Transcript of the September 25, 2007 NCVHS Subcommittee on Privacy and Confidentiality Breakout Session

[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

September 25, 2007

Crown Plaza Hotel
8777 Georgia Avenue
Silver Spring, MD 20910

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091

Welcome and Introductions

Confidentiality of Health Information, Privacy, and DNA collected in Survey Samples

Discuss Draft “Sensitive Information” Letter

P R O C E E D I N G S (4:00 p.m.)

Agenda Item: Welcome and Introductions

MR. ROTHSTEIN: I would like to start the Subcommittee on Privacy and Confidentiality. I want to welcome you. We are being recorded, but we are not on the Internet. What I would like to do is just take a couple of minutes to go over our schedules and tell you what we are doing with that. Sondik wants to talk to us, and then we will talk about our “Sensitive Information” letter.

We have scheduled on October 4^th, which is a week from Thursday, we have scheduled time from one to five to go over our “sensitive information” letter. I know that John is on vacation and will not be available, but Simon, Harry, Paul, and I will be here for the workgroup meeting. Leslie, are you going to on the phone?

MS. FRANCIS: I am going to be on the phone.

MR. ROTHSTEIN: So, that is our schedule. It is my hope that we can get further movement on our “sensitive information” letter. When Doctor Sondik comes back, he wants to talk to us about the issue of DNA in sample surveys. After that, let me just tell you what we are going to do. Maya has drafted – I do not know whether it was distributed, but it is really not relevant. She drafted a new version, I think it is version 7, that was distributed just to Simon and me for clearance. Basically, what it was an attempt to do was to respond to our last conference call. At that time, Harry and Leslie had some suggestions about reordering some of the sections and adding some additional information. Maya raised some questions and drafted some stuff. We are going to get to that eventually, but we are not going to deal with that today. So, the fact that you do not have it is really irrelevant. That is what you got, but we are not going to take that up.

What we need to begin to discuss is the areas in which several people have responded to prior drafts with serious substantive concerns about the direction of the letter. I have listed four areas and we will start going through them. I think taking up those issues because I think it is pointless to talk about the knits if we do not have agreement on the big picture. So, we will get back to that issue in a second. I want to welcome Ed and thank you for joining us. The floor is yours.

Agenda Item: Confidentiality of Health Information, Privacy, and DNA collected in Survey Samples

DR. SONDIK: What I wanted to bring to your

attention was an issue that I think the committee may want to weigh in on. The issue has to do with one of the studies we have which is NHANES. NHANES has DNA data. We make that DNA data available. We have actually been working on processes for making it available for some time. It finally arrived at a process. At the same time, technology in a way has overtaken us. It now is possible to actually sequence –

(asked to turn microphones on.)

In the beginning there was DNA. That is what I want to talk about is this DNA. It has now become possible to do mass sequencing of DNA in the sense that you can take someone’s DNA, it goes on a chip, and you can get one click on a chip and determine whether 500,000 particular lines of the DNA are present. We plan on doing this, we and our colleagues at CDC plan on doing this and making this available.

The question is, how to make it available and preserve the confidentiality of the respondents in NHANES. Now, NHANES is actually a truly unique data source. First of all, it is a very rigorous representative sample of the US population every year from 1999 on. We also have DNA from an earlier version of NHANES from 1988 to 1994. We are concentrating on the 1999 and beyond. It is a representative sample of the United States. It contains behavioral information. It contains a very, very high quality clinical information. It contains environmental information. We actually do environmental tests on the people who are the respondents – new set of respondents every year. We also do tests in the individual’s homes. So, it really is perhaps kind of a Rosetta Stone here to helping us understand how all of these things interact. We really won’t know until we really get into it.

The issue that I would like you all – I put on

the table for you to think about and to help us with is preserving the confidentiality of the respondents in NHANES. The reason this is an issue is even a DNA sample or a portion of it that is given to an investigator, it may be that there are other sources of information on DNA, and that can be crossed with something and someone can find out that that person is actually in the sample. That probably isn’t such a terrible thing if there is no other information linked to it. What we want to do is to link this information to all of the health information, environmental information in NHANES. The question is, how do we go about preserving the confidentiality of individuals? Now, the approach we have taken in this is that we do the disclosure review in-house in NCHS. Doing it in-house, we put the responsibility on us to release information that we think – our approach is to put it on us in terms of the responsibility to release the data.

Now, there is another approach. On this sheet here, and I should say we use our research data center, which is a cloistered environment to do this. The CDC effort we are going to call with our Atlanta colleagues, it is going to be called Beyond Gene Discovery. We have not yet sequenced all of this DNA, but we are looking for resources to do it. I am sure we will find those resources and that we will do it.

It turns out there is another approach that NIH

has. They have data repository called the Geno Wide Associate Studies Data Repository. They either have it or are going to be putting it in Framingham data, which would be valuable. No doubt in part because it would be data over time, although I do not know the detail on that. It is a population, if not completely representative of Framingham. It has certainly been tremendously important population in giving us information, particularly on heart disease but on other health problems as well.

Now, the NIH approach, which I will not attempt to give it to you in detail because I really think someone from NIH should do that, but their approach is to De-identify the data in taking off the major identifiers like name and address. Okay? How much geography they leave, I am not sure. In Framingham’s case, I know where Framingham is, so we have a fair amount of geography in that sense. Then, they reach agreements with the investigators. Investigators apply to be able to use this information. The ultimate responsibility here for maintaining the confidentiality of the data is the investigators and the investigators’ institution.

