[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Ad Hoc Workgroup for Secondary Uses of Health Data

October 4, 2007

Hubert H. Humphrey Building
200 Independence Ave
Room 425A
Washington, DC 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030



Agenda Item: Call Meeting to Order, Review Meeting Goals

DR. COHN: I want to call this meeting to order. This is the meeting of the
Ad Hoc Workgroup on Secondary Uses of Health Information of the National
Committee on Vital and Health Statistics. The national committee as you all
know is a statutory public advisory committee to the US Department of Health
and Human Services on national health information policy. I am Simon Cohn and I
am Associate Executive Director for Kaiser Permanente and Chair of the
committee. I want to welcome committee members, HHS staff, consultants, and
others here in person. I do want to mention that today we are not on the
Internet, but we are being recorded. So, as always, I would ask you to speak
clearly and into the microphone so we can produce notes from this meeting.

With that, let us have introductions around the table and then around the room. For those on the national committee, I would
ask if you have any conflicts of interest on any of the issues coming before us
today, would you so please state during your introduction. I want to begin by
observing that I have no conflict of interest.

[Introductions around the table.]

DR. COHN: Okay, I want to welcome everyone this morning. Let me just talk a
little bit about what is going to be happening. Actually we will first sort of
comment about the schedule for the next day and a half. Just to be clear with
everyone, what is happening this morning is we have a meeting with the Ad Hoc
Workgroup. That meeting will proceed through the morning and will adjourn
around twelve noon. Then this afternoon, we will have a meeting of the Privacy
and Confidentiality subcommittee of the NCVHS in this room. So, that will start
at 1:00. Tomorrow morning, we will start at about 8:30 and continue with our
conversations around the draft report, our observations and recommendations.
Once again, with the intent to adjourn around twelve noon.

Now, today is the fifth meeting of this workgroup. I just want to start by thanking all of you. I am not going to
name you all individually, but I think for all of us it was a busy summer. It
is turning out to be a busy fall on this topic. I think most of us feel that we
are probably 80 to 85 percent of the way there. Hopefully, by tomorrow it will
be in the 94 percent range in terms of completion. I want to thank you all. I
think we have all spent the summer and fall together. I want to especially
thank Justine and Harry for not only spending the summer and fall together, but
when we are not together we are also sending night calls with Margaret and
others. So, I think this has really been a view of some of the finest in NCVHS
sort of coming forward at the request of the department to sort of quickly work
on a complex and important issue and hopefully be able to come up with some
practically possible recommendations and next steps that the secretary can
actually begin to move forward on as well as the department. Obviously that
will be determined as we move through today and tomorrow.

Now, we will start this session with an overview of the report and
recommendations. You can see in front of you a PowerPoint. Justine and Harry
are going to be leading this. This is really meant to be just to sort of remind
us all of what is in this report. Last night when I was talking with Harry and
Justine, my initial plan was to start on line one and go to line 1500 by
tomorrow at noon and basically review the report on a line-by-line basis. I was
persuaded by them that we may still need to do that, but probably to begin with
given that as we all observe some of the early parts of the report need
streamlining, not that the content is wrong, but it is sort of redundant and
things need to be reorganized. It was not going to make a lot of sense for us
to delve deeply into the wording of the first part today.

Instead, what we are going to do is go through some slides to help remind us about the framing of the report as well as at
a high level talk about the observations and recommendations. The view is that
we first of all need to start at a forest level before we go into the trees.
Because if we go line by line on the observations and recommendations without
realizing how these things all fit together, we are going to find ourselves
arguing about recommendation 1 when it is really covered in observation 5. As I
say all that, the question will continue to be are these the right
recommendations? Are we missing anything? Certainly for that conversation, we
just need to be aware and be capturing those pieces. We are also close to this
that I think it is hard to sort of take a step back and look. So, that will be
certainly part of the conversation.

From there, we will then move a little more into the tree level and begin
to move through the specific observations and recommendations. Now, this is, as
I said, accounting for what is not there. Wording that does not fully express
the content well. I know you are all excellent editors. I think I told you my
father is a professor of English. When I get into redlining, I am a terror.
This is not the time for spending a lot of time arguing the precise word unless
it affects meaning. We obviously do really want to take redlines offline and
get that information and get it to Margaret in process of the next version.

So we will hopefully do that today. This afternoon, Margaret is going to be
working on further revisions. We will have a chance tomorrow to review those
around observations and recommendations and then go back to the actual body of
the text and see how it flows in our views on that. So, is everybody okay with
the process for today and tomorrow? Paul?

DR. TANG: I think the process sounds very good. I wonder if we could look
at the forest and make sure certain things are covered. I wonder if we could
enumerate those certain things that should be in our mental checklist as we go
through ahead of time. Before delving in, which can draw you into what we have
there, we should first say, what are we looking for to make sure we have those
things covered?

Here is an example, from the testimony there are a few things that we
should focus on. What happens if we do get in the trees all the time, you may
miss the forest. So, three things that I think we heard the concerns were
commercialization of data, the dealing with the business associate, provision
clause contract, and the conversion that the transition the grain is between QI
and research. Those are three sort of high-level things we heard a lot about.
We hope that after you read this, you should come out with some kind of
clarity, if not clarity, the next steps on how to get clearer. That is sort of
the example.

DR. VIGILANTE: If I was to add to that, I think there is a lot of
recommendations here still in which I think we can look at each one and say,
what is the risk benefit ratio in terms of unintended consequences that we may
not even imagine or be in a position to imagine because – the future state
of the complexity by definition of unintended consequences.

MR. ROTHSTEIN: I think one analytical tool that might be helpful is that we
heard a wide range of testimony at the various hearings. From both the comments
that were made at the meeting and informally, some of the practices that were
described to us were in some instances troubling. What I would like to invite
you to think about is, as we go through the recommendations that we have made,
how would things be different if at all if the world were according to our
recommendations versus the way that they currently are. The things that we are
recommending clean up some of the practices that we thought were kind of
inappropriate. That may be valuable to do.

If we are talking about broad themes, another broad theme that I would raise is the issue of de-identified information.
The HIPAA privacy rule is based on the assumption that if it is de-identified,
it is not PHI and nothing bad can happen to you as a result of somebody using
that. I think that we have heard and recognize in the text several places, but
necessarily in the recommendations that there are some harms that come from
de-identified information. I think that we need to check the recommendations to
see whether we do an adequate job of addressing in our recommendations the
concerns for the possible harms of de-identified information.

I would add as a footnote to at least my statement, but I do not know
whether we want to go so far in the document as saying, I question whether
going forward the distinction that is drawn between de-identified and
identified information continues to be meaningful. It is a foundation of the
privacy rules, I think given technologies and the kinds of research that is
ongoing and the like that the distinction will become increasingly untenable
and it needs to be replaced by some new paradigm that I have nothing to offer.
I am just sort of troubled by the assumptions that we are all proceeding on

DR. COHN: Before we try to solve that particular problem, let us at least
lay it on the table so as we look at the recommendations we can see what we
think of all that.

Any final opening comments before I include my opening comments? I do just
want to spend a minute to talk about at least my view of the next steps. The
next steps are tomorrow on further improvement in this document. I am certainly
very concerned to make sure that we get some additional input on the document
that we are preparing. I think we have obviously gotten lots of public
testimony. We have been meeting in open session and reviewing the document for
the full committee last week and obviously today. Not that many people have
seen the full document. Of course every three days, the full document changes
yet again. I am hoping that after the meetings today and tomorrow, we will be
in a position to begin to distribute and seek public comment on the document
and the recommendations contained therein. The idea being that on October 17,
we do have a conference call scheduled for the committee for the Ad Hoc

My intent is, assuming we leave here tomorrow sort of feeling this is the right thing to do is to have that be an open
session, invite public comment on the report either in verbal or in written
fashion and begin to get some wider input before we finalize it and bring it to
the full committee. I always feel these things are improved by new sets of eyes
looking at what we are doing. That is not to say that everybody will agree with
all aspects of the report. In fact, I am sure that this will not be a report
that everybody says, I agree with every single one of these recommendations. I
think it is important that we hear and get a sense of those in the industry and
basically the public and private sectors sort of feel about what we have done
to date.

Now, is that generally a – I see people nodding their heads. So, we
obviously need to touch base as we get in finishing tomorrow and make sure
that we – We need to have a document that we feel good enough about that
it represents our thoughts that we can appropriately get that. Mary Jo I see
you are beaming to raise your hand here.

DR. DEERING: Well, it is just as a place holder for my poor memory because
we do not have to really visit it until tomorrow, but should the workgroup wish
to extend the call for comments widely, we still have the distribution list
from last year’s exercise when we had an open call. So, we have the ability if
we so choose to widen it to those who provided input on the NHIN requirements.
A lot of whom are knowledgeable enough. Almost all of them would probably be
very appropriate to be put on. So, just a placeholder.

DR. COHN: Well, certainly the previous testifiers and other groups that we
want to offer them the opportunity to review and provide any comments. I think
preferably written, but also verbal for them would be appreciated. Paul?

DR. TANG: That reminds me of one more high level filter to make it
significantly shorter. I think we can because there is a lot of duplication. I
mean I would think that we can make it 40 percent shorter.

DR. COHN: I think that is why we are reviewing the next part. Now, final
comment, and I will make this in terms of process is that assuming we are
moving forward, reaching consensus, I think a view would be that we would have
an open conference call while the full committee, the first week of November
where this will be an action item for consideration by the full committee. I do
not think that has been scheduled yet. I think we will go forward trying to
make that happen. Once again, we will have a better sense by tomorrow.

Now, with that, Justine, I want to turn it over to you to sort of go
through some of the slides. Justine will start, and Harry will talk more
specifically about the observations and recommendations and we can sort of
begin to do some of the filters from the conversations and the issues that we
were all just bringing up.

Agenda Item: Review Themes and Issues Raised at the
Full NCVHS Committee Meeting

DR. CARR: Thank you. So, we are actually working from the starter set of
slides we had before. I think what I will do is Margaret has amplified some
where we have some additional considerations. I think we will just build on
that framework. I think as we get to each slide, if there are things that have
been pointed out, I am fine with being interrupted.

On the first slide is just the excerpts from the ONC request. I think we
had a good discussion this morning at breakfast and brought out some of the
specifics with ONC with the looking forward to NHIN and the traveling of data
through health information exchanges, conduits, and involving multiple
entities. I think what we heard this morning is that we do want to pay
attention to what are the relationships of all of the entities that either
receive or transmit data and to whom do they report and what exactly should
they be reporting? That is all I will say about that. We can come back to it,

The next one is our scope of work. I think we are all familiar with this
policy framework. The premises that HIT is not – it is not quality unto
itself. Next.

I would like to pause on this. Yesterday I presented to the AHIC Quality
Workgroup. I would say this slide got the most resounding feedback in support of
never using the term secondary. I think George in particular said, as we move
into the new world it is impossible to tier the uses of data. So, Caroline and
others all agreed that we should strike that word. Also, just that we should
use strong words in the report.

