[This Transcipt is Unedited]



Full Committee Meeting

September 15, 2010

Embassy Suites Crystal City Hotel
1300 Jefferson Davis Highway
Arlington, VA 22202

Proceedings by:
CASET Associates, Ltd.
Fairfax, Virginia 22030


P R O C E E D I N G S (9:04 a.m.)

Agenda Item: Call to Order, Welcome, Review of Agenda

DR. CARR: We have a very busy agenda today. I would like to welcome
everyone to this meeting of the NCVHS. We will go around the room. I am Justine
Carr, Caritas Christi Health Care, Chair of the committee, no conflicts.

MS. JACKSON: Debbie Jackson, standing in for Marjorie Greenberg, she will
be here momentarily, NCVHS staff, CDC.

DR. SUAREZ: Good morning, everyone. I am Walter Suarez with Kaiser
Permanente. I am a member of the committee, and I don’t have any conflicts.

DR. WARREN: I am Judy Warren, University of Kansas School of Nursing,
member of the committee, no conflicts.

DR. STEINWACHS: Don Steinwachs, Johns Hopkins University, member of the
committee, no conflicts.

DR. GREEN: Larry Green, University of Colorado-Denver, member of the
committee, no conflicts.

MS. MILAM: Sallie Milam, West Virginia Health Care Authority, member of the
committee and no conflicts.

DR. FRIEDMAN: Charles Friedman, Office of the National Coordinator for
Health IT.

DR. HORNBROOK: Mark Hornbrook, Kaiser Permanente, member of the committee,
no conflicts.

MR. LAND: Garland Land, member of the committee, National Association for
Public Health Statistics and Information Systems, no conflicts.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member
of the committee, no conflicts.

DR. FRANCIS: Leslie Francis, Law and Philosophy, University of Utah, member
of the committee and no conflicts.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the committee,
no conflicts.

(Around the room introductions)

DR. CARR: Thank you. I want to take a moment to recognize the enormous
amount of work that has been done over the summer since our June meeting.

We have two very important issues today, very challenging, very complex.
The co-chairs of the Subcommittee on Standards and Privacy have just done
yeoman’s work in working to pull the information together. Our agenda this
morning is to get a preview of what we will be talking about later on the two
standards letters. Then we have Chuck Friedman and Joy. Joy, thank you for
accommodating our calendar. Initially we were working to set up this agenda to
coordinate with your schedules, but since I see both of you here, I think
perhaps I would like to rearrange the schedule and ask Chuck to begin with an
update from ONC, and then Joy, welcome, we will hear from you about privacy.
Thank you.

Agenda Item: Office of the National Coordinator

DR. FRIEDMAN: Good morning, everyone. It is a pleasure to be here. I will
be doing what might be called part one of the ONC update, and then I will turn
the computer and the microphone over to my colleague Joy Pritts, who will do
what might be called part two, with a focus on her work on privacy and

My update will be a bit more like something I recall from when I was very,
very young, the Movietone News. Does anybody remember the Movietone News?
Before they showed the movie, they showed you this set of updates of the most
important things that happened, presumably since the last time you were at the
movies. So I am going to try to run through some things that I thought were the
most important things that happened since the last —

DR. STEINWACHS: Chuck, are these going to be in 3D?

DR. FRIEDMAN: Yes. No, but they will be so vivid that you will think they
are in 3D.

I am going to dwell on four things. I am just going to allude, since it
happened in July since the last meeting, to the announcement of the 2011
meaningful use rule. I don’t know if anyone else was going to talk about that.
Karen, were you going to say anything about that? Then I will very quickly
review some developments in the land of ONC programs. I am going to hopefully
tantalize you with one of the projects being undertaken by one of our SHARP
grantees, this is our research program, and then I will just say a few more
words updating you on what I talked about the last time, which is the work to
develop a rapid learning health system, also known as element three.

Very quickly, of course everybody has this slide etched into their brains.
The meaningful use concept is articulated in three states, coinciding with the
effective dates of what are seen as an ascending or escalating set of criteria.
Stage one coinciding with 2011, stage two with 2013 and stage three with 2015.

I have made a penchant of trying to summarize things in one slide, so here
is my one slide summary of the final rule for stage one meaningful use, which
includes 15 core objectives that all eligible providers and hospitals much
achieve that are expressed as objectives and criteria, and an additional menu
set of ten additional objectives, from which any five can be selected. I just
wanted to establish that this rule is out and announced and formally set.

The ONC CMS program to get to meaningful use is represented by this figure,
which I believe everybody has seen. I won’t dwell on it, but I will use it as a
basis for giving you an update. The first component of this quick update, I
would like to emphasize, with reference to the reference to the regional
extension center program, is the very recently announced supplemental awards to
46 regional extension centers, totalling about $20 million specifically to
promote the advanced meaningful use at critical access hospitals as part of the
initiative to be sure that rural health care sites have the same opportunity to
receive meaningful use as others.

In the land of workforce training, I did talk about our workforce training
program the last time. In early August we had a very successful workshop in
Portland, attended by 250 community college faculty members, where they were
exposed to and trained in the use of the materials being developed by our
curriculum development centers. This is proceeding very, very well. The
community colleges, just about all of them, and that is 84 in number, will be
launching their training programs by September 30, and all nine university
based grantees, which involves a total of 15 institutions, are in the process
of launching their programs by a separately funded grant activity.

In the world of state grants for health information exchange, the office
issued a very important statement of guidance to grantees, emphasizing that the
primary objective of these grants, certainly in the immediate term, is the
facilitation of the advancement to meaningful use and the primary objective is
to be sure that all eligible providers and hospitals in their state have at
least one option for health information exchange supporting stage one
meaningful use. The guidance is longer of course, and I encourage you to take a
look at it, but if it has to be reduced to one main point, it is that, which
really focuses the program on meaningful use.

Under the standards and certification framework, there is significant
progress being made on NHIN Direct, which represents another attempt from the
viewpoint of interoperability to focus our programs on what it is going to help
eligible providers and hospitals meet the stage one meaningful use criteria.
NHIN Direct is a program focused on secure and trusted push grants missions
from a place where information is to a trusted destination to which the
information needs to move. It is expected that demonstrations of NHIN Direct
will begin this fall.

We also announced very recently to authorize certification bodies, the
CCHIT, and the Drummond Group. It is expected that the certification processes
being carried out by these two organizations will begin this month.

Last but not least, in the land of Beacon communities, you may recall, a
first round of Beacon Awards were made to 15 communities. The program is now
complete with the announcement, I believe it was two weeks ago, of two
additional Beacons, one in Detroit and one in Cincinnati. The 17 that are now
funded will be the totality of this program going forward.

So that ends the Movietone News. Let me stop here and see if there are any
questions, and then I will move into a very quick excursion through one part of
the SHARP program and the rapid learning system.

MS. TRUDEL: Chuck, are you thinking that the two certification bodies will
be able to move through certifications of all of the products that come forward
by the time that the registration starts in January?

DR. FRIEDMAN: That is certainly the hope. There is the possibility that
additional certification bodies will be announced. It is not a closed set for
this stage, and it is certainly the intent to do exactly what you said.

DR. CARR: Chuck, could I just ask one other clarifying question? You used
the term health information exchange and you used the term NHIN Direct. Could
you clarify the definition of those terms and how are the same or different?

DR. FRIEDMAN: Sure. We are increasingly using the term health information
exchange as a verb and not a noun, or at least to connote the process and not a
type of organization. We are moving away from some of the earlier problems,
where HIE was a kind of organization. We are now in referring to organizations
referring more commonly to HISPs, health information service providers, as
organizations in this.

So that is what I meant by health information exchange. It is the process
of moving information from where it is to where it is needed, and there are
specific health information exchange — as a process — scenarios envisioned in
stage one of meaningful use.

NHIN Direct. NHIN stands for Nationwide Health Information Network. NHIN
Direct is a project which consists of a specific set of standards and protocols
that are being developed to support pushes of information, emphasizing those
kinds of exchanges which align with stage one meaningful use from where
information is to a trusted destination.

DR. CARR: I think that we have folks on the phone.

DR. FERRER: Justine, I had a question. Can you hear me?

DR. CARR: Yes. Who is this?

DR. FERRER: Chuck, what is the difference between the NHIN Direct and the
Connect initiative?

DR. FRIEDMAN: It is a good question. There are two initiatives going on
simultaneously, and I believe in a manner that is mutually reinforcing.

I just described NHIN Direct. There is another initiative which we are
calling NHIN Exchange. This is a direct maturation of the earlier NHIN efforts
which were undertaken by a group of organizations, some inside the government
and some outside the government, that have agreed to work together to develop
standards and protocols and agreements to exchange information in a secure and
trusted manner.

The NHIN Connect is a software application that enables the exchange of
information to address the scenarios that the NHIN Exchange group is
undertaking. So it is one way to implement the health information exchange
scenarios that the exchange group is working on. So NHIN Direct is a software
implementation. I hope that is helpful.

DR. FERRER: Very good. The NHIN Direct is not going to be producing the
software —


DR. FERRER: — the Connect initiative, and that is used in the NHIN
Exchange as the criteria by which the software will be built.

DR. FRIEDMAN: I think I misspoke at the end. NHIN Connect is a software
implementation largely supporting NHIN Exchange.

DR. FERRER: Very good.

DR. OVERHAGE: Just a matter of clarification. As I understand it, both
Connect and Direct are a set of protocols that have been agreed to, and there
are software instantiations of exchange that have been created with sponsored
by the federal government, and there are implementations that have been created
by others, which interoperate.

I’m not quite sure I see the distinction between — both seem to me a set
of standards and protocols, and then there are software instantiations of the
Connect, but not of Direct.

DR. FRIEDMAN: We are clearly in a world of fuzzy terminology here. As I
understand it, and I think we agree, but I want to be sure, Connect is one
software instantiation. Okay, then we don’t agree.

DR. OVERHAGE: There is a software instantiation, but there are more than

DR. FRIEDMAN: There are one than one.

DR. OVERHAGE: And they can interoperate. I don’t quite see the distinction
between the model that Direct will build on in terms of protocol standards and
implementation. That is what I am trying to understand.

DR. FRIEDMAN: Marc and I will talk at the break, come to some meeting of
the minds. Marc is just as involved in this if not more so than I am.

DR. FERRER: Yes, but Chuck, if you could publicly let people know what it
means, it would be great.

DR. CARR: That is Jorge speaking, correct?

DR. FERRER: Correct.

DR. CARR: And who else is on the phone? Leslie, did you have a question?

DR. FRANCIS: No, I just was concerned about the Connect mis-spoke at the

MR. LAND: CDC in the past has had their own software application for
interchange of public health records between providers and public health
agencies. How does Connect relate to the system that CDC has been promoting
along? Will this assume there will be takeover from what CDC has been doing, or
can you explain that difference?

DR. FRIEDMAN: I will also ask Marc to comment because he may know more
about this than I do, in terms of having the latest information.

My understanding is that CDC is participating in the group of organizations
that is participating in the NHIN Exchange work. As such, they are beginning to
use the protocols that are being — the standards and protocols that are part
of the NHIN Exchange activity.

Connect, I am getting into the difference between me and Marc, but the
overriding point here is that it is built into the assumption about how the
NHIN works. It doesn’t matter what software implementation you use to
instantiate those standards and protocols, as long as you are compliant with

So I don’t know what — to the extent that CDC is participating in
exchange, I don’t know what software implementation they are using to do it,
but at the end of the day it won’t matter as long as their implementation is

DR. CARR: Mike, you had a question. Then I do want to make sure that Chuck
has enough time to get through his presentation.

DR. FITZMAURICE: My question is where does a provider, his or her billing
service, his or her clearinghouse and the health plan, go for the standards and
protocols needed to route their reporting of meaningful use measures and their
attestations to the government, as well as to exchange it with themselves? Do
they early upon the state health information exchanges? Can they use the
protocols and the standards used by NHIN Direct or NHIN Exchange to fill in the

DR. FRIEDMAN: It is a good question, Mike. I think the overall philosophy
that is being advanced here is that they have a choice. It doesn’t matter which
one they use, as long as what they use is compliant with the standards.

NHIN Direct is being created as an easy accessible option to meaningful
use, to support the meaningful use exchanges that are required in stage one.
But my understanding is, no one has to use NHIN Direct. NHIN Direct is one way
of getting it done. The obligation of the states as expressed in the guidance
is to be sure that everyone who wants to be a stage one meaningful user has at
least one option open to them.

DR. CARR: Thank you. Chuck, go ahead.

DR. FRIEDMAN: It is 9:26. Justine, how much more time do I have?

DR. CARR: Why don’t you take another ten minutes?

DR. FRIEDMAN: Okay. Very quickly then, I have mentioned in previous
presentations that we have invested $60 million in four research grants under
the SHARP program, which stands for Strategic Health Advanced Research
Projects. The four grants are noted here.

I just want to tantalize you a little bit with some of the work that is
being done by the Harvard Group, which received the award under the category of
advanced network and application platform. What they are trying to do can be
seen as doing for health IT what the iPhone did for mobile communication,
stimulating through the possibility that one might run modules in an EHR that
are substitutable for one another, much like iPhone apps are substitutable for
one another. Create the kind of vibrant competitive market where within
specific functionalities that EHR software must perform, there can then be
competition among application developers around those specific functionalities
which will at minimum drive up the quality and effectiveness of the technology.

I would venture to add that the new certification criteria that have been
announced by virtue of having a modular certification provision anticipate this
kind of development.

Here I go dating myself again. One of the reasons that this might be
possible is seen in the history of the audio industry, which went from 1960,
where the only piece of sound reproduction you could buy was a pretty piece of
furniture with mediocre electronics connected in a proprietary way, in five
years to systems created through interchangeable components connected by
accepted electrical and physical standards. This change happened so quickly
that by 1965 or 1966, every single company that was making the furniture based
product was either out of business or making components.

So the project that the group at Harvard under Zach Cohaney and Ken Mandel
with a very wide range of collaborators is doing is called SMART, which stands
for Substitutable Medical Apps Reusable Technology. They are well along toward
building what they are calling a SMART platform. What this basically is, you
can think about it as a wrapper around any — that can be placed around any
existing system — this is easier said than done — which would make it into a
SMART enabled platform, and therefore able to accept interchangeable
substitutable applications which were designed to run on any SMART platform.

When you think about it, this is not only the iPhone, this is the iPhone
concept on steroids. This would be as if you could create interchangeable apps
that not only run on the iPhone, but also run on the iPhone, the Droid, the
Blackberry and other smart phones. It is an ambitious project, but they are
making excellent progress. I think from the viewpoint of the effect that this
could have from many perspectives on the technology, this really envisions the
kind of breakthrough that we had in mind when we created the SHARP program.

Yes, Paul?

DR. TANG: One question. Is there any privacy channel in there or app

DR. FRIEDMAN: Oh, yes. The privacy and security maintaining functionality
of the EHR would be preserved if not enhanced by this architecture. You can
think about some bright person who comes along with a bright idea about how to
implement increased security on an EHR through this approach. This might be
done by just inserting that app into the platform rather than having to go back
and redesign in some more fundamental way the entire system.

Moving on to the rapid learning health system. I will just remind you all
from my last presentation that this is a concept through which the nation might
move to very likely a federated model for enabling data to be safely and
securely moved among institutions and aggregated for purposes of conducting
research, public health and quality improvement.

This is an approach that does not anticipate persistent centralized
databases. It anticipates a model whereby information would be morphed
according to a set of policies and rules which govern it when and only when
needed for specific purposes.

We have coined the term element three, to refer to this project. This term
is being phased out, but it is still around. It is recognizing that adoption of
EHRs in this program that I show you here could be seen as element one, trusted
health information exchange can be seen as element two, and if the goal is a
rapid learning health system and one quickly recognizes that element one and
element two will not get us all the way there, although they will take us a
good significant step along the way, then element three is that bridge. It is
what is needed on top of meaningful use, on top of elements one and two, to
take the nation to a fully fledged rapid learning health system.

There are a couple of scenarios of what may be possible. Very, very
quickly, to illustrate some of the value of this kind of system, supporting
distributed research, where a member of this federation could broadcast a
research question that could be applied to any organization that has relevant
data anywhere across the nation. This kind of system would greatly support the
tracking of epidemics by taking advantage of data that will be increasingly
routinely stored in EHRs. From a quality perspective, results of care outcome
analyses can be fed back to feed a national knowledge library that might create
revised decision support rules that could be very quickly instantiated in EHRs.
One of the mantras I am beginning to use to describe this is that what has been
reported to take 17 years might be shortened to 17 months, 17 weeks, or maybe
even faster.

Just to update you on the progress, our very first step in formally
planning these element three activities, moving toward a rapid learning health
system, is a multi-stakeholder workshops which are being convened for us by the
Institute of Medicine. Two of these workshops have occurred and the third will
happen in early October.

The three themes which are pillars for developing this system that are
emerging probably won’t be surprising to anyone. They are technology,
governance and patient engagement. This obviously can’t work without a fabric
of public trust supporting it. The IOM will be publishing a report of the
findings of these three workshops, a coherent statement of a vision and a
pathway to get there before the end of this year. So I just wanted to be sure
that you all knew that we are not only embracing this idea, but beginning a
coherent movement toward it, building it out of and on top of the movement to
meaningful use and other initiatives and other organizations that are underway.

