[This Transcript is Unedited]



Subcommittee on Privacy and Confidentiality

September 1, 2004

Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703) 352-0091

List of Participants:

  • Mark Rothstein, Chair
  • Harry Reynolds
  • Christina Hyde
  • John Houston
  • Richard Harding
  • James Scanlon
  • Michael Fitzmaurice
  • Jeffrey Blair
  • Dan Rode
  • Simon Cohn

P R O C E E D I N G S  [3:12 p.m.]

DR. ROTHSTEIN:  You who are not on the subcommittee, you are certainly welcome to attend.  This session is not on the Internet.  That may cause you to want to leave if you have got speeches you want to make for the public.

I want to welcome Christine, who will be one of our staff liaisons from OCR.

MS. HYDE:  Christina.

DR. ROTHSTEIN:  Christina, I’m sorry, Christina Hyde.  She and Sue McAndrew are going to be our staff liaisons, and we will inform Amy of what we are doing.

You should have in front of you a copy of the agenda for the subcommittee meeting, as well as two versions of the fundraising letter that we discussed this morning.  Those are versions — one is a clean version, and an identical version that shows the changes.  I’d like to go over the changes that I am proposing that were made today after the full NCVHS discussion of this morning.

Basically, let me see if I can summarize those changes.  Aside from a minor word change here and there, let me call your attention to the following items.

In paragraph number three, the second sentence was added. We also received written comments from a leading health privacy advocacy group, and that is in line with the suggestion that was made earlier.  In the fifth paragraph, it now reads, Another witness representing a major academic medical center.  I deleted Johns Hopkins; I didn’t want to make it appear too specific to the testimony that we received from one institution.  I deleted the last sentence in that paragraph, that talks about the Johns Hopkins rate of securing authorizations, because that is contradicted in the letter that we received from Georgetown, where they said the rate was much lower.  So I just eliminated that sentence altogether.

DR. HOUSTON:  What did Georgetown indicate?  I forget what the letter said from Georgetown at this point.

MR. REYNOLDS:  Wasn’t it 50 or 55 percent?

DR. ROTHSTEIN:  In Georgetown’s letter, they said — she is talking about what happened in Arizona.  The representative of an Arizona hospital that asks every patient to sign a form authorizing solicitation said that only a handful of patients declined to sign.  Only a handful had declined to sign, and Hopkins said that only 50 percent signed.

DR. HOUSTON:  That was Hopkins versus — is there an inconsistency, or is it simply that there are two separate sets of evidence as to the issue?

DR. ROTHSTEIN:  Well, we have to indicate that two sets of evidence came in, one only a handful, the other 50 percent.  I just think that we don’t need to do that to justify what we are saying.  If we were going to be relying on either of them, we would have to probably get a third one or more, because they are so wildly apart.

DR. HOUSTON:  The one thing I am sensitive to is that Vicki — I believe it was Vicki who made the comment about that specific statistic.  I wouldn’t want it to be perceived that we took the statistic out because it was one that was questioned by a committee member.

DR. ROTHSTEIN:  No, no, no, this is not a response to Vicki, this is a response to my having read the Georgetown letter more closely.

DR. HOUSTON:  I’m just saying, the reason why I am concerned about it is because it was also brought up as a concern of a committee member.  Whether it is reality or perception, I don’t want Vicki to perceive that we took that out because it was something she questioned as being evidence of a privacy issue.

DR. ROTHSTEIN:  Oh, I see.  We can explain that.

DR. HOUSTON:  I think we should, in the interests of full disclosure.  I know she did bring that up as a specific statistic.

DR. ROTHSTEIN:  She raised the question, while 50 percent didn’t want to sign, —

DR. HOUSTON:  So I would hate to say, we are going to take it off, and somebody says you took it out because you wanted to avoid the argument from other people.

DR. ROTHSTEIN:  Right.  Let’s see what else is new.  The key thing is on the second page.  The third full paragraph was added, that included this new information that we were urged to include.  Those are my summarization of the letter from Georgetown.

Then because we are now coming up with three separate recommendations, I put it in our standard bullet format that we use in other letters.  I couldn’t figure out how to get the bullets working on John’s laptop, so at the moment, they are little O’s.  So the last one is the only new one, which really makes more explicit the assumption that we had going into this.  So it says, the covered entities’ notice of privacy practices should inform patients that their department of service information may be used, et cetera.

MR. REYNOLDS:  Back to our testimony we heard about the specialty hospitals, would we assume that these same procedures would be used by the specialty hospitals?  In other words, one of our goals out of the hearing was a level playing field.  So I am just trying to make sure that the movement we just made didn’t tip it right back again.

DR. ROTHSTEIN:  No, my expectation is, this goes under the heading of, be careful what you ask for, because now we are going to be placing greater burdens on the specialty hospitals by putting in their NPP that the patients, even though they would have a right to opt out of being contacted.

MR. REYNOLDS:  But if I remember the testimony correctly, the regulation — doesn’t the regulation cull out specialty hospitals?  Wasn’t that one of the issues?

DR. ROTHSTEIN:  No, the issue was that if you go to Hopkins Eye Clinic, Hopkins can’t tell their fundraisers that you were at the Eye Clinic.  The only way they could raise funds from you is to treat you like everybody else.  Whereas, if you went to Wilmer Eye Hospital in Philly, they would know why you are there.

MR. REYNOLDS:  I got it.  I just wanted to make sure that we hadn’t tipped it back.  I think it says this puts them on a level playing field.

DR. ROTHSTEIN:  One of the other criticisms that we got at the meeting was that in the fundraising letter we are out of whack with the marketing letter.  I think we are answering that because one of the things we are putting in the marketing letter is that the Secretary should consider the feasibility of opt-out from marketing.

MR. REYNOLDS:  So it has to be an opt-in to marketing.

DR. ROTHSTEIN:  I’m sorry, an opt-out to notification of services.

MR. REYNOLDS:  Treatment options.

DR. ROTHSTEIN:  Yes, treatment options.