DR. OVERHAGE: I just want to caution us that we end up slipping into
enhanced uses as an alternative for secondary uses. You need some collection
term to refer to this.

DR. CARR: But we have enhanced protection for uses of health data.

DR. OVERHAGE: I think this is right. It is hard thing to –

DR. CARR: Okay, thank you.

DR. TANG: I subscribe to what you just said, but we are on this side of the
aisle in the sense of, we understand how the data can be used well and how it
can be used well in a protective way. To the consumer, there is only one use
that they are mostly concerned about. I would not want to lose that concept
because that is probably the concept that is driving this whole activity. Do
you all understand what I am saying? We understand what we just said. The
consumer says, I walk in. I am expecting to get care. That is all I am
expecting to get. The other things are secondary to the consumer’s perspective.
I am just worried about losing that concept.

DR. CARR: I would just say that we ought to really think about that more in
depth because as John Lumpkin said early on, part of the challenge is the
education of the consumers. As we move into this next world, we need to bring
them along.

DR. TANG: Okay. Maybe, and this is also keeping with concepts that we talked
about just last week. For the consumer, it is all about unexpected use. We can
educate them on what should be expected in delivering higher and higher quality
care and improving the field of science. There is still something called
unexpected and unanticipated and unwanted. I do not know what the word is, but
that is the point.

DR. VIGILANTE: I have sort of been a broken record on this, and I will restrain
from going off on a tangent. I do think that secondary uses does capture the
notion that it is secondary to the original intent of the patient, which is to
share their – yield their private information for the purpose of being
taken care of. These other uses, while may be equally important at a societal
level or secondary intention of that. So, it may not be the best word, but we
do need an adjective to describe it.

DR. COHN: I was just going to say that I will weigh in on this one. I think
the good news is the title walks the fine line between how we talk about this.
I think that this slide makes a really very important point, as does the
document that not all uses of data are equal that we really need to specify
them. I guess I would speak that we do not spend the next day and a half
arguing about what is primary and secondary. I am only reminded that we have
gotten in conversations whether a consultant use of data is primary or
secondary. Is payment use primary or secondary? Quality improvement, which to
me is as important to care as care itself. Is that primary or secondary? I
think we can spend a lot of our time just wandering around this area, but I do
think this makes the point that we need to get to the specific case.

DR. CARR: Next slide. Okay, so why address uses of health data now? I think
we have talked about this at our previous meeting. I think we are familiar with
this. Let us go to the next slide. Again, we covered it at the last meeting.
Health data available for incorporating into large databases are not just
claims data. There is granular data, sources of electronic health information
expand beyond HIPAA protections of covered entities and their business
associates. So, this is something that I think we need to spend some time on
and really line up what are these various entities, and where do they fall? We
may not have all the answers, but at least to think about who is a business
associate and what are the expectations of business associates and identify
where the gaps are.

Okay, so I think we can move to the next slide. Uses of health for quality
measurement reporting and approval. Improvement enabled by HIT, new benefits
and potential challenges. So, the benefits are outlined and the fact that
quality uses are not well understood by individuals who raises our issue about
transparency. That is an important theme that we have heard. Linkage of
information must assure privacy. It is a very important theme that we need to
make sure we have addressed. Vendors who link data must not violate trust. I
think also, we have been talking about what is the expectation for when vendors
have data. What was it given for? What are they using for? If they change to
use it for something else, how is that accountability hardwired? This issue of
data for performance improvement may evolve into research. How do we manage
that? In some of our discussions – I think one part is defining what is
quality and what is research. I think there is also a need to speak to when
everybody has to the best of their efforts identified something as quality, and
unexpectedly turns into some important research. Can we just address that that
does happen? How do we shepherd safely from quality to research to ensure
privacy, but to not create an obstacle to important information getting out to
a larger community.

The last point says quality data is essential for data aggregation. Again,
this morning as we were speaking, we need some definitions also about what is
aggregation? What does it mean? We use it many different ways, but a piece of
it is that it be done correctly.

DR. FITZMAURICE: I would qualify data aggregation for maybe meaningful data

DR. CARR: Accurate. There is two things. I guess to the stewardship thing
too that if you have data and you aggregate it, you need to know what you are
doing. Part of knowing what you are doing is knowing that your dataset is
complete and accurate and –

DR. FITZMAURICE: So it is good methods and good data.

DR. CARR: Right. So, yes, that needs work a little bit.

DR. TANG: So it not data quality or data of high quality is what you mean
right? Just a point, there is an NQF report that is coming out fairly soon that
speaks specifically about metrics to qualify the quality of data in the EHR. I
think those need to be linked.

DR. CARR: Then the HIPAA challenges, covered entity. One of the things we
talked about today: payers, providers, and clearinghouses. Where do conduits
fit? Entities fit the trends data without looking at it or managing it, but
just sending it. Where do they fit? How do we think about that? The place that
the data goes that are not covered under HIPAA. It is a clearinghouse issue?

DR. COHN: No, I think we tried to address that in one of the earlier
recommendations, I think it is still in there. So, good.

DR. CARR: Covered entity use of business associates and their agents. Again,
we talked about the challenges of what are the expectations? What is the
contract? Is there an annual second look at that contract? If there is a change
in the use of data that goes to the covered entity, how does that get
communicated and addressed?

So, I apologize for not being too fast at these. So, the issue of TPO
operations and quality within operations. So, I think this is something that we
need to pay close attention to. So, right now, if you are doing quality within
operations, there is no requirement for authorization. So, some of the issues
that have come up are, what is the definition of quality? We heard also
definition of quality versus research, the issue also of transparency for the
individuals about how their data is going to be used.

DR. COHN: If I could actually just add – it was brought to my attention
this morning about the issues that we somehow do not have marketing. That is
one of those issues. We talk about privacy versus quality, but we do not talk
about operations versus marketing. It actually is another cleavage. We talk
about areas where there is cleavages and operations is obviously a large area.
We generally do not see cleavages there. Certainly, in marketing, that would be
an area the additional guidance could be helpful.

MS. AMATAYAKUL: Are you suggesting that there is a cleavage between quality
and marketing or within marketing also?

DR. CARR: Are we talking about operations and marketing?

DR. COHN: I was talking about operative —

MS. AMATAYAKUL: Is there cleavage there or is there cleavage also within
marketing? Maybe not within marketing as much, but within Paul’s commercial

DR. COHN: I want to help with this one –

DR. TANG: This is an area that went through lots of morphing during the
Friday of HIPAA. The way it works is a covered entity may share information
that would increase the use of its services, but not the services of a third
party, and not the financial gain of a third party. That is sort of the way they
got around saying, we can tell you that you are due for a flu vaccination,
which would be something a provider offers. But you could not go with — a
retail pharmacy chain could not pay you to increase the use of drugs, even for
more than that retail chain. So, there is the financial connection, and there
has to be a connection – there is the financial relationship with any
third party is relevant. It can only be for increasing uses of your own
provider services.

DR. CARR: So, you could look at everybody who went. You could open a new
glasses shop and look at your list of everybody who had an eye appointment last
year, and send them a notice of your glasses shop.

DR. TANG: Yes, you can see how it can work both ways.

DR. COHN: I think Mark wants to make a comment on this.

MR. ROTHSTEIN: Yes, here is the concern about marketing and commercial uses
of data. We talked about it at the various hearings and in the report as well
in the text the fact that healthcare operations is very broad. We are not sure
where to bring that in. It goes into at least the two areas. We have recognized
that at some point in the quality purpose area, it sort of spreads into
research. There is also point in which it can spread into commercialization,
marketing, and selling of the information. I think that is an area where we
need to at least in the report and recommendations, alert the department to
this issue that we spotted that at the very least the department ought to
provide guidance as to, okay, these kinds of practices are permitted healthcare
operations, but if you go too far and start selling this stuff around even
though it may be de-identified or if you had some notice that you are going to
do this, it is too far. It is really marketing. You are going to need an
authorization. So, that was the point that Simon and I discussed before the

DR. VIGILANTE: So, is that marketing? If you have data and you sell it to
somebody and nobody knows about it. For instance, take the folks who came here
from the cardiovascular quality project. They are out there collecting data on
mortality and best practices under the rubric of a quality initiative. Then of
course they start publishing the stuff in journals. I do not know what hoops
they went through to do that, but they went ahead and did it. Thirdly, they are
selling the data to medical device companies. Now, I would not call that
marketing. That is a sustainable business model. Marketing to me is when you
advertise what you have to offer to a consumer.

DR. CARR: I think they were doing that too, were they not? They talked about
in New England that members of NNE had lowest mortality or something like that.

DR. VIGILANTE: When we use the word —

MR. ROTHSTEIN: Well, Kevin, the reason I use that word is because the
privacy rule does not draw the distinction between commercial and noncommercial
uses. The only thing that it draws a distinction for is “marketing”
as it is defined in the rule. What my concern is that the commercialization of
health information really starts in some instances to fail the consumer
expectation test that we have kind of been dancing around. I think we need to
recognize that in our report.

DR. VIGILANTE: I am not challenging it. I am just —

DR. CARR: Well, I want to ask the question just for clarity. Are we saying
that as folks submit their quality data and they get to the top tier and they
are noted as a top hospital, then say the recent 30-day mortality. If a
hospital were in that top 10 percent tier, can they use that as part of their

MR. ROTHSTEIN: There is a problem with that. What I am talking about is the
commercialization of individual health information. You are talking about
aggregate data. That is so far removed, I think, from what patients are
concerned about. I think what patients would be concerned about, and I think we
heard testimony that would verify this is that their information that was
freely given for the purpose of treatment is now being sold. There is some
sales that I would conceive are legitimate. At some point, the
commercialization that is not integral to care I think consumers have a
legitimate concern about. I think we should recognize that.

DR. COHN: Mark, just to clarify because I am actually hearing the
conversation become very alive with what Paul had mentioned earlier is —

MR. ROTHSTEIN: He said several things, but the one thing that I have
subscribed to all along is that we need to recognize what consumers reasonably
expect will be done with their data. When something goes beyond that, then
something has to happen. What that something is, is it notice? Is it an
opportunity to object? Is it a prohibition? There are all sorts of things that
could happen, but I think that is the area where if it goes too far, everybody
would say that is an inappropriate use.

DR. CARR: Moving on. De-identified data, I think this is an area that we
need to pay attention to. A couple of things I think have come up since our
last meeting, if we stay within HIPAA, all quality operations may use
identified data. So, then whether it is anonymized, it does not matter, they
can use identifiable data. Outside HIPAA is the de-identified data, which is
defined as 17 identifiers taken off.

