[This Transcript is Unedited]



September 25, 2007

Crowne Plaza Silver Spring Hotel
8777 Georgia Avenue
Silver Spring, Maryland

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway
Fairfax, Virginia 22030


P R O C E E D I N G S (9:15 a.m.)

Agenda Item: Call to Order, Welcome and

DR. COHN: Well, good morning, everyone, and welcome to beautiful downtown
Silver Spring.

DR. STEINWACHS: Why did we get kicked out of the building? Was it that we
haven’t been behaving well, is that how we ended up in beautiful, downtown
Silver Spring?

PARTICIPANT: I think there were security risks.

DR. STEINWACHS: That’s probably ending right now.

DR. SCANLON: Actually, I can answer that question.

Our Emergency Preparedness and Pandemic Preparedness folks have taken over
and expanded the operation center. So they are using our usual conference room


DR. SCANLON: So it’s nothing personal.

DR. STEINWACHS: Thank you.

DR. COHN: Well, despite these comments on space and location, I do want to
just acknowledge how beautiful the weather is, is likely to be, and I would
just contrast that to our February meeting where there was an emergency snow
closure of Washington, D.C. So I think the good news is that we should be able
to deliberate and meet today and tomorrow as planned, which is important.

Now, with that, I want to call the meeting to order.

This is the first day of two days of meetings of the National Committee on
Vital and Health Statistics.

The National Committee is a statutory public advisory committee to the U.S.
Department of Health and Human Services on national health information policy.

I’m Simon Cohn. I’m Associate Executive Director for Kaiser Permanente and
chair of the committee.

I want to welcome committee members, HHS staff and others here in person
and also welcome those listening in on the internet, and I do believe we are
being broadcast. OK.

Let’s now have introductions around the table and then around the room.

For those on the National Committee, as always, I would ask if you have any
conflicts of interest related to any of the issues coming before us today would
you so publicly disclose during your introductions?

I want to begin by observing that I have no conflicts of interest.


MS. GREENBERG: Good morning. I’m Marjorie Greenberg from the National
Center for Health Statistics, CDC, and Executive Secretary to the committee.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina.
Member of the committee. No conflicts.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center. Member
of the committee. I have no conflicts.

DR. TANG: Paul Tang, Palo Alto Medical Foundation. Member of the committee.
No conflicts.

MR. LAND: Garland Land, member of the committee. NAPHS. No conflicts.

DR. STEINWACHS: Don Steinwachs. Johns Hopkins University. Member of the
committee. No conflicts.

DR. GREEN: Larry Green, University of Colorado. Member. No conflicts.

MS. MC CALL: Carol McCall. Humana. Member of the committee. No known

DR. FITZMAURICE: Michael Fitzmaurice. Liaison to the committee and staff to
the Subcommittee on Standards and Security.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center. Member of the
committee and no conflicts.

DR. SCANLON: Bill Scanlon. Health Policy R&D. Member of the committee.
No conflicts.

DR. FRANCIS: Leslie Francis. University of Utah. Member of the committee
and no conflicts.

DR. STEUERLE: I’m Gene Steuerle from the Urban Institute. Member of the
committee and no conflicts.

DR. WARREN: Judy Warren. University of Kansas School of Nursing. Member of
the committee. No conflicts.

DR. STEINDEL: Steve Steindel. Centers for Disease Control and Prevention.
Liaison to the committee.

MR. BLAIR: Jeff Blair. Lovelace Clinic Foundation. No conflicts that I’m
aware of.

MR. SCANLON: Jim Scanlon, HHS. Executive Staff Director for the Full

(Introductions around room.)

DR. COHN: Okay. Well, welcome, everyone.

I should also comment that we’ll be seeing Mark Rothstein later on today. I
think, as you all realize, he has — he’s on special assignment from his law
professorship at University of Maryland, and I think is sort of trying to
figure out ways to make all of this work.

Marc Overhage will also be arriving, I think, tomorrow morning.
Unfortunately, he has a conflict this morning.

Now, before we move into the agenda review, let me make a couple of opening

We have a very full meeting today and tomorrow, so we’ll try to be as brief
as possible, because we really do have a lot to discuss and a lot of action
items to go over.

I think, as you all would observe, given our summer, the activities of the
committee continue at a very fast pace, reflecting the increased importance and
federal attention being placed on health information technology and the role it
can play to improve the quality and reduce the costs of healthcare, as well as,
obviously, improve the health of all Americans.

Within HHS, Secretary Leavitt continues to consider promotion of
interoperable HIT, one of his key priorities, and, of course, in all of this,
NCVHS continues to play an important role advising the Secretary and the
department directly, as well as providing expertise and liaisons to other HHS
initiatives moving forward the vision of an NHII, including such things as AHIC

I do want to particularly note the major recent work products of the NCVHS,
which are being actively utilized within HHS, specifically, the excellent
report on privacy in the NHIN, and our report on defining a minimum but
inclusive set of functional requirements for the initial definition of the

Both are being used within the government. ONC with recent RFPs identified
both and referenced both.

We are also aware that ONC — to develop a framework for privacy and
confidentiality and security, is also considering our document on privacy and
confidentiality one of the base inputs for that document and work.

Now, today and tomorrow, we will spend considerable time discussing the
draft document developed by the ad hoc workgroup on secondary uses of health

As you all remember, we kicked this effort off in June. This work was
undertaken at the specific request of the department, and, in particular, the
Office of the National Coordinator.

Specifically, we have been asked to develop an overall conceptual and
policy framework that addresses secondary uses of health information, including
the taxonomy and definition of terms, as well as develop recommendations to the
department on needs for additional policy, guidance, regulation and/or public
education related to expanded uses of health data in the context of the
developing nationwide health information network.

And, of course, all of this with an initial emphasis on uses of data for
quality measurement, improvement and reporting.

Now, I want to just take a moment and thank Harry Reynolds and Justine Carr
for their leadership on this activity and as Vice Chairs.

I’ve been depending on them significantly and, really, both have my sincere
thanks, which, of course, we’ll see another piece of that today in our

I, of course, also want to thank Paul Tang, Bill Scanlon, Marc Overhage,
Mark Rothstein and Kevin Vigilante for their participation in what has been a
— really a summer of activity in Washington on these issues, and, of course,
the many of you who have been willing to be reviewers, our staff, including
Cynthia Sidney(ph), Debbie Jackson, obviously, Marjorie and Jim, who have
participated and been helpful in this regard, and, of course, our consultants,
and Margaret already introduced herself, but also Aaron Grant and Christine —
Anderson from Booz Allen, who have also been very helpful and instrumental in
this activity.

Now, I mention this to you both for the individual contributions that
everyone has made to this effort, but also as an example of the flexibility of
the national committee and the ability of our infrastructure to rapidly respond
to department needs.

It is a great example of how we’ve been able to leverage our broad
expertise in standards, privacy, security and population health, which, of
course, is represented on the committee, and do it in a rapid fashion.

Agenda Item: Review of Agenda

DR. COHN: But, of course, as I mention all this stuff, we have, obviously,
a lot of other action items to discuss over the next couple of days, and so let
me briefly mention what we’re going to be doing today.

We will be spending a little more time at the end of the day today talking
about tomorrow’s activities, but let’s at least take a look at the agenda,
noticing that it is being modified a little bit, partly because of car issues
and other things like that by some of our presenters.

This morning, we begin with a department update from Jim Scanlon. Jim,
thank you for being here to present.

Your agenda shows that after that, Karen Trudel was supposed to be
presenting the CMS update and also talking about HIPAA.

My understanding is that her car is being towed as we speak, and — we
will, hopefully, be seeing her later on today, and if not today, we’ll get that
update tomorrow morning first thing.

Following the morning break, we begin a discussion of a letter being
brought forward by the Subcommittee on Standards and Security, proposing
modifications to the current HIPAA transaction standards, which will be an
action item for this meeting, either today or tomorrow.

Then, we are pleased to have an update from the Office of the National
Coordinator. We have Charles Friedman and Kelly Cronin, who should be arriving,
to both talk about the current activities of the department as well as
providing an update on future plans and relationship to AHIC, and, obviously,
there’s a set of activities that the government is engaged in trying to
identify sort of successor and transition planning regarding that.

Before lunch and extending into the mid afternoon is a discussion of the
draft report being brought forward by the ad hoc workgroup.

I want to emphasize that this is for discussion and not for action either
today or tomorrow.

And let me just talk about the purpose of it. And I know that Justine and
Harry will also review this. But the purpose of the conversation has to do
with, one, assuring understanding, and given that this is about a 30-page
document, we want to make sure that everybody sort of understands what’s in it.
So that’s number one.

Number two is is that we want to identify areas of agreement and
disagreement as it relates to observations and recommendations.

And, then, three, we want to understand sort of what we’re missing and what
else needs to be included in the document to sort of bring it up to NCVHS

Now, what I will tell you is is that as much as we all love wordsmithing,
today and tomorrow is probably not the time to wordsmith the document, except
as it relates to content. I mean, if the meaning is unclear, we do have to talk
about really what the meaning is without getting into that.

We, of course, always accept and welcome redline versions of documents, and
it really does help improve the document, but I just want to sort of set that
up as an expectation of the discussion of the day.

Now, later on this afternoon, we begin a discussion of a letter report
being brought forward by the Workgroup on Quality for action at this meeting,
and I think you’ve all received a copy of that.

Now, at about four o’clock, we will prepare to adjourn into our
subcommittee breakouts, and we have, I believe, Populations and Privacy and
Confidentiality, which will be meeting between four and six.

At that point, we will talk about the next day’s agenda, sort of
expectations for the conversation, as well as the pre-meetings which will occur
tomorrow morning.

Now, as I say that, I do want to make sure that everybody does have a
chance to look at, even though we will not be discussing today, Tab 4.

Tab 4 was developed at member request, and it sort of relates to sort of
protocols and guidelines of functioning of workgroups and subcommittees.

As I said, we will not be discussing it today, but we will be discussing it
tomorrow morning, and if it’s something that everybody generally agrees with,
we will put it sort of into our protocol packets. It’ll be part of the new
briefing for members.

Oh, yes. OK. And I also, for tomorrow, want to mention what I thought was
excellent, which I read on the plane out — one of the nice things of long
plane flights — is the 2005-2006 NCVHS report, which we will also be talking
about and will be an action item for tomorrow.

I will tell you I’ve read a lot of these ones and I thought that the way it
was framed was actually exceptional. I mean, there may be some additional
wordsmithing that members want to engage in, but I thought the framing as well
as the fact that the document actually began to allude to and include
activities that we’re now engaged in sort of give it current life, as opposed
to just being a document that is sort of dated from the get go.

So —

DR. STEINDEL: Felt like we had a life.

DR. COHN: Felt that we had a life. Yes. Well, maybe after the ad hoc
committee, you will have a life again.

MS. GREENBERG: Unlikely.

DR. COHN: Yes.

(Dinner discussion.)

DR. COHN: Okay. Well, Jim, with that, why don’t we begin our department
update and go from there?

Agenda Item: Department Update — Data Council

MR. SCANLON: Okay. Thank you, Simon.

Well, let’s see. Since we met in June, a number of developments have

Let me bring you up to date on a couple of policy developments, including
updates to the Secretary’s priority areas, which I had mentioned previously.

And, in addition, HHS has just revised our strategic plan, which will be
2007-2012, and I’ll talk a little bit about the goals there are as well, and,
then, I’ll update you on some other projects and activities.

I think you have at your place a description of nine priority areas. This
is the revision and update of the Secretary’s priorities for healthcare largely
dealing with healthcare.

I won’t go through each of these, and we’ve gone through them before, but
the — you’ll see they’re slightly modified from previously, but let me give
you the titles at any rate.

And, remember, these are what the Secretary regards as transformational
kinds of activities in which, if progress could be made in these areas, a lot
of other activities would improve in public health and healthcare, and social
welfare as well.

The first one deals with health insurance access for every American. There
are different ways to do this. Some of these involves state health reform. But
the goal would be access to health insurance for all Americans.

Second is insurance for children in need. This is specifically related to
the state children’s health insurance program that’s currently awaiting
authorization in Congress. There’ll probably be some action this week.

A third initiative is called Value-Driven Healthcare. Here, the focus is on
providing quality — information about quality and cost to support better
choices in healthcare.

Information technology, obviously, that remains a secretarial priority.

Personalized healthcare really refers to probably the care — the potential
we see on the horizon in which the fruits of research, including genomic
research, are translated into research, development, diagnostic and therapeutic
tools and are brought to the bedside in everyday medical practice.

So I think we have a number of genomic diagnostic tests now, not a whole
number of therapeutics at the moment, and it’s fairly narrow. But I think
everyone looks at this area as a number of tests and therapeutic interventions
in the pipeline.

And the idea here is that rather than everyone getting the average approach
to treatment or prevention, clinicians would be able to tailor healthcare
treatments based on the genomic structure.

Health diplomacy. This refers to using public health to — in support of
national objectives, typically in developing countries. So Africa, South
America and so on.

Apparently, there are just very specific projects here.

Prevention has always been a major area, and, here, this refers to a lot of
healthy behavior and prevention activity.

Interest continues on helping the Louisiana and the New Orleans healthcare
system to be restored.

Actually, a different sort of a healthcare system that’s not so much
hospital based.

And, finally, preparedness, both pandemic and emergency preparedness. Focus
continues there as well.

So those are the areas that the Secretary is willing to spend a fair amount
of time on. And so he’s traveling a lot and he’s providing leadership in those

And, as you see, health IT and data play a big part in all of those, and,
in fact, health IT is one of the priorities as well.

In addition, as I said, HHS has just gone through a process of revising our
strategic plan. Again, you have the summary paper in front of you.

This covers the next five years, and it — these are fairly high-level
goals, strategic goals focusing on basically affordability, safety, quality and
accessibility of healthcare, prevention — a whole range of prevention

On the welfare side, on the social welfare side, promote the economic and
social well being of individuals, families and communities.

And on the research and science side, to advance scientific and medical

And you’ll see specific sub-objectives in each one of those.

And, again, I think you’ll see that health IT and data are a big part of
all of these objectives.

Let me turn now, just briefly, to the legislative front.

As you all know, there has been for the past several years and continues to
be interest in health IT bills in Congress. And there are a number of them now.
But in the Senate, the Wired for Healthcare Act, I guess it’s called, would
include several activities in health IT.

Partly, it would codify the Office of the National Coordinator. So it would
place it into statute.

It would also codify the American Health Information Community, which is
actually problematic, since the idea at the moment in HHS is to transform that
into some other kind of a body.

But, in addition, that bill would — if enacted — would establish a number
of grant programs and loan programs for health IT. And it would also include
some studies on privacy as well, and some recommendations on privacy.

So, again, we don’t know how — whether that bill will get further
attention in Congress this year, given all the other activities that are

On the budget side — and this applies to all of our HHS agencies and most
other cabinet departments — we’re winding down this current fiscal year,
’07. Basically less than a week left. Very few federal agencies have any
appropriations for ’08, which begins October 1st. So we will
probably have a continuing resolution at which we can obligate funding at about
the same amount we did previously. So it may slow things down a bit in terms of
undertaking new projects.

But on the Hill, where Congress is considering the fiscal year ’08
budget, there are a number of health IT investments.

There is one concern, the Office of the National Coordinator — and they
can speak for themselves later — would actually be funded at a reduced level
than what the President requested. It would be between $60 million and $70
million, rather than the amount that was requested in the President’s Budget.
So we’ll have to evaluate that.

At the population health data side, in general, most of our core
statistical systems would be funded at current levels. It’s not a growth
budget, by any means.

And the one concern there will be NCHS. We’ll have to see where exactly
that turns out as well.

And let me just — a couple of projects that our office and the Data
Council have undertaken in the past few weeks, let me just bring you up to date
on those.

I think I reported previously that the Data Council, working with NCHS and
CDC and others, sponsored a workshop on the potential utility of electronic
health record information for survey, healthcare provider surveys and health
statistics. And several of you were speakers and participated as well.

I think, generally, the conclusion was that there — for the purpose of
surveys — physician surveys, hospital-care surveys — the penetration of
electronic health records, at the moment, was not sufficient to support
representative sampling — we all knew that — though, there were clearly
providers and plans and so on where the capability is such that they can
support research and other kinds of activities.

We discussed this at the Data Council earlier this month, and we’re looking
at areas in which we could follow up.

So even if it’s not possible to do a representative survey of, for example,
a hospital — hospitals or physicians’ offices, based on electronic-record
information, there may be pilots that we could undertake to see what would we
have to resolve, what would be the nature of the content and so on to begin
along this way.

And the National Library of Medicine has offered some of its grantees as
potential pilot sites. So we’ll be following that up in the fall.

A couple of interesting projects our office has just taken up.

We have supported a survey at the National Center for Health Statistics.
This is a survey of hospital emergency departments. We’ll be — of hospital
emergency preparedness.

It’ll focus on pandemic preparedness as well as sort of all hazards
preparedness. And we’ll be getting some updated information on measures that —
we originally took a survey in 2004.

So we’ll be looking at what — the capability and standards and plans,
regional agreements and so on. I think we have some questions on diversion as
well — hospital diversion, emergency-room diversion.

So that will begin in January at the National Center for Health Statistics.

In addition, working with CMS, we are undertaking an assessment of
electronic personal-health records. These are pilot studies that CMS is doing
for the Fee-for-Service Medicare Program. So we’re just about to start that.

We’ll be looking at the pilots, the suitability, the capability,
functionality, privacy protections and so on for electronic personal-health

We are also — with some of our healthcare safety-net providers, we are
undertaking an assessment of health IT and health information exchange in
community health centers and the public healthcare safety net. And we’ll be
starting that in the fall as well.

And, finally, I think I reported previously, we have a study underway. It’s
really an assessment of the needs, requirements, competencies and projections
for the health IT workforce.

And let me stop there.

DR. COHN: Okay. Any questions?

Jim, I guess I’m understanding why I haven’t seen you much recently. Sounds
like you’ve got a lot on your plate.

MR. SCANLON: These are end-of-the-fiscal year —

DR. COHN: Marjorie, did you have a comment?

MS. GREENBERG: I just wanted to note, regarding — as part of the update of
the department that, in Tab 7, we have a very nice response from the Secretary
to the CHI recommendations. And this should be posted by now, I think, on the

And we’re going to try to — when we get, you know, really substantive
responses like this, we’ll try to be posting them along with our letter, I
think. There’s been some requests for that, and I think it’s a good idea.

MR. SCANLON: Yes. I think that was the final set of CHI recommendations and

DR. COHN: Yes.

DR. STEINWACHS: I understand that I guess both the House and the Senate
passed the FDA bill that would strengthen capacity for post-market
surveillance. And I assume people are hopeful the President will sign it.

And I was wondering if you had any comments about that, because I
understand that part of that would be to build a sort of data consortium that
would not only be a resource for FDA, but maybe a resource for researchers,
too, that might draw out both electronic health records, but also
administrative records —

MR. SCANLON: Yes, my office was involved a fair amount in the
reauthorization of the Food and Drug Administration. And the bills were passed
by both Houses of Congress, and the President will be signing it shortly, just
in time, because, actually — part of FDA depends on user fees, and, basically,
if it was not reauthorized, the agency would almost have to — would have to
just close down, which is a periodic threat —

But, at any rate, the FDA reauthorization bill contains a number of
revisions. One of them is really an attempt to get better — really using
information infrastructure to get — to help with monitoring safety after the
drug’s approved and so on.

So part of this will be — and, again, we’ll have to see where this goes,
but this would be a project that tries to pull together large-scale databases
that are already available from health plans and others that would be marshaled
for analysis to monitor any potential drug-safety problems.

As you know, now, it’s largely — after the drug is approved, it’s an
adverse-event reporting system. And it’s — while it certainly works — it can
identify adverse events — this is a more systematic way, and this is probably
a more modern way to approach it as well.

In addition, there is something — a concept called Sentinel, which would
include, probably, a sample or a small number of emergency departments and
physicians offices that would agree to report affirmatively, rather than
passive surveillance on drug-safety problems as well.

MR. BLAIR: I saw two articles just recently, and maybe you could help me
understand them a little better.

One was the funding, which was nice to see. And, then, the other one was an
FDA announcement that it was going to start to hold hearings on the standards
that it should use.

And the essence of my question is that does the funding or the hearings on
standards relate at all to FDA — increasing FDA capacity or speed in being
able to support the information for National Library of Medicine to do RxNorm
or the sigs that were part of the e-prescribing standards?

MR. SCANLON: Well, you’re right, Jeff. There are a number of other — FDA
really has — you know, as budgets allow — has — really understands the role
of health IT and standards and so on.

And, as you’ll remember, it was a consortium of funding that helped with
RxNorm and DailyMed and the National Drug Code revision.

So there should be — I’m not expecting a large infusion of funds for FDA
for those purposes, but I think we would have at least the amount we’ve had
previously to move the standards along.

And to the extent — I think you’re exactly right. To the extent that FDA
could rely on modern information technology, including standards and
classification systems, to support adverse reporting and to support even the
initial drug application, it just makes the system more effective and more

DR. GREEN: Jim, could you just elaborate a little more about the thinking
of strategy and timing related to the personal health record to sort of clue
the committee in what we might anticipate coming down the pike there?

MR. SCANLON: Yes, that’s probably the newest of the secretarial
initiatives, and, in many ways, it’s a very high-level concept.

But the Secretary, last week, gave a talk in which he — he released our
HHS report — which I’ll make available to the committee — on what the concept
is and the framework for personalized healthcare, and the activities that we
have underway in HHS, again, with what we hope to be the outcomes.

And so this concept, again, includes taking the fruit of scientific
discovery and research, much of which NIH supports, but not alone, and hoping
to move the process from the discovery of the information into tests and
understanding therapeutic products and so on, so moving it through the
technology development chain, which would largely be pharmaceutical companies
and device through the FDA process and then into everyday medical practice and

Now, we do this anyway, and this will happen anyway, obviously. But I think
folks have estimated that an innovation in healthcare often takes the average
time with somewhere like 15 to 17 years before even a widely-recognized
innovation makes it into everyday practice.

Now, that’s not true in every case, but it does take a fair amount of time
for obviously beneficial developments to make their way into everyday practice.
So that the idea here is to use whatever levers HHS has to promote and
accelerate that process.

And from what I understand from FDA, there are already a number of — and
the focus, though not the sole focus, is the genome, what the studies and what
the research and what the discovery in genomic structure, and, then, what the
manifestation of the gene structure is in the body, will that information be
used to support diagnostic tests, therapeutic interventions, and, in some
cases, even to measure whether — what your response to a medication will be.

We just had an announcement from FDA last week of a look at Warfarin and
how individuals respond differently to Warfarin.

As you know, better than I, in some cases, it’s quite dangerous for
individuals. In others — others tolerate it. It works very well. Well, there
are specific genomic indicators about how to differentiate there.

And from what I understand from our FDA colleagues, there are a number of
— in the pipeline, there are a number of tests and measures on the horizon,
and, hopefully, they’ll make their way through.

But the whole idea would be to — it’s referred to as personalized
healthcare in the sense that it would be predictive. It would be preemptive in
the sense that it would, hopefully, intervene before the condition develops or
gets worse. It would be personalized in the sense that it would be based on
your makeup, to the extent possible, and participatory, in the sense that the
patient would have more discussion and more counseling and more say about it,
you know?

Details are just — you know, will have to come out of the research

DR. COHN: Yes, and there’s a variety of reports.

Larry, let me just clarify, though. I wasn’t clear whether you — were you
asking about personalized or personal health records?

DR. GREEN: I was talking about the personal health record. You know —

DR. COHN: Okay. Fine. I didn’t want to break in, but I think that this
actually points out the interesting terminology issues that we’re beginning to
face where everything sort of begins to sound the same.


DR. COHN: Yes, and I just wanted to clarify, because I wasn’t — I thought
you gave an excellent answer on that one.

PARTICIPANT: Never mind.

(Several participants at once).

MS. GREENBERG: Is there anything in here about the personal health —

MR. SCANLON(?): No, we haven’t discussed —

DR. COHN: Let Jim answer personal health —

MR. SCANLON: Do I have a minute?

(Several participants at once).

MR. SCANLON: Well, again, this is — you’re all more aware than most of the
— besides electronic health records in the clinical setting and information
exchange, there’s great interest now, and, actually, a fair number of products
coming on the market that are electronic personal health records.

So this is really geared for the patient and the client, rather than the
clinician solely.

And, in fact, the NCVHS did a nice evaluation, I guess, almost two years
ago of the — what are the desired characteristics and functionalities of
electronic personal health records.

Well, now, we have, in HHS, the Medicare program will be supporting pilot
studies in the managed-care part of Medicare for the folks — for the
beneficiaries enrolled there and in the fee-for-service part of Medicare.

And we and AHRQ and ONC will be working with CMS, at their request, to
conduct an evaluation of sort of what are the — what’s the actual
functionality, how is privacy and confidentiality protected, what is it that
clinicians like or don’t like about them, what is it that the beneficiaries
actually like or don’t like, so that it will provide the basis, hopefully, for
— and I think the first step will be to look at the products on the market and
the — sort of an environmental scan. What’s the capability of the markets now
— of the products on the market now.

A number of health plans have already — are already offering these, and
they range everywhere from just a little bit of information about your benefits
to some consumer-health information, and others actually provide the basis for
appointments and other information, and some of them contain clinical
information as well.

I think Carol’s group has some. Simon, I think you guys have had as well.

So there are beginning to be more — a lot of health plans are now
marketing these to beneficiaries. Blue Cross Blue Shield as well.

But we’ll be looking at it from a fairly — again, this is — we’re not
trying to be cheerleaders here. We’re going to have to look at it in terms of
what’s really useful and what do consumers like and use and what they don’t.

So this is the end of the fiscal year. It’s when we award our contracts. So
we’re just awarding contracts for evaluations now.

But it’ll be fee-for-service Medicare. It’ll be the managed care part of
Medicare, and it’ll be looking at sort of what the offerings are, how do they
work, what’s the functionality, what do people use and not use, things like

DR. COHN: Yes, and I’m sure that we’ll be able to get updates as the work
progresses and we can also decide if it’s time for us to update our earlier
report on this area.

DR. TANG: In addition to the functionality and what works and doesn’t work,
one of the specific areas when it’s pretty populated, which I think is one of
the intentions with billing data, is how that affects the value to the

In other words, because the claims data may not be in concert with the
clinical data, how does that affect their understanding of their health and
questions that may arise. Is that an explicit part of the evaluation?

MR. SCANLON: Yes, we’re basing the evaluation — and, again, the first step
will be to make sure that we’ve covered all the variables, but really to look
at all of the factors we would like to look at.

And you’re quite right — and, in fact, we will get the clinician view as

You see, as these PHRs are being advertised now — I actually heard a
disclaimer on one of them that the information here would not be the sole
information for — you know, for — should not be used as the sole information
for clinical decision making.

So you can see — what does the clinician think the information is versus
what — it’s often claims data. It’s usually consumer health information and
it’s sometimes — sometimes goes beyond that to other functionalities as well.

So we’ll try to encompass the full range. We’ll look at a lot of products
and capabilities and then see sort of where this all comes out.

We are including focus groups. I think there’s the potential for a larger
survey, though. Though I think the survey might not make that much sense until
our measures are a little bit clearer.

We’ll have a technical advisory group as well.

DR. COHN: Others? Don and then Larry.

DR. STEINWACHS: Just quick.

A meeting yesterday, I understood from Google, the Vice President for
Health, that they’re going to make available a free PHR, and they’re hoping to
link that to all the payers. And so that — what may be interesting about it,
one, is how they design it and whether or not they follow our principles.

But the other, I guess, it makes it so it’s not an issue where you change
health plans and lose your PHR. This would actually allow you to, supposedly,
keep changing health plans and keep your PHR, which I thought was possibly one
of the limitations of sort of the health-plan approach.

DR. GREEN: Well, I just wanted to clarify again. These studies about
utility, the way you described that, could you clarify, are those studies going
to include people of all ages or just Medicare beneficiaries?

MR. SCANLON: This is just Medicare, Larry. This is a Medicare only.

DR. GREEN: Oh, that’s a topic for discussion sometime or another about the
utility of —

MR. SCANLON: Well, we could certainly look at — This one was focused on
Medicare pilots. We could certainly look at the applications more broadly in a
related evaluation.

DR. FRANCIS: This is really a question to link this to our later
discussions, but I notice a bunch of these initiatives raise questions about
secondary uses of health data, and I want to be sure that we are as — I wasn’t
on the Secondary Uses Committee, but I want to be sure that we’re as fully
responsive to the way the ground might be changing on this.

And, in particular, I’m interested in surveillance of the personalized
healthcare and the ways in which secondary uses might be —

Is there anything you think particularly we need to know or will you be —

MR. SCANLON: Well, what we — at the moment, we’re just starting, and I
think the first step will be what our researchers call an environmental scan.
It’s just basically looking at what is the — what does the situation look like

And you’re right. It’s changing fairly quickly. These products — offerings
of PHRs not only did they range in functionality from one extreme to the other,
but they’re actually changing in who’s offering them and who sponsors them and
whose data is it exactly.

So we’ll have more, I think, as we go along. The first step, though, in
about two months, will be an overall review. We could provide that to the

DR. FRANCIS: I was actually interested in the personalized healthcare and
secondary uses PHRs and whether the Secretary’s priority —

MR. SCANLON(?): Well, but let’s — have to think of a different name.

DR. COHN: You can talk to the Secretary about that.

But why don’t we reflect on your question after we’ve gone through the
report and see if it begins to address your needs?

Now, one last — I was actually going to let Paul have a last question or
comment. Marjorie, do you — you have to —

MS. GREENBERG: I have a very quick question.

DR. COHN: Okay. So, Paul, Marjorie, and then we will be moving to the next

DR. TANG: So maybe the question is whether — since NCVHS has had some
recommendations on both the PHR and the secondary use and privacy, is there any
role for interaction with this HHS project?

DR. COHN: Sure. Sure.