MR. REYNOLDS:  You’re right.

DR. ROTHSTEIN:  Does anybody have any specific comments of — this is our chance before the meeting to clean up any language that people are uncomfortable with.  I have no writer’s affinity for this; I just threw it together quickly for our discussion.

DR. HOUSTON:  The only other area that was discussed that I don’t think needs to have anything in this letter, but I think we should probably bring up for discussion was Russell’s discussion about research being disadvantaged, which I don’t think is correct.  I think researchers within the HIPAA privacy rule have — at least to the extent that the researcher is a work force member of the covered entity, actually still has broad ability to contact patients for recruitment purposes under the perpetrator research provisions.

DR. ROTHSTEIN:  Right, and that was included in our research letter. One of the things that we pointed out was that it is perhaps too broad in violation of the common rule.

DR. HOUSTON:  I just wanted to make sure.  I don’t think it needs to be in this letter, either, but I thought we should at least make sure it comes up for the purpose of the discussion.

DR. ROTHSTEIN:  I think that is fine.  If Russ wants to read this and raise that issue, we will be happy to address it.

DR. HARTMAN:  Could you clarify in the second bullet just a little more about what a broad designation is?

DR. ROTHSTEIN:  Yes.  Let me ask you how we would do this.  We all know what our intent is.  Should we put examples of that, what we mean by a broad —

DR. HARTMAN:  I don’t know what that means.

DR. ROTHSTEIN:  What we mean is oncology rather than breast cancer clinic, which would disclose more diagnostic information than is needed.  Or surgery without saying — so that is what we have in mind.

DR. HARTMAN:  Being a psychiatrist, do you say neurosciences?  It has psychiatry, neurology, neurosurgery, neuroradiology.

DR. HOUSTON:  Can I make a statement about that?  This is something that is not ever going to be embodied in this letter, but from everything I heard from individuals involved in this area, you probably wouldn’t do any fundraising to begin with in psychiatry.  That is not something that is typically done.

DR. HARTMAN:  Not so much from patients.

DR. HOUSTON:  Exactly.  I think there is a sensitivity.  I forget who said it to me, but fundraisers don’t want to piss anybody off, so they are not going to be doing fundraising activities that have the effect of upsetting individuals, because frankly then they won’t want to give.  So they are very sensitive towards these types of issues, anyway.

DR. HARTMAN:  That is basically true, although Michigan just got $30 million from a grateful father.

DR. ROTHSTEIN:  But our intent was, we could put broad categories, infectious disease, surgery and so forth.  Do you think this letter is vague about that?

DR. HOUSTON:  I think we could put in parens, for example, oncology, surgery, medicine, et cetera, comma, and not specific subspecialty or more specific — I don’t even know how to say that.

MR. REYNOLDS:  I think short of putting in examples, we are going to keep picking words that just keep it unclear.

DR. ROTHSTEIN:  Right.  So you recommend putting examples as well.

DR. HOUSTON:  Why don’t we use oncology as an example, just use, for example, oncology versus.

DR. ROTHSTEIN:  In the letter we used oncology, ophthalmology, maybe cardiology is too narrow.  Maybe it needs to be medicine.  But I think the fundraisers would say, we want to build a new cardiology wing, we don’t want to talk to the people with colonostomy.

DR. HOUSTON:  Rather than cardiology, why don’t we change that to oncology because that is a better department to use for an example later.  Then within oncology you can —

DR. ROTHSTEIN:  So in the second paragraph, where it is ophthalmology or oncology, you say we should make that oncology or cardiology?

DR. HOUSTON:  Yes, just replace one of the two, because then we go back later in this bullet point and then use an example which is oncology and compare it to some of the specialty areas or some of the different diagnosis areas?

DR. ROTHSTEIN:  On the second paragraph of the second page, we say in the fourth line, surgical, oncology or similar unit of the hospital.  So the way it is written now, there are four different examples.  Should we make those consistent or just bring those four down into the second bullet where we could now say, e.g., ophthalmology, cardiology, surgery, oncology?  Simon?

DR. HOUSTON:  It’s your turn to pick on somebody.

DR. COHN:  As I was listening to this one, I was trying to think how in the heck we handle Dr. Harding’s area, his mass enumeration, I wonder if there is something that we could reference, an up to date, well kept up listing, that would be at the level of granularity that we are describing?

DR. ROTHSTEIN:  We want to have it at the least granular level possible.

DR. COHN:  That is what I am saying, but I guess I am struggling a little bit with what granularity is really — you heard oncology was, and they would not want to be involved in medicine.  So you are talking about medicine and subspecialties, it sounded like.

DR. ROTHSTEIN:  My sense is that this is something that OCR ought to do.  What we are doing is making the suggestion to the Secretary, and if the Department wants to follow through with it, then they are going to try to come up with some sort of classification system that is appropriate.

My concern in this letter is that we just provide enough information so that they know what it is we are recommending.

DR. HOUSTON:  Is there something with JCHO or somebody that has these 20 departments?  I sense what Simon is saying is that there is some —

DR. COHN:  For example, CMS has a listing of practice specialties, which unfortunately this doesn’t quite apply.  I was trying to think if that would be — I don’t think that is going to quite work.

DR. HARTMAN:  The six required specialties of a medical school are internal medicine, pediatrics, ob-gyn, surgery, psychiatry, and what did I leave off?

DR. ROTHSTEIN:  Oncology?


DR. COHN:  Orthopedics?

DR. HARTMAN:  No, that is not required.  Internal medicine, pediatrics, ob-gyn, psychiatry, surgery.  There is one more.  It is a requirement in the medicine school.

DR. ROTHSTEIN:  Family medicine?

DR. HARTMAN:  Family medicine.

DR. HOUSTON:  Those are probably too broad, because you have oncology and everything else is subsumed.

DR. HARTMAN:  There is the hospital based things like radiology and pathology.  Those are the core medical student locations.

DR. ROTHSTEIN:  That may not describe it well enough.  Family medicine is not going to help us.