So, we heard from Latanya Sweeney about how you can re-identify, and then we
have incorporated into some of the report some expectations that assessing the
re-identifiability of data would be a responsibility of somebody. A couple of
things is, unfortunately we do not have a publication or even a PowerPoint from
Latanya Sweeney despite multiple requests. So, I think in the absence of having
a primary document that we can reference and make available. It is very hard to
just take the sound bites of the notes of what people took at that meeting.
Secondly, Judy Warren touched on this at the last meeting that if we are
setting an expectation that a person using data has to provide a statistical
analysis of re-identifiability, I think a question is, how do you do that? If
you are giving your data to someone else, how do you know what other data
sources they have? So, you really do not know that or how they would even
manipulate the data set because they could get something down to a cell size of
three. I think we need more clarity of our thought about what those
expectations are in terms of assessing re-identifiability and who owns that and
what is feasible to accomplish.

DR. FITZMAURICE: You raised an interesting point and that is, you might get
it down to a cell size of three, so you threw out a personal interview the
three people in that category and find out which one had the particular
hospitalization. The privacy rule does not make that a crime. Nothing makes
that a crime. Maybe that is a feature that we want to highlight that there
ought to be a law against somebody trying to identify another individual on the
basis of de-identified health information.

DR. STEINDEL: This brings us to the point that Mark was making earlier in
the meeting about his statement that maybe we should stay away from the term
de-identified because in today’s world, that may not be a true statement. I
think the point that you just made is very much correct. I think a researcher
or somebody who is collecting data can make a statement about re-identification
with respect to the population that they were studying and the data they were
studying. But once that data is released, they can make no statement about what
anyone else is going to do about their ability to re-identify it. That was what
you just said, and I think that is totally correct. With regard to what Mike
just said, even if we had a law that said you could not do it for marketing
purposes. Someone could re-identify down to a cell size of five. They have no
problem without sending marketing material to five people. They do not have
problems with sending it to 10,000 people, so five is going to be great. So, I
do not think a law will even help in that area.

DR. TANG: So, as we go through this, and Mark had put that as one of the
things to look for, do you want us to come up with a consensus about how we
feel about de-identified data as you go through this or later?

DR. CARR: It seems like – so, the point of this is we actually started
out when you mentioned some of the things that are weighing on your mind that
we haven’t tied out. This is really an exercise to tease those things out. I do
not know if there are things on the quality use case that we talked about
today. What are the things that before we go home we have to have some
consensus on?

DR. TANG: Is this at the inventory stage or the discussion stage?

DR. CARR: Inventory.

DR. COHN: I would just say this in terms of inventory. I think we somehow
need to make a differentiation or be inclusive of there being identified data
and these sort of aggregated reporting like 57 percent or 63 percent or
whatever, which is a lot of what happens with this stuff when it gets reported.
There needs to be a bullet somewhere that makes that distinction here.

DR. CARR: So, these seem to be where the pushback is coming. So, anything
else on – In terms of the operations, the things that we talked about
today of all the different places data can go, is there anything that we need
to —

MS. ANDERSON: Sure, I think the one thing we want to keep in mind is that
around the quality use case is beginning to contemplate longitudinal patient
centered data. So, we are thinking now not just about the current state where a
lot of the aggregation is site specific, but thinking toward the future state
as there will be new aggregators, but we need people to collect the patient
level data on multiple entities. There are issues. The quality workgroup was
looking for clarity on, with respect to that those entities are doing quality
improvement when they are linking data across multiple entities. Some
clarification on the ability of that data be identified if it falls under TPO.
Also, about the matching then occurring there and the issue of the feedback
mechanisms because now you are really talking about data that has come from
multiple institutions and is the one place for the purpose of that patient
care, which is different than institutional quality improvement. So, wanting to
be sure we are clear about that so the language can be interpreted for quality
improvement to also include cross site of quality improvement.

DR. COHN: I did not come and join you at the beginning. As you talk about
this one, and remember I am from California, but this thing called HEDIS in
NCQA reporting and has been going on, not quite since I was a little kid, but
it feels that way sometimes. Can you distinguish that sort of aggregation,
which is cross facility, cross provider, cross institution for what you are

MS. ANDERSON: So, we are thinking about data coming from clinical systems
that would – and also supplemented data from other systems that would be
linked about a patient, which could include patient provided information. It
could include registry information. It could include information from hospitals
and home health and physician offices, et cetera. But being aggregated and
linked about a patient, in order to envision a future world where you are
actually commenting on the patient outcome. So, wanting to health IT enable
that sense of quality improvement, very patient centered that does exist in
some leading entities in the US. Largely, the quality improvement is within an
entity within a hospital, within a physician group, et cetera. So, trying to
make sure whatever language we use is clear to, is this going to be operations.
It also encompasses that. Versus NCQA, which historically has been both claims
based and some individual record gathering.

DR. VIGILANTE: So you are saying this is consistent with the episode of
care concept? Is this what you are talking about in terms of, you owe one
episode – okay, where somebody might be moving from one hospital to an
out-patient environment to a set of specialists who are coordinating care. Who
is really responsible for losing that limb? Is it the endocrinologist? Is it
the vascular surgeon? So, to understand all of these things, we need to be able
to track folk’s data. We want to do it longitudinally and across institutions,
which may require more specific capabilities of identification in a
longitudinal way. Is that it?

MS. ANDERSON: I am not going to go as far as – but I do not need to
worry about that in this context. But I do – the concept of aggregating
data longitudinally in order to evaluate patient outcomes is the concept. So,
in doing that with data that is both clinical and then also there will be
efficiency measures that will have some administrative non-clinical data plus
patient reported data may factor in to how clinical physicians support all of
this, et cetera. Did I answer the question that you asked?

DR. COHN: I think others want to comment. I will finish this one up.

MR. REYNOLDS: Try the diabetes example. That was a good one you gave us
this morning where the person was a diabetic.

MS. ANDERSON: Okay that probably does overlap a little bit with NCQA. Maybe
the one I can try is around hospital-acquired infections. So, if we want to
hold accountable or do some quality improvement on infections, it may be true
that that patient comes back to the same hospital. Therefore the hospital has
insight into the fact that that patient acquired an infection, but it may not
be true. They may go to another hospital. They may not require hospitalization.
So, if you are trying to evaluate infection control across the continuum, you
want to have data from multiple entities, and then you want the feedback loop
to at least not only just tell the original hospital, you had more infections
than you know you had, but also be able to on an identified way say, and we
know that because the patient got this prescription or saw this doctor and was
admitted here or there. That is quality improvement at a level that does not
currently happen in the United States. The idea of being that that is a vision
that would – the question from the quality workgroup is that is also
operation. Even though these entities are not necessarily affiliated with one
another, but it is part of the quality improvement at a higher level.

DR. STEINDEL: I have no objection to the vision that you are painting and
to allow in that vision. I think it is very useful. I have a problem with, are
you hard and fast on calling it operations, or is your real drive just allowing
the vision?

MS. ANDERSON: What we want to know is clarity on that because there are
aggregators that will be meeting of these vision and to think about what their
requirements are about having identified data where they are linking. So, it is
more about the operations of use as a term of, where do all of the conditions
that apply in this report, do those apply to those entities or not?

DR. STEINDEL: Yes, I think my problem with that is I have a little problem
with the way HIPAA defines operations of extending it outside the institution
in the context of the way it has been defined. I have no problem about
extending the concept through business associate agreements to allow the type
of structure that she just talked about.

DR. CARR: Okay, moving on. Stewardship, and here a question that I think
has come up about stewardship is within operations, using data for quality, is
there any expectation of oversight of how data is used within an organization
for operations?

DR. OVERHAGE: Why just within? You said within an organization.

DR. CARR: I am sorry. I meant – it is because I do not get out much.
When we talk about Christine’s vision, our future vision.

DR. TANG: Where did that first definition come from?

DR. CARR: Merriam Webster.

DR. TANG: Do we have to use it?

DR. CARR: It is better than the one that was there before, but I think if
we are talking about data stewardship, I am not sure that that adds anything.

DR. TANG: I think the second one says the two things we are worried about
are responsibility and accountability.

DR. COHN: I get that. They seem to be both large and consistent with each
other and we probably ought to, you know. Do you think there is an issue there?

DR. CARR: We can work on that. Also, the other thing, to my chagrin when we
presented this, we did not mention the RFI that had gone out. I know we have
heard preliminary from John, and he is still deeply immersed in it, but is there
anything that we need to tie out with the RFI?

DR. COHN: Are there any definitions from the RFI that we need to pull in?
We probably just need to include more definitions.

DR. CARR: Right, we need definitions beyond anonymization. So, Harry, do
you want to speak to this? This quality assessment comes from HIPAA. This is
HIPAA’s definition of quality assessment. So, outcomes evaluation and
development of clinical guidelines provided that a painting of generalized
knowledge is not the primary purpose. So, outcomes evaluation and development
of clinical guidelines fits with the AHIC Quality Workgroup vision. Population
based activities related to improving health or reducing healthcare costs
– what is it related – Harry, this fits with payers. Then, research
is a systematic investigation including research development, testing, and
evaluation that was designed to develop or contribute to generalizable
knowledge. Okay. Harry?

MR. REYNOLDS: What we will try to do is, again, using the idea of grouping
these up into more of a story. Each of you came up with some things today,
trying to group it up into more of a story than just exactly how it says it is
in the document.

We are starting with HIPAA where it provides the use of health data for TPO
without authorization. Then we are recommending that the secretary issue
guidance to covered entities to adopt data stewardship approaches, stronger
sanction policies, self-policing, technical data security approaches, and
organized healthcare arrangements. We are stating clearly that operations
includes quality. We are recommending in their oversight by senior management.
It has been necessary for satisfactory uses for quality and data release
agreements for use of datasets. So, again, HIPAA had given us TPO for qualities
included as defined in the HIPAA rule.

Going next to contractual arrangement for data sharing from covered entity
to business associate to agents of business associates. We recommend
strengthening the chain of trust. Only permit use of De-identified data when
method and chance of re-identification are reported to the covered entity. Now,
based on our earlier discussion today on the De-identified that Mark put on the
table. This would be one that as we get into our further discussion whether or
not we overlay that on top of here to decide what we would really end up doing
or not doing with statements. So, I guess everywhere we mention De-identified,
we would want to at least put this filter over it to say, is that the right
word? Are we staying with De-identified in this case, or are we actually not?
Does it branch out? So, that is the way we would want to think about it as we
do it.

DR. CARR: So, this is under the bullet of contractual arrangements for data
sharing from covered entity to business associates. Why do we need
De-identified data if covered entities and business associates’ use of data is
for operations. I guess that is what I am wondering if we are talking about
operations. If we are, why is De-identified an issue?

MR. REYNOLDS: Margaret you want to comment first?

MS. AMATAYAKUL: So, if they decide to De-identify and use it for other
purposes. Today, there are no protections. So, what this is saying is, so you
cannot do anything more unless you notify us.

DR. CARR: Right, but that is not it. The way I read it was, if you are a
covered entity and you are working with a business associate, my assumption was
it was without operation. So, I guess in that top bullet you might want to say,
for other purposes. For TPO, you do not need De-identified data. You can work
with identified data. So, it is confusing.