Thank you. Any final questions before I turn it over to Joy?

DR. CARR: I am going to ask that we hold questions now so we have ample
time for Joy.

DR. FRIEDMAN: I will dissolve myself here, Joy.

DR. CARR: Joy is the Chief Privacy Officer at ONC. Thank you for joining us
on somewhat short notice today, Joy. Welcome.

Agenda Item: Update from the Chief Privacy
Officer, ONC

MS. PRITTS: My pleasure. Good morning. Thank you for having me here to
speak with you today. My name is Joy Pritts. I am the Chief Privacy Officer at
ONC. I recognize a lot of you from the many years that I have been appearing in
front of the NCVHS before I had this job, and there are lots of new faces too,
so it is my pleasure to get to know you. I hope to get know all of you much
better, because we are working on coordinating with you very closely in the
years to come.

I am going to speak a little bit to you about the duties of my office. Then
I am going to give you an update on my office in particular, the office of the
Chief Privacy Officer — can’t have too many offices in there — is doing. I am
going to focus on the external activities because I think those would be of
primary interest to you.

My position, the Chief Privacy Officer, was created in the HITECH Act.
There you can see a summary of the duties, which is basically to try to
coordinate some of the privacy and security activity going on, both internally
within HHS and with the federal government as well as externally with the
states and other entities, dealing with privacy, security and data stewardship
of electronic individually identifiable health information. So as you can see,
this duty goes beyond HIPAA. This is forward thinking and looking at all of the
health information which will be exchanged electronically.

Right now my office has myself in it as well as three staff members, or as
of the end of September we will have three staff members. I put this up here is
that you can become familiar with these people if you aren’t yet. Deborah
Lafkyk is our point person on security issues. She has been with ONC for a
number of years now. Melissa Goldstein who you may have met or may not. She is
currently at George Washington University as an associate professor in their
health policy program. She will be starting with us at the end of September.
She is going to be a senior advisor on privacy. Melissa has done a lot of work
in health privacy and privacy in general, and has worked on a consent paper for
ONC and will be submitting a paper on data segmentation in the near future,
really in the near future, as in the next few days.

Scott Weinstein is also working with us. He is a legal intern. So here are
some names that you might want to become familiar with.

The office of the Chief Privacy Officer is working internally with all of
our programs to insure that privacy and security is embedded in all of ONC’s
programs. So we are working with the state regional extension centers. We are
working with the state health information exchange project. We are working with
Chuck’s project, the SHARP programs, which have security components in them,
and in curriculum development. So those are more what I would call the
programmatic things that we are doing.

On the more public facing issues, we have started working very closely with
the HIT privacy and security — it used to be the work group, it is now the
Tiger Team.

When I got to ONC in February of this year, there had been a lot of work
that has been done on privacy and security over the years, but it became very
clear very quickly that with our programs, there are very pressing dates that
we had to make some very quick progress in this area. So we formed the Tiger
Team. We took members of the privacy and security work group. We added some
members from the standing work group. In order to insure that we had some cross
fertilization with NCVHS, we also made sure that we had John Houston on our
Tiger Team as an integral part of our team to make sure we have —

MR. HOUSTON: Leslie, too.

MS. PRITTS: Well, let me get to that part, John. And when John wasn’t
available, Leslie Francis was tag-teaming with him. So we had a lot of input
from NCVHS as we went along to insure that we were not duplicating efforts.

There was an intense work schedule over the summer. When I say intense,
this group met twice a week for meetings at least three to four hours each
time. So they were devoting an entire work day every week over the summer on
this project.

We made sure that we built upon NCVHS’ prior recommendations. We did not
want to reinvent the wheel here, but we did want to make sure that we saw
whether things had changed since some of those recommendations had come out. As
we all know, HIT is a rapidly evolving area.

The two areas we focused on over the summer were consent — and I use that
term in parentheses to mean the exchange of health information for treatment.
They were focusing on treatment purposes for meaningful use. This is a huge
topic. People tend to spin around a lot when this discussion comes up, because
there are so many issues that it brings in. We focused on treatment purposes
primarily and meaningful use, so we could chop this into digestible bits.

They focused also on issues surrounding consent that had been raised from
our programs. These are broad ranging issues but that the programs themselves
also needed to have answered.

They had very long and thoughtful conversations on this and discussions on
this. The ultimate recommendations are quite lengthy, and I can’t begin to
summarize all of them, except for the fact that ultimately, they were
recommending that the patients have some choice when the provider itself does
not have control over when the information flows. Their full recommendations
are on the website that is devoted to the privacy and security Tiger Team.

They also looked at data segmentation from a technical view. This was
pretty hard to keep under control, but we even had a yellow card at one of our
hearings. If you are familiar with soccer, that is when you are getting out of
bounds. It was really a very fun technique. But that kept them focused on the
technology, because it is very difficult to separate the technology from the
policy questions that come up here. But we knew that NCVHS was addressing some
of those policy issues, and had already made some of those recommendations in
that area.

So what this group did is, they evaluated the technology, what the current
technology is, what it can do, what it can’t do, how widely it is adopted, the
costs associated with it, the work flow. There is a whole day hearing on that.
The video on that is available on the Web. It was a fascinating hearing. We
hardly lost anybody during the day, and we went very long.

The recommendations are that trhere are promising technologies. They didn’t
believe that they were quite ready for widespread adoption, but that ONC should
conduct more research and demonstration projects arising from some of the
information that we heard at our hearing.

The next step for this is, the Tiger Team is going to continue to meet.
They are having a slower schedule now that fall is in place. We could not
continue to impose on these people to the extent that we had over the

We are going to meet twice a month. There are a lot of parking lot issues
that they would like to take up, including what kind of notice an individual
should get. Yes, the HIPAA privacy rule requires a notice, but does it
specifically require a notice of how your health information is going to be
exchanged, and whether it is adequate to convey what they think is important
information to the individuals.

Some additional priority issues that we will be discussing this Friday as
to what the calendar will be coming up with. Provider authentication is clearly
one of the ones that was on our list.

My office has a list of priority issues that have been identified by some
of the projects within our office that we are going to be using going forward
to try to address on a calendar going forward. There are as you know numerous
privacy and security issues, all of which we wish we already had some
resolution on, but time is moving quickly and our projects are moving quickly,
and we are going to try to make as much progress as we can.

Our internal process for this is, the Tiger Team works, it goes up to the
policy committee itself, which accepts, rejects or modifies those
recommendations. Then they come over to ONC. We have put in place the beginning
os a process for addressing those recommendations, so that they are dealt with
in a prompt fashion. At a very high level we will have a senior leadership team
looking at those recommendations.

Some of those recommendations we will be able to act on directly. Some of
them we will not be able to act on directly because ONC itself has limited
authority. It is a government agency and there are all sorts of other operating
divisions in HHS that have specific authority. For example, the Office for
Civil Rights is the office that actually writes the HIPAA regulations. So to
the extent we get recommendations that say you really need to change the HIPAA
privacy rule, we cannot do that. So that is the process that we are going to be

In addition to the HIT privacy and security work group, there is also a
governance work group which I believe has formed and is beginning to meet.
HITECH issues a charge to the National Coordinator to establish a governance
mechanism for the Nationwide Health Information Network. The work on this issue
is going to be going forward this fall and into the spring of 2011. Again, we
are working under tight deadlines because we have the state health information
exchange programs which are instructed as part of their programs to engage in
exchange across state lines.

We are also participating across the federal government with the Federal
Health IT Interagency Task Force, which is comprised of a number of federal
agencies that have expertise in the IT area. ONC in particular is working with
the Cyber Security Work Group, which is being led by Howard Schmidt, who is our
cyber security czar now. We are receiving a lot of very good information from
other federal agencies as potential best practices on security issues.

This works on the same committee structure. The work group makes these
recommendations up to the task force level, and then those recommendations are
made out to the various federal agencies.

We are coordinating the effort with this work group with what is going on
with the federal advisory committee. This group is intended more to give the
federal best practices and what we have already been doing where our FACA
committees have their specific charges under HITECH.

We also are continuing to do some work in the personal health records.
HITECH here has a specific mandate for HHS to report to Congress in
consultation with the FTC on privacy and security requirements for entities
that are not covered with a focus on personal health records.

As you know, NCVHS has had a number of hearings on personal health records
in the past, and we intend to build on that, making sure that we do not
reinvent the wheel. As a matter of fact, we have Leslie Francis and a group
working on this issue with us. We are going to have a workshop in early
December of 2010, which is focusing on the emerging ways that individuals are
interacting electronically with their health information now, which go a little
bit beyond the traditional PHR models that we have thought about in the past.

In our next steps, we are of course going to continue all this FACA
activity. We have standards and certification work for meaningful use in
particular, stage two. There are privacy and security elements that we are
looking at to incorporate there. Those are very — we have to start working on
those now in order to meet the stage two deadlines.

We are going to increase our outreach to other federal governmental
agencies, especially in the context of health care reform. So while we have all
this business going over here that is really concentrated on electronic health
records and how that is working, we also have an enormous effort in the federal
government to bring about health care reform.

They do overlap significantly. There is a lot of data that is going to be
collected and exchanged, and there is a lot of consumer interface where
individuals will have to be reporting some of their own health information for
these systems. We will be working closely with those offices as we go forward
to try to coordinate those efforts.

We are also going to try to increase our outreach to the state efforts.
This is — for me and as you can see, the size of our office, this is a ongoing
process. We have a limited bandwidth, so we are hoping to — once we get things
a little bit more tightly under control on the federal level, to move out more
into the states.

I’m done.

DR. CARR: Thank you.

MR. HOUSTON: I just wanted to make one really brief comment regarding the
government’s work group. I am on it. Also, of note to the committee is that
John Lumpkin is heading that up. There is a public hearing on the 28th of

MS. PRITTS: I think that is right. I would have to look at my calendar.

MR. HOUSTON: Yes, I think it is the 28th. So it is definitely moving. I
think that obviously there is a lot of dialogue. I am trying to push some of
the privacy linkages in governance, so I think it is really important that this
committee is moving. I think it is going to make some very important decisions.

DR. SUAREZ: Thank you. Hi, Joy.

MS. PRITTS: Hi, Walter.

DR. SUAREZ: I wonder if you could say a few words about the work that is
being done on sensitive health information on things that are going on, what
kind of expectations does the office have about the development of policies
around sensitive health information.

MS. PRITTS: Well, we have NCVHS recommendations from years past on those,
and we will be receiving new recommendations. I would anticipate that those
would undergo the same process that we are using for the HIT Policy Committee
recommendations, where they will come in and they will be reviewed internally
as to how those recommendations should be addressed internally with our office.

Again, as I indicated, there are certain things that our office has
jurisdiction to do and other things we would need to defer to other offices
with in that area. We have been working very closely with SAMHSA. There is
money in the budget in particular to develop standards and some other means. I
am trying to remember what the Congressional language was, but I’m sorry, it is
slipping me right now. But there is four million items that is almost a line
item budget for dealing with SAMHSA and some of the

sensitive health information.

We see that as — although that is a particular type of sensitive health
information related to substance abuse and alcohol treatment, that clearly can
be a model for addressing other types of sensitive health information. We are
working with them to develop how we are going to move forward on a project with
them in particular.

And in addition to that, we are also working closely with the White House
Office for National Drug Control Policy, ONDCP, because they also have
initiatives going forward on some of these issues.

DR. GREEN: Joy and Chuck, both of your reports are just so rich with
interfaces for NCVHS’ agenda and the planning that we are undergoing right now.
So I have two questions for either or both of you. One is, what would you
recommend as the way forward to actively manage the interface between NCVHS and
ONC? Secondly, what is your budgetary future as the ONC?

MS. PRITTS: I’m sorry, I didn’t hear the last question.

DR. GREEN: What is your budgetary future as the ONC?

MS. PRITTS: Start with the first one.

DR. FRIEDMAN: I am unpacking my crystal ball.

MS. PRITTS: I don’t know the answer to that, the budgetary future. Do you?

DR. FRIEDMAN: I think what we can say at a very high level is that the two
billion dollars which was appropriated to ONC under HITECH is just about
entirely obligated at this point in time, through various grant and contract
programs that directly map that diagram I showed in my presentation. Those
things on the left and on the bottom of the diagram add up to just about two
billion dollars.

The future is of course uncertain. Nobody knows exactly what the budgetary
process will bring, but that has to be viewed as a one-time infusion of money
absent any other information, and we don’t have any other information, which we
have tried very, very hard to put to best use over two, three, four years, the
range of the lifetimes of those programs. ONC has a separated appropriated
budget which needless to say is much smaller.

DR. CARR: On to the first question, which I think has great importance for
us, the interface with NCVHS.

MS. PRITTS: I believe that we have been working very well together on the
privacy and security issues, because we have John and Leslie directly involved
in some of our efforts. So there is always somebody at the table who can give
the NCVHS perspective on, we have done that.

It has worked well to this point. I don’t know that you are comfortable
with that or if you would like a more formal relation.

DR. CARR: I think that what you have described is the growing landscape, a
topic that has grown year over year in its importance. We are proud of the work
that we have done. We want to be integrated. The tempo of work that you are
doing and the change in the environment in terms of what is possible, in terms
of acts or any new technologies, and the evolution of thinking, is all
happening very quickly. We recognize that and we recognize the great benefit of
coordinating through your office.

So I think that we are very much about where do we best fit in, how, what
topics. Am I saying that correctly?

DR. FRIEDMAN: If I could make one observation again, just looking into the
uncertain future, I have expressed to many of you personally and to my
colleagues at ONC my belief that as we look ahead to this work on the rapid
learning system, the thinking about policies, standards, technologies to
support that activity going forward, especially because of NCVHS’ traditional
attention to public and population health issues, is very much aligned with
that work. While I don’t see the details of this yet, I am very, very
interested as that work goes forward in engaging NCVHS around that work in some
appropriate way to be determined.

DR. GREEN: I will just observe that our agenda is an expanding agenda this
morning in my view. Our Quality Committee and our Populations Committee have
serious issues for discussion at this meeting that are quite definitive on this
rapid learning health system. It depends on the assumptions we make about what
can and cannot be done and where this is headed.

So the privacy and security interface that is going so well, it seems to
me, is a very encouraging exemplary piece of history that I just want to go
back and flag. I believe given the tempo and the metronome that is ticking to
that tempo, that we should not passively assume that we will be able to
informally and indirectly optimize our opportunities. I would just urge the
committee and the ONC to think about perhaps just a whiff of active management,
to be sure that we coordinate on this broad agenda in the next 24, 36 months.

DR. HORNBROOK: As far as NCVHS is concerned, I know that we want to have
access to electronic records for tracking the health of our society. It seems
like looking at NCVHS, you have got the traditional kind of survey approach,
where you create a sample and go ask people for permission to upload their
records for the NCVHS to put into the national health survey or whatever you
wanted to do.

I wondered if we wanted to ever think about the notion of tracking the
health of people who don’t give you permission, through synthetic averaged
individuals or some other masking approach, so that NCVHS has a tap on whether
the health status of people who say yes versus those who say no are emerging

Then, the other thing I was thinking about in terms of informatics is that
many times in disease registries, you promise the person who is reported total
confidentiality. I just had experience in Hawaii where there is a cancer
registry that say to the cancer patients, we promise not to give you data to
anybody without your permission, except in aggregated form, and to SEER as
another registry, because there is a SEER registry in Hawaii. They also have a
hepatitis registry which they promised the hepatitis patients, we won’t tell
anybody. Can you link the two registries? No.

From a public health perspective, we have literally promised privacy that
forbids us from looking at hepatitis as a cancer risk factor, which seems to me
from one perspective as the guardian of health in this country a little bit too
much lean towards privacy. It is just a personal example of where we get in our
way with privacy issues.

DR. CARR: I think that is an excellent insight into a huge conversation
that ties into the learning health system that I think we absolutely would want
to talk about. But I think I won’t ask any responses on that now in the
interests of time. So I am going to let Leslie have the last comment, and then
we are going to have a break.

DR. FRANCIS: Very quickly, Privacy is planning to talk to Populations about
some of those very questions later today, because we agree with you that the
current state of affairs is one that requires re-examination.

What I wanted to do was to say to Joy, first of all, I think it has worked
wonderfully well. I wanted to thank you for the level of involvement that we
have had, in the way in which it has been structured. Part of what made it work
was that we know that there is so much to do that we need all hands on deck.

What we in effect tried to do was to try to think about what the Policy
Committee could do with its mix of expertise, and where we had a mix of
expertise and traditional history of having worked on it. So in effect, they
did the technical discussion and we were charged with looking at how do you
actually define categories. That is just a little history of what — and some
of the policy around what is going to happen later today. That is how we ended
up where we are with the letter.

DR. CARR: With that, Joy, thank you so much. I hope we will be able to have
you come back again —

MS. PRITTS: I would love to.

DR. CARR: — because obviously there is great alignment, and your overview
was incredibly succinct and informative, and gives us great direction. So
thanks to you and also, Chuck, thank you so much.

We are going to take a break for ten minutes, and we will come back at

(Brief recess.)

DR. CARR: We are resuming after our break. Could you please introduce

MS. CRONIN: Hi. I am Cathy Cronin. I am from the National Cancer Institute
and I am representing Bob Croyle, who couldn’t make it today.

