN: But on the other hand, the more flexibility you have, the more complicated —

MR. REYNOLDS: That’s what I mean, yes, right, right.

MR. ROTHSTEIN: — and expensive and —

MR. REYNOLDS: Yes, so that’s what we’re trying to say. It’s that balance, on both sides.

MS. BERNSTEIN: “Autonomy, flexibility, simplicity, utility, cost.”

MR. HOUSTON: Well, the individual choices are whether you want — well, I guess it’s more than just whether information is available or not; it’s a whole —

MS. BERNSTEIN: What kind of insurance you want, what kind of a doc do you want to go to, whether you want to be treated at a clinic or a private office. All those kinds of things are choices in your health care, right?

MR. ROTHSTEIN: So what are you saying, Maya? Flexibility, individual —

MS. BERNSTEIN: “Balancing” — this is what Harry said — “Furthermore, balancing the autonomy of individuals, the flexibility of their choices, the simplicity, utility and cost.”

MR. REYNOLDS: All I’m saying, Mark — I like everything you have here. I think the key thing is the balance.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: I mean, I like that word because it’s really what our struggle has been on this. It’s to balance how to help make everybody happy out of this thing, and that’s the thing I’m struggling with.

MS. BERNSTEIN: But, you know, I think something that’s sort of coming around in the privacy world is trying

actually not to use the word “balance” because it implies that if we have more security, somehow we have less privacy or something, that somehow there’s a tradeoff. And it’s not clear to me that it’s always the case that there’s a tradeoff. Maybe you can have all of these things increased, right?

MR. REYNOLDS: Right.

MS. BERNSTEIN: You might be able to get more security and more privacy and not balance them.

So there are some people who have —

MR. REYNOLDS: How about the relationship between those is really our challenge?

MS. BERNSTEIN: Something, yes.

MR. REYNOLDS: The interaction, the relationship, yes, something like that.

MR. ROTHSTEIN: Deciding on appropriate —

MR. REYNOLDS: Yes, levels of —

MR. ROTHSTEIN: And I assume that that the last paragraph, nobody has any problems with it other than the fact we’re changing the “1’s” to “A’s?” [Laughter.]

MR. REYNOLDS: Other than the fact we might change all the subjects, no. [Laughter.]

MR. ROTHSTEIN: Oh, I think we’re in reasonable shape, considering that we haven’t gotten to —

MS. BERNSTEIN: B.

MR. ROTHSTEIN: — B.

[Laughter.]

MR. REYNOLDS: Yes, I think we got a whole meeting to discuss it further.

MS. BERNSTEIN: Yes, just for B.

MR. ROTHSTEIN: Yes, well — I think we — it’s a good dialogue.

MR. REYNOLDS: Yes, but the other thing — but I think the structure and the dialogue that we’ve had may change everybody’s look at how B comes into place. I think — I mean, we all have come to a lot more common ground than we had if we had started this —

MR. HOUSTON: Like hell we did.

[Laughter.]

MR. REYNOLDS: I tried to give you an out, John; you didn’t take it.

MR. ROTHSTEIN: I think it actually was a good idea to work backwards.

MR. REYNOLDS: I thought it was very sensible.

MS. BERNSTEIN: Okay —

MR. ROTHSTEIN: Should have done that —

MS. BERNSTEIN: — you know, my plan was to be with you guys till 5, anyway. So we should sit down and talk.

MR. ROTHSTEIN: Right. That’s what I was hoping we could do.

MR. HOUSTON: Okay.

MR. ROTHSTEIN: So I’ll see in 15?

MR. REYNOLDS: Hey, thanks, nice job.

MR. ROTHSTEIN: Till next time, thank you, Harry.

( Whereupon, at 2:37 P.M., the meeting was adjourned.)