MR. REYNOLDS: We have Steve and then Paul.

DR. STEINDEL: I think my comment is essentially the same as Margaret’s.
When you transfer identified data down the stream of trust that we are
creating, there is a chance that one of those agents or business associates may
decide there are other things they can do with the data. For instance, either
internally within their own operations or externally use it for marketing
purposes, identification of potential markets, or whatever it might be. What we
are saying here is, you should specify whatever uses you are going to do with
the De-identified data.

DR. TANG: So, I am going to play a couple of our rules. One was the
expectation rule, and the other is Mark’s thing, what if they did this? Would
the world be a different place?

So, I am going to try the second one first. If we did this, the world would
not be any different. So, that makes me go look and say, I think we need to
strengthen the language and what we want to say. So, the first, instead of
issue guidance, I would say require. It does a couple things.

MR. REYNOLDS: Did you have a question? What is your question?

MS. AMATAYAKUL: I just want to make sure, are you referring to this, only
permit uses? Or are you referring to this whole entire slide?

DR. TANG: This whole entire slide. So, I think issue guidance does not help
the world. If we said require the following, I think it changes the world in
two ways. One, it is certainly very proactive and action oriented. Secondly,
based on what Leslie said at the last meeting, it has legal implications that
strengthen what goes on. The other piece is the discussion about business
associate and whether they need to be De-identified or not. That is where I
would use the word restrict because the covered entity is supposed to, but what
we have found out is either business associate agreements were written
essentially by the recipient and allows them to do way too much, or does not
have the power to be enforced anyway.

MR. REYNOLDS: Where are you restricting?

DR. TANG: The use of data should be restricted by the required business
associate agreement not to do anything more than the specified use, not take it
to the side what is operation or not. It is the covered entity that gets to
decide, not the business associate.

MR. ROTHSTEIN: I would like to suggest
something to maybe put on the table for perhaps discussion in whatever the
discussion section is. That would be a principle that is analogous to minimum
necessary. We are in healthcare operations allowing the use of individually
identifiable information for those purposes without additional notice or
consent. I would like to raise the question of whether an analogous principle
necessary would be helpful, and that is not only is it minimum necessary, but
the data should be used in the least identifiable form consistent with the
operations use. So, it may well be that there are some healthcare operations
uses of data that they do not need to use identifiable stuff. There are other
operations where they do need identifiable stuff. I think the principle we are
discussing is to ask the covered entities or require the covered entities when
they are using data in healthcare operations to use it in the least
identifiable form that is consistent with whatever their use is.

DR. OVERHAGE: In the spirit of Kevin’s looking for unintended consequences
here, we talked about insuring companies that provide data transmission or
business associates and give them the guidance of issues that says the postal
services is one of those triggers. Are we putting ourselves in a corner that is
going to be hard for people to say, well this is a crazy recommendation?

MR. REYNOLDS: We spent a little time this morning talking about conduits,
which were identified in the rule.

DR. OVERHAGE: You did not say conduits.

MR. REYNOLDS: No, what I am saying is we need to look at that. Steve?

DR. STEINDEL: Harry that was a red flag that was raised when you talked
about conduits this morning. I think there are two types of conduits. There is
one type of conduit that is just the medium for transmitting the information
from point A to point B. That medium may actually have a temporary storage
role. Then there is another type of conduit where it has a more permanent type
of storage role. We need to differentiate between the two. I think the
temporary storage role is one that we want to allow to flow freely.

DR. COHN: Steve, thank you for saying that. I think you have created the
additional precision on this one. I really agree about the US post office, US
mail, and places – the real question is, what are people doing with the
data, which I think is what Steve is bringing up.

MS. AMATAYAKUL: The first point about issuing guidance versus requiring.
Can we weigh in on that a bit more?

MR. REYNOLDS: What is the wording? Is it in here?

MS. AMATAYAKUL: Issue guidance to covered entities to do whatever.

DR. STEINDEL: We talked about this somewhat at the last meeting as well.
This has to do with our idea that we would like to provide a mechanism for the
secretary to do something under the existing constructs so they do not have to
go through either legislative process or rule making process to institute any
of this. It was thought one of the best ways to do this was through the
guidance documents that we release in terms of how do we implement this
regulation or what is the department looking for when it goes to investigate
complaints about the application of this regulation, or people ask, how do I
implement this regulation? And they issue guidance documents, is what they are
called. So, I think we adopted the word issue guidance because that was we
wanted to go into those guidance documents. I think Jim Scanlon at the last
meeting said as far as he was concerned whether we use the terms issue guidance
or say require that the department will review both uses of the verbiage as
going into the guidance documents.

DR. COHN: This is one of those times where I want to have people refer to
the document. I am on line 884 to 888. It is actually a little bit more than
what is up there on the slides. This is the new copy that is in front of you
today. I do not know what the old one is. It basically talks – It is
trying to walk the line here. It is not just issuing guidance. It is more than
that. Do you want to read that?

MS. AMATAYAKUL: 884 recommendations for the issuance of guidance such as
the HIPAA security guidance distributed by CMS on December 28, 2006 and or
further enhancements of regulations are made that would service means for
covered entities to demonstrate good faith efforts and compliance with
applicable regulations.

DR. COHN: So, I think that is a little bit more than just issuing guidance.
I guess, when you read the whole thing, it sounds at least to me the intent
here is to be stronger while not using other words.

MR. ROTHSTEIN: This is not a legal opinion. You have to be the judge of
that. I do not think legally the agency can impose new substantive requirements
under the guise of “guidance” that would violate the Administrative
Procedure Act and deny due process. So, the guidance clarification route is
only where you explain what you mean by existing requirements. I do not think
it would be enforceable against a covered entity to issue civil penalties
against an employer for failing to adopt data stewardship practices, et cetera.
So, I do not think there is a way to make this new requirement mandatory simply
by going through the guidance route. Also, as a matter of strategy, I think
there is a likelihood that if we put in our recommendations, the secretary
should “require” that the secretary might take that and make it
guidance. Okay?

I do not think there is any likelihood it would go the other way that if we
recommend guidance that the secretary is going to make it stronger. So, in
other words, if we put the secretary should require, the secretary might
require or the secretary might issue guidance or considerably neither. I do not
think they are ever going to ratchet it up. They might have to ratchet it up in
order to make this enforceable.

DR. DEERING: That was essentially – I was going to frame it in a
question, but my issues were: can you in fact correct errors, fill gaps, or
introduce something new through guidance. I guess the answer is no.

DR. TANG: So this is a non-legal response to the disclaimed legal. I
thought of a way the secretary can make required in federal business associate
agreements or contracts such and such. And that could set a standard or a
model. It can compel its business associates to do the following. That could be
very powerful.

DR. FITZMAURICE: In the privacy rule, I think the word reasonable appears
about 143 times to say take reasonable precautions to do this in a reasonable
fashion. This could be put out as guidance to say, if you do this, this would
be what we expect a reasonable man to do. So, it must not have the effect of
getting 100-dollar penalty if you do not do it. But if something happens, you
can say, well I took reasonable precautions. I did these things that were put
out as guidance.

MR. REYNOLDS: It would also be good to include that reasonable under the
original HIPAA and what we are thinking about with all of these other things
that we are finding out that the other uses and the NHIN, reasonable looks a
little different now.

DR. FITZMAURICE: We would expect that good data stewardship would lead a
reasonable man to do the following things.

DR. COHN: I just want to observe that the report says guidance and/or
enhancements of regulation, which I think, Mark, that is with your position. I
actually do not know the answer to this one, but I think we are covering both

MR. ROTHSTEIN: Well, I think it would not hurt us to put our preference and
fallback positions. In other words, we recommend that the secretary require in
the alternative and at least HHS contractors should be required, or at least
the secretary should publish guidance.

DR. COHN: I guess the question to me is – I guess I am sort of
thinking that the intent here is to get into a position where it is the
standard and it is the expectation of the industry and with some enforcement
capability that all of this can happen. And somehow if we are not saying that,
but also leaving to secretarial discretion whether the secretary believes that
some or all of this can be done via guidance versus regulation. I think it is,
to me, a very reasonable position.

I do want to pose an additional idea of adding contract capabilities. I
think that should be a recommendation. So, I guess I am trying to – we
need to specify the tools the secretary needs to use on that.

DR. TANG: What Mike just said about the reasonableness brings up an
interesting point. I think, clearly, we have said we need to educate consumers.
Interestingly, I think what we have learned and sometimes we miss the forest,
we have learned that what was reasonable even five years ago, or what we
thought could be done or should be done or what it would be outrageous to do
has now become reality. There are new threats that we did not know, even the
people around this room that are deep into this did not think was going to
happen or could happen five years ago.

MR. REYNOLDS: Okay, let us go onto the next slide. Transparency, we
recommended that we identify business associates and their agents including
those who then again the De-identified will have to work on that.

MR. ROTHSTEIN: I would just like to put on the table another general
filter. That is, we have identified in this document very well the emerging
world of health information exchange for these purposes. I think we have
recognized a variety of risks to individual privacy and so forth. So, the
question that I have is, in what ways are consumers better off as a result of
what our recommendations are? If you had a consumer sit down here and had bad
problems and they want to know, what are you recommending that is going to
protect us? Well, what is that?

MR. REYNOLDS: Good point, but I remind you that we all are consumers around
the whole room. It would be a good question to ask ourselves in the room here.

DR. FITZMAURICE: I would ask in what way are we harming consumers by not
permitting them to get some information that they would otherwise get with
these requirements?

DR. OVERHAGE: I guess I am looking at some of these through the lens of
what I do every day and thinking about what it means. So, for example, describe
and publish intent to link data. So, that means that the laboratory where you
get your blood drawn has posted on their website something that describes that
they have participated in the health information exchange and refers to the
health information exchange website. I am just trying to think how some of this
gets operationalized. And to Mark’s point, can you expect people to really
understand and get that? For example, how many of you know that the coroner’s
data is publicly available? You can go to a coroner’s office and review the
report on any coroner’s case. I guess the point of that is, how much do we
really expect the consumer – how far does this go? You have to understand
and know what that means and how much at work – it is one of those things
where it is the footnote on the website that refers to two other websites that
refers to this.

DR. CARR: Getting back to what Paul said earlier. Where do we fit in the
idea of the unexpected uses?

DR. OVERHAGE: It is just unexpected that the
details of, you know, you see a patient today and next year as part of a
quality improvement thing, you are working with a new contractor. How does that
– I mean, you could make it available on the website so somebody could go
and look.

DR. CARR: Maybe what the spirit of what we are trying to do as Paul stated
it is letting individuals know when the data is being sold or marketed or
unexpected beyond care delivery. I think there is an opportunity of saying,
care delivery is not just your conversation with your doc, but the whole
continuum of–

DR. OVERHAGE: I think that is the fundamental thing of where is the
boundary of sold or unexpected by the consumer. I do not know that we nailed
that one.