DR. RODE:  I would suggest such as, like you already put up in the observations, surgery and oncology or some unit of the hospital, as opposed to subspecialties.  I think that is enough direction for the OCR to go with that.  It is going to vary from hospital to hospital, but that would cover most of your teaching hospital experiences.

DR. ROTHSTEIN:  Thank you, good to have that expert at the table.

DR. COHN:  Did you write that down?

DR. ROTHSTEIN:  We are going to work on it now.  We are in bullet two.  Department of service information should apply only to broad designations, and now we are going to put in, e.g., surgery, oncology —

DR. RODE:  Surgical, oncology, or some other unit of the hospital, as opposed to subspecialty.

DR. COHN:  The question is, I thought oncology was a subspecialty.

DR. ROTHSTEIN:  As opposed to specific sites or leukemia and lymphomas or whatever.

DR. COHN:  I think I probably would not use the term subspecialty, as opposed to — I would just use a different way of describing the more granular differentiation.

DR. ROTHSTEIN:  How about if we put, e.g., surgery or oncology, as opposed to smaller units, something like that?

DR. COHN:  Yes.

DR. HOUSTON:  So after broad designations, parens?

DR. ROTHSTEIN:  Yes, e.g., surgery, oncology, rather than — but not smaller designations, or narrower designations.

DR. HOUSTON:  Do we want to say narrower designations or subspecialties?

DR. ROTHSTEIN:  Somebody said that subspecialty might have a term of art meaning, and people would get out their subspecialty listings.  I think the key is that we apprise the Department of what we have in mind, and if they want to follow through on it, they can take this and run with it.

DR. HOUSTON:  Was there another change, other than that?

DR. ROTHSTEIN:  That is the only one we have agreed to so far.  Sue and Christina, would that be adequate information for you to know what we have in mind?

MS. HYDE:  We have received lots of comments on this as well.

MS. MC ANDREW:  I guess it is a little — I’m a little unclear, in terms of — I presume that depending on the size of the facility, are we saying we just want to go one level down from Johns Hopkins?


MS. MC ANDREW:  Or do we want to say that you go to two levels down or three levels down?  How small is the unit, how big is the department?

DR. HOUSTON:  What I thought I was hearing from Johns Hopkins was that you give them one additional level down, and they would be satisfied, especially in comparison to what they have today.

DR. ROTHSTEIN:  I think that is right.  I would say one level down.

MS. MC ANDREW:  But it doesn’t matter on the size.  Anybody gets one level down.

DR. ROTHSTEIN:  Anybody gets one level down, but if you are M.D. Anderson or Sloan Kettering, you get no more levels, because that is your level.

DR. HOUSTON:  Yes, that is correct, especially if the hospital already is at that lab designation level already.

DR. ROTHSTEIN:  Right, because they are already at oncology, and all we are going to allow is Johns Hopkins and Georgetown and whatever to go down to that level.

MR. BLAIR:  This discussion seems very problematic.  I wonder whether we could even give guidance on something like this.

DR. HOUSTON:  We have to.  This is an issue.  What we heard is a detrimental impact on fundraising, which is the lifeblood of a lot of hospitals.

DR. ROTHSTEIN:  This is the third time we have heard it in this committee, and I’m sure OCR has been deluged for years.

MS. MC ANDREW:  I wouldn’t say deluged compared to other deluges we have been deluged with.  But it is a consistent issue, and it certainly was something we heard a lot about when we were doing the workability changes.  The option was at that time not to make any changes.  Subsequent to that, there were several exchanges, including one meeting that we had on the Hill.  So it is an issue we have been aware of.

DR. COHN:  Mark?


DR. COHN:  I was going to comment on a couple of things. I am sensitive to this.  I am just struggling as we all are with the wordsmithing.

First of all, I would observe that none of what we have all been saying is in any way incorporated in the recommendations here, at least as I see them.  At the very beginning of the letter, we talk about this distinction between general hospitals and specialty hospitals.  None of that falls in any way around the recommendations.

The other piece is, I am wondering — I think what we were talking about are large general hospitals.  I am wondering if this is something, given that we have been provided such wonderful advice by a variety of testifiers, I wonder if they might have some wording that we might be able to use, to help refine exactly the grouping that we are talking about.

I think the concept at 10,000 we are all in agreement with, but how do you specify this one, so an oncology hospital doesn’t start specifying head and neck versus breast versus female ob-gyn cancers, which is really not what you are trying to do, versus a larger hospital like Johns Hopkins, which I don’t even know falls under the general hospital designation, or whether it is described officially as something else.  John may know what that means.

DR. ROTHSTEIN:  You raise a good point.  Maybe in the first bullet we should put something like, HHS should allow comprehensive medical institutions and their related foundations, something like that, which makes the point that we are trying to address the problem where all these broad departments are together under one roof.

DR. HOUSTON:  I’d just need to know how to say it.

DR. ROTHSTEIN:  Forget the stating for a second.  What about the concept?  Is that something that would improve the letter?

DR. HOUSTON:  This is applicable to in my mind anybody other than the true specialty hospital that has one specialty.  It could be a large hospital system like the one I come from, which has cancer hospitals and psych hospitals and whatever else.  This also could be a community hospital that opens up a cancer center and decides it wants to do fundraising for its cancer program.

I suspect that the hospital could be fairly small, but it might even have an ob capacity.  It doesn’t necessarily have to be a large facility.

DR. ROTHSTEIN:  So maybe what we need to say is multi specialty institutions.  Would that be fair?

MR. REYNOLDS:  I worry that we go to any designation like that, I worry that we go to any organization chart one level down.  I think the examples that you used at least give the guidance.  There has got to be a lot of consideration of this when it goes forward as to exactly how to position this.  Any words you pick, anybody can spin.  Any time you tell me it doesn’t relate to a small hospital, I can open something.  I can change the name of a department and win.

DR. ROTHSTEIN:  They can do that now.

MR. REYNOLDS:  I know that.

DR. ROTHSTEIN:  They can reorganize in ten different units.

