[This Transcript is Unedited]



Full Committee Meeting

September 16, 2010

Embassy Suites Crystal City Hotel
1300 Jefferson Davis Highway
Arlington, VA 22202

Proceedings by:
CASET Associates, Ltd.
Fairfax, Virginia 22030


Agenda Item: Opening and Welcome

DR. CARR: Welcome to the meeting of the National Committee on Vital and
Health Statistics. I’ll encourage everyone to take his or her seat and
discontinue sidebar conversations.

I’m Justine Carr, Caritas Christi Healthcare, chair of the Full Committee,
no conflicts.

DR. SUAREZ: Good morning, I’m Walter Suarez, Kaiser Permanente, no

DR. WARREN: Judy Warren, University of Kansas School of Nursing, member of
the committee, no conflicts.

DR. STEINWACHS: Don Steinwachs, Johns Hopkins University, member of the
committee, no conflicts.

DR. GREEN: Larry Green, University of Colorado, member of the committee, no

MS. MILAM: Sallie Milam, West Virginia Health Care Authority, member of the
committee, no conflicts.

MS. DOO: Lorraine Doo with the Office of E-Health Standards and Services at

MS. TRUDEL: Karen Trudel, CMS, liaison to the Full Committee.

DR. W. SCANLON: Bill Scanlon, National Policy Forum, member of the
committee, no conflicts.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and
Quality, liaison to the committee.

MR. HOUSTON: John Houston, University of Pittsburgh School of Medicine,

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the committee,
no conflicts.

(Introduction around the room)

Agenda Item: National Health Plan
Identifier, ACTION

DR. CARR: Thank you. All right, today the first order of business is
National Health Plan Identifier Action. Judy?

DR. WARREN: So what we did yesterday in our subcommittee meeting is we went
through both letters and taking into consideration the comments that we heard
in the full committee meeting, and then tried to get some clarity among the
members. And actually we had a very good discussion where we kind of went back
to first principles, pulled apart some of the basic issues, especially with the
health plan ID, and looked at it from a variety of perspectives, and that
helped us get some clarity. We also had Tammy from AMA, and we asked her to
help give us some information, and she was very helpful in bringing some of
that together and showing us some of the complexity that we were dealing with.

What we will do is try to get printed letters out for everybody. We have
them. As soon as the slides come up I’ll show you the high points that we
changed, and then just scroll through the letters and show you where we made
changes from what you currently have in your book.

This is not opening at all.

DR. CARR: Judy, in the interest of time do you want to just talk us through

DR. WARREN: Yes, so if you will just bring up the Operating Rule Letter

DR. CARR: You can still use your slides to give us the high points.

MS. DOO: Do you want the Operating Rule Letter or the Health Plan ID?

DR. CARR: The Health Plan ID is what is on the agenda.

DR. WARREN: So Lorraine, help me out here because there is a change there at
the beginning that wasn’t there in the letter that I had last night.

DR. SUAREZ: That is just what looks like a typo and or a quotation or a
citation. That first paragraph say, in parentheses, (improve the efficiency).

DR. WARREN: That was a direct quote with the three ellipsis coming in.

DR. SUAZREZ: It should be –

DR. WARREN: We can remove that.

Scroll on down, the changes are made in red text. I chose not to do the
strike through’s so that people could read what we have done.

DR. CARR: Judy, I am wondering if you want to take us through what are the
recommendations coming out and then bring us back to the specific language.
Will that work?

DR. WARREN: I’m sure it would work if I could figure out how to do that with
not having the slides. Let’s just walk through the letter. I think we’ll be

We were asked to put in there some sentence about that what we were showing
were examples that really were apples and oranges. There was no clear taxonomy
or anything in there. And actually that’s part of the problem. So we inserted
this sentence: “The above listing is provided for illustrative purposes
and does not constitute a recommended taxonomy that would assist in
understanding what is to be enumerated. There is no gold standard definition
for a health plan that can guide an enumeration process and who or what needs
to be enumerated.”

DR. CARR: I just need to do a check. I think what we want to do is to
articulate where we are with our recommendations, what we’re recommending, and
then to go through the letter. I think to get to the corrections, it’s hard to
follow the thought process without having the big picture. And so it sounds
like those PowerPoint slides are what you use. Is it something that you have a
copy of yourself that you could speak from?

MS. DOO: Walter has it and I’ll try and open it again while he’s speaking.

DR. CARR: Leslie, do you want to introduce yourself?

DR. FRANCIS: I’m Leslie Francis, University of Utah, Law and Philosophy, and
I have no conflicts and I am a member of the committee.

DR. WARREN: So, health plan identifier issues, there’s no consensus on the
details of the entities, organizations, and/or products to be enumerated.
That’s been a problem. So, over the last ten years industry has evolved and
created more products and intermediaries, which has really created some
problems in figuring out what needs to be enumerated. So, we recommend that CMS
consider entities that are not covered entities that are not subject to its
authority as being eligible to obtain health plan IDs. That will handle some of
the problems that are coming out.

Next slide. AEF and AMA recently submitted information that demonstrates a
potential consensus, and some of these should be pursued. And by recent I mean
within the last week, day, this week. Enhancements to —

DR. CARR: Just to clarify, submitted information that demonstrates potential
for consensus; consensus about what?

DR. WARREN: Of what a health plan ID should represent.

We’re looking to enhancements to Phase II operating rules should help
address some of the plan ID issues. And by that what we’re talking about is
within the standard there are several different places one could put a health
plan ID. So what we’re beginning to get some understanding is there may be more
than one health plan ID that needs to be in a transaction.

Now, I’m using health plan ID at the very global level, because we’re still
trying to hone in into exactly what it is that needs to be enumerated. There
are places within the standard for several different IDs. However, there’s no
agreement as to what should fit into each of those slots. And so the operating
rules would be a good place to clarify that, and then feed that information
back to X12 so that they can renew their standard and help us clarify that as
one of the processes that occurs.

We recommend that CMS identify and incorporate other provisions of the ACA
as appropriate. And so that was one of the things that Jim Scanlon was telling
us is that we’ve been given an assignment of certain sections within ACA. There
are other sections that the Department of Health is having to address. And as
they’re addressing them, they’re beginning to find out that they also have need
for a health plan ID. And they’re looking to us to develop that, but there may
be uses that we’re unaware of that they’re going to have that.

So Jim asked that we consider this and incorporate it. And that was a lot of
the concerns that Bill was having, because he’s been looking at other parts of

Okay, the next slide. So we got some help from our friends over the Internet
last night about the use of the BIN number and the routing information that
needs to go for the NCPDP standard. So the health plan ID should not be used
for routing in pharmacy transactions, the existing bin number and PCN must
continue to be used for the routing. There is a specific situation in
coordination of benefits where the health plan ID is used. There’s a place in
the NCPDP transactions for this coordination of benefit activity, and it’s not
for routing. So they will use the health plan ID, but not in terms of routing
the transaction.

Similarly, the X12 835 transaction is used to pay pharmacy claims, and the
health plan ID will need to be used by pharmacy industry in this transaction.
So this is where you start getting the overlap between the retail pharmacy and
the non-retail pharmacy transactions.

So those incorporate our major changes in health plan ID. Any questions?

DR. CARR: I know I’m going to be — I’m nothing if not consistent. But a
schematic that shows here’s the way the information flows, here’s what’s
broken, here’s what the fixes are, and here are the consequences, I think would
help us all to understand it. Some of this terminology is a little bit new to
us. I mean, is that possible in the next — can somebody sketch that out?

DR. SUAREZ: I mean, I think the question is in the letter what is it that we
needed to recommend. We have 15 recommendations; we talked about them
yesterday. There was only one area where there were issues, which was the level
of granularity of the identification of the health plans. That was only the
issue with the plan ID letter. All the other recommendations we talked about
including things like the actually number should be a 10-digit with the last
digit being a check digit, and things like that.

We talked about them yesterday. The group felt comfortable with them. The
only issue, of course, was this issue of how do we identify health plan. In the
letter we recommend two things. One, that every health plan at the legal entity
level be enumerated. And then, secondly, that beyond that we don’t recommend a
specific taxonomy for enumerating components of the health plan, like health
plan product. We didn’t feel that we had a good sense out of the hearing of
which way to go with respect to that. There was a wide variety of perspectives
on that. So our second recommendation with respect to that is that CMS would
work with the industry through groups that are already moving along to
determine which level of plan — below the plan — which level of taxonomy to
use to enumerate components, or plan products as we call them. That’s the
second recommendation.

And then we have a third recommendation about the fact that there are
entities that are not health plans that need to be identified in the
transaction, and that in order to get a number to be identified in the
transaction, they need to become eligible to obtain a number. So we make a
recommendation in the letter that CMS expand the eligibility of who can apply
for a number to include those entities. And those entities are intermediaries
that are, you know, that exist in the industry that we talked about yesterday,
like repricers and others, who without having any definition of who is eligible
to obtain a number, would not be able to be enumerated and would not be able to
be identified in the transaction. So those are the three recommendations we

The issue that was brought about was the second recommendation of the
granularity of the plan product enumeration. And that’s what we were trying to

DR. W. SCANLON: I think Justine’s point about a schematic, one of the issues
that it took a while to kind of come to these recommendations is it was hard to
visualize how these people would fit together. And given that we’re going to
have a discussion this afternoon about how do we influence our products, and
how do we adjust our products to have them have more impact. I think that there
is a potential role to try and be more explanatory to an audience that’s not as
steeped as we are. So the people that are intelligent can read this and say, I
get this.

We can’t do that this morning in terms of this letter. There’s a question of
whether we can focus on the recommendations, which I think are the right ones.
We’ve worked hard to get to these points. And then do a preamble that kind of
sets this out in some respects. It may be a verbal schematic, but it’s a clear
one. And that would be for the executive committee to approve that going
forward, because I think it really will add to the power of the letter if we
can make clear how these pieces fit together. And it wasn’t always clear; it
took us a while to get here.

MS. DOO: I concur with that. Partly what I was going to say is we certainly
made some effort through the environmental scan, and it’s still a very
complicated topic. And it’s really the standards experts that know it the best.
What Judy was referring to, we got a very good letter from AHIP and a very good
letter from AMA and a very good response from X12, which we’ve put into a chart
for ourselves to help us so that when it says financial responsibility, here’s
what the numbers could be. Here’s how they are presented in the standard, and
here’s the recommendation to reconcile it. We can share that with you, which
may help a little bit. But I still think that it’s appropriate from the
standpoint of NCVHS giving us input to focus on the recommendations because
it’s such a cumbersome process.

DR. CARR: Right. And so I agree that we should, I think with this framing
let’s look at the letter in terms of the recommendations and get consensus on
that. And, I agree, I think a little more work for the background material for
the final letter might be done and then approved by the executive.

DR. WARREN: The other thing is, in various testimonies, various people did
submit graphics of how they saw this happening. And all of that testimony is on
the web. Do you want those graphics extracted?

DR. CARR: If I were the Secretary, I would want to be able to understand the
letter as it — in my hand. I would probably not go to the web to look at those
other things. So I think to the extent that it’s one-stop shopping, I see it, I
get it, I move forward with it. Let’s take that offline.

DR. WARREN: Okay. So scroll on down to where the recommendations are. So, in
1.1 we have not made any changes other than to add the word “such”
for such enumeration.

DR. CARR: Okay. So let’s just read it. Clarify the definition of health plan
as specified in the HIPAA legislation for purposes of the health plan ID
eligibility and enumeration, including that property and casualty insurers and
workers comp plans are eligible for such enumeration.

DR. FRANCIS: Did you mean legislation or regulation?

DR. WARREN: Well, we’re not into legislation, we’re into the —

DR. FRANCIS: What’s the right term?

PARTICIPANT: Legislation. It was defined in the legislation.

DR. FRANCIS: It was defined in the legislation? Okay.


DR. CARR: Okay. So the first recommendation is to clarify the definition.

DR. FRANCIS: The reason I asked is that the citation is to the regulation.

DR. SUAREZ: So the first recommendation is really to clarify the definition
to include this other group.

DR. CARR: Great. Okay, Judy, do you want to read the second recommendation?

DR. WARREN: Work with the industry to reach consensus on names and
definitions for intermediary entities. Consider making these intermediary
entities eligible to obtain a health plan ID where there is a clear use case
for them to be enumerated.

DR. SUAREZ: So, here is the point that I was making that there are some
entities that need to be enumerated that are not currently health plans as we
know them. And in order for them to get a number they need to be made eligible
to obtain that number.

DR. SCANLON: It’s this question of elsewhere we talk about stakeholders, and
I think it would be probably best for a broader audience to universally use
stakeholders instead of industry, because that allows the flexibility in terms
of who it is we’re asking them to consult with.

DR. CARR: Okay. So the recommendation is to change the word from industry to
stakeholders. Is that acceptable?

DR. WARREN: I thought we had put stakeholders through.

DR. SCANLON: But right here it says industry.

DR. WARREN: I need to see the picture to see —

DR. HORNBROOK: Just a question, since I haven’t seen the whole thing, is the
word intermediary defined somewhere?

DR. SUAREZ: Yes, we describe it in the first page of the letter and give

DR. CARR: Is there someone who has the letter who could read the next

DR. WARREN: 1.2 was work with — and I didn’t catch industry there; it
should be stakeholders — to reach consensus on names and definitions for
intermediary entities. Consider making these intermediary entities eligible to
obtain a health plan ID where there is a clear use case to be enumerated. 1.3
is request industry input through groups such as WEDI, AHIP, NAIC, and the
DISMO committee for definitions of products to be used in plan enumeration by
October 31st, 2010, or other date as feasible by CMS.

DR. CARR: So, just to be clear, we’re recommending to the Secretary that
these groups as specified come together for consensus on the definition of
product, and that that be done by October 31st? And are they
configured to be able to do that? In other words, is there some standard
meeting? How does this happen? CMS calls a meeting?

DR. SUAREZ: This is not getting all the groups together; this is getting
input from the various groups. And so WEDI is already scheduled to have a
meeting next week that will come to provide input.

DR. CARR: So all of the groups will provide input to CMS? And then CMS will
decide based on the input?

DR. WARREN: Okay. So we’re recommending to the Secretary that they ask CMS,
who’s been tasked with doing the health plan identifier, to pull these groups
together in their deliberations.

DR. CARR: Okay. So that’s our recommendation, that these are the —

DR. WARREN: Right, and how CMS does that is up to them.

DR. HORNBROOK: Are self-funded companies considered HIPAA entities under the
HIPAA law? So if JCPenney offers its own health insurance to its own employees,
pays for it themselves?

DR. SUAREZ: Yes, they’re covered.

DR. WARREN: Okay. 1.4, collaborate across federal agencies and departments
to develop or identify consensus definitions affecting the identification of
health plans, including the Indian Health Service, Veterans’ Affairs,
Department of Defense, and the Federal Employee Health Benefit Program. And so
each one of these entities now, is currently working in this problem space. We
just want them all to work together so they come up with the same answer
instead of individual ones.

And then we had a friendly amendment, 1.5, written by our really good friend
and ad hoc subcommittee member. This is from Jim Scanlon. Coordinate to the
maximum feasible the development and implementation of the national health plan
identifier with other plan related requirements in the Affordable Care Act,
including the consumer health insurance web portal, the health insurance
exchanges, and the regulatory requirements for health plans. So that pulls us
in with all the other sections of the law.

DR. HORNBROOK: Why is FEHBP singled out here? If you’re going to put that
kind of energy in here, you should put in every single company that offers
group health benefits. And FEHBP is not an underwriter.

DR. CARR: You are talking to 1.4, collaborate across federal agencies and
departments to develop or identify consensus definitions affecting the
identification of a health plan. So, you’re saying if we’re giving examples, is
this an inclusion list?

DR. SUAREZ: I think what we’re saying is that the Federal Employee Health
Benefit Program contracts with a lot of health plans. They should be using the
same number.

DR. HORNBROOK: Yes, but so does Ford, and GM, and IBM.

DR. SCANLON: 1.3 is about consultation with private sector entities. 1.4 is
about consultation with public entities. And so we did try to expand 1.3 to be
an issue of stakeholders and have that. And the list is suggestive, such as,
okay? I don’t know who is the natural organization for the self-insured plans
or employers.

DR. HORNBROOK: Washington Business Group on Health?

DR. SCANLON: Well, but I don’t think we should go down that detailed. The
idea is take the “such as” seriously.

DR. CARR: Was there anyone else who wanted to comment about 1.4? Okay. And
we’ve covered 1.5; now let’s go on to 2. It may be good to just read the
observation so that the recommendations follow.

DR. WARREN: So the observation relating to terms and definitions associated
with entities to be enumerated, NCVHS observes that the health plan identifier
should fulfill the original intent of HIPAA to improve the efficiency of the
health care system by adopting standards for electronic exchange of health
information. As such the health plan identifier enumeration process needs to
ensure that the right entities, including at least the transaction recipient
administrator, and financially responsible party.

CMS defines the national payer ID, which is pre-HIPAA, as a system for
uniquely identifying all of the organizations and pay for health care services,
noting this is also known as a health plan ID, or plan ID. And this was a
suggestion from Larry that we incorporate that definition within the letter
itself, instead of just leaving it in the background information.

DR. CARR: Okay, any comments on that? Okay. How about recommendation 2.1?

DR. WARREN: Okay, 2.1. Initially enumerate all health plan legal entities as
defined in the HIPAA legislation and further clarified in regulation at — and
then we have a citation, and we’ll make sure those match up Leslie.

DR. CARR: Okay, comments? 2.2.