DR. CARR: No, but I think we need to come to closure on what we think and
our best effort because the heart in the matter is they do not really care what
the lab relationship is with the HIE, but they care a lot about selling or
marketing. This is where we were a couple of years ago in the beginning.

DR. VIGILANTE: In medicine, we do a lot of things to the patient, so we can
say we did it. So we feel better about it, but it does not necessarily help the

I think that the same thing here, as you get into this area of you are
trying to do everything and make everything transparent, but that actually just
obscures because you cannot get to the bottom of what really matters to me. I
think that if we could – if the requirements could for transparency –
should hone in on those things that would be reasonably expected to disturb a
patient. If they were surprised to find out you did that, those are the kinds
of things around which transparency should be focused.

DR. TANG: I am sympathetic to what Marc Overhage said about the burden.
Some of the requirements in here could be burdensome without contributing. That
would go along with what Kevin said. Even novice lawyers could say that intent
is a pretty hard thing to publish. If we did publish in a transparent way, what
uses you do – I think it is – Okay, the fact, I just learned the
coroner thing from you just now, but that is okay. In today’s world, if we had
this long list of things of how data is used, there will be somebody who
basically explains this, and I think the world will be a better place. There
would also be some exposure of things that the world does not agree should
happen and we should adjudicate those.

DR. STEINDEL: I think what we need to agree to in this particular letter is
the concept of increased transparency. I think there is general agreement
around the table that that should occur. What Marc is getting into is the
method of how we have increased transparency, and we might want to recommend in
the letter that the NCVHS would be happy to hold hearings or something like
that into this area. One example that I feel is good to think about is the
movie ratings. That is an area where we do have increased transparency.
Whenever you take a look at a movie rating, you can look at G, PG, et cetera
and you have some idea of the level of the movie. They have gone one step
further than that with movie ratings where they now qualify why it has been
rated that way. That might be a model type system that we could use to put it
out very quickly.

As was mentioned by a lot of people, some supplementary material may be
available in the doctor’s office or on the website or whatever the case might
be about what the details are. That is one way you could have increased
transparency relatively simply.

MR. ROTHSTEIN: I would like to see somewhere in the document a statement
that although we support transparency, there are limits to the effectiveness of
transparency. At some point you put so much information in notices that people
just tune them out and that transparency, although a good thing, is not meant
or cannot possibly be a substitute for other measures to protect the privacy
and confidentiality of the information.

MR. REYNOLDS: I think that is a much more positive way to put it because if
you sit and listen, every time we talk about this, somebody says, well that is
too complicated so we will not tell them. That is coming from a dramatically
different position.

DR. VIGILANTE: The chance to re-identify, I still am not sold on. I mean, I
just think we need – I am not sold on it because I do not know it should
be a requirement for transparency. I do not know what you do with the
information. I do not know how somebody calibrates that. I do not know how
complicated it is to report on it. Before we get behind something like that, I
would have to hear a lot more testimony about the implications for that

DR. DEERING: It sort of came up during the prior conversation. I think it
is applicable across the report. It picks up both the issue of what is it we
are trying to accomplish in each of these areas. It would also pick up on the
thought that things are changing. What we thought was unreasonable, unknowable
is now knowable, real, and acceptable. We do not know what is going forward.
So, as a general approach to the recommendations, we have just observations and
recommendations. I am wondering whether we should have desired end point so we
are very clear about what we think the end point should be. Then picking up on
this issue of what kind of regulations guidance, et cetera. I think it would
probably cover all of the areas that we have recommendations in, which is you
clarify absolutely rigorously, this is where you think the world ought to get
to. It is a moving target. We have different means available now. These are
preferred approaches now for getting there. So, it’s just a structural

MS. ANDERSON: This is one of the areas in reviewing the report where I was
stuck because the line between quality improvement and research for instance
was not defined or because some of the other boundaries were not defined. It is
hard to know to whom this would apply. So, for instance, if you think about
business associates that might be business associates around quality
improvement, and they did have identified data. So therefore, it does not apply
some of these requirements to them. So, we describe a published intent to link
data for instance. If they are linking it for the purposes of quality
improvement and there are business associates, does that apply to them or not?
So, it is a little fuzzy.

The other place that struck me in terms of characterizing it by the uses
rather than by the relationship seemed like it would make more sense from a
transparency point of view, which I think we have already heard. So, it was
hard to tell to whom anything would apply.

For instance, if – I am a patient in some cases. If I was to see that
my physician shares my data for quality improvement purposes and I might have a
one sense about that, and there is the other one that is sense of also for
pharmaceutical companies to do outcomes research. I might have another opinion
about that. But when you think about those other – Those different
relationships. The first relationship, you might have business associates that
you are doing quality improvement with. The second relationship might involve
sales data. Then I might want to know, what else are they going to merge
together when that other party gets that data to reach certain conclusions? So,
I am not really setting up the construct but saying that from a transparency
point of view, it seems like it was getting kind of obtuse. From a burden point
of view, I could not tell to whom it was applied.

DR. CARR: So, I just wanted to reemphasize the importance of the fact that
re-identification is a building block of being able to do longitudinal
outcomes, and it is a good thing. So, we want to make sure that we can do that
while at the same time addressing where we might not want to assume that it
could —

DR. STEINDEL: I would still like some clarification on this. Let us take
the example of the two inhibitors. If I recall correctly we heard during a
hearing if it was not this specific case that Kaiser Permanente actually saw
that relationship in their databases before it was reported. Now, they were
looking at it from a quality control point of view regarding their patient
population. If they decided to call the FDA because they notice something in
their databases and say, maybe you should take a look at it. I would probably
still look at that as operation and quality uses and be permitted. If they
decided, we are going to sit on this data because we want to publish a paper,
then it is going into the realm of research. I would like to see some other
levels put on it. That is why it is a very hard line to draw, which I think it
is why we never really try to draw the line.

MS. ANDERSON: I am not suggesting that you can draw the exact line but to
provide some better guidance about what you consider quality improvement to
include. So, I do not know that you can say this is in, and this is out. There
are some things that cross that line. Without some kind of an understanding
– let me give you a practical example from my previous life where I used
to work for a company that was a performance improvement vendor for hospitals.
Our contracts allowed us to use their data for research. The time the contract
was signed, the intent was to use it to build risk adjustment models. That is
exactly how we described research. That is what we did in terms of research. As
I was with that company, it was sold three times. What I heard from corporate
lawyers was, you can sell that data for research to whomever you want. It
really took a matter of the persons who were there when the contract was signed
to say that is not what we said. We need to go back. So, I think this issue
even though it is really hard, it is relevant.

DR. GREEN: I appreciate this exchange, and particularly your passion for
the way you force this issue. I have a question for the workgroup. Has the
workgroup reached agreement that the following two sentences are correct?
Number one, quality improvement and research are fundamentally different
enterprises. Number two, data can be De-identified.


DR. TANG: I would agree with the first statement, and I would not agree
with the second statement. I would hope that that is one of the educational
things that we can provide with our document.

MR. REYNOLDS: On the second one I think there is a definition of

DR. GREEN: Which we know does not De-identify data.

MR. REYNOLDS: I am not answering your question. We know that there is a

DR. TANG: There is a rule to apply. There is not a definition of –
Webster’s definition of De-identified would mean you cannot identify.

DR. GREEN: I am not really asking about the rules or whatever. I am asking
about consensus. Is the group of one mind about those two issues? Does the
entire group agree that the answer is yes and no? That quality improvement is
fundamentally different from research and that actually data cannot be

DR. STEINDEL: I would respectfully disagree with Paul. I think the answer
is no to both of them. I think a prime example is what we just heard about
using data that was sent to a company for quality purposes that was then used
for what they called research, which was risk adjustment. I think in a lot of
cases when we talk about research, we talk about research as covered from the
IRB’s and NIH rules, et cetera, which is a totally different area than research
of that type of purpose.

DR. TANG: But those are two activities she described.

DR. STEINDEL: I think that that is – there is a continuum there
between quality and what he referred to as research. I think that continuum
exists even in operations within a hospital.

MR. REYNOLDS: Mike, Justine, and Mary Jo.

DR. FITZMAURICE: I do not think there is a line that separates quality
improvement from research. I think many cases use the same methods. You may not
have the same sample sizes, but as you get larger and larger, you move from
quality improvement to research. I do not think you can distinguish between
them. Secondly, I do believe that datasets can be De-identified. De-identified
is defined in HIPAA. You can remove the 17 variables, and then the
18th one is any other linking variable. Is that data truly anonymous
so you can never link a person’s name back with it? Possibly not, but in most
business associate agreements and most data use agreements you have to pledge
not to re-identify the data, having received it.

DR. CARR: I think that you are raising issues that are very important.
What we are focusing on is how to fix it. So, I agree with Steve that you
cannot make a clear checklist of what is research and what is quality. I think
there is a continuum, but I do believe that we can oversight such that nothing
falls through the cracks and therefore the data is protected on each side. I
think that we have something that senior management use of data and operations.
I think that is really where we have opportunity because we will continue to
debate whether there is a difference. Then again, De-identified, I think it is
the same idea. We are now in the new world. There is capacity to re-identify
even beyond when we have removed the 17 plus things. So, I think trying to
hammer a different definition is less useful than to say, what protections are
we going to put in place understanding that there is this grey zone?


DR. DEERING: I guess I am in the emerging majority, but I also want to
state – I did want to observe that in the field of research in at least
biomedical research, one of the main emerging threats of research is
translational research which is explicitly provided to be fed back to improve
the quality of care. So, I would vote for those who say it is a meaningless

MR. REYNOLDS: Okay, Simon, I think we are going to take a break.

DR. COHN: Yes, I think we are going to give everybody a 10-minute break. We
know you want to keep going, but we will go in 10 minutes.

MS. JACKSON: Before we go, just keep in mind there is enforcement now for
the building that all visitors and guests need to be escorted even to the
cafeteria or to downstairs. So, if you could just align with someone with a

MR. REYNOLDS: But I do think you are allowed to go to the bathroom on your


MR. REYNOLDS: So we are going to go the last – Kevin?

DR. VIGILANTE: Can I make a comment relevant to the last discussion? I do
sort of want to go on record that I do believe that research and quality are
fundamentally different and that particularly at the extremes where they are
easy to identify what is what. There are cases clearly in the middle that are
very difficult to figure out, but just because those are difficult, we should
not feel obligated to say that these things are the same. I think there is a
danger in that. There was an interesting scheme in how you identify one from
column A, one column B at the back. It was interesting that one of the ways of
identifying something as quality is that poor research methodologies are used.
It was one of the things that went into the evaluation of why something becomes
– I think we accept now that in this new world of quality measurement,
very sad methodologies must be used. It does not mean it is synonymous with a
research enterprise.

MR. REYNOLDS: So, to play off of your question, you said at the extremes.
Do we define the extremes and leave the middle grey and make sure that
stewardship and guidance and the other stuff we talked about deals with it? How
do you see that playing?