Agenda Item: Standards Letters: Operating Rules
on Eligibility and Claim Status

DR. CARR: Excellent. Thank you for joining us. Our next topic are the two
letters — that the Standards Subcommittee held hearings that were directed to
NCVHS by the Affordable Care Act. Through very diligent vigorous efforts over
the summer, hearings were heard and data reviewed and synthesized. We are going
to hear — we have two letters that are coming forward today.

But before we get into the details of the letter, I have asked the
co-chairs to succinctly articulate what is it we are being asked to do, what
did we hear, what are the considerations, who are the stakeholders, what are
the implications and what are potential recommendations. I want the full
committee to understand that. I think when we get into the details of the
letter, those who may not be as familiar with the standards might be challenged
by some of the detail. But I want everybody to understand what is it we were
asked to do and what it is that we are doing.

So with that, I will turn it over first to Judy. Thank you.

DR. WARREN: What we are going to do is, we have a set of slides that we
spent quite a bit of time trying to elevate to the level that Justine asked us
to do this presentation on, so that we don’t get down into a lot of details, so
that everybody on the committee can understand where we are coming from, so
when you do look at the letters, you have some background to do that with.

We also put in your briefing booklets a briefing packet that we had
prepared for us so that we could be more knowledgeable going into the hearings,
because we thought that would also be of benefit.

Then we did put a set of briefing slides into the packet. This is a new
set. These slides you don’t have a copy of, but they are kind of lifted out of
the slides that you have in the briefing booklet. So if you want written ones
of these I’ll be glad to make them available to you.

With that, these are the questions that Justine asked us to answer.

DR. CARR: Do you want to say them for people that are on the phone?

DR. WARREN: I’m sorry. Back to the slide, the questions were, what are we
being asked to do, we spent a lot of time trying to figure that out ourselves;
why are we doing it, why are we doing it, who are the stakeholders and what do
they want, and then what are we recommending.

We had two tasks given to us in the Affordable Health Care Act. The first
one was to recommend operating rules and an entity to develop those. That slide
was just a reminder. Here is the question. It is to further the administrative
simplification, so we have given you the actual citation, not line numbers, but
citation from the Affordable Health Care Act of our charge.

We were to advise the Secretary — by we, NCVHS — as to whether a
nonprofit entity meets the requirements of an operating rule authoring
organization; review operating rules recommended by the nonprofit entity;
determine whether such operating rules represent a consensus view of the health
care stakeholders and are consistent with and do not conflict with other
existing standards. We were to evaluate whether such operating rules are
consistent with electronic standards adopted for health IT, and then to submit
to the Secretary a recommendation as to whether the Secretary should adopt such
operating rules.

There are several steps of operating rules that are in the law. Each of
them have due dates. The first two are the ones that we are going to be
addressing today, and that has to do with eligibility and claims status. So,
operating rules are defined in the law as necessary business rules and
guidelines for the electronic exchange of information that are not defined by a
transaction standard or its implementation specifications.

Just as a little bit of background, most of the work that the Standards
Subcommittee has been doing on NCVHS since about 1998 has been working on these
transaction standards, adopting them, working with the DSMOs. We have had
reports coming in. You can see that work reflected in our work with electronic
e-prescribing. You can see it reflected when we came back to you to adopt
version 50-10 and the NCPDP standard of telecommunications D.0, and then moving
to ICD-10. So this is one step more on working on that platform.

So operating rules, why are we doing it. Industry right now has over 1,000
companion guides which increase the complexity and reduce efficiency that we
hope to gain with administrative simplification through the adoption of
standards. What these companion guides do is, they tell people how to fill out
forms, how to submit, who to contact. There are all those business rules around
using the standards.

The use of current transaction standards often does not yield sufficient
information necessary to expedite the business process. For example, full
eligibility information for patients, who to contact about claims status

Our goals for operating rules then are to improve administrative
simplification and achieve return on investment for health care. We want to
standardize the business requirements to reduce need for companion guides. We
want to supply patients and providers better information. We want to provide
valuable input to the standards development organizations during the
development of updated versions of standards to insure their relevance to
stakeholder needs.

Who are the stakeholders and what do they want? The challenge that we have
is, the legislative time frame that we have for this is very short. The first
two operating rules — the entity needs to be identified for the first two
operating rules by July 1, 2011, and needs to be effective by January 1, 2013.
Our letters for recommendation to the Secretary have to happen like this month
in order for all of the work — and we work backwards — to happen.

Today there is no single authoring entity that has operating rules for both
non-retail pharmacy and pharmacy operating rules. This is our framing of the
question to try to make it easily understood, so that understand could
understand what we were talking about. So there really are two areas of
transactions that we need to consider when we select an operating rules entity.

Operating rules that exist for retail pharmacy transactions which are NCVHS
standards are embedded in the standards, though there are also payor sheets
that appear to be similar to non-retail pharmacy companion guides. So that was
information that we elicited during our hearings.

Operating rules that exist for non-retail pharmacy transactions, so this
would be inpatient, outpatient. If you went to a pharmacy to buy dressings and
other kinds of equipment, all of those are non-retail pharmacy transactions.
The organization that has been working at operating rules is CAQH CORE. They do
not have the broadest market in adoption or extensive history of open consensus
based development process, so that was a concern that we had. There are at
least two states with standard companion guides that differ from what CAQH CORE
was presenting. Minnesota wonderfully had mapped the differences and sent them
to us so that we could understand some of the things that were happening here.

What are we recommending after hearing all that? We came up with three
options for NHIN. The first option are three options for the non-retail
pharmacy. Option one is to recommend CORE phase two with additional input by
December 31, 2010. To have an open consensus process may put CORE at risk for
not meeting the deadline. That is just through all the stuff they would have to
do to put that in place rapidly, especially if other states — the examples
here are New York, Texas, Minnesota, Virginia, Utah, if they would bring forth
changes that they want to have in these, and it would be difficult then for us
to approve whatever this unknown set of operating rules would be at the end of

Option two is to recommend CORE phase two as it is, so as it currently
exists for everybody, under the notion that something is better than nothing,
and retrofitting later change is too difficult.

We did hear lots of input from a variety of people as well as CORE
themselves, saying that they are very willing to change their processes to
become open, become consensus based, and have already started making some of
those changes and making sure that we know that those changes are happening. So
we feel fairly comfortable with that.

Our third option is to make no recommendation at this time. The
Congressional timetable does not appear to be flexible to permit an extended
process to enhance the current set of operating rules. So we would miss the
first round of ROI.

The other concern I have is that this was a task that was specifically
given to NCVHS with a time line by Congress. So we also risk our own
reputation, et cetera, for not producing a recommendation.

Here is one of the things that we see could happen. CORE phase two has less
market adoption than CORE phase one. However, there are additional commitments
to adopt phase two and especially support for the people that are in phase one
adoption and moving rapidly to phase two. There is also a lot of support from
various industry segments that all of this is moving in the right direction.
Lorraine has been keeping a tally of the number of personal letters that Walter
and I have gotten addressed to the two of us, and the e-mail has been
incredible. I don’t think NCVHS has ever experienced before the co-chairs of a
subcommittee being lobbied as heavily.

DR. CARR: Oh, yes.

DR. WARREN: We have? Well, we have been. Then there has been a heavy lobby
on Lorraine’s e-mail as well. So the industry is fully involved in this.

CORE phase one does not address claim status, while phase two operating
rules begin to address claim status transaction. If you remember, our charge
was to recommend a nonprofit entity for the claim status transaction to develop
operating rules.

NCVHS has a responsibility in the law to review and submit to Congress
annually information about the implementation of HIPAA transaction in code
sets, and that will include these operating rules. So this is another ongoing
assignment that Congress has given NCVHS to be responsible for.

The Affordable Care Act facilitates faster time to adopt new versions of
standards. I just want to reiterate, this is something that NCVHS has been
trying to make happen for a long time. So we were pleased with the faster
turnaround in this.

The DSMO involvement — and these are the designated standards maintenance
organizations — have been working with us very closely. They were established
under HIPAA. We will need to make some recommendations for a change in their
organization to include the operating rules entity to be involved, so you will
see those recommendations in the letters as well.

Other recommendations. These are the key ones. As we looked at this, and we
went back to the legislation quite a few times checking this, we are
recommending two entities. We are recommending that CAQH CORE meets the
requirements as the authoring entity for operating rules for non-retail
pharmacy related eligibility and claims status. We are also recommending that
NCPDP meets the requirements as the authoring entity for retail pharmacy
eligibility transactions.

The reason we did this is, neither organization does the other task. It is
clearly split right down the middle, and they have each carved out their
territory. So this was our best recommendation that we could come up with.

I must say that both organizations did tell us that they would consider
trying to come up to speed to include the whole set, but at this point with the
time lines we had, we felt this was the best recommendation to be made.

We also recommend that HHS should require authoring entities to use an open
consensus basis process to maintain the operating rules, that we adopt a
version of CAQH CORE phase two operating rules for non-retail pharmacy
eligibility and claim status as updated with stakeholder input by December 31,
2010. I want you to just hold on for that a minute, because we have come up
with two other options that can go in there.

We adopt for retail pharmacy transactions the operating rules incorporated
by NCPDP in the telecomm D.0 standard. We recommend that the specific versions
of CAQH CORE phase two and NCPDP’s operating rules adopted by regulation not be
altered until a new version is adopted by regulation. That is allowed for
within the Affordable Health Care Act.

We continue to recommend that the designated operating rule authority
entities as DSMOs, and require their participation in the DSMO committee. That
then reports back what they are doing to NCVHS.

We designed CMS as an non-voting participant in the DSMO committee. That
has not happened in the past. We felt with everything that was happening that
we needed to have a CMS rep on that committee.

We require CMS to develop a certification process for standards,
implementation specifications and operating rules in accordance with the
legislation. So they have been designated in the law as that. CMS may designate
one or more independent outside entities to provide health plan compliance
certification. Until such entities are formally designated, any current
certification process should be considered voluntary and not required.

So that gives us the time to move into that arena. With all the
requirements coming in, we wanted to be sure that was there.

Do we have another one of the operating rules? Let’s go back. We did come
up with three other options. We told you the recommendation that we had that we
adopt the phase two rules, we look at CORE to bring in the states and to try to
bring consensus and to have that all done by December 31 of this year. That is
because regulations have to be written and to be put into place. So we are on a
very tight time line.

There is concern among the committee that with us recommending these phase
two rules, there is no time to see how they may change between now and December
31. So we would be making some recommendations for some rules that we have not
seen. So we have tried to put in place some processes for where we would be
part of that process.

The other concern we have is that we are asking CAQH CORE to do a piece of
yeoman’s work that may be setting them up to fail. They may not be able to get
all this done by December 31.

The second possible recommendation we can make is to adopt phase two rules
the way they are right now. They are going to be a moving target, and we will
take a look at their revisions when they come up.

DR. SUAREZ: You had a slide on that before. Do you want to go back to the
previous one?

DR. WARREN: These are the options that we have. I forgot that we had put
the slide in there, my apologies.

So these are the three options we have of recommending CORE. It would be
one of these three. We either ask CORE to take additional input and to bring
rules back by December 31, this is where it is difficult to approve the set, or
we just recommend it the way it is, or we make no recommendation at this time.

DR. CARR: Judy, could I ask you for one elaboration? A lot of people don’t
dwell in a world of these types of rules. Can you give one example of what gets
simpler with this? The whole point of it is administrative simplification, so
just give a very concrete example of today, thus and so happens, but when these
operating rules are in place, what happens?

DR. WARREN: I can give you one, and then I would like Walter to give one as
well, because he authored a companion guide for Minnesota.

When you look at the companion guides, right now we are asking people to be
up on hundreds of companion guides to fill out these forms. So we are still
back in the need to hire a lot of people to figure out how to fill these forms
out and make sure that they are transmitted in the correct way.

If we go to operating rules, it should replace those companion guides and
bring it down to a much smaller number where people can get more direct —

DR. CARR: Let me just see if I understood from the hearings. When HIPAA
first came out, there were these fields that were available and presumed would
be used. What happened was, there was opportunity for flexibility in how those
fields were used and in some cases if those fields were used. Therefore, the
electronic communication that should have happened seamlessly took on a life of
its own, because there were descriptions of, in our institution we use this and
in this state we use that. Further, some people elected not to use some
required fields. The net result is that we have created extra work with these
companion guides to describe how it will be used here. Further, not using
fields breaks the chain of electronic communication and obligates additional
phone calls.

Am I saying that correctly?

DR. SUAREZ: I don’t know. Karen, do you want to jump in and maybe say —

MS. TRUDEL: I have a very high-level example. The way the eligibility
transaction works now, it is perfectly fine for a plan to respond, yes, the
person is eligible. That is not very useful for the plan.

There is also the ability in the transaction for the plan to provide a good
deal more information in terms of deductibles, coinsurance, whatever the
patient is eligible for. That is the kind of value added that is helpful for
providers and would move them towards being more willing to implement the
transactions and use them.

DR. SUAREZ: Generally speaking, companion guides are created because they
are a regional implementation specification. They are implementation guides for
a particular transaction, left open for interpretation of many of the segments
and data elements in the implementation guide.

So one plan decided that this particular data element they needed here in
this situation, another plan said no, we don’t need that. Another plan said, we
need that plus this other thing. So that created thousands literally of
companion guides.

The operating rules, the intent is to reduce or eliminate as much as
possible the variability in the interpretation of the companion guides, and
consistently require the usage of under reporting and the exchange of data
between all the participants, not just one deciding this one we need and this
one we don’t.

But in addition to that, the operating rules cover four or five additional
aspects that are not covered by the standard or the specification, the
implementation guide. For example, the way in which the communication between
the provider and the payor happened in terms of the technical exchange, the
message standard, the security exchange, the telecommunication exchange, all
those things that are right now, we have to deal with thousands of different
ways of doing that element, get now standardized through operating rules. That
simplifies immensely the exchange.

DR. CARR: So as I look at this, what we are seeing is, CORE has a set of
phase two rules that we could just say, this is it. Then every state that has
other rules, we will just have to align with CORE phase two. Or we could say,
as quickly as you can, bring everybody else together to amend those rules
through a consensus process, and get it done in three months time. A question
is, is that possible to have consensus and to have that speedy time frame.

The third is to say, the acceleration, taking the phase two rules and
trying to do it by December, runs the risk of compromise of some of the
outcome. It needs more time. If we had more time we could do it, and simply not
to meet the deadline outlined.

DR. SUAREZ: Yes. The challenge that we have between one and two
particularly, between adopting the CORE phase two as they are today, or
adopting it with additional elements. The reason why states have additional
elements is because phase two doesn’t meet the current expectations.

So the opportunities to find ways in which a number of those, if not all of
the items that are the most common issues not covered in understand can be
incorporated in the phase two plus version between now and December, that is
the one that gets adopted, so as an enhanced version of that phase two that
incorporates those elements that are not currently.

DR. CARR: So Karen, could I ask you to comment on what are the implications
of not meeting the time line set out in the law?

MS. TRUDEL: We need to have a regulation out on the street next July. It is
going to be difficult to do that under the best of circumstances. So if we go
past December, we really are in a place where we are not going to be able to
meet that date.

So I think the consideration here is that there is a tradeoff between
places where what the states are doing actually does add value and adds to the
ROI, and places where there may be a distinction without a difference. In other
words, part of this is looking for best business practices and part of it,
well, A did it this way, B did it this way, and there is really no difference,
you just have to pick one.

So I think my question would be, would it be possible for the process to
concentrate on that, looking for anything that the states have identified that
actually adds to the ROI.

DR. CARR: So you are saying that if you got something by December 31 and if
that work was focused on making changes that add value, that the December 31
deadline would work?


DR. CARR: And shrinking the agenda from all the companion guides to top ten
best practices that should be added to the phase two, that would be the time

Yes, Marjorie?

MS. GREENBERG: Thank you. It is complicated I know, and we really
appreciate all the work you and CMS have been doing on this.

I just needed one clarification. If you took phase two as it currently
exists, would it include claim status?


MS. GREENBERG: It would?

DR. SUAREZ: It would.

MS. GREENBERG: You had said something about, claim status wasn’t currently

DR. SUAREZ: No, it wasn’t currently on phase one.

MS. GREENBERG: It wasn’t in phase one. So phase two as is includes both the
eligibility and the claim status that are required.

DR. SUAREZ: And claim status.

MS. GREENBERG: Okay, thanks.

DR. CARR: I would like to invite additional questions or observations
around the table.

DR. FITZMAURICE: On the slide that comes after this, I wasn’t sure who or
what was being certified, the authoring organization, the user of the operating
rules, the administrative software or the operating rule itself.

DR. SUAREZ: You are asking about the certification, Mike?

DR. FITZMAURICE: Yes. I wasn’t sure what was being suggested for

DR. WARREN: Do you want me to answer?

DR. CARR: Yes.

MS. DOO: As part of the AHCA regulations, part of health care reform,
health plans are required to certify their compliance with all of the adopted
standards and operating rules. So, we will have a process that they will be
coming through us, which we will also decide shortly what that will be. So that
will give a certification that every health plan is compliant with the
standards and the operating rules.

DR. FITZMAURICE: That makes it perfectly clear. If we can get in there that
the certification process applies to health plans.

DR. SUAREZ: The first certification I think is due December 31?

DR. WARREN: 2013.