MR. SCANLON: I’m the — I mean, it’s out of my office. So we could — we’ve
already given them — in our write up of the scope of work, we’ve already
provided the framework from the NCVHS. So — and we expect that to be part of
the very framework itself — and we can see if there’s a way to perhaps —
we’ll probably have a small technical advisory committee, not that any of you
want to be on another group, but we’ll use the fruits of NCVHS.

DR. COHN: Yes, and I think just maybe also we could also arrange a November
— which probably things will be up and running by that time, we could get a
briefing for the full committee at our November meeting, since it’s literally
two months from now. Hard to believe, but true.

MS. GREENBERG: This is on the personal health record or the —

DR. COHN: Yes, it’s personal — No, no, no. It’s personal health —


DR. COHN: It’s the PHR project being sponsored by the —



MS. GREENBERG: I just wondered if — I should probably know this, working
for the department — but if there’s a more expanded version of the strategic
plan that does explicitly mention health IT or — because I know health IT has
always been one of the priorities, and I didn’t see any mention of it in here.

And, as you said, clearly, all these goals can be enhanced by health IT,
but, sometimes, it’s helpful if the actual strategic plan also mentions it. So

MR. SCANLON: It’ll be — Yes, this is just the outline of the goals and the
objectives, but the full plan will be going up on the web this week —

MS. GREENBERG: And it will mention the role of health IT?


DR. COHN: Jim, thank you very much. So, as usual, lots going on and lots of
intersections between the work and the NCVHS.

Now, let me just ask everybody. Right now, we are scheduled for a break. I
think maybe the — Do people want to go into the first action item and — I
mean, first discussion and then continue — have a break afterwards?

Okay. I felt it was a little early as I looked at the agenda, and I’m
checking with Harry and I think he is prepared to move into our first letter.

So what we’ll do is begin to discuss the first letter. We’ll take a break
after that prior to the ONC presentation.

So, Harry.

Agenda Item: Subcommittee on Standards and Security
Letter, Action September 26

MR. REYNOLDS: Standards and Security is bringing forward a letter today
that — you have a letter in your packet. You’re getting a new one. Don’t use
the one that was in your packet, please. That was an earlier draft with
comments in it that —

(Several participants at once).

MR. REYNOLDS: OK. You had what you thought was a new one that was an old
one. And, now, you have the new one that is the official one. So —

MS. GREENBERG: And it has nothing to do with personal health —

MR. REYNOLDS: And it has nothing to do with personal or any other health

Just a very quick background. This letter is really focused on the first
major change to existing HIPAA transaction standards.

So, as we go through the initial couple of pages, we’re giving you a
background in the original HIPAA and then a background as to what this changes
for it, so that you at least have a sense as to what we’re doing, and, then,
you’ll see the extent of the change, and then our observations and

So I’ll start by reading the letter, and I’ll read each section, the
background, and, then, each of the sections and stop for any questions.

And then the process will be is if there’s any changes or significant
questions we need to deal with, we will deal with them later today and tomorrow
morning in our breakout session for standards, proposing that we get this
approved in this session of the committee today or tomorrow, and we’ll go from

So, “Dear Secretary Leavitt, Under the Health Insurance Portability
and Accountability Act of 1996 (HIPAA), the National Committee on Vital and
Health Statistics studies and recommends healthcare information standards. To
fulfill this responsibility, NCVHS’ Subcommittee on Standards and Security held
hearings on proposed new revisions of the HIPAA transaction standards on July
30 and 31, 2007.”

As background, “The original HIPAA transaction standards were adopted
in 2000 and amended in 2002. Since that time, hundreds of requests for changes
have been submitted to the National Council for Prescription Drug Programs
(NCPDP) and the Accredited Standards Committee (ASC) X12N, the Standards
Development Organizations (SDOs) responsible for maintaining the transaction
standards. Both have developed and approved new versions of the existing HIPAA
transaction standards, and NCPDP has also developed and approved a new

“The HIPAA regulation process for reviewing and adopting proposals for
modifications and additions to the transaction standards flows through
Designated Standards Maintenance Organizations (DSMOs), consisting of SDOs and
content committees, such as the National Uniform Claim Committee. They review
the proposed standards after SDO approval, and make recommendations to the
NCVHS regarding adoption. On July 30 and 31, 2007, the Subcommittee on
Standards and Security heard testimony from providers, health plans, vendors,
SDOs and others on the need to implement new standards forwarded in May 2007,
the impact on the industry and implementation issues.”


DR. FITZMAURICE: I have a suggested sentence to the first paragraph. I
would add to it, “The purpose of this letter is to summarize the hearings
and to make recommendations to you based on our findings.”

MR. REYNOLDS: Denise, you got that?

MS. BUENNING: Repeat that, please.

DR. FITZMAURICE: I would add —

MR. REYNOLDS: Michael — Yes, if you’ll just — you have it written down
there, if you’d just give that to her.

DR. COHN: Yes. You know, I would suggest, for the purposes of this
conversation, that wordsmithing on this level, whatever we pass, will be
subject to wordsmithing. This is not substantive change. So, yes, Michael, and
we can take it off —

MR. REYNOLDS: Yes. Marjorie.

MS. GREENBERG: Oh, I just wanted to remind the committee that we have
agreed that all of our letters will have a tag line, so we’ll expect that from
you all.

MR. REYNOLDS: We will tag it appropriately.

MS. GREENBERG: I think it was a good innovation.

MR. REYNOLDS: No, no, no, that — No. Well said. Well said.

Under the ASC X12N Standards, “ASC X12N has developed a modified
version of their standards, Version 5010, to replace the current HIPAA
standards, Version 4010 (as modified by Version 4010A1) for the following

And just sidelight for a second, as you listen, you see that we are listing
every HIPAA transaction that has come out so far. So the changes that we are —
in this letter, affect all of these different transactions that are already in

So moving to the first bullet, ASC X12 834, which is health plan
enrollment; ASC X12 820, which is premium payments; ASC X12 270/271, which are
eligibility inquiry and response; ASC X12 278, healthcare services — request
authorization; ASC X12 837, which is the healthcare claims/encounters or
institutional, professional and dental; ASC X12 276/277, which are healthcare
claims, status request and response; and ASC X12 835, which is healthcare claim
payment/remittance advice.

“There are four basic types of changes in Version 5010: structural,
front matter, technical improvements and data content changes. Structural
changes include the physical components and either add new data elements;
modify length of existing data elements, data type, optional status; or remove
data elements. Front matter changes are organizational revisions to ensure that
each technical report covers the same topics in the same location, and that the
standardization of topics is clear, more instructional and accurate. Technical
improvements better accommodate the data collected and transmitted.
Specifications for Implementation Guides reduce ambiguities from the same data
having multiple codes or qualifiers or from appearing in different segments.
Loop and segment repeat counts that were not always logical and sometimes
excessive were reduced or removed. Unnecessary data content were removed and
redundancies lessened. Needed additions of new information occurred, as in the
ASC X12 and 278 healthcare services request authorization transaction, where a
lack of data content for medical decisions about authorizations limited
significant industry implementation.

“New 5010 functions, added in response to industry requests, include
additional audit controls in enrollment transactions; qualifiers when adding or
deleting dependents; support of ICD-10-CM for reporting diagnoses and other
health conditions and support of ICD-10-PCS for reporting inpatient procedures;
privacy issues, such as drop-off locations for other than home residences; a
place to report additional deductions to payments; indications of the
remittance method used by health plans; added support for 38 patient service
type codes; support for reconsideration requests, made prior to the formal
appeal; present on admission indicators; ambulance pick-up and drop-off
locations; remaining patient liability; national health plan ID (when an
identifier is adopted); alternate search options; requirements for the health
care eligibility response that improve the value of the transaction and tighten
situation rules; and information on the patient’s portion of the payment
responsibility. Certain functions such as ‘purchased service provider’ and
‘referring provider specialty’ were removed.”

Lot going on. Lot of changes.

Moving to the next one, the NCPDP Standards.

“The NCPDP HIPAA standards currently in place are the
Telecommunications message format standard, Version 5.1, and its equivalent
NCPDP Batch Standard Batch Implementation Guide, Version 1.1, used for
transactions involving pharmacy providers or their authorized billing agents
for pharmacy drug claims, and the main transaction between pharmacies, payers,
pharmacy benefit managers and clearinghouses/switches. NCPDP has developed a
revised Telecommunications Standard, Version D.0, to replace Version 5.1, and
an equivalent batch standard, Version 1.2, to continue support for eligibility
verification, claim, service, information report and prior authorization

“Version D.0 modified field and segment defined situations to be
‘not used’, ‘required if’, ‘required’ or ‘optional’,
addressing the situational versus optional requirements from the HIPAA privacy
regulations. Segment usage matrices now clarify which segments and fields are
sent for each transaction type, and segments and fields within each transaction
type. Enhancements to accommodate Medicare Part D include the addition of a
‘facilitator’ entity and eligibility transaction, to provide coded patient
eligibility information for Medicare Part D; and enhancements to identify and
process Medicare Part D long term care claims. Medicare Part D enhancements
include additional segments for processing of Medicare certificates of medical
necessity; and new data elements for processing those transactions and
assistance in the crossover of claims from Medicare to Medicaid.

“Version D.0 also supports coordination of benefits and collection of
COB and collection of rebates for compounded claims; clarification for pricing
guidelines; the addition of new data elements that give more specificity to the
COB process; a new section on prior authorization added to the implementation
guide; a prescription/service reference number increase to 12 digits; and
transaction codes for service billing.

“A new Medicaid Subrogation Standard Implementation Guide, Version
3.0, addresses the business need for a standard that addresses the process
whereby a Medicaid agency has reimbursed a pharmacy provider for a covered
claim, and is pursuing reimbursement from other payers for these claims. Some
states may choose to ‘pay’ all claims in full, through a federal waiver,
at the point of receipt, and ‘chase’ reimbursements from responsible third
parties after the fact. In the absence of such a standard, the proprietary
interpretation of the Batch standard or other proprietary standards often are
used. This is a new HIPAA transaction.”

Comments before we get into the observations and recommendations?


DR. FRANCIS: I didn’t understand the first sentence in the section called,
“NCPDP Standards.” Maybe a verb was in the wrong place, but it just
didn’t make sense to me.

MS. GREENBERG: It’s kind of a long sentence, I guess.

DR. FRANCIS: Well, I guess it was what are — Is it meant to say that the
format standard and its equivalent NCPDP are the main transactions between?

It just didn’t make sense to me.

DR. FITZMAURICE: Suppose at the very end we put a period after
“pharmacy drug claim” and start off the next phrase with “These
are the main transactions”?

DR. FRANCIS: That’s what I thought —

MR. REYNOLDS: Okay. Fine.

DR. FRANCIS: That’s what I thought it meant, but I just wanted to clarify.

MR. REYNOLDS: Right. That’s fine.

Denise, if you’ll note that, please.


MR. REYNOLDS: OK. And let’s move on to Observations and Recommendations.

“Observation 1: Industry supports transition to X12N Version 5010 and
NCPDP Version D.0 and adoption of NCPDP Medicaid Subrogation Standard 3.0.

“Based on the testimony to the Subcommittee from providers, vendors,
clearinghouses, pharmacies and other industry segments, the industry supports
the move from X12N Version 4010A1 and NCPDP Version 5.1 to Version 5010 and
Version D.0, respectively. The majority of the changes and modifications to
these updated standards are a direct result of requests by industry to address
demonstrated business needs and, in their totality, reflect a long list of
positive changes. There appears to be widespread consensus on the business case
for adopting D.0. While there is less clarity regarding the overall business
case for adopting Version 5010, there was general industry support for the
move. Moreover, there are specific business drivers (the need to accommodate
ICD-10 codes) that justify its adoption. There is support for adopting the new
Medicaid subrogation transaction, which will standardize the subrogation
process across states.

“While business rules (specific data) for Version 5010 are defined,
business cases (return on investment scenarios) are not. Version 5010 is also
complex. The Workgroup for Electronic Data Interchange (WEDI) conducted a
cost-benefit survey, but due to an extremely low response rate was unable to
provide statistically valid results. Without well-defined business rationale
and return on investment data, the industry will be reluctant and/or unable to
make the systems upgrades to implement Version 5010. However, it was clear that
without the impetus provided by a Notice of Proposed Rulemaking, there would be
little if any movement by the industry to begin planning for the adoption of
these updated standards.

Recommendation 1.1.

“The Secretary should develop and issue a Notice of Proposed Rule
Making (NPRM) to adopt NCPDP D.0 and its equivalent batch standard as

“Recommendation 1.2: The Secretary should develop and issue a Notice
of Proposed Rule Making (NPRM) to adopt the ASC X12N Version 5010 suite of
transactions to drive the industry toward standards harmonization and enhanced
code standards.

“Recommendation 1.3: The Secretary should develop and issue a Notice
of Proposed Rule Making (NPRM) to adopt the NCPDP Medicaid Subrogation Standard
Version 3.0 as a new HIPAA transaction.”


DR. FITZMAURICE: Just real quick. Before the first recommendation, two
sentences up, “Without well-defined business rationale — “ the point
you’re making — I was trying to link that to the proposed rule making. So that
is going to be addressed by rule making, is that what you’re saying?


DR. FITZMAURICE: That’ll be a persistent problem even after rules, even —

MR. REYNOLDS: That is —

DR. FITZMAURICE: — new rules are adopted.

MR. REYNOLDS: That is correct.

DR. FITZMAURICE: There’s really no answer to that other than —

MR. REYNOLDS: Well, yes, the point is that, as you see, it’s a significant
list of changes.


MR. REYNOLDS: Will improve the standard, but, as of yet, we have received
no significant testimony that talks about a stated or identified ROI, other
than, as we’ve said earlier, to continue this process —


MR. REYNOLDS: — of making the standards better and continuing a journey
towards things like ICD 10 and other things. So —

DR. FITZMAURICE: I guess the only comment was that sort of left me hanging
as if, you know, was there a need for more information about this? I was just
wondering — and maybe you’ll come back to it later, but I didn’t remember that
— about trying to look at return on investment or is it just — it is what it

MR. REYNOLDS: It is what it is.

MS. GREENBERG: On that point, an NPRM does have to include an impact
analysis. So, I mean, there maybe should be some reference to that.

First of all, you said without an NPRM nobody’s going to pay any attention
to this, but, also, the NPRM will have to include an impact analysis and will
engage responses on that, I guess.

MR. REYNOLDS: I think that would probably be a real good addition. Yes.

MR. BLAIR: Maybe it would be clearer if we — we came very close to
indicating this — matter of fact, I think in earlier wording we might have had
it in there — that it was the testifiers from the industry that requested we
move forward with the NPRM to get the process moving and get feedback.

So it was an industry request that we move forward and not just an NCVHS

MR. REYNOLDS: Yes, that was in there, but you’re exactly right. We may want
to make it clear.

DR. FITZMAURICE: Jeff covered my main point, but, still, as I read this
sentence, as Don reads it, one would say, if this doesn’t have a business
rationale or a return-on-investment rationale, why are we making the

And the answer would be the industry requested it, but more data is needed.

So I think maybe the sentence should be rewritten to emphasize the need for
more information not to prejudge the industry. Because the industry asked for

DR. FRANCIS: This may be wordsmithing, but I’m not sure. “Business
case” is used both in the singular and in the plural, and after it’s used
in the plural, the one example, you say, “that is return on investment

So I’m wondering is that one business case? Are there other business cases?
What are the business issues? Is there a pretty clearly-defined set of what
those are that — or is part of the reason you’re not getting data or responses
that it’s too diffuse?

MR. REYNOLDS: It’s too what?

DR. FRANCIS: Too diffuse; that is, what I’m curious about, when you say,
“business cases are not defined” — right? — what I’m curious
about is is it one business case? Because elsewhere in the discussion there is
a reference to one business case.

Is the business issue that you have in mind return on investment or is
there some other business issue that you have in mind? And, I mean, that is,
are the questions being asked business clearly defined? Is it just return on
investment or is it something else that’s a possible worry?

MR. REYNOLDS: Well, we heard that there are business reasons. OK. That’s —
and your point is well made, because we tried to play with these words, because
there are business reasons, and that’s exactly why the industry came forward.

However, building a business case that includes an ROI was what we did not

MS. MC CALL: A couple of thoughts — and I’m trying to put — while I
wasn’t at any of the hearings, I’m trying to put on a payer’s hat.

And what I would say is that it’s — to me, it may not be about business
rationale — I think you heard that in industry’s request — but it may be
industry saying that there’s not a set of compelling circumstances for adoption
right now or an overwhelming or obvious evidence of an ROI.

But what I hear your comments are that industry does recognize the need and
the Catch-22-ness of the situation, and what they’ve asked for and requested is
that we begin.

So it may be wordsmithing, but there’s something about the core idea.

There is a business rationale and they ask that you start. It’s just
there’s no compelling event.

MR. REYNOLDS: That’s a good point.

DR. STEINDEL: Harry, I think Carol’s point is very well made.

I think we specifically worded the recommendation not focusing on a
business case, that we said we should move forward with an NPRM because there
are other compelling reasons to do 5010 that we heard.

We did not hear the business case coming across as a compelling issue.

If the government is going to go forward and issue an NPRM just to find out
information, the government has other ways of finding out information without
going through the tremendous expense of the regulatory process of an NPRM.

So I would be reluctant to say that the reason we want to go forward with
an NPRM is because we need more information.

So I think we have to be very specific that we did hear reasons, and Carol
brought these out a little bit. There are other compelling reasons to move
forward with 5010, and that’s what we really said in Recommendation 1.2.

DR. SCANLON: My question is whether there’s a need for another
recommendation here, given our earlier discussions and entire meetings about
the length of time it takes to revise HIPAA standards, whether or not we should
be suggesting that it’s more than just an NPRM. It’s having the NPRM and then
responding in sort of a relatively reasonable amount of time to the comments
and issuing a final rule.

And the question is whether there’s enough belief in sort of what these
revisions involve and their value that we want to say that — I mean, that
we’re anticipating that the comments are not going to come back and say don’t
do this and that the conclusion’s going to be don’t do this, but that we would
say — well, why don’t you just — the comments, but we’ll act on them quickly.

MR. REYNOLDS: I would want to discuss that with the subcommittee, rather
than add another one right here. But so we will take that as — in

DR. FITZMAURICE: Part of it might be cleared up by wordsmithing the
sentence to read, “WEDI conducted a cost-benefit survey, but, due to an
extremely low response rate, was unable to provide statistically valid results
on business rationale and return on investment.”

And then I would strike the part of the sentence that reads, “The
industry will be reluctant or unable to make the systems upgrades to implement
Version 5010.”

So, in other words, it focuses on they tried, but they couldn’t get the
data needed.

MR. REYNOLDS: I would hesitate. I think we heard plenty of testimony on the
business rationale and business reasons.

If we were to add ROI there, I would feel a little — I would personally
feel a little better, because I believe we heard a lot of testimony on business
rationale, business reasons.

But due to our other letters that we’ve sent forward talking about trying
to really focus on making sure that these — some of these things have an ROI,
that would be my only comment.

DR. FITZMAURICE: So if we heard business rationale, then — we probably
shouldn’t say, “without well-defined business rationale,” because we
heard some business rationale, and that’s persuasive to at least some members
of the industry.

MR. REYNOLDS: I would agree with that.

DR. TANG: I guess I don’t understand why we would have a cause for concern
if the industry says there’s a business case for doing this.

In fact — HR has a poorly-substantiated — quote — ROI, but there is a
true business case that fits with our mission of supporting patient care.

So, clearly, these folks, presumably, have business rules and business case
for doing this. I don’t know why we wouldn’t leave well enough alone.

In some sense, you establish the rationale for doing it in the early part
of the paragraph, and then interjected some of these questions, which I
actually don’t even understand in the latter part.

Does that make any sense?

MR. REYNOLDS: Well, I think — well, let me answer your initial comment. We
are recommending moving forward.

DR. TANG: I understand, but — so I don’t understand why we interjected a
— in some sense, this superfluous requirement of the — there is no ROI. Well,
there doesn’t have to be if there’s a business reason for doing it that fulfils
their mission.

MR. REYNOLDS: Well, but we have — this committee has sent letters forward,
and one of the reasons that HIPAA has not been as successful in our previous
letters was that there hasn’t been a return on investment.

And, for example, we are going back and modifying some of the transactions
that have not been fully implemented, which would actually return the ROI. So
we’re trying to keep in front everyone that we’re still kind of focusing on

DR. COHN: Yes, I think, Harry, this one, without undue conversation, needs
clearly — the sentence needs to go back to the subcommittee. And I think we’re
all in agreement on that. And I think we’ve all — even in earlier versions,
many of us have commented that this is discordant with the recommendations.

I mean, if we believe this as it is written now, we probably shouldn’t go
forward with the letter. And I think most everybody is looking at each other
and saying this isn’t really — that something else —

So, obviously, the subcommittee will be discussing it tomorrow morning.
Paul, you might want to join in the conversation.

DR. TANG: Well, is there a philosophy that the whole ROI thing that we
should discuss regarding any of our recommendations related to HIPAA?

I think HIPAA has to make business sense and it has to fulfill a mission.

I wasn’t clear that it has to have an ROI the way it is discussed in
economics or financial terms. It has to have a positive impact, those kinds of

MR. REYNOLDS: If it had to have had an ROI, we would not be bringing
forward this recommendation to go forward.

DR. TANG: Then, I guess I would just recommend dropping that parenthetical
expression, perhaps. I don’t know why I’m —

MR. REYNOLDS: The subcommittee will take that under consideration.

DR. STEINDEL: I think that’s the best statement, the subcommittee will take
it under — but, actually, in the administrative simplification act, the clear
statement of it was to reduce cost. So it has to have an ROI.

DR. TANG: But an ROI — it’s very hard to prove the ROI — But we do know
that society benefits, but it’s very hard to measure.

DR. STEINDEL: But in this particular case, the HIPAA act stated that
administrative cost is now X percentage of health-care costs. I forgot what it
was there. I think it was 26 percent, and, by enacting this, we will reduce
that cost — that percentage.

MS. MC CALL: I would support discussions that looked to remove explicit ROI
components. And the reason is these are all things that enable other things,
and they then beg not only the definition, but the knowing of what those other
things are and the measurement thereof, many of which don’t even exist yet.

And so it’s — talking about an ROI on a technology enabler just seems very
premature. And to force that type of work just continues the Catch 22.

DR. SCANLON: Yes, just a question of how we’re defining sort of reducing
cost and thinking about the ROI here because in the context of HIPAA overall,
it’s the reduction in healthcare costs which are diffused among providers,
patients, as well as sort of the insurers that are going to be processing some

And so there’s a question of whether that’s going to be taken into account
and calculate some kind of major — or aggregate ROI or we’re talking about
here a much narrower concept of ROI.

And I think they’re potentially — while the industry may not see an ROI,
we don’t know what’s happening if we change things for providers, we change
things for patients.

MS. GREENBERG: I guess since this conversation is going on, I feel like I
should mention that — I mean, as was noted, the 5010 enables the transition to
the ICD 10 code sets. And this committee is already on record with a
cost-benefit analysis that says that the benefits will exceed the costs.

Now, everyone may not totally agree with that, certainly in the industry,
but, I mean, that is a major aspect of the 5010 and you’re already on record
with that statement. So this may be contradicting that as well.

DR. WARREN: I just wanted to make one comment to make sure that my memory
of testimony is accurate or if it’s something that I wanted to hear.

But it seemed to me that when the testifiers were there, one thing that was
made abundantly clear is they all wanted 5010 to go forward. They saw the need
for it.

They also told us for them to go to their boards and get the budgets to
implement 5010 would be impossible until the NPRM was passed or issued.

So I think that’s what we’re trying to capture in the sentence.

MR. REYNOLDS: And, also, let me just say just a very brief history. If you
remember, we did a review of HIPAA as a committee. We submitted a letter going
forward as to whether there was or was not any return on investment and what
were the key transactions and other things that would add to that return on

This effort that we’re putting forward here changes every one of those
again. And there is nothing been put forward that says that return that we said
was not there as a committee will be enhanced.

Yes, it is a glide path for future things. But some of the things that are
going to be redone, which we already reviewed, are not, in fact, going to be
enhanced from any kind of a return that we heard from testimony.

Remember, we deal with testimony. We deal with the industry. We don’t just
make this up. So that’s one of the things —

So we will take this under consideration as a committee. We’ve heard
everybody’s input, but it’s one of the things —

So we have to look at our own history also, just like we do with the
privacy letters and everything else, which you’ll see when we come forward this

You know, if we’re going to contradict ourselves or go back on what we
thought was important, then, we need to have that as a discussion, so that we
rechange our own history as to how we viewed things, not just make it news.

Okay. Moving on to Observation 2. “Various types of testing are

“Testifiers acknowledged that there was a need to test Version 5010 in
real-life settings to ensure its interoperability and ability to support the
transactions for which its adoption is proposed. The process of pilot testing
and the parameters of that testing remain to be resolved. Three types of
testing needs were identified: Testing of the standards themselves for
workability; conformance testing of products and applications that send and/or
receive the transactions; and 3) end-to-end testing to assure interoperability
among trading partners.

“NCVHS recognizes the value of compliance testing services as a
precursor to end-to-end testing of the software mechanism for Version 5010, and
the need to pilot the use of the standard within organizations, as well as
between partners as was done with claims attachment transaction standards. We
also recommend that CMS and industry stakeholders work to standardize commonly
used terms such as ‘pilot testing’ and ‘compliance testing’ so that
all entities can make decisions based on universally-accepted definitions.

“Recommendation 2.1: HHS should develop a plan to work with the
industry and the standards organizations to collect and analyze requirements
related to testing (including defining the process of pilot testing) determine
under which conditions pilots should be conducted, and when this testing should
take place.

“Recommendation 2.2: HHS should advocate the use of compliance testing
services for software and/or applications that would demonstrate a covered
entity’s ability to create and receive compliant transactions.”


You’ll see that we build on this in Observation 3 and further
recommendations. So let’s go to Observation 3, and then we’ll come back, if we
need to, or, actually, Observation 4 really builds on it.

“Observation 3: Outreach to all stakeholders is critical.

“The Subcommittee heard from stakeholders that the need is great for
education and outreach regarding the adoption and implementation of Version
5010. Taking lessons learned from its experience with the National Provider
Identifier (NPI), testifiers reiterated the need to cast a wide net to better
inform and educate all industry segments as to how Version 5010 will impact
their workflows, operations and other aspects of their respective businesses,
as well as critical implementation dates. Special initiatives, such as a joint
CMS/SDO/stakeholder Version 5010 education summit, may be needed to target
small software vendors and other hard-to-reach groups.

“Testifiers proposed that HHS should undertake steps to collect and
analyze data about the Version 5010 process, business impacts (both cost and
benefit), return on investment and other information and make it available for
dissemination. Another need identified is that of talking points and/or slide
presentation to summarize this information. The presentation should be made
available to stakeholders to assist them in building their business case and
return on investment justifications relative to the expenditures of Version
5010 implementation within their organization. As this is the first update of
the HIPAA standards and NCVHS also heard testimony in favor of streamlining the
process to adopt modifications to the standards, possible changes to the
modification process could be examined.

“Recommendation 3.1: HHS should identify communication approaches and
strategies to educate and inform interested constituencies by partnering with
responsible persons and organizations.

3.2: “HHS should develop materials to educate the industry regarding
these standards, and in particular Version 5010 to enable industry and
stakeholder implementation efforts.

“Recommendation 3.3: HHS should consider a summit or other similar
event for gathering input regarding the adoption of these standards, as well as
‘lessons learned’ exercise at the conclusion of this implementation
process to identify best practices as well as issues/concerns to be applied to
future standards adoption efforts, which also could include ways to streamline
the adoption process for modifications to the standards.”

DR. COHN: I just have a comment that there needs to be something here that
relates to the NCPDP D.0 standard.


DR. COHN: I mean, and I — you know, you can choose what you want to put
in, but this is fully on the 5010.

MR. REYNOLDS: They’ve been so good at what they did, we need to add
something in there, yes. You’re exactly correct.

DR. COHN: Well, I mean, for example, I think Recommendation 3 — I mean,
right now, it appears that the only thing that — on is implementation of the

MR. REYNOLDS: Yes. No. Exactly. Well said and —

Yes, Bill.

DR. SCANLON: I think our explicit recommendations are fine and sensitive
from a prior environment to hidden recommendations, and the potential hidden
recommendation is another need identified as that of talking points and/or a
slide presentation.

I think that gets kind of too much into micromanagement for us talking to
the Secretary. We should be talking about this whole idea of developing
information and disseminating it kind of at the level that we have in
recommendations and not sort of imply that there’s a format or anything that
the Secretary should follow.

MR. REYNOLDS: Okay. Moving on to Observation 4. “The timing of
standards implementation is complex, and critical to success.

“Testifiers expressed the need to test and verify Version 5010 before
the implementation of ICD-10. Stakeholders testified that concurrent
implementation of the Version 5010 standard with the changeover to ICD-10 would
be burdensome to industry and result in errors, escalating system change costs
and other barriers.

“Because implementation of the ICD-10 code set is depending on the
implementation of Version 5010, it is critical that the industry is afforded
the opportunity to test and verify Version 5010 a minimum of two years prior to
the adoption of ICD-10. In addition, the compliance date for the new Claim
Attachment standards, for which a Final Rule has not yet been published, will
also necessitate significant system changes, and should not be done at the same
time as Version 5010 or ICD-10.

“Testifiers discussed lessons learned from prior HIPAA
implementations, and identified potential barriers and resource issues. The
importance of vendor compliance was stressed, as practice management system
vendors are key to provider compliance, and delays in vendor rollouts of
compliant products have delayed end-to-end testing. The resource-intensive
nature of testing, particularly end-to-end testing, was also noted.

“A variety of options for staggering the implementation of Version
5101 and D.0 modifications were offered. For example, the compliance date for
plans and clearinghouses could be a year before the date for providers in order
to facilitate end-to-end testing. Alternatively, different compliance dates
could be assigned to different transactions (for example, implementing the
claim and related transactions first.) Testifiers also attested to the
importance of allowing dual processing (old plus new versions) for a sufficient
period of time to allow end-to-end testing to occur.