DR. VIGILANTE: Well, I will invite others to – I think a couple of
things. I think that we should characterize what we mean by things that are
clearly quality – part of the quality enterprise and part of the research
enterprise where it is easy to identify. I do think that mechanisms to help
folks distinguish what side of the line something may or may not be on
understanding that it may not always be clear and be able to do that. I think
we had talked earlier – there may be IRB-like bodies in larger
institutions that take this on because it is just not possible to write
guidance at every level that can do this. I do not know what the right mix of
things are, but I do not think we should give up on that possibility.

MR. REYNOLDS: Justine?

DR. CARR: Well, two things. I just want to refer to one of the models from
MD Anderson in the Hastings Report. So, I will just briefly say it, but
different things between research and QI. So, the characteristic existing best
knowledge, research challenges that. QI applies it. Principal aims, research
tests the hypothesis. QI improves the process. Characteristic principal goal,
research generates new knowledge. QI improves advocacy, efficiency, and safety
of care. So, it goes like that. They do actually have a body that oversees the
clinical quality. So, again, it takes away from – it gives you some
guidelines of where things go, but everything gets overseen. It is not like
research has all these rules, so let us do QI because there is not that

DR. TANG: That is why I contribute to joining Kevin’s side so that it ties
up the vote.

MR. REYNOLDS: Erin has a comment, and Steve, since you made a comment
earlier that has created this further discussion, I am going to both allow and
require and give guidance that you weigh in here.

MS. GRANT: Justine, to pick up on the point that you just mentioned in
terms of citing the MD Anderson Report in the model about the use. Is the
understanding that there would be a recommendation that that type of model be
in the actual document that we are writing that we say, MD Anderson has
developed this model, but there needs to be a model developed that other
organizations could use? I think they sort of act for that – there is that
need for that criteria. Could it be recommendation not – say, HHS refers to
another federal entity or an outside body to help develop that criteria that
other organizations could use because MD Anderson is a very large institution.
So, they have the ability to have a lot of staff and perhaps have an IRB on
staff whereas another smaller organization would not. But having that guidance
and maybe having that criteria to use would be helpful.

DR. CARR: I am putting that out there because we have to come to closure on
what level of granularity. We have something up there about stewardship, but
what does that mean? Are we taking it to a level that there is oversight over
quality and operations? So, I think we do have to come to closure on that and
how granular would remake it.

DR. STEINDEL: I was very intrigued by when you were reading from the
Anderson Report where they referred things as QI. It is much more to quality
than just QI. There is quality monitoring, and that falls on one extreme that
Kevin is talking about where that is really a quality initiative. How many
times a day are the floors mopped? That is a quality monitoring type
initiative. Now, what you might see is that there are instances related to
that, and you may start thinking, maybe I should start instituting some quality
improvement initiatives in this area based on the monitoring data that I have
seen. That may lead into research studies. So, that is where the continuum comes
in. QI is really somewhat where the boundary is between research and quality. I
have a lot of personal familiarity in that area because that area blurs totally
in the laboratory where you are actually looking at quality monitoring data on
a day-to-day basis. Then you start seeing things when you institute new method.
You are doing actual research to test the data, not publishing, but internal
research. So, there is a tremendous amount of blurring on what we call folly.

MR. REYNOLDS: So, Steve, you physically stated earlier that there was not a
difference. That is what I think has generated some of these discussions. So,
help me with that.

DR. STEINDEL: I think what Larry was asking is more or less is the
committee, are we clear? Have we reached consensus on what this difference is?
Is there a difference? That answer I think is no. I think this discussion
clearly shows that we have not reached consensus on what we think that
continuum looks like. I think everyone in the room agrees with what Kevin just
said. We can define quality on one end and we can define research on the other
end. The question is, what does it look like in the middle, and how do we say
when does quality turn into research? That we can say.

MR. LANDAU: Usually I do not make comments, but I guess I was encouraged to
make a few. The first thing I want to talk about regarding quality and research
was I wanted you all to be at least aware of the fact that there has been
guidance already published under the NIH website. I do not know whether you all
have seen it dealing with the primary purpose regarding the privacy rule. If
you want me to read it I will, but I assume you are familiar with it. That is
the first point. That is, what does primary purpose mean, and where do you draw
the line?

Going back sort of broadly about what Mark talked about regarding
regulations and guidance. From ONC’s point of view, the key goes back to the
scope. I will tie this back together. The scope is to make actionable steps
that are practicable. So, regarding quality and research, I think it requires
some granularity to include some language that this is what we would like
quality to mean including but not limited to. So, you provide some guidance in
that regard. So, I guess the bottom line is, what is helpful is the thought of,
what do you mean test? What do you mean by quality? I think it is not an
exhaustive list, but some type of line drawing would be probably somewhat

Agenda Item: Review Themes and Issues – Resolve
for Report

MR. REYNOLDS: Okay, thank you. Let us go on to the next set of
recommendations and then after that we will go through what everybody’s
consideration is, what we ought to have Margaret working on this afternoon. We
talked about it briefly, but we need others’ input. So, the last slide on the
recommendations is, it talks about transition to the NHIN. We have heard a
number of times this morning this whole idea that we had the past, we have the
present, and we have the future. So, this is kind of leading to that. And we
talked about it being more addressable if functional requirements and
demonstration projects are used to evaluate individual choice. Part of this is
where we had the opt-in and opt-out and consent and some of the other things
that maybe hadn’t been brought out as much. So, individual choice, what are the
consent options? We heard a lot of testimony on that. Impact of quality
oversight and data stewardship including opt-in and opt-out for various uses of
data sets, De-identification techniques to determine effectiveness to protect
identity and protect chance of re-identification, impact of stronger sanction
policies or self-policing, impact of chain of trust mechanisms, education
localities, and then working towards inclusive federal privacy legislation and
expand the definition of covered entity, anti-discrimination legislation and so

So, basically a different structure in the letter. If you remember last
time, we started out with the first recommendation being legislation. We felt
instead that we could make the first set of recommendations be guidance and
other things that can be done with the fact that legislation would be there as
where an ultimate outcome could be if it ever does or does not occur,
especially since we have already as NCVHS made clear that we believe that
there should be some kind of a legislation rather than to start there again
necessarily. Start through the guidance as to how we continue this transition,
not necessarily say right up front, here is the legislation. If you cannot do
that, pull our second idea. So, that is why you see this listed a little bit
differently than it was. Not to demean or lessen the call for legislation, but
to understand that there is a big world. As we have said, there is a world that
has been changing fast. If there were to even be legislation, there is going to
be a lot of world going on between now and that legislation and to make sure
that we try to make some kind of an impact on that guidance and that transition
between now and when that would or would not happen. With that, I will open it
for discussion of these items.

DR. OVERHAGE: A couple of things that are near and dear to my heart. One is
I worry a bit about a recommendation to – One thing is I think it is
important to recognize where ONC is and their process and that the trial
implementation contracts have been left, but not announced. And changing the
scope of those would be challenging. So, I think we have to think a little bit
about what this could mean. What is the outcome of this? Clearly they could
change the contracts and what not, but adding this into the scope of work would
be a fairly significant change from where they are today. So, I think that is
one question. So, does this go in the five-year time horizon? Is this something
they should come back to in two years, or is this something we feel so urgently
that it ought to get baked into the current route of trial implementation work?
Maybe we do not get that specific, but I think it is a question that we have to
understand what we are recommending.

The second thing is that this gets really tricky because I think it depends
on the model that a nationwide health information network evolves into whether
any of this applies or not. For example, in the model that we have developed
locally that we favor the exchange that does not have any data and does not do
anything with the data. It is always the institution’s data. I think the
general direction that ONC has gone has been network of networks that how far
that goes is a question that where that data is not in the middle anywhere. So,
it begs a little bit of an issue of what this means in that kind of a model.

MR. REYNOLDS: Well, I think that is the key point. Margaret?

MS. AMATAYAKUL: As we transition, there will be even in a network of
networks scenario. There will be more ability to aggregate data, to collect it
into one place even if it is not in your location, but it is going to be
somewhere that the NHIN puts it to.

DR. OVERHAGE: Not necessarily.

MR. REYNOLDS: But not defined – that is what part of this is trying to

MS. AMATAYAKUL: But at some point you try to bring this together to do
comparative analysis, et cetera. Right? At some point, you have to bring it
together even if it does not reside there for any period of time. You still
have to bring it together to work it. So, is there a way that we could say when
that happens, facilitate it by this network of networks. Would that help?

DR. OVERHAGE: I need to think about it more. I think it does help. I guess
one of the – the reason I say I think I have to think it through a little
bit more is in some models anyway, it is not an entity doing this. That is what
makes this a little bit tricky. What I mean by that is, it may be three covered
entities who decide to collaborate for certain quality improvement efforts.
They each sign a BAA with a single entity that as you describe virtually merges
the data for the purpose of generating a number and the data goes away. So, who
does this apply to? Who does sanction policies and self-policing apply to? The
covered entities?

MR. REYNOLDS: Yes, but I think what is key – we did at NHIN an effort
as to what the functional requirements are going to be, and there are pilots,
but there has been no acceptance that that is it. We are also in the midst of a
privacy letter right now that we are going to work on this afternoon. The
reason this group is not continuing where we are talking about what people can
and cannot do with data and what we think they could or could not do with data.
We also heard significant testimony about this idea of opting in and opting
out. What is the NHIN? Nobody knows exactly what it is or anything else.

So, I think there is no question that if someone gave us four models and
said it will not be any more than these four models, I do not think there is
any question – But right now as we continue to hear testimony, we have to
take that testimony into consideration. As we continue to realize that people
are going to want at some point – We are all on board about some kind of
way that you are either in or out or involved in the NHIN because to those of
us around the table, it is clear that this would be under a covered entity or
something else. But anybody else that is not close to the NHIN, it is still
somewhat of a nebulous discussion of a technical nature. The network of
networks does not go all the way out to some consumer understanding of what
just did or did not occur. So, we are trying to take these other things that we
know are issues that have been put on the table to us. They may not be as
deftly worded as we may want to do them. I think we need help on that, but
trying to say that we are transitioning into this thing and there are issues
that are on the table and that is why we talk about the demonstration project.
So, do they change the current demonstration problems? Probably not. Do they
change as we continue to think and as they continue to find it? It may. So, I
think that is where we are trying to go with this.

DR. OVERHAGE: I think this disappears. The reason I think this is
completely a way is we should address those issues because this is getting into
the mechanism and process of something rather than the outcomes. I forget who
was talking before about we need to focus on what we want to have happen at the
end as opposed to the how we get there. I think this is an example of a how we
get that piece. Like you say, we have no idea what shape it will take if it
will take shape or whatever. Maybe we should be saying instead of having a
separate section here, going back to each of our other parts and saying,
thinking that projecting forward there may be a nationwide health information
network, what are the implications for all of the other pieces that we talked
about? And not hold them out here. I think that really helped me Harry.