So, it is really quite interesting that we have

two different approaches to this. On the one hand, what I would call the federal statistical system approach, which is the responsibility is on the releasing agency to preserve the confidentiality. The other approach, which is on the investigator to maintain the confidentiality and to not share the data beyond the a priori agreement to not attempt to identify people in the sample and even if that happens inadvertently do not share that information.

So, we are planning on having a meeting. We being

CDC and NIH, are planning on having a meeting. We were thinking when I first made this slide in December, but it will probably be a couple of months later than that, which I think is good in terms of the planning that needs to take place to focus on this issue about how to achieve wide dissemination of this data at the same time that we preserve confidentiality. It is not clear that either approach here is ideal. For neither approach do we have a probability that somebody could be identified. That probability doesn’t exist as far as I know. I try to think in those terms, but I cannot even put a bound on it actually at this point. I think it is important. The department is very interested in this, not to speak for the entire department, but the personalized health records and personalized health issues certainly will involve DNA.

I know they are very concerned, and they are

concerned on both sides of this. They are concerned about the inappropriate use of the information, and they are concerned about what the impact would be on the institutions that are responsible for the DNA if in fact it is misused if there are breaches.

So, I wanted to put this on your potential agenda for the future and to give you an idea that this is moving along at a pretty good clip. We would very much like your guidance in this and respond to any interest you have.

MS. GREENBERG: Well, if I could just add one thing, and thank you Ed for bringing this here because Ed also brought this up at the Board of Scientific Counselors last week. One thing I did not fully understand is that the question is not only how NIH handles its data and NCHS handles its data, but whether the HANES data should go into this NIH data repository. Isn’t that part of the question?

DR. SONDIK: NIH would very much like to have the NHANES in the repository. I get very concerned about this. There is sort of an issue of culture here and they way one deals with this. We are very concerned that a breach of confidentiality and of course the DNA data could be very sensitive, but a breach in confidentiality in any one of our surveys, we feel really could hurt us in the future in our ability to collect data. We have a responsibility under the 308D. Perhaps even more important, we make a pledge to the respondent that the data will only be used for the purposes outlined in the informed consent and that they will not be identified in this. We work very, very hard to maintain that.

So, NIH would be very interested in this. I would be very interested in using the software that NIH has to be able to hold this information. They have done tremendous things in building a software to have this repository. How we should work together on this is really kind of open. We all want the same thing though. We want data to be as widely disseminated as it can be while we maintain confidentiality. The issue is really how do you maintain that confidentiality.

MR. ROTHSTEIN: There is another NIH component to this that Ed, you are probably familiar with it. It is the Coriell Repository. I am on a committee that is charged with precisely this task that is protecting confidentiality with regard to bio specimens for DNA analysis within the Coriell Repository. So, we are meeting to go over these issues. I do not know whether our recommendations are going to be in accord with GWAS(?) recommendations or anything else. It is something that is going on all over the department and different agencies. Of course in the private sector as well.

MS. FRANCIS: I just had a couple of questions. Are these datasets that people will know that their data are in the dataset and might learn how the dataset has been used even if their own confidential information is not revealed? I guess I am asking whether you want advice not only about confidentiality, but about other questions about uses of the data.

DR. SONDIK: Well, my principle concern is confidentiality. In terms of uses of the data, appropriate, inappropriate, reporting back to the individuals, and so forth, I would be more than happy to have guidance concerning that. We are really in fact babes in the woods here. Actually a small portion of that data is in that repository from some years ago.

MS. HORLICK: I actually had a question. I wondered if you could clarify that because my understanding of 308D does everybody know what that is? It is a section of the Public Health Service Act that you get a certificate. It is a stronger protection. It would only be used for the data going forward, right? If you did not already have one, you could not get that kind of protection. Correct?

DR. SONDIK: Well, we have that.

MS. HORLICK: Right, you do, but does all the data that would go into this database?

DR. SONDIK: There is a somewhat softer use of the 308D, if you will, that I believe they are using in this for the GWAS. The GWAS is – I believe that is true. They have recently published – August 31^st they published a federal register notice about this. That was in a sense the kickoff of this. I must say I applaud what it is they are doing, which is to bring these studies – these population studies – as opposed to small clinical series or whatever, but bring population based studies together into a very large resource. So, NHANES would be a terrific addition to that because of its representative nature. The real question is, can we preserve the confidentiality to the degree that we feel we need to in that kind of a setting? Maybe there are things that could be added to it that would give us the confidence that in fact this would be a good home for it, or perhaps we can modify it, build another home similar but stronger at CDC.

MR. REYNOLDS: You mentioned you want to use it or share it and keep the confidentiality. I am struggling with that concept.

DR. SONDIK: So are we. There is no question that it is an issue. When we put the responsibility on us to release it, we look at it to see – our approach to this is to not release the entire string of information on Marjorie Greenberg if she were a respondent in this, but to look at this subset of the information and look at it in terms of the number of respondents in each cell to look at the geography and look at things like the dentist from North Dakota who has nine children. We figure if there is someone in NHANES like that, they probably can be identified pretty easily.

So, we actively look at the data before it is released. There will be hundreds of investigators and maybe more who would want to be able to use this information, particularly when we have already sequenced it. So, if we have a million of these SNP’s sequenced, and then the wealth of information – there will be literally hundreds of investigators. This is a challenge then to do this disclosure review. We have automated procedures for it, but it will still probably require some individual or manual assessment of this.

The point you make though is a good one. The only

way to truly preserve the confidentiality is to lock it away in a mayonnaise jar at Funk and Wagnalls doorstep. If that is what we are doing, then we should just not collect this information in the future, or perhaps we should only release the DNA and only one or two variables. So, we get rudimentary information, but it is not as expansive. Even that by the way would be very useful to do that. The studies they have done in Iceland that are able to show genes linked to diabetes and heart disease. They are not based on a tremendous amount of information.