“Testifiers indicated that it is important to engage industry in
end-to-end testing as soon as possible. It was noted that widespread use of
compliance testing services, which allow entities to test products and
applications to assure they can create and accept compliant transactions, could
simplify end-to-end testing by assuring that individual products are compliant
in advance. An alternative to staggering implementation would be to phase in
compliance by establishing consecutive periods for compliance testing and
end-to-end testing.

“Recommendation 4.1: HHS should consider establishing implementation
periods for two different levels of compliance. Level 1 compliance would mean
that the covered entity could demonstrate that it could create and receive
compliant transactions. Level 2 compliance would demonstrate that covered
entities had completed end-to-end testing with all of their partners. HHS
should also take into consideration industry feedback indicating that for
Version 5010, two years will be needed to achieve Level 1 compliance.

“Recommendation 4.2: The implementations of Version 5010, ICD-10 and
claims attachments should be sequenced so that no more than one implementation
is in Level 1 at any one time.

“The NCVHS appreciates the opportunity to provide these

DR. GREEN: I’d like to ask for just a little further clarification of the
implications here of the sequencing and the timing.

If it takes two years to get Level 1 done, an unknown amount of time for
Level 2 to be done and nothing else should happen until that’s done, someone do
some arithmetic and say when do we think the United States might have the
ability to do this.

MR. REYNOLDS: Okay. I think you misinterpreted what we’re saying.

What we’re saying is at the end of the — let’s say a two-year — whenever
— we’re saying that none of these can be in Level 1 at the same time.

So let’s say that you give — as we heard testimony — you give everybody
two years for Level 1. Immediately upon that you could put your next regulation

So every two years, you can start rolling new regulations out. It’s just
that it’s overlapped by the actual rollout period. But we’re saying that every
two years, you can put out a big new change is the way this thing is set up.

DR. GREEN: So let me go back to the issue of adopting ICD-10. When might
that happen?

MR. REYNOLDS: If you did a reasonable math on this, you’re looking at 2013
or so.

DR. GREEN: Well, I mean —

MR. REYNOLDS: Whoa. Time out. Just remember, we’re talking about a
structure. Let’s take NPI as an example, which we oversee.

We had a two-year implementation period, and then everybody said,
“We’re not ready.” And, now, we’re still trying to get it done,
because there is no good way to have any jurisdiction —

DR. COHN: Yes, and, Harry, it could actually be 2012.

MR. REYNOLDS: It could whatever it is. Yes, I was using that —

MS. GREENBERG: How did you get to 2013? Because this is the first time I’ve
heard that date, and I must say —

DR. COHN: Well, I think we’ve gone out of our way to not actually name
dates in this —

MR. REYNOLDS: Fine. OK. I’ll —

MS. GREENBERG: Well, I think it’s important, though, in relationship to
Larry’s question is to what are we really talking about here.

DR. GREEN: Simon, this is — I mean, you’re asking for substantive
discussion here as opposed to wordsmithing. This strikes me as a very
substantive issue to send a letter that when you do the arithmetic of it,
basically, is tantamount to saying we should not be anticipating implementation
of ICD, then, until 2013 —

DR. COHN: Well, while I think we can certainly discuss that, I do want to
just reflect on previous letters that the NCVHS has written which talk about —
and this is back — I think — back to 2003 when we actually recommended ICD-10
going forward that we talked about the industry needing a two-year
implementation at that point. That’s my memory of that letter.

MS. GREENBERG: Talk about what?

DR. COHN: We talked about a two-year implementation — back in —
recommended in 2003.

So I guess it’s a question of trying to figure out how to do the math on
this one.

But you’re right, it is a substantive conversation the committee needs to

MR. REYNOLDS: Yes, let me make one other comment. Regardless of — using
history and using the testimony of wanting two years, at least, for each entity
to be ready with the next big change — and there are over 1,000 changes to
5010 across all these things — the way this is worded, the Secretary could say
that Level 1 is one year and Level 2 is a second year. Then you start moving
things faster.

The point is that right now with the way it’s structured and the way it’s
happening, we end up with contingency periods that seem to go on and there’s no
way — there’s no jurisdiction over a contingency period.

And so this allows that covered entities have to be ready at a certain
point, and we’re not saying using reasonable math, not — right, wrong or
indifferent. And I’m not for or against whatever we’re — I’m talking about the
structure of implementing standards.

Whatever those dates are, it’s an industry moving together. We have already
written numerous letters about that the industry doesn’t move well together,
and so we’re trying to add more structure with having people have to answer to
certain levels of things, rather than right now we say everybody be ready in
two years, and then we go — everybody’s not, and then we go into a contingency
period which kind of leaves things open.

So we’re trying to build a structure —

The Secretary, if you noticed, it does not talk about any dates and times.
The Secretary has a right to, obviously, deal with that in whatever necessary
way that’s appropriate to allow the industry to actually implement these large

DR. STEINDEL: Harry, if I can comment directly on Larry’s point, this was
something that concerned me greatly during the hearings, and there’s several of
us who are aware that there are just specific structural changes that could be
made in the existing HIPAA transactions that might expedite the introduction of

And we did question the industry at length on this. And, generally, what we
found, from an industry-consensus point of view, that, in actual fact, it would
not speed up the introduction of ICD-10 significantly.

It has to do with the testing period, that even if we just make small
changes in the existing transactions, we still have to test them and verify
them. And while it may shave a year or so off the process, the net effect would
be that it would actually increase the cost of introducing the whole system.

And that’s why we decided to go this route, 5010, and then ICD-10, because
we just didn’t see any gain in introducing any more expedited method. So we did
investigate it in testimony.

DR. FRANCIS: I was puzzled by, first of all, the way you said, “should
consider,” which is a really sort of fuzzy word there. I’m not sure what
that means.

But a more specific question: Do you intend to have — to recommend to the
Secretary that these time periods should or should not be part of the notice of
proposed rulemaking?

That is — that’s something that could be, you know, what are the — what’s
the timing for implementation could be part of the notice of proposed
rulemaking. The Secretary would propose implementation time periods. And then
there could be comment on that. That would be a much stronger way of trying to
get some discussion of what makes sense on the timing.

MR. BLAIR: If we look at our recent history with respect to HIPAA dates for
promulgation, the industry hasn’t — despite the fact that they’re listed as
mandates, the industry has missed those deadlines a couple of times, and it’s
backed up a year or even more than a year.

One of the things in this letter is an attempt to try to respect what the
industry is telling us about the time that they need, but, at the same time,
invoke a milestone.

So what we added to this structure is two levels of compliance and
certification, so that the industry doesn’t wait until a year or six months or
three months before a mandated date and says, “Oh, gee, we don’t have
enough time.”

So the addition of the Level 1 certification is an attempt to try to at
least ensure industry ability to meet the time lines that they tell us — that
they tell us — they can make.

So I think all of us are frustrated with the time frames, but it’s pretty
hard to go back to the industry and say, “I know that you testified that
you need these time frames, but we want to shorten them.”

On the other hand, what we try to do is constructive to say, “Okay.
You’ve given us these time lines. Then if you’re doing — if you’ve given us
these time lines, then you should be at a stage a year before it’s mandated for
use to have Level 1 certification.”

MS. GREENBERG: I think the idea of the staggered or the two compliance
levels is good. I think the idea that, first, everybody sort of — systems are
set, and, then, they have to then go through the testing process, as I
understand it, I think that’s positive.

What I don’t think, though, is that the subcommittee, at least — and I
think I attended the hearing — the relevant hearings — heard any testimony
about what would be the impact of not implementing ICD-10 code sets until —
for, say, another six years.

It’s my understanding that ICD-10 — ICD-9 CM, Volume 3, is so broken, at
this point, that — I mean, to continue with it for another six years maybe you
don’t even want to collect it at all. I don’t know.

It’s completely — it’s supposed to be — run out of codes by — I think
it’s 2009 for it to be a sensible classification at all.

Not to mention that other countries — all the other countries that we
would associate with and exchange data with have been collecting ICD-10 for
morbidity since the early 2000s.

So I think — you know, you do have to do the math, and I don’t remember
hearing any testimony about the impact of going that long with the ICD-9 CM
code sets.

DR. COHN: Yes. I guess I’m reflecting on your comment, Marjorie, first of
all, that it may be very appropriate for Standards and Security, as part of the
next phase of activities, to go back and ask the industry about some of the

And we spent a number of years, in the early part of this decade, going
through some of these. And, admittedly, we did come up with recommendations,
which are now four years old.

I guess my thought is is that we probably don’t want to necessarily
adjudicate this particular issue in this letter. And I think it’s really an
issue for sort of a subsequent letter.

I guess I was sort of taken that probably in Recommendation 4.1 making some
sort of a comment in the last sentence, which talks about the peer
implementation as being something that they should consider. I think it was
Leslie who sort of commented that we should also probably put in something that
says this should be something that we should ask. We recommend that they verify
that as part of the NPRM process, just because, obviously, we heard something,
I think we need to make sure that the industry really has heard, in terms of
time frames, that makes for implementation.

But, as I said, my own concern, obviously, and when I began to see this
letter, you know, I mean, it could take a considerable length of time for us to
go back and completely revalidate the ICD-10 process. And I think we wouldn’t
want to see 5010 held hostage in the process, only because I think most of us
think it’s a precursor to moving towards any of these things that we’ve all
supported previously.

MR. REYNOLDS: The other thing —

DR. COHN: I’m sorry, Harry. That’s my comment.

MR. REYNOLDS: Another quick, it took five years to implement the first
HIPAA transactions. It’s taken four, by the time it’s all done, to do NPI,
which will be the easiest standard implementation that we’ve had to date.

The industry, in general, is also — we all know about AHIC. We all know
about the other things. Those things are also going on at the same time.

So regardless of what we do or don’t individually believe, being an
implementer at home, regardless of who you do or don’t work for, these are
1,000 changes that everybody has to do with everybody in their state and
everybody that they do business with.

So no matter who does the math or how they do the math, the point is we’re
trying to put a structure down that says — which is different than right now.
There’s a two-year period, and, then, whoops, we’re not done, but we’ll kind of
keep it going ‘til you get done.

We’re trying to establish a process, whatever the timing is, to put a
little more kick in both of those phases, so that people could complain if
somebody they want to do business with is not done at the end of Level 1,
which, right now, we get to the end of two years, everybody says, “I’m
personally done,” but we’re not done with each other.

So remember the process. We all have individual issues that we deal with,
and, trust me, all these are far out, unless you happen to be handed the
assignment. Then, they’re pretty close.

DR. COHN: Yes.

MR. REYNOLDS: So businesses have to decide. They have to get the money.
They have to get the resources. They have to put it in place. Then, they have
to test, for example, with 15,000 providers and other people.

So it’s just — it’s the reality of changing this whole industry, which we
underestimate sometimes, because of a subject. And so that’s what —

DR. COHN: Yes. Harry, Harry, what I’m going to suggest is got two more
people with issues or questions.

We need to get back — we need to give everybody a break and try to get
back to some semblance of schedule.

What I would also recommend is that those who have ongoing issues with us
that there is a meeting of Standards and Security tomorrow morning at 8:30,
and, obviously, that would be — I’m sure that the subcommittee would be more
than happy to have additional attendance to help adjudicate some of these

MR. REYNOLDS: This is setting a structure for the future that tries to put
even more order to it than it has. And we need help in any way we can, because
this will be a major move forward one way or the other.

DR. COHN: Yes.

DR. TANG: I have sort of more of an uber comment that I think just as a way
— because, in a sense, what I heard is a compelling case of an
industry-requested, an industry-endorsed revision to HIPAA transaction
standards that’s a prerequisite for carrying out an NCVHS recommendation that
addresses delivery of high-quality healthcare in this country.

And I think actually you introduced a little bit more doubt than you needed
to, that if you went forward with this kind of an approach, you could lay out a
series of steps and your new framework that would just fit your compelling case
that you essentially laid out, only planted seeds of doubt that were perhaps
unnecessary and confusing. Because by the end of reading the specifics, I then
had some doubt that I couldn’t cope with.

Yet, after listening to all the discussion, you have a very compelling
business case. And that’s sort of what I heard.

DR. STEINWACHS: Just one comment. I found very helpful the discussion we
had that you were talking about why this two-phase approach is important to
remedy the past problems.

It would be great in the text if there was a line or two that just said, in
the past, there have been failures to be able to get — reach full
implementation, and that this approach — you know, what’s being proposed is an
approach that this committee feels could help alleviate that problem in the
future. And I think that would help the reader understand those

DR. COHN: Larry had one final —

MR. REYNOLDS: Larry, you had a comment?

DR. COHN: And then we’ll wrap up.

DR. GREEN: Yes, well, I wanted to go back to my question and indicate two

First, I take your points very well about the need for structuring as
saying that this is the intent.

And, Simon, I take your point about this is not the letter to adjudicate a
lot of other things in.

That said, the word “industry” is an ambiguous term in this
letter. And I want to repeat, as I did at the beginning of the meeting, I have
no conflicts of interest here.

But there are other industries that need this structure and need this to
happen yesterday to achieve the aims of healthcare, to build the information
highway, to do what we want to do.

So what I believe to be the substantive issue pertinent to this letter is
to establish the structure, stay on task with the 5010 issue, but avoid
creating opportunity for further delays.

I heard histories of there already being delays. And I’m concerned that we
should not set this letter up with the notion that by being methodical and
careful this will go well and it’ll get done and it turn out that we find
ourselves — well, I guess someone else will be sitting here six years from
now, won’t they? — looking back at this letter and saying —

MS. GREENBERG: Including here, yes.

DR. GREEN: — “What the heck were they thinking?” You know, I
mean, we need to get on with this.

So that’s what I believe to be an important thing for this letter is to
avoid recommending to the Secretary that a system and a structure be put in
place that will guarantee delay.

MR. REYNOLDS: Any other comments?

Thank you — and you were all awake —

DR. COHN: That’s right.

And you were all wondering a) why we let Harry go through the whole letter.
Also, you were also wondering why we were going to not adjourn ‘til 2:45
tomorrow, and this is obviously part of the conversation.

Anyway, with that, why don’t we take a 10-minute break. We’ll reconvene at


DR. COHN: Our next session leads off with an update from the Office of the
National Coordinator, and we’re obviously delighted to have both Kelly Cronin
and Jodi Daniels joining us.

Congratulations to both of you, one of you on your intending marriage and
the other one on a child and being back at work. So congratulations to both of
you. We’re obviously very pleased to have you joining us.

Obviously, I think the purpose of this conversation was to talk some about
current projects and initiatives, as well as we know you wanted to brief us on
the — sort of the — what’s going on with AHIC and the successor plans and all
of that.

Now, from there, what we’re going to do this morning, before lunch, is to
begin to have discussions around the Secondary Uses Report. And the way we’re
going to sort of organize this is that, hopefully, before lunch — and we have
overheads as well as paper for discussion — but, before lunch, what we’re
going to try to do is to get through sort of the background common themes, all
of that stuff, using overheads.

And, then, after lunch, what we’re going to do is begin to drill down into
observations and recommendations.

The end of the day, you know, it’s not just us talking about them from an
overhead, but people need to be comfortable with the actual wording and the way
it’s discussed, knowing, as I’ve said, that we don’t want to do wordsmithing,
but that people — you know, that there is, obviously, always some sort of a
dissonance between people trying to do shorthands of recommendations or
observations that wind up not being quite what people thought it was going to

So what’s going to be the purpose on that is to make sure — you know,
finding out where people are aligned, where there are significant differences
or issues, not so much at the wordsmithing level, unless it deals with content.
And that will obviously move us through much of the afternoon.

Agenda Item: Office of the National

DR. COHN: So, with that, Kelly, did you want to lead off? And thank you.

MS. CRONIN: Sure. Thanks for the nice introduction, Simon.

I often tease David about, after his departure, all of a sudden, everyone
in our office seems to be having babies and big things are happening.

So while we can’t claim to have normal lives now with our office, at least
we have moved on personally.

Anyway, I thought you all probably have been updated by Rob and John
Linsk(ph) over the last six months with a lot of the activities going on in the
office, but we thought we’d spend at least a few minutes to give you an update
on where we stand with the American Health Information Community in terms of
transitioning to a public-private partnership —

We thought we’d give you an update on what’s happening with the planning to
transition the American Health Information Community into an independent
public-private partnership that will be a new legal entity and touch base on
where we stand with the — trial implementations.

And, then, Jodi can also give updates on other work in the office,
particularly that related to privacy and security or our state-based efforts.

So starting off with the AHIC, what we’re referring to now as 2.0, since
that’s an easier way to sort of brand this before it gets a life of its own.

Over the last six months, we’ve spent a lot of time trying to conceptualize
how this might work, and we started this through letting three different
contractors look at how such an organization could be designed from an
organizational structure perspective.

So how would a board be structured? Should it be a membership organization?
If it is, how might you represent various stakeholders in the healthcare and
public health communities? And how would you create a sustainable business
model that would be viable over time, in particular through transitions of
administrations or — you know — as we know that — as the market will evolve,
hopefully, for health-information exchange, and as the HR adoption increases?

So in getting some input from Booz Allen Hamilton, Avalere and a small —
consulting firm that convened sort of a network of healthcare leaders, Alchemy,
we had a lot of good ideas presented in June to AHIC and the Secretary around
how this might be achieved.

And so with that input, we then did a lot of internal planning and had the
expert advice from Dee Hock, who, many of you know, is the founder and former
CEO of Visa, who has really extraordinary experience to bring to this effort in
that, even though the banking analogies are often not directly relevant, the
organization that he created, both nationally and internationally, and how it
evolved is quite illustrative.

And he had a lot of insight into how to deal with the political
complexities, the legal complexities and how to make this, perhaps, viable from
a business perspective over time.

So we had the advantage of his guidance and advice over June, July and
August, and also had some senior legal subject matter expertise outside of
government helping us with some of the legal aspects of how this might be
structured and how can you ensure a definitive role for government, since we
are committed and realize the importance of having the federal government, and,
really, government at all levels, an equal partner in this effort.

This is not really an effort to privatize governance, per se. It’s really
an effort to make this more of a truly meaningful partnership across the public
and private sector such that decisions can be made and there could be actions
taken to realize a lot of the vision that we’ve all been articulating over the
last five or six years.

And I think, now, we all recognize — I mean, advisory functions are very
important. Not only has this organization played a really important function in
— you know — for conceptualizing the NHIN — and AHIC has done its part more
recently to try and engage people at a higher level and doing a lot of work at
a workgroup level, but it is just advisory.

I mean, technically speaking, you can only advise the Secretary and what
HHS agencies could potentially act on. And, in spirit, AHIC was designed to be
more of a public-private partnership where there would be an informal agreement
among those represented through private-sector committee members that they
could also be taking action. But, again, you have to think what are the
boundaries of such an organization.

And, if, eventually, what we want to evolve into is more formal governance
that could potentially play a governance role over the nationwide
health-information network, then we need to be sort of reevaluating what is the
appropriate type of organization to do that.

So in thinking through a lot of these issues, we have proposed some key
attributes and functions that we think the organization should take on or at
least putting it out there really for food for thought. So we released a white
paper in August.

We have received, I think, 52 or 53 comments, and many of them very
thoughtful. So we’re still in the process of really reviewing those and trying
to synthesize those and plan to release a summary.

And, then, we also had two public meetings in August, one led by the
Secretary on August 17th and another one on September 5th
that was really more targeted towards potential applicants for a cooperative
agreement to actually get this whole effort started.

So a notice for funding availability for this cooperative agreement was
published back in August, along with the white paper, and really spelled out
sort of what we would hope a potential applicant might consider in coming
forward to do this work, not really specifying how they should do it, but more
the process and the expectations of how they would come together and represent
different interests in the form of a collaborative.

So we expect that there’ll be sort of one trusted and neutral convener that
would sort of do all the heavy lifting in what we’re calling Stage 1, which we
anticipate will be from November to March or April.

And they really will — not only the grantee and the neutral convener —
doesn’t have to be one and the same, but it could be — would be convening a
planning board representing the different interests.

And they would actually be doing the organizational design. So they would
be thinking through what does this look like? Who should be represented on the
board? How should membership — if it is a membership model — be pursued? How
should people vote, both at the board level and the membership level? How do
you make money? How do you sustain this effort over time? What are the core
functions and the mission of this organization? Are they in agreement with what
has already been proposed in the white paper and in other public discussions?

So they’ll really have a lot of work to do between November and March and
April to really get this off the ground.

And, then, at the end of that time period, they’ll be expected to set up a
new legal entity, and that means articles of incorporation and all the formal
governing documents would have to be created and submitted.

And, then, under Stage 2 of the cooperative agreement, we, then, have the
funding from HHS going to this new legal entity.

So it really would have to be operating by the spring of next year, and, at
that point, we’ll really be more deliberately transitioning some of the work
that AHIC is doing now onto this other group.

So we would hope not to lose the current priority areas that we’re taking
on, but, instead, figure out a trajectory to transition them.

So there’s a lot that would have to be worked out in terms of how exactly
that will happen as the planning phase really gets underway. So we may not know
who specifically will take on, for example, quality and health IT issues.

And we’re also expecting that, in part, HHS will be providing up to $13
million over two years, but we would hope that — and have explicitly said this
in the cooperative agreement or solicitation — that we expect the resources
that will be required will go beyond that amount, and we would like to see
private-sector contributions to match that initial HHS investment.

So that’s more or less where we stand now.

We expect to have applications in for the cooperative agreement by October
5th. And then we’ll have a fairly quick turnaround in terms of an
expert-based review panel, and then expect to award the cooperative agreement
and get this all started by the AHIC meeting in November, the second week of

So we’re doing that meeting in Chicago, in conjunction with the AMIA annual
meeting, and should have everything wrapped up, in terms of the agreement, by
that date, and then the hard work will get underway.

So I can answer questions if people have questions on that.

DR. FITZMAURICE: Just a quick — how many millions of dollars did you say
that ATHS will start off the 2.0 with?

MS. CRONIN: Well, it’s, as you know, Mike, you can’t necessarily commit to
future budget years, but —

DR. FITZMAURICE: You mentioned a number. I didn’t —

MS. CRONIN: Yes, it’s up to $13 million. So we’ll start off with — you
know — whether it’s under CR or whatever our budget situation might be for
’08 —

DR. FITZMAURICE: We won’t hold you to it.

MS. CRONIN: Yes. No. No. So I think, yes, that the intent is to make it a
multi-year commitment and that cooperative agreement will be multi-year, too.

DR. COHN: Yes. And maybe — I’ll just ask it — maybe an additional
question is is part of that — is that intended also to fund efforts around
HITSP in terms of its evolution or is that a separate piece?

MS. CRONIN: Very good question.

We have contemplated — I think Rob has also said this publicly — that we
would have contract dollars that — for the option years of HITSP, CCHIT, at
least for CCHIT, those that would be targeted towards developing the criteria
that that could be funneled through this new organization.

Now, a lot of that could play out in terms of — or be impacted by how the
organizational links are determined in this planning phase. So it would really
be up to the planning board to figure out what kind of organizational links
will be either more formal or less formal between HITSP, CCHIT and AHIC 2.0.

I mean, there’s pros to make them all part of one umbrella, in one fashion
or another, and there’s cons to that.

So I think, clearly, CCHIT has — you know, starting to develop a
sustainable business model. And they’re perhaps more mature, in some ways, but
we do recognize the importance that if AHIC 2.0 continues to sort of set
priorities for the national agenda that those priorities actually, then, can
follow and guide a lot of the activities. So having some kind of explicit link
between the organizations will probably be necessary. How that plays out
legally and from a governance structure perspective has yet to be decided.

DR. FRANCIS: I’m curious about how — what kind of thinking is going on
about how certain public priorities — say, if you think of privacy protection
as a public priority — will get represented in the structure.

MS. CRONIN: That’s a great question, and I think, again, the scope and
mission of the organization will be finalized during this planning phase.

But I think many people recognize that you can achieve interoperability
with appropriate privacy protections.

And the Secretary has been very clear in that policy development — federal
policy development will always be the responsibility of the federal government.

That said, there may be some role, in terms of complying with federal and
state laws and making those perhaps — have them implemented in such a way that
there is greater privacy protections or appropriate privacy protections. That
clearly could be considered by this planning board and the organization as they

It has been sort of — what’s been proposed is really more focused on
achieving interoperability, and, in the short term, trying to take on this role
of really setting priorities and trying to coordinate standards harmonization
and certification.

But as we start to see an emerging NHIN fostered by these trial
implementations over the next couple of years, and other market activities, and
there is more of a governance function, then, I think that the organization is
going to have to contemplate what is their role, not to replace or to develop
policies, but perhaps to make sure that there’s compliance with.

And in terms of representation of consumer interests, there is definitely a
very — I think a keen awareness of how important it will be to represent
different consumer groups. And there’s been a lot of thought about how that
might happen, how many board seats, what kinds of organizations, how do you get
the expertise and knowledgeable people to be voting on behalf of consumers.
These are all challenging issues that will be contemplated by the planning
board, and, in fact, I think some of the people who are actually interested in
applying for the cooperative agreement are actively thinking through that now.

So it’s definitely an important point, and no matter what the scope of the
organization, consumers will have to be well represented.

DR. STEUERLE: I’m just wondering, as you debate this new structure, I mean,
I see so much of what we work on is dealing with interoperability,
coordination, often very much avoiding violating privacy concerns, making sure
various consumer groups are representative.

But when one looks at the technological advance, there’s also sort of a
competitive version of this, which means you get competitors out there really
jumping out there, taking risk of violating concerns that others might have,
jumping ahead of the game, often, in some of these areas, creating natural
monopolies, because, in some areas, it’s — you know, that’s what IBM did and
that’s what Google does and that’s what — And we haven’t really got that
because we keep dealing with a lot of constraints.

And I guess I’m just struggling to think of how — how does this structure
not just promote cooperation? But I think that competition that’s going to
allow people to make some of these leaps ahead, as opposed to always worrying
about all the —

I mean, for instance, standards, I think we’ll be dealing with standards
for 100 years. We should be, because, hopefully, we’ll be developing them. But
we can’t let that constantly be a constraint on what I think some of us think
are some abilities to leapfrog ahead.

So I’m just curious how this structure is going to deal with that struggle,
which is, by the way, the same struggle I think this committee has at times.

MS. CRONIN: Yes. It’s a great question, and I don’t know that anyone has
the right answer right now, but I think, clearly, we’ve thought a lot and tried
to communicate, you know, this idea of being a very nimble organization and
allowing for a lot of ideas and innovation in the marketplace.

In fact, one of the ideas that came out of the original three contracts was
to create an innovation fund, sort of like a social capital fund. And we have
done some more thinking on that. It’ll be up to the new organization to decide
if they want to go down that road.

But there clearly — there could be a lot of very creative things that
could be done to allow for innovation at the local community level or local
market level, and, you know, what works and perhaps could thrive in a larger

I think that — you know, we’re so early on in experimentation on a
regional or state level that we don’t necessarily see how it’s going to play
out yet exactly.

But this organization would really be, perhaps, playing a role of
accrediting or qualifying organizations that would play on a national level if
they’re going to connect to the NHIN in some way, but, in doing so, not be
creating a barrier to health-information exchange or connecting, but, rather,
sort of making sure that there’s good actors in the system and that people are
acting responsibly and able to share data that we all think is sort of a
responsible way and an effective way of doing so.

So our hope is that this will allow — it’ll allow for enough flexibility
to really encourage the emergence of an NHIN, and probably think through some
creative options on how to best get there.

Another thing that we’ve all recognized, and the Secretary and Rob has said
this many times, we are, in many ways, very restricted by our budget process. I
mean, you know, we’re totally at the whim of the — you know, what happens in
the Senate and the House this next year is a very good example of how we got —
we’ll probably get close to half of what we’ve requested for our budget, which
makes us very limited to do the kind of trial implementations and get the kind
of experience across communities that we originally thought we would have.

So if, in fact, there’s real excitement and agreement across sectors on how
to make this real, you could end up perhaps having a much more rich set of
resources to make this happen, if you’re creative about it.

DR. COHN: OK. Mike, Jeff, and then we need to move on to Jodi’s
presentation at that point.

DR. FITZMAURICE: I had asked about how much would go to this committee, and
you said, oh, roughly $13 million you were thinking of, without being very
specific that would be the number.

And, then, Simon asked, “What about HITSP funding?” and you said,
“Well, there are pros to making them all part of one umbrella.”

“Them,” I assume, is AHIC, HITSP and maybe CCHIT.

So that one possibility, out of the many possibilities, could be that the
$13 million wouldn’t go just to one committee, but would be used to cover all
three entities. Am I right about that?

MS. CRONIN: Yes, I mean, that would be pure speculation at this point. We
haven’t really —

DR. FITZMAURICE: But that’s what it means.

MS. CRONIN: Yes. I mean, sure. I guess it could be one potential

I think that it’s really going to be up to those who are going to lead this
organization, and govern it, to decide how they want to use their own funds.

But if there were contract dollars that were filtered through in future
years, so let’s say the ’08 option year, fiscal year ’08, we have
option years for both CCHIT and HITSP.

If the money were to be funneled through the organization, it would likely
be funneled directly through them, and so there would be — it wouldn’t be part
of the $13 million. It would be a separate amount of money.

And in terms of how they would use up to $13 million, it would be up to
them to figure that out.

DR. FITZMAURICE: You answered my next question. I have no more. Thank you.

DR. COHN: Okay. Jeff, final question on this one before we move to Jodi.

MR. BLAIR: Yes. Thanks.

Kelly, on the NHIN trial implementations and on the accelerating public
health situational awareness from CDC, they’re on the same time frames. They
have many of the same tasks. Many of them are identical.

One of the use cases for the NHIN trial implementations is bias

Could you give us some idea of how these — they’re obviously — they were
obviously prepared in coordination with each other.

Now that there’s about to be selections of those, what’s being done to
coordinate overlaps? Where you have some states or entities that have been
granted one from CDC and the other from ONC, how are you going to be
coordinating that?

