[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

September 29, 2016

Courtyard Marriott
Congressional/Monuments Room
1325 2nd Street, NE
Washington, DC 20002



Agenda Item: Call to Order, Review Agenda, Clarifications, and Updates

DR. SUAREZ: Let’s start. Good morning everyone to day two of our National Committee on Vital and Health Statistics. Again, we are going to go around and introduce ourselves, organization, committee that you are part of and whether you have any conflicts with the business we are going to transact. We will start with the members.

My name is Walter Suarez. I am with Kaiser Permanente and chair of the National Committee and no conflicts.

DR. MAYS: Vickie Mays, University of California Los Angeles. I am a member of the Full Committee, Privacy, Pop. I chair the work group and RC and no conflicts.

MS. KLOSS: Good morning. Linda Kloss, Kloss Strategic Advisors. I am a member of the Full Committee, co-chair of Privacy, member of the Standards Subcommittee, Review Committee and no conflicts.

MS. LOVE: Denise Love, National Association of Health Data Organizations and All Payer Data, Claims Database Council. No conflicts except I work with All Payer Claims Databases in states.

MR. LANDEN: Good morning. Rich Landen, Harris QuadraMed. Full Committee, Standards Subcommittee, Review Committee and no conflicts.

DR. RIPPEN: Good morning. Helga Rippen, Full Committee, Population, Data Working Group and Privacy and no conflicts.

DR. CORNELIUS: Llewellyn Cornelius, University of Georgia, Full Committee and Population Health Subcommittee, no conflicts.

MS. GOSS: Alix Goss, Imprado. I am a member of the Full Committee. I am co-chair of the Standards Committee and Review Committee and no conflicts.

DR. COHEN: Good morning. Bruce Cohen, Massachusetts Department of Public Health, member of the Full Committee, co-chair of Population Health, no conflicts.

DR. STEAD: Good morning. Bill Stead, Vanderbilt University Medical Center. I am a member of the Full Committee, co-chair of Pop Health and a member of the Review Committee, no conflicts.

MR. SCANLON: Good morning. This is Jim Scanlon. I am the deputy assistant secretary for Planning and Evaluation at HHS and staff director for the Full Committee.

MS. HINES: Good morning. Rebecca Hines. I am the executive director, designated federal official and I am with the National Center for Health Statistics.

DR. SUAREZ: Do we have any members on the phone or staff? Anyone else on the phone?

(Introductions around the room.)

DR. SUAREZ: Thank you very much. First, I want to thank everyone for a lovely evening yesterday at dinner and personally for all your incredible, wonderful messages both in your card as well as in the book. Thanks to Debbie for putting together such a beautiful and memorable book. I had so many memories out of it, remembering a lot of wonderful experiences throughout these last eight years. Thanks to our former chairs that included messages as well, Justine and Larry. It was just incredible. Thank you. It was just an incredible evening and very touching moment for me. Thank you again for that.

We are going to go into our reports from the Office of Civil Rights. I believe ONC is going to join us as well. We will start with Rachel. I do not know, Linda, if you want to say anything at this point. Maybe we can take a short five minutes before we pass to Rachel to hear back from both the Standards Subcommittee and the Privacy, Confidentiality, and Security Subcommittee about yesterday’s – a brief report about yesterday’s activities. We will have some more time during the 9 to 10 o’clock period. I am sure we are not going to take the full hour on APCDs. We will have probably some more time to talk about more details on the work plan. If you can briefly just highlight some of the topics in your agendas and some of the outcomes.

MS. KLOSS: Our agenda for this meeting is a little bit different than it has been for the last couple, where we have gone into the Privacy, Confidentiality, and Security Subcommittee meeting immediately after the updates. In some ways, this is an agency update that we will hear from Rachel.

We did start diving into our next challenge, which is preparing the letter to the Secretary on de-identification and mapped out a work plan to do that. We also had some time to begin to discuss thinking through privacy of the future, the privacy environment of the future, but I think we will leave that until we get to our strategic discussion to report on where we landed on that.