MR. REYNOLDS: So regardless what you would do, who would own the data?

DR. SONDIK: The federal government would continue to own the data, if you will.

MR. REYNOLDS: So, no matter where you put it, the federal government would still be the steward?

DR. SONDIK: The federal government is the steward. There is an issue of whether the data could travel. If one investigator gives it to another in the lab, let us say, and then that investigator looks at it more widely or thinks, maybe I can give a piece of it to someone else. We are all good people. That is possible. We think it is actually – it is certainly possible. In the past, we have seen that happen with samples that the samples would go to one place in the federal government and they will wind up some place else.

MR. REYNOLDS: Thanks.

MR. ROTHSTEIN: It is a very interesting issue. There are lots of models for dealing with it in the literature focusing on different aspects. We would – speaking for myself, I can’t speak for the subcommittee, I think this is an important thing for us to consider. I will certainly place it on our agenda for discussion for subcommittee action.

DR. SONDIK: May I keep you informed as this progresses? Right now, I do not see a meeting plan for December anymore, but I would think February or March is very, very likely.

MS. GREENBERG: You probably would like somebody from the subcommittee to participate in that meeting.

MR. ROTHSTEIN: I am sure somebody from the group would be happy to attend. Thank you.

DR. SONDIK: Thank you for the time.

Agenda item: Discuss Draft “Sensitive Information” Letter

MR. ROTHSTEIN: Let me go back to where I was a few minutes ago before Ed’s presentation. That is, I think before we get to the nitty gritty of the latest draft of the letter, it is essential that we double back and see if we can get some level of consensus on some of the key principles embodied in earlier drafts that have been flagged by some subcommittee members or members of the full committee that they have concerns about.

Let me just list the four areas that I have

identified. There could be others and other could be added, but here are the four from the various e-mails and correspondents. Number one goes to the issue of whether under any circumstances we should be recommending a strategy that includes masking. So, that goes to sort of the heart of the approach that we have adopted.

Number two, there is the issue of whether it is in fact the case that masking technologies are being developed elsewhere. So, that is something that appears in the letter. It is based on testimony that we heard, but there is some question as to whether that is an accurate statement.

Number three involved electronic decision support running over masked information and whether that is a good idea. Number four is whether we should include social and family history, assuming some other things. Whether one of the categories of data that could be masked at the election of the individual should in fact be social and family history information at the discretion of the individual. Now, there may be others, but these are four of the ones that I have identified that are areas of concern.

MR. REYNOLDS: Could you mention number two again?

MR. ROTHSTEIN: Sure, number two is there is a statement in earlier drafts that says that masking technology is being developed elsewhere. Elsewhere meaning in other countries. Remember we heard testimony to that effect, and other federal agencies are in the process of considering that including SAMHSA and others.

PARTICIPANT: Was it Paul’s comment that he did not believe that any of that technology was being created? That was part of the issue, correct?

MR. ROTHSTEIN: Yes, I believe that was Paul’s question. Paul has another obligation now from 5:00 to 6:00, so unfortunately he is not able to join us for this discussion although he will be at next Thursday’s meeting from 1:00 to 5:00 when we take up these issues.

So, my question now is, Simon, are there parts of one of these four that you think would be valuable to discuss from your personal standpoint? There are a couple of these where I know you embrace some issues. At least one.

DR. COHN: I guess there are sort of two dimensions here that we need to talk about. One is these sort of pretentious issues. The other is, what exactly might we be recommending about them? Are there research agendas? Are there demonstration agendas? Are there piloting agendas? So, to my view, my level of concern rises or falls based on investigating, masking approach. Are we talking about implementing masking approaches? It is just that sort of thing of like, exactly where on the graph do things begin to fall?

Certainly for a number of things and I refer to masking and all of this stuff, given that it appears that the subcommittee is talking about the actual data versus providers, which I think is something to my view is open.

MR. REYNOLDS: Can you say that again?

DR. COHN: There is the issue of data versus the provider. What I was meant was are we talking about masking a provider note and a type of provider note or are you talking about masking a provider note and a particular type of provider note, or are you talking about this issue of data that may reside anywhere in a record? You know, family history, social history, psychiatric information – I was depressed yesterday — that may be provided by almost anyone. It might be any type of provider note. Then of course the issue of if we are really talking about that, what are the risks of liability if that data is sort of out there? It all sort of comes together into sort of the level of the type of recommendation we are making.

MR. ROTHSTEIN: Well, Simon, let me go back to – I have in front of me the latest letter. This change that I am going to refer to was put in three or four drafts ago. So, I am not reading you anything that hasn’t circulated to everybody on the committee. In response to somebody’s comment raising this legitimate point, the following recommendation and statement was drafted. Let me just read it. It is under the heading toward the end after we make the case, research development and implementation. It says, the NCVHS recognizes that technologies and tools to implement the recommendations in this letter are not readily available for the electronic health records systems, health information exchanges, and other components of the emerging NHIN. We understand that much work will be needed to develop definitions and inclusion criteria for the various categories of sensitive health information and that a process needs to be established for ongoing research development and implementation evaluation and refinement of methods for isolating and masking categories of sensitive health information. We also realize that it will never be possible to have a system that perfectly masks all of an individual’s sensitive health information and none of the individual’s non-sensitive health information. Nevertheless, we strongly believe that the principles presented in this letter are conceptually sound, substantially achievable over time, and essential to protect privacy and confidentiality.