MS. CRONIN: That’s a great question, and I think that there’s a strong
desire, in particular on behalf of the folks in ONC, to coordinate as
proactively as possible and really try to connect these communities in a sort
of social and technical perspective, because we see an awful lot of opportunity
to facilitate a lot of lessons learned and sort of work through issues real
time if the CDC trial implementations can be part of the NHIN cooperative.

So I think it’s our hope that this will be very well coordinated and that
as workgroups get together and the NHIN cooperative gets together that everyone
will be able to figure out some of the really tough issues with sharing data
and mapping and interfaces and data-sharing arrangements.

I think we’re very hopeful that we will be able to work closely together
and that CDC will be willing to encourage all their contractors to be part of
that process.

And I think — I know John Linsk has had a few conversations with folks at
CDC about that. I’m not exactly sure where the plans stand at this point, but
I’m sure he could report back with any progress.

MS. DANIELS: OK. I’ll be as brief as possible, so that there’s time for
questions and that I don’t hold up the agenda too long.

I was just going to give some brief updates on some of the state-level
work, particularly the areas of privacy and security, but also some other
policy and legal issues that are being addressed at the state level and that
ONC is encouraging along.

The first is the Health Information Security and Privacy Collaboration, the
HISPC, which I’ve briefed you all on before, just to give you the update on
where that stands and where we’re going to be going with that.

There were 34 states and territories that were involved in the effort to
look at privacy and security policies and practices in underlying state laws
regarding privacy and security, look at variations, look at where there are
challenges and identify solutions and implementation plans to address whatever
challenges they face that they identified with respect to these policies and
practices and laws and the effect on electronic health information exchange.

The 34 states did all this work, and our contractor, RTI, presented final
reports of the variations, solutions and implementation plans in a nationwide

A couple of the — I just want to highlight some of the challenges that
were identified in those reports that seem to be some themes that came out.

The first was before you even look at what the variations are and where
there are challenges, there was a lack of awareness among the stakeholders and
a lack of sufficient knowledge about health IT and health information exchange,
even to understand what the implications were of some of the privacy and
security practices.

They identified that consumers were unaware of some of their legal
protections under state law and that providers frequently didn’t understand the
state-law requirements because they would be multiple in various places within
the laws, and they had difficulty understanding the complexity of the state-law

So some of the solutions that some of the states identified were to do some
education and outreach to various communities, to consumer communities and
provider communities to educate them on what — on health IT and health
information exchange as well as on the existing privacy and security structure
that’s out there. And so some of the states have begun to look at those as far
as implementation within their states.

Second challenge were variations created by state privacy and security
laws. This is sort of what we expected to be the bulk of the discussion,
although it was only one piece of the discussion that they had.

Many of the states identified, again, that there were various state laws
dealing with privacy and security and they were sort of all over the code
within the state.

So there were privacy laws that were just directed to particular sectors of
the healthcare industry, like insurers or like hospitals or mental-health
professionals, and there wasn’t one place that a provider or a consumer could
look to understand what the laws were.

And there was also inconsistent or contradictory laws. There was confusion
about how to apply those laws. So that was a challenge that folks identified.

And some of the states are cataloguing — as far as their implementation
plans, they are looking to catalogue what laws they have, are looking to try to
reform their state laws to at least put all the privacy laws in one place so
people can figure out what they are required to comply with. And some are
looking at proposing some new legislation to bring some more harmony to their
state laws on privacy and security of health information.

The third challenge was obtaining and managing patient consent. This is a
recurring theme that comes up over and over again when you talk about state

There is clearly a lot of variation in consent laws related to health
information across the states, and there is a variation not only at the
state-law level, but also within practice of organizations and how they
obtained consent, what kind of consent.

And this was identified as a challenge when entities are trying to share
information and they have different consent forms, either because that’s just
their policy or they’re trying to share information across state lines and
there are different consent laws.

So some of the solutions that were identified and included in
implementation plans, were looking at how to standardize patient consent. Some
of the states were looking at coming up with model consent forms, looking at
the issues that I know you all talked about in great detail on opt in and opt
out when you were talking about electronic health information exchange and
trying to come to some consensus on those issues and things like that.

The fourth challenge was variations in methods for implementing
authentication authorization, access controls and audits.

At the organizational level, looking at organizational policies, everyone
had varying approaches to addressing these issues, and it really impacted the
trust that a provider would have in sharing information with another
organization if they had different practices for authenticating individuals for
auditing disclosures of data and things like that. So this was a challenge that
was consistently identified as well.

Some of the states are looking at coming up with minimum standards for
these things from the standpoint of how to set policies so that there’s at
least a baseline that folks would comply with, so that they can have a minimum
level of trust when information is being shared from one organization to
another, and also specifically looking at role-based access and try and see if
they can come up with some guidelines for that as well, so that there’s some
consistency in policies.

The fifth is privacy and security oversight.

There was some identification by many states of lack of state-level
authoritative governing bodies to oversee development, adoption and enforcement
of privacy policies and practices for health information exchange at a state
level, and that was something that folks wanted to address as well.

As far as where we are now, we’ve extended — the first phase of the
contract ended this summer and we have the fund report identifying the
variations, solutions and implementation plans.

We wanted — there was such good momentum and such a desire for more
collaboration and bringing more states into the fold that we wanted to continue
this work and keep that momentum going because there’s some real opportunity, I
think, for the states to address some of the issues that — within their state
as well as start collaborating across states.

So we’ve extended the contract until December 31st of this year.
The 34 states and territories are continuing to do their work. The funding —
the continued funding is to focus on the foundation piece of the individual
state implementation plans to get them started on implementing their plans as
well as to foster multi-state collaborative workgroups among the states and

And what we’ve done there, there’s been a meeting with all the states that
were participating as well as any other state that wanted to join, and we had
nine states and one territory that had not participated in HISPC who joined
that meeting as well. So we’re now to 44 states that have — are actively
engaged to start looking at the areas where collaboration can help move their
implementation along.

And they started talking through some of those projects. They’re all in the
same areas that they identified challenges — consent, consumer- and
provider-education, harmonizing state laws and the like.

And what we’re hoping is there will be a HISPC 2.0 in 2008, and we’re going
to try to focus that more on the collaborative efforts across the states,
rather than the state-by-state efforts, so that we can start bridging some of
the — of the differences across the states and assure that information — that
privacy and security laws and practices are appropriately addressed for sharing
of electronic health information across state jurisdiction lines.

So that’s it on HISPC. I’m just going to do the two-minute update on state
alliance for e-health.

This is an initiative that ONC has begun with — in collaboration with the
National Governors Association to identify and come up with consensus on
solutions to resolve state-level issues that require state coordination.

One of the things that came up in the HISPC work was this was all fine and
good, but we’re — each state is looking at their own issues, and it’s hard for
the state to spend time and money to collaborate with the other states, and if
we could help foster that and foster those dialogues, so that they can come to
some common consensus on how to approach some of these challenging new issues
that they face, that there’d be more commonality down the road.

The other goal was to increase efficiency of the state effort, so that if
one state has gotten farther along in looking at some of these issues, this —
states that are trying to address health IT and health information exchange
issues can learn from some of the experiences of the other states. So it’s both
a consensus body as well as a communication effort.

The state alliance is made up of high-level state officials. There are two
governors that chair it, Governor Douglas from Vermont and Governor Bredesen
from Tennessee.

There are legislators, attorneys general, state health officials on board,
and they have three task forces that report recommendations — that deliberate
and report recommendations up to them not unlike NCVHS. And they have received
some recommendations from some of those task force in the area of health
information protection, as well as healthcare practice, specifically focused on
licensure of healthcare professionals and trying to coordinate the state
licensure processes across the nation, so that it would make it easier for
telemedicine for providers who are practicing in multiple states to deal with
the licensure requirements in various states.

There is the state alliance meeting coming up in — I think next week
actually. It’s in Tennessee, in Governor Bredesen’s home state, and they will
be getting recommendations from the third task force, which is the Health
Information Communication and Data Exchange Task Force that’s looking at how
public programs can participate in health information exchange and what the
state’s role could be in helping to facilitate health information exchange.

I’ll stop there and let folks ask whatever questions you have.

MR. LAND: When you talk about the states that are identifying these issues,
is there a particular state agency, the governor’s office or is it — what do
you mean by the state?

MS. DANIELS: That’s a very good question. Let me clarify.

What we did when we asked for participation in the health information
security and privacy collaboration is that we required the entity that
participates to either be the state itself, like their health department or
some state authority or that if it was a private organization that they have
the endorsement of the governor’s office, so that the state was engaged in what
was going on and endorsed this private entity in doing this work for the state.

So there was only one entity for each state that could participate and they
had to get the sign-off for the governor’s office.

It’s about half and half. Half of the states that are participating are the
state government itself, and about half are private organizations that are
engaged in health information exchange efforts within the state. So it’s about
half and half.

The state alliance — the committee members on the state alliance are all
government representatives. It’s governors, legislators, attorney generals. So
it’s all the government representatives, and they have technical advisors who
are from the private sector as well to give them advice on health IT and health
information exchange issues to make sure that they have the knowledge that they
need to deliberate.

DR. TANG: NCVHS is the federal advisory committee. We’re here to help you.

MS. DANIELS: Thank you. And we’re the government and we’re here to help.

DR. TANG: So, to be serious, how can we best help this effort in the policy
area? And a lot of what you talked about first, obviously, was in the privacy
area, an area which, of course, we do a lot of work in. How do we be most
helpful to you?

MS. DANIELS: That’s a good question.

I think, with respect to the state efforts, a lot of — I think what’s
helpful is trying to tease out which are issues that the federal government can
legitimately take on and which are issues that are really state-level issues,
either state-government issues or issues for public-private partnerships within
the states, as opposed to the federal government.

A lot of these issues, particularly in the area of privacy and security,
are really hard. I know you all know this, because you — you know — struggle
over these all the time, and we do as well.

With respect to — I’m going to be a little bit broader — our privacy and
security efforts generally, if there are — we obviously have to deliberate on
whatever recommendations come out of NCVHS or AHIC or state alliance or
whomever it is. But the more concrete the recommendations are, the more
actionable they are, and the more you all can really start teasing into some of
the really hard questions that there’s huge public debate over, I think the
more helpful that could be to us.

I know the next conversation is about secondary uses, and I think, in that
area, for example, the more that the recommendations can be focused on concrete
suggestions for how to deal with challenging issues and how to reconcile the
varying opinions and how to balance the need for information and the need for
protecting the information, I think that could be very helpful to us as we are
trying to set federal policies in these areas.

DR. TANG: So a tactic that NCVHS has taken with some of its letters is to
say, well, there’s people thinking on this side and there’s pros and cons, and
it’s a hard issue.

Are you suggesting that it could be even more helpful if there was a stand
taken where there’s a clear sense in one direction, even though it’s not
unanimous, because many of these issues couldn’t be unanimous?

MS. DANIELS: Yes. I do think that that would be helpful, because there’s
not going to be — you know, on all of these things, the debates are very —
they’re very charged. There’s always going to be dissenting opinions when
you’re talking about privacy and security issues.

And I think the only way we’re going to really resolve those is to
understand where there is at least a vast majority understanding of where the
issues should be resolved, and understanding what the difference is.

If you all are deliberating and there’s a strong dissenting opinion, it
would be helpful to know what the majority thinks, and then what the dissenting
opinion is that we can consider that.

And, specifically, if there are concrete recommendations, we have the trial
implementations for the NHIN that are coming up, and if we can — those can be
test beds for some of these recommendations. If there’s a majority opinion —
say from NCVHS — on how to deal with use of information for quality purposes,
which I know is the debate that’s been going on here, then we can try — we can
test out the majority opinion in NHIN trial implementation and perhaps we can
even test out the dissenting opinion, so we can get some real experience for
how the approach may work in the real world, rather than just what people think
around the table.

So I think the more concrete — if your recommendations are concrete, we
can then try to translate that into a trial implementation and real-world
experience that we can get more data in coming up with an ultimate policy

DR. COHN: Now, I’m going to let Jeff ask the last question on this one,
just so we can get into things.

Though I guess I should comment, Jodi — and I think we all see the world
maybe a little differently on this one.

I am reminded of the dissenting opinion that came out of MedPAC somewhat
recently, and that I don’t think did a lot to help move Federal Advisory
Committee recommendations or Federal Commission recommendations forward.

Probably, in areas where there isn’t consensus, suggesting pilots to help
testing is probably really what you’re talking about as opposed to eight to
five recommendation, recommendations with five dissenting opinions all on
different issues.

So I think be able to clearly identify where there isn’t consensus, but
still things to move the ball forward would probably be the way we could be
most helpful on that one. Just a thought on that.


DR. COHN: Jeff, final question, and then we’ll move into the other areas.

MR. BLAIR: Thanks. I’ll do it real quickly.

And, in a sense, it’s a partial answer to Paul’s, because, in New Mexico,
we’re one of the HISPC states that have the original contract and the follow-on
contract, and what we did with our follow-on contract is we’re reforming state
laws to protect the privacy of healthcare information when it is stored or
communicated electronically.

And, in terms of — you were saying how can NCVHS help? I think that it
already has.

I suspect what we’re doing is probably not that much different than a lot
of other states, but the privacy recommendations that NCVHS made for use in the
NHIN, even though it doesn’t say, “Here’s a consensus on every
issue,” it’s been extremely helpful to help discussions within a state
which otherwise might ramble among a lot of issues, and where there are strong
opinions, for them to see — to get focused on the things that NCVHS has
identified as areas and to see that, on a national level, there’s not
necessarily consensus and to craft the state legislation in a manner that is a
little more careful, because they could understand that there are appropriate
concerns on all sides.

So I think NCVHS has already — and I’ve spoken to another — you know,
many other states in the HISPC process, and they’ve been doing the same thing.
So I think that we’re already part of the process.

DR. FRANCIS: Simon, could I just ask how we could get a copy of that

DR. COHN: Sure.

MS. DANIELS: It is on our website.

DR. FRANCIS: Website.

MS. DANIELS: And I can give you the website. Well, it’s on actually the
AHRQ website. We did this collaboratively with AHRQ. It’s
HealthIT.AHRQ.gov/privacyandsecurity, and is written out. And that’s the
nationwide summary report from the HISPC project.

DR. COHN: OK. Well, Jodi and Kelly, thank you very much.

Now, what we’re going to do now is to move into the — as you commented —
the secondary uses conversation.

Obviously, we would invite you both to stay around as long as you can for
the conversation.

What we are going to do is to — I mean, we are well aware that we’re
getting towards noon. We would observe that there is a — right around noon.

What we are going to try to do is to go probably for a half an hour or so,
going through some slides.

Once again, you know, the first piece is understanding, and what we want to
do is to go through a set of slides to move us through sort of common themes,
premises, setting sort of the context for moving into observations and

Now, at that point, we were going to, hopefully, take lunch between this
higher-level piece and then moving, actually, into the observation and
recommendations, which we’ll take up right after lunch, and we’ll be moving, at
that point, between both slides and actually looking at the text of the
observations and recommendations, observing that we — when we really get into
recommendations, as I commented, everybody needs to be okay with what it is
that’s actually being said and that that is really an important outcome, so
that we understand where people are agreeing, where people are having
differences of opinions, sort of how we need to move on from here.

Now, I do also want to remind everybody that we actually have time tomorrow
afternoon — probably late morning, early afternoon, depending on when we get
to it — where we will talk about some of these things further. So this is
going to be the major phase this morning and this afternoon, but, then, there
will be some substantive conversations about next steps, recognizing where we
are by about four this afternoon or by three this afternoon.

So, with that, I think we’re going to hand it over to Justine, who will
lead us through the early conversations. Margaret will provide support and
assistance, and, then, after lunch, we’ll turn it over to Harry to sort of move
us deeper into the observations and recommendations.

Everybody okay with this?

Okay, Justine.

Agenda Item: Background Information and Draft Review
Materials to Consider — Secondary Uses of Health Data

DR. CARR: Thank you, Simon.

I’m struck by the timeliness of the topics that we heard this morning, how
many of them are tee-ing up this as a perfect segue, beginning with Jim talking
about the FDA post-market drug safety data sets, electronic health records for
population studies, personal health records, personalized health, Kelly
talking about data sharing issues, Jodi talking about lack of awareness about
current regulations over privacy and security, also asynchrony and
contradictory laws, and also patient consent variation across organizations and
states. It’s very much consistent with the hearings that we’ve had this entire
summer — June, July, August and September and October.

So I’m going to do the background, and, after lunch, then Harry will begin
with the recommendations.

Just — I think you all know the group that has been active this summer,
tremendous participation and particularly special thanks to Simon for leading

What we’ll talk about this morning will be the scope of work, the premises,
the process, the term “secondary use,” and the current state under
HIPAA, and challenges, and then we’ll stop for lunch.

I think that our scope of work involved, one, developing a conceptual
policy and framework that provides guiding principles, clarifies terminology and
includes a taxonomy.

Secondly, we are aiming to develop recommendations for HHS on policies,
guidance and regulation, and, of course, the focus of this is particularly the
use of quality data.

This began with a request that came from ONC, and the particular stated
interest there was HIT and quality, and the areas of focus included developing
clear policies and an initial set of recommendations for the quality-use case,
clarifying roles of various entities, consider the requirements around
identified, anonymized and de-identified data, and also clarify how
health-information exchanges and other entities of end users of the data relate
to each other and obtain appropriate disclosures and consents, as needed, to be
compliant with current law and to protect privacy and confidentiality.

Early in the discussions, there was concern that HIT was driving the
process of uses of health data, and, after discussion, we wanted to articulate
these premises that clarify that HIT is a tool in the service of quality

And so the premises are as you see them, that the common good for all
Americans is served when health data collected in the practice of caring for
individuals can be optimized to advance the quality of health and healthcare
for the nation.

Secondly, appropriate uses and protections for health information must be
transparent to individuals in order to reassure them that their privacy is

And, thirdly, application of health information technology affords an
opportunity to optimize use of health information for improvement of the
nation’s health and healthcare delivery system.

Our process was we had three sets of hearings, 58 testifiers, multiple
meetings, weekly phone conferences and we’ve worked closely with ONC.

Related work and documents, we’ve called upon earlier documents from NCVHS,
from AHIC, from AHRQ, from AMIA and from HISPC.

And, finally, you’ll notice that the title of this presentation was
“Enhanced Protections for Uses of Health Data.”

And we felt that it was important to talk about uses of health data and not
secondary uses, and the reasons are stated here.

One is that it’s difficult to define. There is no standard reference.

Second, grouping all uses under a single rubric may result in all of them
being treated the same, which might not always be the right decision.

And “secondary” connotes a lesser importance than other uses, and
we don’t believe that to be true. So we’re avoiding the use of the term
“secondary,” and we’re attempting and encouraging others to
explicitly and uniquely describe each use of health data.

OK. So why address uses of health data now?

There are a number of points that have come out in the process of our
investigations and hearings.

First, with the vision of NHIN, health information exchange is expanding
beyond what was envisioned by HIPAA.

Second, health information available for electronic transmission is
increasing with electronic health record, so no longer is it just claims for
billable services with ICD-9 CM codes and CPT codes and prescription claims.

Now, we have much more granular health data elements, vital signs, lab
data, discrete elements.

A third issue is that the sources of electronic health information is
expanding beyond HIPAA entities.

Fourth, linkage of large databases of health information creates a need for
stewardship for accurate and appropriate use.

And, finally, electronic solutions for patient consent following their data
are now becoming possible.

So what I’m going to do in the next few slides is just walk through HIPAA,
the privacy rule and security rule and show where we are and then what are the
gaps or issues that have been identified.

So if we start with Health Insurance Portability and Accountability Act of
1996, this was developed first to promote electronic exchange for
administrative simplification, and, as part of that, it mandated HHS to
establish federal standards for safeguarding privacy of
individually-identifiable health information.

So it regulates covered entities, and these are — covered entities are
those who electronically transmit health information in connection with
transactions for which HHS has standards, and these are payers, providers or
healthcare clearinghouses.

It also regulates the covered entity’s use of business associates, and, to
a lesser extent, their agents. So business associates or persons or entities
that are acting on behalf of a covered entity to perform a function regulated
by HIPAA or providing a service involving individually-identifiable health

So just to repeat, the covered entities are people who exchange claims data

The HIPAA privacy rule covers all personal health information in any form
— paper, electronic or oral — that could be used to identify an individual.

And there are two exemptions identified. One is that personal health
information that is used for treatment, payment or operations, and a second
exemption is de-identified data, and this has been specified by HIPAA that
there are 17 designated identifiers that must be removed to make it
de-identified, and, also, the eighteenth point is anything else that would
identify the data. So those are exemptions, then, not covered.

With regard to research, there is the common rule, and the common rule
addresses systematic investigation, including research development, testing,
evaluation, designed to develop or contribute to generalizable knowledge. And
research, under the common rule, requires IRB approval and informed consent.

HIPAA requires authorization for research, unless it’s waived by an
internal review board or privacy board.

Research may also be covered by the FDA human subjects protection

We talked about treatment, payment and operations being exempted from the
HIPAA privacy rule. So I want to give a few examples of what operations

MR. HOUSTON: “Exempted,” is that no patient consent is necessary
for the use of data in those three areas?

DR. CARR: Oh, exempted from authorization, right, right, right. Thank you,

MR. BLAIR: That still could be very misleading.

DR. COHN: Well, I’m glad it’s here.


DR. CARR: Sure. Let’s see. So exemptions from the need for specific
authorization, right?

MS. GREENBERG: And then it should obviously mention research as you went to
in public health.

DR. CARR: Yes. From changing slides around over breakfast. I apologize.

MR. BLAIR: Yes, and I guess I feel really uncomfortable with winding up in
a privacy presentation indicating that there’s this group that’s exempt, and I
think I’d like to phrase it a different way, rather than saying a group is
exempt from authorization.

PARTICIPANT: Not required?

MR. BLAIR: Pardon?

DR. CARR: Would it be helpful to say —

MR. BLAIR: You can get to it later. We don’t have to solve it right now.
I’m just sort of — you know, I just sort of wanted to be on the record that we
should find a different way to express that because there could be some
negative misinterpretations.

DR. CARR: Thank you, Jeff.


MS. GREENBERG: Also, there should be some reference in that first bullet to
covered entities.

DR. FITZMAURICE: It only covers covered entities.

DR. CARR: Yes. Okay. So we say that it covers covered entities. Okay.

DR. FITZMAURICE: In the hands of — the information in the hands of a
covered entity.

DR. CARR: OK. Thank you.

Examples of operations, and so these are areas that are permitted without a
written authorization from an individual for operations.

And so these are quality assessment and improvement activities, which is
the focus of what we’re — a lot of what we’re talking about. Also,
population-based activities, arranging for medical review, legal services,
business management, general administrative activities, establishing payment
levels, pay for performance, related efforts. Those are all examples of

The security rule. So we have HIPAA and HIPAA has a privacy rule, also has
a security rule, and the security rule applies to electronic-protected health
information. So where the privacy rule applies to any information — oral,
written or electronic — the security rule applies to electronic-protected
health information in covered entities and business associates, and it
addresses confidentiality, integrity and availability. So challenges within and
beyond HIPAA. Covered entity and business associate challenges.

One, individually-identifiable health information is also collected by
entities that are neither covered entities nor business associates, and that —
a second challenge is the accountability of covered entities and business
associates for uses of individually-identified health information.

This is not tracked, tested, audited or reported in a standardized fashion.

Treatment, payment and operations are challenges related to operations.
Definitions of what is included in operations is open to interpretation.

Second, boundaries of what constitutes quality within operations may vary,
including the distinction between quality and research.

DR. COHN: Yes, Justine, do you want to give an example of that very first
sub-bullet that you have there, just to make sure — See if you can go back
there. The very first sub-bullet.

DR. CARR: This one? Covered entity — individual —

DR. COHN: Yes.

DR. CARR: Can you read it?

DR. COHN: Yes. So give me an example or two of what you’re thinking of on

DR. CARR: Personal health records, for example, things that Carol brought
up, new — yes. Well, personal health records —

DR. COHN: Okay. So that’s primarily what you’re talking about there.

DR. CARR: Yes.

MR. HOUSTON: But you could also —

PARTICIPANT: Under covered entity.

MR. HOUSTON: Yes. You could have an entity that has a physician office
that’s not covered by HIPAA, because it doesn’t electronically bill.

(Several speakers at once).

DR. CARR: Okay. More challenges within and beyond HIPAA, and this relates
to de-identification of data.

HIPAA allows for release, without authorization, of data that is
de-identified in one of two ways.

One is the safe harbor method that we mentioned that lacks the 17-odd
designated identification elements plus anything else.

And a second is the statistical method which is a demonstration that there
is a very small risk of re-identification.

So the challenge is that there are also alternative de-identification
methods that are being used, and their definitions are unclear. So the term
“anonymized data” and “pseudonymized” data, for example, are

A second challenge is the safe-harbor method. Removing the 17 identifiers
may not always de-identify or may not adequately de-identify in certain
situations, we heard from Latanya Sweeney.

Another issue is de-identified data may undermine utility in a quality
analysis where identifiers may actually be very relevant to the assessment.

And another issue is that the statistical — when you de-identify using a
statistical method, there is not a quantitative target or requirement that you
must report. So — leaves open to variability.

The next slide talks about sale of data and HIPAA.

And so HIPAA is clear about criminal penalties for wrongful conduct and
specifically states that if wrongful conduct involves the intent to sell,
transfer or use individually-identifiable health information for commercial
advantage or personal gain or malicious harm.

A question that has come up is de-identified data, which would not be
protected under HIPAA. Is it acceptable to patients that you sell their data?
Is it acceptable to providers that you sell their data in the de-identified

Data stewardship. This is my last slide.

HIPAA includes principles of data stewardship in addressing privacy and
security of data.

AMIA describes data stewardship in the following way: It encompasses the
responsibilities and accountabilities associated with managing, collecting,
viewing, storing, sharing, disclosing or otherwise making use of personal
information — personal health information.

An issue that was raised is there is a need for more attention in relation
to data aggregation and analysis when personal health data is used for quality

So I think that was our breakpoint.

MR. REYNOLDS: Simon, if you want to, we have a couple of slides on common
themes, and then — what our observations — at least list the categories of
observations and recommendations, then break. That would give everybody a kind
of a complete warm up before we come back and actually go into the details. So
why don’t we go to the next slide.

DR. COHN: Sounds good.

DR. CARR: Okay. So what I just completed was a quick trip through HIPAA
security and privacy, trying to identify where we have coverage and where we
have gaps.

The next slide is going to talk about some of the common themes that seem
to appear in the testimony of many individuals.

And one is just understanding the benefits and potential harms in the
enhanced use of health information technology.

So, as we said at the beginning, there is the tremendous benefit
opportunity to improve health and the healthcare system. Healthcare quality
measurement reporting and improvement is enabled. There’s an enhanced ability
for public-health surveillance and responsiveness. There’s new opportunities
for meaningful research. These are all benefits that we hope to achieve.

And the concerns that were raised about potential harm, so that erosion of
trust in the healthcare system’s protection of personal information could —
would undermine the benefits.

A potential harm might also be a person’s experience of discrimination, a
personal embarrassment if their data were released inappropriately.

A concern was raised for group-based harms and also concern about
misinformation resulting from unsophisticated aggregation of data, a
stewardship issue.

Additional themes. Uses of health data for quality measurement reporting
improvement enabled by IT and HIE yields new benefits and potential challenges.

I think this is just saying more of the same. You know, measurement and
reporting address the IOM Quality Chasm aims.

I think the challenges, again, that the uses of personal health information
for quality are — although allowed through TPO — are not well known or
understood necessarily by individuals whose data is being used.

A second challenge is the concern that linkage of information must assure

A third challenge, vendors who link data must not violate trust.

Fourth, data for performance improvement may evolve into research without
the protections of the common rule(ph). So looking at that boundary between
what is performance improvement and what is research was very often raised.

And, again, the issue about the data quality and the data — is essential
for data aggregation.

So what we will hear after lunch are observations and proposed
recommendations in the areas of privacy legislation, covered entities and the
chain of trust, covered entities and data stewardship, business associates,
health data uses for quality measurement reporting and improvement, health data
uses for research, cross-cutting data stewardship principles and exercising
choice within the NHIN.

DR. COHN: Paul, do you have a question?

DR. TANG: No, I would just put a period at the end of that and say it was
really a beautiful rendition of the issues and the statement of where we are. I
just thought it was wonderful.

And there’s one particular passage in the text that I particularly like,
and the reason is I think it’s a great operational test, each one of these
questions, and the way they wrote it is —

DR. COHN: Do you have a line?

DR. TANG: It is page 9, line 341 in the remainder of that package, and it
basically says, “Trust erodes and privacy concerns may increase, however,
when there’s a divergence between what the individual reasonably expects health
data to be used for and when uses of health data are made for other purposes
without the knowledge and permission of the individual —” I don’t know
what happened to this sentence or the way I read it.

But it’s really when the subject of the information doesn’t expect
something to happen, whether for commercial or other reasons, there’s a lack of
trust and there’s an erosion of trust.

And so for each one of these things, I think we should ask the question,
and so that’s particularly helpful when you get the de-iden, well, should you
let it out of its de-iden? If that’s not where the patient expects it to go —

MR. BLAIR: That’s the issue.

DR. TANG: That’s the problem.


DR. TANG: And so, anyway, I thought that was very well articulated, and
just the whole thing leading up to this point which is sort of like page 10,
well done in the document.

DR. FITZMAURICE: I also think it was well done, and on the previous slide,
I wonder if instead of the common rule was meant the privacy rule.


PARTICIPANT: No, it is the common rule.

DR. CARR: So, in other words, it is if it were in TPO, it would be under
the privacy rule.

When it becomes research, it’s no longer quality under TPO. It’s actually
research under the common rule.

DR. FITZMAURICE: That’s true, but that’s more protected by the privacy
rule. Common rule usually refers to things that are federally funded clinical
trials as opposed to any use for quality improvement that then evolves into
research ought to go in front of an IRB to get privacy-rule permission, if you
haven’t gotten authorization from the patient.