DR. WARREN: 2.2 we changed. Determine what level of health plan should be
enumerated using input from stakeholders and identify these in regulation. This
is the whole problem that we have with what should be enumerated. And we really
felt that it needs to have a lot more looking into, because of the
intermediaries, and because of the different ways these are used in
transactions, we’re still not sure after yesterday that it’s the product. We
were using product in a very generic way, and there was a lot of concern about
the use of that particular word. And so we came in to determine at what level
of health plan should be enumerated. And so we’ve already pulled together the
groups that should be looking at this. So that’s our compromise statement. If
anybody has any other way of stating this, that would be —

DR. CARR: Well, it sounds like we don’t have — there’s information that
needs to be gathered. And we don’t have it today, and it will be gathered. And
I think it’s helpful to identify that that’s a key thing for evaluation. Mark?

DR. HORNBROOK: I just assume everybody understands that we have moved in
this industry way away from standardized benefits. Most health plans are
willing to negotiate a health plan product with any purchaser, tailored to that
individual purchaser. So inside Kaiser, every company can have a different
specific type of product coverage.

DR. WARREN: There are going to be a lot of numbers. And that’s why we took
out product level.

DR. CARR: And I think that’s why having a schematic of what it is that
we’re, you know, where these touch points are for people like me, maybe Bill,
it would be helpful; hopefully the Secretary, too.

DR. SCANLON: A number of folks, when they think about the plan identifier
and the context of the Affordable Care Act, I don’t think they would find it
useful if it wasn’t somehow linked to the products. So even if it’s not part of
the — you know, having a firm name — well, it would just depend on
definition, I guess. But if you were not able to link that to the products in
some degree and in some manner, are we as a principle saying that we believe,
or we heard that —

DR. CARR: I think the end game is that we take work out, so if you don’t
have sufficient information to understand what the person is eligible for,
we’ve done a lot of work without achieving the goal. So I think that that’s
really important to state.

DR. TANG: I just want to understand better. How do you do it without getting
each one of those variants?

DR. CARR: I think we want to state our guiding principle of what has to
happen. Things have to get simpler and we have to be able to know what someone
is eligible for. And how we get there may involve a lot of numbers, but it
needs further study.

DR. TANG: I guess my question is why does it need further study? How could
you not get it down to the product level if I want to know if this person is
eligible for this benefit and how much they should pay or not pay? I
fundamentally don’t understand it. And I think the states regulate the product
level, as well, don’t they, Mark? You literally have to get that product
certified or approved.

DR. CARR: I mean, would it help to have the recommendation say determine
what level of health plan should be enumerated using input from — what level
of health plan should be enumerated to achieve simplification or to achieve

DR. SUAREZ: We’re already stating the observation that the health plan
should fulfill the original intent of HIPAA to improve the efficiency of the
health care system. So we already stated as a principle of the observation.

DR. SCANLON: I think that this was one of our key recommendations and that
it was essential that we do have the word product in it. I mean we originally
had it as a health plan. What qualifies as a health plan at the product level
to be enumerated, okay? And I understand sort of that it increases the
complexity greatly, but what we’re saying here is through a consultative
process we’ll determine sort of what is both feasible and needed. And I think
trying to say what’s needed would be a much more expensive path. It’s better
for us to in some respects be ambitious in this recommendation as opposed to
sort of trying to finesse it and going some other way. And I also, with this
principle, level of health plan doesn’t — product level is ambiguous enough;
level of health plan is —

DR. CARR: Are you suggesting an amendment to this?

DR. SCANLON: We go back to the original, which is what qualifies as a health
plan at the product level. Determine what qualifies as a health plan at the
product level to be enumerated. That was the language in the draft that was

DR. FRANCIS: Well, I was wondering actually something along the same lines,
but maybe a little more vague, which was to determine at what level health
plans should be enumerated, rather than — because it sounds like there are
levels of plans in the way it’s currently done, and that’s kind of weird. So if
what we did was say something like at —

DR. CARR: All right. What I’m hearing us say is that we want to make it
clear that there has to be sufficient detail to achieve the goals of
simplification. And there are many ways to state this. I heard Bill say that to
just say at what level the plan should be stated leaves it open, needs a
modifier to achieve something. Or we can say product level, but product, the
implications of that are —

DR. CRONIN: So instead of (inaudible) product, can you enumerate specific
types of coverage that you think are important? And then you would have a
finite set of possibilities.

DR. CARR: I don’t think so.

DR. SUAREZ: At the bottom of the first page, beginning of the second page of
the letter we describe or explain that there are different types, forms, and
arrangements of plan components. They include things like lines of business or
market segment, such as medical, dental, property, types of products or
categories, such as PPO, HMO, indemnity, and specific products, such as PPO
Gold or Medicare. So we provide examples of the various levels of
categorization that one could go down within a health plan to enumerate. But we
explain in that segment of the letter that there is no way to determine that at
this point, the right way to do it.

DR. CARR: Okay. So why did we take product out?

DR. SUAREZ: Because that was one of the three or four different ways to
categorize health plans. You can categorize by product, by line of business, by
product specificity even within a product.

DR. WARREN: Part of the issue is once upon a time we had health plans,
everybody knew what they were, and it wasn’t that complicated. You know, since
HIPAA has passed there have been new ways of doing business, and so we have
lots more entities in there that are in the health plan arena. And these are
the repricers, the rental networks, and all of these people that work in the
background that are now part of these transactions. And so it’s trying to find
the appropriate things to call a health plan that we can identify that will
answer all of the efficiencies that we need.

DR. CARR: Is it possible to say at what level of detail a health plan should
be enumerated?

DR. WARREN: Well, but what may also come out here is that it’s going to take
us more than one in a transaction statement.

DR. FRANCIS: What about levels? That’s why it should be levels.

DR. WARREN: Well, but in a transaction statement there are several different
slots for different kinds of identifiers. It may be a cluster of identifiers
that we need. And we’ve only been tasked with doing one of those.

DR. SUAREZ: One way to address that is to suggest maybe determine at what
level a health plan should be enumerated, and then in parentheses give one or
two examples.

DR. CARR: We could, that’s a way — give examples.

DR. TANG: I want to go back to Justine’s principle of being simple, which
means being understandable. And I think because of what you said in terms of
how a health plan used to be one plan, one product, when we call all of these
things health plan identifiers, I think actually that’s very confusing and
contributes to this thing. If we separate from the end user, they just need to
know a number to go find out details and call that product number. Then on the
back end we can get all the information necessary to support that transaction.
Even if just relabeling it helps the understanding, that’s a big

DR. CARR: Right. So I think I heard Judy say that — or Walter — we’ve
enumerated products, lines of business, and so on. So it may be the term
product is already being used for the specific level.

DR. WARREN: Can I just ask Paul to clarify? So you’re saying that maybe the
use of health plan identifier is what’s creating the problem? And if we suggest
to get rid of that, and then come up with whatever it is that we’re supposed to
enumerate —

DR. TANG: Well, to speak of health plan identifier as the back end side, the
only thing that faces the doctor and consumer is the product number. It’s
almost like a UPC code. And when I zap that, I understand what that product is.
It really doesn’t matter to these folks who the plan is, et cetera. But clearly
when you zap this, you’re going to find out traceably where to go to the right
people to talk about particulars. But that doesn’t concern the people who see
the UPC code. And to me that almost makes it so much easier this side of the
house, and then puts some of the details in the back end. And I don’t know
whether that’s a helpful construct, but it certainly —

DR. CARR: That’s a great suggestion. Let me go to Marjorie, then Bill, then

MS. GREENBERG: I know I’ve been in other venues deliberating this issue for
about 20 years, so it’s not surprising that it’s so difficult. And over those
20 years, it’s gotten much more difficult. And so I can understand why the
committee at this point is not prepared to make a definitive recommendation and
is recommending that the department has to determine, ultimately, what it’s
going to recommend. And, of course, then there will be public comment — I
assume. There’s no public comment? Okay. It’s an interim final rule; so that’s
it? Well, I thought you could comment on an interim final rule?

MS. DOO: You can, but only if it’s substantive changes to be made.

MS. GREENBERG: Okay. But, given all of that, I think in addition to saying
determine at what level it should be enumerated, I really support what Justine
was suggesting, that the committee give some guiding principles. So, even if
you don’t want to say it should be done at the product level because of all of
the definitional or other issues, ultimately what does the committee feel that
this enumeration needs to accomplish? What does it need to tell people who are
using the transactions or attempting to — particularly in looking at the
crossover to the additional uses that Jim noted, which I think was a very good
addition — ultimately, what do people need this to identify for them? And
because I think there’s too much passing the buck, in a sense, saying this is
really complicated and you guys have got to figure this out. So somewhere
between a specific recommendation and guiding principles. I don’t know what
those are, but –

DR. SCANLON: Two things. One, I think, Paul, in terms of what you were
saying. One of the issues of confusion that we will hopefully clear up in the
preamble is that there will not be sort of a single number that a physician
deals with. Because that may not be adequate to deal with that physician’s
needs. There may be a health plan identifier that identifies the company and
sort of the type of product, but that particular physician may have to send
this particular claim off to somebody else, and that’s where the intermediary’s
role is, and there needs to be a number so they know where to send that claim.
And that may very within a product, so it’s kind of not like a unique mapping.

So, this notion of plural numbers — and this has been part of — we started
with legislative language, which is not helpful because the world has gotten
much more complicated. And so trying to clarify some of that in our preamble I
think is important for everybody then to understand things.

Coming back to this recommendation, the heart of this relative to the
recommendation that we added prior in terms of taking into account all of the
aspects of the changing insurance world, is the product level. And that’s why I
think that it’s essential that we have it here, because the earlier
description, which we made a comment that it doesn’t constitute a taxonomy,
because it’s just this collection of different things. If you go to the wrong
focus there, if you get line of business, whether it’s medical or dental, it’s
a total waste of time. Don’t even bother to get a number, okay? It’s not going
to help anybody anywhere. We need to have enough specificity that we know
something about what is being dealt with, because if we don’t, then we’re just
collecting data and we’re not being able to use it.

DR. CARR: So, are you saying that we put the product level back into this

DR. SCANLON: We either leave it as product level sort of, or product level
other categories. The word level kind of contains a certain amount of
hierarchy, and I think that’s the wrong impression. There are product level or
other categorizations. I mean, if there’s a concern, leave it vague, but I
think we get across the sense — and this is not kicking it totally to the curb
and saying we don’t have any views on this. It’s saying we do have a view:
product level is important in the broader context, not just the efficiency of
transactions, but the efficiency of the overall system.

DR. CARR: So I have Walter, then Mark, then Paul.

DR. SUAREZ: Well, I was just going to suggest in my previous suggestion
about including an example, determine at what level, including product level, a
health plan should be enumerated. So, if product level is one of the levels of
health plan enumeration.

DR. CARR: Okay. Would that work?

DR. SUAREZ: So determine at what level, comma, “including product
level,” comma, a health plan should be enumerated.

DR. CARR: Excellent. Okay. So that’s good. Okay, now Mark.

DR. HORNBROOK: One of the problems here is that we’re stuck with the notion
of health plan from the supplier side coming down. I wondered if it would be
possible without doing violence to all of the legislation to simply define the
health plan — that word — from the consumer’s perspective, so the health plan
is what the consumer actually has, which is therefore a specific product, set
of benefits. I mean, remember that you can have a health plan that’s a triple
option; same underwriter, but three different plans. And you can have consumer
directed health plans, you can have network plans — it’s just incredible
variety. And I would offer the national drug code as a model, because the
national drug code in one number comes down to a specific product from a
specific manufacturer and specific dosage for, and they’re the root of
administration by stringing all of that together because they need to identify
a unique pill at a unique point in time.

DR. WARREN: That’s what we tried to do in the last sentence of the
observation: CMS defined…

DR. CARR: CMS defined national payer ID.

DR. WARREN: Which is the same thing as health plan ID — as a system for
uniquely identifying all organizations that pay for the health care services.

DR. HORNBROOK: But you’re still following the dollars down rather than the
consumer back. I’m just trying to flip that on it’s head.

DR. WARREN: So from the consumer back, my health plan ID is all of those
people that pay for my health care services.

DR. HORNBROOK: No, it’s the plan that covers my health care.

DR. CARR: Are you saying that the number should have intelligence in it,
because I thought we initially —

DR. SCANLON: I think that’s a separate issue. I am in total agreement with
you. I’m using the word product level to mean exactly what you’re saying. If I
go and buy a policy and here’s my premium, what’s the set of benefits, what’s
the networks, and what’s the cost sharing? Those are the things that I want to
define the product level, because I want to know what happens under that

So we’re in total agreement. I guess the only concern I would have is if the
word product level doesn’t convey that.

DR. SUAREZ: That’s why we’re trying to leave it generic in the concept, you
know, because if we begin to granularly define specifically what a product is,
we’re already telling CMS to enumerated that.

DR. SCANLON: There’s a difference, I think though, between us defining the
product, and us basically making the recommendation that Mark and I are making,
which is this is the kind of detail that we need. And because the generic —
there’s the issue that they could opt for line of business. Again, I would
oppose that. I would vote against that because I think that does not provide
useful information. Whereas, what Mark and I are saying — and this is up to
the rest of the committee to think about — but what we’re saying is useful
information is going to be down at this level of what the consumer has
purchased as a policy.

DR. TANG: I want to check my understanding to make sure as you describe the
— actually this product, you’d have to go send your claim over here, and for
this product you have to — Now, it sounded like you were following the
fragmented footsteps of health information exchange. And I’m wondering if
there’s a way to leapfrog that and go to some kind of clearinghouse mechanism
instead of first figuring out how to go do the peer-to-peer, the
point-to-point, which contains all the knowledge at each of these nodes, rather
than just having a product number here — here’s my ticket to going to both get
information about the eligibility, as well as send it. But you’ve shifted that
over to a clearinghouse. Is that even reasonable?

DR. CARR: Even the clearinghouse needs to identify what they have.

DR. TANG: Then why did you say that you had to —

DR. SCANLON: Well, I guess this is because some of these issues are way
above my pay grade. But in talking about this through the hearings and the
discussions that we’ve had, it became clear that there are multiple purposes
going on, including sort of this processing of the transaction. We’ve heard
from the providers about the difficulties that they’re having. And the issue is
how do we accommodate all of these different objectives? And can you do it
through a single number, or do you need to do it through multiple numbers? If
there are multiple numbers, I mean there is this question of where do you get
the multiple numbers.

We also heard about wanting information, and there is this role for
potentially a clearinghouse, which is where a number points to a database. And
those kinds of things, I think, are not all in this letter.

DR. CARR: All right. Let’s go — what I want to do, we’re on page 3 of 7.
I’d like to get through the recommendations and keep notes on what we need.
Now, Larry had a comment.

DR. GREEN: I want to refer us back to our environmental scan for this
letter. And pages 12 and 13, that’s where the use case for using this is laid
out and these different levels that we’re talking about were characterized,
described, and referenced back to the law, and where we are with stuff.

And so, in that table that’s on page 12, we have the health plan, and then
further down we’ve got the product. There are definitions of health plan in
this scan; there is not definition of product. The closest thing to it is it’s
what the individual buys. So, to get this into the letter, it seems to me we
must incorporate into the letter something that declares what the word product
means in this letter to achieve what Bill, and Mark, and others are advocating

DR. SUAREZ: I thought it was in the first page of the letter.

DR. WARREN: So we haven’t looked at the intro to the letter. We did a lot of
that in the introduction to the letter.

DR. GREEN: So what is the definition of a product?

DR. SUAREZ: We actually define different things. We define line of business
or market segment, such as medical, dental, property, or casualty, types or
categories of insurances programs, such as PPO, HMO, indemnity, Medicare
Advantage, Medicaid, and the specific products, such as PPO Gold, inside PPO.
So it’s defined by virtue of providing example.

DR. GREEN: Okay. So, that’s consistent with what I’m saying the
environmental scan —

DR. SUAREZ: Exactly, we tried to pull it from there. What I wanted to ask is
if in the version 2.2 are we addressing what you’re — Bill and Mark? I think
we are telling in 2.2 that CMS should determine at which level including
product — and now we have benefit package in parentheses — level a health
plan should be enumerated. So, does that address at least that concern?

DR. SCANLON: Well, but I think also to Larry’s concern, in the original we
had a sentence in the observation that products typically are defined by
service areas, set of benefits, services and network of providers.

DR. CARR: And we can put that back in.

DR. SCANLON: And I think that is more instructive in terms of what it is we
mean by product level.

DR. CARR: Okay, great. Let’s add that back.

DR. HORNBROOK: One of the principles here I’ve heard around the table is
that there is an exchange going on between the consumer and the provider, and
they want to know the details of the insurance in that transaction. So that
might be a principle we should enumerate, that these two parties that are
dealing with point-of-service decisions, clinical decisions, need to know what
the business aspects are, what the insurance coverage is.

DR. CARR: I was talking about that in the schematic, but to know what is the
end game of, you know, after we’ve done all of this, what gets better. And how
will we know that we’ve achieved our goal? Right, we’ll come back to that. Do
you want to try number 3?

DR. WARREN: So, number 3 is observations for format and content of the
health plan identifier. The NCVHS heard testimony from a wide range of
potential users —

DR. CARR: If this will stand by itself, why don’t you go to that, and if we
need to go back, we will.

DR. WARREN: Okay, 3.1, adopt a health plan identifier that follows the ISO
standard 7812 with a Luhn check digit as the 10th digit.

PARTICIPANT: Do we need to be specific? What if we need 11?