That leads to this recommendation 9. HHS should

properly begin supporting research and development of technologies and tools for masking designated categories of sensitive health information transmitted by the NHIN. So, I know you do not have this in front of you. I am not asking you to sign off or anything. Is this the kind of qualifying language that raises your sort of comfort level?

DR. COHN: Yes, this obviously helps significantly.

MR. ROTHSTEIN: Okay. Harry?

MR. REYNOLDS: I have actually given a couple of speeches using this as an example recently. Besides the other things you listed there in technology and other things, it is really the maturity of the business process to deal with this because we made a list. We made a list of here is the categories, and then here is the field, and then I will play off of Simon’s.

Anybody that deals with a large data warehouse right now, it was built a certain way with certain characteristics. Let us just take Ed’s as a great example. All of a sudden he talks about this. This is a data element, this DNA. It is a data element that kicks it to a whole other level. All you need is that string and who it is and you have a whole different game with them. What I am finding more and more and what concerns me about – as a technologist, I wouldn’t know how to mask this. Watching the immaturity of business process as we deal with information, pass it back and forth, control it, and do stuff with it I would want that in there to because the void of really strong policy devoid of really strong regulation of some kind, then there is no question that you could build a technology to do this. But you have people running that technology, people modifying that technology, and business process moving that data around, especially as you deal with warehouses and other things and who has access to it and what it means and doesn’t mean.

So, that is a piece of this that to me, we always tend to focus on, technology can mask it. People use technology. So, I think part of that research needs to be how we take the human element of how they set up business process as policies and so on, and not just the masking of it because at some point when you mask it, you are going to unmask it. The maturity level of whoever is dealing with that data mask or non-mask and what the access capability is and so on is also another category.

We never mentioned a business process a lot of

times. I am finding that we have a lot of people who have really good structure around their data warehouse, but they have terrible business policies on how the data gets handled. They do not quite keep it straight. If you look at all the elements that we said needed to be masked to meet a category, and we had them listed, and then you try to figure out so you have to keep an eye on the provider, and if the provider is not in there with all of those categories – so everybody defines a provider a certain way in the things they do. Well, if you do not have every provider you have identified by all six of those masking categories, you can inadvertently let one slip out.

So, when you look at the science of it, you have to have a very precise structure of what you are thinking and doing so you can put it together. So, as I presented it and talked to the information management people, that is the challenge because we do not think about providers in these categories. You do not think about procedures in these categories. You do not think about notes in these categories. They are out there. So, our maturity level of dealing with it is one other concern that I would add. I like the language, but we always fall short.

MR. ROTHSTEIN: Can I ask you about the overall response of these groups you talk to about the concept thing overall?

MR. REYNOLDS: The concept of being able to do this – people mask things now. You scramble them, and you do this and you do that. I would say to you right now very little if anything, that exists in the industry now has fought at this level. So, they have tended to think linear as to how they do it. So, you have to set it up by person or provider type. So, this will change dramatically. Forget the masking technology. It is the structures of how people have stored that data so you can put the mask over it. The maturity and the completeness of the data in the fact of how it is identified as a field will tell me whether or not I would need to get in there and parse that field and say that is something I have to mask. So, that is where the human element comes in.

Tell me the definition. I can take any database

and I can rework it and – that is where the insufficiency sits right now because things were not built thinking this way. They were built as inclusionary, not to be masked. As soon as you define the structure of a mask, now you look at it and go, aha. I have to think about this a little bit now. If I have a provider number that tells me it is this kind of provider, but they have a note because they happen to be a general practitioner but their not happens to mention these words Simon said, so now I have to look at every provider, not just ones that would be under one of my protected classes because I have had that as a breakout. That is the struggle, not insurmountable, but that is why I say the process of how we would go about doing that. The conversion from here and there is far more of an issue to me than whether or not you would do it. It is that you have got to think different.

So, this DNA, we sat here a little bit ago

thinking we kind of had this figured out. All of a sudden, if they put it in another place, and if this stuff gets out, it is a whole different deal. If we say the government owns it, it is a nice umbrella, but I do not feel like it is going to hold the rain out. So, that would be input. It has been a great debate. It shocked them. It made them think, oh, my God, my data is not – I haven’t been thinking about it right. It is a paradigm shift of a pretty significant, not insurmountable, but it is a significant paradigm shift.

MS. FRANCIS: And I think right now is the time to really think about it because there is a whole lot that is unformed as of yet. I found your first wave, Mark, of initial question whether we should recommend masking of any sort almost too broad because I think everybody in this group agreed that we need to have some way of getting patient trust. Of course an alternative to masking is an opt in or opt out model. So, I guess an initial question is, have we decided for sure that that is either gone, because it won’t work or less good than masking?

I took it that we did have agreement on that, but I may be wrong. So then the next question would be what type of masking where the type would be provider or information specific, and there the issue is, I suppose once you start, you can always talk about technology forcing. The answer that we do not have the technology now or whether or not somebody is developing it. When the Clean Air Act came down, that was not an answer for that. You can always say, try to develop the technology and we can see whether it works or doesn’t work and so on.

MR. ROTHSTEIN: Well, before the first draft came out based on our meeting in Washington, I thought, it turns out erroneously, but there had been more of a meeting of the minds, and apparently there was. So, what I am trying to do now is to just basically back up. Before we can go forward, we have to get everybody marching to the same beat. That obviously is very important to do. I am not sure exactly where we are in terms of the level of agreement. I would add – I don’t want to try and push this faster than the committee or subcommittee want to go, but I do believe time is of the essence on a recommendation of this sort because other parts of the department are at work on this. There are other models being developed in the private sector and other countries and so on. For NCVHS to have any sort of place at the table and constructive input, I think that time is now to get our two cents in. If it turns out that we are not able to reach agreement, then we are going to have to decide what is our fallback strategy? I really would like to move forward on that.