DR. STEINWACHS: But, Mike, what happens, frequently post hoc, is that you
do the quality-improvement study. Then, you decide you want to publish it.
Then, you go to an IRB and say, “Well, we didn’t ask consent. We didn’t do
all these sort of things. We want your approval to use the data.”

And so it provides a kind of loophole if someone is a little bit sinister
by orientation to say, “We always do quality improvement. Oh, but by the
way, we want it in the New England Journal.”

DR. COHN: Yes —

DR. FITZMAURICE: That’s not my point. My point is that it’s covered by the
privacy rule as opposed to being a common-rule violation, most often.

DR. COHN: Well, it isn’t — Yes, it’s not a violation of either.

DR. STEINWACHS: No, is the problem.

DR. COHN: Is the issue.

DR. STEINWACHS: If you undertake research. It’s a gap.

DR. FITZMAURICE: Without patient authorization?

DR. COHN: No, no.

OK. If you’re doing quality improvement and subsequently it turns into
something that has to do with generalized knowledge, sort of slips through,
that there be a problem.

Want to talk about this after lunch. So why don’t we hold that particular
issue, recognizing that this is one of the areas where there’s just been a
little bit of conversation.

Now, Jeff, you had a question at this point or a comment?

MR. BLAIR: Justine, I think you made the statement that after you go
through the de-identification process that there’s still a question of the use
of the patient’s data. And so this is just an open question just to think
about. I don’t know if there’s going to be a specific answer at this point, but
I don’t know that the patient still — quote — owns their data after it’s been
de-identified. So that’s the question I had.

DR. CARR: Well, I think maybe does that get back to what Paul was saying
about trust, that if you’ve taken data you’ve de-identified it. Now, you’re
selling it.

MR. BLAIR: Right.

DR. CARR: I mean, I put it as a question, not as a statement. It’s a
question that we heard.

MR. BLAIR: Oh, OK. OK. I’m sorry. I didn’t catch that.

DR. COHN: Yes.

DR. CARR: Yes.

DR. COHN: It’s a question because we’re going to try to answer it in our
observations and recommendations.

MR. BLAIR: Okay. Great.

DR. COHN: Because I think that there is a — at least some level of
discomfort about the multiple different ways that de-identified data seems to
be being sold, utilized or whatever, and is there some issue there.

MR. BLAIR: Thank you.

MS. GREENBERG: Or whether it’s really de-identified.

DR. COHN: Well, there’s also that, whether it’s de-identified.

But I think that this gets into the nubbins of the observations and

Other questions and thoughts that you can all think about — begin to think
about this one over lunch?

MS. GREENBERG: Chew on it.

DR. COHN: Chew on it — OK.

Now, Justine, I want to thank you, because we’re actually just at 12:30. So
this is good. So we’ll adjourn for one hour.

(Luncheon recess taken at 12:35 p.m.)

A F T E R N O O N S E S S I O N (1:45 p.m.)

DR. COHN: This next couple of hours will be spent talking more, moving into
the observations and proposed recommendations for the secondary uses report.

Harry’s going to review them — these basically at sort of the slide level.

We know some of you haven’t probably read the report. Others of you
actually have, and so what we’re going to try to do is to allow for sort of
each recommendation time for discussion.

Certainly, those of you who have actually read the recommendations and have
particular opinions about them, this is the time to get them on the table.

As I said, really, the purpose here is to understand where there’s general
agreement and where more work needs to be done or whether there’s divergent
opinions or whatever in terms of all of this.

Now, after we’re done with that, assuming that there’s some time, we may
very well go back through the earlier parts of the document and talk about

But, anyway, but I’m expecting this will take much of the afternoon to do
all of this.

My understanding is we do have one other action item today, which is a
quality workgroup letter, and that we’ll spend probably the last half an hour
before we break for our subgroups going through and talking about, and we’ll be
primarily just looking at the recommendations there.

So, Harry, with that, I’ll turn it over to you.

Agenda Item: Secondary Uses of Health Data,
continued discussion

MR. REYNOLDS: After the applause for Justine, next time, I’m going first.

Moving right along.

So you see that the observations in the areas of proposed recommendations
that we have.

I’m going to go through them one at a time. We have eight recommendations.

If you’re following along in your letter, we start on line 737, which
starts the observations and recommendations.

DR. COHN: Page 18.

MR. REYNOLDS: Page 18. So if you want to do that.

So let’s talk first about the subject of the privacy legislation.

You can see on the left-hand side that we list a number of problems, such as
increasing privacy concerns in HIE.

The HIPAA privacy rule only has the force of regulation and is not

Definition of HIPAA-covered entity limited to relationship to financial and
administrative transactions. New users not covered.

New users being some of the other entities that we’ve talked about as we’ve
gone through this, since this is somewhat of a changing environment, other than
the administrative transactions, and going into other things.

And then the root cause of — it’s the root cause of many potential harms
and uses of health data is a lack of comprehensive discrimination legislation
and regulation.

Then, if you go to the right-hand side and you look at our recommendations,
and I’ll go through those.

1.1 is — we talk about comprehensive federal privacy legislation, and a
lot of that is, in fact, based on what we did with our previous privacy letter
out of this committee where we talked about how we would like to see that dealt

1.2 focuses on enhanced definition of covered entities.

As you notice right now, it’s only providers, payers and clearinghouses,
but there are significantly more entities that will be dealing with this data
as we go forward.

And, then, 1.3 being focused on the anti-discrimination legislation and

So under those first three — and what we want to do is you have the letter
and some of you have read the letter. So if you feel better making comments
about that —

But, first, if we could have everybody have some discussion on kind of what
we call as our Recommendation 1, and the observation that we have in the letter
as to where — you know, what you feel about it, where you think it goes, where
you may or may not have issues or concerns, and those types of things.

So let’s start with there.

DR. TANG: I think I would support the three recommendations.

Under Recommendation 1.2, which I guess matches your enhanced definition
statement, there is a statement here that I agree with. Just wanted to make
sure that that — included, “Included in this legislation or regulation
should be a clear statement that personal health information includes any
health data that may be individually identifiable or de-identified.”

DR. COHN: The line that you’re referencing?

DR. TANG: 774.

MR. REYNOLDS: Through 776.

DR. COHN: Are you adding — making a change here?

DR. TANG: No, I’m just saying that is a topic that came up when Justine was
presenting her overview. It is included — I’m just pointing out that it is
included in your recommendation 1.2.

It’s not as clear in your summary statement, but I think it’s an important
topic, and I would support that.

MR. REYNOLDS: Also, it is also discussed in 7.3 or it doesn’t still point
there, does it, Margaret?

MS. AMATAYAKUL: Yes, it does.

MR. BLAIR: Could you just help us understand why de-identified data is
still protected?

DR. TANG: Is it a question you would like me to respond to, Jeff?

MR. BLAIR: Or whoever in the task force —

MR. REYNOLDS: No, agreed, but Paul’s got an answer, good, he can start.

DR. TANG: So if I use my primary filter, which is what would the patient
expect, then that statement would be consistent with my impression of what a
patient would expect.

MR. REYNOLDS: Margaret, can you tell me the reference now? The one that I
have references 7.3.1, and, in this document, there is no 7.3.1. So what I’d
like to do is make sure people see where this points to as I mention again.

MS. AMATAYAKUL: Yes, I think that’s because we moved these things around
and I didn’t —

MR. REYNOLDS: I know, but that’s why I want to make sure —

MS. AMATAYAKUL: It’s 2.3.1.

MR. REYNOLDS: Which one?


MR. REYNOLDS: OK. 2.3.1.

MR. BLAIR: Paul, your answer to my question was because that’s what the
patient would expect, and —

DR. TANG: So there’s two parts to the answer. It’s — one part may be
actually it’s an assumption that was discussed in the workgroup, which is
calling the question is there really de-identified useful data.

So almost — I mean, here may be a personal opinion, an interpretation,
almost any data that can be useful will contain information that can lead to
its re-identification.

If that’s true, then, a patient would not expect information, period, to be
going somewhere for any other purpose than the care purpose or things
supporting that care.

And so that clause is just making explicit de-identifiable or what may be
labeled as de-identified —

MR. REYNOLDS: And it all works together. You’ll hear us later talk about
definitions, because one person’s de-identified — as we heard in testimony —
is not somebody else’s de-identified. It’s a term of art, but not used that

The second thing is as you look at 2.3.1 — which we’ll get to in a minute,
but it’s what we reference — it talks about how easy it is to re-identify, and
we heard a number of testifiers actually talk about how you can take data that
somebody says may or may not be identified, de-identify it and actually turn it
into something identifiable.

So, again — and that’s why it was good — As you remember Justine’s
themes, you know, we’re going through these linearly, but the problem is all of
them really intersect with each other and interact in many ways. So that’s why
I want to make sure any reference we make, you’ll understand, and then when we
get to that one —

MR. BLAIR: Now that I understand the definition, it makes sense, but the
corollary of that is that if the patient’s identification is anonymized, does
this still hold true?

DR. STEINDEL: We actually heard from Latonia in that particular case, and
it does hold true. You can re-identify.

MR. BLAIR: Even with anonymized?

DR. STEINDEL: As long — depending on what the data set looks like.

And we also heard cases where you could create a truly de-identified data
set if you modified some of the variables to variables that might be useful in
another way.

MR. BLAIR: Well, going down the spectrum, how about when you have
aggregated patient data? Is that still protected?

PARTICIPANT: Statistical? You’re thinking of statistical?


DR. STEINDEL: Yes, and in that case, it depends on the degree of
aggregation and the cell sizes that you’re looking at.

DR. COHN: Well, I actually just want — for a minute, just want to get on
— obviously looking at this one, and I think I understand what it is, but I’m
not quite sure.

So I’m going to ask for a little bit of clarification, perhaps from our
co-chairs as well as other committee members, because I guess the question that
I’m listening to with Jeff is, I think, fear that he can’t use it at all.

And I guess I’m sort of just trying to think through, as I’m thinking
through this, what we mean when we say the personal health information includes
any health data that is identified or de-identified means that it — and, then,
once again, help me — I just want to make sure if I understand what it means.
It means that it can be used, but needs to be used under —

DR. TANG: It cannot — So there is an assumption that — quote —
de-identified data can be used without any restrictions.

So one point is that we don’t believe there is such a thing as
de-identified data that is useful. So, therefore, it’s of no interest to

And, second, so this statement is saying all data should be under the
regulations of — should follow the rules that apply to a covered entity.

DR. COHN: OK. So let’s think about what that means in relationship to
de-identified in this context.

I mean, I think it would mean that, obviously, that this is that business
associate agreement pieces that we’ll talk about —

DR. TANG: Well, later.

DR. COHN: Well, no, but I mean that there’s a sort of change of trust, but,
also — So what sort of cases would this allow de-identified data to be used
without —

DR. TANG: It’s not so much permitting things to be used. It has the — once
you have personal health information, you have responsibilities that are
similar or maybe the same as a covered entity.

MS. GREENBERG: I think in personal — an individual form is what you’re
talking about. I don’t think you’re talking about — although cell size is an
important factor, but, in response to Jeff’s question, I don’t think you’re
talking about aggregate data at the regional level or whatever, unless there
happens to be only one person and there are a few people in that region who
have a particular diagnosis and everyone knows who it is.

But you’re really talking about record-level data. I mean, individual —

DR. TANG: So another way — so pretend a covered entity that lives by all
the rules over covered entity created aggregate data like you described that
could be used by anyone for any purpose.

One of the important loopholes we’re trying to cover is to give somebody, a
non-covered entity, the ability to access all these identifiable data and then
create an aggregate report, they still have access to all of the PHI, and
that’s what we’re trying to get addressed.

DR. STEUERLE: I’m not sure this has helped, but I deal a lot with this
question of de-identifiable data with the IRS Statistics Division, which, in
the end, often concludes that I can’t release any data at all.

I mean, let me give you an example. If John has a — you know, one of his
patients in the hospital spends $433.33 for a particular procedure, and somehow
or another they send — he puts it on his Master Card, his $433.33, and
somewhere there it says, “Sum statement,” like it went to that
hospital there, and somebody else has another data set that identifies the
hospital, and he’s the only person in the world who’s paid $433.33 in
Pittsburgh or Pennsylvania, that person might — you might be able to link that
to another data set and determine things about them.

So, at some level, any data that has any specificity to it is
re-identifiable if merged with the right data set, and that’s the dilemma that
statisticians deal with.

And so you have to be very careful as you write these rules that you don’t
prevent certain natural things from happening, which, by the way, goes all the
way — all the time. And I don’t know whether there’s a capability of showing
this to people in the finance field. That’s one of the huge debates in finance.
We know that all of our personal information is all over the lot out there with
the finance companies, and the finance companies fight against a lot of these
rules that prevent them from using the information, in some cases, incorrectly,
but, some cases because they couldn’t even operate if they had to worry about
this re-identification.

And I don’t know if that helps or not, but it is a dilemma we have to deal

MR. REYNOLDS: Yes, and I would remind everyone around the room, it’s us. So
those of you who haven’t been on the committee — hearings, welcome. We’d like
to welcome you right now.

DR. SCANLON: Gene’s point is very valid. I mean, but I think we also — we
have to be very careful about terms, and aggregated is a very imprecise term.

You know, NCHS has rules in terms of releasing survey data, and they will
aggregate it and they will suppress cells when they are below a certain

Now, the question is what is — we’re not specifying that there is that
kind of a standard for what is going to go on with covered entities or anybody

And so when you talk about sort of aggregated, if I am a covered entity and
I have claims from all the hospitals in my area and I do an aggregation — and
I start to report on an individual hospital basis by diagnosis what happened —
there’s a question there of what are the risks.

And this, I think, is the kind of thing we need to think about, because
this is the reality we’re dealing with today. People are interested in
reporting at the individual provider level. Hospitals are actually big
providers, compared to people wanting to report at the physician level about
what’s happening with respect to certain types of care, and when the care
becomes more narrowly defined — it’s this diagnosis, this type of treatment,
this provider — we’re suddenly down to small — very small sample sizes, and
that’s where the risks start to increase.

And I’m not convinced that we have any ability to draw lines, but it’s what
we have to be aware of as we use terms that may — I mean, aggregated fits, but
the aggregation can be very, very sort of small.

DR. WARREN: Okay. I have a clarification question. I thought I understood
the recommendation until Paul explained it. Sorry, Paul, because you put a spin
on it I had not thought about.

So that last line, includes any data that can be individually identified or

Is there any other kind of data besides those two?

MS. GREENBERG: Only aggregate data.

DR. WARREN: So it includes all data, regardless of whether it’s identified
or not.

MR. BLAIR: Or de-identified or —

DR. TANG: Regardless of how it’s labeled, because, again, one of the
assumptions is you cannot adequately de-identify data that remains useful.

DR. WARREN: Then, I think that needs to be kind of recrafted a little bit,
but I don’t know how to do that, because this gives — I mean, we have the
impression under HIPAA that there’s de-identified data we can do stuff with,
and, now, we’re coming back and saying not really.

MR. REYNOLDS: The other thing we may want to say throughout the document,
when we use de-identified, we tie it to the HIPAA definition of de-identified,
not the imprecise definitions that we heard as we heard —

DR. WARREN: That’s why I wanted to clarify with Paul, because if you’ve got
identified data and de-identified, and those are the only two kinds we have,
then we can really just say all data, unless there’s a third kind of data
that’s out there that we’re talking about.

DR. TANG: Being explicit, using the term that HIPAA uses, which includes —
quote — de-identified, that’s to bring that into this restriction.

DR. STEINDEL: Yes, Harry, I just would like to make a comment that may
organize this discussion a little bit better, because I think we’ve taken off
on a complete tangent.

What we are talking about in Recommendation 1 specifically are the
attributes for a new piece of privacy legislation, and once we’re introducing a
new piece of legislation, what we’re just saying is we think these are three
attributes that should be in there.

If they pass new privacy legislation, there may not be such a thing as a
covered entity. There may be all sorts of things that are changed.

And, now, when we start discussing these attributes with respect to the
HIPAA definitions, we have I don’t know how many pages of recommendations that
go into it with respect to HIPAA in gory detail, and I think we should refrain
from discussing, in terms of this recommendation, those details until we get to
the specific recommendations, because I think we’ve found that most of the
points —

MR. REYNOLDS: I think that’s a good point.

DR. STEINDEL: — have been covered.

MR. BLAIR: If I understand your thinking correctly — and, Paul, I’m kind
of looking to you, because you clarified, the boundary isn’t whether it is
de-identified or anonymized or aggregated. The boundary is whether the data can
be re-identified from what I heard you say, in which case if you simply use
that as the qualifier for this sentence, then I think it would be consistent
with the explanation or clarification you gave us.

DR. TANG: I think that’s a fair interpretation of what I said.

And, also, the Recommendations 1.1, 1.2, 1.3 are actually three separate

So 1.1 — what you said, new privacy legislation.

1.2 is a way to cover what was called — well, sort of a loophole of
HIPAA-covered entity.

And 1.3 is to try to address the harms that can happen outside of the
context of HIPAA.

MR. REYNOLDS: We do mention legislative or regulatory measures, not just

MR. SCANLON: Three quick points.

I think it would be good to include such language like based on a gap
analysis of HIPAA and other privacy legislation and where gaps remain.
Otherwise you’re throwing the baby out with the bath water and what you get
might be much worse.

And we’re not saying that it should be HIPAA legislation, particularly.
We’re saying that it should be privacy protection, whatever is the suitable
level of protection there.

Number two, there are uses of information that I think were alluded to —
Justine alluded to that are not necessarily privacy issues, but they’re
appropriateness issues, and even de-identifying data. So it may be more of a
data-stewardship issue.

There’s an example given of the Framingham study where de-identified
information was going to be made available for drug firms and others for
profit-making purposes, and the community board was very upset with that. Not
that it was a privacy issue. It just was an appropriate issue. That’s not why
they were participating in a Framingham study.

And, then, third, I think you may be throwing the baby out with the bath
water when you add the de-identify concept into this term, because you’re
trying to — you’re working on nuances that no one else will see, and you’ll
literally shut down virtually any record-level information by throwing — and
it’s just an impracticality to implement or design.

It’s a very useful concept in HIPAA. It provided a nice balance between
legitimate public uses and protection, and I wouldn’t design a policy on the
resources available to one person at a big university who can spend all day
checking records. I think you sort of have to do it for the likely threat, the
more reasonable risks.

MS. GREENBERG: Amen. I mean, you would be saying — I mean, you might be
implying — couldn’t be any record level public-use data tapes or whatever,
even if they met those requirements of HIPAA certified by a statistical agency
and what have you.

So I agree completely with Jim that it goes too far.

MR. LAND: I am concerned that with this 1.2 there’s an exclusion for
public-health agencies, and I’m reading this right now, this would eliminate
that exclusion. That will just eliminate vital statistics completely.

MS. GREENBERG: Yes, that’s exactly what I was thinking of.

MR. REYNOLDS: Okay. And that was not the intent.

MS. GREENBERG: The use of vital statistics.

MR. ROTHSTEIN: I just want to say that the re-identification is one of the
concerns, but there are other concerns that underlie this kind of
recommendation, and Jim’s point, I think, is a good one, but it goes beyond the
unusual study like Framingham.

If you have patients who don’t authorize or don’t sign anything and don’t
receive anything besides the notice-of-privacy practices, and the — let’s say
a hospital takes their information and de-identifies it, and, now, suddenly,
sells it, just because it’s de-identified doesn’t mean that the individual has
given up all interest in that information and wouldn’t feel that — and this
goes to Paul’s point earlier — it exceeded the reasonable expectation of what
sort of rights, if you will, you give up.

And so I think there’s another side to this. It doesn’t — as I sort of go
— and to a larger sense on this — it’s not necessarily that you couldn’t use
the information. It’s that there might be some higher level of permission —
not necessarily an authorization or some higher level of notice that you might
have to give to individuals before you can use this information, even in a
de-identified form.

DR. TANG: So to put the sense that I took out of context into context, what
it said, in making recommendations on expanding definition of covered entity
under HIPAA, they should consider personal-health information as all of this

So it would be discussing the responsibilities of dealing with personal
health information, identifiable and de-identified. So it’s really not an
exclusion. It doesn’t necessarily change anything that HIPAA has to say. It
just has to include both things.

DR. FRANCIS: I have what I don’t think is really a wordsmithing question,
but it’s a question about what the function of these recommendations are.

The first two start out by saying HHS should work with other agencies, and
that’s not a very strong recommendation. That sort of sounds like HHS should
cooperate, not take the lead.

And I don’t know what’s meant there, but it seems to me that what these
recommendations should do is say something like, HHS should, in cooperation
with other federal agencies, propose or develop or something like that, rather
than the more minimalist, “Well, if somebody else wants to do it, we’ll
cooperate.” It just doesn’t sound like we’re urging that something be
done, and I’d like to see us urge that.

Then, there’s another small point. I think 1.3 needs to be reworked a
little bit, so that it’s consistent with the ADA. I’m not sure it is in its
present form.


Margaret’s taking notes on this. So if you don’t see the rest of us taking
notes, it’s not because we’re remembering everything.

DR. COHN: Can I just ask a question of clarification?

Leslie, what do you mean consistent with the ADA?

DR. FRANCIS: Well, actually, if you look at it, I think the ADA — the last
sentence — I think the ADA’s language is actually stronger than what’s in the
last sentence, because there’s no comment about reasonable accommodations and
so on.

MR. HOUSTON: This maybe is — We spoke at lunch. So I’m not sure where we
insert this in the dialogue regarding the issue of covered-entity coverage. Do
we wait to the business —

MR. REYNOLDS: Yes. And, then, if you need to tie back to this, that it
didn’t do something that —

MR. HOUSTON: And do we want to simply just tee it up just the first —


MR. HOUSTON: Yes, I mean, I think the point that I had made to Harry before
was is that I think there is some opportunity to look at trying to merge the
concept of a covered entity as well as a business associate and provide a
framework for the privacy rule directly providing some type of regulatory
framework over both, rather than having a business associate simply be an
animal that the covered entity has tried to manage.

But that’s really where I was going with my comments, and I’ll wait
’til the — later.

MR. REYNOLDS: Yes, because we talked more about data stewardship and we
talked more about the business associates and so on, and, again, in the end,
then, if everybody needs to come back, we can tie it back.

DR. DEERING: And I apologize that I’m only now seeing this, having
participated in these discussions so long.

My question gets to the relationship of 1.1 and 1.2.

1.1 appears to imply that this new privacy will supersede HIPAA, because
the only clarification there is that it will cover all entities, including
those not covered by HIPAA.

And, then, the second one it says, at the same time, that we’re going to go
ahead and strengthen HIPAA.

And so I’m just asking more in the form of a question, is there a need to
harmonize those two recommendations more fully so that — because if you have
1, do you need 2?

I mean, clearly — I mean, 2 is one particular issue that we meant to
address, but it’s a question of —

MR. REYNOLDS: Steve, do you have a comment on that?

DR. STEINDEL: Yes, I have a comment on that, and, basically, this goes back
to what I said earlier. I’ve always read 1, 2 and 3 — 1.1, 1.2 and 1.3 — as
being in the context of new federal privacy legislation, healthcare privacy

Now, if we think about the HIPAA process, originally, HIPAA called for that
law, and regulation was only introduced if Congress failed to pass that law
after a certain date.

So HHS did not craft the regulations until Congress said, “We’re not
going to do the law.” And what I’ve always viewed this section as, as
another call to Congress to go back and revisit the issue.

And, then, when we used the term, “HIPAA,” in 1.2, what we mean
is that there are certain things that you defined in the HIPAA regulation that
we find problematic, and if you’re going to craft new privacy regulation, we
want you to avoid those problems.

DR. DEERING: So it’s all subsumed. So there’s an omnibus privacy
legislation, which includes all three of —

DR. STEINDEL: Yes, that’s the way I’ve always read this.

DR. DEERING: .1 subsumes 2 and 3.


DR. DEERING: In your view.

MR. REYNOLDS: OK. I think we’re out of people that were commenting on this.

DR. COHN: Well, yes, you know, I’m not — you know, this, obviously, is a
nuanced conversation at this point, but I guess I am reflecting that I think
that there are — there is legislation on the Hill currently that talks about
1.2, and there’s not legislation that talks about 1.1 or 1.3.

So, you know, I mean, we can describe this as omnibus, as Steve is
describing, or this needs to be somehow nuanced that these are potential
separate elements and separate initiatives and all of that. And so there’s just
that observation that it isn’t an all-or-nothing piece here.

DR. STEINDEL: Yes, there’s nuances there, and, actually, what we’re talking
about, the bills on the Hill actually modify the HIPAA Act. They’re not

DR. COHN: Right. Exactly.

And so we probably just need to make —

MR. SCANLON: I was going to say, it’s really — 1.1 could be interpreted as
based, again, on a gap analysis. It could be for whatever legislation is
necessary to fill in the gaps at HIPAA, not necessarily superseding and
replacing HIPAA. And, then — so it fits in where there appear to be gaps.

But, again, it should be based on language suggesting a gap analysis, so
that it’s a fairly nuanced and targeted kind of an effort.

DR. DEERING: But if I could only just point out that there is a difference
between the committee recommending an approach based on a gap analysis versus
the committee making a recommendation for new comprehensive privacy
legislation. Those are very distinctly different approaches.

And I just wondered whether the committee wanted to be — to make — come
down, you know, on one side or the other.

DR. GREEN: I agree with that point. I agree with that last point, and I
wish to come down on one side of it.

I think this discussion and the work of the summer, all the stuff I’ve read
leads to — me to the following conclusion. It’s 10 years after HIPAA. We know
more about it now, and it’s time to do something fairly substantial with it.

And we have also got tucked into here Paul’s issue that the substantial
shift cannot be based on the assumption that we can sort data into identified
and de-identified data.

And that’s the thrust of this thing that it seems to me is worth doing,
particularly given where we’re about to go next to the stewardship idea,
because my reading of this is where we’re headed is saying, you know, this idea
of data stewardship is crucial to the next phase, and that’s what we really
want to emphasize.

So the gap-analysis approach on HIPAA, I think that’s a mistake for us to
put our recommendations there.

I agree with — your other point is it’s time for some serious legislative
work here, folks, if we’re going to get to the HIT infrastructure and the
healthcare system we want.

MS. MC CALL: I guess I want to add on to some of Larry’s comments.

I would agree that — you know — on a tenth anniversary, with all of the
evolution that we’re talking about in healthcare IT and uses, that we come down
on the side of needing something substantial.

However, I don’t want to throw the gap baby out with that bath water

I think it’s important that we take a point of view — I think we need to
take a point of view that our opinion is based on two things simultaneously,
that there are, in fact, gaps, and I think we need to acknowledge them.

I also think that we can take a point of view that says merely addressing a
gap and filling it is necessary, but not sufficient. All right?

And I think it allows us to do a couple of things, and one may be this
whole bit about all the different pieces under — you know — this first area,
1.1 through 1.3.

1.2 seems to me temporary, but moves us forward, and, yet, 1.1 says we’ll
go farther, right?

And so I just don’t want us to think of this as an either/or proposition.

DR. TANG: So my question back to Jim and Marjorie, then, is why would
removing the concept of de-identified hurt your purposes? Because you are
covered by public health.

MS. GREENBERG: Well, it doesn’t mention public health at all here.

DR. TANG: No —

MR. HOUSTON(?): This one says all entities —

DR. TANG: Will be included in a discussion of personal-health information,
and we have very explicit clauses about public health, research, et cetera.

MS. GREENBERG: Doesn’t say anything about that here.

DR. TANG: Well, but it just isn’t in this section. That’s all.

It is trying to raise the notion that, as Larry said, we’ve learned that we
actually can’t — quote — de-identify data in a useful form.

However, there are a lot of good uses for data. We heard a lot in the
testimony, and they’re all basically being handled in a responsible manner as
with public-health data.

I’m not sure I see why this new distinction of whether there is or isn’t
de-identified data would hurt the public-health cause, as long as that was
still an exclusion.

DR. OVERHAGE(?): My issue is the way this reads is that all entities —

MS. GREENBERG: Any entity.

DR. OVERHAGE(?): — any entity will now be a covered entity. That means
this is one example that a doctor cannot report a communicable disease unless
he gets permission from the patient to report a communicable disease.


MR. ROTHSTEIN: Even covered entities today can report that information,
even in an identifiable form. So if you include more people as covered
entities, they would, presumably, have the same rules apply to them that apply

MR. SCANLON: If you keep the same framework as HIPAA.



MR. SCANLON: — about throwing HIPAA out, then —

DR. TANG: No, just the concept of that there is a useful way of having —
de-identifying data.

DR. FRANCIS: I was going to say I think part of what’s a little troubling
here is that if you go back and read the beginning part of the report, one of
the really good things that the report does is it distinguishes various kinds
of secondary uses, and it makes clear that different standards might apply to
different ones.

And so if you bear that in mind, this is just saying these data are within
the purview, too. It’s not saying what ought to be done with the data, but that
these are data you need to think about, too, and they are, for the reasons Mark
and Paul have been —

MR. REYNOLDS: And for purposes of today, I think, as we move on to the next
recommendation, I think we’ve heard real good things.

I think the public health is clear. We need to look back and normalize as
to whether we have actually — we can look back and decide whether or not we
need to normalize this to the rest of the discussion and whether or not we’re
actually hurting things that HIPAA allows, because there are things that HIPAA
allows, some of the public health and others. So I think that’s what the
subcommittee is hearing.

So rather than putting all the words — I think it’s documented. It’s on
the list. It’s on the parking lot. I mean, we got more work to do.

And so I think all these are great, great inputs to us making sure that we
put this down so that it doesn’t hurt something that was there okay, and then
and/or supersedes something that’s already agreed to, whether we call it HIPAA
or whether we call it new legislation or anything else.

DR. COHN: Well, I was just going to suggest that, actually, there’s been a
fair amount of language in the various privacy letters that talk about these
things are not meant to preclude traditional relationships —


DR. COHN: — that deal with public health and all of that.

MR. REYNOLDS: Yes, that’s exactly right.