DR. WARREN: This is a standard with nine digits, and there’s no way we can
use up all of the numbers.

DR. FITZMAURICE: We might be able to use up all the numbers if we enumerate
products and go across time. I mean, what is it, 333? I don’t know how many
digits that is, but God gave us an infinite number of numbers; why are we
restricted to ten digits?

DR. SCANLON: Well, but I think we’re not sort of into all of the operational
details here. And I think that one of the things that needs to be considered is
what’s the minimum amount of information that you need to do something. And I
think changing these IDs every time a product changes, when it changes
completely — like if I’m buying Humana Gold under Medicare Advantage for 2010,
and it’s constant for 2010; 2011 it’s different, okay? Take the date, and then
match it with the ID. Don’t change the ID every time the year changes. We know
that every year the products change, and virtually every insurance program. So,
thinking about how do you pull together information to get you what you need as
opposed to making this process so cumbersome that every time you turn around
you’ve got to go get a new ID.

DR. SUAREZ: This is the exact same ID as the NPI. It’s the exact same
standard, the ten digit — a ten digit will give you in one row starting with
a, say, eight, will give you a billion option — 999 million, 999 billion. And
we would have perhaps two or three rows, so we have three billion options. I
think we will be covered for the next several years.

DR. HORNBROOK: Bill just suggested adding in intelligence, that is adding
year information.

DR. WARREN: No, no, no; not in the ID. It’s in a separate part of the
transaction, a separate part of the database. We’re talking about one slot in a
transaction standard that the ID of a health plan will go into. What Bill’s
getting into now, is you don’t just have that one piece of information. You’ve
got a whole database somewhere that someone’s put together that they can put
that ID number into. So if you want to query that database, you can query it on
the ID number and a date. So don’t get databases and an ID number confused.

DR. CARR: So, is 3.1 stated in a way that we find acceptable in 3.2? Okay.
And 3.2 makes the statement not to have embedded intelligence in the numbers.

DR. FITZMAURICE: Justine, just a clarifying question: so the Luhn check
digit is the 10th digit. That doesn’t mean you can’t have 15 digits,

DR. SUAREZ: No, you cannot have 15. That would violate the standard.

DR. FITZMAURICE: It would violate the standard? Suppose we get up to a
couple billion. I mean, I can see that — I think Mark is right, you can
uniquely identify the product without a number and a date, and the number might
just as well include the date, or you have those two identifiers that have to
be concatenated in order to identify the product.

DR. SUAREZ: You don’t need that information in the actual ID is what I think
we’re saying. You need the ID and that information about the date when that
starts and what ends goes in the database.

DR. SCANLON: To get to a billion there has to be more than three health plan
IDs for every living person in the U.S. That seems — that’s a future I’m not
going to worry about.

DR. CARR: You’re saying three per person, you think that’s excessive?

DR. SCANLON: Three plan IDs for a person?

DR. CARR: Over their lifetime.

DR. FITZMAURICE: That’s not excessive.

DR. SCANLON: No, no. But I’m saying that we don’t have to know — there
doesn’t have to be sort of a different ID for every year. Each person has a
health plan at a given point in time. We know the date, we know the person and
their plan; that’s enough. I mean, I’m thinking that maybe three million would
be sort of more than adequate.

DR. CARR: Maybe I’m not understanding this, but there is a growing
literature of people hopping from plan to plan.

DR. SCANLON: And when they do, they — I mean, we’re not tying this to a
person. I’m just saying about how many unique plans are we going to have out
there. When they do, then their number changes. But the plan numbers don’t have
to change.

DR. SUAREZ: We’re not giving IDs to people; we’re giving IDs to plans.

DR. SCANLON: And, you know, think about what’s going to be the population
within a single plan. It’s probably going to be in the tens of thousands as
opposed to millions.

DR. WARREN: Just to make everybody happy, if we run out of numbers, we can
go to ISO and say instead of nine digits, shift to an OID that is a 32-bit
character or 64-bit character, and we’ll never run out. So, don’t worry about
that. We’ll shift that back to ISO.

DR. CARR: Thank you. Let’s move on to 4.

DR. WARREN: So 4 is about the database that is used to actually issue these
numbers. So we recommend that the Department establish a health plan ID
enumeration system and process supported by a robust online directory database.
This is the same way that we implemented the MPI. Any questions? Okay, 4.2.

DR. FITZMAURICE: Does that mean that when we enumerate the health plans we
go to the state insurance commissioners and say give us identification for each

DR. WARREN: We’ve not told CMS how to do this.

DR. CARR: I’m doing time checks here. I know that maybe we have less detail
in our next letter, but I want to just keep moving this along so that we have
sufficient time.

DR. WARREN: 4.2, direct CMS to work with stakeholders, including other
federal agencies, to identify the minimum necessary data elements for the
directory database. Consideration should be given to the employer
identification number, taxpayer identification number, National Association of
Insurance commissioner identifier, source of payment typology, and other
identifiers that may assist in supporting the need to appropriately identify
health plans and administrative transactions and in the development and use of
standards and operating rules.

The database should be sufficiently flexible to enable additional
information to be added initially at the discretion of the entity and
potentially in the future as a requirement by HHS. So I think that gets at what
Mike was concerned about. Any questions?

Okay, 4.3, require the entity enumerated to maintain all information
according to a published schedule of updates or more often as appropriate to
maintain accuracy. If there are no changes at the time of a scheduled update,
the date information was validated should signify that the entity is reviewed
and is confirming the data as being current. In other words, the health plans
themselves enter their data into this to get their number, and they are
responsible for making sure that everything there is accurate.

4.4, make available appropriate information from the health plan identifier
directory database to support the sufficient and accurate exchange of

4.5, consider for the future requiring that the health plan identifier
system enable electronic transactions with the directory database for users or
their systems to obtain information and route transactions more efficiently and
effectively. So we were trying to look into the future where we actually have
information systems talking to each other without people doing that. Any

Okay. Let’s go down to recommendations for 5. 5.1, not require the health
plan identifier to be used in place of the existing Rx BIN and PCN identifiers
for routing retail pharmacy transactions.

5.2, require the use of the health plan identifier on only those retail
pharmacy transactions that use ASC, X12, or other non-NCPDP standard
transactions. However, versions of these non-NCPDP standards should also
continue to accommodate recording the Rx BIN/PCN to facilitate retail pharmacy
transaction processing.

DR. CARR: Any comment? Hearing none, keep going.

DR. WARREN: Okay. Down to recommendation 6. So, 6.1, consider the effective
date of October 1, 2012 to be interpreted as the date to begin registering for
a health plan ID. As such, subsequent phases should include time for
enumeration and testing before a final implementation date. Phases should
include October 1, 2012 to March 31, 2013 as the enumeration phase, April 1,
2013 to September 30th, 2013 for testing, and October 1, 2013 for
implementation. We did this because we’ve had a condition of trying to make
reasonable request, and there was a little — they didn’t say implementation
date; they said effective date. And there’s some concern about how that should
be interpreted.

DR. CARR: What are we doing between October 1, 2010 and 2012?

DR. SUAREZ: Writing the regulation.

DR. CARR: Two years.

DR. SUAREZ: Establishing the system that will enumerate.

DR. CARR: Okay. It might be worth putting that in there, what we’re doing in
the time before implementation.

MS. DOO: Are you recommend we write the regulation —

DR. CARR: No, I’m just saying we’re writing the letter in September of 2010,
and the first action will be 2012. So, do we want to say what we’re doing
between now and 2012?

DR. SUAREZ: So maybe a statement about this will give enough time to develop
the regulation and establish the system of enumeration.

DR. CARR: I think it would help support why we’re not enumerating beginning

DR. SUAREZ: Absolutely. I think that’s a very good point.

DR. CARR: Or I would even put your timeline as, whatever it is, October —

DR. WARREN: We can do that. So add two bullets, one for writing the
regulation, and —

DR. SUAREZ: Well, I would caution about that because it’s like telling CMS
this is when you have to write the rules. They can take six months or six
years. So I would just say if we give the statement this will ensure sufficient
time for publication of the regulation and development of the system for
enumeration, I think that will at least give the sense that that’s why we are
asking that the interpretation of the date in the law be —

DR. CARR: Okay. I’m just saying, if we’re asking for that interpretation, I
want to have clarity around the reason why. And I think the sentence is
helpful. Are there any other comments? Okay, 6.2.

DR. WARREN: Describe in regulation the potential purposes and uses of the
health plan identifier, including its uses in standard transactions, potential
uses for health information exchange, and other uses. While purposes should not
be restricted, the initial focus should be on enumerating entities for use in
the financial and administrative transactions.

DR. CARR: Comments? Hearing none, 6.3.

DR. WARREN: Okay. And then 6.3 is we want them to accommodate bulk
enumeration of health plan IDs as applicable. That’s because a lot of companies
already have existing IDs and they have it where they can bulk load it instead
of entering one at a time.

DR. CARR: Okay. Number 7.

DR. WARREN: Okay, 7. 7.1, provide sufficient time and guidance for testing
of the health plan ID and transactions prior to use.

7.2, allow for a period during which dual use of legacy health plan
identifiers and the new health plan identifier is permitted in the

MS. DOO: The only challenge with this, and I don’t think anyone from X12 is
here, I don’t think the transaction allows for it. So that may be an issue that
either the operating rules will work on, or the industry will decide other

DR. CARR: So, do we need to add some qualifying language there?

DR. SUAREZ: That’s appropriate at the end: if it’s permitted in the
transactions. That’s appropriate.

MS. TRUDEL: Dual use can actually mean two different things. It can mean
that you can send a transaction with one or the other, or it means you can send
it with both. You can’t send both, but you could do a dual-use period with one
or the other.

DR. WARREN: Recommendation 8.1 is encourage the adoption of a health plan
identifier in health plan identification cards. That came up quite a bit in
testimony that it be used on cards.

DR. CARR: Okay, great. 9.1.

DR. WARREN: 9.1 — and this is our last one — is we strongly encourage the
industry to enhance operating rules for the financial and administrative
transactions to support the use of the health plan identifier.

DR. CARR: Excellent work. Is there any concern that anyone has that hasn’t
come out yet about this letter? Okay. Hearing none, I think that we’ve got our
recommendations well done, and I think that what we’d like — we haven’t’ done
a complete read through, so in terms of the final — how do we do this?

MS. GREENBERG: I think you can vote on the letter and to be finalized with
the executive subcommittee.

DR. CARR: Okay. Does someone want to make a motion to approve these


DR. CARR: Okay. All in favor?

(Participants affirm verbally.)

Any dissent?

(No response.)

Okay. So we’re good with the recommendations.


Agenda Item: Letter on Operating Rules,

DR. CARR: Okay. We need to move on to the operating rules, and I guess then
we have a break. Are we good with moving along? All right. Moving right along
to operating rules.

DR. WARREN: So, in operating rules remember part of our task was to tell the
Secretary whether or not an entity met the criteria in the law to become an
operating rules entity. So, in the first one, it’s NCVHS advises the Secretary
that: and 1.1 is CAQH CORE meets the requirements as the authoring entity for
operating rules for non-retail pharmacy related eligibility. We put in the
standards for that and claim status, and we added the standards in for that for
eligibility and claim status transactions. With additional qualifying
requirements addressed and recommendations below. Any question there? Okay.

1.2, NCPDP meets the requirements as the authoring entity for retail
pharmacy related eligibility transactions, telecommunications standard
implementation guide version D.0 with additional qualified requirements
addressed in recommendations below. And in parentheses, note the pharmacy
industry does not currently use the claim status transaction.

So now, recommendations for HHS. 1.3, require authoring entities to maintain
minutes, attendance, voting records, and other appropriate documentation that
will help NCVHS conduct verification that the authoring entities have utilized
an open, consensus-driven process with broad stakeholder participation, and
provided an opportunity for public comment in authoring any new operating rules
or new versions of existing operating rules consistent with such processes
followed by ANSI-accredited standards development organizations. Please note
that we’re not requiring them to become ANSI accredited, just to use those
processes of openness. Any comments?

And I just want to remind the committee at this point that this law does
require that NCVHS follow these entities over time, much of the way we’ve had
to follow the DISMOs under HIPAA. So this is an ongoing responsibility that the
committee will have.

1.4, continue to use NCVHS and its open process to evaluate, select and
recommend any new qualifying operating rules authoring entities when it comes
time to adopt operating rules for other transactions or for newer versions of
the operating rules for the transactions for which CAQH CORE and NCPDP are
being recommended to be the named authoring entities.

DR. CARR: We won’t wordsmith it now, but we think we know what it means.

DR. WARREN: Well, one of the concerns we had was trying to use the language
in the law, because they were very specific.

1.5, not require use of additional separate operating rules for use in NCPDP
transactions beyond those that NCPDP has already adopted and might develop in
the future as part of their implementation guides during normal versioning

DR. CARR: Any comments? No comments, move on.

DR. WARREN: Okay. 2.1, adopt CAQH CORE phase I and phase II operating rules
for non-retail pharmacy eligibility and then in parentheses we’ve listed the
standards. And claim status, again, we listed the status, the numbers for those

2.2, strongly encourage CAQH CORE to collaborate with relevant stakeholders
such as Medicaid agencies and states to identify priority elements and best
practices, and in parentheses, those items with the best ROI opportunities to
upgrade phase II using this opportunity to pilot new consensus development
approaches, and submit the enhanced phase II to NCVHS in time for its December

2.3, adopt for retail pharmacy related eligibility transactions the
operating rules incorporated by NCPDP and the telecommunications standard
implementation guide, version D.0.

2.4, require that the specific versions of CAQH CORE — and that should be
phase I and phase II — and NCPDP operating rules adopted by regulation not be
altered until a new version is adopted by regulation.

DR. CARR: Now, if we get recommendations in December, how does that?

DR. WARREN: The regulation will not have been written by that time. We’ll
just change our recommendation. We have this short window of opportunity before
the regulations get written.

DR. CARR: Do we want to clarify that?

DR. WARREN: It’s up in the observations.

DR. CARR: Okay, great.

DR. WARREN: Recommendation 3.1, ensure that any changes to the content of a
standards implementation guide being considered for inclusion in future
versions of operating rules be evaluated by the DISMO committee. This
evaluation would ensure that the operating rule is not attempting to add,
change, or remove requirements defined by the implementation guide.

DR. CARR: So, the DISMO committee will evaluate it? I mean, we’re assuming
then when they’ve evaluated it, that information would be fed back.

DR. WARREN: DISMO reports to us as part of the HIPAA process that we were
given. And we’ll get into some of that.

3.2, request, consistent with recommendation in section 2 above, that CAQH
CORE establish an open process to receive, evaluate, and incorporate into the
updated version of — yes, it should be Phase I and Phase II operating rules —
to be adopted. Additional items received from states and other entities that
have adopted standard operating rules, companion guides, implementation
specifications or best practices.

3.3, direct authoring entities to enable operating rules to be — recognize
that the content that NCPDP has incorporated into telecommunication standard
implementation guide version D.0 meets the requirements for the operating rules
for retail pharmacy eligibility transactions.

3.4, direct authoring entities to enable operating rules to be sufficiently
generic that they can be accommodated within any type of covered entity
business operations.

3.5, direct authoring entities to enable operating rules to be sufficiently
generic that they can accommodate needs of various types of providers, in
parentheses, for example, hospitals, clinics, nursing homes, et cetera, and
various forms of health plans, and in parentheses, indemnity, HMOs, PPOs, et

DR. CARR: I just want to be consistent, I guess, are you either going to
call them authoring entities, or specify who they are?

DR. WARREN: We can do that for clarity.

DR. CARR: Okay, 4.1.

DR. WARREN: How about 3.6? Okay. Direct CAQH CORE and NCPDP, to openly
collaborate with health plans and providers to include in existing operating
rules requirements for use of the health plan identifier in each applicable
field of the standard transaction. So here’s where we’re trying to bring
together the collaboration that’s necessary between the two letters.

DR. FRANCIS: The grammar of that one just somewhat confuses me, because you
want to have them collaborate openly to include requirements in the existing
operating rules; is that it?


DR. FRANCIS: Okay. Just fix that, because with the comma where it is, I
couldn’t quite follow what as going on.

DR. SUAREZ: You mean to include, comma, in existing operating rules?

DR. CARR: Let’s not wordsmith; excellent point, thanks. 4.1?

DR. WARREN: So, Leslie, if you could let us know where that is, because I’m
already confused.

4.1, require that any companion guides deemed necessary by health plans do
not conflict with the standards, implementation specifications, and operating
rules adopted by regulation and follow a standard format and content agreed
upon by the industry consensus across all sectors. The companion guide should
be limited to providing basic training to partner facts, such as contact
information, website, service phone numbers, et cetera.

5.1, designate operating rules authoring entities such as the DISMOs —

DR. CARR: Just so we have a consistency with what we do. I mean, generic is
probably preferable, but if you want to put them in parentheses or something
like that.

MS. GREENBERG: What if you say designate any operating rules authoring

DR. CARR: Right. I think when we do a little clean up on this, we’ll just
get a consistent representation and a definition. So we’ll live with that as
we’re reading it now.

DR. WARREN: Okay. So designate any operating rules authoring entities as
designated standards maintenance organizations and require their participation
in the DISMO. So they’ll become members.

DR. CARR: So your singulars and plurals are a little mixed up there now with
any, but go ahead.

DR. WARREN: There are plurals; and then there’s a singular.

DR. CARR: So designate any operating rules authoring entity as a DISMO.

DR. WARREN: Designate any entity as a designated standards maintenance
organization and require their participation —

DR. CARR: — as a DISMO, single.