MR. REYNOLDS:  I’m saying, once we —

MR. BLAIR:  That was the point I was trying to make also.  I don’t think that we are going to be able in the next hour or two or three be able to work out exactly — anything we come up with, we are going to find exceptions to that.  So I think we have to express the intent.  But if we start to get into examples, our examples are going to wind up —

DR. HOUSTON:  I think our intent is already here.

MR. BLAIR:  Yes, the intent is there.

DR. HOUSTON:  It is not like we don’t have somebody from OCR at the table who is listening to this, and when somebody says, what do they really mean, hopefully Susan and Christina will be able to say, here is what they intended by this guidance or this recommendation.  I am assuming that will occur, correct?

MS. MC ANDREW:  Yes, of course.

DR. ROTHSTEIN:  Simon, I want to see what your views are on this language, whether you still want to include something.  In the first bullet, do we need to say something like, HHS should allow multi specialty covered entities, and blah, blah, blah, or should we just leave it the same, as it is now?  We have already agreed that we are going to add in bullet two at the end of the first line, after the word designations, a parenthetical that John previously read.

The point that you raised to get closure on this, is it valuable, and does it improve this letter to try to add some additional words to modify covered entities?

DR. FITZMAURICE:  Michelle Williamson had a suggestion that I added a couple of words to.  I think the concern is that however number of levels down you go, the fear is that you identify the health condition of the patient.


DR. FITZMAURICE:  So we might just say about fundraising, as long as the designation of the area of the hospital does not connote the medical condition or health condition of the patient.

DR. ROTHSTEIN:  And the second bullet at the end of that sentence, we try to do that by saying that the privacy rule should retain the prohibitions on disclosure of information relating to diagnosis and treating physician.  So that would suggest that you can’t say —

DR. FITZMAURICE:  Wilmer Eye Institute.

DR. ROTHSTEIN:  Well, no, it would say not breast cancer institute, it would allow you oncology.  Lombardi Cancer Center would be okay, but not —

DR. FITZMAURICE:  You are saying that the patient had head cancer.

MR. BLAIR:  For some people that is too far already.

DR. HOUSTON:  But guys, what balances this is twofold.  First off, one of the existing provisions even in the privacy rule is an opt-out provision.  If somebody had a strong desire from the very beginning when they came in the hospital, they have the ability and will continue to have the ability to opt out.  What we are recommending is that either it be based on specific departmental information or whatever we want to call this stuff, these broad designations, or entirely opt out.  So there is that ability today.

I think secondly, this is something I had said before, this is not a hard and fast rule, but I think what came across in the fundraising testimony was that these guys aren’t going to get any dollars from anybody if they upset them.  So they are going to take great pains to try and engage patients in a way that is not offensive, because when they do that, they don’t get money, they don’t get the desired effect.

DR. FITZMAURICE:  Maybe you don’t need to specify what level of the hospital it is.  Just say, the patient is given the opportunity to opt out.

MR. BLAIR:  Yes.  If you already give the patient the opportunity to opt out and they choose to opt in, then it doesn’t matter what level of granularity you go to.

DR. ROTHSTEIN:  Right, but at the moment there is no requirement that at the present time, the hospital’s notice of privacy practices indicate that you have an ability to opt out of fundraising, correct?

MS. MC ANDREW:  The opt-out in the rule comes with the first fundraising solicitation.  In that first solicitation, they are required to provide an effective opt-out of future communications.  But you get the one letter.

DR. ROTHSTEIN:  Right, so what we are proposing actually goes beyond the current rule in terms of protecting the privacy of individuals, because it would allow them to opt out pre first contact.  In addition, it would give them two options.  They could opt out entirely, or elect not to have any department of service information revealed for solicitation purposes.

So I think this really strengthens the privacy rights of individuals, because they are given two choices up front that they currently don’t have, while at the same time we are presumably helping level the playing field of the institutions, that is, the multi specialty institutions versus the more specialized institutions.  At least, that in theory is what it is intended to do.

MR. REYNOLDS:  Re-reading the second bullet, I really like the way it is phrased.

DR. ROTHSTEIN:  Currently?

MR. REYNOLDS:  Yes, because you retain the privacy rule, and you are relating to diagnosis and treating physician.  You always try to use a litmus test.  If you wanted to send your fundraiser walking through the hospital, a lot of patient names are on the side, I know what department I walked into, that is now visible information in most cases, but it does not talk about the diagnosis, it does not talk about who is treating them, and it doesn’t go into anything more than that.

DR. FITZMAURICE:  But it is also protected health information, if the fundraiser is hired by that hospital.

MR. REYNOLDS:  I understand that, but the point is, if we are now authorizing to use some form.  We are not authorizing any more than is already visible if I were their next-door neighbor.  That is where I am going.  The general public can walk down the hall and find out this information.

DR. ROTHSTEIN:  That is why in the last line of the second paragraph on the second page says, thus, patient service department information is now widely available to the public, including fundraising staff, unless the patient has opted out of the hospital directory.  They don’t even have to walk the floors.  All they have to do is view the directory, and they will know who is on the obstetrics wing and who is on the surgery wing and so forth.  Not that they would do that.

So Harry, you think the second bullet should remain —

MR. REYNOLDS:  I’m not hearing anything in the discussion that we have come up with anything —

DR. ROTHSTEIN:  Other than the parenthetical that we have added?  We have added a parenthetical after the word designations.


DR. ROTHSTEIN:  So I will take that as an abandonment of this point.

DR. FITZMAURICE:  I was looking at each of these bullets separately.  Taken altogether, particularly that third bullet that you mentioned to me, drew my attention to, the patient has the opportunity to decline the use of their department of service information, has the opportunity to opt out.  I think that is pretty good protection.


DR. FITZMAURICE:  I will note in the previous version that even Johns Hopkins was only able to get authorizations from about half their patients, so they might still expect that half of their patients would opt out.  But it still puts the control in the patient’s hand.  If the patient says okay, then it doesn’t violate the privacy rule to use that department information.