DR. COHN: And I think it’s a question of just pulling that out —

MR. REYNOLDS: No, no, and that’s — I think that’s what we’re hearing, and
so —

Gene, you had one other comment, and, then, I’d like to move on.

DR. STEUERLE: I mean, I’ve raised this issue before. I think of this issue
between privacy and improved health through things like electronic health
records is statistically involving Type 1 and Type 2 errors, and, generally
speaking, if we reduce Type 1 errors — Type 1 errors being we’re not getting
the improvements in health we could get through things like electronic health
records, we’re going to increase Type 2 errors, which are the threats of
privacy and vice versa.

And, of course, the political out is we always talk about the standard.
Well, given a given amount of Type 1 error, less — Type 2 or given a minimum
amount of Type 2, — Type 1, that gets us into the political out that the
politicians want to deal with. We’re never creating losers.

But what I liked about the first part of this essay was it’s really talking
about the tradeoffs.

And I wonder if we really want to be a little more explicit and talk about
these tradeoffs, because, at times, it gets to a level of abstraction.

I think members of this committee — I’m not sure everybody agrees with
this, but I think most do. I’m probably thinking of a lot of things I’ve heard
Mark say over the years — is I think we have real concern —

We talk about improved health. We’re not just talking about improved
health. I think we need to be very clear. We think that there are probably
thousands, maybe tens of thousands, of people who are having worse health or
perhaps even dying prematurely because we are not improving in areas like
electronic health records, public-health sharing, and those costs to society, I
believe, we generally believe are much higher, that Type 1 error, than are
these dangers of privacy concerns.

So if we’re going to try to go towards expanding the spreading of
information, we know that we will increase privacy risk.

And I think sometimes we need to make that fairly clear. We want to
minimize that, but we’re not — you can minimize privacy risk altogether by
never sharing any information.

But I think we gotta make clear, ultimately, that one of our objectives
here really is the — it’s not just improved health, but, I mean, I think we
need — some examples of why this improved health is so important.

And I’m just — I’m not sure, by the time we get through everything, that
just talking about the tradeoffs quite makes that quite explicit.

And so we get down back to these arguments in the end of trying to — of
worrying about every — worry about every privacy loss we’re going to have.

We are going to increase privacy concerns, and we are going to — if we
expand the spreading information, we are going to violate — through accident,
through error, other things — some people’s privacies, and that’s the tension
we’re dealing with.

But I think worry that we spend too much worrying about minimizing this
Type 2 error, and then — and it’s got a real cost, and I —

MR. REYNOLDS: Can you recommend to the subcommittee either some wording or
where you would see something like —

DR. STEUERLE: I think the first part doesn’t — the tradeoffs —

MR. REYNOLDS: Yes, but I’m saying if you —

DR. STEUERLE: — making it a little more explicit —

MR. REYNOLDS: Feeling your passion, you could — a few of those words down

DR. STEUERLE: I’m not sure I’m speaking for other people here or not.

MR. REYNOLDS: No, no, no. Understand. Understand.

I think what we’ve done — and we’ve got X amount of time to get this done.
What we’re trying to do is put it on the table today, have good, open
discussion, and if people really think they can improve a section or an issue,
we’ve already had red line from a number of people. We’d love to have some
other comments.

So that’s what I’m saying. I’m really not — I’m hearing what you’re
saying, but we need to get it in our process.

Paul, do you have a comment on this —

DR. TANG: I do. I think there’s — the elegance of the solution is I think
there is a way to decrease the Type 2 error without increasing Type 1, and it’s
actually the heart of the matter, which is people are afraid of the commercial
uses of data that do not contribute to their or society’s health, and that is
actually the problem we’re trying to deal with.

That’s a Type 2 error that does not impact in a negative way the Type 1

And so if we focus our attention on closing that loophole of basically the
commercial gain that is not productive to —

PARTICIPANT: Well, who’s to say?

PARTICIPANT: Who’s to say?

MR. REYNOLDS: OK. Well, let’s do this: We’re going to — we have plenty of
time to wordsmith exactly what that is, so we won’t have a give-and-take across

(Several participants at once).

MS. MC CALL: I guess I would not describe commercial use as a Type 2 error.

(Several participants at once).

MR. REYNOLDS: As I said, Gene — Going back two comments earlier, Gene, if
you would give us some input —

OK. Now, as we move on to the next slide, Margaret —

Again, one of our goals today is to make sure we get a good thorough
discussion of each of these.

I would draw your attention to line 788 — All right. Listen up. I would
draw your line to 788 in the document, please.


MR. REYNOLDS: So that you — 788. So that you understand the transition
between Slide 1 and Slide 2.

OK? We knew, as a subcommittee, that 1.1, 1.2 and 1.3, as Larry said and so
on, may or may not occur in the next —

So, therefore, we have tried to come up with a transition that said, in
lieu of that, and, actually, in inclusion of that, even if that happens, then
what we’re going to talk about next, we believe, is important.

OK? So I wanted to make sure you saw that transition, so that it’s not one
or the other. You see a smooth transition that we’re including, because, again,
not to be victims of the fact that legislation may or may not happen, but
actually go ahead and move forward.

DR. COHN: I just have a slight question. I think we’re on Recommendation 3,
it looks like. What happened to Recommendation 2?

MS. GREENBERG: It’s up there. 2.1.

DR. COHN: Do I have an old copy in front of me?

MR. REYNOLDS: No, I got — Recommendation 2 is Cross-Cutting Data
Stewardship Principles.

DR. COHN: Right, and Recommendation 3 is HIPAA Covered Entities and Chain
of Trust.

MR. REYNOLDS: There we go.

(Discussion of numbering).

MS. AMATAYAKUL: I think the numbering is wrong. We’ll get it fixed. Just
worry about what it says.

MR. REYNOLDS: Yes, hang with us.

All right. So we are on — for those of you who have a written copy, we are
on number 2.

For those of you that look up, it’ll be number 3. Work on the translation.
You don’t need the Standards Subcommittee to help you translate that. OK? We
got it. Good point. OK. We’ll let you do that.

OK. So covered entities and data stewardship. And if I draw your attention
to the slide.

Our problems are —

DR. WARREN: I still can’t find what we’re talking about.

(Discussion of where they are in the document).

MR. REYNOLDS: We are on the letter. We are on page 19. We are talking about
number 2, which is line 797, and that’s where we’re starting, and so we’ll —

MS. GREENBERG: Do you want to read that transition sentence?

MR. REYNOLDS: Yes, I will read — actually read 788 on.

“In the absence of comprehensive privacy legislation and regardless of
the scope of such legislation, the following recommendations provide
practically possible solutions for the near term. Recommendations for guidance,
such as the HIPAA Security Guidance distributed by CMS on December 28, 2006,
and/or further enhancements of regulations are made that would serve as a means
for covered entities to demonstrate good faith efforts in compliance with
applicable regulations. NCVHS commits to monitoring the usefulness of this
guidance and offering further recommendations as may be needed.”

So what we’re talking about in number 2 is really getting down to the idea
of regardless of what occurs, and I’ll play off of Larry’s comments and some

We are entering a new world and that new world is moving quickly.

The stewardship over the data which entity, regardless of what they are
called, regardless of the form of the data, regardless of what their purpose is
and regardless of what they do and don’t do is really about as we care about
the individual and care about people knowing what’s going on with their data,
it’s all about the stewardship.

And so we tried to capture that in looking at this, because — and that’s
why we call it cross cutting because whatever you’re termed as an entity, you
get into that environment. There are those key things.

So what I’d like to do, then, is if we could go to — and let me read the
two recommendations that are here, 2.1 and 2.2, and then we’ll go back and
anybody can say anything they want to say about the actual — the verbiage in the
observation. Let’s go to them, so that they’re on the table, and then we’ll
move accordingly.

So Recommendation 2.1, it reads, “Recommendation on guidance for data
stewardship principles: HHS should facilitate the establishment of guidance for
data stewardship to ensure fair information practices for all uses of health
data, including those for all forms of quality measurement, reporting and

2.1, “The Health Data Use Risk/Benefit Analysis Framework below should
be tested for use in informing HHS in its guidance development.”

And if you’ll look at the bottom of your page and — are we back on the

So our problems. Our large databases increasingly have richer data,
enhanced data-linkage capabilities, as we’ve heard others mention already a
little bit ago, and fully automated data-collection process, so data can be
transformed from one company to another company instantaneously. So it moves in
and out of place.

But despite enhanced data-protection techniques, heightened concerns about
— there’s heightened concerns for the potential for risk.

So our recommendations are, one, data stewardship guidance.

2.2, data collection should require a risk-benefit analysis with the
intentionality of use involved.

And, then, 2.3, the identity protection, where we’re talking about
statistically-determined and published and data-linkage intent.

Whoa. Go back, Margaret. I wasn’t finished right now.

Data-linkage intent and processes established.

Now, you can go on.

Data security management, role-based access, continual improvement,
retention and deletion of metadata.

Why are those numbers?

MS. AMATAYAKUL: I only changed the 2. I didn’t change — I didn’t have time
to change all the —

PARTICIPANT: I know you can do it.

MR. REYNOLDS: It’s a long way from North Carolina, and I’m tellin’ ya.
Okay. Good.

Moving right along, acting like we’re all together here. Go back — Go back,
Margaret. Don’t take it away now. I just got the 7 figured.

7.4.4, accounting for disclosures, including breaches by business
associates or agents.

And then 2.5, and its subsequent sub-bullets on release of data.
Data-release agreements, correction medical identity theft, and minimum
necessary for appropriate data aggregation.

So what we’re talking about, as we go through this is building a framework.

And, then, Margaret, before we take any questions, can you put the chart up
that we referenced, please? You have that chart?

And, again, the reason — what we’ve done with this chart — and this came
up in some discussions some of us had earlier — this whole idea of this is a
long document. It has a lot of pieces and a lot of parts, but the idea is who
is the user? What is their intended use? What kind of analysis are they going
to do?

And you can see the four bullets or four buckets that we have there.

And, then, what are the data-stewardship-type approaches — Jeff, I gotcha
— that they would need to consider and include as they are doing this.

So the reason this is in here is, as we continue to debate this and deal
with this document, this might be a chart that we go back to on a consistent
basis, as we are — so if we’d have taken some of the other subjects we did and
we’d have put it up there, then you might be able to better walk it down and at
least keep some order to the discussion, not necessarily make that an end
product, not necessarily say that’s the best chart you ever saw, but at least
it allows some kind of an honorable bucketing of a discussion as we go forward.

So, with that, Jeff, I saw your hand up first, and then —

MR. BLAIR: Yes, the first comment —

MS. GREENBERG: Let Margaret —

MR. REYNOLDS: Margaret, do you have a comment?

MS. AMATAYAKUL: I just discovered that this slide deck is not the latest
slide deck. So I — Justine added slides, but not to the latest one. So I’m
going to switch while you’re talking.

MR. REYNOLDS: Good. Well, we’ll act like we don’t notice that, and then
we’ll be right back on track as we — this is —

All right. We have Jeff, and then we have Paul, and then we have Mark.

MR. BLAIR: Despite the fact that this may not be the latest slide set, I
really want to commend this framework. I’m finding this framework very helpful
to build upon.

And, as I start to build upon it, I have one set of questions — there’ll
probably be more later, but — and the set of questions that I have, Harry, you
pointed out or I heard somebody point out, which I also thought was part of the
framework and very useful, was risk-benefit considerations.

So my question is when we talk about risk, obviously, we think of the risk
of violations of protected health-information privacy.

Do we also include as a risk patient safety? And do we also include as a
risk the health of the population as a whole?

There’s three areas of risk, and I’m just wondering if the framework has
been expanded to include that notion of multiple risks.

MR. REYNOLDS: I think when we listed the potential harms in the slides that
Justine showed, and as we go through this, yes, Jeff, I think we list —

MR. BLAIR: Great.

MR. REYNOLDS: A couple of places we list benefits and potential harms, and
I think this chart, as we go through the buckets, does, in fact, touch on that.

MR. BLAIR: Thank you. Great.

MR. REYNOLDS: Maybe not completely to your satisfaction, but it does.

DR. TANG: I’d just like to propose that we delete the allowance for
statistically — use of statistical methods to de-identify information for the
reasons that Gene mentioned earlier.

MR. REYNOLDS: What are you saying?

DR. TANG: It’s on — well, I don’t know what — it’s on — 2.3.1 said that
we would — I don’t know if you can show it, Margaret.

MR. REYNOLDS: We will. OK. Can we — let’s hold you ’til she gets it
set up. All right?

Let’s go to Mark.

MR. ROTHSTEIN: I have a question about the scope of this entire set of
recommendations, the 2.1, and follows.

This isn’t a section that is prefaced by the language that Harry read that
said in the event that or until there’s new legislation, so we’re basically —

MR. REYNOLDS: No, and even if there is new legislation —


MR. REYNOLDS: — these things —

MR. ROTHSTEIN: OK. But, for the time being, we’re still — these would
apply in the HIPAA era.


MR. ROTHSTEIN: And so my question is do these recommendations on data
stewardship apply to both covered entities and, currently, non-covered

I mean, they could apply to non-covered entities in the sense that they’re
only recommendations and sort of standards or guidance that the department is
setting out, but if the department wanted to, at least as to covered entities,
it could make them more of a requirement.

And so the question is should we have the same language or the same
approach with regard to the stewardship issue apply to covered entities and
non-covered entities — maybe that was the intent — or do we want to consider
the possibility or put in here the possibility that there would be different
levels of requirements?

MR. REYNOLDS: Simon, do you have a comment on it?

DR. COHN: Well, I was actually just going to try to answer it, and, then,
obviously, part of the issue, I think, is we’ve been playing around with the
ordering of all of this.

And what I think we’re trying to do, and I think we see this later, is
really tightening up the chain of trust, so that non-covered entities that are
touching all of this would effectively become business associates, by and

And so my view, in a sense, they — if they aren’t fully-covered entity,
they at least become quasi-covered entities, and, therefore, would be covered
by the —

So I guess I would say the answer is yes, and I think we were trying to
figure out a way to sort of tighten that up.

MR. ROTHSTEIN: Yes, as to which question?

DR. COHN: Well, yes to both, that it should cover equally the covered and
non-covered entities. Though, obviously, the strength may be a little

MR. REYNOLDS: And I think, as I listened to a lot of the comments, this
whole idea of business associates — covered entities, business associates, the
whole idea of the stewardship, as we’re listening, I think your question brings
us to where we have to knit this all together at some point —

DR. COHN: Yes.

MR. REYNOLDS: — and say, so — because next you’ll hear us talk about a
chain of trust and you’ll hear us talk about what covered entities should do
with business associates and so on, and, in the end, your question fits well.

So when we step back and say, “OK. How do all the pieces really fit
together, so, in the end, if all this happened, what have we got?” And I think
that’s maybe something we need to make sure that we cover in the subcommittee,
because I think every one of these points taken alone is good. Knitting them
together is even better. So do we really help somebody see what — you know —
what the end game is not the end pieces.

MR. ROTHSTEIN: So at some point —

MR. REYNOLDS: The end game.

MR. ROTHSTEIN: So at some point, at the end, we’re going to go back and
make sure that each section, it’s clear what they —

MR. REYNOLDS: Well, and I think your question reinforces that further, that
we go back and knit it together, you know, so there’s a flow, and that’s why
we’ve been moving stuff around in the letter, too. If we move this up sooner,
then it would fit. Then, when you went to the rest of the letter, and I think
that would be helpful. So — yes, Carol.

MS. MC CALL: In terms of the concept around data stewardship, I’d like to
discuss expanding the concept a little bit.

I see a lot here about it’s protection, the housing of it, you know, the
movement of it, but not anything here, in this framework, about the quality of

And, for me, when I look at data stewardship and the role that I play,
stewardship includes the quality of that which we are collecting, and it’s
going to be a vital component. When I start thinking about the report on
quality, it becomes a garbage in, garbage out. I may have great protection and
collection mechanisms, but if it’s still junk, we can’t do anything that we

So I’d like to open for discussion the concept of including a
responsibility to that within the concept of data stewardship.

MR. REYNOLDS: Right. And I think if you remember Justine’s presentation, we
had almost that exact statement in there. So we need to normalize from what we
said up front, and it’s probably in the front of the report saying that the
quality of that — and then we talked about aggregation, whether the quality of
aggregation or the quality of the data itself, we said that, and I think —


MR. REYNOLDS: So we’ve actually stated it. It was on our charts earlier.

MS. MC CALL: Right. Because I think the framework’s great.

MR. REYNOLDS: It’s just not — it has just been not dropped — been forward
here. So I think —

Now, do you have a question on this?

DR. SCANLON: No, it’s on —

MR. REYNOLDS: OK. Then Judy’s next, no matter what anybody else wants to
talk about. Judy’s been patient for me.

DR. SCANLON: I think we came up against quality in another perspective,
too, which is the issue of when somebody does the analysis and does it right
and people are harmed or when somebody does the analysis and it’s wrong,
they’re harmed, that these are harms. OK?

And there’s also — there’s harms that are coming from good data or bad

But there’s a question of what’s government’s role in providing the
assurances that data are always good, that an analysis is always right, and
that right analysis is suppressed when it’s going to harm somebody.

I mean, those are all seemingly beyond the role of government, because it
involves a pervasiveness that we would not find tolerable.

So the question is we’ve identified these as issues, but is there anything
for government to do with respect to them? And I’m, at this point, not sure
there is.

DR. WARREN: I have a question about 2.3.1. It’s about the first sentence,
and I don’t know whether this is the one where Paul wants to throw it out or

But when I look at the entity be required to statistically determine the
ability to re-identify individuals in the data set, what I wonder about then is
if a hospital is running an EHR and they’re going to make the data in the HR
available for educational use and research use, are we now going to require
them to certify what the possibility is of re-identifying these patients and
their data.

And the reason I ask that is that’s putting a huge burden on future
research in that they’ll have to account or pay for out of their research
grants for hospital to do that or it’s going to put the cost burden on the
hospital to do that or it’s going to make our schools have to come up with the
money to run these statistical studies or am I reading this wrong?

MR. REYNOLDS: These hands that are up, are they comments on that? John and
then Kevin and then — OK. John.

MR. HOUSTON: When I read that, my first — I didn’t think that there was
much of a — an enormous amount of burden associated with it, but that I
thought that if it was done on the front end, in terms of being able to provide
some quantitative value to the quality of the de-identification —

DR. WARREN: Which would require the ability of whoever hosts that original
data to have a statistician who can do that.

MR. HOUSTON: I don’t know if you can get information that could help you
determine that or how you do it, but if you knew it up front and when you
submitted it to an IRB or whatever, then I think that there’s a value in
determining whether that risk is sufficiently low, in conjunction with the type
of work you were planning on doing to allow that research to go on.

DR. WARREN: So, then, let me take this to the next conclusion. I mean —

MR. HOUSTON: If I can answer your question.

DR. WARREN: — we’re already facing a lot of places that will refuse
researchers access to data, and, in some cases, refuse students access to data,
because of HIPAA regulation. Whether it’s accurate or not interpretation, it’s
out there. So I just don’t want to add another hoop to some of this.

MR. REYNOLDS: Let me comment on the testimony we heard is that
de-identified as defined by HIPAA as a threshold — was it 0. —

PARTICIPANT: 0.4 percent.

MR. REYNOLDS: .4 percent. So that is already in place. That already exists
as the threshold for de-identification.

PARTICIPANT: What is 0.4 percent —

MR. REYNOLDS: Possibility of having it re-identified.

PARTICIPANT: That’s the statistical — I never heard that.


DR. WARREN: But it says here, “to statistically determine the ability
to de-identify the individuals.” And so do we know what statistics to use
to determine that?


DR. STEUERLE: But — matching data sets you have and you might not even
know what they are.

PARTICIPANT: Depends on what the —

MR. REYNOLDS: OK. Hold on. OK. OK. Good point. OK. Kevin, you had a comment
on this, and, then, Paul, you have a comment.

DR. VIGILANTE: So a comment on three levels. I am concerned about the
burden this would impose to actually determine that.

Concerns about what the threshold would be above which you would rise that
would deem it inappropriate.

And, thirdly, it’s the statistical capability varies — as you were just
about to point out — on the other data sets to which you may or may not have
access which serve as the intermediate bridges for identification.

So when Latanya — what’s Latanya’s last name?


DR. VIGILANTE: Presented to us her work at Carnegie Mellon, she happened to
have access to voter-registration lists, which were the intermediate step that
enabled her to start to sort of form this bridge, but suppose she had access to
Visa financial data. Then, it would be probably much more robust.

So the ability to do this is so variable that I don’t think one can make
definitive judgments about what the statistical capability is or is not to
re-identify the data in any given case.

DR. WARREN: I just wanted to rebut Kevin.

I’m trying to read this the way that —

DR. VIGILANTE: I’m agreeing with you.

DR. WARREN: Oh, you’re agreeing with me?

MR. REYNOLDS: Thank you.

Paul, will you please continue? Judy doesn’t recognize who’s for and
against her. So we gotta work with her. Paul.

MR. HOUSTON(?): Judy, we’re all against you.

DR. TANG: Okay. So two comments.

One is that is the —

DR. WARREN: Shows you how confused I am.

DR. TANG: So the first is — I guess I’m in agreement with you — that is
the sentence that I proposed to delete. So that would have solved your problem.


DR. TANG: And then the second even higher level is to say that all of these
bona fide, acceptable uses that are overseen — public health, research,
education — already have a bi, in a sense. So I do not think that it imposes
any additional restrictions or burdens on top of HIPAA.

So I think, in both cases, they are not doing the harm that you were
reading into it.

DR. COHN: So, Paul, what are you recommending?

DR. TANG: I’m sorry?

DR. COHN: — about what Paul’s recommending.

DR. TANG: Well, I’m saying that she — her concern is not — the way she’s
reading it, creates a concern for her that isn’t present, and, further, if you
delete the sentence that I proposed deleting, it would also remove her concern.

MR. REYNOLDS: Which one are we reading?

DR. TANG: 2.3.1.

MR. REYNOLDS: Thank you.

DR. COHN: The whole section or just the first sentence?

DR. TANG: It’s the whole section that her question’s about.

MR. REYNOLDS: All right. We got Steve. We got —

DR. WARREN: I want to rebut Paul.

MR. REYNOLDS: — John. We got Judy and we got Justine.

PARTICIPANT: Point of fact. What sentence does he want to delete?

DR. COHN: Yes. Was it the whole thing or —

(Several participants at once).

MR. REYNOLDS: One conversation.


DR. TANG: I was hoping to delete the following words —

MR. REYNOLDS: On what? 2.3.1?

DR. TANG: 2.3.1.

MR. REYNOLDS: What line? What line?

DR. TANG: 903.

MR. REYNOLDS: Thank you.

DR. TANG: The sentence, “be required to statistically determine the
ability to re-identify individuals in the data set, based on whatever method is
used to obscure identity and publish that information as part of its collection

PARTICIPANT: You’re going to delete that line.

DR. TANG: Yes.

PARTICIPANT: Then there’s no recommendation.

PARTICIPANT: There’s no recommendation.

PARTICIPANT: There’s no recommendation.

DR. TANG: I would take it out.

DR. COHN: That was what I was trying to get to. So —

DR. STEINDEL: Yes, and I’m opposed to deleting that sentence, and I also —
I feel that it also does not add really that large a burden over what — Yes.
I’m serious on that, Larry.

MR. REYNOLDS: Keep going. No, just — Steve, state your case. Keep going.

DR. STEINDEL: Yes, and this is because it just says, “be required to
statistically determine the ability to re-identify individuals in the data set
based on whatever method is used to obscure identity and publish that
information as part of its collection process.”

Now, if you de-identified your data set using the HIPAA requirements, that
level is 0.4 percent. You don’t have to determine anything.

DR. WARREN: Yes, you do, according to that statement.

DR. STEINDEL: No. It says, “be required to statistically
determine.” I determined it using the HIPAA de-identification method. That
has been published as 0.4 percent, and it’s against the voters’ list, Gene.

So you are totally correct. If you go to multiple linking, but that’s part
of what this says is use whatever method is used to obscure it.

So if you’re saying that this is de-identified, it’s pseudo-anonymized
data. It contains birth dates, birth date and sex of the people in — of the
pseudo-anonymized group, and you are running it against the population of the
State of Mississippi.

Demographers can tell you, just based on what that piece of information is,
what’s your chance of re-identifying a person.

So it’s not really statistically burdensome, because you are saying exactly
what you are basing that statistic on.

Now, other people who look at that — and that’s the whole purpose of this.
Other people who look at that may say, “But you’ve included the date of
treatment and the credit-card charge for that treatment, and if I link it
against the Visa database that has that charge, I can find the person.”

That’s totally correct, but, now, they have some understanding of the level
of de-identification that exists in that data set.

MR. REYNOLDS: Okay. We have Mark and Simon. Mark and Simon.



MR. ROTHSTEIN: OK. Thank you.

MR. REYNOLDS: I don’t see another Mark.

MR. ROTHSTEIN: I understand. I was just looking around.

MR. REYNOLDS: I got the wrong numbers on the slide, but I got one Mark.

MR. ROTHSTEIN: OK. In 2.3, the word, “entity,” is that intended
to mean a HIPAA-covered entity or any user of information? I’m in line 900.

MR. REYNOLDS: My understanding is it’s any.

MR. ROTHSTEIN: Well, that’s what I would think, because, based on my — the
answer to my earlier question.

So maybe we need to, instead of the word, “entity,” any user of
information or something like that.

And the other question I had was in 2.3.1, Steve, would it satisfy your
concern if a new sentence were inserted in line 905, before the word,
“it,” that basically says what you said?

In other words, compliance with HIPAA — and we can put in the section
number with the 18 elements — will satisfy this requirement, and, under those
circumstances, we would not have to do any additional work.

DR. STEINDEL: I have no objection to a clarification like that.

DR. COHN: I’m just — this moment of grace and delight that we actually
were able to come to a solution on that one.

MR. REYNOLDS: We need to keep going —

DR. COHN: Well, I actually just had a quick question about on line 900
whether the word, “de-identifying data” — I guess I’m getting a
little confused about all the terms we’re using in the sense of
de-identification I thought had a particular meaning that we were using under
HIPAA, and I don’t know whether we’re throwing in de-identification,
pseudo-anonymization, anonymization, Jeff’s way when he does something and all
of that stuff or are we just talking about HIPAA de-identification? I guess
that was just a question.

MR. REYNOLDS: Yes, I think — yes, I think it’s a good point. I think —
and that’s why I said earlier, we have to be very —

DR. COHN: Careful with our words.

MR. REYNOLDS: — pragmatic that when we say de-identified it means the
HIPAA de-identified, and if we are talking about any of these other numerous
definitions —

For example, we actually heard testimony on scrubbed de-identified, which
has to be an empty data set. I’m not sure how else you would determine it, but

So the other thing I ask the group to do — we, in this room are fairly
knowledgeable and can come to a discussion on de-identify, but if you heard the
testimony we heard and the significant numbers of definitions, so that the
envelope could be pushed, and the envelope was being pushed further and further
and further out as we heard it, that’s the other thing to keep in mind.

So we kind of get ourselves into a little going back and forth on
de-identified, but there’s a world out there that if you had sat and heard all
the testimony and heard the definitions so that somebody could use it, but
still say, “But I’m really — I really care about the person,” or,
“I really care about this,” or, “I really care about that,”
that’s why a lot of this has to be — we have to be very pragmatic exactly what
word we use.

MS. MC CALL: Is that worthy of an appendix —

MR. REYNOLDS: We talk about definitions a little later, but I’m saying, you
know, we’ve got a lot of this in here. It’s just as we go through them one at a
time, you feel like you gotta sweep all these other things up to bring them up.

But the definitions is a major theme that we saw that there is no — Other
than de-identified by HIPAA, there is no other definition out there that is a
term of art that is used by anybody, except whatever their intended use.

And back to our chart that we have for you, remember the intended use has a
lot to do with, “OK. So what are you intending to use it for? And, now,
you’re saying it’s pseudo-anonymized or something else. Well, does that fit —

So that’s why this whole practicality of where this stuff plays is really
the hardest thing that we’re all trying to put together, because we only have
one definition, but we got an industry that’s using 12 or 13 of them.

MR. LAND: I just noticed that in this 2.3, it says — that it’s qualified
for the purpose of longitudinal data aggregation. So it’s a very specific,
limited reference that relate to these two recommendations, and I’m not sure I
know what longitudinal data aggregation really means — use the word “data
aggregate” — “to data aggregate” means that there is no de- —
I mean, you’re talking about statistical data.

Where this — it implies that it’s aggregating personal information into a
longitudinal history of a person.

So I’m not sure what that phrase means, and if you really want to have it
as a limiting factor.

MR. REYNOLDS: And what line are you on? I’m sorry.

MR. LAND: It’s line 901.

MR. REYNOLDS: Any comments by the subcommittee?


DR. CARR: I think you raise a good point.

I don’t think that belongs there. I think that there is a — one of the
interests of the AHIC Quality Workgroup is to be able to link data about a
patient longitudinally to understand their care over time, and there was
discussion about that, but I don’t recall that it was the intent that that
would be a modifier of that recommendation.

So we’re saying HHS stewardship guidance should include that the entity
de-identified data, and then it says, “for the purpose of longitudinal
data aggregation.”

So longitudinal comes out, but, I mean, you don’t need to de-identify data
to aggregate it, because, otherwise —

MR. REYNOLDS: I think we need — Thank you. We have that as a note.

DR. WARREN: I have two points. One is just a quick one about the
longitudinal, I would leave that in there, because I think we are looking at
the data to understand what happens to people over time, and it’s the over time
that’s critical, which is the longitudinal.

But the main thing I wanted to come back to is when you take a look at who
reads our reports and the recommendations, the whole issue that I brought up,
one of the reasons I’m bringing it up is I’m involved in, right now, working on
some grant writing, where some hospitals and researchers and things are going
to start collaborating, and I can just see that if the hospitals are required
to statistically determine the ability to re-identify individuals from the data
sets that they provide, that’s going to be a huge requirement in that.