DR. WARREN: — in the DISMO committee.

DR. CARR: Okay, 5.2.

DR. WARREN: Incorporate into rulemaking that, as recommended in 3.1, all
future changes to operating rules and standards be made through the DISMO
committee to enable changes to be made to the applicable artifact, which is the
standard implementation guide or operating rule.

DR. SUAREZ: We should reconfirm that we still are referring to the 3.1 that
we meant. We might have changed the order.

DR. WARREN: Yes, we’ll check all of our numbers.

DR. CARR: 5.3.

DR. WARREN: Requiring these entities to adopt the standard versioning
methodology and phraseology for operating rules similar to standards
development organizations.

DR. CARR: Great. 5.4?

DR. WARREN: Designate CMS as a non-voting participant in the DISMO

DR. CARR: Good idea.

DR. WARREN: Okay. 6.1, require CMS to develop a certification process for
all standards implementation specification and operating rules in accordance
with the legislation, and this legislation is ACA. CMS may designate one or
more independent outside entities to provide health plan compliance
certification. Until such entities are formally designated, any current
certification process should be considered voluntary and not required.

6.2, enable CMS to work with the industry to identify free and low cost
options recognized by CMS for validating compliance with standards
implementation specifications and operating rules. And I think that’s our last

DR. FITZMAURICE: Could we go back to 1.1 and 1.2? I don’t have that version,
but in a previous version I noticed something. On the first one we see, CORE
meets the requirements as the authoring entity for operating rules for et
cetera. NCPDP meets your requirements as authoring entity for pharmacy based
eligibility transactions. They already are. Might we say, meets the
requirements as the authoring entity for operating rules for each of the

DR. WARREN: Yes, you’re right. The issue with it that makes it hard — and I
think why we have standards — is they incorporate their operating rules as
part of their standards package. So they go at it a little bit differently than
anybody else.

DR. CARR: Any other comments? Do I have a motion to approve these

(Motion made and seconded.)

Any discussion?

(No response.)

All in favor?

(Participants affirm verbally)

Any opposed?

(No response)


Well done. Well done. Okay, and we’re even early I believe, but do not take
that to mean you have extra time. I think we’ll take a ten-minute break and get
back here really at 10:15. We have a lot to do yet today, and we’re on a roll.
So please come right back.


DR. CARR: Let me just check, was there anybody who came who didn’t identify

DR. HORNBROOK: Mark Hornbrook, Kaiser Permanente, member of the committee,
no conflicts.

MR. J. SCANLON: Jim Scanlon, HHS Planning and Evaluation, Executive Staff
Director for the full committee.

MS. GREENBERG: Good morning, I am Marjorie Greenberg from the National
Center for Health Statistics, CDC and Executive Secretary to the committee.

DR. CARR: Did you want to have any comments as we’re getting this set up,
Jim? We didn’t get a chance to hear your comments yesterday.

Agenda Item: Sensitive Information in the
Med Record, ACTION

MR. J. SCANLON: Well, let me rather than giving my full report from
yesterday, I think what I’ll do in terms of future planning, as you remember
from our last discussion, HHS is working on our strategic plan for the next
five years. It’s still in draft form, but I’d like to give out — and it’s
available for public comment, I’d like to give a summary of what the goals and
the objectives are. Obviously they encompass all of the initiatives we’re
talking about today. So rather than go through that, I think what I’ll do is
pass that out, and you’ll have it for reference, and then I could discuss it

But, again, the five overall goals, as you would guess: transforming health
care including health reform, and a lot of the prevention initiatives as well.
Advancing scientific knowledge and innovation; this would be the NIH and the
FDA types of functions. Advancing the health safety and well-being of the
American people; there are a number of objectives here dealing with prevention
and welfare and child services. Increase efficiency, transparency and
accountability; this deals with some of the initiatives relating to open
government initiatives, data.gov where we try to post most of our data, and
generally efforts to make HHS activities more transparent. And finally, an
infrastructure kind of a focus, which would be to strengthen the nations health
and human services infrastructure and workforce. Workforce is a new one.
Typically the idea of workforce was thought to be let the market work. You
don’t have to support physician training; we do support nurse training. And the
thought was that the supply would adjust to whatever the demand is. The
thinking has changed a little bit now, and so there’s more of a focus on
workforce. Is the health workforce adequate, for example, in terms of
distribution capacity and so on? So, as a general rule we’ll be looking at

But at any rate, rather than take up a lot of the committee’s time, why
don’t I give this out. We’ll get it out to everybody’s place and you can look
at this in terms of the context of what we’re talking about today.

Let me say this too: as you look at our roster, we have a number of
potential vacancies coming up by December of this year; plus there are two from
Congress, the House and the Senate, along with Harry as well. So normally when
we have one or two vacancies we don’t really advertise that much and post the
federal register notice, because we end up disappointing most people if we’re
only appointing one or two. But three or more we generally think it’s a good
idea to publish. So we will be in the next week or two publishing a federal
register notice about vacancies upcoming on the committee and encouraging
nominations for membership. And we will list in the federal register notice the
areas of expertise; those are in the statute itself.

So that will go out as a general rule inviting nominations. And we’ll send
it around to the members as well, because a lot of you have good candidates. A
lot of your ideas have been the source of candidates already, so we’ll send
that around as well. And then we’ll work through the fall in terms of getting
everyone appointed.

The two Congressional spots, it’s doubtful that with all they have to worry
about, I guess it’s doubtful they will actually name someone before the
elections, but it’s always possible. I know of a number of people who have
contacted their representatives and Senators and expressed interest, but we
can’t get into that part of it until we actually get a letter from the Senate
or the House. But, again, for the other members, we’d really appreciate your
thoughts about the gaps we have and ideas about who would make good members.

DR. CARR: Thank you, Jim. Who’s on the phone?

DR. OVERHAGE: Hi, it’s Marc Overhage who joined.

DR. CARR: Anybody else on the phone?

MS. CHAPPER: Yes, hi, it’s Amy Chapper, CMS.

DR. CARR: Welcome. Okay. I think we are ready. I want to first stop for a
moment to —

(Phone ringing; wrong number.)

Has anybody else joined the call?

Okay. By way of introduction, I want to commend Leslie for unwavering
fortitude in getting this right.


History has shown, both in NCVHS and in other venues now and in the past,
that privacy is an enormously complex topic, and it becomes even more complex
in this evolving environment. We understand more, technology is evolving more,
and we are trying to continue the role that we’ve played for a number of years
in helping to inform and guide policy. And this letter is not unlike the
others, but like the others we were able to achieve a statement that we felt
was representative and added value, and I’m confident that we’ll do that today.

But, Leslie, really thank you for just working all evening — didn’t go to
dinner, but it’s such a statement and it shows the committee in such a great
light to have members with this amount of commitment. So, thank you.

So, what I’d like is that you take us through the letter and that we make
notes at our places of thoughts that we have. But let’s get through the whole
thing and then try to come back at is there anything in aggregate that we want
to speak about, or is there specific language. And what you have up here are
some comments that I made earlier this morning, but they’ve not really been
vetted, so feel free to —

MS. BERNSTEIN: Is this, what I have here, Justine, is your version or is it
Leslie’s version?

DR. FRANCIS: This is actually Justine’s version with — we were at
breakfast, and it is some edits that result from that discussion. Let me
preface this by saying that I took myself in drafting to be responding to the
kinds of comments that were made in the full committee, as well as the specific
directions that I was given in the privacy subcommittee.

I did say at the beginning of that marathon last night, that if we thought
there wasn’t a chance of coming out of this with a passable letter, I was going
to go to dinner and enjoy myself. And I was told that I thought we did, and so
I followed those guidance.

Let me just say in terms of the email that I sent out, what seemed to me to
be some of the crucial aspects of that. The first was to indicate that any of
these judgment — we need to indicate that this is about contextual access in
different contexts. So I’ll use the logician’s descriptor here. For each of
these suggested categories, there is an X such that X is a context in which it
would be important to exercise segregated capacity.

From the existential quantifier, it does not follow that for all X or that
for any other X that would be a context in which it would be appropriate to use
this segregative capacity. So, please, from the fact that there might be a
legal requirement for a particular transfer, do not assume that we are saying
anything about treatment. Okay? That’s critical.

Now, there may be legal requirements for some treatment contexts, but this
depends on the context, okay?

Second, the way this is now set up, is we go legal requirements first, and
we track the exact statutory or regulatory language of the legal requirements,
beginning with the federal and moving on to states. I will say when we get to
the states that I didn’t have time to do all of the legal research last night.
I cited one example of each.

Maya has been heroically sitting in the back here on Lexis, and I have many
other examples which what we would do is put them all in a footnote, or in some
way or another, we want to indicate that we’re not singling out particular
states. There are many, many states that do similar things. And these were the
examples I could lay my hands on with the Internet capacities I had last night.
But there won’t be anything that changes in the content. There will be more
exemplary states.

The third thing I want to say is that it was very important to make sure
that we referred to all the kinds of considerations that we might find out
matter at the end of the day. This is a recommendation to develop, that HHS
support pilot testing and the development of functional, technical capabilities
that would allow for the functional ability to segregate these categories. And
I wanted to make absolutely clear that during feasibility development and pilot
testing, we may learn that there are insurmountable technical issues. We know
there are technical issues now; we don’t know whether they’re insurmountable
because we haven’t tried.

We also may find out that the costs are very high, and that given the levels
of concerns that people have, the costs don’t justify at the end of the day. We
may find out that one or another of these categories doesn’t do a good job of
tracking privacy concerns. We may find out that there are patient care issues
that haven’t been anticipated or other unintended consequences. And attempt to
make that clear.

At the end of the letter we point out — but I should emphasize that the way
this is drafted, it’s at the end of the letter — that we may learn that
there’s a road not taken, that we should go back to the idea, or go to the idea
that different people have different ideas about sensitivity and that there
shouldn’t be a categorical approach.

Right now, of course, current law does take a categorical approach. And
that’s why I would recommend putting it at the end of the document, because if
we were to move to that approach, it would be a very different structure than
what one finds in law today.

Finally, I went to the actual titles of hearings, and titles of letters, and
quoted the actual recommendations in earlier letters to make sure that there
was complete accuracy.

So here’s the overall draft, the structure of the letter. There’s an
introductory paragraph. There’s then a prior history. Then there’s tracking
federal and state law, with some — you’ll find there are a few new categories
in there. There is then a recommendation with respect to — because we thought
it added value to have a couple of categories that don’t track law, but that
were regarded as being very important. You’ll find a mental health category,
you’ll find a reproductive health category, and you’ll find then some
overarching, crosscutting issues. The question of identifying a record of
somebody who is under threat, as sensitive — the entire record, you know,
having a special flag for that type of record. A celebrity record, which I
didn’t quote the HIPAA, but that is actually in there. And then there is the
question of the importance of some of these capacities for adolescent records.
That’s it, and we can now go through it.

DR. CARR: And so I think it’s very important that we go line-by-line on the
introduction. I think on the past history, if you want to just highlight —

DR. FRANCIS: I will do that.

DR. CARR: — this one showed this, this, and this, and kind of sprint
through that.

DR. FRANCIS: Let’s look at the introduction first.

DR. CARR: I really am urgently concerned about our time. And I think that
every minute counts here. And if you can just —

DR. FRANCIS: So the initial is our standard NCVHS “hi.” Then the
next paragraph —

DR. CARR: So read line-by-line on the opening paragraph.

DR. FRANCIS: We are writing to recommend that you explore testing and
demonstration of privacy controls for electronic health records and health
information exchange that will foster patient trust and increase patient
participation in systems for records exchanges. Our nation is committed to the
increasing development of interoperable health records to improve patient
health, health care, and public health. Patient trust is critical to this
development and we must invest in technologies that will promote this trust.
One possible strategy for advancing patient trust is the identification of
certain defined categories of sensitive health information so that health
record transfers can occur with contextual access controls.

Protection of some categories of sensitive information in some contexts is
needed to meet legal requirements and protection of these and other categories
may be needed to accommodate patient privacy concerns. We recommend the
selection of certain categories, their definitions in study, pilot testing, and
further refinement to assess — and here’s the list — technological
feasibility, effects on patient care, efficacy for privacy protection, benefits
and costs, and other potential unrecognized consequences and/or benefits.

DR. CARR: I’m debating whether we should try to go through the whole letter,
or we should say — because the introduction is so key to this. Is there any —

DR. FRANCIS: Maybe it makes some sense to see the letter as a whole so you
can see where — because we try to make sure that the issue of context is all
the way through. And we also try to make sure that the road not taken — I got
a little Robert Frostian last night.

DR. CARR: I’m going to keep bringing you back to the letter, Leslie.
Congress and the HITECH Act.

DR. FRANCIS: Okay. So, the next paragraph is just the HITECH Act, our prior
letters — Congress and the HITECH Act, NCVHS and prior letters, and the HIT
Policy Committee all have recommended exploring the definition of categories of
sensitive health information. And then the HITECH Act of 2009, specifically
requested development of — and this is the statutory language — technologies
that protect the privacy of health information and promote security in a
qualified electronic health record, including for the segmentation and
protection from disclosure of specific and sensitive individually identifiable
health information, with the goal of minimizing the reluctance of patients to
seek care, or disclose information about a condition because of privacy
concerns in accordance with applicable law.

Based on NCVHS’s past work concerning sensitive information, we are not
offering initial definitions of such categories. What has become clear with the
evolution of thinking about this topic is that any data element can be regarded
as sensitive by some people in relation to a particular context, and reliance
on an approach in terms of categories may ultimately be questioned.

That’s an edit that we may or may not want to leave in.

The recommendations below are intended to coordinate with the work of the
Health IT Policy Committee, which is separately addressing the technical issues
in this area and has held hearing on this topic. The Health IT Policy Committee
has also noted the importance to patients of controlling transfers of sensitive
information, and that meaningful, granular consent — and this is a quote from
their recent letter — must be generated out of further innovation and critical
testing of implementation experience as it pertains to policies related to
electronic exchange of health information.

MS. BERNSTEIN: Do you mind if I hide the changes for now so we can just —
do you want to see all of those changes.

DR. CARR: No, keep going; we’re doing fine.

DR. FRANCIS: Okay. NCVHS has held eight — that change by the way is just
the number 8 to the spelled out eight — to the topic of sensitive information
over a six-year period. Okay? These are the hearings and their titles exactly
from the NCVHS web page. Based on these hearings, NCVHS made a number of
recommendations concerning sensitive information. And the first is the June 22,
2006 letter with R6 and R7 in their actual forms. Then the February 20, 2008
letter with the recommendation that categories be defined for purposes of
health information that is made accessible over the NHIN for treatment

This letter also recommended that, quote, — and it’s the notational part,
the break the glass feature, and the development of the technological capacity
for re-sequestration and the development of audit capability. Then there’s also
the open, transparent, and public process to identify the possible categories,
and to define with specificity the criteria for inclusion and exclusion within
each category. We should take into account both patient concerns about privacy
and the concerns of health care providers about quality. And then there are the
five example categories. Wherever there are quotes, that’s exactly what the
letters said.

Then, next, unfortunately there is a recommendation in the PHR letter, which
would be quoted there, but NCVHS’s website link was broken, and I couldn’t
download — the link was broken to that particular letter, so it was therefore
not available on the web last night. But it would be the exact quote of that

So, next, legally define categories of sensitive information. Numerous
federal and state laws require special treatment for specified categories of
sensitive health information in various context. Again, the point that this is
context related. In these contexts, the records custodian — and we’re not
saying who that is — may find it useful to have the capacity to segregate
these categories of information for special handling — again, not saying what
that handling is.

These legally defined categories include the following. So first, there’s
GINA. And you changed it to “including the following in the category of
genetic information.” I had said define — actually it should have been
defining the category of genetic information as follows. That’s the exact GINA
language. Tests for DNA, RNA, chromosomes, or other features of the
individual’s genome, tests for metabolites, proteins or other factors that are
indicative of features of the individual’s genome, and the manifestation of a
disease or disorder in family members.

GINA prohibits employers and certain insurers — there is actually a bunch,
and in relation to the earlier discussion, that includes ERISA plans; there’s a
separate section that amended ERISA — from, quote, “requesting,
requiring, or purchasing genetic information thus defined. In order to respond
to requests for medical records that comply with these limits, records
custodians will need to segregate genetic information that comes under the GINA

Psychotherapy notes, here’s the HIPAA regulation definition of psychotherapy
notes: notes recorded in any medium by — In order to come within this
definition, psychotherapy notes must be created by a mental health professional
and separated from the rest of the medical record. If they’re not separated,
they’re not under the HIPAA definition of psychotherapy notes.

And what is the actual — again, what would be included is documentation or
analysis of the contents of conversation during a counseling session. That
includes — and I did not put that in here, but we could — both individual
counseling and group counseling. But I didn’t think we needed to be that

NCVHS recommends that the following not be included within the definition of
psychotherapy notes. And what we are doing there is tracking exactly what the
HIPAA privacy rule says are not part of psychotherapy notes. And those are,
again, quotes from the regulatory language.

Okay. The next category is the 42 CFS Part 2. These are the substance abuse
treatment records. And again we have quoted the exact statutory language. The
section of the federal regulations governing the confidentiality of alcohol and
substance abuse treatment records imposes, quote, “restrictions upon the
disclosure and use of alcohol and drug abuse patient records, which are
maintained in connection with the performance of any federally assisted alcohol
or drug abuse program. To disclose, or disclosure, means a communication of
patient-identifying information, the affirmative verification of another
person’s communication of patient-identifying communication, or communication
of any information from the record of a person who has been identified.”