DR. CARR: Do we have an indication as to whether this interim step of
incorporating best practices through a consensus process and be complete by
December 31 is thought to be achievable.

MS. THOMASHAUER: I am Robin Thomashauer. I am the Executive Director of
CAQH. We will certainly give it our best shot. We have been working very
closely with the states. We very much understand the needs and what they have
done to date, and we will certainly do our best to get it to you by then.

The other thing, we are talking about phase two. Phase two built on phase
one. So when you talk about phase two you are actually meaning both phase one
and phase two?


MS. THOMASHAUER: Okay, I just wanted to clarify that point.

DR. WARREN: We need to clarify that in the letter as ell.

DR. CARR: I want to push a little bit harder. I fully believe that you will
give it your best shot, but do you have a road map right now of what would be
the top ten best practices and who would be the key stakeholders that need to
be at the table?

MS. THOMASHAUER: We know who the stakeholders are at the table. We also
know what has been important to the states that we don’t have. So we could jump
right into it. I feel fairly certain that we could get there, Justine.

DR. SUAREZ: I have to say personally, I think the hearings which happened
in July serve as a catalyst for a lot of the connections between the health
care industry, CAQH and everybody else. I think a lot of work has already
started before we even had the discussion about the letter, so the ball is
already rolling around convergence of a lot of these key elements that need to
be included in any operating rule, whichever gets approved. I am very
encouraged by that convening and that type of work that started already.

DR. FITZMAURICE: I am trying to look at how we can have our cake and eat
it, too. Maybe that is not the right phrasing, but we could do something like
recommend that this process, that is, CAQH to NCVHS to the Secretary, and the
willingness of CAQH to move to more openness. Then we could urge the Secretary
to examine and give strong consideration to adopting the phase one and phase
two operating rules from CAQH. In other words, we are heading a little bit
because we can’t see them.

DR. CARR: We have a set of phase one plus two today, and we know that there
are opportunities for enhancements that states have in place. If we accept
phase one plus two, today, that is what goes into effect in July.

If we can do a two-minute hurry-up offense, carrying on Harry’s tradition
of sports analogies, and let’s say we have ten best practices, but we can get a
consensus on five, we are five rules better than where we are today. We have to
also think about, the committee meets on December 1, so that makes it an even
shorter period of time. But if you can do the 31st, I’m sure you could do the

DR. WARREN: What the subcommittee is recommending is that we take the
option that has the December 31 deadline, so that we can make the best option.

DR. SUAREZ: The previous slide already has that recommendation.

DR. CARR: Would you like to make a recommendation to put before the
committee, a motion?

DR. WARREN: I was going to say, just say yes.

DR. CARR: No, I wanted to make it clear, make a motion, and I want a show
of hands. This is important. We will miss our deadline, but we will do it in a
time frame that we believe will not compromise the ultimate deadline and the
ultimate ROI, and we believe that we will enhance the ROI by taking those next
few months.

DR. WARREN: So the motion is, the slide is phrased the way we want the
recommendation to read in the letter. We do need to make a correction there
that it is phase one and phase two operating rules. We want to adopt the
version of CAQH CORE phase one and phase two operating rules for non-retail
pharmacy eligibility and claim status as updated with stakeholder input by
December 31, 2010.

DR. CARR: Any discussion?

MS. GREENBERG: I don’t see that we are missing any deadline by making the

DR. WARREN: We aren’t. The key piece here is, looking at those operating
rules when we are done with them by the end of the year. We have been in close
touch with them. One of the things that you can do as the subcommittee would be
to look at those operating rules and insure that they don’t conflict with any
existing standards, et cetera, the same way we did that, if that makes
everybody feel better. We are going to be in this space for awhile and looking
at operating rules.

We do have a directive that we are to continue to evaluate operating rules
as the years go by, just like we do the transaction standards.

DR. CARR: Bill Scanlon is testifying at another meeting today and couldn’t
be here, but he had some concerns. Did you have a chance to speak about this
intermediate option with him? Bill’s inclination was —

DR. WARREN: I think that is why we came up with the three options. Bill’s
concern was that we wouldn’t see the standards. So his concern was that if we
just adopted them the way they were, they weren’t considering the states that
loudly testified that they wanted to be considered. So he felt that we should
not make any recommendation. I think that would be a bad option for us.

MS. GREENBERG: As I understood his position at the time, and I had a call
last Friday, was that the committee should make the first recommendation about
who the entities are that meet the requirements. But he had concerns about
making the second recommendation regarding adoption of specific operating

DR. SUAREZ: I should probably point out, there are two separate parts of
this recommendation. The first one is the authoring part. I think that is a
very important point, that we are recommending CAQH CORE to be the authoring
organization for the eligibility and claim status for non-retail pharmacy and
NCPDP for retail pharmacy.

Then the second set of recommendations, because there is not a single one,
is, covers several items. One of them is the recommendation about adopting
specifically the CAQH CORE phase one and two. But there are other elements. I
think his only concern was the phase one and phase two, the other one.

MS. TRUDEL: I think possibly an alternate way to frame the recommendation
that might address some of Bill’s concerns would be to add on to the point that
Mike made earlier, that the recommendation could be two phased. One being that
the recommendation could be currently CORE phase one and two, and that the
Secretary should examine any additional changes accomplished in a consensus
open based way by December 31 and determine whether she would rather adopt

So it could be contingent on the process being completed and the Secretary
having reviewed it. Then it becomes contingent on the Secretary to do it.

DR. TANG: With an incomplete understanding, do we fulfill what we are
supposed to do in that scenario? I thought we were supposed to do that.

MS. TRUDEL: I would say so, because the default recommendation is CORE
phase one and two as now specified.

DR. CARR: So there are two ways of phrasing this. One is to conclude our
responsibility by this time, we have a letter that comes out that says two
things. One is, recommend CORE phase one and two, and second, we recommend that
the Secretary seek additional updates by December 31 and as appropriate, to
accept them.

The alternative is that NCVHS stay in the loop, review those
recommendations, and pass it along to the Secretary.

DR. TANG: Why wouldn’t that meet the deadline, meet the full obligation,
and be the cake and eat it too?

MS. TRUDEL: It goes a little bit farther, I think, too. I am speaking for
Bill and he is not here, but his concern was that simply saying right now that
that is what the committee recommends is sort of buying a product that doesn’t
exist yet.

DR. TANG: That is what I thought this was —

DR. CARR: So the recommendation that I heard was that we will have a
recommendation by December 31. That recommendation, window of opportunity for
CAQH CORE to come back with best practices from a consensus process from input
from the states.

DR. SUAREZ: I think today we are recommending adopting phase one and two as
it is.

DR. CARR: Right.

DR. SUAREZ: Then we can make later this year by December 31 a new
recommendation. We have reviewed and we have looked at phase two enhanced, and
now we recommend that one.

DR. CARR: So we are in agreement that we are recommending CAQH CORE, and we
are recommending NCPDP, so that is off the table. What is more helpful, that we
say our letter will come in in December when we have seen the product of the
consensus, or that we make a recommendation today, write a letter today as is
with a follow-on letter in December?

MS. TRUDEL: I very much would like to have a recommendation in the short
term with the follow-on.

MS. GREENBERG: Just commenting on Karen’s possible alternative, and I
appreciate everybody’s creativity in trying to make this work, but I think the
advantage of keeping NCVHS in the loop is that NCVHS is serving as not only the
advisory mechanism to CMS, but also the public advisory committee to which
states and other stakeholders can come forward and say, we didn’t get what we
wanted and it didn’t work well.

I am hoping that it will work well and that won’t happen, and of course
they could always do that to the Department. But I think in a sense we would be
ceding that responsibility if we just then turned it to the Department.

DR. SUAREZ: We’re not.

DR. CARR: Let me summarize where we are, because we have a lot of other
work to do. Karen.

MS. TRUDEL: Following up on Marjorie’s point, I was not trying to imply
that additional involvement wouldn’t be helpful. In fact, it would be very
helpful. I was just trying to provide some alternative language in the event
that there still are sensitivities.

DR. CARR: I want to give direction to the subcommittee that is going to do
some more work today and make the letter reflect what we said. I am going to
say what I think we heard and then give the opportunity for an objection, if it
is something we didn’t hear, and with that ask you to take it forward, and get
onto the next topic.

What I think we heard is, there is agreement that NCPDP should do the drug
related part and that CAQH CORE should do the operating rules.

DR. SUAREZ: No, the non-pharmacy.

DR. CARR: The non-pharmacy. Second, we heard that we would make a
recommendation now on phase one and two, with the proviso that we expect to
come back in December with a further recommendation for the Secretary on an
update that will be achieved by consensus through rapid work with CAQH CORE for
some value added enhanced ROI recommendations to the operating rules.

Is there anybody who is in disagreement of that? Great.

DR. TANG: Just to be clear, and that may or may not be approved by NCVHS.

DR. CARR: That’s right. We will come back, having reviewed that with an
additional recommendation by December 31. Thank you. You guys, all of you, have
just done spectacular work in taking something extraordinarily complex and
helping us understand it.

Now let’s hear about the health plan ID.

Agenda Item: Standards Letters: National
Health Plan Identifier

DR. WARREN: Another easy one. I have to tell you a story. When I heard that
we were doing this, I thought, that is great, I know exactly how to enumerate,
no problem. There are standards for that, this will be a slam dunk.

The issue is, what is a health plan. I could probably go on the Night Show
or something and do a standup on this. In the law what we were asked do to do
was to provide input into the process of rulemaking for the establishment of a
unique health plan identifier.

To give you a little back story, this was also requested of NCVHS in the
HIPAA legislation. Don Dettmer actually wrote a letter, because I pulled it up,
his letter was like three paragraphs, one page, that said, here is the way the
numbers should be laid out, and go off, the number of health plans. It was
never implemented. I am now understanding why. So this is our task.

Next slide. Why are we doing this? Proprietary identifiers are
inconsistently applied to different entities within our standards for
transactions of — health care transactions. A lack of a standard identifier
contributes to the challenges in efficiently and effectively using the

For example, patients and providers have a difficult time discerning who to
contact with specific issues. Providers are unable to match provider fee
schedules to remittance amounts. We have to think — the AMA had done a
tremendous job analyzing all of these problems that they were having in
physician offices.

The other issue is the reduced ability to conduct studies on impact of
payor on health care spending and outcomes.

So our goals would be to comply with HIPAA to adopt a national standard
that enumerates health plans the appropriate entity level that addresses
business requirements of plans and providers. Then lastly, to insure that the
HIPAA standard transactions can be used to their fullest extent with the
appropriate plan identification.

So who are stakeholders? There is a need for a better way for providers to
manage their business information and for patients to have better information.
A balanced desire for adoption — we need to balance the desire for adoption of
a standard identifier with no embedded intelligence, with insuring that needed
business information is available.

This is the best practice that is out there. It is from an international
standard that identifiers should have no meaning in them. They should just be a
set of numbers. We already have a way to distribute those numbers, because HHS
has bought the privilege of issuing ISO compliant numbers which gives us the
unique identifier. So we would fit into things that are already in place.

There is little agreement on the definition of a health plan, product types
or intermediate entities or entities that should be enumerated. We found that
there were things happening out there that none of us had ever heard about
before, with names that some people knew by heart and other people, we had no
clue what they were talking about. One of them was a rental network. I thought,
what is that thing? So that is what we were dealing with. So trying to make
sense of all these things that people were saying.

So here is what we are recommending. First, the easy one. We adopt the ISO
standard 7812 with a long check digit. What this says is a ten-digit number,
nine digits are the identifier, the tenth digit is a check digit. We enumerate
the plans. Plans are in quotes here because that is the problem as defined in
HIPAA. HIPAA does not give us a lot of specific direction in their definition.
It is still pretty vague as to what a health plan is.

That we determine what is a health plan at the product level to be
enumerated using input from stakeholders. So that is our answer to the second
bullet. If we want to comply with HIPAA to do that, we need to determine what
qualifies as a health plan, and then to enumerate that, and we are pretty sure
it is the product level that needs to be enumerated.

We need to establish a directory database that must be kept up to date by
the plans. This is very much like the national provider identifier, so using
that same process.

What we heard from the retail pharmacy piece is, within their transactions
they do not use a health plan identifier. So there is no place in those
standards for one to exist. What they use is the Rx bin number, and they had a
strong request that when we adopted an identifier, that we did not break their
standard and their operating rules. So we are recommending that for the NCPDP
standards, that the Rx bin number be used there and not a health plan

That is it.

DR. CARR: So you are saying that we are recommending the ISO standard.
Again, what is a check digit?

DR. WARREN: It is a way to make sure that you have inputted the previous
nine numbers correctly.

DR. SUAREZ: It is the exact identical standard used for the national
provider identifier.

DR. CARR: So who is enumerating the plans as identified by HIPAA, and when?

MS. DOO: The legislation only gives the compliance date or a date by which
this thing will be adopted, which is October of 2012. I think it is probably
not part of the recommendations. Then the question is, the enumeration would
either begin then or would have to have been completed by then in order to be
used in the standard transactions.

That is something we have to figure out, but it will be enumerated by
probably a company and a system that will be developed. Those are all things we
have to sort out.

DR. CARR: Enumerate means assigning the number?

MS. DOO: Yes. So a plan would come in and say, I need a number.

DR. CARR: Who will determine what qualifies as a health plan at the product

MS. GREENBERG: That was my question also. It sounded like we were going to
do it, but the letter says, direct CMS to work with stakeholders.

DR. SUAREZ: Industry is already working on conceptually how to do this and
provide input to CMS as well. For example, WIDI next week is hosting a two-day
policy advisory group with a large set of industry representatives to discuss
specifically that point. So we know generally who is a health plan from a legal
entity standpoint, but beyond the legal entity health plan definitions, what
are the types of plan products. When we say plan products, we mean different
types of products that a particular health plan offered.

DR. CARR: So what is NCVHS doing?

DR. SUAREZ: We are recommending that CMS work with the industry groups,
WIDI and others, to define the appropriate level of plan enumeration beyond the
legal entity.

DR. CARR: So we are just asked to outline a process, is that it? These are
the words from the Affordable Health Care Act.

DR. SUAREZ: We were officially legally asked to provide input to CMS on
this. So in the Affordable Care Act, we weren’t provided with the directions
that we were provided under the operating rules of going down into specifically
recommending operating rules and this and that. Here, we were just asked to
provide input into the process. What we are doing is providing that input. We
are recommending these items that Judy mentioned.

DR. HORNBROOK: I want to go back to medical care organization 101. In terms
of the word health plan, there can be a health plan that is offered by a single
organization that is a legal entity authorized to sell insurance in a state.
That organization could be an insurance company or it could be a vertically
integrated health system.

But I can also have companies that are self funded, so Penney’s buys the
health care for their employees and does the underwriting themselves, and
therefore does J.C. Penney become a health plan? Then there is the whole
question of, is that kind of health system regulated and by whom, and do they
have HIPAA regulations, are they a HIPAA entity.

I think the rules that we just saw, the HIPAA entity rule would tend to
move you towards more physical definitions of health systems as opposed to
these health plans that are totally virtual, that exist on paper. You can have
a company that exists only on paper and it has got a series of contract
arrangements. Health Partners in Minneapolis carries hardly any risk, because
they pushed it down to the consumer and pushed it up to the provider groups and
the hospital groups.

DR. SUAREZ: I can just say that we are recommending that we use the
definition of health plan as in the HIPAA regulation, which encompasses all
sorts of — 13 different types of health plan groups or health plan entity
type. So if they are an entity that is subject to HIPAA currently and that must
comply with the HIPAA standards and must comply with the HIPAA privacy
regulations and all this, then they must also get a number to be enumerated and
that number to be used in the transactions. So we are not departing from that

DR. CARR: So are you saying that we would address right now HIPAA covered
entities and make a note of, there may be others outside?

DR. SUAREZ: Generally speaking, I think we are doing that. We are saying if
you are a HIPAA covered entity that is a health plan you need a number. Now,
just like with providers, with the health plans you might have beyond the HIPAA
legal entity products inside the legal entity that need to be enumerated.

For example, Health Partners has a Medicaid product in Minnesota, or they
have a commercial product or they have a self insured product, or they have a
Medicare product. Those types of products, the health plan legal entity would
have a plan ID and then the products can be enumerated as well, to be
identified in the transaction.

DR. TANG: I am not a teacher of health plan 101. I am a student of health
plan 101. I have a very innocent question. Is the problem we are trying to
solve, to be able to for a patient figure out how to transact the financial
coverage for that care? If that is the problem we are trying to solve, does it
have anything to do with a plan which is an organization? Is what we are really
trying to do is have payment product IDs?

DR. SUAREZ: We are trying to resolve three specific items all with respect
to identification of plans in the transaction. We are trying to identify which
is the entity that receives the transaction, number one. Number two, who is the
benefit administrator that administers the benefits that are being described in
the transaction. Number three, which is the entity that is financially
responsible, because it could be different than the administrator of the plan.

Those are the three things that we are attempting to identify in the
transaction. Those are the things that the transactions identify when sending
data between providers and payors.

DR. WARREN: So am I eligible to receive care. What you as the physician
want to know is, is this patient eligible to receive care, and will this
insurance company pay for it, or will the health plan pay for it. So you want
to know that.

DR. TANG: So it seems like all I need to do is know the product ID. Then
how you all figure out who does what is behind the scenes. Is it that simple?