Now, if it’s been modified the way that we just said, that the
de-identification is done the way HIPAA is, then the next thing I can imagine
going on in these dialogues is, “So what is the official process for
de-identifying data? Is there an official one?” or, “Can you use any
process as long as it accounts for the 18 variables or whatever it is that’s in

And so I think we get into a huge area of understanding what the words

MR. REYNOLDS: I agree.

DR. WARREN: In this particular area, almost every word, as you put it
together, is just loaded. So I really think we need to work at this.

And, again, I apologize for not thinking about this earlier when I read it
and reviewed it.

MR. REYNOLDS: No, that’s why we’re —

DR. WARREN: I wasn’t thinking —

MR. REYNOLDS: All right. We’ve got Steve. Larry, did you still have a


MR. REYNOLDS: OK. We got Steve and then Leslie and I want to move on to the
next recommendation —

DR. STEINDEL: In the comment, based on what Judy’s just said, you know, for
instance, if you undertake a research study, and a multiple-institution
research study, and it’s covered under an IRB and has approval — it’s under
the common rule, et cetera, you know, all those good words — and you have
totally identified data, then, you’re required to statistically — the ability
to re-identify the individuals. The answer to that question is 100 percent. I
can re-identify every one of the individuals.

But it’s okay, because it’s covered under all sorts of other provisos, and
when we go through what we’re talking about data stewardship and —


DR. STEINDEL: We do later on.

That we talk about the risk benefit of the re-identification, and, in this
particular instance, while the risk of re-identification is extremely high,
well, that’s the way we set up the study, because it was approved by the IRB,
we justified the reasons for the study, the benefits are considered acceptable
for that level of risk.

MR. REYNOLDS: Okay. Leslie, did you have a comment that would move — I
want to go on to number 3 then.

DR. FRANCIS: I just wanted to ask about 2.5, because it wasn’t clear to me
what exactly you’re talking about there about forms of consent management, and
it seems to me some illustrations would be helpful.

MR. REYNOLDS: Those would have to do about individuals, what are the type
— Justine —

DR. FRANCIS: Well, what I was interested in was whether, by consent
management, you meant substantive standards for consent or whether you meant
things like when you use the phrase, “management,” it sounds to me
like what you mean is documentation, and I wanted to be sure it was the —

MR. REYNOLDS: Justine, did you want to comment on that?

DR. CARR: I believe that was — that represents the discussion about there
are models right now about opt-in, opt-out, how many people use it and how
often, and we heard testimony at least on a couple.

So the idea was, as Kelly had raised, take existing models and learn what
you can from these funded models.

MR. REYNOLDS: And that was mentioned in Justine’s slide this morning.

DR. FRANCIS: Yes. No, I think that should be specified here.

MR. REYNOLDS: Okay. Margaret.

MS. AMATAYAKUL: I would just add to that that there were also different
technologies that we heard about for consent management. So I’ll add both.

MR. REYNOLDS: OK. I’ve only got 45 minutes. We’re going to move on to
number 3, so that we can, again —

Again, a key thing is we’re together for X amount of time. We want to make
sure — we’ve had good discussion on these. We want to make sure that we at
least get some discussion on each one of them, because, then, when the
subcommittee picks this back up again, we’ve at least heard some of the will of
the full committee.

So let’s go to number 3.

DR. COHN: Well, Harry, just to clarify, not to rush anybody — Seriously.
We obviously need to make sure we have full discussion about these, but we also
have time tomorrow, and so, you know, we don’t have to do everything that’s
wild, but we do want to have — I mean, I think 3, it’s critical that we
discuss this and get people’s perspective, and, then, probably from there, you
can review the other recommendations with everybody with the idea that we’ll
take that on in depth tomorrow, if that’s —

MR. REYNOLDS: Yes, I think if there’s any way we can get through 3 and 4, I
think that will be very, very helpful, very helpful, because that’s — it’s all
this same thing on stewardship and covered entities and business associates,
and I think if we can kind of get through part of that, that would be good.

So let’s go to number 3. And our slides are actually in line with what
we’re going to talk about.

So problems. There’s an increasing erosion of trust as more uses of health
data are made further from the nexus of care. That’s why we were talking using
secondary uses over — a while earlier.

Second is confusion and lack of clarity surrounding HIPAA. Adherence to the
letter of the law does not mean trust is assured.

We also heard discussions about what level the current privacy notices are
written at, which is right around the twelfth-grade level, in most cases.

Covered entities have only a weak relationship with business associates
and their agents. We heard testimony that many of them are contracts rather
than relationships.

Oh, under recommendation, 3.1, business associate contract enhancements,
and you can see the details for those in the letter.

3.2, require agents to have business-associate contracts with business
associates. So this is really a chain of trust. You know, if you just look at
it as it kind of sits, it says you got a covered entity and they only got one
layer deep of business associates.

On the other hand, it can go ad infinitum for lots of reasons, and it gets
further away from the covered entity, and it gets further away from the actual
person whose data is involved.

3.3, explicit requirements for when and how identity protection is

3.4, attestation of business-associate contract compliance. The idea that
once a year or once periodically, rather than just signing a contract and then
for three — not doing anything for three years, that the covered entity does
some kind of an attestation. A little bit like CMS does right now for most
people that are Medicare contractors. They send out an attestation each year
saying, “Are you still doing business? Are you still following the same
things?” And here’s — what we do.

3.5, de-identified data use by business associate or agent, only if
identified in a business-associate agreement. In other words, not necessarily
letting them take that data and then start using it in whatever way they would
choose to. That’s what it’s —

3.6 is enforce FTC requirements for privacy policy statements.

Those are the ones that we have there.

DR. TANG: I think we’ve talked about it in the past in this forum that the
business-associate agreements are completely ineffective, I think in principle
and in practice, and so hinging any of these recommendations on that, I think,
is also likely ineffective.

The strongest recommendation up there is the one to try to use the FTC
requirements and its ability to enforce its regulations by if an organization
publishes their privacy policy, then they are obligated to follow it and FTC
can pursue that.

Your mention of the CMS attestation has an enforcement, an accountability
backup that Attestation 3.4 does not have, and that’s why I think it would be

But if we could construct an attestation of accountability, sort of like
the Sarbanes-Oxley, where you did have culpability and accountability, that
would be powerful, but we almost need that or the FTC, things that can use
existing legal mechanisms, and I almost think it’s not worth doing anything
about business-associate agreements, because —

MR. REYNOLDS: Just a quick clarification, though, most of the
business-associate agreements are contracts.

DR. WARREN: Yes, you don’t believe in contract law.



DR. TANG: Well, as Harry pointed out, it quickly — I mean, then you have
subcontracts — I guess it’s subcontracts with all their associates, but the
requirements are probably infeasible to accomplish and unenforceable.

So the requirements are that somehow the covered entity has an ability to
follow all the things that the business associate is doing, even have
awareness, let alone —

MS. MC CALL: We actually talked a little bit about this on one of the phone
calls I was able to join, and my understanding was this, that what we wanted to
do for a person was actually have a single accountable party, that being the
covered entity.

However, when I look at what’s up here, I actually see that as increasing
my covered-entity responsibilities and how I manage every single
business-associate agreement, whether it is one degree of separation or n
degrees of separation, but that it’s being explicit about what the expectations
are on me as a CE in how I do that.

And because of that, I think that they do have power, because I think
they’re explicit.

DR. TANG: Well, the contract law, you’re saying, there is no — there is
not a contract between the party about whose information we’re — the party
whose information is being discussed does not have a contract with that who can
violate my privacy.

MR. HOUSTON: This might take a little while to completely describe, but —
and I think the business-associate concept, I think, is very difficult to

I think that covered entities were all supposed to have separate
business-associate agreements in place with each one of these organizations
that’s doing something on our behalf.

Yet, you know, each business associate, I suspect, has many covered-entity
relationships — you know, business-associate agreements in place with many
other covered entities.

And the thought that I’m going to have specific terms that I want that
business associate to agree to, and then another covered entity has their set
of terms that they want them to agree to, and the thought that anybody’s
really, in earnest, able to comply, I think, is probably naive, especially when
you’re talking about business associates are doing high transaction — or
transaction volume type of services, such as billing services and the like.

And the reason why I bring all of this up is that I’m almost of the opinion
— and it dovetails into some of the other conversations that, really, what we
almost need to have is some type of statutory business-associate agreement or
status and that — like there’s a covered-entity status, and that it wouldn’t
— you know, even though there had been a recommendation about trying to expand
who’s a covered entity, I wouldn’t want to give organizations that are business
associates today covered-entity status, because that gives them a lot of rights
to do things that they don’t necessarily have today.

But what I think would be much more feasible and supportable and
enforceable would be if you said, “There’s a set of business-associate
requirements that fall under HIPAA — or, you know, HIPAA 2 or whatever — that
all business associates must comply with, that there are certain
statutory-enforcement principles that would allow not just covered entities,
but the government to be able to ensure that they’re doing appropriate things,
and that there’s some teeth to it.

It would also make it consistent, so that it wouldn’t be that I, as a
covered entity, have a set of terms I’m going to impose upon you and another
covered entity has a set of terms, and, again, almost to the point where
they’re not enforceable, because there’s so many different varying terms that
how does a business associate even know what their obligations are in total
with respect to all of their covered-entity relationships?

So, again, I think you can streamline it, simplify it, but, I think, also
make it much more supportable by doing something like that.

MR. SCANLON: Sort of a model set of —

MR. HOUSTON: But we’ve tried — there was a model that came out when HIPAA
came out, and, unfortunately, every covered entity in the world went out and
changed it, and I think that became problematic.

MS. GREENBERG: That gives a lot of power.

MR. REYNOLDS: Yes, I’m a little — I’m troubled by not the discussion, but
if you look at how this is being administered — using those words — so
covered entities and others are throwing their hands up because the data is
going somewhere and they don’t know where it’s going and they don’t know what
it’s doing.

So if you’re looking at the eyes of it from an individual, wow. Business
has thrown its hand up and said, “Have a nice day. I don’t know what’s
going on with the data,” and I got a problem with that.

MR. SCANLON: There’s hundreds —

MR. REYNOLDS: No, but I mean, I’m using the premise — using the words in
the premise, it says it’s too complicated and nobody’s accountable, and I think
that’s the troublesome —

MR. SCANLON: So let’s regulate more. I don’t think that’s the answer
either. So create more —

MR. REYNOLDS: No, no. I know, but that’s — no, so that’s what I’m saying.
So I don’t think we can — I worry about taking that as a position for us,
because, then, we’re basically just kind of throwing the needs of the
individual or what their data kind of —

We got Gene — I got a whole list, but I know on this particular — is this
on this comment?

DR. STEUERLE: Yes, yes.


DR. STEUERLE: When I think of this issue in the context — and I’m not a
lawyer, so John and others, the lawyers can correct me, but it seems to me one
of the issues is ultimately if something goes wrong, who’s going to get sued
and for what, right?

And there is a tendency among lawyers, if something goes wrong, you sue
every point of the chain of the axis, especially if you’re the plaintiff

In certain tort law, you know, if they’ve got some expectation of getting
something from anybody, it’s worth doing.

And so then the thread is that all along the chain the people — say it’s a
hospital providing data for research to a university might decide, “You
know what, there’s no real gain for us outside of for the public good, and,
now, there’s an expected cost. Let’s just forget it,” even if the law sort
of mainly excuses them.

And what I see happening is going on with the business user and with
actually the earlier chain where we identified the users.

It seems to me the logic of a lot of our statements are is we’d like to put
a lot of the onus of responsibility — we know we can’t put it entirely, but —
comes through this document on the ultimate user that maybe it’s the business
user or maybe it’s the researcher where we really need to put on whatever are
the fairly strict requirements we want on the use of the data for the right

And then the question is is the way — can you back up the chain, so that
the entities further up the chain, the hospital that provides the data to the
consortium that provides the data to the university or the hospital that
provides the data to Visa, Master Card that provides the data to a group that
analyses maybe medical data across the board for purposes of saving money or
something, somehow or another you back up the chain, we’re not putting the
provider of the data in a situation they just can’t monitor, because they don’t
really know. They don’t have the ultimate protections over the people down the

It seems the logic of what John is saying and the logic of the earlier
diagram, which identified the user, even though all the later statements talked
about the provider, was trying to put as much — can’t put it all — but as
much of the onus, the fiduciary responsibility, the threat of the suit for
doing wrong on the ultimate user, and trying to be a little bit — to the
extent where you don’t think we can enforce further back up the chain, deciding
maybe the chain just has to make sure that that user has in place the proper
IRB techniques or proper things, so that when they send the money off to Visa
or they send the money or they send the data off to the university, they’ve
done their fiduciary responsibility by making sure that university has in place
— not they, the provider, has to examine research the university’s going to do
or whatever else —

MR. REYNOLDS: And that’s why, in privacy, we had talked about anybody that
touches it.

DR. STEUERLE: But I wonder if there might — ultimately — my ultimate
point is maybe the weight of the emphasis here needs to be more on the user,
whether it’s the business user or the researcher or whatever, in terms of these
requirements we think we need in place.

MR. REYNOLDS: Okay. We got — Simon, do you and — I saw you and Jim. Do
you have a comment on this piece?

DR. COHN: Yes.

MR. REYNOLDS: Okay. Then, good, and then I’ve got Mark, Mike and Leslie.

PARTICIPANT: My comment’s on this, too.

MR. REYNOLDS: OK. Go ahead, Simon, please.

DR. COHN: Oh, OK — And, actually, it’s really more a question for John
Paul, just for getting — trying to get some further clarification.

You know, the concept, and I think the important view here is chain of
trust. I mean, to my view — maybe it’s a little different than Gene’s — but
you don’t want to have just sort of things happen that no one knows about that
no one takes any responsibility for and just sort of happen, regardless of
whether you have civil rights a penalty or not.

I guess the question, John, I would be asking you is, you know, there are
many ways to construct a chain of trust.


DR. COHN: I think we have one right here.

You were proposing almost sort of another way of doing that.


DR. COHN: And, now, of course, I tend to think simply, not being a lawyer,
but I tend to think of things that require legislation as being — if it’s
legislation, we should put it in Section 1, and it not likely happening anytime

If it’s regulation, it goes 2 to 7, and we might have some chance, just
because it’s secretarial discretion and the NPRM process and all of that.

And then there’s the issue of guidance, which is, you know, ways or models
or —

MR. HOUSTON: Best practices.

DR. COHN: — the practices or whatever, things that may be a little softer,
but recognizing that the security guidance recently was not among the softer
things I’ve ever seen that happened.

But I’m not a lawyer, so I don’t know where what your proposal fits into
all of this. I mean, is it a better tool and —

MR. HOUSTON: I’m just thinking — I don’t know the answer. I understand
some of the dilemmas associated with having to use the different avenues to
address this issue, and mine’s probably — what I propose is probably the most
difficult, because it involves a legislative change.

DR. COHN: Oh, it is?

MR. HOUSTON: I would think so, I mean, because you’re really creating a new
class of entities under HIPAA that were previously called “business
associates.” Now, they’re called — I don’t know what you’d call them, but
they’re not really covered entities, but they’re something under HIPAA, and
there’s a statutory obligation, then, for them to do something, rather than
having a contract with a covered entity in order to obligate them to do
something. That’s the issue.

DR. COHN: Can I respond? Because, in that case, what you’re talking about,
I think that that actually is covered in 1 as our hope for the future, but not
one that, based on my observations of history of privacy legislation in the
U.S. recently, that I would necessarily bank on.

I guess the question is what can we do that is sort of real — what is it
called? — practically possible?

MR. HOUSTON: Yes, that’s —

PARTICIPANT: Actionable.

DR. COHN: Actionable. Practically possible, even if not perfect, and this
is one of those things where perfection gets in the way of good here.

So what can we do here?

MR. HOUSTON: But, see, the problem with what I think we’re talking about as
recommendations here is they all still come down to a private contract, a chain
of contracts that occurs, and they’re difficult to deal with today, at best.

And, as I said, whether we use model language or whatever, we’re still
dealing with a covered entity trying to manage a business associate who has an
agent, and that is — it’s difficult in the best of circumstances.

And it’s not a bunch of covered entities not willing to do the right thing.
It’s, you know, when you have literally hundreds, if not thousands, of those
relationships, try to ferret out the issues or when an issue comes to your
attention trying to deal with it, it is not something that I think is really
working well today.

And I think — again, I think that these business associates may take a
different view, different tack, if they recognize that they have a direct
statutory obligation and that somebody somewhere down the road might enforce
something against them. That’s my only reason for looking at a different model.

MR. SCANLON: Just a couple of observations, and, remember now, every time
you add or recommend another requirement, whether it’s legislation or
regulation, it’s the covered entity, whoever it is with this associate, you’re
adding regulation on them, and you’re probably lessening the availability of
secondary uses. So, again, you’ve got to balance this.

Secondly, though, even — rather than regulation or legislation, you know,
in regulatory policy, there are different ways to look at things, and sometimes
it’s best practices, which become a standard. Even if it’s not a requirement in
statute, it often becomes the standard by which courts and others would judge
the behavior of that entity.

And the concept of stewardship is actually very appealing because they
don’t have to be requirements necessarily. Could be best practices. They will
become standards. They’ll become standards. They’ll become the standard against
which behavior of organizations will be judged.

But, again, every — we just have to be careful here that we’re pulling
everything together in overall gestalt.

If we’re just adding requirements here, it’s becoming a house of cards,
and, as a practical implementation matter, you won’t have to worry about
secondary uses, because there’ll be so little of it, no one will ever want to
change it.

So just keep in mind the balance, and, clearly, we don’t want to suggest
that major structures within HIPAA are or are not working, unless we know that
they’re working — or not working.

And I wouldn’t dismiss the concept of business-associate agreements, unless
you have very strong overwhelming evidence that that’s the case.

Otherwise, it just creates — well, I think it just creates credibility
problems and seriousness problems.

MR. ROTHSTEIN: On that last point, Jim, I think we did hear ample testimony
from a variety of witnesses that the business-associate agreement is really a
problem, and I don’t recall hearing testimony from anyone who said that
business-associate agreements are working well now.

I’m not sure we could make a quantifiable statement, but we did hear this.

I would like to — and based on my view that business-associate agreements
are not working well, I would propose that we make Section 3 a requirement for
covered entities, instead of providing guidance. I think we should write HHS
should require covered entities to blah, blah, blah, blah, blah.

Now, let me explain why I say this. First of all, if you look at the
requirements, I don’t think there’s anything in there that is really onerous.
They’re already executing business-associate agreements anyhow.

Now, what this would say is in those agreements you need to have certain
information in there, perhaps directing that your business associates follow
the data stewardship guidelines that already have been set forth in this

The covered entity, statutorily, is the only hook that we have to, at the
moment — it may not be the best, but it’s the only hook that we have to
enforce these requirements, and I think an annual attestation, a requirement
that there be something in the contract — I would go further and, in fact,
require that covered entities post on their website a list of their business
associates that handle protected health information, perhaps annually or
something like that, and I don’t think it would be burdensome.

And as to Gene’s point, regarding liability, I think what this would do
would be to set out the standard of care that’s required, and, as a practical
matter, covered entities would require — and perhaps some already do in their
contracts — hold-harmless clauses which basically would say that in the event
that the business associate violates the terms of this and releases
information, and the covered entity is sued, that the business associate is
going to have to reimburse the covered entity for any litigation costs or
expenses or whatever that are paid out as a result of the business-associate’s

And the result of that is that covered entities will not do business with
fly-by-night operations who don’t have the wherewithal to reimburse them in the
event of a breach.

So I think, overall, it would not be onerous to make what I think are very
good recommendations of requirements, and I would suggest that we think about

DR. FITZMAURICE: I agree fully with what Mark just said.

What I see is that business-associate requirements are spelled out in the
HIPAA privacy rule. The business associate cannot do anything with the data
that the covered entity cannot do by law, by the contract. You have to have a

So the business-associate contract can lead to a chain of subcontracts that
get further and further away from the covered entity, and it’s said, “Gee,
they’re difficult to manage.” So if they’re poorly managed, it causes a
burden on the covered entity to manage them.

Well, what the covered entity has to do, under HIPAA, is we find something
out, you tell them to stop that practice. If they don’t, then you’re supposed
to terminate the contract. If you can’t do that because it would threaten your
viability — your accountant has all this data and if he goes bankrupt or he
stops doing it, he walks away with your data.

So, then, what you have to do is tell the Secretary, and then your
liability is ended, and leave it to the Secretary to find out how to get the
problem solved.

If sued, you want to have, in your business-associate contract, a
hold-harmless clause that the business associate agrees to hold you harmless if
you are sued. The only hook is the covered entity being sued.

So where should the burden fall, if not on the covered entity who is
entrusted with a patient’s data to get care? It properly should fall on the
covered entity. At least the framers of the privacy rule felt that way.

So what’s needed? If there are egregious examples of agents and
subcontractors doing things that the provider or the covered entity couldn’t do
— I have not seen an awful lot of that, but if there are, they should be taken
to court.

You could argue, then, there ought to be better enforcement by HHS on the
covered entity to monitor that, but it’s not a requirement that it be
monitored. It’s a requirement in HIPAA you do something if something is brought
to your attention.

So are you saying that HHS is not doing its job, that covered entities are
not doing their job? Because the job seems to be fairly clear to me.

DR. FRANCIS: I want to add my voice to the suggestion that there should be,
at a minimum, certain standards that have to be built into contracts, because
contract law is about private enforcement, and if you say a contract has to
meet certain standards, then you’ve got a regulatory hook.

So I think we should push that, but I also think we shouldn’t forget that
minimum standards are a separate question from chain-of-trust questions. So, I
mean, I would urge proceeding on both fronts.

MS. MC CALL: Yes, I like what I’m hearing. I’m not going to take a lot of
time, but I would agree with what I’ve heard Jim say and Mark say, and, I
think, now, Leslie say, which is I think that covered entities should be able
to demonstrate that every single agreement adhered to a set of guiding

And I also agree that that canon should become part of data stewardship.

And in that first box, transparency and education, but also best practice.

DR. TANG: Well, I like what Leslie proposed, because it creates an
obligation that really the covered entities didn’t have before, when you traded
in statute as amendment. So I really like that hook.

What I wanted to ask Jim for further clarification — you know, I respect
your counsel as far as we do not want to throw the regulatory book at this —
I’m trying to figure out actually — if that isn’t actually the good news.

OK. So —

PARTICIPANT: What’s the bad news?

DR. TANG: Well, okay, because you said, well, actually, so if we did that,
we wouldn’t have any secondary use anymore.

I think the modifier to that clause is of the kind that’s not already
protected by HIPAA. So if I think through HIPAA does protect taking care of
patients, paying for claims, doing research, doing quality, doing public

And if I’ve prevented all the other stuff or made it really hard on
regulatory constraints, why wouldn’t that be a good thing?

So that’s an open question. I didn’t — I’m not trying —

MR. SCANLON: Can I just say quickly, we, in HHS — and you probably do, too
— we hear every day from providers and plans and hospitals and researchers and
everyone else that this is a big regulation and it’s diverting resources away
from all the other things we should be doing, but everyone understands it’s an
important value to protect.

And we have heard from researchers who say, “We can’t — there are
institutions that won’t work with us anymore, particularly those inter-site
collaborative studies. It just becomes — when you add on all the regulation,
it just makes it complicated.”

Now, again, you hear this on both sides, but I think the idea of adding
regulations without some sort of a clear threat or risk-based approach — and
we do this in regulatory policy generally.

You don’t just say, “Well, let’s regulate this. Let’s stop people from
doing this,” unless there is some obvious threat, evidence-based threat,
and it’s proportional to what the risk is and it’s proportionate to what the
existing burden is and it’s proportionate to what the outcome expected is.

And so, again, every time you make a recommendation for a new requirement
or a new statute or something, you’re building on the regulatory burden already
on the health industry, and, again, you may reach the point where you just —
people just won’t do it anymore. It’s just more trouble to do it than not to do

DR. TANG: So just to follow up on what Mark said, in terms of the testimony
we heard, as one example, we heard about Mayo talk about their research and
what they do about protecting the data, and all was good in the sense of they
got to use the data, they protected it, and their patients also agreed with it.
That sounds like a good world.

And so if it’s true that all the — what we would think of are the
productive — you know, the health-productive uses are, one, being allowed to
happen, and, two, are being handled in a responsible way, and what we are
really trying to do — because we heard the opposite story about the ones that
are — quote — unexpected and face no legal or regulatory restrictions, that’s
actually what we’re trying to control. So, ironically, your statement might be
a good thing —

MR. SCANLON: Or is the cure worse than the disease? I mean, are you laying
on a level of regulation for everyone to get at the potential relatively
low-risk or maybe high-risk bad actors?

DR. FRANCIS: If you clarify what’s in the contract, what needs to be in the
contract, though, it might actually help.

MR. SCANLON: Oh, absolutely. I think the expectation —

DR. COHN: And, obviously, this is sort of in the interest of trying to move
us forward, I actually think that we’re — it feels like we’re getting pretty
close together here in terms of increased clarification of model laws. I mean,
model business-associate agreements —

PARTICIPANT: Not models. She said a statutory minimum —

DR. COHN: A statutory minimum. OK. Statutory minimum. Whatever.

You know, I guess I’m sort of thinking that this is something that we
should have Margaret work with both Leslie and Mark around trying to put
together, framing it the right way, and that that might get us to where we need
to be.

PARTICIPANT: And John Paul, maybe.

DR. COHN: Well, and John Paul. Are you willing to go along with this one?

MR. SCANLON: I was talking to Mark about —


DR. COHN: Yes, he is. OK.

MR. ROTHSTEIN: That’s what he’s telling me. He’d be happy to work with —

MR. SCANLON: Right. Absolutely.

MR. REYNOLDS: OK. We’re going to Steve and then Kevin, and, then, we’re
going — you think you got it — you think you’re feeling good, we’re going to
4. Going to number 4.

DR. COHN: And, then, we’re going to try to deal with the other letter and
then break up into subgroups.

DR. STEINDEL: I just have a very brief comment, really, and that’s
concerning Mark’s language on using “should require” instead of
“should provide guidance.”

And I think the only reason in crafting this we said “should provide
guidance,” instead of “require” — I think everybody is in
agreement that it should be “require,” but we used the language
“provide guidance” in hopes of giving HHS maybe a means to do this
and a suggestion to look at doing it without regulation, to do it through

MR. ROTHSTEIN: But that’s not mandatory.

DR. STEINDEL: That’s — you know, but when you say, “require,”
then, there’s a very strong sense that we wanted them to go through the
regulatory process, and there was also a strong sense, from the crafters of
this letter, that we would like it done in this millennium.

MR. ROTHSTEIN: No — I’m not sure that’s right, and I would defer to Jim on

There already is a provision, of course, in the privacy rule that spells
out the requirements for business associates, et cetera, et cetera, et cetera.

So what I am suggesting could be done without amending that, but providing
an interpretation or a guidance of the existing rule of what that requires in a
contract, and, then, that would be enforceable against —

DR. STEINDEL: And I was just explaining why we used “provide
guidance,” and if Jim is in agreement that the stronger word,
“required,” actually fits into what you’re talking about, I think
that’s perfectly acceptable.

What we’re just trying to do there is we wanted to avoid regs.

MR. REYNOLDS: We’re almost expanding current requirement.

OK. Now, Kevin, and, then, we’re moving to 4.

DR. VIGILANTE: (Off mike).

MR. REYNOLDS: Kevin — we wore Kevin out. We keep them long enough on the
list — .

Let’s go to number 4. Margaret, if you’ll put it up there, please.

And this follows along that same line, and it might be interesting to look
at this from a standpoint as to whether or not — just how different 3 and 4
really are, and whether or not we — they may not end up together, just looking
at them quickly.

So the problem, potential for personal and group-based harms. Enhance the
ability to achieve benefits of HIT and HIE.

And, again, back to some of the earlier comments, our goal is to really
enable some of these things by putting some things in place, not to shut them
down, as some of the other discussion was on research — We got these new
things that we really want to continue to grow.

And then misinformation from poorly-aggregated health data. And if we added
poor quality and poorly-aggregated, we’d get to what Carol had kind of
mentioned earlier.

So recommendations for the guidance for enhanced privacy and security

Strong sanction policies and heightened self-policy — policing. I’m sorry.

Aggressive enforcement of HIPAA by HHS.

Multi-faceted national education initiative.

Transparency, especially clarifying notice of privacy practices and
including availability of additional information on business-associate
agreements and public-health reporting.

And, then, state law guidance for harmonization and mapping variations.

So this is kind of where this fits. So I’ll be happy to open it for

DR. TANG: Since God made us with only 10 fingers, I would like to take this
opportunity to propose perhaps that this is encompassed in set 3
recommendations, and since all these things were — provide guidance on this
and that, that it might — we could just strike these.

MR. REYNOLDS: So is that a second of my earlier idea?

DR. TANG: Yes.

MR. REYNOLDS: OK. No, it’s a thought. I think one of the things we can do
is make sure that — well, let me ask first, rather than just wiping it out —

PARTICIPANT: (Off mike).

MR. REYNOLDS: Well, I know, but what I’m saying is are there any up there
that people feel are significantly different than what we talked about already
and that would move us forward?

DR. COHN: Huh?

MR. REYNOLDS: No, what I’m saying is his recommendation is to get rid of
this whole thing.

I’m saying rather than just go there, we spent a lot of time on 3, and an
awful lot of these things just follow on to the covered entity. So it’s like we
had covered entity 1. Now, we’re doing covered entity 2.

And so the point is is there anything that really jumps out there that has
to be there or is it the will of everyone that that’s complete?

Larry, I saw your hand up.

DR. GREEN: Yes, it’s to ask for people who heard the testimony to interpret
and explain just a little bit further 4.2 and 4.3.

What are we talking about here about strong sanction policies and
aggressive enforcement? What’s the idea? What’s involved?

(Several off-mike participants at once).

MR. REYNOLDS: Anybody on the committee want to comment on 4.2?