Record means any information whether recorded or not relating to a patient
received or acquired by a federally assisted alcohol or drug program. Treatment
need, so there’s the definition of treatment. Those are all listed straight
from the regulatory language.

Accordingly, NCVHS recommends that the following be included within the
definition of 42 CFR. Alcohol and drug abuse patient records maintained in
connection with the performance of any federally assisted alcohol or drug abuse
program as, quote, “federally assisted is defined in regulations and
guidance.” That definition changes, so we didn’t want to give a specific
version of it. And communications of any information from the record of a
patient who has been identified in connection with — that tracks the
regulatory language.

DR. SUAREZ: Leslie, just a quick comment on that paragraph where the cursor
is. Accordingly, NCVHS recommends that the following be included within the
definition. Just to understand, are we saying that this should be the

DR. FRANCIS: Yes, these are what are included in the regulatory language. We
did not put anything else here.

DR. SUAREZ: I’m just asking what are we adding?

DR. CARR: Excellent question, but I want us to hold the questions — just
make notes — and get through all of that.

DR. FRANCIS: What’s going through in this section is what we’re adding is
the pilot testing of the functionalities to try to comply with this. And we
fully recognize — so that’s the added value here. We’re not changing the
definition. This is the definition that’s in regulation. What we’re doing is
saying — so it may be hard, for example, to figure out how to pick out the
communication —

DR. CARR: Let’s just keep going.

DR. FRANCIS: The next one is HITECH Act cash payment. This is in the
statutory language under the High Tech Act, such as required by law: patients
may request restrictions on the following disclosures. A disclosure is to a
health plan for the purposes of carrying out payment for health care operations
and is not for the purposes of carrying out treatment. And the protected health
information pertains solely to a health care item or service for which the
health care provider involved has been paid out-of-pocket in full. So, in order
to comply with such requests, records custodians will need to be able to
separate out items or services for which the provider has been paid out of
pocket in full.

The next one; now we’re moving to state law. And here we have an example of
New York public health laws protection for HIV. There are a multiplicity of
state law protections regarding HIV and other sexually transmitted diseases. As
I said, we will be citing additional examples.

But this is the exact language with the statute cite there. So, in order to
comply with New York law regarding disclosures of HIV-related information,
custodians of health records will need to segregate information that comes in
the different parts of this statutory definition.

And then the crucial next paragraph, because state laws vary in how they
define these protections, it will not be easy to define a single category of,
quote, “protections for HIV information or other information regarding
sexually transmitted diseases. Accordingly,” — and for every one of the
state law defined categories, you’re going to find the same accordingly —
“NCVHS recommends that HHS identify the types of information that might be
included within this category, the context in which disclosure limitations
might apply, and how the particular types of information might be identified
for the purposes of disclosure limitations in these various contexts.”

For example, — the example here is of a contextual variation. Under the New
York statute, disclosure limitations differ when the information is required
for treatment, so this type of information should be identified for separate
handling. And Justine added the following language; that’s fine with me.

Now, the next category is there are a remarkable number of state law
statutes that protect mental health information. This is one example. It is not
an atypical example at all. We’ve got a list now on my laptop with Maya’s and
we will put in other examples and show that this is a deep concern for many
states. And again, we did the same, state statutes vary in the definitions of
mental health information to which they give special protection, as well as in
the contexts to which these protections apply.

Accordingly, NCVHS recommends that HHS identify the types of information
that might be included within this category, the contexts in which disclosure
limitations might apply, and how the particular types of information might be
identified for purposes of the disclosure limitations in these various context.
And then, again, there’s the West Virginia example, but as I said, West
Virginia is not at all unique in this context. And we will actually give you
different examples.

State law provisions regarding access to information in the records of
children and adolescents. State laws differ regarding the rights of adolescents
and their parents to the health records of adolescents. For example, Idaho
provides special rules with respect to access to the records of children who
have received involuntary mental health services. Those are both involuntary
services in facilities and also in outpatient, so that’s why it’s stated like
that. These limits include, quote, “no person in possession of
confidential statements made by a child over the age of 14 in the course of
treatment may disclose such information to the child’s parent or others without
the written permission of the child. There are limits to this restriction in
some contexts. Disclosures that are,” — the grammar is off here —
“limits such that such disclosure is necessary to obtain insurance
coverage to carry out the treatment plan or prevent harm to the child of
others, or unless authorized do disclose such information by order of a

Then again, the notation as to state law variation, concluding with, for
example, under Idaho law disclosure limits differ when the disclosure is
necessary to obtain insurance coverage. So the illustration here is how the
state law will require contextual variation.

Here’s our concluding paragraph to this: Legal requirements impose special
handling restrictions on each of the above categories of sensitive information
in some contexts. However, without a definition that allows the capacity for
separate management, even where electronic medical records are in place, the
current practice is by necessity to prepare in formation in response to
requests for this information by hand. This process is inefficient, cumbersome,
and expensive.

Alternatively, a custodian may be forced to withhold information when it
would not otherwise do so because it lacks the capacity to differentiate the
sensitive portion of the record. For example, psychotherapy notes may be filed
separately — just in a separate bucket completely — or records of treatment
for adolescents may not be placed in electronic record systems.

That is something we heard, I will point out to you, testimony from the
pediatricians about that one of the great concerns is that because of the
inability to put into place separate controls where adolescents might want to
exercise consent, that particularly adolescents are massively underrepresented
in the electronic world.

In such cases, patients lose the benefits of both EHRs and exchange and
other uses of the information, such as for public health or quality improvement
may be curtailed.

And finally, we should also note that this is by no means a complete list of
categories of sensitive information that have been enshrined in federal or
state law. It represents, however, categories that were called to our attention
as especially important or frequently protected by legal requirements.

Additional potential sensitive categories. NCVHS heard extensive testimony
about the definition of sensitive categories of health information that extend
beyond these categories that have found legal recognition. These were
categories that were singled out for protection in at least some contexts as
important to maintaining patient trust. What follows are two of these
categories, together with information that may be important in defining them.

The first one of these is mental health information other than as found in
HIPAA psychotherapy notes or state law definitions. Dissemination of
information about mental health diagnosis and treatment may pose significant
risks to patients, and most people regard it as highly sensitive. On the other
hand, the distinction between mental and — these are the considerations we
heard in the hearings — the distinction between mental and physical health is
regarded as artificial. We welcome the day when this information will no longer
need to be singled out for special concern.

The definition of mental health information recommended to us in testimony
is, quote, “information gathered or observed relating to a person’s
emotional, perceptual, behavioral, or cognitive experience, as well as
associated physical symptoms.” And I noted there that this definition is
consistent with the definition of mental health information found in some state
laws. This information, however, may be difficult to identify for segmentation,
as it will be scattered throughout many parts of a medical record, as well as
across many records, and would require the use of advanced natural language
processing for identification.

Additionally medical notes, test procedures, imaging and laboratory studies
performed in a mental health facility that would otherwise be considered
medical data, such as evaluation for reported chest pain, should not be
included in mental health information.

Then NCVHS heard testimony that in addition mental health diagnoses and
descriptions of traumatic events by patients should be included in the
definition of this category’s sensitive information. NCVHS also heard testimony
that a past history of treatment for depression and for bulimia or anorexia
should be included in this category. Panelists advocated that information about
educational testing and testing for ADD should also be included in the category
of mental health information to be segmented.

On the other hand, NCVHS also heard testimony about the importance of some
mental health information to current patient management. Panelist recommended
that the following critical mental health information not be defined as within
the category of mental health information to be segmented in the record:
medication lists, allergies, non-allergenic drug reactions, and dangerous
behavior within medical settings. Information about current medications is
crucial to avoiding drug-drug interactions.

Another expert suggested the importance of a problem list of current care,
for example, knowledge of alcohol abuse may be relevant to diagnosis and
treatment in an emergency setting. Testimony emphasized that this information
may need to be available in emergency settings or when patients with mental
health diagnoses are being treated for other conditions.

Now, this is only a recommendation about consideration, okay? So, NCVHS
recommends that the following be considered in additional definition of the
category of mental health information: psychiatric diagnoses, descriptions by
patients of traumatic events, descriptions or analyses of reports by the
patients of emotional, perceptual, behavioral, or cognitive states. Those were
from the testimony. Except as required by state law, NCVHS recommends that the
following critical mental health information not be included in additional
definitions of mental health information because of its importance in many
contexts: medication lists, allergies and non-allergic drug reactions,
dangerous behavior, information for medical notes, test procedures, imaging, or
laboratory studies not related to the mental health treatment that would
otherwise be considered medical information.

And finally, about psychiatric diagnoses, just what we heard, NCVHS heard
conflicting testimony about whether information about a psychiatric diagnosis
should itself be included within the category of sensitive mental health
information. On the one hand, this information may be important for patient
care. On the other hand, it may be very sensitive to patients and they might
expect to be included within the category. So, no recommendation on that; it’s
just the observations and what we heard.

The second category is sexuality and reproductive health information.
Information about sexuality and reproductive history is often regarded as very
sensitive by individuals. If the reproductive issue is long in the past, its
relevance to current medical care may be limited — only may. Many reproductive
issues may expose people to political controversy, such as protests from
abortion opponents. People asked me what that meant; that’s the kind of thing
it means. I mean, abortion opponents will show up at people’s houses. And
knowledge of an individual’s reproductive history may place him or her at risk
of stigmatization.

There are actually examples. I could give you case cites of people who have
lost jobs when an employer learned about an abortion history. Additionally,
individuals may wish to have their reproductive history segmented so that it is
not viewed by family members who otherwise have access to their records.
Imagine a parent whose child learns that — okay?

Parents may wish to delay telling their offspring about adoption, gamete
donation, or the use of other forms of assisted reproduction in their
conception, and thus it may be important to have the capacity to segment these
records. I didn’t cite there, but I could cite for you the ethics advisory
opinion of the American Society for Reproductive Medicine that recommends that
as an ethical matter.

NCVHS recommends including under the category of sexuality and reproductive
health information the following: sexual activity, sexual orientation, gender
dysphoria and sexual reassignment, abortion, miscarriage, or past pregnancy,
infertility or the use of assisted reproduction, sexual dysfunction, the fact
of having adopted children. Some of this information, for example, sexual
orientation discussions, may be especially sensitive in adolescent records if
they are accessible to parents under state law.

Finally, considerations applying to entire records. NCVHS has identified
three circumstances in which the entire record might be deemed sensitive. It’s
not just domestic violence; it could be an abstract stalker — where we heard
testimony. In cases of domestic violence or stalking, identification of the
fact that the record exists with a given provider might provide the potential
perpetrator with the information necessary to locate a potential victim. So
might information in the record that is otherwise not sensitive, such as the
patient’s address or school.

NCVHS heard testimony from victim protection organizations of cases in which
the medical records served to provide the victim’s address or indicate the area
in which the victim had sought treatment, and thus was likely to be found. In
several of these cases the result was the tragic death of the victim who did
not realize that her record had been accessed.

DR. CARR: Leslie, I think these are — if we can speed through these, I
think they sort of speak for themselves.

DR. FRANCIS: There are the public figures, and then the minors. Let’s go to
the end.

NCVHS recommends that we use the above categories of sensitive health
information for pilots of technical solutions that reflect the content and the
context of this information. Aims of this testing should be to understand the
feasibility, effects on patient care, efficacy for privacy protection, benefits
in labor and costs, and other possible consequences of segmenting these
categories and implementing granular patient consent for their use in
particular contexts.

Recommendations regarding management of sensitive information will always
confront a road not taken. For protecting privacy, an alternative would be
letting patients decide what information, if any, each of them considers
sensitive. This was the alternative discussed yesterday. In NCVHS’s 2008 letter
we rejected this approach as unduly confusing and costly. It may be that after
pilot testing efforts are concluded and assessed that HHS determines that one
or more of the above recommended categories cannot be implemented. It may also
be that after pilot testing HHS determines that the strategy of selecting
categories of sensitive information should be reassessed. NCVHS stands ready to
help HHS in this continued endeavor.

DR. CARR: I’m going to, in order to help do this, I’d like to go around the
table and I’d like each person to have one headline of thought about this
letter that — constructive criticism; so one thing that we could do, or one
concern that you have.

DR. HORNBROOK: I was wondering whether the reference to cognitive issues or
data in the mental health field would be interpreted to include cognitive
impairment, memory loss. This is a quality of care issue, because providers
need to know that a patient really doesn’t remember what they’re being told.

DR. CARR: Okay. So, you’re looking for specificity at a granular level.
Let’s just keep going. Chuck?

DR. FRIEDMAN: Sorry I’m late; I’ll pass for now.

DR. CARR: That’s okay. But I actually want to come back to you because ONC
is looking for guidance from NCVHS, and I want to know if we’re providing
what’s being looked for. Sally?

MS. MILAM: On the last page, when we look at the purpose of the letter,
limiting it to pilots in technology I think is a missed opportunity. I think it
also should apply to ongoing policy deliberation.

DR. OVERHAGE: I was wondering where that was in reference to, in the first
paragraph, is that where you were pointing at?

MS. MILAM: We’re not there on the screen. It may be in the first and the

DR. GREEN: I want two headlines. One is, I wish to express great
appreciation to you for doing this. My second one is you called out in one
paragraph that NCVHS recommends consideration of, and then there was a list of
things. And in other places it says NCVHS recommends the following be included.
I’m wondering about the possibility of using that language — recommends
consideration of — throughout all of those consistently. If there is a good
rationale why we want to make stronger statements for some, then —

DR. FRANCIS: Can I actually try the following just quickly —

DR. CARR: I really would like everybody to give their one-time comments, and
then let’s get in aggregate where we are with this letter. Don?

DR. STEINWACHS: I wasn’t here for all of it, but I thought it was really

DR. WARREN: So, in the spirit of criticism and as someone who doesn’t deal
with privacy issues, one of the things I found problematic in the letter is
when I’m reading through them, I can’t look at it and find where the
recommendations are. So, if we could call out and also number the
recommendations, so even in your review of the previous letters you identified
previous recommendations by their numbers. In this letter there is no way to
identify what recommendation is being followed and what one is not. So, I find
that very difficult to follow through. And so as a result, even though we’ve
read through the whole letter, I’m still really unsure what we’re recommending,
because it’s so embedded.

DR. SUAREZ: I have two quick notes. The first one is I think in the
recommendations, particularly in the ones related to the state laws — not the
state laws — the categories that have laws and regulations behind them, the
NCVHS recommendation talks about include the definition of. And I think it
turns out to be a little bit confusing to know if what we are saying is HHS
should use the definition in the law, or modify the definition by including
only the following in the definition. I think that’s part of the confusion.

I noted that in one of the instances we actually quoted back again from the
previous paragraph that said this is the specific law definition, and then
below we say NCVHS recommends the following definition, and then we quote it
again. So, it becomes confusing. What is it that we’re recommending, you know,
inside each of the categories with respect to the testing and all of that.

The second comment I make is, in many places we say do this for
segmentation. Or, you know, the system will segment this. And we don’t refer to
have the capability of segmenting. I think every instance where we say
segmentation or segmenting, if we just say straight ahead this has to be
segmented, it give the impression that we’re calling upon that. Rather, it
should say the system should have the capability of segmenting.

DR. CARR: That’s a good correction. Marjorie?

MS. GREENBERG: Okay. I’m not a voting member, but I really want to thank
Leslie also. And I know Maya and a few others helped her as well. I think it’s
very balanced. I think it’s very informative and reasonable.

I have the same comment that Larry made that unless there’s a good reason
for it — and I guess when you get a chance to respond you’ll tell us — on the
two additional categories that you added — reproductive health is the second
one; the first one is mental health — I think it would be preferable to use
the same language. And that is that, you know, should consider including. Why
one would be consider and the other recommend, I’m not sure. If we want to
change that, if you want to treat those two separately, I think you have to
make more of a case for it.

DR. FRANCIS: No, there’s no intent to treat them separately. We should just
change the second one to be in line with the first. The distinction was meant
to track legal and non-legal, and the only reason is Leslie got tired.

MS. GREENBERG: Okay. No, that’s fine. And then I also agree that I think
what you’re trying to say is that those legal ones you think should all be
included as sensitive information, but it also has to be clarified that you’re
not changing the definition or recommending a change to those. So I agree with
both of those.

DR. CARR: Okay. And I again thank you for your efforts. I find it extremely
hard to follow a 12-page letter. And I think I would recommend that we not go
into such detail on the testifier’s exact language, but rather synthesize up,
these are the types of concerns that were expressed. I think we could also not
go into the detail on what West Virginia law says. We could say state laws
include an array of things, footnote West Virginia, footnote New York.

And I think that we — Judy was saying I don’t know what the recommendations
are, and I don’t know that numbering it is going to help it in its current
form. I think we need to make this actionable for ONC so that if we are talking
about mental health, I would recommend doing an aggregate of mental health.
This is absolutely required, this is required in some states, and that leaves
us with this gray zone of patients.

I think there are similarities in HIV, and STDs and psychotherapy. There are
things that might be related to that or might not be. So I would try to just
talk about it as there are the obvious state laws, and there’s a continuum. And
we need more thought and work on those things that are in those gray zones. So
I violated my rule by saying three things, but that’s the gist of it. Jim?

DR. SCANLON: A couple of things. I think if we could just make it clearer at
the beginning that to some extent these are recommendations for research and
exploration, number one. Secondly, that at some point very early in general
this would not involve treatment, if we can do that. And third, like Justine if
I could have one more organizationally, this is really too long for a letter. I
almost wonder if it should be in a report in which we have a cover letter and
attach it and say recommendations for research on sensitive information.