DR. WARREN: That is the way I am looking at it. So if it is simple, then
both of us are on the same page.

DR. TANG: But then you don’t have to worry about — everyone who has a
product must have an ID, and that is the only problem we need to solve.

DR. WARREN: There is a little bit more than that. The bigger insurance
companies may have multiple products. They need to enumerate those products.

DR. TANG: Right. That is still consistent with, every product has an ID.
Then we don’t have to decide the question that Mark posed. I’m just trying to
figure out how to not have to decide all these questions. Is there a way to
describe the problem so that — if every person that wants to offer a product
has an ID for that product, isn’t that the end?

DR. WARREN: That is some of the premises we were talking about. Then
Lorraine asked me to also share with the group, since people were concerned
about our recommendation that CMS engage in this whole definition of plan, we
have already gotten recommendations from AMA and AHIP, which is America’s
Health Insurance Plan, with recommendations and a willingness to step forward
and work with CMS on developing this. So we have already started setting into
motion some of the things that we are recommending. They came forward after the
hearings wanting to be part of the process.

MS. GREENBERG: Karen may provide some clarification here.

MS. TRUDEL: I think the other thing that is important for people to know is
that there really isn’t a consensus out there. During the hearings we heard
very, very different notions about what a health plan ID should enable. From
one end of the spectrum was, the identifier should tell you where you send the
transaction, and if an insurance company has one gateway then they have one
plan identifier, to the other end of the spectrum, which is that people want to
be able to know from the enumeration process and the database not only what the
product was, and whether the patient is eligible, but also how much is going to
get paid, where can I go to look at the fee schedule, what network is going to
be involved in the care. So there really was not a lot of consensus out there.

MR. J. SCANLON: Just to answer the complexity in terms of the context that
Karen raised, these provisions were in the Affordable Care Act. There are other
provisions in the Affordable Care Act that were not probably logically related,
but they are logically related in terms of health reform.

So I think the committee would do a service if somehow we brought about the
link between the potential uses of the plan identifier and some of the health
insurance reform. So for example, the portal that would provide information on
insurance products available to consumers, they are probably going to need some
sort of identifier and database.

The health insurance exchanges, when they come along in 2014, they will
probably need some sort of a registry and a plan identifier and set of
characteristics, as well as the regulation, all of the regulation of the
insurance companies, medical loss ratios and so on, there has to be some way of
— again, what I would not want to see would be an identifier and a database
for every one of these purposes separately. It just would be unsustainable.

So I don’t know what the answer is. Really it would have to be at a product
level to some extent. But I think the committee would do a big favor if it
linked these two at least conceptually. In whatever manner we go forward, to
the maximum extent possible, all of these other requirements be considered.

DR. SUAREZ: Jim, we did talk about beyond the HIPAA covered entities and
the HIPAA transactions, the use of the plan identifier for a number of other
entities, entity type not currently referred to as HIPAA covered entities,
health plan HIPAA covered entities. Also, other uses beyond the HIPAA
transactions, where quality assessment for across payor population analysis,
for a whole host of other things.

In our recommendation, these are the highlights of the most important
recommendation, but in the recommendation we also mention looking at other uses
and other entities that can be identified through this number.

DR. HORNBROOK: Just to take this to its ultimate detail, if you are looking
at writing information on what a consumer’s options are, in my particular
situation it would be Kaiser Permanente plus the intersection with each
purchaser, each employer, and the cafeteria of benefits inside that employer.

So you have got essentially a company plus a benefit array that defines the
full package that applies to each individual. Now, insurance companies have to
operate to know that. It is something they have been working with for years. It
is just like the banking industry; they are pretty good at doing that. So it is
not beyond informatics capacity, but it is a pretty complex phenomenon.

You also have to add in third party liability, car insurance and property
insurance, workmen’s comp. Finally you need a code for the person who is paying
totally by themselves, there is no insurance company there.

DR. FRIEDMAN: This may not advance the agenda at all, other than to educate
me, but if you will indulge me. I hear from the discussion the potential to be
over engineering a process and making something brittle. So my question is,
what status does having an identifier convey on an organization? Does it convey
any status at all other than the ability to identify it uniquely?

DR. SUAREZ: The same as the provider identifier. By virtue of identifying
the individual or in this case the health plan, in a transaction, the recipient
of that transaction would be able to specifically know where to send the
transaction, who is going to pay that transaction, and what are the
eligibility, where the eligibility coverage of a particular member of that
organization, confirming that that person is there.

But it conveys all that through the information. The number itself doesn’t
convey anything, just like the NPI doesn’t convey anything about the provider.

DR. FRIEDMAN: Right, so why then create any threshold for getting a number?
In other words, if you think you are one, then you should get one, because
having one conveys no status, and no one will address you if it has no reason
to do business with you by virtue of your not having status to conduct whatever
kind of business is involved.

DR. CARR: This is what I would like to recommend. I would like to just go
around the room and get the thoughts, but not answer, and then take it back to
the committee. In a minute we want to get a preview of the privacy letter. So
thank you, Chuck, for your comments.

DR. GREEN: I pored over the consultant’s contracted report, pages nine
through 11, concerning this. I basically just have another question. Is there
some reason why this letter cannot use the yield off of that consultation and
those definitions there, that start with 6.1 as the definition of a health
plan, and it goes to the statutory definition, and then render an opinion.

DR. CARR: I think that is great. So let’s take that back.

DR. GREEN: The CMS definition, just to put it on the record here right now,
is that CMS considers a health plan to be an entity that stands in relationship
to an individual that legally obligates it to pay claims for some or all of the
health care provided to that individual.

I really like that definition, as one that is relatively permissive, not
overly constraining. Then when you keep going in this document and you start
looking at all these other definitions, it unravels.

DR. CARR: So that is helpful information for you to take back.

DR. STEINWACHS: Let me just add my two cents. I like the idea of a product
identifier, but since products keep changing, we now trust the insurer to keep
modifying and changing those products. That seems to me to be a hard thing to

So it comes back to the idea that maybe the identifier has to be what is
the insurance entity, and then there may still need to be another identifier
for products within that. I don’t see how we can get by with one.

MS. GREENBERG: It is very much related to the question that I was going to
ask. Given the different purposes that were expressed and desired, is it
possible for there to be — or can the transaction carry more than one
identifier, such as Don has suggested, or would that all be handled in the
database? As I understand it right now, they have one place to put the
transactions and one place to put the identifier.

DR. CARR: I think I want when we come back to be able to say, this is the
simplification we want to achieve and to achieve it this is needed because. I
just want to go around the room for comments.

DR. TANG: I am going to try to build on that side of the table in a
framework that is this lumping thing. So what I hear is, it uses a phone
number, the phone number equals the product ID. Who answers the phone doesn’t
really matter to either the consumer or the provider trying to deliver a

So if we can establish a phone number, which is the product ID, that serves
a benefit for this user. We do have to figure out who answers the phone. That
is a separate piece of information that is useful. I think when we separate
those two things, rather than call the whole thing plan ID, we may have to
clarify the situation.

So if it is helpful, that is a way to present the recommendation to me.

DR. CARR: On the left side of the table, any further comments?

DR. FITZMAURICE: I am struck with Chuck’s suggestion to give an identifier
to all who want one. Then I am thinking, what are the criteria for getting an
identifier? Would you have to require that the health plan show you a state
licensing bureau certification number in order to say, I am a health plan, and
can just anybody say they are a health plan?

Then might there be a second variable or identifier for the product? I’m
not sure how to define the product, because as some said, they change a lot,
and new things will come down the line. I’m not sure you can have a typology
that is fairly stable. But I can see giving an identifier to everybody who has
been given a license by the state licensing bureau.

DR. CARR: Closing comment, Karen or Lorraine? Not. What I would ask is, if
you have not read these two letters, that you read them now with this very
informative background, and then you will take back the comments that you heard
today, and come back. We will get a draft out and be prepared to comment on it

We will break for lunch a little after 12, but in anticipation of a
discussion this afternoon, I would like some framing analogous to the way
Standards did it about what is the topic and the letter we are going to discuss
this afternoon, and what are the considerations the committee should be mulling
over during lunch.

Agenda Item: Privacy Letter: Sensitive
Information in the Medical Record

DR. FRANCIS: May I take the initial laboring oar on this as co-chair? I
want to pick up to begin with two phrases that I think Chuck used, maybe Joy,
spinning around and evolving environment. I think it is fair to say that we
have been doing a great deal of recognition of the evolving environment, and
that in a context of change there is quite a lot of spinning around. You have
probably already in the e-mails that have gone around seen some evidence of

Let me give you some process history, and then tell you what is on the
table and probably what is the —

DR. CARR: I think they said a great model, this is what we thought our
charge was and this is what we did.

DR. FRANCIS: Exactly, okay, right. In 2006, the NCVHS issued a letter that
had many recommendations about the NHIN, including some recommendations about
doing more with sensitive information.

In 2008, we issued a letter about sensitive information. In that letter we
stated some possible categories and recommended further work to select and
define categories as sensitive information. That letter, the letter itself, was
a follow-up on the 2006 letter. It was not a letter — the hearings themselves
were not specifically about NHIN, but that letter was a follow-up on the 2006

In 2009, we issued a PHR letter that also mentioned sensitive categories of
information, our wanted definitions of categories of sensitive information, and
what we took ourselves to be doing in hearings.

Our charge now is to define categories of sensitive information. I give you
that context because that is the history of it. We had conversations with the
ONC Policy Committee, that they were going to be looking at the technical
questions and that our charge, again under a very tight time frame, was to
develop definitions of a list of categories of sensitive information, and to do
it in such a way that what we do could be taken into account in timely fashion.

In the spirit of going back to a prior chair for analogies, Simon, I want
to make very clear that it is not a good idea to drink wine before its time.
There are several drafts that have gone around, earlier drafts, that may be
drinking wine before its time.

Yesterday, we were not able to meet with Paul until 4 o’clock, but
yesterday members of us worked on another draft, which is sitting on your desk.
That is where we ended up at 6 o’clock. Please don’t assume that the words in
the earlier drafts are in this draft. But please do assume that the kinds of
comments that have been made reflect what is the serious issue we need to talk
about, which is whether a letter that goes forward should be a letter that says
explicitly it is about the NHIN, whatever that might be at this point, whether
it is a letter that when it goes forward should say it is about health
information exchange, whether it is a letter when it goes forward that should
say it is about uses and disclosures, or whether it is a letter when it goes
forward should say nothing at all about context.

The present version contains references to uses and disclosure, although we
have tried as much as we can to strip it of references to context. But I should
say that is — I hope I have outlined that as the issue on the table. You can
judge whether this is a premature sip from the cup at this point.

DR. CARR: Thank you, Leslie. Paul and Marc Overhage, I would like you each
to raise the considerations that you also have, begin with Paul.

DR. TANG: My concern with what Leslie said is stripping the context from
the latest letter of recommendation, I don’t think that is fair to the process.
Clearly when you ask for information, you ask for it in a context and you
shouldn’t represent that outside of the context. People always say, don’t take
me out of context.

So the context for the 2006 letter, which was our charge, and the letter is
entitled Privacy and Confidentiality in the Nationwide Health Information
Network, we all recognize that was the way we stated this concept in the past.
The more current — and I think Chuck mentioned this — way of describing it is
electronic health information exchange.

The February 2008, also said individual control of sensitive health
information accessible via the Nationwide Health Information Network for
purpose of treatment. I.e., in both those cases, and particularly in the first
letter, which is 2006, we asked for testimony which included a lot of folks
including the practicing physicians, about privacy protection when you disclose
it in the Nationwide Health Information Network.

That testimony led to the concept of categories of sensitive information
when you disclose it. That is carried on through both of those two sets of
hearings, and now this current letter as drafted, that as Leslie says strips
that context away, I think that is important. In my opinion, we should not
strip the context under which we acquire the data. It is essentially
repurposing the opinion outside of context.

So my suggestion is to maintain the context, write the information that we
have, and the receiver of that information, the letter, and understand it in
the context we have got it and can apply it in whatever ways they see fit. It
is important to me that the context be communicated with the conclusions and
the summary of the data that you uncovered. That is probably the biggest thing
where we disagree.

DR. CARR: Paul, could you comment on what are the consequences of using the
information in the absence of that context?

DR. TANG: Before, when the early testifiers in 2006 talked about whether
there is category of sensitive information, it was in the context of disclosing
information. The implicit extensions in this letter talk about segmenting data
and with the potential for sequestering data inside the EHR. That is an
important difference to the practicing clinician.

The EHR is a tool that was designed to help the clinicians make sure they
use all the data to make a perfect decision for that patient. It is the
clinician that created this record, not talking about ownership of data, et
cetera. Sequestering was not something that they thought they were going to do.
They certainly understand that with the Hippocratic Oath they have to maintain
the confidentiality of that data that they acquire. So it is the concern that
sequestering data inside an EHR is a fundamentally different concept than
segmenting data when you exchange it with others.

DR. CARR: So data at rest versus data in motion.

DR. TANG: Data at rest versus data in motion.

DR. OVERHAGE: Thank you. I do agree with all of the points Paul made. In
addition I want to highlight one other, which is that as Leslie has helped me
understand through some e-mail exchanges over the last couple of days, the
objective is to define these categories of sensitive information.

My major concern beyond the ones that Paul outlined is that we have got two
anchoring points, it seems to me, in the work that we have done to date. The
first is that the committee recommended opt in/opt out as not sufficiently
granular for patients. We have also said that extremely fine grained patient
specific things are not feasible; we need something in between.

I think my discomfort is — well, it is more than discomfort, I think my
reservations are that there is a long space in between those two options, and
we have in the current draft letter picked a place along that continuum that
might satisfy some, but certainly not all patients’ concerns about control of
which information, that I don’t think takes into account the costs and
implications to the patients in other ways of making those choices.

So my crude graphic is that increasing granularity to the right and
increasing difficulty of identifying data in those categories going vertically.
I fear that we have chosen a point that is on this flat part of the curve. I
don’t think we have any testimony that addresses that. We didn’t ask that
question. Although I wasn’t at the hearings and didn’t review all of the audio
and transcripts, I read the written testimonies. I think that we may have
chosen a spot in this letter which is impossible to implement.

Just a case in point, abuse is a good example of that, where as a primary
care clinician, somebody who comes into the office, a housewife who looks
fatigued or perhaps who has a bruise, I would routinely ask about the potential
for abuse. I think that would be considered the standard of care.

Now when I do that, I am going to have to flag or identify that information
as being in this bucket. We are going to do that for every patient. There are
some patients, and this was the term repeatedly used in the letter, who might
want that information sequestered.

So I think that we have got to give thought to balancing the desires of
some and the impact on others. If your physician is busy, and you see this
every day, trying to take care of patients, and you add 30 seconds to their
per-patient care, you have just denied another group of patients care. You have
just denied that extra 30 seconds to another patient. You have just increased
the cost of care.

There are very real impact and cost of care issues that by making this
choice we may be weighing. I don’t know that that dimension, and in fact, the
categories that we outlined in the letter of the criteria for defining these
things, on the top of page five in the current draft that was handed out, don’t
even identify that as a risk or a problem. I think it just reflects that we
haven’t addressed those.

DR. CARR: I would like to ask Chuck. As Leslie pointed out, there was a
good collaboration with ONC in terms of concepts being articulated by NCVHS and
tools by ONC. Following on to what Marc was saying, how do we define that
boundary? One easily slips into, in some ways it seems like a logical sequence;
you have this information, do you segment it.

But where do you see the boundary, Chuck, in terms of the value we can add,
so as to get the concepts across and yet be respectful of the work of ONC, and
actually have others as Joy told us after her comments this morning.

DR. FRIEDMAN: No, it is a very good point. I want to interject the concept
of skating where the puck is going to be, because we are dealing with a world
that is changing. I think Paul outlined a key aspect of that that may be
helpful in shaping how we think about this problem. That is, separating the
data itself from its context, or in more technical terms, separating the data
from the meta-data around it.

If I had to look into my crystal ball and see what the future holds, I
think we are headed toward a world where the meta-data around data represented
in various information systems are going to become richer. What we should
therefore be thinking about is how to portray context, so that the context
would hold the key to whether the data can move, as opposed to making a more
all-or-nothing kind of statement, which is data of these types can’t move. It
is under what circumstances as might be captured by the meta-data can these
data move.

I don’t know if that is helpful, but I think from a more technical ONC
perspective, I think that would be a very useful way to start thinking about
this problem. I’m not sure I answered the question you wanted.

DR. FRANCIS: That is actually how we are trying to think about it.

MR. HOUSTON: A couple of points, one to answer one of Paul’s comments. If
you look carefully at the testimony we heard in June, those hearings were not
specific to either PHRs or NHIN or HIEs. There was rather a hearing about
trying to understand what information we would consider to be sensitive. Again,
we tried to remove the context from those hearings to get information. In fact,
we did get information that frankly I think is relevant even within the EHR
space, as is the case with a lot of past testimony.