DR. ROTHSTEIN:  Right.  I think this helps both sides, but maybe we have succeeded in producing something that will antagonize both sides.

MS. MC ANDREW:  I guess the question is, how do you envision other than some information being provided, I should say buried, in the notice that gets received?  Are you envisioning an actual mechanism to exercise the opt-out?  And isn’t that the same kind of chilling effect that the authorization or opt-in process is presenting fundraisers?

DR. HOUSTON:  Let me answer that.  The opt-in is always a touchy issue, because the patient comes in, they may not be comfortable, they may be in pain.  It is a question of how much paper you want to put in front of them.  I think if you put in the notice, and even if you make it a part of the summary, that is the other thing you do to try to strengthen this; not only do you put it as part of the privacy practice, but as part of the summary that is supposed to go along with it you also put a bullet in there that also describes the fact that you can opt out of fundraising.

Maybe that is a way to assure that it appropriately stands out, rather than have it buried into what is typically an eight or ten page notice of privacy practices that few people have the willpower or the stamina to read.

MS. MC ANDREW:  Is this something that — is there an affirmative obligation on the part of the facility to —

DR. ROTHSTEIN:  I think that is why we went with the opt out as opposed to the opt in.  If it were an opt in, then it would be an affirmative duty on the hospital, we are in effect putting the burden on patients to exercise this.

Now, I recognize your point, and I am concerned about just adding another line on page 11 of something that nobody wants to read, and that is their rights.  But I don’t know how else to do it.

DR. HOUSTON:  I think this does provide a balance.  I think this taken with the fact that a patient after — I think our recommendation is that the current processes also continue.  So to the extent that a patient receives a fundraising solicitation mailing, and it says at the bottom, you may opt out of further fundraising communications, that is yet another opportunity for the patient to opt out.  So it is adding a reasonable opportunity for the patient to opt out, in addition to everything that is already there.

DR. ROTHSTEIN:  And Sue, I would guess that they would still have an opportunity to opt out again after first contact.  This wouldn’t necessarily —

DR. HOUSTON:  Yes, it would be at the bottom of the solicitation, yes.

DR. ROTHSTEIN:  Other proposed revisions of the letter?  So we need to vote as a subcommittee on the revised letter with the one change in bullet number two, the parenthetical that John added.  So is there a motion to accept the revised version of the letter?

DR. HOUSTON:  I make the motion.

DR. ROTHSTEIN:  We have a motion.  Is there a second?  Motion seconded.  All opposed, raise your right or left hand?  All in favor say aye.

(Chorus of ayes.)

DR. ROTHSTEIN:  Opposed?  Abstentions?  It carries unanimously.  We will make that change.  Marietta will make copies in time for tomorrow’s discussion.  Thank you for taking care of that.

A couple of other items.  First I want to report on the executive subcommittee brief in Princeton last month.  The result of that was, our work plan has been expanded for this year.  Let me go over our schedule of hearings.  November 18 and 19, we have hearings scheduled on the joint issues of e-prescribing and security.  John Houston is going to be working with Amy Chapper from CMS on putting that together.

Let me go through the whole list, and then we will come back to that.  We have another issue that we need to take up, probably with a winter hearing, and that is the issue of patient controlled limits on the contents of EHR, which would include not just the e-prescribing issue which we will talk a little bit about today, but the entire NHII version of a longitudinal health record.  It raises very interesting issues.

Mary Jo Deering has volunteered to assist the subcommittee with that, and I hope to be working with her on that, for a hearing sometime after the new year.

Then we have got three other items that are still on our plate, based on our last subcommittee meeting, the items that we had approved to take up.  I hope to do those this spring.  The three are, limits on disclosure of PHI to third parties via compelled authorizations, decedent and archival health information and patient identification.  We haven’t decided on what order to do those in, but those three items will be on our spring agenda, and they are all quite challenging in different ways.

DR. COHN:  I presume that last item is a joint activity between Standards and Security?

DR. ROTHSTEIN:  Correct.

DR. COHN:  Is that in relation to this issue that we somehow got pegged with from the NHII meeting?

DR. ROTHSTEIN:  That’s right, so that comes from John’s assignment.

MR. BLAIR:  Is that the words we want to use?  Do we want to call it patient identification?  What was the words that Dick Braylor gave to us, about the ability to identify —

DR. ROTHSTEIN:  The ability to identify specific individuals?

DR. COHN:  I personally like the way it was described in the letter that was sent to Braylor, which talked about best practices and issues related to use of indexes and other methods to assure that health care information can be reliably associated with the right individual.  I hope that is long enough for everybody.

DR. ROTHSTEIN:  Jeff, please rest assured that many hours will be spent trying to figure out the appropriate way to refer to this.

DR. HARTMAN:  I think mark of the beast is the way a lot of people are referring to it.

DR. COHN:  Mark, when have you thought about having that particular hearing?

DR. ROTHSTEIN:  April Fool’s Day.  I’m not sure.

DR. COHN:  Okay, I was just curious.

DR. ROTHSTEIN:  I think what we ought to do is just see how we come along with our first hearing, when we make our plans for next year.  I think it is a little too soon.

So if everyone is okay with those five issues for our next hearings, what I would like to do now is just to back up to our November 18-19 hearing and see if we can help provide John Houston with some guidance on putting together that hearing on e-prescribing and security.  Maybe you and Simon could talk about some sort of preliminary ideas that you have.

DR. HARTMAN:  Before going into that, I hate to do this, and I don’t want to talk about it very long, but could we consider the possibility of having hearings on the inherent conflict between HIPAA and the Patriot Act?

I realize this isn’t the time to do it, but at some point that is an issue.

DR. ROTHSTEIN:  Isn’t OCR coming out with FAQs on that week?

DR. HARTMAN:  Not before November 2.  I am saying it a little bit with tongue in cheek, but it is an issue.  Who is going to address that?

MR. BLAIR:  What is the conflict?

DR. HARTMAN:  Not that I am a world authority on it, but there certainly is a great deal of ability to access medical information without cause.