MR. ROTHSTEIN: I have a question. For the last four bullets of the first
big bullet, I am clear how they relate to the earlier part of the report and
recommendations. I am not clear how the first two bullets relate. If we are
going to include those, I think we need to say why we think that is important.
In other words, we have never made the arguments in the paper. I may have
missed it. That individual choice is a goal of ours in the context of this
report, and now we are recommending that we have these pilots to further
individual choice. So, I think if we are going to go this route, we need to lay
the groundwork better. Maybe I am just totally off. What is the connection with
our other NHIN stuff? That is the link that I am missing.

MR. REYNOLDS: Well, the other NHIN stuff we did where we had the functional
requirements. The farthest functional requirements, as you remember, we stopped
short of opt-in, opt-out and some other things. Okay? So, those things were on
the table. We heard testimony. Now, there is two ways we can go about this. We
heard significant testimony about new systems that would consent differently.
We heard from consumer advocates about consent. We are saying that if you go
through this structure, and the reason we put it the way we did, we are saying
that we are making operations include some of this quality improvement. Then
there is going to be this thing where it is going to go outside into this thing
called the NHIN. Is that where we pick up these other things where people are
saying, I want this kind of consent. So, that is a picture that is being
painted. We heard an awful lot of testimony that there is a concern. The only
thing I would hesitate on is Marc’s earlier comment. We make a lot of testimony
go away. We make a lot of opinions and other things go away if we completely
removed it.

Now, I like your idea of thinking about it throughout, but the point is, we
did ask for it. We did get it, and we did hear clearly as we said earlier. When
it goes to the NHIN, some people may want to be in, some people may want to be
out, and other things. We listened to Mayo. We listened to a lot of other
people. So, the point is, this is a significant subject that if you start from
HIPAA and you build up from operations, you do not pull it in until kind of now
when we go to something a little bigger, it becomes some kind of an elephant
anywhere between 200 and 900 pounds sitting on the table, and we have got to do
something with it. That is why this discussion —

MR. ROTHSTEIN: So, Harry, I am just trying to get clear. The purpose of
this then – So are you basically saying that notwithstanding all of the
other stuff in the report which addresses at least the initial uses of
information by covered entities as we contemplate the wider dispersion by the
NHIN, the additional issues that are raised, some of which we talked about
earlier, but these are some of them and we need to do research.

MR. REYNOLDS: That is what we are saying. That is kind of where we are

DR. STEINDEL: I think a lot of this discussion has clarified the first part
of my comment. I was having problems with this transition to an NHIN sort of
coming out of the blue. But that has been kind of explained and clarified in
the discussion that we have now and how we might reword things then.

My next comment is just a practical observational comment. Mark ground some
of these proposals to the demonstration projects coming out may be a feasible
approach, but my observation has been every time NCVHS recommends that we do
demonstration projects and evaluate, we send letters on a one-year, three-year,
five-year basis asking why hasn’t it been done? So, I just wonder about the
usefulness of a recommendation like this.

DR. CARR: I agree. I go back to what Mary Jo recommended. Maybe as we can
figure this report, we follow what Mary Jo said. We actually have set the stage
to say that it is a new world and there are new issues that were not envisioned
by HIPAA, but that we address each of these issues about what is the future
state. What is the electronic state? What is the evolving state? What are the
gaps and grey zones? Then, how do we address them? It might be something
learned from a pilot. It might be holding hearings and Quality Workgroup
suggested that we hold hearings more on quality versus research. It would be a
variety of places to look. I really think that this model of here is the issue
future state, current state, and gaps and needs and recommendations will help
us very much to stay on top and to be sure that we have addressed – and
also to help us kind of say why opt-in, opt-out is not something we can do
today with claims data or whatever, but that we are building toward it and we
are thinking about it and learning so that as we are ready to get to it, we are
well informed.

MS. AMATAYAKUL: I was going to only add in addition to as Mark described, I
think it really was the intent, and we can elaborate on that. I think Kelly
also asked us to make a list of things that could be evaluated in some
demonstration projects. It does not mean they will do that necessarily, but
that was one of the purposes.

DR. DEERING: Having read the RFP that went out for the trial
implementations and through other anecdotal evidence, which is not data. It is
a fact that what the NCVHS says has an impact out there. I do believe that
functional requirements were in the RFP. In other words, part of 7.2 has
already been accomplished. It was written into the RFP. Secondly, those who are
recipients or even applying for these, they listen to us. These things that are
out there that are the results of thoughtful processes, these are
extraordinarily valuable. So, we should never hesitate, I do not think to put
them out there because they can be voluntarily picked up regardless of whether
they are written into a requirement by HHS.

DR. GREEN: So, what I just heard is that there is quite a bit of consensus
following Mary Jo’s advice about this earlier articulation. The way I heard
Justine say it is it is a new world. We have got some suggestions about the
directions that need to be followed to that new world overall about where this
comes out and meanwhile we still have to get along and get things done. We have
got some suggestions about how to get along while we are awaiting the birth of
the new world. Is that the deal?

MR. REYNOLDS: Yes. I think another thing to play off some of the other
comments, as we listed some of these things however we end up saying them, we
did hear testimony on them. The important thing is, it adds to the debate as
pilots are put out there. So, Mark in your case, you have a certain structure.
If your structure fits and answers that and fits with HIPAA and does the other
things, then good. There may be four other things that are set up that might
not be able to pass some of these tests or do some of these things. Then, back
to what we heard from the individual is, somebody please care about me.
Somebody please care about my data in one way or another. As this thing
continues, which a lot of us have been working on for a long time to figure out
exactly what it is going to be. I think that is part of what we heard, and I
think that is part of our responsibility. So, it is not to be prescriptive, but
it is clear to say that these issues do not go away. The structure of whatever
it turns out to be has to at least use these as some kind of filter. If
whatever turns out to be that meets all these criteria without doing anything
draconian past what is here, then fine. At least make sure these things are in
the debate just like our functional requirements. It is nice that they are in
RFP’s. That is what we are trying to get to here.

MS. GRANT: Following on that comment, something that Margaret referenced in
terms of what Kelly had stated. I think what they are trying to possibly
understand is whether or not consumers do get to choose whether or not their
information is available for quality measurement, improvement, or other
secondary uses. It is not necessarily yes they do, and here is how you do it.
It is sort of answering that question and throwing out opportunities for how
you may measure that impact and when they do or do not.

MR. REYNOLDS: Again, I think that is why we started like we did. When you
say that most of the quality fits under operations, you answered that question.
Then as you move further out where we said research, here are some certain
things. Now you go to the next step, which is something none of us can put a
hand on, which is the NHIN exactly. We are saying there is another set of
things you have got to consider. That is all that is being said as an approach.
That is really the steam of this being built as we go through it.

So, that ends our slides. What we would like to do next is we are going to
just touch base briefly. Justine already had some clarity to things. Most of us
are in a privacy hearing this afternoon. Margaret and others are going to have
a little time to work on what we are going to do. Rather than have Margaret
spend her afternoon going back to the front part of the document and making
another revision, we are going to have her focus on these recommendations,
especially on the things that we dealt with today. The suggestions you made as
far as the expected and unexpected and the commercialization. In other words,
take all this list of stuff that we heard today and try to build it into these
observations and recommendations. So, once we agree that that is where we are
going, we can go back and adjust individual pieces. We know we are going to
shorten the document anyhow, but go back to the front and make sure that
becomes a crescendo. It is not just a front that does not match the back. That
is what we would like to see. So, tomorrow we look at it again.

MS. AMATAYAKUL: By looking at it in terms of the recommendations, are you
looking at high level slide view or specific? I would like to get down to the

MR. REYNOLDS: Specifics are fine. At that point tomorrow then we would
spend the morning just going through the actual wording of the recommendations
so we are not pulling it back up and saying, oh by the way, this is what we
really mean. So, you would see real words recommending real things. Yes?

DR. CARR: Would we be wanting to start with modules? Here is an issue,
current state, future state, and recommendation. We have it somewhat modular,
so it would not just be the recommendations. In the absence of identifying
where these are future states and what are the gaps, it is hard to say how the
recommendation helps. I would see it sort of modular saying, here is an area we
are going to focus on. This is okay. This needs work. This will be addressed in
the future. Here is our future state. My question is, what defines the modules?
We have heard two things, we framed it for two weeks in terms of, and here is
HIPAA. Here is what falls outside of HIPAA and how we work within HIPAA. We
also heard a recommendation of when we put together uses of data. I guess I am
saying, what is the framework for getting to each of these topics? Is that a

MR. REYNOLDS: Comments?

DR. GREEN: I am going to take the afternoon and tonight to restudy this
letter again and come back in the morning better – I have a need to
understand what Justine just said a little better. I am glad we have tomorrow
morning to come back to it. I do not have this fully digested. Can I ask for
clarification about whether or not we are going to be looking at the report
that says something akin to this: the rules and regs for quality improvement
really are not working very well. The rules and regs for IRB’s are not really
working very well. We hear that and understand that. There is actually going to
be this new type of thing. We are headed toward some sort of new institutional
oversight process to accommodate these findings that we have. I do not see that
in here. I am wondering if this is beyond scope? Is this in scope? Are we going
to make any commentary about that?

MS. AMATAYAKUL: I think what I was initially wanting to say was, to me the
observations and recommendations kind of go together. So, the observation is
going to have to be structured whether it is structured from sort of the HIPAA
perspective or this use perspective. Also with the, where is today? Where do we
want to be? What are the gaps? Still, I think the outstanding question is, is
it HIPAA or is it this use? So, that would be helpful for me.

MR. REYNOLDS: We had had some discussion and Christine put forward an idea
of rather than the approach we are taking, maybe looking at it from what are
the uses of the data rather than the relationships. In other words, we had
covered entity, business associate, and so on. Or should it be looking at it
from the uses of the data? So, that is what is on the table, and that is what is
being considered.

DR. OVERHAGE: If I could say a word in favor of the use oriented approach
as I think about this. Two things. One is that we start out and say do not use
secondary uses because then you need to talk about each use. Then we have to
turn around and try to lump them all together. It has caused us some pain. The
second thing though that I think is more important is it seems to me that we
talked about this threshold where the boundary of unexpected or unanticipated
use seems it lends itself more to that where there are some things that are
clearly expected and anticipated use – clearly, if I am selling your data
on the internet, that is not expected. Then there is some grey zone in between
that we probably cannot resolve, but maybe we can at least say, here is a set
that can clearly fall in this here. Maybe there are some things in the middle
that we ought to talk about more.

DR. VIGILANTE: I think this goes back to one of the conference calls we had
when we were thinking on how we were going to write this report. One of the
things that we did talk about was providing concrete examples. I think we have
a lot of abstraction here about a lot of words that sound very similar to each
other. I think if we could go back to that earlier hypothesis that the concrete
examples would be clarified in certain cases. That is something that is very
focused. Without a lot of room, without taking up a lot of space might be very
helpful to illustrate what we mean and what is in and what is out in certain

DR. TANG: Just to go on what Marc was saying. I think we can and should be
explicit on the uses. If there is a grey zone, we should turn it over to the
consumer patient to decide.