MS. FRANCIS: I agree. Do you think that the dispute is about whether to mask at all or what type of masking?

MR. ROTHSTEIN: Frankly, I do not know. I wish Paul were here. I do not want speak for him. I am not able to from his various communications able to answer that question. Only he can.

MS. FRANCIS: One other thing. I assumed we all agreed that whatever else happens, we do think a break the glass feature should be included.

MR. ROTHSTEIN: I do not think that anyone challenged that. Somebody could raise that later, but that is not one of the issues that has been flagged.

MR. REYNOLDS: I worry about only speaking about masking on its own. I guess because we are looking at it solely from just a patient. To me, if every time we say masking, the fact the data is masked would be available to anybody that would be a caregiver. You know, we talked about some kind of flag. It did not say which one. I think as we try to make a service with the whole industry, talking about masking alone immediately evokes that caregivers won’t know it or they are not included and they are.

So, I struggle just to talk about on its own because it is the data that if we believe in the NHIN and somebody says I am in the NHIN, which means their data is going to be transferred electronically. I have been looking at a lot personal health records air based or whatever. All of a sudden the data comes and there is no flag that says, this is not it. We had talked about the idea of, we have six categories and we say, some of this data has been blocked.

At least give Simon, as a doctor, the

opportunity to say to the patient, I don’t want to do something to you that is not right. As John Paul and I were just having a debate out there whether or not you cross something off a privacy notice and if you say, you have to cross it off then he has the right to say, okay, then I am not going to treat you.

So, as soon as we evoke only masking, then we evoke this idea that nobody else matters. I think they do. I think they caregivers matter. So, I think if we say both of them at the same time. So if you are going to mask, then you have to at least notify people. If you are going to notify people, at least they have the right to do it. So everybody is in the game is in the game all the way. The same committee is also selling NHIN kind of as a way to – So, I struggle with just picking it out and going, that is the whole thing. So, that is where it evokes an issue from me.

MR. ROTHSTEIN: Yes, in recommendation number 3 says, when a healthcare provider accesses health information with one or more categories masked, a standard message should note that sensitive health information has been masked at the request of the patient.

MR. REYNOLDS: Right, but I am saying that every time we say masking we aught to make sure we point that out again.

MR. ROTHSTEIN: Okay.

MR. REYNOLDS: All I am saying is saying that is the complete discussion about masking. It is, what are we going to mask? What kind of categories? How do we do it? And the fact that people would know that it was good. That is the complete story to me.

MR. ROTHSTEIN: Okay. John?

MR. HOUSTON: I am just – I think it says that though. I have kept my mouth shut here, but I am a proponent of the version of the letter we were moving towards and the way it was structured. So, I just wanted to get on the record and say that. I agree with Mark that it needs to get out. I personally really liked the way the letter looked. I thought it pulled everybody’s concerns and gained a consensus.

MR. REYNOLDS: I was not in any way saying –

MR. HOUSTON: I was taking my turn to weigh in on this one.

MR. REYNOLDS: My point was if there is contention. I wrote down what you said. If every time we say masking and we do not say with the caveats we have in the letter, then I am just saying it evokes a response from people.

MR. HOUSTON: I think if you set it forth in a separate section and say you are going to do that, I think we – I understand your point that we want to be clear about it. I think in large measure it is there though.

MR. REYNOLDS: I am talking about making sure the rhetoric stays at a structured level. That is what I am saying. It is all about making sure we are collaborating and getting there.

MR. ROTHSTEIN: That kind of concern, Harry, I think we can take care of without too much trouble. I just wanted to ask Simon before I call on you, it seems as if the people who have expressed reservation so far about this concept. Paul, Justine, yourself, and Marc Overhage, are all MD’s. So, is there something that we can say or do that will somehow reassure the physicians on the committee and beyond that should the letter get out, that the system that we are proposing that should be researched and possibly implemented will not in fact tie the hands of doctors or lower somehow the standard of care and their ability to practice? That obviously is not our intent.

DR. COHN: You are trying to reassure that?

MR. ROTHSTEIN: I think unless we can satisfy the physicians on this committee, then we are going to have a problem with the broader audience.

DR. COHN: It is a very thoughtful question. I said at the end of the day, it is hard to give you a very thoughtful response. I guess – early on in the letter, there was a comment made, this masking only applies to treatment positions, and we have to consider how we deal with payment and everything else in a subsequent letter. I think clinicians do sort of scratch their heads a little bit where in a situation where a health plan then a treating physician.

MR. HOUSTON: I do not think the health claim gets any of that data. I do not think there is any thought about masking it. The masking of data is, it would be sensitive data coming from third party sources that would not even make its way to a health plan in terms of a claim, or –

DR. COHN: Well, I think claims go to payers.

MR. HOUSTON: No, when we are talking about masking here is, maybe I am wrong, this is in the context of the NHIN. This is in the context of, if you as a physician is sitting in an emergency room and a patient comes in, and there was data external to your clinical information system, which you were relying upon of a sensitive nature that it would be masked, but you would have the benefit of –

MR. ROTHSTEIN: Well, that is true, but I think Simon’s point is actually correct in the sense that if I go to Dr. Floyd for psychotherapy, and he submits a bill to Harry to pay, and there is some sort of code that shows. Now, I go to Simon for internal medicine treatment, now I can elect to block the Dr. Floyd visit, and he would not see it, but the payer would actually know.