MS. GOSS: From a Standard Subcommittee and Review Committee perspective, we spent our workshop working time yesterday afternoon looking at our plan for the coming year and garnering consensus around our prioritization. Clearly, predictability roadmap is very high on the list for the members as our legislative mandates along the lines of ACA 10109, HIPAA report, which will be the 12th report to Congress, doing our next Review Committee hearing, and related playbook for that. Our HIPAA 3.0 vision and how that links with the Privacy 3.0 and the Public Health 3.0 vision, which I think as you will may notice and what I have listed so far is there is a lot of cross committee or I probably should say full committee collaboration and discussion that needs to happen to produce several of these like the 12th report to Congress. We think our HIPAA 3.0 effort needs to be very much tied in with what the other 3.0 efforts are.

Finally, the SSNRI topic we discussed yesterday posed some priority interests I think mostly to make sure we do not have a problem coming down the pike that maybe we could help avoid.

Having solidified our priority areas, but having a much broader list than what I have just described to you, we realize that we need more of a regular meeting schedule and we will have a lot on our plate in 2017. The co-chairs and staff are going to figure out where the efficiencies can be found in these topics because a lot of them are interwoven or overlapping. We are going to try to figure out if we can tackle some of these together even if they might produce separate downstream work products. I am going to work on that to figure out how best to manage. There is just a lot of really great stuff here and opportunity to work on it.

MS. KLOSS: Before we turn this over to Rachel for her update, I just wanted to acknowledge and thank her for participating in yesterday’s meeting and for helping us, as you know, in the de-identification hearing and then pulling together a summary of the wonderful testimony that we had. A special thanks to her before we hear an update.

MS. GOSS: Just to mention one other item, which we felt was important, but not necessarily the lead for standards. The vital records activity that we had a phenomenal discussion on yesterday. Everybody believes is important and needs to be addressed, but we felt it was more in the population health realm and that we would support those activities, but we did not bubble it up as a priority work item that we would take the lead on.

DR. SUAREZ: Thanks both for those quick reports. Thanks to Rachel for all her support and her leadership in working on these last two hearings. It was incredible in the last four months. We had two major hearings and very significant topic.

Rachel, we are going to go to you. I do want to acknowledge that Lucia is here from ONC. We will go to Lucia in just a minute. Rachel, please.

Agenda Item: HHS Updates: Privacy and Security

MS. SEEGER: Thank you very much. I am sorry I cannot be there in person this morning. I did want to provide an update for you all and what is happening in the world of OCR. I am going to start first with enforcement. We have been very busy. We are going to start with OCR’s enforcement work.

On June 29, we had a settlement with Catholic Health Care Services for $650,000 and a corrective action plan that included two years of monitoring. This was as a result of – Catholic Health Care Services reported a breach to us following – an unencrypted mobile device. When OCR came out, he conducted an investigation. He found a lack of an enterprise-wide risk analysis – risk management plan.

I think I reported to you all before that many times – come out during our investigation. We find that covered entities have conducted a risk analysis only focused on the EHR system so that they could comply with meaningful use. The security rule, as you know, requires – risk assessment. This includes everything from mobile devices to networks, et cetera. While the breach triggers the investigation, what we found was a deeper pattern of noncompliance.

On July 18, we had a settlement with Oregon Health and Science University for $2.7 million as well as a comprehensive three-year corrective action plan. The investigation also began following multiple breach – that were highly publicized not only in local media, but as well as national – reports involved unencrypted laptops as well as very large breach involving a stolen unencrypted thumb drive.

The investigation uncovered evidence of widespread noncompliance throughout the uncovered entity including the storage of ePHI on a cloud-based server without business associate agreements. This particular settlement underscores the importance of leadership engagement and why it is so important to – to take compliance seriously. This was a very well publicized large-scale breach, as I mentioned. The covered entity had its own findings in the risk analysis that were unaddressed, including the lack of a business associate agreement before allowing a vendor to store their ePHI.