DR. CARR: So, I am just trying to say then how we would put this together.
So, use then would be kind of the rows would be under identifiable data. It is
TPO quality, research, public health, and all of that. On the so-called
de-identified non-HIPAA covered uses of data, how do you define these uses? For
sale? For aggregation? How would you define these uses? Then you would modify
what is expected or unexpected. Then if there is a problem, what would you do?
I am just trying to get a list of uses.

DR. TANG: One of the issues you brought up was this term aggregated and the
term de-identify. I think there is a big tendency towards going away from
relying on de-identification as a way of protection. I think you probably can
define aggregate data in a way that can be not re-identifiable. I guess I have
to get back to you on the uses.


DR. OVERHAGE: I was just going to say, I do not think it has anything to do
with de-identified or not. That is a whole separate dimension and really has to
do with appropriateness and patient risk. Rather I think the kind of uses are
things like academic research. We may have to wordsmith to determine academic.
Public health and patient safety surveillance is a use. For marketing to the
individual consumer or physician are uses. Those are the kinds of things that
come to mind for me as categories of uses. The tricky thing of course is to
cover the ground without having a list of 9,000 uses.

DR. COHN: I would apologize for jumping out of the conversation. I guess I
am struggling a little bit with the distinction in the conversation we are
trying to have here. I am just looking at the observations and recommendations.
I would completely agree with everyone that we need concrete examples to help
ground the recommendations and the observations and all of that, but I am
struggling. Once again, I guess I am just reflecting the hearings that we had
about the fluidity of the uses of data. So, I am just not sure that trying to
categorize or reframe all of the recommendations and observations around uses.
We actually have discussed uses. We have research versus quality. We talked
about TPO. As you start dividing things up finer and finer in uses, suddenly
all the recommendations apply to all of the uses. So, I am just not sure if
that really helps us a lot. Maybe I am off point on this one. Margaret if you
think I am off on this one – I guess I am just trying to argue the middle
ground here in terms of how we can ground things in uses, but not completely
restructure everything.

MS. AMATAYAKUL: It seemed to me that early on there was discussion about
following the data. So, to me that is sort of the uses. Then I think there was
discussion that any time you follow the data, the action has to be conducted by
an entity. The jurisdiction resides in an entity. So, it falls back to as a
covered entity, business associate, or whatever. I am concerned that from a
practical standpoint, we could be more diligent in each category – covered entity
and so forth – to describe different kinds of uses within that and the range of
uses. I am not sure that restructuring it solely on use will help.

DR. STEINDEL: A very brief comment. This is to refer to Simon and now
Margaret’s comment. My comment is ditto. Those are the observations I was
making as well.

DR. TANG: The usefulness of the first exercise, which was to make sure we
have a checklist to bounce off. One of the things was the clear testimony we
had heard was people were concerned when their data was sold. So, instead of
trying to enumerate all of the uses, the areas that we need to concentrate on
is where there is financial benefit. The reason I say it that way is because I
am reminded of the AHIC group and there was questioning of this one testifier,
and they swore they did not sell the data. It finally got to the point of, we
share it with our sponsors. So, there are ways people have gotten around
couching what happens. So, that is why I am calling it financial benefit. When
there is financial benefit that applies to someone other than the subject of
the data, we need to have an explicit way that the consumer can make the
decision in these grey areas.

DR. DEERING: My comments will come from a communication perspective. The
first one will be to just support the utility of a use approach as opposed to a
stakeholder approach. They both have value because you want the stakeholders to
recognize themselves. So, there is a clear communication utility there. Oh,
this applies to me. On the other hand, the strength of the use approach is
exactly as Paul had said. There are clearly only one or two uses for which
there is considered to be true problems. Everything else is really acceptable,
you just have to explain it and tighten it up here or there. We do not have to
write 30 pages about it. It is really pretty fine. Let us just tell people what
we are doing and make sure there are no sloppy loose ends and that it is being
done appropriately. Then there is this one big thing. I do not see any other
way to effectively address that other than somehow through a use-based

MR. REYNOLDS: You mean that one specific category?

DR. DEERING: Well, somehow to make sure that that comes out. I will go no
further. I will just leave it there.

My second observation was that some people want to be very concrete, but
then we want to project this future desired end state. The very first NHIN
Report had scenarios that were considered as useful as anything else that was
in that report because it was trying to project this future end state. The
workgroup put as much effort into those scenarios as it did into the
recommendations. I do not think that anything is more than one column on a
page. Since we want to project the benefits of the new uses as well as the
harms, we could take a positive approach and show what is needed to enable it.
You could have one that shows protecting from the greatest harm of all, which
is the sale of one’s data, which is unexpected.

MS. ANDERSON: Just for clarification too, I agree that both matter.
Essentially, you have to kind of build the matrix to see where they apply. I
think a first recommendation was to try to build a matrix because I think it
would help us think about, business associates only have so many uses that are
within their business associate agreements normally. They may have agents that
may have different sets of uses. I think my comments were particularly whenever
you are introducing new oversight for accountability to be specific about to
whom that applies by considering whether or not that entity will have different
accountability for different uses. So, that way, when you are imposing what
might be accountability and new burden that they are applied with the spirit
rather than be blanketed and/or too narrow. I think that is where I was coming

DR. COHN: I think both Justine and I were actually looking at Appendix D,
which is the risk benefit analysis framework. I do not know if that begins to
address some of what we are talking about. I guess I would wonder about that.
Number two, I guess I am just seeking clarification from Paul a little bit
about the framework of what we have here versus what I heard him mentioning. I
think what we were talking about, the way we were trying to address unintended,
unexpected uses of data was at least to my view sort of a multifactorial
approach. It was increased transparency. There was also the view of better data
stewardship within healthcare organizations and tighter business associate
relationships. Then we got into the issue of what I want to describe as consent
management. Trying to figure out how to do them, at least what we had described
in the document was almost more of like, it is a really good idea. We need to
investigate, evaluate, do demonstrations, see where it is appropriate and how
it might work as opposed to just saying, everybody ought to be able to opt-in
or opt-out.

I am just reflecting against what you are saying. Am I even describing this
correctly? Secondly, is this something people generally agree with the way we
have been framing this particular set of issues? This is obviously a key issue
about this unintended consequence.

DR. TANG: Christine brought up another reminder in terms of one of the
discussions we had, which I think resonates with a lot of folks, which is the
position of accountability. So, instead of – and I think it is a nice
marriage of what you said about consent management, which is really tough,
burdensome, and ineffective. So, rather than do that, it is sort of like the
pornography thing. You cannot define it, but you can recognize it. In truth,
most people can recognize it. This is not something I would want people to know
that is happening.

So, I would say that this grey area that basically if people are
accountable for what they are doing with the data – it is really going to
be the financial benefit occurring to others than the subject of the data. The
organization that is going to be releasing this or disclosing this has to be
accountable for the harm that is caused by it. As I say, people are pretty
straightforward even though we cannot enumerate the thousand uses – what
is likely to be unexpected and potentially harmful to the subject of the data.
If they are willing to take accountability, that is one operational test that
is not particularly burdensome. I think that we are trying to be practical, yet

MR. REYNOLDS: I think if you think through the document, I think what I am
hearing as far as uses are concerned is people want more discussion about what
the uses are because the actual recommendations in the framework more than
likely are going to be the same. We still are saying we are basing it on HIPAA,
but we are not spending enough time – some of the subjects that were in
here were more individual subjects and not started with the unexpected and the
expected. So, it is not telling that story up front. It is just saying
individual things. In the end we go, we are going to start with the HIPAA
structure, and here is what we are going to do.

DR. TANG: It may be a new way of framing the problem. That I think is a
contribution of this report and this activity.

MR. REYNOLDS: If you go back for example to the very first set of
recommendations we have on these slides where it talks about – we still
might base it on the whole HIPAA thing. That is under stewardship now more than
it is under HIPAA. Because of the uses we described, that is one of the steps
that allows good stewardship, things that are already in place.

DR. TANG: Another thing that came up, I think we are moving from an
organization based HIPAA to a data stewardship based on expected use. I think
that is just a new framework.

DR. CARR: So, Simon mentioned Appendix D. It begins to get at this matrix
with some adjustments. So, I wanted to also make note of the fact that do we
need this other matrix on source of data and all this stuff? I do not think so.
When we chose the glossary of terms in the taxonomy, I would just like to
suggest that we identify what is the net we are casting to include a term in
that glossary. Is it any term we have heard in any of the hearings? Is it any
legal term that comes up in HIPAA? Is it terms that are confusing? I feel like
we need to say why they are in here because there are some terms in here that
maybe we are not addressing but we are putting in here. That might be
confusing. I would just ask for a strategy about what goes into the glossary.

DR. COHN: This is good. We were talking last night over dinner and we were
talking about really what we are trying to do is enhancing HIPAA. We talked
about it as a new framework. We actually do have recommendations for a whole
new framework, which of course requires legislation, but we are also trying to
deal with whatever you describe as practically possible, which means taking
current vehicles that we have and significantly improving them to make them
capable of dealing with the new world. I think we are in agreement in spirit of
what we are talking about here. I guess I just prefer – recognizing that
we are trying to take this vehicle and outfit it for the new world in some way.
Hopefully we can mention that in here.

Now, with that, I know we are at 12:00. I know Margaret has a lot of work
to do. As we are talking here and recognizing that it may be that the Appendix
D, even though – I am actually wondering – I mean, we tried to put in
the recommendations and observations, and it was such a show stopper because it
was just sitting right in the middle of the recommendations.

DR. DEERING: One thing that I have been struggling with Margaret with
trying to figure out is it seems to me that the one thing that is missing from
Appendix D is a statement of the current attributes for the data and how we get
that in there. It is not just what you want to do with it. So, that has already
been taken.

DR. COHN: I think taking a different approach to getting the same
information. So, thank you for giving us a fresh set of eyes.

Now, let me just sort of talk about the rest of today and tomorrow. Around
1:00 or 1:10 we are coming back as Privacy and Confidentiality. Margaret is
going to be working on a version. I know some people will be calling in tomorrow
that are in person today. We will try to get a next version out sometime later
today would be – maybe. So, Paul, check your e-mail.

Now, I think we will just have to judge tomorrow at the end of the day
about this plan about when we can more publicly distribute advance drafts of
this document. I said we all have to be nodding our heads and feeling that we
got it right. We also – I think there is an urgent need to make sure that
we get some secondary input in all of this. So, we are just going to have to
balance that and make judgments tomorrow.

With that, I think we should adjourn until 8:30 tomorrow morning for this
group. Others will be back here after lunch. Thanks.

Whereupon, at 12:07 pm, the subcommittee meeting was concluded.