MR. BLAIR:  My understanding of HIPAA is that HIPAA had a few exceptions in it which were grandfathered in, that any local state or federal law enforcement agency had the right to look at our patient records, anyway.

DR. ROTHSTEIN:  There is also a national security provision.

MR. BLAIR:  Right, so the privacy regs of HIPAA in my understanding does nothing that limits law enforcement agencies from looking at our medical records.

DR. HARTMAN:  I’m not against completely the Patriot Act.  I think there is a place for being able to access under certain circumstances.  But I just think it is fraught with difficulties.

DR. HOUSTON:  Can I ask a question?  Are these fundamentally HIPAA issues or are these considerations of the Patriot Act directly, which whether it is patient privacy versus banking —

DR. HARTMAN:  No, it is just that unfettered access to health information.

DR. ROTHSTEIN:  Richard, let me tell you a very practical problem that we are going to run into.  As you know, we wanted to have a hearing and take up the issue of law enforcement provisions under HIPAA to see whether in the privacy rule there needed to be some further restrictions placed on the ability of law enforcement to get access to information.

We could not get anyone to testify.  We went to all of the major law enforcement organizations and government agencies, and I think they thought — probably rightly so — that no good could come of this.  So the only people we could get to testify were from DEA.  We issued a letter to the Secretary some time ago on the relationship between HIPAA and DEA.

MS. MC ANDREW:  It was in June.

DR. ROTHSTEIN:  Was it only June?  I didn’t mean that as criticism of anybody.

MS. MC ANDREW:  Very sensitive about that.

DR. ROTHSTEIN:  So we did issue a letter dealing with the DEA issue, and we had to drop the others because we had no evidence.

I can’t imagine that we will have more luck with this group.  We don’t have subpoena power, you know.

DR. HARTMAN:  We have discussed it adequately for my concerns, but I just wanted to have that as something that in the future we may consider.

DR. ROTHSTEIN:  If we were a Congressional subcommittee, we could take that up.

DR. HOUSTON:  By the way, that is a good point.  Doesn’t the Patriot Act — doesn’t it have to be renewed?  It has a term to it, and I think the term is coming to a close.  I believe that frankly these types of issues will come up in the context of some type of Senate or House committee that will look into issues related to the Patriot Act, and I am sure if there were abuses on the medical side, it will come up in that, those types of hearings.

MS. MC ANDREW:  I think there may have been a recent executive order creating some sort of privacy committee in the area of national security.  So those sensitivities are now given a forum to be discussed.

MR. BLAIR:  My understanding is that even if the Patriot Act had never been passed, that local state and federal agencies, even without a court order — I remember that Senators Dick Armey and Patrick Leahy got together and wrote a letter requesting that HIPAA at least require a court order for federal law enforcement agencies to look at our health records, and the rest of Congress declined.

DR. HARTMAN:  Mr. Chairman, I suggest we move the agenda back to —

DR. ROTHSTEIN:  Okay, but I am glad you raised that, so I hope you feel better.

DR. HARTMAN:  I feel much better.

DR. ROTHSTEIN:  Good.  One other thing I just want to alert — Marietta found and will be copying the OHRP guidance on research involving current privacy information on biological specimens.  You don’t have it handy, but I would ask you to turn to page six, where it says comparison to HIPAA privacy rule.  Regarding distinctions in the privacy rule, all these distinctions, and they say, therefore some coded information which the codes that have been derived from identifying information links to or relates to the individual would be individually identifiable under the privacy rule, but might not be individually identifiable under the common rule.

So they have created another area in which there is a divergence.  So because you don’t have it in front of you and we have other things to do, I don’t want to discuss it now.

MS. MC ANDREW:  It is not clear to me whether they actually — the memo as a whole talks about a lot of other things, but they simply mean, as opposed to creating a new rift, I think they may be clarifying an existing rift, which is that in the privacy rule, we said to qualify as de-identified information, you may give a unique identifier, but it can’t be derived from any identifier that is individually identifiable, such as, you can’t do something spun off from the social security number.  You can give it a random number, but you can’t give it a number that is derived from the identifier and make it privacy rule de-identified information.

I think all this does is say that they have a much more lax standard under the common rule as to what can be considered not individually identifiable information, and carry just a coded number assigned to the case.  Under the common rule, you can derive that coded representation of the case from a social security number or other identifiable information.  So that is just —

DR. ROTHSTEIN:  Right, and the significance of that, for those of you whose eyes are glazed over, is that it would therefore not be considered research for purposes of the common rule, but it could be considered PHI for purposes of the privacy rule, and therefore would be subject to the privacy rule but not subject to the common rule.  That is a situation that is not optimal in my view.

DR. HOUSTON:  What it says is that an IRB doesn’t have to approve the activities because it is not considered human subjects research.  But it still stands silent.  You still have the other HIPAA requirements.  So all it really does is say IRBs don’t need to be involved in approving this type of research that it is not human subjects research.

DR. ROTHSTEIN:  Let me just say as a footnote that because the HIPAA analysis is limited only to privacy issues, there are a range of other issues that are not going to be considered now because the IRB does not get a chance to look at it, because it is not research.

So the IRB considers privacy, but they consider all sorts of other things as well.  By taking this out from IRB consideration, that other stuff which we don’t need to talk about is lost.  So that is my concern from a research ethics —

DR. HOUSTON:  I assume you are talking about research integrity and things like that?

DR. ROTHSTEIN:  No, not just that, but I am talking about group harms and stigmatization.  It could include demographic information that is not linked to an individual.

Let’s get back to the issue of e-prescribing.

DR. HOUSTON:  And security.

DR. ROTHSTEIN:  Well, e-prescribing and security is a joint hearing, right?

DR. HOUSTON:  Right, but there are two separate issues being handled through the same hearing, I guess is a better way to describe it.