Next, on July 21, we settled with the University of Mississippi Medical Center. This was as a result of a breach of unsecured ePHI. When we came out and conducted our investigation, we found that this covered entity had really done nothing with respect to the HIPAA security rules since April 2005. There was no risk management activity going on here and widespread organizational deficiencies and insufficient institutional oversight over all.

They also had been using a generic user name and password for their entire wireless network. This is the state’s full public academic health science center. UMMC also operates for specialized hospitals as well as clinics throughout the state. A very significant enforcement action, again, at $2.75 million.

Next is Advocate. August 4, 2016. This is our largest settlement to date at $5.55 million. The price tag on this is really the results of the extent and duration of the noncompliance that dated back to the inception of the Security Rule in some cases. And the large number of individuals whose information was affected by – to breaches. Approximately 4 million people – with 250 locations throughout the state.

What we found was a lack of risk analysis, insufficient access control and insufficient business associate agreements and the failure to have adequate policies and procedures to manage their devices.

Next is our newest settlement with Care New England Health System, which was last week, September 22. This is – an affiliated covered entity that was providing a number of different functions on behalf of its covered entity members including Woman and Infants Hospital of Rhode Island. With this particular investigation, we found that there had not been an updated business associate agreement post-Omnibus Rule so that Care New England Health System do work using protected health information for its subsidiaries.

The settlement includes a monetary penalty of $400,000 and a corrective action plan. I think what is important here is that we have seen a number of different settlements resulting from organizations not understanding the various organizational structures under HIPAA, whether it is an affiliated covered entity, OHCA type or identity, et cetera. Hopefully, this sends an important message to the industry, especially for those organizations that are doing work on behalf of covered entities under their control for ownership.

I also wanted to mention that OCR has initiated a Small Breach Initiative beginning in August 2016, where we are going to move more widely to investigate the root causes of breaches affecting fewer than 500 individuals. Among the factors that we will be considering are the size of the breach, a theft of or improper disposal of unencrypted PHIs, breaches that involve unwanted intrusions to IT systems such as hacking, the number and nature and sensitivity of PHI involved and instances where OCR is using numerous breach reports from a particular covered entity or business associate that might raise similar issues.

The regions have been conducting a number of investigations based on these fewer than 500 reports. I have reported on many of these (indiscernible) we wanted to be transparent with the industry letting them know that we can and are opening up an investigation (indiscernible).

Next, I am going to move to policy update. Lucia may touch on this first one. We made an announcement yesterday of a new FAQ that addresses whether a business associate of a HIPAA covered entity may block or terminate access by the covered entity to the PHI that is maintained by the business associate on behalf of the covered entity. The short answer is no. They may not.

A business associate may not use PHI in a manner or purpose that would result in a violation of the HIPAA rules. Generally, if a business associate is blocking access to PHI that is maintained on behalf of the covered entity, including terminating access privileges, the business associate has engaged in an act that we would define as an impermissible use under the privacy rule.

For example, we are seeing reports of business associates blocking access by a covered entity to PHI, such as where an electronic health records developer is activating a kill switch embedded in its software that would render that data inaccessible to its provider client to resolve a payment dispute.

Again, if a business associate fails to provide access to its covered entities, it has impermissibly used PHI. The FAQ gets into a number of different pieces of guidance. We are really hoping that people will pay attention to this. We have put it out on our listserv. We have put it out on Twitter. Hopefully, folks will continue to push it out to their partner organizations so that we can increase awareness of this important guidance.

In July, we worked with the FDA to address another FAQ on HIPAA and unique device identifiers, which clarifies that the device identifier portion of a UDI can be part of a limited or de-identified data set as defined under HIPAA.

While the Privacy Rule prohibits the inclusion of device identifiers and serial numbers in a limited data set and in data sets that are de-identified in accordance with safe harbor rules, the guidance explains that the DI portion of the UDI is not the type of device identifier to which a HIPAA Privacy Rule provisions refer. A little inside baseball but really important piece of guidance for entities that are using UDIs and limited and de-identified data sets.