I think also, one of the things that I think is important is that we tried
not to, as Chuck talked about, impose a context, nor did we — we steered away
from any type of a recommendation as to what to do about this data. We are not
saying that thou shalt in some way, restrict access to this data in whatever
context. We just simply said, there are a lot of people that are interested in
understanding what is sensitive information, so that they can take that into
consideration as they are looking at potential technology solutions or policy
considerations and things of that sort. So again, we tried incredibly hard to
simply say, let’s try to define what are potential categories of sensitive

Thirdly, I think there is a lot of experience that I think some people
would argue is outdated as to what is sensitive and why. However, I think what
we have come upon in my mind is that when dealing with exchanges and EHRs,
there is a fairly small group of people that have very strong opinions about
information that is sensitive to them. What we tried to do is say, of those
people what is the far majority of what they consider to be sensitive,
recognizing that any individual might consider a piece of information, however
benign to us, to be sensitive.

But if we look at this, what we have defined probably meets the needs of
about 95 percent of what people are concerned with, maybe even higher. So if we
have a small group of people that are concerned, then we take what represents
the vast majority of what they are concerned with, I think we are able to
reasonably identify what is in large measure to be those types of sensitive
information that we need to be concerned with addressing.

But again, no context. We are not saying that thou shalt apply this to
EHRs, to PHRs, to exchanges. It is, here is sensitive information, go forth and
use it as you are considering if and how you might want to add restrictions to
or allow patients to make requests for additional restrictions.

So again, it is intended to simply be out there as a data point for people
to use.

DR. CARR: Sallie, did you want to add anything, or Walter?

MS. MILAM: I think part of what the definitions are intended to address are
existing requirements under law today. State law and federal law require
special protections for sensitive information. Exchanges are fairly new. A lot
of electronic health record systems are new. I don’t know that it is decided
where these things apply, but we know we have these requirements out there.

So the letter doesn’t seek to add any clarification or standards around who
must do X, Y or Z. It is about what is mental health information. So we tried
to give some very concrete examples of what should fall in those categories and
what shouldn’t. So it is really to get some up-to-date thinking from people in
the respective areas of what might be sensitive.

So it is our attempt to add clarifications to requirements that are already
in place by law over which we really have little control.

DR. CARR: What I am still not clear about is, we have the law that talks
about these categories, and we have restated them. Marc, can you say what is it
that makes this expensive, what language in the letter brings us to a place
where we have unintended consequences?

DR. OVERHAGE: If you never use the recommendations in the letter, then it
has no implications. That is what I am hearing from John and Leslie and Sallie.
There is no use for this, therefore there are no concerns about the burden. Any
of the use cases, however you would choose, if it would be used, pick anything
that you would use it, requires that the information that they have segregated
— and Sallie, you said that this was just reflecting what is in the

Yet we have gone another step in saying that certain things are
quote-unquote in or out. We have said, if you have an adverse reaction to the
drug used to treat this, then that is okay, that is okay, that doesn’t get
segregated, but other things do.

I think we have gone further than that. If you go through the specific
items, sexual activity, great example. Every patient seen in a primary care
setting, that is a bit of information that the provider assesses. And given the
way we keep records today, and by the way, since there are no boundaries, this
applies to paper too, I must identify that information as being segregated. I
must tag it. That takes work and effort.

DR. FRANCIS: Can I pick up just on another example to give people a sense
of something? Genetic information, I will tell you that there should be an even
further update of the version you have in front of you.

The GINA language includes genetic tests and a history of disease in family
members. Clearly the latter would require natural language processing of some
kind, or it is more complicated to figure out and clearly much more costly.

On the other hand, now the employer is not permitted to request any of that
information. So wherever it is in the health care system that a record goes out
to an employer, somebody has to deal with the fact that family history
information has to be redacted.

So our aim in this letter, and we can talk a lot about how to try to
achieve that aim, is to say that there should be piloting and further work on
how to do technically. Admittedly, the costs here of software, a kind of
meta-tagging, so that you wouldn’t have to do it but the meta-tag somewhere
would do it, to pick out the information that would have to be segmented in
response to a request that would comply with GINA. That is just an effort to
put a little flesh on the bones.

DR. OVERHAGE: So I hear you accepting the argument that the effort is
important, and it is a factor that we should reflect in the letter.

DR. FRANCIS: Absolutely the cost.

DR. OVERHAGE: So we need to reflect that.

DR. FRANCIS: We should reflect that in the letter.

DR. OVERHAGE: But a second is very important. You described redacting
information on request. That happens in one of tens of thousands of patients.
Segmenting and identifying the information happens for every patient. So it is
a question of whether you do it on the front end or the back end.

Just as a concrete example, the recommendation here that tests for
metabolites, proteins or other factors which are indicative of features of the
individual’s genome, for example, means I cannot share a blood smear.

DR. FRANCIS: That is the GINA definition again.

DR. OVERHAGE: Well, that is fine, but I am just saying, the recommendation
here implies that every blood smear has to be flagged and segregated from the
rest of the data, because the blood smear is indicative of features of the
individual’s genome.

DR. CARR: Luckily we have a chance to come back after lunch and continue.
In fact, we could even come back early if you want. I have the following people
who want to make a comment. Again, I would ask that you make a comment to mull
over on lunch, and then I would like to break for lunch so we can start
promptly at one.

DR. SUAREZ: I do have two comments. As a member of the Privacy and Security
Committee, I have worked on this quite a bit.

The first one is about scope. I think maybe for the first time in my own
mind, Leslie, you have clarified the source of the scope issue right now. I
think it is very clear now that for the hearings that we had June 15 titled
Sensitive Information in Medical Records, we were asked, in coordination with
ONC and with the security and privacy Tiger Team, to look at the specific types
of sensitive information and order the discussion and definition of them. That
was it, that was the charge. We had nothing to do with NHANES from 2006 or from
HIEs from 2008. It was specific about, we need definitions from a policy
perspective on the categories of sensitive health information. That is what we
tried to do with this letter.

The second comment is, Marc, to your point. I don’t think the expectation
is that now every time you see a patient and have some genetic information you
have to flag it. I think the expectation is that this type of data that the
consumer will at some point have the right to ask that it not be disclosed or
used or shared for any reason, that then the entity will have the
responsibility to do it.

We have to do it today in many instances. This is not required that every
single instance for every case, for every patient, you have to flag it. This
only means that this type of sensitive information as has been defined, even
when there is a regulation or an expectation in the law that patients will have
the right to segment tests for DNA, then the information systems will have the
capability to allow the provider to meet that law. That is all we are saying
with this.

MS. GREENBERG: I just want to build a little bit on what Walter is saying.
I think the ultimate question for the committee is, is there something that the
committee can say about this obviously very complicated, contentious and
evolving area that will be useful to public policy in general and to those who
have more specific responsibilities to address this issue of what to do about
sensitive information in particular.

So I just wanted to point to a few things. I’m not giving an answer to that
and you don’t want me to at this point, but that is really the question, I
think. We know that in the ARRA, the HIT Policy Committee was asked to make
recommendations among other things on technologies that protect the privacy of
health information and promote security in a qualified electronic health
record, including for the segmentation and protection from disclosure a
specific and sensitive individually identifiable health information, with the
goal of minimizing the reluctance of patients to seek care, et cetera.

Now, it doesn’t actually say anything there about the NHIN or HIE or
whatever, but obviously there is a context here that this information is going
to go somewhere or could go somewhere. But it doesn’t say that, it says in the
electronic health record.

So since it mentions sensitive individually identifiable health
information, the question is, is there a definition for that. Think about the
health plan. How can we enumerate health plans if we can’t define them? How can
we do this, come up with these technologies to deal with sensitive individually
identifiable health information, if we have no idea what sensitive information

So then we heard this morning from Joy that regarding segmentation, which I
assume is related to this very specific issue of segmenting sensitive
information, there are some promising technologies, but they are not quite
ready for widespread adoption. We need more research and demonstrations. So
clearly the policy process as it is moving is not prepared to say X data must
always be segmented. There needs to be research and demonstration.

We at the National Committee have held now several hearings, including the
one in June, to try to get at what sensitive information is, how you would
define it in a reasonable way based on the needs of patients. We did hear from
providers as well. Whether everybody was heard from who needs to be I won’t

So would our know providing this information with all the caveats that were
mentioned by — have been mentioned around the room and have been mentioned by
Joy, be useful at this point in time? We have a body of information that comes
from testimony, et cetera that will shed some additional light on our view or
the committee’s view from testimony and consideration as to what sensitive
individually identifiable health information might be.

So again, going back to the operating rules, is the risk that by now
revealing these findings cause more trouble than not, or would it be helpful
now to put that information forward with all the necessary caveats? Enjoy your

DR. CARR: Thank you, Marjorie. I have Paul, John, Larry and Mike.

MS. GREENBERG: I thought I would have the last word.


DR. TANG: I just want to comment on what you brought up, Marjorie, in the
sense of, nobody is suggesting that the question of whether the segment data in
an EHR is not an important one. I would say that if we wanted to explore that
question, we should explore that question with the full knowledge of those
people we ask to testify.

I only am suggesting that we in our letter put the context under which we
got to where we got to, which is having categories of sensitive information
that was in the context of exchanging in NHIN, so that we should get the
information out there so people will know how to interpret it.

The question to mull over, at least I want to mull over it at lunch, was
stimulated by what Chuck said about context in the meta-data. In some sense we
got it wrong in 2006 when we said there are such things as predefined
categories of sensitive information, and that sensitivity or desire for
protection of confidentiality of information is totally dependent on the
context. Can an individual, patient or provider, decide whether something is
quote sensitive for this moment now, and can those same two people predict
whether it is sensitive at some point in the future, just by belonging in the

I am wondering whether that was not an appropriate recommendation to make.
We made it under whatever circumstances we made it. It could have been find
now, but maybe the puck is headed in a different direction and we should
consider other things. I need to think about that at lunch and come back, but
that is something I would like to propose that others think about as well. We
need to raise it.

MR. HOUSTON: Just one follow-up comment. I think that one of the
motivations too for looking at this in the context just not of NHIN and HIEs
and PHRs and expanding it, is the fact that at my institution we have
internally within our EHR environment dealt substantially with how do we manage
sensitive categories of information, and putting certain bounds around it to
insure that A, we respect patients’ expectations of privacy, as well as their
expectation that they receive quality health care.

So we have taken an enormous amount of time to try to sort through that,
one very specifically in the psych context. There was a lot of deliberation, a
lot of discussion. I think that part of my hope in all of this was that we
could help give organizations guidance on what types of information they could
focus on if they chose to go through a similar undertaking.

I think that had I known then what I know now, I think it would have helped
streamline the process. We end up getting to a lot of the same conclusions
about things, but it did take a substantial amount of time with a substantial
involvement of physician leadership and others to try to get the right answer.

So I was also hoping that we could make this portable in many contexts.

DR. FITZMAURICE: I am impressed with the breadth and the thoughtfulness of
the information that is contained in the letter. I am also impressed with the
views of Paul and of Marc.

So I am wondering, should the letter limit its scope? It might say
something like, in considering how to categorize sensitive information, we
sought no input on the cost issues, the work flow issues, or all the
implications of the uses of these categories in electronic health records or
personal health records. Accordingly, we make no recommendations with regard to
specific segmentation at this time.

In other words, we have looked at this and we have seen that these are
important to people, but we don’t give you any action to take.

DR. CARR: Last one, Mark.

DR. HORNBROOK: I just wanted to reiterate Paul’s notion of relativity.
Think of someone who gets a diagnosis of a devastating disease, and they just
don’t have the emotional ability to handle everybody else around them also
hearing it. They want it quiet. Think of cultures where the patient isn’t even
told about the disease. The culture wants the other members of the family to
hold that information, not the patient. Think of somebody who is in trouble
with the law and wants certain information held from the police department.

I don’t think we can get around the issue that it really is
individualistic, regulational, situational and not universal.

DR. FRANCIS: Could I make an observation about that? I don’t deny anything.
I don’t disagree at all with what you said and what Paul said.

In an ideal world, it might be a good thing to have people be able to have
— this is a sensitive tag, they work it out with physicians, and that is the
end of it. On the other hand, that is not how the law works. So what we are
trying to do, and this goes to some of the tensions with the Standards
Committee too, we are trying to find a middle ground.

Marc had his chart about the cost considerations. It is really hard to try
to find a middle ground. As you think at lunch, one of the things to think
about would be, should we give up on middle ground categories?

DR. CARR: To follow on with that, going to Mike’s comments as well, I think
there are two tensions. One is, what is in the law today, whenever those laws
were written, and you were trying to build a trust environment for patients to
participate in this new world.

The word meta-data didn’t exist probably when the hearings began, and that
changes everything. So as we are trying to anticipate and go toward the future,
we have to recognize that it is evolving. So I think a key question is, do we
say something that is in between granular and minimal, or do we just say
something that is safe to say now and tee up other areas that need further
attention, and then partner with what Joy is doing. I heard her say there is a
lot of work there.

So with that, let’s have lunch, and we will meet back here at one o’clock.

(Whereupon, a luncheon recess was taken at 12:15 p.m.)

N S E S S I O N (1:20

DR. CARR: Welcome back. We want to take the next 45 minutes to get an
update on the discussions that occurred at lunch, continuing on our topic of
how NCVHS can add value in this realm of privacy. So I will start with Leslie.

DR. FRANCIS: This is a report from a table that had Marc Overhage, Maya
Bernstein, Amy Chapper and Leslie Francis at the table.

There were two things that we talked about. The first was with respect to
context, that we might take the last paragraph and put it at the front. The
last paragraph of the current letter basically says, here are the
recommendations that are in the last paragraph, that HHS undertake further
refinement of the suggested categories below, that we study the technical
implementation issues, and engage in pilot testing. We can take out ultimately
provider/patient education. I don’t know, we didn’t talk about that. That the
context be of these recommendations for definitions, that the next steps are
technological development and pilot testing. That way, any implication that
this is ready for regulatory prime time would be removed.

The second point, and to be honest I didn’t have a copy of the letter. We
meant to be sure it is in here, so I want to emphasize this. We all recognize
that there is a real cost tradeoff here, so the importance as all of this goes
forward of course is recognizing the competing considerations. We meant to have
all of those in the letter. So Marc’s point about costs, sure, we will make
sure that goes in, but the idea was to think of the context of this as using
these categories for the next steps of technological feasibility and pilot

DR. CARR: Excellent. Marc, did you want to add anything to that?


DR. CARR: So it sort of like continuing the theme of administrative

DR. OVERHAGE: But it is more than cost tradeoff. There are other tradeoffs,
including costs.

DR. FRANCIS: We have those others in the letter.

DR. CARR: Additional thoughts on this suggestion?

MS. MILAM: I like it. The only thing I would add, since this is providing
some guidance in terms of technology, is that those who are receiving this
guidance recognize that they need to meet any jurisdictional requirements that
exist, that this provides high level guidance. They may have additional privacy
requirements at local and state levels.

DR. CARR: Other tables?

DR. TANG: The good news is that Chuck gave me permission to blame it on
him. He will be back here tomorrow morning. There are many representatives at
the table to see whether this is right, but it is stimulated by Chuck’s remarks
about how important the context of the data is when it is received and
particularly how it is used and when it is used in the context of this moment
or trying to predict the future.

To retrace our steps as a subcommittee and committee, we thought we could
— and many people would assume that you can come up with some really obvious
categories of what people would think of as sensitive information. Then we
charged ourselves with, these are obvious categories, let’s just be more

In the process of trying to get concrete, that is of course where the
subcommittee had difficulty reducing that to becoming very concrete and very
prescriptive about it, which in a sense is how we discovered what Chuck said
was so right. It was almost impossible — I think our table committee felt it
was nigh impossible to predetermine what was sensitive to an individual for a
context. So is it better to try to force something or to provide the insight
that once you go through this process?

As I said, we started out saying there are some obvious things, that turn
out not to be obvious when you drill down with the number of people with their
diverse perspectives and opinions, that maybe that is not necessarily the right
or the contributory way to go.

So the alternative opinion is to offer that insight. I think it is
something new that a lot of people would find new, that when you work really
hard at it, it wasn’t necessarily doing the right thing for one, patient care
and two, protecting individual health data according to the wishes of the

DR. FRANCIS: Could I ask you a question about that, Paul? Did you envision
that as one more opportunity to pilot? One other thing that could be piloted
would be a system under which people could define their own categories. That is
something that in the 2008 letter got taken off the table, because it was
thought that it was not a middle ground at all, but way too complicated on the
provider side and so on.

So another pilot that we might add to the mix would be the possibility you
suggest, rather than having that be the only one.

DR. TANG: So I guess what you are saying is, we are recommending that
further exploration of this topic be undertaken through demonstrations and
pilot. I probably wouldn’t put any restrictions on that.

DR. FRANCIS: One pilot could be each of these defined categories. Those
could be piloted. Another pilot could be the possibility of having full patient
granularity as another option, which is certainly something that — if people
want to pilot that, I think it would be a great idea.

DR. FITZMAURICE: I am with Paul on not putting a whole lot of restrictions
on letting people who are thinking about doing it explore the possibility with
pilots. But an ethical question comes to my mind. Since I am not a physician or
specialist, I don’t know how this would be treated.

Let’s suppose that you are referring a patient to a specialist. The patient
says, don’t mention anything about my X condition. He says, this could affect
your health care and could be detrimental. No, I don’t want you to do it, I
want you to sequester that information, don’t let it be revealed. So you send
the patient information to a specialist, and the specialist treats the patient,
and then later on finds out the patient had this condition that would have made
a difference.

Is there a moral obligation? Do you feel betrayed if you are the specialist
that you didn’t have all the information that the other doctor had? This seems
to betray a trust that exists today.