DR. HOUSTON:  I’m glad we have had a delay because it has taken more time than I thought to line people up, but I have started to make contact with a number of companies, contacts that I have, as well as, we have retained outside counsel to — he is extremely well based within the medical community in terms of large companies, and he is helping me get to a number of large companies and get people lined up from them.  I am supposed to meet with him.  I have talked to him a couple of times by phone.  I meet with him on Friday.

My plan is frankly to have him make some overtures to the likes of GE and some other medical equipment companies to line up people on the security side to talk about medical equipment, lining up manufacturers to talk about issues with security of medical equipment.  That meeting is supposed to take place Friday.  I am sure that his contacts typically go to the very top of some of these companies.  I am thinking of GE, Verion, Siemens, SNS, places like that.

Cerner has already testified once.  I can get Cerner, that is easy.  I have also put in calls to McKesson Automation, who makes pharmacy robots, things like that.  So I am hopeful within the next couple of weeks, I can have at least two or three companies.  I also talked to Microsoft.  Microsoft has agreed that they are going to try to get somebody to come in.  They have been working with the FDA.  I have some contacts in the FDA that I haven’t tried to contact yet.  I’m not sure whether it should come from you guys or —

DR. ROTHSTEIN:  Can I ask what issues you are talking about?

DR. HOUSTON:  I probably should have said that.  In talking previously with Simon, we had decided that there is a blossoming issue with regard to medical equipment, and issues relate to the fact that a lot of this equipment, since it is FDA regulated, can’t necessarily be patched at the level that otherwise we would patch equipment, because of the fact that there are FDA certification issues.

Say for instance you have a PC connected to a perfusion pump, and it is on a network because it is passing —

DR. ROTHSTEIN:  Network meaning —

DR. HOUSTON:  Clinical network, clinical system network, and because it is on that network, it potentially could be infected by or cause problems to the network if it should become infected.  But because it is controlling a piece of medical equipment, there is a patch process that the vendor would have to go through to certify that a patch that Microsoft might release to address a bug or a known vulnerability, there is a process that has to be done through before that patch can be put on that piece of equipment.

So there are issues to the timeliness that these medical equipment manufacturers can respond to, issues of viruses and other types of threats and vulnerabilities, and it is also directly related to the HIPAA privacy rule because of the fact — or security rule, I should say, because we may not be able to take the same steps with regards to this type of equipment that we would otherwise be expected to take with other types of computer equipment and software.

So the thought was that we wanted to make sure that because of these potential issues, that we got the input of some medical equipment manufacturers to describe, are they having problems and to what degree.

I can give you one real-world example where my institution had a problem with specifically medication administration cabinets.  We had a case where we had one of the larger virus outbreaks.

MS. MC ANDREW:  Computer virus or human virus?

DR. HOUSTON:  Computer virus, actually a computer worm, which was making its rounds.  It was rather aggressive.  The worm itself caused some real problems.  We couldn’t patch these cabinets with the latest Microsoft patches because the vendor hadn’t certified them as being acceptable and wouldn’t cause adverse functioning of the equipment.

These cabinets ended up getting infected.  They ended up bringing down parts of our network.  So here is an example where we had a real issue that potentially would impact patient care, because these cabinets, the way they function is, you want medications, you have got to log into and administer the medication through the cabinet itself.  It dispenses the medications.  So there were real issues in that regard.

There has been a lot of discussion, if you look around in the industry, about whether it be perceived or real concerns about the ability to implement appropriate security on some of this medical equipment.

DR. ROTHSTEIN:  So is it your sense that this would be one panel?

DR. HOUSTON:  It could be as many as two.  But when we talked before, we didn’t think it was a whole day.  It was maybe a half a day at most of effort.  There weren’t any other issues that we — I am not hearing much myself, personally.

MR. REYNOLDS:  I want to ask a logistics question, which Simon can jump in on.  We as a full committee owe to the Secretary the final responses in March, right?

DR. COHN:  For e-prescribing?


DR. COHN:  Okay.

MR. REYNOLDS:  With the discussion that went on this morning which could get lengthy, on privacy and e-prescribing, if we set up a day and a half meeting, of which the e-prescribing takes longer than necessary, and there is no other hearing scheduled until at least January that could follow up on that and make a recommendation out of this committee that could be fed into anything that is going on to the e-prescribing, I’m not sure how that works.

It would appear to me, if the privacy group is going to hear e-prescribing, it needs to hear it and take some kind of a position or stance or something, so that can be factored into all of our hearings we are having on e-prescribing, or at least the deliberations we are doing on e-prescribing.  Otherwise, the worst thing that could happen is in January, we find out something coming out of privacy at the same time we are trying to finalize what we are recommending to the Secretary as our next steps.

I am asking it more as a question than a challenge.

DR. COHN:  Let me try to address it.  I agree with where you are going, though.  I think what we are thinking about in November was a half day on security, because security goes into effect in April next year, so if we are going to make any comments or if there are any issues, that is the time that we need to be talking about it.  But like John, we were hearing about biomedical, we probably need to hear from CMS about a whole bunch of FAQs and issues that somehow though we heard about them in July, we have never seen FAQs addressing any of these.

DR. HOUSTON:  They did release FAQs.  I think HHS did release a set of FAQs.  I read them, but I wasn’t involved with them.

DR. COHN:  They didn’t address these issues.

DR. HOUSTON:  No, they didn’t address these issues.

MS. MC ANDREW:  There was a series of eight to ten — it was security 101 or something like that.

DR. COHN:  We never heard about the emergency room and definition of what a security incident is and things like this, which I don’t think I have seen.  So the question is, these are things that we need to — if they haven’t gotten them out by that time, we probably need a conversation.  Regardless, I think we are talking about a half day.

DR. HOUSTON:  I agree.

DR. COHN:  Now, Harry, you are absolutely right about — before today I wasn’t exactly sure what we would be talking about, with e-prescribing and privacy.  On the other hand, I can imagine —

DR. ROTHSTEIN:  These are thorny issues, right?

DR. COHN:  Not being aware, I didn’t know what the issues were.  So I think the question number one is, a day would be very appropriate in terms of us to get into it, but the question is whether that is going to be sufficient or not, and recognizing that these are some recommendations that probably need to come to the Secretary as part of those March recommendations.