DR. TANG: I think this is a very good piggyback to what Jim just said. So,
for example, I like the way that the letter started out: We’re writing to
recommend you explore testing and demonstration, research privacy controls to
foster patient trust. That’s a perfect statement of what we would like to do
with this letter.

What I found missing was we glossed over other possibilities, which I think
is an important contribution that we made. We discussed this yesterday on how
categories, even though we came up with the idea first, may not be the right
approach for a lot of good reasons that were discussed yesterday morning. And I
would explain some of that. And I’ve written a paragraph that we could go over

So you start out with one possible strategy, that’s good. What did we find
that would cause us to think there might be other strategies for you to do the
research? It’s clear that this didn’t pan out like we originally thought. We
just need to be able to inform people. And I think that’s a big contribution.

MR. HOUSTON: I don’t have any comments. Thank you.

DR. FITZMAURICE: I learned an awful lot and got a lot synthesized by reading
through the letter. I would go with, was it Don or Judy who said number the
recommendations. That would be very helpful to help sort them out.

And consider — but I’m not sure this is a strong statement — this also is
going to inform policy deliberations and discussions. But I don’t know that we
want to say this is a policy letter. So I go along with Jim saying the
recommendations are for search and demonstrations, but it really does inform
policy understanding of the complexities of privacy.

DR. SCANLON: I think I’m sort of along some of the same lines in terms of
emphasizing the notion that this is about testing. I would be very
uncomfortable with the specificity as a non-clinician if it was for total
implementation. But I think that given that it’s for testing, it’s very, very

And part of my — it’s not just my lack of clinical knowledge, but it’s also
the issue here where dealing, in terms of the problems that we identify, with
problems that are due to inappropriate disclosure and discrimination. And
rather than attacking those two things directly, we’re saying sequester the
information. It’s almost like we’re admitting failure in terms of being able to
deal with what the real root cause is.

And there is a price to sort of admitting that failure, that this is no
longer a paper record that’s been disclosed, this is now an electronic
information that maybe through pooling has real benefits for people. I mean
think about the genetic exclusion. That person that excludes their information
may benefit tremendously from it being pooled with other people’s information
and something is learned about that particular condition. So I think we’ve got
to — we’re at a stage where we can’t deal as well as we want with
discrimination or inappropriate disclosure, so this is where we may be.

But I still think sort of the idea that we’re testing is the most important
thing to emphasize. So making that clear up front, that all of the
recommendations that follow are in the context of testing. And I know testing
is like in the second line, but I think we need to make it bolder.

MS. TRUDEL: I don’t have anything additional to add.

DR. CARR: Okay. Mark Overhage?

DR. OVERHAGE: Thank you. I do appreciate the hard work that everybody has
put in to try to get this letter to reflect all of the work that the
subcommittee has done to think through this. First of all, I want to support a
number of the comments about not losing some of the learning and insight that
we’ve gained both through the testimony, and our thinking about this, and our
discussion over the last days. And I think several people echoed that sense
that we should include somewhere here that there’s a direction or trajectory
here, but there are other roads that are perhaps worthy of further
consideration. I wouldn’t want to lose that.

And then the second thing that I want to — and again, this is reinforcing
more than adding — I’m still worried about including some of these broader
other categories, and in fact I’m even worried about including some of the
state law sorts of categories given that it feels like it weakens the message
in some ways of take some things that are well defined and work through the
issues using these examples of the framework.

It’s sort of like we’re — it gets back a little bit to the question of
what’s the recommendation. It feels like we’ve put so much on the table that it
isn’t clear. And I would support the notion of pairing back the categories that
we hold out for examples to those few that are clear, national consensus. It
just simplifies the world and the context that we’re asking people to think
about these things in.

DR. FRANCIS: Okay. Could I go through what I’ve heard and try some things?
Could we put the letter back up, please?

The first thing I want to be absolutely clear about is that this is a
research enterprise. So let’s try to figure out how we can put in — this is
not about what should be done with patients now. So we recommend research
involving the selection of certain categories, their definition and study,
pilot testing; how about that? Or something that puts in that we recommend that
you explore research, testing, and demonstration. So we put research in the

A second thing that I think is really important is let’s go back to my
mistake that Larry pointed out. It’s under reproduction.

What I’m trying to do — so I spent time last night under the assumption
that there would be a vote on a letter today. And I’m going to want to request,
respectfully, that there be a vote on a letter. I think a white paper is a
mistake. I think it does several things. First of all, it would take a great
deal of time. Second of all, it would say that NCVHS is unable to step up to
the plate when we were asked to do so in a coordinated way with the Health IT
Policy Committee.

So, I’m trying — now, I may be wrong about those things, but I’m trying to
find out a way that we can get a letter that we could agree to today.

DR. CARR: Right. And as we did with the others, we’re going to say what are
the recommendations. So let’s start with that: what are the recommendations.

DR. FRANCIS: Okay. So we changed the bit about putting in research. Let’s go
to GINA. And then copy — right there. Recommendation one, take out the

MS. GREENBERG: I think the problem with this whole area is the one that
Walter mentioned. What I’m assuming is you are recommending that those items
that you then lay out that are in federal law should be included within the
definition of sensitive information for this testing and for this purpose.
You’re not recommending any changes to the definitions in federal law.

DR. FRANCIS: Exactly. Including the following elements of federal law.

MS. GREENBERG: So you need an overarching definition that says we have
reviewed those major categories that are in federal law and recommend that all
of those should be included in the testing in this process.

MS. BERNSTEIN: Right. As opposed to saying they’re in the category, saying
that we intend for these that have already been defined in law to be tested and
to have a demonstration process.

MS. GREENBERG: Yes. And then as for the issue of a white paper, I just want
to put it to rest because I only recommended that yesterday when it seemed like
we weren’t going to have a letter. My preference obviously is to have a letter.
Some of the information, some of the detail could be in an attachment, which
would be a report of some type. It could be an attachment, because I think
there’s a lot of very informative information in here, but I also agree that
when you’re sending a letter like this, you want it to be relatively crisp. So
that is not one or the other; I think we’re all working on the letter right

DR. FRANCIS: So suppose what we did is say, recommendation 1, NCVHS
recommends pilot testing the federal law definition of genetic information,
which includes…. Okay?

MS. GREENBERG: Testing what’s in the law; right. And you’re not changing
those definitions.

DR. FRANCIS: Exactly. The federal law definition, which is….

DR. SCANLON: I guess I would ask the question then are we going to make
every recommendation NCVHS recommends pilot testing blank? I think that in
terms of trying to change the introduction, you’d lose it. If you’re going to
start to number the recommendations, which is a good idea, and they’re going to
be in bold, the first recommendation in my mind should be NCVHS recommends
pilot testing. It’s take what’s at the back, the very end, and the pilot
testing should incorporate the following. And that’s where everything else is

MS. BERNSTEIN: Well, you could put it at the end of the statutory section,
Leslie, so it refers to all of the statutory things with one recommendation.

DR. CARR: So, Bill are you saying recommends pilot testing, and then
enumerate those things, and there’s one recommendation with ten segments?

DR. SCANLON: Right. A, B, C, D, E, F, yes, right. It seems to me that’s
where this letter is going. We go through all of these detailed
recommendations, and then we finally say at the end pilot testing. Now that
doesn’t import what Sallie said about policy.

DR. CARR: I see Chuck, and then Paul, and then Marc Overhage.

DR. FRIEDMAN: So, Justine, you asked me to put on my virtual ONC catcher’s
mitt and think about what we would do with this when it came our way. And my
comment really goes to the pilot testing and research preamble that would seem
to apply to several of these recommendations. I’m having trouble visualizing
what a pilot test or research agenda would look like.

I mean, we can generate it, but I think it behooves us to generate it and to
be a little more specific about what a pilot test or a demonstration looks
like. A demonstration of what? Is it a demonstration of how a health
information exchange and electronic health record systems would implement the
segmentation and sequestration of these kinds of sensitive data? Is that what’s
being demonstrated? I’m seeing vertical and horizontal headshakes.

DR. FRANCIS: The first question would be is it feasible.

DR. FRIEDMAN: Is what feasible?

DR. FRANCIS: Is it feasible to identify. Actually, that’s why the original
letter had the difference between segmentation and sequestration. And we
actually heard testimony about proposals for developing the technology to
separately identify genetic information that meets the GINA definition. So, the
initial question would be — this is not at all meant to be a recommendation at
the first step that you pilot test putting it in patient care records. You
can’t do that now.

The question would be — Sallie used the language in our earlier discussions
of a glide path. And this is about starting on a glide path whereby the first
step is you try to figure out the technical capabilities. Then you try to see
whether or not you could actually do it in a record that would be requested by
an employer. Remember this is all context related.

DR. CARR: Does this make sense: mechanisms to protect sensitive information
in the following categories, or something like that? I mean, I hear what you’re
saying — pilot test what? So are we pilot testing to protect —

DR. FRIEDMAN: Well, identify, and once identified —

DR. SUAREZ: I think you need to insert also electronic, because right now we
have to do this. If we say it that way, it gives the impression that we’re not
doing what we are required to do.

DR. CARR: So mechanisms to identify, manage, and protect sensitive
information in an electronic environment.

DR. FRIEDMAN: Right. And that’s a very good start. But I think we need
something like a paragraph that really defines how the identification of these
types of information, which is so nicely laid out here, translates into things
that have to happen in the world down the road.

DR. TANG: I want to help construct how I think the letter should start out,
which is basically the Scanlon brothers —


What I would first do, I think we have learned through the entire course of
hearings and our rich discussions that we’ve had, with the diverse perspectives
we’ve had, which I think has contributed. I think we’ve had a lot of learning.
And that has led us to question whether the original recommendation of
categories is correct. And I can submit a paragraph to help document that.

And that’s what leaves us the recommendation of doing further research and
pilot testing of — and I’ll address Chuck’s question. So what Justine said,
which was mechanisms to identify and protect sensitive health information when
being exchanged, let’s say. And the follow-on proposal I would do as far as the
categories is to try it out with two categories we know already need to by law,
have to implement. And I think that’s all we need because actually they are
very rich and will bring up almost all of our issues we’ve discussed.

So let’s — instead of inventing new ones and having to argue about what’s
defined in and out, let’s take the existing one, see if we can using categories
implement that, and be open because of our uncovered weaknesses and the
approach of using categories, other methods. And we can sort of enumerate other

But it would do a number of things. One, can we implement what’s currently
in law? Two, well then if we can’t by using categories, let’s try a different
approach. Or if we can’t find any way, feasible way to do it, one would have to
question the way we write laws about sensitive information. And all of those
things are really very constructive.

DR. CARR: Thank you, Paul. Walter?

DR. SUAREZ: I want to offer a couple of suggestions. I think the first one
is we should not assume that nobody is doing this, and so we need to start from
scratch and pilot test. So we should first ask that an assessment be made on
how this is currently being done in the electronic world, first of all. And
secondly, identify some of the best practices that might exist already in how
to do this. By saying how to do this, I just don’t mean exchanges. I mean
disclosures of health information for various purposes.

I don’t want to go to the use part, but just at least to ensure that we’re
talking about disclosures that are done electronically, from electronic health
records through whatever means. And that there should not just be pilot testing
and research, but actually evaluating how this is currently being done and
identifying potential best practices. I think that’s probably going to be a
much more direct recommendation.

MS. MILAM: Listening to Chuck’s comments about what ONC might do with the
letter, I was thinking about Jim Scanlon’s comments yesterday with regard to
the other letter and how there would be implications possibly for the portal
and the health insurance exchange. And I think that would be true of this
letter, as well. So we might want to look at our opening comment, particularly
with regard to the health insurance exchange. You still have HIPAA covered
entities and HIPAA covered information flowing. So it probably would be useful
in that context as well.

DR. HORNBROOK: Are we envisioning that the patient could eventually release
their own health information through the web? So I would go to my website and
say send my medical record to X because I want life insurance, or I want
disability insurance, or I want to apply for camp or something.

DR. CARR: It’s on the table.

DR. HORNBROOK: I just want to recognize that if somebody has sequestered
part of their health record, they forward it without reducing or relieving that
sequestration, they could be putting themselves at risk of a partial disclosure
so that the benefit they get will then allow the company to deny them the
benefit because they didn’t give the full record.

MS. BERNSTEIN: Right. Well, one doesn’t normally sequester it from
themselves, right? If you’re making it, you have the control.

DR. CARR: I think you raise a good point. But I think we’ve got a couple of
themes going on here, and a couple of things to clarify. I heard Paul say that
to focus on mechanisms to identify, manage and protect sensitive information
being exchanged in an electronic environment, as regards to GINA and HIPAA
mental health rule.

And a question I would have, because as I read through this, there are
thematic elements that are related to mental health or to HIV and so on, which
is where the elements reside, whether in the history, the problem list, the
medication list, and so on. So whether it’s HIV or whether it’s mental health,
we’re still struggling with that. And so I do agree that if we solved it even
just — well, GINA as well actually — if we had things we learned from those
two that we actually have to comply with, we could then build on them for the
next round. HIV is not part of this, but I mean they would be applicable to

My feeling with the letter is that there are so many things that we’ve
raised that we’ve heard, and I think that it’s fair to say that there’s an
array of areas. We’ve got to get this understanding, but we’ve got to then go
back and think about it in the context of all of these things that the
testifiers told us. But I think we have to have something to do that is big
enough and actionable, and that will have an endpoint that can be built upon.

And so I’d just like to put that out there for additional comment about
whether we want to go back to the recommendation that came yesterday of
limiting it to GINA and mental health for HIPAA and develop that more fully, or
whether we should consider other things.

DR. FRANCIS: Could I just say a couple of things about that quickly? The
current design of it, those aren’t the only two federal, right? And of course
there are many states. So, my own comment about that is of course it’s a start,
but it’s a start everybody knows you have to do. So if we’re adding value, I
think we would be adding value to calling attention to the fact that beyond
psychotherapy notes, there’s the pay cash and so on.

DR. CARR: Just to add, because you have the mental health in three different
parts. And do we roll that all up and think about mental health. We have a
partial responsibility —

DR. FRANCIS: I’ll tell you why in this version I didn’t. It’s because as I
heard the discussion yesterday, one of the concerns that people had was that a
one size and one context fits all is a real mistake. And I think that’s
correct. And so although there’s a sense in which psychotherapy notes and the
state law definition are all related to mental health, they actually are
delineated in a different way and the context would be different.

So the analytic framework that I used last night — and it may be a mistaken
framework — was to really have three categories. The first category is the
federal law ones. The second category is the state law ones, which do vary and
were the recommendation is that we identify the elements that — this is
further work — to identify the elements and see what the contexts are in which
these elements are, and is there anything feasible.

So that’s the second type. So there would be the federal law, then there
would be the state law, and then the third one would be we’re just giving you
the information we have now that you consider for further development another
category of mental health information and the sexually transmitted disease. We
also have to be really careful not to lose the part that’s at the end of the
letter, the domestic violence and so one, which is absolutely critical to
people’s safety.

MS. GREENBERG: I would support the approach that Leslie has recommended. And
I think that for all good reasons this letter has taken a somewhat different
approach than was originally recommended. It has taken really the approach of
recommending what needs to be tested, and I think that seems to be consistent
with what most people are comfortable with, but also consistent with what has
come out of the HIT policy committee saying that all of this testing is
necessary. We’re not ready for prime time.

But, I think we do have to remember that the committee agreed with the HIT
policy committee, and has been working on for a number of years now even before
that committee and before ARRA, try to identify sensitive information and how
to define sensitive information. And I think to strip all of that from the
letter would be unfortunate and would — again, I think it’s in the context of
consideration based on hearings and based on testimony. So it’s very balanced
and not prescriptive. But I think you could say start this research with these
two categories. But to only mention those to categories in the letter I think
would be not as useful.

DR. CARR: I’m going to preempt my chair position to just say one thing. I
agree with what you’re saying. We have identified a growing list of sensitive
information, and then use of sensitive. But really on the ONC side of it, when
you think about the electronic exchange, you really are talking about five
categories: the notes, the meds, the labs, and the problem list. I mean these
are sort of the building blocks that you play. Whether it’s HIV, whether it’s
mental health, or whatever it is, those are the variables. I mean, am I being
too simplistic?

They’re going to be playing with those same building blocks under each
category. And that’s where the uniformity is, that if we’re trying to give a
recommendation to say what can you do with these elements of an EHR to protect
information, and then pick whatever topic you want.

DR. SUAREZ: I don’t think you are being too simplistic. You pointed out
exactly the reality. Those are the building blocks. So those were the building
blocks for things like electronic health records, the meds, and the allergies,
and the problem lists. These are the building blocks for the sensitive health
information: the mental health, the GINA, and the sexual. These are the actual
building blocks.

They’re building blocks in the following sense in that they cover the vast
majority of the critical elements of sensitive health information, just like
meds and allergies are only part of the medical record, but they are the
building blocks in terms of the most critical elements when we need to use
electronic health records. So, in that sense I see them as building blocks.

I think, again, offering this array of lists categories, not just to do
testing in an artificial environment, but to look at how things are being done,
again with this idea of assessing how is it being done currently. What are some
of the best practices that are being done with all of these categories; not
just two. Why start with two? Why don’t we try to cover the core ones that we
have already identified to assess, to look at how they are being done, to look
at piloting each of those five or so, areas. I think that’s the opportunity
that we have.