DR. CARR: The situation exists today as well. If you go to a foot doctor,
you don’t mention your history of rheumatic fever necessarily. If you are going
to the dermatologist, maybe you are not mentioning your anxiety medication, I
don’t know what.

The way I see this is that we have a very dynamic world today where all of
these things function in an integrated fashion, almost like the autonomic
nervous system. We don’t think to expand our ribs, stretch those intercostal
muscles, open up the trachea, close the epiglottis. We don’t think that way, we
just do it.

What we are trying to do is to lump or split. We are taking on an exercise
where we believe we can identify the component parts and map them to where they
go, but they do in many places. So in the dynamic world today, patients
sequester information all the time. I have to say, this is a 180 for me,
because a year ago I might have said the opposite. But it is a fact of life.

So I think that transparency is our friend. If every record has a tab that
says secured information, then there is no stigma. Everybody has that tab and
the provider says, do you have any information that is not apparent to me, and
they can say yes or no. It is simplistic.

The other point I want to get to is that because this is evolving, this
whole concept of meta-data and the technology and the iPhone apps and
everything that we are seeing at these meetings happening at such a rapid pace,
NCVHS does a great job at teeing up the concepts, the issues, the challenges,
and allowing these other technical specialists to work with that to say, did we
remember this, did we remember that.

DR. STEINWACHS: Just a couple small things. If you think about research,
you allow the person you are collecting information from not to answer some
questions or to have the tape stop, if you are recording something, and then
start it again. So it is interesting to think about what is the parallel in the
medical record context that would say, we are going to put this in a
sequestered place, or it is not going to be recorded. That is part of what we
are talking about, the person’s rights.

It was also interesting at the table, we got into a discussion of how
sometimes physicians don’t tell their patients what the condition is they have.
Psychiatrists don’t always tell a person they have schizophrenia. So the record
also is caught in a different direction. Since you now can have access to that
record, and if for some reason you decide that you don’t think it is in the
patient’s best interest to share this information, I’m not sure what that
means, either. That complicates it further.

But it was a discussion around the contextual effects, where it is hard to
say always you do X or always you don’t do X.

DR. CARR: I don’t want to reflect that my comments are suggesting we take a
pass. Only to reiterate what Paul was saying, that we thought this was easy,
and the fact that we have had so many e-mail exchanges and discussions tell us,
no, it is not easy. There are many different dimensions that will go in.

DR. SUAREZ: Just a couple of comments, too. I think we are doing today in
different ways control and segmentation and access restrictions. So yes, as a
doctor I might be able to see some data, ideally all the data, probably in most
cases all the data for treatment purposes. As a receptionist I might not be
able to see some data, because that is not what I am able to access. So there
is role-based access controls that allow systems to limit who accesses what.

It occurs to me that within focusing a lot on the concept of restricting
access or somehow segmenting data from providers for treatment purposes, and
that is truly not even the intent or the five percent of the 95 percent of all
these issues. I think the vast majority of issues are disclosures about
sensitive information or other purposes, not treatment. I think that is where
we can provide a lot more headway with respect to the background and the
context of this letter.

I think the concerns and the fears that I have been hearing tend to reflect
more the risk or the perception that we are restricting access of clinical
information from providers, or suggesting in the letter that somehow the
segmentations of these categories of data, restrict access from individual
physicians and providers for treatment purposes when we are trying to do the
reverse. We are trying to identify areas where it is commonly today believed
that the sensitive information needs to be allowed to be controlled for
disclosures that are non-related to treatment, payment and operations and other

So I wanted to introduce that, because I think it is important to take our
mind set from that perception that this is all about restricting data from
providers. I think we all are very much mindful of the significance from
quality of care and patient safety of the need for providers to access all the
data whenever possible and as needed. Even in today’s world with paper records,
providers don’t even have access to all the data.

But this letter in no way in my mind was intended to try to portray that.
It was on the contrary trying to identify certain categories of information
that need to be appropriately controlled for purposes other than treatment.

DR. CARR: Is there a value in us enumerating all of the traps that we fell
into, information at rest, information in motion, what is treatment, what is
payment and operations. These are all the traps that we fell into. Maybe we
don’t have to solve them, but we have to say clarity of thought is paramount to
what is regulation and what is patient preference and what is required. So just
a thought.

DR. GREEN: I want to make three points. The first one is, I want to go on
the record as being very sympathetic and highly supportive of the principle of
patient autonomy and individuals should be in a position to have authority over
critical information about themselves.

That said, I want to make two other points. The first one of these would
be, I wish to challenge unstated assumptions in this letter, such as that there
is such a thing as knowledge out of context.

DR. FRANCIS: Of what? I’m sorry, it is hard to hear.

DR. GREEN: One would be an epistomological challenge. The epistomologists I
think have argued very persuasively that there is no such thing as knowledge
without context. This letter assumes that there is. I’m not sure that is a wise
position to take.

Another one is that there is such a thing as non-sensitive information in
health care. I keep trying to — forgive me for being a physician, but I keep
trying to think of something that the patient has revealed in which they might
just prefer that that not be exposed.

Let’s take something like age. There are people who come in who don’t want
to tell you how old they are for various reasons. There is a list of reasons
for that. I don’t want to get us off track here. My real point is that the
whole idea that there is such a thing as sensitive information and
non-sensitive information, I remain today unconvinced that that distinction
exists in real life.

I want to make a quantitative comment about the letter as it sits. I go
through all of the proposed categories for segmentation. I just use the
knowledge that I carry around in my head from epidemiology about distributions.

I am quite confident that this letter is proposing segmentation
possibilities that will include a large majority of the entire population. We
should not go forward with this thinking that this letter is about a small
subset of the population. This letter as proposed, I am relatively confident,
is about the majority of the population.

I hold this very dear as a physician. I think the radical proposition in
the health policy stage of the United States is to try to make care patient
centered. That is the radical idea out of the Chasm series of the IOM.
It is the fundamental principle, and that is the one that disrupts old ways of
thinking and doing things.

The very idea of patient centered care is to be specific to an individual.
Patient centered care as a principle has a very nasty qualitative problem, in
that it is specific to this individual. The sequestration and segmentation
notions, we need to recognize that as we do whatever we are going to do, say
whatever we want to say, pilot whatever we want to pilot, we need to be
realistic, that we may be working against ourselves to move toward highly
personalized patient centered care.

To get very detailed about this, I just simply can’t bring myself to be
supportive of this letter’s statements where it says, the NCVHS recommends the
following be segmented. There are just too many exceptions on the list. I think
it would be very difficult for this nation’s practicing medical community to
say that is a really good idea, to put that in a position where that can be
segregated and segmented, because of the rolling ripple effects of the clinical
enterprise’s ability to provide excellent care and support for these people.

So other than that, I really like the letter.

DR. FRANCIS: Justine, may I as the co-chair of this subcommittee make a

DR. CARR: Yes.

DR. FRANCIS: I am only making it for myself. First of all, we have had no
testimony in the last four years that have recommended the fine granular
patient centered. So we could not possibly send that forward as a
recommendation, because we have had no testimony that supports it. I certainly
wouldn’t support that.

DR. CARR: We have testimony specifically against it.

DR. FRANCIS: Against it. We have actually lots of recommendations against

The second is that we were trying to be very careful, and quite clearly it
hasn’t worked, to distinguish treatment as Walter pointed out — to distinguish
disclosure from treatment. What Larry was talking about was about treatment,
patient centered care. What we were talking about, or thought we were trying to
talk about in the letter, was about disclosures.

So here is what I am going to offer as something I would take on myself to
try to draft. There are some disclosures where the law is in place, where it
would be enormously helpful for people to have a software methodology that
could meet those legal requirements.

The examples I have in mind are the GINA definition, which is there, and
the second example I have in mind is SAMHSA, which is also there. I am going to
say, I don’t think we can get a sensitive information letter. I think there is
something that is a trigger that is sensitive information.

I wonder, and I am going to try this out, could we get a letter in which we
recommended to ONC that they pilot test and support the technology to develop
methodologies to meet the GINA definition and the SAMHSA definition, and say
nothing more about anything else.

DR. TANG: A lot of times when you get into tough situations and one thing
complicates another, it is a good time to go back into what is the problem that
we are trying to solve.

In my mind, in 1996 when we passed HIPAA, what didn’t arise in the
three-year window they gave themselves in Congress was national a comprehensive
privacy law that says whoever touches it has the responsibility and
accountability for what they do with it.

We have been working for over a decade to try to make up for that lack.
What we have said was, it is too hard to pass that kind of law. First of all,
it may not be as hard in 2010 as it was in 1996. Second, is this really easier
to try to cope with what we don’t have? What we are trying to do is chase after
the folks who misuse in harmful ways, when we should just hold them accountable
and not have to do so much chasing, and fix the underlying problem.

I would like to raise that again in 2010, what we couldn’t do in 1996, but
now may be easier and the better of two evils and possibly the lesser of two
evils in terms of effort.

DR. CARR: Can you say a little bit more about what is different than if we
say you are fully accountable?

DR. TANG: The whole notion of covered entities and only covered entities
have certain accountabilities and responsibilities excludes a big chunk of
organizations and individuals from accountability, and they are free to use
information in ways that society does not condone, e.g., discrimination, and
that causes other harms to individuals. If we could make all people who are
guilty of those kinds of violations of individual rights that society
determines are harmful, then we will be trying to prosecute the harm instead of
preventing — inadvertently preventing a lot of what we are even chasing after.

So we have said that the primary objective is to get information to where
it needs to go for the benefit of the patient. Most of the effort and burden of
making sure it doesn’t do the opposite falls upon the people trying to help the
patient. That is what I mean by spending all our time coping with the problem
of the burden we have added to this. This is a high cost venture for society.
We are making it higher cost and higher effort in order to take care of the

That just seems like underlining the wrong thing to do. We should be
penalizing and holding people accountable. We should just go after the people
who are misusing the data.

DR. FRANCIS: Of course, non-discrimination law exists. But we have some
statutes that attempt to be further up front about what kinds of disclosures
can be requested.

That is what GINA does. GINA says that employers and various types of
insurers cannot request certain kinds of data. It was a deliberate choice by
Congress two years ago as a kind of prophylactic, so that we prevent the
request for the data ex ante.

I just want to say that once again, the only question that I was trying to
put on the table, and it may be that there isn’t enough consensus to get this
question on the table, but whether there should be a recommendation that we ask
ONC to pilot test technologies that would allow that GINA condition to be met
on disclosure, nothing about treatment.

DR. CARR: Let me just give a little orientation check here of what we want
to accomplish in the next 15 minutes. I think there is tremendous knowledge in
this group about what is difficult about protecting privacy.

I think that our conversations along the way and including today have taken
us to some insights that are not really out there and have in a way brought us
full circle from where we began. I think we have heard very clearly from ONC
that with the many parallel tools coming along, we don’t want to be
asynchronous. I think we have heard that there is a sense that there are laws
and we need to address that.

I would like to ask that the comments in the next 15 minutes be
contributions to the Privacy Committee to take back and think about what
valuable insights can we put forth from NCVHS that represent a recognition, not
the solution, but here are the considerations that have to be taken. So we will
do as we did before.

MS. MILAM: Listening, Paul, to your questions, I think I heard you asking a
different question than the kind of question Leslie was asking. So I think it
would be helpful if we focus on exactly what is the question we need to answer
to see what the letter should look like.

DR. SUAREZ: I absolutely agree with Sallie. I think we are continuing to
change the way we have been thinking about this letter more and more. Now we
are even beginning to depart from the content of the hearing itself, which is
the basis for the findings and the recommendations.

We heard the specific ideas and suggestions and comments and reactions
about specific categories of health information. The purpose for which the
hearing was set, consistent with the request from ONC, to work on defining the
official sensitive categories of information.

Larry, to your point, it is not like there is sensitive and non-sensitive.
There is sensitive and more sensitive. More sensitive requires a special
treatment due to regulations and other reasons. Nonetheless, I think it is
going to be helpful to decide as a committee whether we continue the path of
helping define categories of more sensitive health information or we step back
from it and start talking about pilot studies and harder investigations on
certain kinds of data, regulated data, for the most part. I think we are now
even departing more and more from the original purpose of this letter.

DR. CARR: When we had the meaningful measurement hearing last year in
October, we heard fantastic scenarios for great things to do to measure
quality, and not one of them overlapped with the other. We came away from it
not saying a word about what we heard, but we talked about what we didn’t hear.
We said we don’t have a national data strategy and we need building blocks to
build measures.

I bring that up as an example to say, we invited four groups and said do
you have sensitive information. They said yes, but we could have invited 100
groups. We could have invited urologists and gastroenterologists, and they
would have said —

DR. FRANCIS: We did that in an earlier hearing.

DR. SUAREZ: We have a body of evidence of at least those four.

DR. CARR: Right, but the list is infinite.

DR. SUAREZ: In future letters we could invite four new groups of categories
of people to further this goal. We can go down the path.

DR. CARR: Right, but I’m just saying, we can say the dog that didn’t bark,
as they had in Sherlock Holmes, is an okay thing to comment on.

DR. BERNSTEIN: I am somewhat frustrated by this, partly because of the
amount of work that has gone into it, but a lot of the conversation around the
table is asking for things that have already been done by this committee and
that are in previous letters.

For example, the idea that what is sensitive to one patient is not
sensitive to another patient is discussed in a previous letter on which this is
jumping off, or in some detail the fact that not every patient is going to have
the same sensitivity. It is not that we didn’t recognize it, but we didn’t feel
the need to — they didn’t feel a need to again put it in this letter.

What happens if data for treatment which we talked about previously, is not
shown to a physician, how does the physician know about that? There is an
extensive discussion about whether you flag that information to the physician,
how much detail you put in the flag and so forth. Role-based access, contextual
access controls.

I think having categories of information is — Leslie has been talking
about the GINA law as one example, but there are numbers of examples of this.
Psychotherapy notes, is an example of a special category. Substance use records
are a special category. The GINA disclosures. The new HITECH requirement that
you can pay cash to your physician and have them hide the information from the
plan is kind of a special category of sensitive information, but it is whatever
that patient decided was sensitive.

We have had a discussion about the fact that — okay, it is in the law, but
before that we said this is very difficult to do. We don’t want to have — and
we had an extensive discussion of granularity versus uniformity. When you have
granularity, you have more choices available to patients, but it also costs
more, it is more complex and more difficult to implement.

Then we had a discussion that said, if you have more uniformity on the
other hand, so that everybody is on the same level, you reduce patient choices.
Yes, it is easier to implement and cheaper, but we are not getting to the right

So the subcommittee has been trying to find a middle ground to identify
things that will cover most people most of the time, and that will be used not
only for treatment — we talked about that in a previous letter — but for
other things, disclosures to employers, disclosures to outside auditors that we
heard something about yesterday for health care operations by the provider.

We are already required to come up with some kinds of categories, so
somebody is going to have to develop the technology for doing this, unless you
expect for the rest of all time to be printing it out and hand redacting stuff
every time you make a disclosure. I don’t think that is the world we want to be

So I think what we are trying to do is say, we are going to have to develop
this technology anyway, can we give patients some more controls at the same
time we are developing this technology anyway, that might be useful for a
variety of things. One of them is patient control, one of them is for other
kinds of disclosures.

One other thing I want to say is in response to what Paul said about
holding people accountable, the bad actors accountable. I don’t think anybody
is going to disagree with holding the bad actors accountable. The problem in
the privacy context is, that happens after the fact. If somebody discloses
information and you punish them after the fact, for the patient the information
is out there and the damage has been done, and it is a toothpaste tube problem.
You can’t get that information back once it is out there, and it is very, very
difficult to repair the damage to reputation and so forth that happens when
information gets out there.

So yes, that is the reason why we have the HIPAA rule, so that we are
controlling the good actors. But that is generally what you do and we try to
prevent bad things from happening because we recognize that in the case of
information disclosure you can’t fix the problem after the fact.

MS. GREENBERG: Thank you. I think Maya’s summary there was very good.

I agree with everybody, let me start that way. I am the Executive Secretary
and I agree with all of you. You know that I love this committee, all 60 years
of it. This is one of the reasons why. There could be a reason why you might
say you hate the committee, because it is painful. But because everyone is
being thoughtful, they are bringing their experience and their knowledge to
bear, and as Justine said, that is a real strength of the committee.

I am uncomfortable completely walking away from this, but the decision is
the committee’s. But I thought I should share with you why I am uncomfortable
with that. I think Walter mentioned some reasons why that might not be a good
thing to do, or might not be the most responsible thing to do, though it
certainly would be the easiest thing to do, that is for sure.

I think although Leslie would like to salvage something, and I appreciate
that, but I think it may be too minimalist, although it could be part of what
is salvaged.

We clearly have very different views on even what this letter is about,
what it should be about, whether it should be, et cetera. But there is so much
content that has been thought about. Although we did pull together the past
letters and put them into that publication, they just included information on
sensitive information, so it was lost in that. But now this is an attempt
although in shorthand to bring out everything the committee has said to date
about — and heard to date about sensitive information.

So I am wondering, and it probably can’t be done by tomorrow, but if one
approach would be to develop a white paper for the next meeting that lays out
the past recommendations in hearings, notes all of the difficulties and
challenges associated with this, and does try to specify as this letter does
what the best thinking seems to be on the most sensitive information,
recognizing that sensitive is in the eyes of the beholder.