I don’t care how we get to that March recommendation, but I don’t want us to have a major set of recommendations in March going to the Secretary, having identified privacy as one of the issues we were going to evaluate, and oh by the way, we don’t have any privacy recommendations because we did one in November and we will do one in April, and maybe we will get it to you for the June hearings.  I don’t think that will be particularly helpful to the Secretary.

So even though I know we don’t have meetings scheduled, I guess we need to be thinking probably about a January session or something.

DR. ROTHSTEIN:  I think that is certainly doable, to schedule a mid, late January session for any followup time.

DR. HOUSTON:  I think we do need a little bit of time for the HIPAA security rule, simply because even though we are not hearing a lot about issues, I think we do have an obligation to at least indicate that we have tried to determine whether there are issues.  So half a day of this in the few issues that we do know of I think is appropriate.  I agree, I don’t want to take up too much time, either.

MR. REYNOLDS:  I wasn’t trying to make one win over the other.  I was trying to live with the logistics of both, and how does that work with the schedule that we have seen.

MR. BLAIR:  As you begin to pull together the agenda for the security hearings, you may want to check with David Braylor’s organization.  Security for the NHII, I think they are beginning to start to want to gather information on that.

Steve Steindel has bridged off of that activity with a set of rules for the road we are going to explore in the NHII work group.  One of them I noticed which was really fascinating is the security exposure of health care information so great that we have to look at some type of private network for health care information.

I jumped at that and was a little bit surprised, but what John Paul wound up saying is, with virus threats to radiologic equipment, when somebody could get overdosed, to something that could corrupt information in e-prescribing systems, to something that could corrupt an electronic health record system or gather information, the security topic starts to get very big.

So I don’t know how you want to deal with that, but you may want to take a look at some of those pieces so that the agenda on security that you have in either November or January is a bite sized piece that fits in with the broader agenda.

DR. ROTHSTEIN:  I just want to note that we do have a subcommittee that deals with security as its main mission.  So I think that I am very confident that Simon is all over that issue, and will be anxious to pursue it.

MR. BLAIR:  That was not the intent of my comments.

DR. ROTHSTEIN:  As for us, we have got all sorts of things, and they are quite challenging, some of which keep getting pushed back and pushed back because of deadlines.

I want to ask if we can get some more direction on how to proceed with privacy issues on our e-prescribing day and a half.

DR. COHN:  Day.

DR. ROTHSTEIN:  Day, sorry.  We have a day and a half hearing, half on security, one on e-prescribing.

The main issue that we talked about today, and I think clearly the most difficult issue, is the degree to which patients should be able to control their records, that is, what is in their e-prescription files and what is going to be disclosed back to their physicians and so on.  That of course ties in with the broader issue that we are going to talk about in the context of NHII.

Are there other issues that are of immediate concern to the e-prescribing report that are directly within the province of privacy and confidentiality?

MR. REYNOLDS:  Not so much that, but I think during the hearing, especially since this committee hasn’t been through everything, we have been going through the steps of the process and identifying where there are privacy issues in each step.  You would or wouldn’t want the physician, the patient, the pharmacist — where the privacy comes into play is the issue.

I think until you go through those pieces and decide something is in or out, a decision out of this committee could completely change one of the things that is in the regulation that talks about medication histories.  So all I’m saying is, we are about to change the way this information flows in the treating of patients.

DR. ROTHSTEIN:  In one sense, we don’t know what comes first, because I hear you saying that there are going to be privacy issues raised by all the specifics as we go through the e-prescribing system.  On the other hand, the e-prescribing system is going to be affected by our overall decisions about privacy.

So maybe what we can do is start working at our November hearing about coming up with general principles, general considerations, what are the concerns, where are the points at which privacy may be breached and so forth, but I don’t know that we can get down to the level —

MR. REYNOLDS:  No, don’t misunderstand.  There are key points where it will be — if a patient opts out and you have got to make sure you have got a whole process set up that they can be opted all the way out if that is their case, and all the way out means pretty significant.  So I’m not saying we have got to dive through the weeds, but we do have to understand the flow of this information, and when they say no, how does no get effected, and can no get effected, and if it gets effected, did you just eliminate the physician’s ability to get the quality that we all agreed on was the whole reason this thing was going to happen.

MR. BLAIR:  I’d like to make an initial suggestion for how you might set up the agenda.


MR. BLAIR:  For privacy issues related to e-prescribing.  The first entity I think we should hear from on that day is the CMS perspective on the privacy issues, the areas where they feel there are issues and the areas where they feel that they are taking action or defining the issues in a way to address whatever concerns they have identified.

So I think CMS should be the first on the agenda, identifying the concerns and what actions they are taking to address the concerns.

The second entity should be OCR, and what exposures they have identified in the MMA law for e-prescribing, that eight-page section of the law that identifies the program requirements and the basic functions that are there for e-prescribing from the OCR perspective.

I think the third thing on the agenda is that we should hear from outside privacy advocacy groups that are saying their perception of the privacy exposures in the MMA law, so that after we have heard from them as well, we will have heard from three entities.  After we have heard from those three entities, I think that the privacy subcommittee can then wind up discussing the exposures that have been identified and the proposed actions to address those exposures.  I think that will give you a good start.

DR. ROTHSTEIN:  I thank you.  I would add a couple to the list.  I think we need to hear from physicians, and we need to hear from pharmacists, and we probably need to hear from some of the software experts who are putting these systems together.  That might be very helpful to us.

DR. COHN:  And from some of the demonstration projects that are already out there.

DR. ROTHSTEIN:  Yes.  At this time, there is another meeting in here, the NHII is meeting, and so we need to wrap things up.  Is there anything else of pressing importance before tomorrow?  I think we are all set with our revised letter.  I thank all of you, and I apologize to John for running late.

DR. COHN:  I presume we will be looking at a January 2 next meeting?


(Whereupon, the meeting was adjourned at 4:37 p.m.)