And, again, I think part of what Paul said and part of what we did, these
are good words, but back to the earlier comment, does stating this, when, as we
all look at it now, again, stepping back from it, does it really add anything
to it?

So, Steve?

DR. GREEN: Could I just observe that, to my reading, 4.2 has two rather
remarkably divergent ideas in it.

MR. REYNOLDS: Right. OK. Steve and then Leslie.

DR. STEINDEL: Yes, I think both — first of all, I disagree with deleting
Section 4, but I think that’s —

MR. REYNOLDS: Give us some words on that.

DR. STEINDEL: — Larry’s point first.

MR. REYNOLDS: Because then I’ve got one vote for and one against.


MR. REYNOLDS: But give us some words.

DR. STEINDEL: And Larry’s point first, but I think both of those were
reactions to comments that we heard throughout the testimony that, right now,
the enforcement of HIPAA privacy — and this is one thing we’ve observed
constantly through privacy hearings, et cetera — right now, the enforcement of
the HIPAA privacy regs can be politely characterized as weak, and I think
there’s others in this room who would like to drop that level down even

And, you know, these are in reaction to that that we do have a regulation
on the books that actually can do a lot, and that what we would like to do —
and this addresses the point why I would like to keep it as well — that if we
start really enforcing the regulation, but we also teach people about the
regulation and what it means, and that we change the notification of privacy to
be something that’s actually useful, and that — what was the first one? Well,
whatever the first one was — that we would gain a lot of ease within the
current structure of HIPAA in making a lot of the changes that we want to make

We find that the present privacy reg, a lot of people were commenting, it’s
not understood. It’s not used. When you get a notification of privacy, you
don’t look at it. Everybody is blind to it, that it’s either over-enforced by
institutions or ignored, and so we’d like to institute some consistency in

DR. FRANCIS: It seems to me that, logically, where, at least the
recommendations for enforcement, education, transparency and the relation with
state law, they don’t belong in something that’s just about covered entities.

They belong, early on, maybe, in between where the first part of — You
know, the 1 series is about on beyond HIPAA.

Then, the next bit could be, “Well, let’s make the most of what we
have —”

MR. REYNOLDS: Which already had one piece, and this could be a second


MR. REYNOLDS: That’s what I think —

DR. FRANCIS: — which would be the next thing.

And, then, the third thing is all the 3s and 4s, which are about the gaps
— which is — Yes. So anyway.

MR. ROTHSTEIN: I’d just like to quote from our letter to the Secretary in
June of 2006, in which we specifically addressed this issue.

We said, “When the privacy rule was promulgated, HHS recognized the
business-associate relationship and imposed some limitations to protect the
privacy of financial transactions, but the current rule is inadequate to deal
with relationships in which personal health information is shared directly
between covered entities and their business associates.

“If the privacy rule is not amended, the new system of EHRs and the
NHIN would permit domestic and overseas business associates to be able to
attain much more personal health information without any more oversight.

“Indeed, in the case of” blah, blah, blah, blah, blah.

And our recommendation, R-23, specifically says, “NCVHS endorses
strong enforcement of the HIPAA privacy rule with regard to business
associates, and, if necessary, HHS should amend the rule to increase the
responsibility of covered entities to control the privacy, confidentiality and
security practices of business associates.”

So I think we all already are on record, and, therefore, 4.3, I think is an
important part of this document, but it’s not anything that’s different from
what we said before.

MR. REYNOLDS: Nothing new. Which, again, may be a reason to — necessarily
have to say it again.

MR. HOUSTON: It’s good that Mark actually read that to us.

I guess my reaction — and maybe I’m getting a little teeny bit personal —
is that, you know, me being one of the people in the room that actually does
very directly deal with the privacy rule — and I’m a privacy officer and deal
with it at an extremely large organization — I guess that when I look at
things like enforcement of HIPAA by HHS and strong sanction policies and things
like that, I hate to say it, but I believe that the enforcement program that’s
in place actually works, and that some people may say there are problems with
it, but, yes, I deal with OCR periodically, and we deal with privacy complaints
on a weekly basis and more often than that, and I’m very much involved in those
things, and, frankly, the process that is in place, I think, though it involves
typically OCR working with you and asking what you’re going to do about it,
often it’s — we’ve already investigated the issue before they even contact us.

But my point is is that it gets us — we take these things very seriously.
I think most covered entities take these types of things very seriously,
whether they get a complaint from a patient or a call or a letter from OCR.

People — I think covered entities, in a large measure, really do
understand their obligations and really do take those things seriously.

So when I see things like enforcement of HIPAA by HHS, I really think their
enforcement strategy actually does work, and it does cause us to improve our
privacy and look at processes that have failed. We do it all the time.

MS. MC CALL: Yes, I want to go back to your original question, which was
kind of a Sesame Street one if one of these things is not like the other,
right? And there are a few things that are different.

The things I think that are unique here, and worthy of saving out, are
education and transparency, and the states, working with state guidance.

And when I look at those, my eye is then drawn back to the data-stewardship
framework, and what I realize is that we’ve made explicit families of
recommendations around everything that’s in the middle, but not enough,
perhaps, around the very first one, around transparency and education, and the
last one, around consumer empowerment.

And then what I then further realized is that the title of this is not
about enhanced protection. It’s about data stewardship. It’s more than just

If we do everything to protect, but don’t educate and make it transparent
— You know, where’s the J.D. Powers award for how well I do? Where are the
irreverent and delightful commercials on TV?

To borrow a line that we heard in our quality Workgroup testimony, you
drive a safer car, because Consumer Reports exists, whether you read it or not.
And so where are the things that must exist that know that I drive a safer,
personal-health-information car? And so I think that can get drawn in.

MR. REYNOLDS: And to concur with that, I like those three also, and I
really like if you listen — you heard the testimony that we heard on 4.5,
where it talks about the transparency and the level.

I would agree with John that when somebody is challenged on their privacy,
they care, but, for those of us that have read an awful lot of privacy notices
for an awful lot of different reasons, I’m not sure that they help in the up
front as much as we take them seriously if we have somebody say something about

So I think that alone, and the testimony we saw, and the actual writing of
some of those that we saw when the people came in to testify to us is a very
important point.

MR. BLAIR: I’m kind of resonating to Carol’s comments, and, before that, to
John Paul’s comments.

And my thinking is that, in terms of this framework, which I really like,
if we emphasize the transparency, we almost could do away with other
specificities, because if transparency is there — and I’m getting to Paul’s
comments from before lunch, where Paul said the key issue is the trust of the

So rather than all of the details about what somebody can and can’t do, in
terms of using the data, it just seems to me transparency gives us an
opportunity to dramatically simplify the framework.

DR. SCANLON: I was just going to say that, I mean, I think, John, you’re
sitting in an institution with a good conscience, and having seen sort of the
difficulties of enforcing regulations, sort of another context that I think we
have — we have to worry about sort of the enforcement side, because, even
though the vast majority of covered entities may be sort of good actors and
take this seriously, it doesn’t take a very large fraction before you’re
talking about a lot of entities that are misbehaving.

I mean, probably, on the provider side, we’ve got maybe 800,000 sort of
providers, sort of — that are involved here, and so 10 percent is 80,000 that
are — you know — saying, “Oh, yeah, you caught me. I’m going to correct
it,” and, then, tomorrow, it’s another story.

So I think we have to be focused on this and not rely sort of on the good
character of the majority, but, still, that there’s a minority to worry about.

MR. HOUSTON: Back to the issue of transparency in the notice, a little bit.

You know, having drafted the notice for my organization, too, I — you
know, it’s — in a complex healthcare environment, it’s difficult to make
something as clear and precise as possible that can be read by a certain
majority of your patients and contain everything you want to tell them, you
know, it becomes pages upon pages upon pages, and we’re talking about adding
more pages to this.

That concerns me because I don’t know how you do this. I don’t know how we
do this. How we make it more transparent.

If somebody wants to really understand what our obligations are and what
our commitments are, it takes some reading, and people say, “I don’t want
to read this thing.” They throw it in the garbage can. Yet, we want to try
to — you know, we’re saying here we want to try to tell people what the rights
and obligations are. That’s a problem.

And I think that — you know, in addition to that, we get questions every
— It’s funny, last week, I got a question from the Pennsylvania Department of
Health about why didn’t we have something in our notice of privacy practices on
a very, very — to me, it was — I won’t say a nit, but I was surprised they
asked us. “Well, we think you should have this in your notice of privacy

And so, literally, the reason why I bring that up is that people question
every day, “We should add this.” “Should we add this?”
“Should we add this?”

We could go on forever adding things to these notices, and it becomes even
that much more difficult to get something that the patient population can go
through, can understand and people just simply don’t throw in the trash.

How do we do this? I don’t know. But when I read things like 4.5 and talk
about clarifying notices of privacy practices, I really get troubled, and I’m
maybe reacting a little bit, but, boy, I’ll tell you, you know, if somebody
could figure this one out, they could make a lot of money, because there’s a
lot of people who’ve tried to make these things very clean and very concise and
very legible, and when they do that, they drop off content like the Department
of Health wanted us to include.

But when you put the content in, people complain it’s so darn long, they
can’t read the thing. “It’s in 2-point font, and I can’t read it,”
and, you know, they get mad. Where’s the balance?

And you almost want to say, geez, there should be a national standard, and,
then, if there’s any deviation above it, maybe that’s what you should put in
your notice. I don’t even know if that would work — do it because what we’ve
got today, I’m not sure that 800,000 covered entities — and I don’t’ think
anybody’s figured it out any better than I think what we’ve done —

MR. REYNOLDS: But we had testimony showing how it could occur.

MR. HOUSTON: I’d love to hear it.

MR. REYNOLDS: Well, fine.

Again, our responsibility is to also hear the testifiers and make sure that
we take into consideration what they have to say.

DR. DEERING: I think you actually — I initially was going to respond to
Jeff and then make a comment, and, now, if I might, I would respond to Jeff and
John Paul and then make my comment.

And in responding to Jeff’s point about transparency being sufficient, I’m
going to channel Mark Rothstein, because I think we’ve been through this before
— yes, but you can be transparent about bad policies, and, if, in fact, there’s
no recourse, then the fact that you’ve told consumers that you’re going to do
X, Y and Z, and, in fact, it’s unacceptable, then, you’ve been transparent, but
you haven’t necessarily rectified the underlying situation.

So I think I’m quoting Mark on that.

MR. ROTHSTEIN: If I didn’t say it, I endorse it.

DR. DEERING: From years past. And, actually, Harry, I think you did answer
John Paul, that, in fact, there are efforts underway to do this. There are
serious efforts underway. People are taking — it’s not easy, but, then,
writing privacy legislation isn’t easy either, and so, you know, it’s not a
reason not to try it, but whether to enforce the efforts underway.

I had a very specific comment, though, about Recommendations 4.4 and 4.5.1,
at least, which is to endorse what someone said — and I don’t know if it was
Leslie — but that that at least — and I think we raised this — or at least I
raised it — in an earlier meeting — that that does not belong under covered
entities and that it be brought forward almost on the same level as one of our
other cross-cutting, high-level recommendations, because we were even asked
specifically by ONC. Education was one of the very specific things that they
asked us to address. It wasn’t —

MR. REYNOLDS: You’re saying a common theme, rather than a —

DR. DEERING: Something higher, and certainly not buried under the section
where it is.

And I do see that 4.5.1 sort of goes with it. I’m not sure that 4.5.2 is
quite as clear a link, but, anyway, it could be, but I would be willing to work
with Margaret on 4.4 and 4.5 and anyone else who cares about it to see if
there’s an acceptable way to elevate it.

MR. REYNOLDS: OK. Mark and then Paul, and, then, we’re actually going to
have another part of the meeting, something else.

MR. ROTHSTEIN: Just two quick comments.

Number one, I think transparency is necessary, but not sufficient basis —

PARTICIPANT: I just said that to him.

MR. ROTHSTEIN: — for policy in this area.

PARTICIPANT: I violently agree.

MR. ROTHSTEIN: And, number — you could just agree.

And, number two, transparency should not necessarily be equated with a
notice of privacy practices. I mean, that’s only one way in which that can be
done, and there are all sorts of other methods for transparency, and even
though that’s in this recommendation, and I don’t propose to change it, I think
we’re going down the wrong path if we view the notice of privacy practices as
being the document that’s going to bear all this weight of disclosure.

And I think John is exactly right. People with a pain in their gut are not
going to read to page 16 before they get their hospital room.

MR. REYNOLDS: OK. Paul, you have the final comment, unless you stir
everybody up — rebut you.

PARTICIPANT: That’s a challenge.

MR. REYNOLDS: So please, be gentle.

DR. TANG: So to answer John’s questions, I have two statements we could
make an either/or.

So one statement would be to apply the filter we talked about earlier and
just plain don’t do bad things that would surprise your disappointed patients,
and if we had laws that would make us do that, that would suffice.

If that doesn’t happen, point two, which we’ve said we wanted, if we could
just write to the patients and say, “Everyone who has access to your data
has an authorized purpose, a responsibility and accountability prescribed by
law to protect it,” I think it would be easy to understand.

PARTICIPANT: The Golden Rules —

MR. REYNOLDS: With that, Simon, I’ll turn this back over —

DR. COHN: Well, thank you —

MR. REYNOLDS: We’ll be back tomorrow. By popular demand, we will see you

DR. COHN: Yes, and I am thankful in that last context that we do have
experts in education and educational theory, Paul, not to anyway disparage your

DR. COHN: Now, we have one thing that we want to do before we break into
subgroups — and I do realize we’re running just a couple of minutes late.
Actually, we’re about an hour late — but Justine already knew that I took some
of this time.

Well, there is an item for action at this meeting that we actually haven’t
had a chance to discuss yet, and it is a report coming forward from the Quality

I think you’ve all received this. Hopefully, you’ve had a chance to review

I do want Justine to review the recommendations, and I think then the
question is is this an action item for tomorrow, something you want to deal
with today? Exactly where are we on this? And I will take sort of all of your
perspectives and views.

DR. TANG: I could repeat something I said earlier, what Justine just said.

DR. COHN: Oh, but don’t.

DR. TANG: Put a period at the end of it and approve it.

DR. COHN: Justine, please.

Agenda Item: Quality Workgroup — Upcoming Report on
Quality Measurement, Action September 26

DR. CARR: Thank you, and I will be brief, because so many of you have
worked on this, it’s not a surprise.

But I just want to thank Carol and Larry, Don, Paul, Marjorie, Bill, Mike,
Mary Beth and Susan Canon all gave great — and Simon as well — gave great
input on this. So I feel like it’s been well vetted.

Just briefly, last January, we met with Carolyn Clancy and discussed what
role NCVHS Quality Workgroup could play to amplify activities ongoing and be

And we arrived at the idea of holding a hearing on current state of quality
reporting, running the gamut from administrative data to electronic data and
sort of the hybrid world in between.

And Mary Beth Farquar helped us tremendously in putting this together.

So we had a tremendous hearing, and there were four themes that came out of
it, and then we have a number of recommendations.

So my inclination would be to read the themes and then the recommendations.

I would add that this is not in the form of a letter, because Carolyn asked
that we combine — that, ultimately, these recommendations be combined with
recommendations about future states(ph) that are coming out of AHIC Quality
Workgroup, and that it be one letter to the Secretary. And so we are working —
pondering and working on the logistics of how this collaboration happens. So
today’s work is simply to approve the content.

And so there are four themes.

One was that an organization’s commitment to performance measurement and
public reporting is a major factor in improving quality of care, some of the
observations, but we really heard very powerful testimony about how
transformative public reporting was.

Second, quality measures must be reliable, accurate, valid and
comprehensive, and we heard from an array of models. We heard particularly
interesting and exciting testimony about the fact that many institutions are
relying and will rely for a long time on administrative data. We saw some very
elegant work by Anne Elixhauser and others on doing risk adjustment on
administrative data to at least be able to make comparisons more valid.

The third theme is quality measurement must not unduly burden
administrative infrastructure. We had heard a few years ago from AHIMA, heard
again that in the current hybrid state we still have a substantial
administrative burden related to data abstraction and that we want to alleviate
that as much as possible.

The fourth theme was quality measurement and data sources are continually
evolving, and we heard about two major themes.

One is our understanding of how to think about quality, what to measure,
what to look at.

And, secondly, the tools for measuring quality are becoming more

And so you can read the details on that, but I’d like to move to the

So with regard to public reporting, one recommendation, which is promote
public reporting of quality, in a standardized format to promote consumer
understanding and otherwise enhance comparability and learning.

PARTICIPANT: (Off mike).

DR. CARR: Yes, and I think the sense was the perfect should not be the
enemy of the good, that we have things today, we have evidence of how
transformative it can be.

All right. Under data quality, we have five recommendations. One is support
the standardization of specifications of quality measures and their widespread
acceptance by a consensus of users, and, parenthesis, as the National Quality
Forum has already begun.

Under data quality, I’m going to — it’s going to be called 3. It’s the
third recommendation of the report. Number 3, define a core set of data
elements for assessing quality.

Number 4, work with CCHIT and the National Quality Forum to ensure that
electronic health records certification criteria includes support for capturing
and reporting these core quality measures.

Five, accelerate U.S. adoption of ICD-10 CM and ICD-10 PCS by publishing
the required notice of proposed rule making.

Any objections?

Six, support research for improving measurement accuracy and validity,
including risk adjustment of administrative data by the addition of clinical

That’s on data quality. Kind of ties in with what we’ve been talking about

Moving on. Performance measurement reporting infrastructure. So this
becomes Recommendation number 7. Provide incentives to providers and health
plans for reporting quality measures that include additional clinical data of
proof and utility.

Number 8, support research for A) specifying, updating and maintaining core
measure sets, including prioritization of target areas and modification of
measures to align with evolving evidence, cost benefit of ongoing measurement
and criteria for retiring unproductive quality measures or reducing the rates
of collection and reporting.

B) of recommendation 9 is developing and testing tools that can be used to
search free text for easier abstraction of quality measurement data from the
medical record.

And, finally, the last theme, evolving landscape of performance measures
and electronic health records. Two recommendations, number 9, accelerate
adoption of electronic health records as an integral part of the quality
reporting and improvement functions of healthcare organizations.

And, 10, develop a roadmap for migrating from quality measures that rely on
administrative data to ones derived from clinical data in NEHR with provision
for research and development as well as pilot testing.


DR. WARREN: Eugene’s hogging the microphone.

Could you describe a little bit more on number 3 about how we would go
about identifying this core set of data elements and what kind of granularity
are you talking about for the data elements?

DR. CARR: Well, some of that work is already underway, under AQA.

To come up, for example, on the ambulatory side, there are, I think, 15
measures that are perceived to be evidence based, relevant, value added, and
standardizing those is part of it, that we ask for the information in the same
way that each requesting organization can ask for A1C in a different way, for

So I don’t know. Paul, would you want to say anything more about that, the
core data? In other words, Judy said, say more about define a core set of data
elements for assessing quality of care.

DR. WARREN: And I guess the question, too, would be would there be a core
set for each quality metric or would you standardize the elements among the

So like if one quality indicator has — I was looking at the same thing as
a data element, would it be standardized between the two?

DR. TANG: It’s more the latter. So there’s a set of data elements that go
into measures that clearly are higher quality, and quality of the data element
is defined as accurately obtained, accurately recorded, reliably there, et
cetera, all those kinds of things.

And if you had that high data quality data element in your measures, you’re
liable to have a more reproducible, comparable, et cetera, measure. And so
that’s a core data set that can feed multiple measures.

DR. WARREN: OK. So you’re not talking down to the level of a standardized
data dictionary for these.

DR. TANG: It could include that or it seems like it should include that.

PARTICIPANT: Ultimately, I think you want to get there.

DR. TANG: Yes. Yes.

DR. COHN: Yes.

DR. TANG: Yes. Why did you say you aren’t — why did you start out saying
you aren’t —

DR. WARREN: Well, like hemoglobin A1C, we know there’s multiple ways to
report that. Are we going to say there’s only one way to report it, and so
every EHR captures it the same way, so that it can then be — you know —
queried from the EHR and sent on?

DR. TANG: I think, on the one hand, it’s yes. If you’re saying that
everybody has to use the same analyzer, that answer is no, but, yes, everybody
should understand what a hemoglobin A1C percent is.

MR. REYNOLDS: Who does this go to?

DR. CARR: Ultimately, to the Secretary, but through a blend of a report
from AHIC.

DR. COHN: Yes, and let me clarify this — it’s less than clear how this is
all going to work out.

I would observe that this is formatted this way this moment, but also works
very well as a letter. So I think the conversation will be, which Jim will take
the lead on, as well as the Executive Subcommittee, is exactly how this finds
its way to the Secretary.

MR. REYNOLDS: Yes, because — OK. So — that’s good.

Now, second, in both the letter we were just discussing earlier and in the
standards letter, when we use words like, “provide incentives,” are
we asking HHS to pay for this —

DR. CARR: Good point.

MR. REYNOLDS: — or when we say, like on 8B, we say, “developing and
testing tools,” are we saying that we want HHS to develop and test tools?

In other words, the reason I’m asking who it goes to is — I totally agree
with the comments, but once you tell me who they’re going to, then, it becomes
a different vehicle asking different things, and so that’s what I — I’m not
quite clear of yet.

So I don’t disagree with any of it, and I think they’re all good, but soon
as we say who it’s going to and what we’re asking them to do —

DR. CARR: Right. No, very good point, and Paul might want to speak to this
as well, but I think the idea was, as part of the incentive to adopt an
electronic health record and clinical element reporting, and also the provision
of clinical elements, allows for risk adjustment of the administrative data

So — I mean, I don’t encourage provision of through or P for P or —

MR. SCANLON: But it’s not just HHS. I think it’s any — I think you’re
referring to the more general situation of payer, payers. It could include HHS,
but other payers —

DR. CARR: Yes, encourage payers to —

MR. SCANLON: Including HHS, I guess.

DR. CARR: To incentivize provision or — All right. We’ll work on it. Yes.

DR. SCANLON: I was just going to say — HHS responsible for about 600
billion in expenditures, and so —

DR. COHN: That’s right.

MR. REYNOLDS: No, no. I know — Yes.

DR. SCANLON: That’s a lot of carrots, potentially —

MR. SCANLON: And we’re already paying for reporting —

DR. STEUERLE: I’m reminded of a debate that also goes on all the time that
I’m involved in peripherally, but it’s on reporting of educational quality,
which is an ongoing debate, and, you know, and there are all sorts of issues.

So you finally do test and you measure the level of proficiency of certain
students, and you find out, well, that’s not really good, because you want
value added. Then you get into debates over how do you measure value.

I mean, basically, you know, there is no pure ultimate standard for
quality. Basically, we do so badly in measuring quality that we can quickly
identify things that should be standardized and compared across hospitals.

But even if we had them, we’d quickly think about 500 things we might
otherwise want and other things.

I’m wondering if some of the recommendations ought to be more along the
lines of funding groups, and I’m not quite sure what those groups are, but I’m
thinking whether they’re the consumer reports groups or the watchdog groups or
something that actually go out there and try to access reporting by hospitals
on quality, given that some of them might come up with a different standard or
a different way of reporting quality that might be better than others.

I just wonder whether that’s not one way to get at improved quality, as
opposed to trying to impose sort of a uniform system of quality reporting, even
though I recognize that’s needed, too, but I just wonder if that’s missing.

And I don’t know if I expect you to respond, now, but —

DR. CARR: Yes, I don’t think we heard testimony, but it’s an interesting

I will say that a milestone happened today. New England — this week — New
England Journal had an editorial called, “Eulogy of a Data-Measurement
Element,” and, apparently, beta blockers for myocardial infarction were
something that was about a 30 percent — the lowest — the tenth percentile had
only 30 percent compliance with that, and, as of this last year, the lowest
percentile — the lowest tenth percentile has 90 percent compliance.

And so, with that uniform compliance of that life-saving intervention
across the country, they’ve decided to retire that as a measure of quality,
because we have nationally achieved that level of quality.

More questions, sorry.

DR. COHN: Aaron, Leslie, Steve and Larry.

MS. GRANT: For those of you who don’t know me, I’m Aaron Grant with
Booz-Allen, and I sort of act as the liaison between the AHIC Quality Workgroup
and NCVHS.

And we may be beyond this point, but just to clarify something for Judy
with regards to the data elements, that recommendation was based off a
recommendation that the AHIC Quality Workgroup made to the Secretary in March
with regards to funding a panel to define the core data elements, and I think
Paul helps chair that panel that’s NQF. It’s an NQF panel, and once those core
data elements have been defined, they’re going to be turned over to HITSP to
define the standards.

So, in terms of your question about standards, they’re sort of trying to
close the loop there, and, then, once the standards have been defined, it then
goes to C-CHECK (ph), for certification.

DR. COHN: Aaron, thank you.


DR. FRANCIS: I just want to make sure that the header of this clarifies
that this is not about the issues about the use of data in quality. This is
about how to do quality or about the spillover QA research questions that are
— all the stuff that’s taken up in the secondary uses discussion.

And the only reason I say that is you don’t want this to look like —
because of what it writes about and what it doesn’t write about — that it’s by
a kind of negative implication suggesting that it’s not as worried about those

Just a line in the title that makes clear that this is not about the
problem about getting data or when quality becomes research.

DR. CARR: So this is within TPO.


DR. COHN: We’ll think about that one.

And I think, actually — let me maybe even more generalize that that — for
example, I noticed in Recommendation 5, we need to reference — assuming
there’s a letter that comes out tomorrow on 5010, we need to be referencing
that other HHS letter that relates to that.

Similarly, there needs to be — I think what you’re describing is something
that frames that this is one of a set of recommendations that relates to
quality, et cetera, et cetera. I mean, that’s what you’re saying, right?


DR. COHN: Okay. Good. Steve.

DR. STEINDEL: This is just dovetailing a little bit on what Aaron just

You make no mention of HITSP, and HITSP is developing an interoperability
specification that really is focusing mostly on 2, but somewhat on 3, as well,
and I think there should be a reference to HITSP —

DR. CARR: Okay. Will do.

DR. GREEN: I have a comment and a question.

The comment is I wish to applaud Justine Carr. She has given me an
operational living definition of patience and resilience as we rewrote this
thing. I was very impressed.

DR. CARR: I’d like to acknowledge my mentor, Harry Reynolds, who’s taken me

MR. HOUSTON: This evening, at dinner, we’re going to do a Justine Carr

DR. GREEN: My question rose from my satisfaction with this document. I have
no complaints about it. I’m quite happy with it.

And I know that we started off focusing on hospital data, and it’s titled,
“Hospital Data,” and our testimony was from hospitals and about that.

But now that it’s nearly a completed document, it strikes me as how it’s
really not about hospitals, and that it’s really about quality measurement in
public reporting in the current healthcare environment.

And we do have these threads that came through the testimony in our
hearing. Case in point, needing point-of-admission data, that half needs to
come from another source.

And this little document, seems to me, is delightfully positioned now
between all that care that happens before you get to the hospital and all that
care that comes after you leave the hospital and that this is sort of like our
entry point to the real agenda about quality.

And my question is is there a way to — as it’s clarified whether this
becomes a letter to the Secretary or a part of something else — is there a
prudent or useful way to position it as a good starting point in this
conversation in the continuum of care about public reporting?

DR. CARR: Trilogy.

I agree with your comment. I think you’re right. We can — although, our
testifiers were from the hospital environment, our report recommendations go
beyond that. So I agree. We should take that out of the title.

And I think we’ll speak tomorrow at the workgroup meeting about the — as
you suggested — other venues and other avenues.

DR. COHN: Yes, and, actually, one way to handle this one, given that you
actually only did hear testimony from the hospital environment, so be careful
about expanding your scope without having data to support it.

But, certainly, I think there’s framing language that you could put in here
that I think maybe almost says what Larry was just saying about — with
hospital and we would observe that most of this also applies across the
spectrum or part of the spectrum or whatever. So —

DR. GREEN: To my ear, our strongest support for doing this was — were
those comments made in the hearings about how it’s not fair to hold a hospital
accountable for certain quality issues that are really not reasonable or
feasible for a particular patient, because of the circumstances under which the
hospital received them or because of the circumstances into which the hospital
sends them.

And it’s sort of — I’m just looking, Simon, for a way to sort of continue
on the quest for the quality enterprise and getting the information that we
need to advance it, and this is good, and it seems to me like it’s got two
hands that can sort of reach both directions if we could just figure out some
way to do that.

DR. COHN: Well, I think we’re talking about wordsmithing or framing
language also on all of this, which I think would hopefully deal with what
you’re describing.

You know, I guess I’d say a couple of things, and I’m undecided exactly
what we should do as a next step on this one.

A) I think it’s very good.

I would observe that I think what people are sort of asking for is is that
the recommendations sort of lack sort of like who and exactly what, and they’re
more along the lines of truth and beauty and the American way, and, “Go
North, young man,” and — you know — and things like this.

Having said that, given that we have this sort of funny — you know, funny
sort of dance right now that we’re doing about what happens with this thing,
it’s hard to know whether we should be trying to get to that level of
specificity at this point.

I’m just — we don’t exactly know exactly how this is going to be packaged
exactly to the audience.

So I guess I’d ask the — rather than voting on this right this second —
maybe the Quality Workgroup could confer about that in the morning — knowing
that you do have a meeting — come back and provide us guidance about, you
know, given that, I think, Mary Beth will be joining you tomorrow morning and,
hopefully, will help provide some guidance about all of that.

You know, it would be nice if we could pass this tomorrow, even though we
may not have all of those pieces settled, maybe allowing the Executive
Committee the leeway to modify some of that with guidance.

But I would defer to all of you on how we want to proceed on that.

But, fundamentally, I think we all look at this and go this is a very good
document that’s had a lot of polishing and is very thoughtful.

Does that make sense in terms of moving forward on next steps?

I’m not hearing anybody having any major issues. People are only having the
desire to make it better.

DR. CARR: And thank you, again, to all of the committee members who
participated. It was a very excellent collaboration.

DR. COHN: Yes.

Now, having said that, 26 minutes late, at this point, and we do need to
break into subgroups.

(Whereupon, the plenary session was adjourned at 4:30 p.m.)