MR. HOUSTON: You could also decide you are going to private pay. That would therefore not show up either. What I thought the intent of this was, was try to split the middle. The current state of things is if there is a sensitive data type, the physician would see nothing. There are a lot of environments where the physician would see absolutely nothing. What I thought we heard was an overwriting concern was, there is certain limited information we think we need to see because it really does impact the type of care that we provide and is important. Medication history and things like that, so you make certain limited amounts of information available because the alternative was to make nothing available. So, you are trying to provide additional information where you grossly mask the base point sensitivity you would see nothing.

MR. ROTHSTEIN: Well, that is half of it. The other part of it is we do not want to discourage people from obtaining care for sexually transmitted diseases and mental health problems and all sorts of other sensitive information because that their information will be available to any future physician that they see forever and ever.

MR. REYNOLDS: NHIN is one of the subjects. As I have reviewed recently some fear-based personal health records. They would make available to physicians some of these things that we are talking about that we wish were masked. That is not the NHIN. So, I guess where I am going is –

MR. ROTHSTEIN: Say that again.

MR. REYNOLDS: There are payer based health records or personal health records that take all of the claims that you get, and I have seen them and they put them up on a screen into categories. If I am a doctor and I am already working with that payer and a patient comes there and the patient said, I am okay with my personal health record, then it would show the drugs and procedures and everything else. A lot of them are doing the opt-out and so on. We talk about the NHIN, well the problem is we have a whole set of technology and a whole set of business practices that is not just the NHIN. I guess my point is that we really are thinking about the NHIN, but there is so much stuff going on right between treatment, payment, and healthcare operations and NHIN there is this whole layer that is just flying by right now.

I am just asking as we become pragmatic in this discussion that we may protect something out here that is in this next layer up that doesn’t exist right now, and it is the network of networks and there is a lot of stuff going on between there right now.

MR. HOUSTON: If I am looking from the clinical side of the house, if I have a clinical information system and that is a sensitive data type, by default I am not going to provide it. If you are telling me that you have all these claim-based systems out there where they are throwing up claims based information related to the sensitive data types that scares the living bejesus out of me.

MR. REYNOLDS: Well, let us be careful. I am not telling you anybody is throwing anything up. I am telling you there is processes and there is structures and they communicated with the people. I am making a statement that there is a whole lot of difference between treatment, payment, and healthcare operations we have been talking about and the NHIN we do not know about yet. There is business models and other things going on in the middle there. So, whatever these processes and functions are – I would say that our categories are woefully inadequate in their total definition. What would make up the pieces the way I would parse them is woefully inadequate at this point.

So, people are doing business, and they are doing the business of their members and the business of their patients and the business of anything else. So, I cannot go as far as they are not nefarious and they are not thugs. All I am saying to you is that we are thinking out in the future about – when do they want to get on the NHIN. It is no more than the discussion of what is the secondary uses of our data earlier –

MR. HOUSTON: Going back to the reason why this letter was even proposed was because there was great concerns about with the creation of this NHIN that there be sensitive data types and that people would not want this data to be contributed to the NHIN and how do we split the middle between opt-in or opt-out and providing a reasonable amount of information to provide quality care. How could we split that in a way that might be less offensive to patients while still providing clinical information that would be necessary to improve the outcomes or ensure that some catastrophic failure did not occur where somebody was prescribed a medication only to find out that some psychotropic drug that they were taking contradicts it. That is why I thought this letter was being formulated was specifically in response to that type of situation.

MR. REYNOLDS: I am not disagreeing with that.

MR. ROTHSTEIN: Just to follow up on John’s statement. In the June 22, 2006 letter, we specifically stated that individuals should not have their information sent by the NHIN over their objections. We left open whether that would be opt-in or opt-out and so forth. This letter as John suggested goes to that point because if we do not figure out some way to limit the disclosure of sensitive information, anybody who has got mental health information or reproductive health information or whatever in their files, the only way they have to protect that from disclosure to all providers is to opt-out or to not opt-in or whatever. That, we thought, was not something that we wanted to encourage. This is a way of trying to limit that and put greater detail onto our additional recommendation.

MS. HORLICK: I am actually trying to go with you mentioned like the psychiatric. I am trying to really understand that with the example you went through earlier. Suppose I block my psychiatric history so therefore my medication, and then I go to Simon so he doesn’t know it there, but he sees the category. So Simon says, well, I want to prescribe this but I am concerned because it could interact with something else you are taking, and you have blocked categories, and I do not know. So, is that something that the concern is then the patient? I might be able to say, okay, I am taking X, Y, and Z, and Simon decides. It might be that I sign it and I let him get that information because I am thinking after Katrina when people were saying I take blue pills and yellow pills. So, I am trying to understand, if I block it, they actually do not get the medication history either?

MR. ROTHSTEIN: What they might get – if Simon puts in I want to prescribe antibiotic X for your infection. If you are on Zoloft, you might get a drug interaction notice assuming that we adopt the proposal on the decision support running through the block information. He would get a drug interaction notice, even though he doesn’t know exactly what it is dealing with. He also could see that you have this and say, look, people that I prescribe this, this is the first line drug for the condition that you have. If you are on any SSRI, which would be Paxil, Zoloft or Prozac, you could get very sick, and I need to know that. Then you might say, I will tell you.

MS. FRANCIS: The way I see that, there is really a technical point because I think we all agree that a physician should not be placed in the position of unknowingly prescribing something that puts people at risk. I think we also agree that it is kind of a problem just to rely on patients in the way you were describing it, which is why the suggestion that decision support mechanisms be explored. I do not think that anybody is saying we have all the answers here.

MS. HORLICK: No, no. I am just trying to understand.