I mentioned to Sallie that in our population surveys at NCHS, people will
tell you anything about their sexual preferences, but don’t ask them their
income. They won’t tell you their income. We are not even talking about income
now, but that just shows you, it is not necessarily intuitive. But there are
reasons for that.

I think there is more agreement on a lot of this letter than we are giving
it credit, and to put it aside would be unfortunate. For example, and I don’t
know, maybe there is not 100 percent agreement on this, but as opposed to
looking at the things that this letter says should be included under the
definition or considered under the definition for sensitive information, what
about the things that the letter says shouldn’t be, or that the committee
doesn’t think should be.

I have always heard that once you know a person takes a medication, you
know they have a condition, so right away that is sensitive information,
although the risk of not knowing what medication the person is taking and then
prescribing medications or other things is so high, that this letter actually
says allergies and past histories of medication reactions, current medications,
are not included in the definition. I think if there is consensus on that, that
is a very — that is not something that is out there as a position. I think
that is a very thoughtful and responsible position personally.

So I guess my feeling is that the only recommendations that would come out
in this white paper or this other next version that I am talking about are for
possibly further study in certain areas, possibly additional hearings which the
committee might carry out, certainly demonstration projects, plus the body of
knowledge and where there is consensus that is reflected in here and in the
previous letters or reports would be there for people to say, the National
Committee has identified these areas where there is agreement, not in the form
of recommendations, but in the form of definitions, et cetera.

I still come back to the fact that there are — somebody is going to do
this. There is legislation that says we need policies for doing something with
sensitive information. Somebody has got to decide what that is. It could just
be as everyone defines it, but that is irresponsible in a way. That is what I
think this letter is saying, letting people say medications. That is fine. If
you don’t want to tell people what medications you are on and they are treating
you, maybe they can say I can’t treat you. There are costs to certain types of

So it seems to me that as I said, maybe really limited on the
recommendations, but really strong on the findings and observations in more of
a white paper type of format could contribute, and might be a possible

DR. GREEN: I like Marjorie’s suggestion about not losing the richness of
the observations and the findings about the complexity of this in some sort of
format, whatever is suitable.

I also want to go back and support what I heard Leslie saying just a few
minutes ago. Leslie, fix this if I am distorting what you said, but bear with
me. On page four of the letter I think you have created a splendid timely
definition of a problem that needs urgent attention with the phrase, the lack
of sequestration capacity.

I have a logic model from NCVHS that goes like this. The National
Information Network is a stunning, stunning opportunity to use health
information to improve population health and individual health. We have been
figuring out how to get this done now for a decade plus, we have been working
on this.

Along the way, we realized that for the national health information highway
to function, for us to get to the value we seek, the American people are going
to have to trust this sucker. They are going to have to believe that it has
their interests at heart and it protects their interests.

A particularly troublesome spot is when an individual person within this
country thinks there is something in their health record that is sensitive to
them and threatens their well-being in some way or another, and they wish to
have a mechanism whereby they can protect themselves from harm, some way or

So we then made a decision along the way where we said we don’t think it is
possible to do that data item by data item, but we might be able to figure out
a way to do that if we created segments of information, some of which were more
sensitive than others.

So that is my recounting of the history that I know. This letter makes a
very strong point that the lack of sequestration capacity threatens the trust
of the American people, and is achieving what we are trying to achieve out of
these huge investments at the ONC and elsewhere.

I heard you say you wanted to get out of this something for the ONC. That
defined the audience for me. An immediate audience for the recommendation would
be the ONC. An immediate problem to address would be the lack of a
sequestration capacity. The recommendation could be to conduct pilots
immediately about strategies that would allow us to sequester some information.
By the way, we have got a list of possibilities that you might want to use for
your pilots.

DR. FRANCIS: That is exactly what we were hoping to do with this letter.

DR. GREEN: That could be done in about two paragraphs.

DR. FRANCIS: Well, we have to have the list of the categories.

DR. GREEN: But if you also have this background paper about those
categories, you could say we are happy to refer you to such-and-such a place
about the possibilities.

I think the letter goes beyond our abilities to make hard recommendations
about what to include and what not to include. But I believe it makes a strong
case that there is an urgent need for pilot testing of sequestration

DR. CARR: The Chair would like to be able to recognize the next speaker.

DR. FRANCIS: What I would like to try to understand, because it is possible
that I will end up doing some of the working out of this, I don’t want to spend
a lot of time trying to write something that nobody is going to be at all happy
with. So let me just try to test out some understandings.

DR. CARR: If you could, I would like to annote what you are saying. What I
want to hear is if there are people in the room who are not in support of that,
I don’t want to spend a lot of time developing something that they are not in

So my thought was to pause after Larry’s thing and say to Marc or Paul or
what Larry described and what your concerns were, are we on the same page or

DR. FRANCIS: So that was pilot testing, that we need sequestration capacity
and that is pilot testing and technology development, right?

DR. CARR: It was the statement that the lack of this is an issue. An add-on
is, maybe we need some pilot testing. I am just breaking it down. Because we
heard the objection from Marc on this earlier, I would like Marc to comment on

DR. OVERHAGE: I apologize for having to step out and not hearing all of
Larry’s well developed and thoughtful comments. I think that captures some of
the key issues. I think it is a good way to try to identify how we can move

DR. CARR: That’s great. Paul, do you have any concerns about making that

DR. TANG: I guess I would have to add that the context be part of all of
the pilot.

DR. FRANCIS: We could say pilot testing in different contexts.

DR. CARR: I just want to know, are we on the same page. We have a proposal.
We have a sense we want to add context, we want to talk about pilots. Is there
anything else that should or shouldn’t be there?

DR. SUAREZ: Does the proposal only do that?

DR. CARR: We will get there.

DR. SUAREZ: One thing, we defined sequestration to be the technical part.
We defined segmentation to be the way in which the information will be
classified. So testing sequestration techniques or technology without an
understanding of what is the policy definition of the data that is to be
sequestered is going to be challenging, I suppose.

So my addition to your suggestion, Larry, is to also include that
definition of what is it that needs to be tested in terms of sequestration,
with respect to the categories and the definitions of them. Without that, we
are testing sequestration of data that —

DR. CARR: There are a couple of other proposals out there. Marjorie thought
there would be value in saying, as you approach these sensitive things, here is
something we believe should not be sequestered. Is that something that ought to
be in the letter? Any objection or for or against consideration? Just let me
wrap up around the table. Is that something we should consider?

MS. GREENBERG: The things that you have already said in the letter.

DR. FRANCIS: That is what I was going to ask actually. If what we are going
to try to do is say some things about categories, we I think need to know from
everybody around the table whether there are any of these categories that
should be dropped completely, whether there are any categories that should be
added, and whether there is anything that was said about one of the others,
this was what I was trying to follow up on there, that should be dropped
completely or anything that should be added.

MS. MILAM: Thinking about the tension between the status quo, where we have
defined categories in law, where from the testimony we heard they don’t always
match, I am hearing from a lot of the physicians around the table, they don’t
need the contextual needs, and they may not be relevant today.

I wonder if as part of these pilots we could revisit — this gets back to
what Paul said — the old HIPAA preemption issue. When HIPAA was passed, we
ended up with preemptions. So we have different rules in different places that
sometimes get in the way of health information exchange, and put in place the
difficult implementation specifications, constructs, barriers, and may not be
relevant today.

So I am wondering if part of the demo could include a comparison of these
categories versus the ability to have everybody have the same rules, but allow
the patient to identify information sensitive to them based on the context.

MR. LAND: I look at some of these categories from a public health
perspective. Some of these are already required under statutory. For example,
on the birth certificate, we have assisted reproduction on the birth
certificate. We have past pregnancy history on the birth certificate. Then you
have all your other public health laws in terms of genetic testing and newborn
screening and so forth.

So I get concerned here; we say these are sensitive, but we already have
agreed in a public arena that they are to be collected for certain purposes,
that we have a mixed message here.

DR. BERNSTEIN: There is nothing in there that says they shouldn’t be

MR. LAND: Well, I have the same argument that Marc has. If we are taking
the first step, then what is the second step? What is the implication here?

DR. BERNSTEIN: I just want to ask a question about that. If assisted
reproductive technology for instance is in the birth records, that is not
something that is automatically disclosed though in vital records for many
states, is that correct?

MR. LAND: It is being disclosed outside of the medical records to another
entity in the public health department.

DR. BERNSTEIN: But it is not a vital record you get in the newspaper when
your birth is —

MR. LAND: No, none of this is being disclosed anyway.

DR. BERNSTEIN: I just want to ask one question about the conversation. I
want to understand how the proposal that is on the table differs from what is
in the conclusion to this letter written now.

DR. CARR: Were you here for the before lunch discussions?

DR. BERNSTEIN: Yes, I was. But this says that we recommend HHS undertake
further refinement of the categories, studies of their technical
implementation, pilot testing, and provider and patient education. That is what
the conclusion of this letter is. It sounds like what we are proposing.

DR. CARR: We said we want the conclusion to be the opening paragraph.

DR. BERNSTEIN: Yes, I understand that. But we are talking about changing
what this letter is when it seems like the letter is doing what you are asking
to change to. I am missing something.

DR. CARR: I am trying to get on the table what are the areas of consensus.
You will then have building blocks to take back to work with and see what we
can come up with.

DR. TANG: I am going to refer back to Marjorie’s comment and particularly
Justine’s about how can be of use to the community, including ONC, and build on
what Sallie said and what Larry said.

Larry pretty much said what is not helpful and possibly in his mind is not
correct about what we did, which was attempt to define sensitive categories,
period. So what I think we might offer in contribution, which is following
Leslie’s lead, is, that is probably a major statement. If we understood what
makes categories inadequate or insufficient in helping people protect their
information, and what would make it sufficient, and Sallie mentioned context, I
think that is a new contribution that hasn’t been in the popular discussion
about this topic.

So in Marjorie’s white paper idea, I think that is the concept that we are
putting forward, and would need to test, rather than test something that some
of us think may be an old and unwise way of approaching the problem.

So I guess I am hearing a little bit of a — I hear the pilot testing and
developing more understanding about, but I’m not sure I hear the right thing
that we want. I know that is what you are trying to get out.

DR. CARR: We are at 2:15. We have work to do in the Standards Subcommittee,
Populations. Is there a cadre of people who are not in Standards and Population
who are available, who could meet with Leslie to begin to work on something for
discussion at the privacy meeting at 5 o’clock? Is that the next step?

DR. FRANCIS: I need more guidance, I think. Here are the three questions
that I don’t have a feel for at all. One question is whether there should be a
strategy of defining categories. A second question is whether these are ball
park the right categories. A third question is whether there are some aspects
of these categories that are just way wrong-headed as they currently sit.

It seems to me that unless there is clear full committee consensus, we
don’t know where to go on that.

DR. CARR: Let’s do a straw man now. Your first question is?

DR. FRANCIS: Should we continue to try to come up with tentative
definitions? All we are doing here is suggesting pilot testing of some
definitions, and technological feasibility of categories, should we keep with a
categorization strategy.

DR. CARR: So we are going to make an attempt to say these are the
categories and these are the considerations?

DR. FRANCIS: No, should we continue with a concept of categorization, where
what we are doing — whatever it is we are doing with it, whether it is about
disclosures, meeting legal requirements, whether it is about thinking about
this as tentative and pilot testing, or should we abandon any thoughts of

DR. FRANCIS: Is there anyone in favor of abandoning any thought of
categorization? Is there anyone who thinks we should abandon a strategy of
defining at least some categories? Not an exclusive list, but a list of at
least some.

If Paul thinks we shouldn’t, we are not going to have a consensus letter,
so that faces us with the question of where to go.

DR. CARR: What were questions two and three?

DR. FRANCIS: Question two is —

MS. GREENBERG: Did Paul say he was against it?

DR. CARR: Yes.

DR. FRANCIS: — are there any categories here that you would have us take
off the list, and are there any categories that aren’t on the list that you
would have us include?


DR. FRANCIS: Okay, which ones?

DR. GREEN: Most of them I would take off as categories. Sexual history,
social history, those as big categories, I would take them off the list as
saying you should necessarily pilot test that. So categorization, I have heard
no one propose a better idea for how to get to prudent sequestration other than
to do categorization.

This list, it is my opinion that this list is not achievable regardless of
how well ONC and the vendors might do in creating the capacity to do it. That
is why I would take some of them off.

DR. FRANCIS: So suppose we started with a list of four. We took those two
off the list. We took the sexual history and the social history off the list,
and we started with genetic information where there is GINA, substance abuse
where there is SAMHSA, because those are two places where there is clear law,
the mental health where there is law in many states, and the psychotherapy
notes, and the STDs —

DR. SUAREZ: STDS is sexually —

DR. FRANCIS: Yes, that is sexually transmitted diseases, that is not sexual
history, that is not reproductive history.

DR. CARR: There is law on genetics, on SAMHSA and in most states on mental

DR. FRANCIS: On mental health, and there is also law in most states on

MS. GREENBERG: What has the committee contributed if you are only citing
the law?

DR. SUAREZ: Larry, I don’t know if what you meant was the entire categories
or the way currently the category is practiced. Clearly sexual quality and
reproductive health information is an extensive category. There are laws that
affect that data. But maybe the way we are defining it in the letter is
bothering you.

DR. GREEN: Genetic information is inherent in any family history. Mental
health information is part of virtually every visit that any human being makes
to a doctor.

DR. SUAREZ: You are close to voting against categories, Larry.

DR. FRANCIS: Yes, why are you objecting in the first place?

DR. GREEN: Just find one that is narrow enough for pilot testing. I believe
what we are really after is the technical capacity to sequester, and that our
means to get there requires some segmentation of the database that can be

So for pilot testing, I don’t feel like we have to solve the problem of all
the information that we might want to segment, but we do have to find one or
two or three types of examples.

DR. FRANCIS: So let’s pick. What would be the types of examples that we
should pick?

DR. GREEN: I like the idea of dealing with something that is already the

DR. FRANCIS: So GINA, the GINA definition.

DR. GREEN: It seems to me from a policy perspective, that makes eminent
sense. That is something that we are being told we have to do.

DR. FRANCIS: So we will do the GINA one.

DR. CARR: So we have that. Paul, if we say we need to learn more and we are
going to use these two examples to help us learn more, substance abuse and
genetic, which are already law?

DR. TANG: That’s fine. When I say no categories, it is other than
prescribed by law.

DR. CARR: Okay, good.

DR. FRANCIS: Should we try the STD and the mental health ones too? I want
to know. Should we just stick with GINA and SAMHSA?

DR. CARR: I think so, because they are very clean. You have a third point.

DR. FRANCIS: Okay, we will do GINA and SAMHSA.

DR. CARR: Your third point was — ?

DR. FRANCIS: The GINA definition includes family history information. That
is a hard one. So it would be a good one to test. SAMHSA includes not only the
current treatment in substance abuse, we tracked the exact federal language in
SAMHSA part two, the part two regulations. Okay, we will do that.

DR. GREEN: I want to resurface Marjorie’s suggestion, because I believe
that this Privacy Committee work is quite substantial. I think it is better
than just about anything else that I am aware of. I would not like to see us
lose that. Marjorie’s suggestion about possibly creating a manuscript of some
sort that becomes an NCVHS document of our testimony, our hearings and our
findings and that sort of thing, I still think that is a good thing to have.

DR. CARR: I agree with that. Marjorie also had the suggestion, would it be
out of context to say we don’t believe you should sequester meds from med

DR. FRANCIS: That is all off the list, because those were all in different
— we were trying to be, we thought, leaders there, because we were trying to
balance the patient care questions. That is why that was in there.

DR. SUAREZ: Morphine and methadone.

DR. FRANCIS: Right, but that is why that was — so that capacity will be
developed in a way that meets SAMHSA, not in a different way, given the
guidance that we currently have. That is going to produce something — I don’t
know whether I can write or try to even draft a summary.

DR. CARR: I think we have a plan. I think we heard about the SAMHSA and the
genetic and what we put forward. Then I think the plan about a white paper to
pull together in a more opportunity to reflect. So the closing word, Marjorie.

MS. GREENBERG: Let me just say, if you want to stay with this multi-pronged
approach and do some type of white paper that I described the expectation would
not be that Leslie has to write this white paper. I would think that Leslie
could oversee a contractor or a consultant, a writer, who would take the
materials and —

DR. FRANCIS: That would be very nice. Can you hire us one, please?

MS. GREENBERG: Yes. No, I don’t want to leave that on the table that we are
then expecting Leslie to do that.

DR. CARR: Very good point.

DR. TANG: Larry, you have to join the Privacy discussion this afternoon.

DR. GREEN: I am going to Populations.

(Remarks off the record regarding dinner arrangements.)

DR. CARR: Now we need to adjourn. Bill, do you want to announce that you
were here, just for the record?

DR. SCANLON: Bill Scanlon, National Policy Forum, member of the committee,
no conflicts.

MS. GREENBERG: Jim and I probably should also, since we both got here after
the — Marjorie Greenberg, National Center for Health Statistics, Executive
Secretary to the committee.

MR. J. SCANLON: Jim Scanlon, Deputy Assistant Secretary for Planning and
Evaluation, staff director for the committee.

DR. CARR: So this full committee is adjourned.

(Whereupon, the meeting was adjourned.)