DR. GREEN: I want to hit the pause button. I want to go back to what I
interpreted about 45 minutes ago as a near moment of progress in the purpose of
this letter. I want to make the following argument: this is a hell of a good
letter. It’s a long letter, but I believe Leslie and John and this committee
have presented us this morning with a proposed letter that is responsive of
what we asked them to do. That’s my personal opinion.

I do not think at this point we should rewrite this letter or deconstruct
it. I believe what is required at this moment in our story is that this letter
requires a little reorganization and some reformatting, and that we should
accept a couple of limitations. One, it’s going to be a longer letter.
Secondly, it is not going to define the pilot testing.

Third, in the last 30 minutes or so of conversation I heard a very important
adjustment in the letter, and it was to follow up on Bill Scanlon’s suggestion
about focusing it on research and stuff. We need to include in it that bullet
that we recommend an assessment of currently attempting approaches. That needs
to go into it in addition to the pilot testing.

DR. FRANCIS: Absolutely.

DR. GREEN: If we did that, the letter really comes down to, I believe, three
recommendations. And what Leslie has written here and presented this morning
can be organized under these, I believe, to our benefit and to help deal with
Justine’s point about you’ve got to know what we’re recommending here; it’s
kind of messy.

But it comes down very close to being we’re recommending research focused on
segmentation and sequestration strategies to achieve privacy and
confidentiality requirements. It’s something like that. And that has two
components. One is, an environmental assessment of the state of the art and
where we are with this, and the second is pilot testing some stuff.

It secondly says this research needs to be cognizant of and aligned with
existing federal and state law. And the third recommendation basically is that
we say here are areas that we recommend you consider for the pilot testing. And
that’s where we’ve been arguing whether there’s going to be two of those, or
five of those, or whatever. But that’s basically the three recommendations.

Those are the bold, bulleted headlines that need to be 1, 2, and 3 in my
opinion in the reformatting. However, I don’t care how it’s reformatted all
that much just so long as it retains this fabulous amount of information. This
is a very good piece of work, and we should not deconstruct it at this point.
We should actually vote on it, and approve it, and move it forward in some

DR. CARR: Well, let’s not get ahead of ourselves here.

DR. TANG: Can I ask a question? Yesterday you had some different words and
talked about how you didn’t think that these categories could help. What’s the
reconciliation that went on?

DR. GREEN: The reconciliation was quite substantial in my opinion. The one
is the way context was brought into this throughout the letter. This is really
strongly stated that this is context-dependent stuff that we’re talking about
here. That helps a great deal.

The second one is not saying these are the categories of private, sensitive
information that need to be defined — NCVHS recommends as the information that
needs to be protected. It says we need to figure out how to segment and
sequester if we’re going to use our previous recommendations about using
categories of information.

If we’re going to use these categories, we’ve got to start getting clear
whether or not we can find them, whether we can sequester them, and to do this
testing we’re going to have to identify some areas that we can look at. The
Secretary, or ONC, or someone else could decide to only test in one area. We’re
not saying you’ve got to test all of these areas and all of this has to be

This is a research recommendation. I think we’re staying in our skin. I
think it builds on the prior work. And although I like brief letters, I like
things that just come out with two recommendations — we’ve already handled a
couple of very long letters. Let’s handle another long letter.

DR. FRANCIS: I would second Larry’s motion and I would volunteer to work
with Larry to craft the exact language that Larry just stated.

DR. CARR: Larry has just been recruited. Thank you. That was very helpful.

DR. SUAREZ: I would second Leslie’s second.

DR. CARR: Okay. But wait; we’re not there yet because we have a couple more
discussions going on. I believe I had Chuck.

DR. FRIEDAN: Yes, Larry just really moved the needle I think.

DR. MIDDLETON: And Justine, this is Blackford on the phone.

DR. CARR: Blackford Middleton. Wow! Where are you?

DR. MIDDLETON: I’m calling in from South Africa.

DR. CARR: That’s dedication. For that purpose I’m going to let you jump the
line in front of Judy. Go ahead, Blackford.

DR. MIDDLETON: Thank you very much. And I apologize I couldn’t be there in
person. I came to Medinfo, which was terrific, and I’ll tell you about that
later. I have read the letter and I’ve been following this conversation today
only for about the past half an hour.

But I guess the main question I have is someone could just repeat perhaps
the conversation you’ve already had about how this letter goes into some form
of evaluation and testing phase for implementation. I think, while the
categories are sensible, there certainly is a huge implementation consideration
or implication to be assessed as this moves forward. I don’t know understand
from today’s conversation how that will be handled.

DR. CARR: Yesterday, Blackford, we had extensive discussion about the
burden, human factor burden, or cost, whatever resources needed to achieve
this, whether it be in the setting of an office visit and so one. And so for
that reason, we’ve added that part of the analysis; what is the effort, cost
needed to achieve these various scenarios. Is that helpful?

DR. MIDDLETON: That is. And I guess the principle I would just like to
espouse, which other may feel, is to the extent that we can recognize the value
of privacy and security and confidentiality of data, it does have to be
measured against, of course, the burden of maintaining that privacy, security
and confidentiality, whether it is in technical terms, you know, provisions
technically, or human terms. And as long as we are aware of that, I think we
can arrive at something that is practical and doable.

DR. CARR: Well said. Did you get the copy that was sent out last night,

DR. MIDDLETON: Yes, I did.

DR. FRANCIS: I sent it to the full committee distribution list that I had.

MS. GREENBERG: It should have gone to the liaisons. I didn’t get it either,
so there may have been some breakdown.

DR. FRIEDMAN: So, as I was saying, Larry really did move the needle and
reflected many of the things I was going to say. I would just add one point.
I’m hearing an emphasis on projecting this on information exchange, but it’s
very important to note this is not just an issue for information exchange. It
will be important to emphasize that disclosures within and institution are
strongly affected by this.

DR. SUAREZ: Well, disclosures within an institution would be considered uses
within the context of HIPAA. But absolutely, I think this doesn’t stop or start
at the exchange.

DR. FRIEDMAN: Right. It’s not restricted to matters relating to movement
across the boundaries of institutions. It’s intra-institutional as well as

DR. SUAREZ: Essentially we had that in the original letter, uses and
disclosures, but we started to move away from uses and try to focus more on
disclosures. But I think we all agree with your perspective.

DR. FRANCIS: The beginning actually says electronic medical records and
health information exchange.

DR. CARR: Do you have a concern about that, Chuck?

DR. FRIEDMAN: Just that we keep the scope broad.

DR. WARREN: So, I’ve been sitting here looking at the letter. And I don’t
know whether you’re aware or not, but you have 16 recommendations in the
letter. And when you look at the recommendations that you’re asking us to do,
they’re really kind of fragmented.

DR. FRANCIS: I’m sorry. I can’t hear you.

DR. WARREN: In the current letter you have 16 recommendations. I counted
them, highlighted them, I can check them with you. I took everything that says
NCVHS recommends and highlighted it. And when I look at those recommendations,
as I pull them out, it really fragments this whole discussion. Or at least in
my mind it does. So I was very relieved when Larry took what I was beginning to
struggle with and broke it down to the basic three. That I think really should
be the recommendations, and then take these 16 and blend them more into the
discussion, because they’re all about creating definitions. They are about
identifying what data is there. And I think if you keep that, but take out the
word recommends, you’ll have a real crisp one.

And then at the end of the letter you can write his three recommendations
without having to do a whole lot more reconstruction of the letter. I agree,
there’s a lot of information that I did not get the first time around that made
me more comfortable with it. It was just finding all of these little pieces and
not being able to figure out what I was supposed to agree to.

DR. HORNBROOK: On the research issue, I haven’t heard anybody talk about
research on patients. I mean all of this disclosure stuff, one of the key
actors is what are patients going to do. They’re the ones that have to make the
decisions about what’s sensitive and how to implement that. So, the letter
seems to be talking about the research from the informatics side, as if
somebody had a big information exchange, how are they going to prevent data
that’s sequestered from entering the exchange stream. But Chuck is right, from
a patient perspective, how the data moves even within their own health care
institution is important to them.

Inside our medical group we have a long history of discussions about
disclosures within the medical group. And at one point mental health
information, including your diagnoses and your drugs, were protected and a
primary care physician couldn’t see that. They didn’t know a person was being
treated for depression.

So they’ve reconsidered that, and now primary care can see everything
because they made a very successful argument that’s part of high quality care.
You need to know a patient’s full medical history. What is sequestered is the
literal content of fantasies, and discussions within the psychotherapy. So that
record, section is walled off. We need a higher level of security to get to it.

And I’m thinking here that you need to think about a research agenda for the
EMR vendors. How in the world to they create the tools to sequester whatever
block of information you want to block off? And how do patients then get how to
interface with that? Is it even possible for a patient to understand what
you’re talking about here?

DR. CARR: So we’re going to — your points are well taken, but we’ve got —
I mean, part of the assessment is what is feasible to do. And you’re raising a
good point about patient input. And you’re also actually recommending Kaiser as
one of the landscape entities that we would look at.

Okay. We are approaching — I want to ask, is Marc Overhage back on?

(No response.)

Okay, Paul, did you have a comment?

DR. TANG: May I read a paragraph? What I’m trying to do is make sure that
the learning is about whether there are alternative categories that get put in
there. So if I can read the paragraph that’s up — it would be the second
paragraph. So, after paragraph one that says, one possible strategy is such and
such —

DR. FRANCIS: Let me get to where you are. You’re where?

DR. TANG: It’s your second paragraph on the screen. In the middle it starts
with the on possible strategy, and that’s fine. And then the “we recommend
selection of certain categories,” what I would do is propend that with a
phrase: “To further explore the feasibility and implications of using
categories to segment data, we recommend,” et cetera, just to say that’s
not the only way.

The paragraph that I would add is: “As we began to specify the details
of categories, we immediately uncovered questions about whether to include a
particular data element in the sense of the category. We assume that the data
that most people would consider sensitive would fall into one of a few
categories of information. However, as we probed the inclusion and exclusion of
data in a category, we found the classification scheme would propose to be
inclusive, but not very specific, i.e., there’s a fairly high probability of
segmenting data as sensitive when the data element is not particularly
sensitive to an individual, and when it’s sequestered, it may adversely affect
patient care decisions. For these reasons we’re not convinced that segmenting
data based on categories is the best approach to protecting certain data
elements that patients may consider sensitive and not want to share. We
recommend that the Secretary undertake further research to explore other
methods of protecting sensitive data that may not depend on the use of

DR. FRANCIS: May I just make a comment about that? First of all, recall that
we’re talking about context different controls. So we’re not talking about
necessarily treatment. And what you suggest, number one, doesn’t track the law,
and number two, we actually don’t have any testimony that supports that
alternative. So, that could be — we could say something about how as part of
— what I was going to say is as part of the current best practices we see
whether anybody is doing that — we could certainly do that — and take it from
there. It’s certainly part of the landscape.

DR. CARR: I’m confused. There’s a fundamental dialogue that’s going on here
that doesn’t sync out. I thought I just heard Chuck say that we’ve got to think
about the continuum. And I thought that’s what Paul was saying, that we’re not
just going to have a category that it’s all the uses and all of the elements.
And I don’t see a divergent; I see that a kind of conformance.

DR. SUAREZ: I think you’re talking about two different things. What Chuck
was referring to was uses and disclosures, not about granularity. It was not
about categories or not categories; it’s about whether the data is to be
protected within an organization or also externally.

DR. FRIEDMAN: Yes, I agree with Walter.

DR. GREEN: I think Paul’s suggestion could be incorporated to advantage, and
it would improve the letter in the following way. The letter actually has as a
strength its focus on building on prior work, where we were, what we thought,
and says we’ve got to come to terms with this. Either we can or we can’t do it
by category. And if we’re going to do it by category, we have to have the
capacity to segment and sequester. So we recommend that that get going. We need
to recognize that we have reason to believe that this may not work, and that
other approaches may have to be taken.

DR. CARR: No, that’s what Paul was saying, though. That’s just exactly —

DR. GREEN: But where I want to push back just a little bit is, I don’t think
we should recommend in this letter a new area of research for which we don’t
have support. This letter stays inside its skin if it stays with categories,
stays with sequestration and segmentation. But I think we should incorporate
into the letter what Paul just said, which is fundamentally we are no longer as
confident as we once were that this is doable, feasible, practical, helpful. It
may not achieve the desired end, and we may have to be prepared to study other
approaches. I think that should be put in the letter somewhere.

DR. FRANCIS: That is at the end. That is the final paragraph, and that’s
exactly what I was trying to —

DR. TANG: There’s actually a difference between, I think, the motivation for
Bill saying this is about research, this is not about the solution — it’s got
to have a motivation, because if we were always right about the categories, and
the way that we constructed law as by categories, then we would just go
implement it.

So when you say it’s not supported by law, it may turn out that — I don’t
understand that comment because there are certain things that they want to
protect. How you do it is irrelevant. Also, we can only restate things that
have been said in testimony. We obviously have an assimilative role here.

My purpose of bringing it up in front is the same that Bill said, we’re not
done yet. We understand that actually — we’ve discovered through this process
that categories may not work. And that needs to be said up front to set up the
argument for why we believe this letter primarily is about research on figuring
out to protect information.

DR. SUAREZ: I think, Larry, you said it very well. We all agree, I think,
that we need the capability of doing segmentation and sequestration. I think we
all agree on that. There could be three different levels — or more perhaps.
One is segmentation or sequestration of the whole record at one end. The other
end is segmentation and sequestration of data elements. And in the middle
there’s some way of organizing the data elements to make them be able to be
sequestered and segmented. And we think that today some organizations, some
HIEs are in this end of the spectrum saying all or nothing; that’s wrong. We
don’t think we should go to the individual data element level, because that’s
wrong. And we need to find a good middle ground with a series of categories of

Now, it is understandable that one data element could be in one or more
categories at different times and for different contexts. But we still have to
have the capability to segment and sequester data based on categories of data,
at least as we see it feasible.

DR. CARR: What I would like to do now is to summarize the contributions that
have been discussed today that would be worked into the letter through the
efforts of Leslie and Larry. And then I would like to entertain a proposal to
accept the letter with the changes as recommended. There will be some rework.
And then I would like a show of hands for acceptance of the letter.

So, I’m going to read at least what I understand to be the additions that
we’ve come up with. The recommendation is NCVHS recommends research and pilot
testing that will address mechanisms to identify, manage, and protect sensitive
information being exchanged in the electronic environment. That’s one
recommendation. And those recommendations would include an environmental
assessment, pilot testing, alignment with current federal and state law, and
patient input. So that’s one thing.

The other was that the letter will incorporate mention of all of the areas
that have been identified. And the decision about where to test it could be one
or all of those areas.

Now, I heard Paul’s language saying that we used to think we had all the
answers with categories. And now we think that categories don’t quite do it,
and there’s a continuum. And Larry was going to take that and incorporate that
into the letter. What else?

MS. BERNSTEIN: Well, that’s what I wanted to respond to, that specific last
statement. I think that the organization of the letter when we worked after
hours last night, the reason that we put the federal law up front is because —
we didn’t think of it as the fact that we don’t know the answer or whether this
is going to work or not as the motivation for doing this. The original
motivation comes to us because the law requires us to do it in certain cases
anyway. And so we’re going to see how to do — I mean, if it doesn’t work,
we’ve got much bigger problems than just finding another way. We have to change
the law, because we can’t actually implement what the Congress has asked us to

DR. TANG: And can you say what law you’re saying you’re trying to implement?

MS. BERNSTEIN: Well, for example, GINA.

DR. TANG: But GINA didn’t say categories; they said kinds of data.

MS. BERNSTEIN: No, GINA is an example of a category that you have to do
something with and manage separately. Paying cash is an example of type of
record that you have to learn how to manage. If we learn how to manage — I
mean, we can learn how to manage those.

But the other point I want to make is that we don’t want to hamstring those
people who are testing or doing research or whatever to only those narrow
things that have already been agreed to by the Congress, the President, and so
forth. We want to be a little more open about the possibility for it.

As Walter suggested in particular, this is already going on out there. The
developers are already developing this stuff. And we should look to what
they’re doing, see what the best practices are. I mean, I thought that was a
great addition today that we hadn’t captured in a letter before. Recognize that
this is actually already ongoing and we’re really expanding on this and asking
the Secretary to support that work.

DR. CARR: We need to take a next step. I’m going to let Marjorie have the
last word, then I’m going to ask Larry to make a proposal.

MS. GREENBERG: I do think it’s very important that we clarify this last
point, because just what I hear is — and with respect to everybody’s points of
view, this letter states that there are already categories that have been
identified. The committee has made recommendations about identifying sensitive
categories. These are the categories that are already in law. There are other
ones that are already in some state law, and there are others that we heard
about in testimony.

The committee recognizes that at the end of the day after testing, et
cetera, taking this categorical approach could be problematic, and it says
that. It isn’t a simple approach, and it needs a lot of study. That’s what I
think the letter says.

I hear Paul saying he would like the letter to say that we now realize that
identifying sensitive categories is probably not the right approach. I think he
has come to that conclusion. Those are really different. And so, I think the
letter — either you have to vote on two versions, or vote on the first version
and then if it doesn’t pass, try another version. But I think, with all due
respect to the chair, if you tell the people trying to revise this letter to
incorporate Paul’s position, then it’s a different letter.