MS. FRANCIS: I think what the recommendations are, look, we see this as a technical problem. This is a real problem because if you cannot design a system that figures out how to get that information in, then you have got a situation in which the only alternative may be a bad one, which is opt-in or opt-out. Given the importance of trust and given the importance of good care, it seems to make sense right now to say, look, let us try some new design possibilities – unless we try them, we are never going to know.

DR. COHN: Leslie, I appreciate your comment. First of all, I think 80 percent of it is very good. I think most everybody else it is sort of like fundamentally most of this is fine. I actually just want to follow-up on your view about – I think one of the things that has bothering me a little bit is despite the fact of the last recommendation, which sort of says, yes, we should research all of this. We should do piloting R&D and all of that. The way that the report is overall developed is that it is sort of like yes, we are certain of all of these principles and the question is, you need to figure out how to do it and all of that stuff.

Whereas I think there are certain areas where I would say, that is an interesting idea. I do not know whether it will work or help or is even the right thing to do. I present it and probably include this idea of running decision support against masked information. I could make an argument that this is a good idea or I can make an argument that someone on the subcommittee had made, it is not practical and maybe detrimental to care especially given that we have a recommendation which says that the design of the NHIN should permit patients to authorize selected healthcare providers to access masked health information. So there is another way that a provider can get that. I think it is worthy of something that should be evaluated. The way it is presented here is that it is being presented as a principle, but then the focus becomes, well let us do pilots to figure out how we can build this and do it where that is a piece of, that is something that should be evaluated –

MR. ROTHSTEIN: Simon, I do think it is possible

That the spirit of recommendation 9 can be infused in some of the other recommendations and in some of the language throughout the document to make it less directive and less certain. In advance of that, it would be nice to get subcommittee unanimity around the organizing principles. I am not sure – well, I know we do not have that yet, so I want to – if we got the go ahead from the subcommittee, then I think that your concerns about basically softening the language and making it less certain and so on, that wouldn’t be too hard to do. If people are going to say, well, I just do not think we aught to go in that direction. Now, we need to sort of rethink everything. Harry?

MR. REYNOLDS: As I see the journey now, I would start out with first, since we do not know what the NHIN is and we may not know any time soon that we need to make a decision on opt-in, opt-out because whatever it becomes and whenever it becomes and then wherever the piece of the country or anybody that comes first, people need to have the right to be in there or out of there.

Then, playing off of these earlier comments, these other things we think might make it more robust would be the possibility for studies and research projects so that you would leave whichever one we pick in place. As you are finding out whether these other things work, how they work, and so on, then that is when you start ratcheting down further what it looks like. The problem to me – So let us say for example, sometimes I sit at the table and say, okay, whatever we decide it is going to be handed to me to do. So my comment becomes, okay, fine. You are going to tell me to mask it. I do not know where I am even sending it yet. I do not know how that is even set up. I do not know what that means, but you want me to start it, and you want me to support ENCHICO(?), which is one of our local environments trying to do these things and I am going, I cannot do it. So, there is a journey.

First, I think it would be helpful that whatever this comes out to be, whether it is pilots or whatever, people get in it. Then, as we recommend some of these things to be further and that it not be taken off. Maybe it is opt-in.

MR. ROTHSTEIN: Are you suggesting that in this

Letter we make a recommendation as to whether we think it aught to be opt-in or opt-out? Is that correct? The reason that I am kind of leery about that is if you think back to 2006, there was a spirited discussion of whether we should have opt-in or opt-out, and in fact the final letter said, HHS should decide on the method for which individuals can choose not to be part of this, and it could be either opt-in or opt-out or differing to the local RIOs or HIEs to each make their own determination of whether they should have opt-in or opt-out. So, there are at least three ways in which the committee was divided.

MR. REYNOLDS: Fine leave it there. I understand. I do not care if we just leave that. My point is though because I would equally argue that without defining one of those and having the NHIN unclear, and as soon as you start saying this, you talk about evoke – that that evokes discussion – this evokes just as much discussion. Without some study, without some knowledge, without some further discussion this same thing is masking in this other stuff. It is like we are building a journey. The problem is we are trying to jump way ahead. I tell you what, the masking, in my opinion, would take the next 6 to 8 years.

MR. ROTHSTEIN: No way of know that.

DR. COHN: This is a 6 to 8 year document. I wouldn’t say anything about this that is any way implementable or doable in the next two to three years. That may be an important role that we play in privacy. I was actually fascinated by this document that it did not really require us to resolve the opt-in or opt-out conversation. I do not know that it even benefits from one side or the other.

MR. REYNOLDS: I may have said that poorly. I am good with the language.

DR. COHN: I was going to say, one of the nice things about this document – now we can talk about the types of things that need to be masked or whatever, which to me are – there are some things that we have some regulatory or legislative direction on. There are other things that maybe we want to – there is an evaluation about do-ability and importance to the consumer. It might be a useful thing for us to help come down on. Opt in or Opt out – I don’t think we are going to solve today.

MS. FRANCIS: The only reason I brought it up was because I was the one that put it on the table, I think. If there isn’t a way to be all in or all out, if there isn’t a middle way, then the only options are going to be, we require everybody be in or we have an opt-in or opt-out. So, you do not have to take a position on it, but I do think it is important to point out the relationship that we back to that square if we do not think through seriously some way of figuring out partial-in.

DR. COHN: We don’t have a partial that applies to either opt-in or opt-out.

MS. HORLICK:(?): I think part of the problem with even thinking about that now is to really opt-in and make an informed decision you have to understand what you are opting into. Really, I do not think I know once person outside of this circle here or where I work that even knows what NHIN is. These are educated people. We forget that. I go back to immunization registries, which are pretty simple to understand. If you explain to somebody what it is. They can either decide yes or no. But how could people make an educated decision about opting in or opting out now when we have trouble conceptualizing and defining it exactly what the NHIN is. I do not think we can ignore it, but I do not see how we can take a position on it until we know more about what it really means to be on the NHIN.