DR. CARR: Okay. Let me just clarify, because I’m not hearing this the same
way. I think that our vernacular led us to talk about categories because that
fits with our experience. And categories are a roadmap. I mean, it’s not the
law. The law is about GINA, or the law is about HIPAA. To me, the categories
are a roadmap leading us to these sensitive areas. And as we’re seeing, even
beyond the law there are more sensitive areas. And as we have our discussions
they’re extremely context sensitive areas. So, while the categories provide a
good starting point, it’s not an endpoint. And so I thought that was what Paul
was trying to say, that we may not find the term category to be as — it will
always guide us, but it should not limit us, because there is sensitivity —

MS. GREENBERG: I think the letter says that now.

DR. CARR: Right. But I want to be really clear because I think you think
that there is a difference, and I think we’re saying that the taxonomy of
categories brought us to this point. Our experience, our insights, our dialogue
and our understanding has evolved to say that taxonomy of categories, while
helpful, may not be complete or sufficient. So, let’s just clarify that. Am I
saying that correctly?

DR. TANG: Yes. And the whole reason for bringing it up front is to justify
why we would ask for further research. If we were already convinced and further
convinced that categories is the way to go, we would just pilot, test, and
implement rather than understand the implications and the possibilities that
there may be other ways of looking at data, other than a category that you can
predefine. That’s what I’m trying to say.

DR. FRIEDMAN: I’m concerned, and this gets back to something we were
discussing yesterday and I’m now seeing, now that I see the new letter, is
still in play. There’s a risk, in my opinion, by virtue of the way we frame
this up front, of setting this up in a retrograde way that doesn’t reflect the
way people are already predominantly thinking about this problem. And the idea
that one would assign a kind of data in some permanent, persistent way to a
category, whatever that category is, is running counter to I think an emerging
view that any element of data can take on attributes by virtue of its local
context expressed technically in its local metadata.

I think we have to reflect in the report that kind of thinking, which
affects the way people frame the challenge both from a policy perspective and a
technical perspective. I don’t think this is a substantive change to the
report. It’s just the way it gets framed up from the outset.

And I’m a little bit on thin ice here in saying what we would say about the
specific elements of data that are called out in the report. I still think
there is something important about all of — something very important about all
the categories of data that are called out. But it shouldn’t be implied that
these have some permanent, persistent property.

DR. CARR: Okay. So now, Marjorie, are you in agreement that what we heard
from Paul and what we heard from Chuck resonates with the direction that we’re

MS. GREENBERG: I have to admit I’m a little confused. I think what Chuck
said is fine. It’s a nuance. It relates to what is already said in the letter,
but something could be sensitive to anybody. And something that’s sensitive in
one context may not be sensitive in another context. Address was given as an
example in the letter. You know, that could be very sensitive if someone is
trying to track someone down to abuse them or something. I’m okay with that.

I heard Paul say — but maybe I’m wrong — but I heard him say that he would
like the letter to start off by saying after we’ve really studied this we
really don’t think categories is such a good idea. That’s what I heard him say.

DR. CARR: Okay. So we want to clarify that. Are we throwing out the concept
of categories altogether, or are we saying that categories bring us part way
there, but not all the way.

DR. TANG: Do you want me to read it again? I believe that I’ve said what
Chuck said exactly. And the reason is because we need to alert people — the
entrenched stuff. People came from categories; that’s why we have certain laws
that feel like they’re categories, and it could be not true. And that’s my
alert. It’s just an alert to the reader. If you bury it at the end, you haven’t
done — that’s what Chuck is saying.

DR. SUAREZ: I think it’s going to be important to point out to that we refer
to here categories are attributes of data. We’re not, by virtue of saying
categories here, we’re not negating the fact that they are attributes of the

MS. BERNSTEIN: Also, more than one might apply. What I heard Chuck saying is
more than one might apply. We’re not — if it’s mental health, that doesn’t
mean it’s only mental health and it’s always mental health, but that the
attribute might change. It could be more than one attribute in one of these
categories. That’s part of what I heard you saying.

DR. SUAREZ: We’re very much in line with your concept that the categories
are attributes of data.

DR. FRIEDMAN: I don’t feel like I have any fundamental difference with Paul,
with what Paul is saying. I’m saying, say it up front in the way you frame the
problem. And what Paul is putting at the end is a logical deduction from the
way the problem would be framed from the outset.

DR. TANG: No, actually it’s in the end. I’m proposing to put it up front. So
that’s why we vigorously agree.

DR. GREEN: I move approval of the letter with the following understanding.
One is that the initial framing will capture the reason we’re writing this
letter now. And we’re writing this letter now because there’s been very little
progress on prior recommendations and work related to privacy and security and
remains a serious concern that threatens the utility of this nation of the
national health information network that we’re going to a lot of trouble to do.

We’re writing it now because we have learned more about it, and it’s kind of
a confusing mess. We believe that there is a need for the Secretary to initiate
some research efforts that would include an assessment of the state of the art
now, where they field is and where it’s moved, and also some pilot testing of
strategies that have been previously proposed and instances are required by
law, both federal and state.

So, that captures Paul’s intent, I think, about the framing that where he
makes it very explicit that this categorization thing may not be the way to
think about this thing at all. And it leaves room for Chuck’s point that data
that have attributes don’t require this step or whatever. It doesn’t foreclose
any of that, but it does position the letter to be driven off of our prior
work, the hearings, the testimony, and what exists. It stays where we are.

With that framing, then the letter will be reformatted to simplify and call
out the recommendations to enhance its understandability and that will be
reviewed and approved by the Executive Committee.

DR. WARREN: Second.

DR. CARR: Okay. All in favor? Oh — discussion, sorry.

DR. TANG: We spend a lot of time on words in all of our letters. I would
like to see if I can get approval for the words that I’m writing to express
what Chuck and I feel about — I’ll read it.

MS. GREENBERG: He’s actually recommending an amendment to the letter.

DR. CARR: Let’s hear it again. So what we’ve heard is that the
recommendation includes incorporating the content of Paul’s paragraph.

DR. WARREN: We have the motion that I seconded.

DR. CARR: The motion that we just heard captures Paul’s intent.

DR. GREEN: So to get very explicit, Paul’s comments – we have to fix
this right now if this is wrong, Paul. Paul’s comments are not saying abandon
categorization and start a new approach. He is saying that we’re not making
enough progress on this thing, and that it’s possible that this whole
categorization idea is not going to work. So we frame our letter with that
reality, but it is not a recommendation that we abandon categories.

DR. TANG: Right. And I’d be happy to read the text if that helps people. And
I am recommending that it be up front, and it’s very much in concert with what
Chuck said. It is something that we have discovered through this process, and
because there are so many people, I think the way he said it, that are sort of
entrenched in some of the former ways, like we were, we need to bring this to
people’s attention. That is the contribution.

DR. CARR: What I’ve heard is that the letter as it stands is not what’s up
for a vote. The letter that is up for a vote is the content of that with the
specificity on the recommendations to be as I mentioned earlier, and a framing
paragraph in the beginning that points to the fact that our learning’s have
brought us to a place where categories are helpful, they are not always
sufficient to help us get to sensitive data.

MS. BERNSTEIN: That is the very question, I think, that this letter is
whether we are there yet. Paul has already, I think, gone to a place where he’s
determined –

DR. TANG: Can I read it again and let people decide.

MS. BERNSTEIN: We’ve heard it already. It’s on the record.

DR. CARR: So, there is discussion about what we recall hearing, and so in
order to enlighten this discussion we will ask Paul to re-read that.

DR. TANG: As we began to specify the details of the categories, we
immediately uncovered questions about whether to include a particular data
element in a sensitive category. We assume that the data most people may
consider sensitive would fall into one of a few categories of information.
However, as we probed the inclusion and exclusion of data in a category, we
found the classification scheme we proposed to be inclusive, but not very
specific (i.e., there’s a fairly high probability of segmenting data as
sensitive when the data element is not particularly sensitive to an individual,
and its sequestering may adversely affect patient care decisions.) For these
reasons we’re not convinced that segmenting data based on categories is the
best approach to protecting certain data. We recommend that the Secretary
undertake further research to explore other methods of protecting sensitive
data that may not depend on use of categories.

DR. STEINWACHS: Can I just make a suggestion? This is going to be — you’ve
made a recommendation, Paul, for a way to say it, but it still has to be put
into the letter and integrated. And it then comes to the executive
subcommittee. And you are on the executive subcommittee. I think it’s almost
impossible to approve the paragraph, and then say Leslie and Larry are going to
go rework the letter and then bring it back to the executive subcommittee. So,
you know, I think we agree on the concept; at least I certainly do. And we
ought to go ahead with the vote.

DR. FRANCIS: What I just wanted to say about that is where I get off of this
is a recommendation that says that we reject categorization.

DR. STEINWACHS: We’ve got three recommendations I think. This talks about
the rationale and the concerns.

MS. GREENBERG: I just think we have to recognize that we can’t send a letter
that basically has all of this discussion about categories and fundamentally
undermine the letter in the first paragraph.

DR. GREEN: I agree with Marjorie; we can’t do that.

DR. SCANLON: I think we could modify what Paul just said by saying,
investigate others in addition to, and that would cover it.

DR. CARR: I think that we are not prepared to accept the exact wording
because we have to see the flow of the letter, but we are prepared to accept
the statement that our understanding is evolving, and that in addition to
categories, there are other dimensions. There may be, and we’ll learn.

DR. SCANLON: Could I just say from a procedural perspective, I think that
while in the past we have said we’re approving something and we’re giving it to
the executive subcommittee to approve, this is a bigger change than what we’ve
done sort of in the past. And I think from a good procedure perspective, what
we should approve is in essence a charge to revise this letter according to
this charge, and then the entire committee gets it and we approve it without —
we approve it either via email or over the phone. There’s at least one
precedent for that in the past that I remember.

DR. SUAREZ: If I may say, I think we have 90 percent of the letter pretty
much in consensus, if I understand what I heard. I think the only part that is
not defining wording is the introduction, except the clear points that Larry
makes. That is where we are; we are 95 percent there.

DR. CARR: Yes, I do agree. I mean, is there anyone here who feels that
there’s anything that will appear in this letter that needs further discussion
before we go. Chuck?

DR. FRIEDMAN: I just want to make it clear that what I’m about to say can
all be handled in the framing. But it’s very important to get the framing
right. I am very concerned that unless we get the framing right people will
read this letter and say these guys are stuck in the 80s, and it dawned on them
that maybe something has happened since 1980, but they’re not quite sure what
it is.

So, I think we have to, instead of saying it that way, acknowledge that
there is a different view of the world that captures data in context. And we
can say this in a way that makes it technically possible to do the kinds of
things envisioned here. Then we have to find a way to say, but calling out
these specific kinds of data would sort of default to sensitive, even though
context can change that. Or other kinds of data that default to non-sensitive
can be made sensitive. That’s the point that we want to make.

Identifying those data that default to sensitive is a major push forward by
this report. It’s just how we write the first two paragraphs, and I think that
can be very easily done to reflect the sentiment Paul is trying to convey —
and others. I just don’t want people to say, oh my God, they’re stuck in the

MS. GREENBERG: All good discussion; it will all be in the transcript. I
guess, as the executive secretary, but I defer to the chair, I think there was
a commitment for an up or down vote on the letter. We have a — and so to say
no, just give them a charge, I think doesn’t advance us very much. But it might
be. If people vote against the letter, than that’s a second motion.

We do have a motion from Larry. We have a second from Judy. I think it’s
time for an up or down vote on the letter, and then see next steps after that
happens. That’s my view.

DR. MIDDLETON: So, just to clarify, is the movement or the proposition then
on the letter as amended by Paul’s language, or as originally stated?

DR. CARR: No, the letter will be amended by the recommendations that came
forward today about specificity in terms of the pilots and what they’re
intended to accomplish and by the addition of some framing, two paragraphs as
Chuck just outlined, to demonstrate that we’re not in the 80s, but that we’re
aware of the evolving landscape. And thirdly, that we trim some of the
narrative to put in footnotes where possible.

DR. MIDDLETON: So another point of order or clarification, this vote then
only votes to move forward with the process; it’s not voting on a final letter,
is that correct?

DR. CARR: No, it’s a vote that we have communicated clearly to the final
writers, Leslie and Larry, the intent and expectation of the committee, and
that we give them the right to go ahead with this letter. But it would still go
to the executive subcommittee before the final release.

MS. GREENBERG: The vote is on the letter with all the caveats that have been
described, though no specific language that has been offered. It would not have
to — if it passes, it does not have to come back to the full committee. It
will go be reviewed by the executive subcommittee for, you know, finalization
like we often do. That means that all the members of the executive
subcommittee, which includes the liaisons, that includes you Chuck, will have
an opportunity to look at it and say, “Oh this wasn’t what we
thought,” and you know. But it’s not going to come back to the full
committee, and the executive subcommittee —

DR. CARR: Will exercise its right on behalf of the committee.

DR. TANG: I didn’t hear — you said it did not include my edits?

DR. CARR: It includes your concepts up front as framed by Larry’s statement
and Chucks. So it sounds like Paul’s asking are we going to have it just at the
end of the letter, or is it going to be in the beginning of the letter. And I
thought I —

DR. GREEN: It’s going to be — the concept will be part of the framing, as
will Chuck’s point.

DR. CARR: The introductory framing comments. Not his specific language, but
the concepts. It may or may not include his language. Okay. I’m going to just
call on one at a time so that we get this count correct. Mark Hornbrook, do you
support that; yes or no?


DR. CARR: Sallie?

MS. MILAM: Approve.

DR. CARR: Larry?

DR. GREEN: Approve.

DR. CARR: Don? Judy?


DR. CARR: Justine, yes. Paul?

DR. TANG: I’m afraid I’m with Bill. I can’t — that amount of change is —

DR. CARR: Okay. Leslie?

DR. FRANCIS: Approve.

DR. CARR: John?

MR. HOUSTON: Approve.

DR. CARR: Bill?


DR. CARR: And are we missing anybody? Blackford?


DR. CARR: Okay. Marc Overhage? Okay. We have 13 people voting; is that


Twelve, with Blackford it’s 12. So we have three no’s and nine yeses. What
did we say last night, 25 percent, 75 percent?

DR. FRANCIS: You said four no’s and you would move it forward.

DR. CARR: Yes, so I think we go forward with the plan that Larry and Leslie
will aptly represent the discussion today, and this will come back hopefully
within the week to the executive subcommittee for final approval.

DR. STEINWACHS: Let me just ask, the executive subcommittee is going to do
the final approval, but will the letter be circulated to the full committee at
the time the executive subcommittee gets it, too, so that there’s an
opportunity for non-executive subcommittee at least to talk to those and talk
to you.

DR. CARR: Sure. Larry?

DR. GREEN: Is there any reason why we would not, having done that, then
invite the response of the entire committee to look at it?

DR. CARR: We’re going to circulate it and invite the response of the full
committee. Our motion was that it goes to the executive subcommittee, which is
how it’s done almost more for logistics, but I think the actual circulating
will give ample opportunity for input from everyone on the committee to members
of the executive subcommittee.

MS. GREENBERG: Actually, I thought what Larry was going to suggest is if
those who have voted against the letter, once they actually see the final
version, then their comfort level is raised, they could change their vote, I
think. They don’t have to.

DR. CARR: Well, they’re just saying — yes, we’re still going to review the

DR. SCANLON: And I thing our vote — or at least my vote is on the process,
not sort of on the substance of the discussion. And I think it’s more of how
sort of external parties would view our deliberations. But if you listen to the
discussion we had, which was rich and varied, and then you ask sort of, okay,
what does this imply for the letter, it’s very difficult to envision that it’s
going to imply for the letter. And so there’s this question of voting with,
sort of with confidence in terms of what is on the table.

DR. CARR: So, let the record reflect that Bill and — Paul is that your, do
you share Bill’s view that it’s a process issue? And Blackford, are you voting
because you don’t support the letter or because you don’t, you prefer a
different process?

DR. MIDDLETON: I don’t support the letter as it’s currently written, and I
thought the process was — I mean what I understood was that the executive
committee would still receive a revised letter, so my final determination I
could offer at that time.

DR. CARR: Okay, right. So really no one is voting against the content until
we see the final letters.

DR. TANG: I mean, I’m like Blackford, which is, I’m not happy with the
content now, and I’m not happy with not being able to vote on the content. And
I just got and email or text from Marc and he’s voting no.

MS. GREENBERG: That is not the way we vote.

DR. CARR: I think we just have to get the next iteration, and there will be
an opportunity — well, let me ask you what’s the process then? If the letter’s
not satisfactory to the executive subcommittee, what’s the process?

MS. GREENBERG: The executive subcommittee would have to recommend that it
ask the committee to reconsider it.

DR. CARR: Okay. So, if it’s not acceptable to the executive subcommittee, it
comes back to the full committee.

MS. GREENBERG: Yes, the executive subcommittee has the right to say, we were
given this charge, we aren’t happy with what we got and take it back. The
committee could then say, no, we told you the first time to go with the letter,
or it could say, fine. But you have that right.

DR. CARR: No pressure, Larry and Leslie. Do you want to state a timeframe? I
said within a week, if we could get the draft within a week; does that seem
realistic? Thank you.

Moving on. I think we’re at the end of our — we’ve exceeded the end of the
hour. There are a couple of things that I think we’ll do the subcommittee — we
have an executive committee retreat this afternoon, and we’ll do the
subcommittee report outs at that time. We’ll postpone the updates from the
summer meetings.

Are there any other comments? I thank you all. The amount of work that went
on in these two days is really exceptional, and I applaud the efforts and thank
you for them and look forward to our December meeting. Adjourned.

(Whereupon, at 12:45 P.M., the meeting was adjourned.)