MR. ROTHSTEIN: Okay, I have Harry, John, and Simon and then I want to summarize where we are.

MR. HOUSTON: Yes, a couple of things. Simon made the comment, and I think we need to be careful in assuming that. It may be a 6 to 8 year time horizon for the NHIN, but I can assure you that this type of functionality in some way, shape, or form is getting out there today. I will give you an example of how this is occurring. What is the name of the pharmacy exchange? RxHub. Today, we implemented all scripts in our psychiatric facility, the patient was in there and they were with their physician and the physician said, I see you are on these five medications. The patient said, how did you know that? I did not get them through you. They weren’t related to the psychiatric illnesses, but it came through RxHub. Let us put the shoe on the other foot now. If the patient was in the emergency department and had been prescribed physiatric medications, that information would have bene available in the emergency department to that physician. So, the reason I bring it up in these terms is that whether we are masking data or not masking data, we are talking about certain subsets of very sensitive data such as some psychotropic medication that now will be made available for treatment.

MS. HORLICK: Is that an electronic record?

MR. HOUSTON: RxHub is a pharmacy exchange. The point being is in some context already this train is leaving the station. So, we just have to be aware that it may not be through the NHIN, but other ways they are getting that third party pharmacy data today, which may itself in certain contexts indicate that somebody is being treated for a physiatric disorder and people would determine this to be sensitive. So, unless we start to get this issue framed, I think we are going to find that people are going to say, RxHub is already doing that.

MR. REYNOLDS: That is the point I was making earlier about the – not at the NHIN but these prescribing and other things are already going on.

MR. HOUSTON: But this letter is in the context of the NHIN so I think we do need to get —

MR. ROTHSTEIN: In fact, as we discussed in the prior section in the letter, in the context of the NHIN may well be making policy that is going to filter down to other levels as well. So, let me see if I can summarize where we are. We are going to meeting again a week from Thursday from 1:00 to 5:00. There will be four of us in person at the Humphrey building. Leslie is going to be on the phone. John will not be here. I think it is fair to say that you are generally in agreement with the recommendations that we have so far. What we are going to try to do is we have identified five areas that we think are points of contention. The masking overall, the statement that masking is being developed elsewhere, the decision support issue, the social and family history as a category, and whether it should be masking by provider or by category. We will just start sort of slogging through those and see where there is agreement and where there is not agreement.

Simon, I am sorry to drop that bombshell on you

about representing the 800,000 physicians in the United States for this conversation. I would ask you if you have the chance to think about that because I have no question that some of the physicians on the committee may need some reassurance that we are not going to totally destroy their ability to practice, and they are just going to be flying blind in everybody they treat. That is not something they want to endorse.

DR. COHN: I guess it also gets down to the framing of the letter. We just need to recognize that there are statements of certain policy. There is also letters that have to do a lot with research and development and piloting and testing. We think this is a good direction, but we think a lot of it needs to be tested. Observation 9 talks some about that, but I think the more we can put around that – the issue of masking and the issue of masking in the NHIN I think is a critical issue. I think we would be diluting ourselves if we all thought we had the right answers right now. We want to make sure there is work being done in the area. We want to see development. We want to see piloting. We want to see evaluation all the time. We just need to make sure that sort of sensor goes through the letter. That is my point of view.

MR. ROTHSTEIN: From my view point that is not a problem at all and probably should have been done a couple drafts ago as we brought 9 in. This has been a very different kind of letter.

MS. FRANCIS: There is a value point that I think there is the technical question and there is the value question. The value question is, we really want to have a lot of patient control. I do not know whether there is agreement on that.

MR. ROTHSTEIN: We do want – We are on the record as saying the patient should have limited control in our earlier letter.

MS. FRANCIS: Yes.

DR. COHN: The issue is we have a couple of objectives. One is that we want to assure improved healthcare for all Americans. We want to improve the healthcare system. We want to also give patients and consumers as much control as is practical overall for this to process. The problem is trying to make all of those come together. This gets to be the difficult piece.

MR. ROTHSTEIN: Well, as we say on page 3, our goal in developing our recommendations is to ensure patient safety, improve quality of care, and develop a network that is practical, affordable, and inclusive while protecting the confidentiality of individual health information.

MR. REYNOLDS: Yes, and again I would like to put technology last because it is really the least significant of this is the technology. Give me the business rule and I can mask it today.

PARTICIPANT: Oh, really?

MR. REYNOLDS: Sure. If you give me the business rules and I know what data I have –

PARTICIPANT: Oh, okay.

MR. REYNOLDS: This is really about the business rules of what you want masked, how you want it masked, and what you want done. I can do that but the funny part is the technology is missing – I don’t know the NHIN – so when I get the ready where am I sending it.

(Laughter.)

MR. HOUSTON: Some of the technology though, especially related to the issue of decision support, is much more of an issue because how you do decision support at the destination when you do not have all the data at the source. That gets a little sticky. That was Paul’s point, I think.

MR. REYNOLDS: I do not disagree with that but what I am saying, back to Leslie’s point, that we have some foundational things that we have either got to agree or disagree on. If we keep throwing technology in, that is not the number one question. That might be question five.

MR. ROTHSTEIN: We should not lose the importance of values and process and technology is just a tool to try to implement.

So on that note, I want to thank you. We are adjourned until 1:00 a week from tomorrow, Thursday the 4^th at the Humphrey building.

[Whereupon as of 6:06 pm the subcommittee meeting was adjourned.]