I want to mention that OCR has been pushing out a series of monthly newsletters. All of these are related to cybersecurity. In August, we pushed out an important newsletter on insider threats. In September, we issued a newsletter on cyber threat information sharing. The latter was concurrent with an FAQ on cyber threat reporting that addresses what type of information can be disclosed by covered entities and business associates in this context. Again, typically cyber threat information sharing does not include PHI, and it should not include PHI.

All of this work also could be background to our guidance that I spoke on the last time. I provided an update on ransomware guidance. These are FAQs on how HIPAA can help covered entities and business associates recover from malware infections on ransomware, and offer such practices such as data backup plans, contingency planning, and the like. All of these are required under the HIPAA Security Rules, as part of security incident procedures and response plans.

But when covered entities and business associates are not paying to attention to the broader requirements under the security rule, it makes them vulnerable to attack from the outside and from the inside, whether it is insider threats or ransomware and malware.

What is to come? OCR is very close to pushing out our guidance on cloud computing. We are also very close to issuing guidance on text messaging. We have additional guidance in the work on social media. We continue our work on precision medicine initiative and research authorizations. And ANPRM on ways I which an individual who is harmed by a breach under HIPAA, may receive a percentage of CMPs or monetary settlements that are collected.

Next, I wanted to provide an update on audits. As you may know, our 2016 HIPAA audits are underway. Covered entities have received notification of their selection as subjects for our HIPAA audit. They were also invited to participate in a webinar held on July 13, where OCR staff walked through the processes that they could expect for the audit and expectations for their participation.

These desk audits required entities to submit documentation of their compliance with certain requirements of our rules, including policies and procedures, access, breach notification, risk analysis and risk management standards. Coming up very shortly in the fall, are our desk audits of business associates. The kickoff webinar will also apply to that.

Also, in October 19 and 20 is our annual conference on HIPAA security with the National Institute for Standards and Technology, NIST. Our keynote on Day 2 is our own Dr. Walter Suarez. We are thrilled that he is going to be providing his view on the 20th anniversary of HIPAA and the future of HIPAA security.

Sessions are going to include identity management and access controls, business associate liability, best defense tactics against ransomware and malware, and updates from our friends at FTC, the health care industry, Cybersecurity Task Force, ONC and OCR.

With that, I will turn things back over to Walter. Thank you.

DR. SUAREZ: Thank you so much, Rachel. We probably have questions from the audience. We have Bruce and Linda.

DR. COHEN: Hi Rachel. This is Bruce. Thanks. I always have mixed feelings about when you report breaches. The breach investigations quite often uncover widespread noncompliance and a real lack of understanding of privacy and security rules. I just wanted to get a sense from you whether what you end up discovering and investigating is the tip of the iceberg or whether you feel that you are getting most of the major breaches that occur and just your thoughts about how we could be more proactive and if you think you are just getting really the tip of the iceberg.

MS. SEEGER: I think that is an excellent question, Bruce. HIPAA is hard. It requires an investment of time, of resources and money. But what we are seeing in many of these investigations that are leading to settlement that are illustrating issues to the industry are some of the largest players in our space who have such a lack of overall compliance. The report of an unencrypted thumb drive or an unencrypted mobile device is just the tip of the iceberg, as you mentioned.

When we start to scratch the surface, we see that these entities have not addressed HIPAA security since 2005 when the rules became effective. When you have a large-scale breach as in the case of Advocate, you have four million people throughout this massive health system who are affected, myself included. OCR takes the harm that is done to individuals or the potential harm extremely seriously.

These enforcement actions are all unfortunate. Our preference would be to have complete voluntary compliance by the industry. But really leadership sets the tone and must take the culture of compliance. If there are compliance issues going on with HIPAA, one can only assume of other compliance issues going out throughout that organization.

Our message really to the industry is to get your house in order. These rules have been around – HIPAA just celebrated its 20th anniversary. Our rules have been around for a long time. This industry is under attack unlike any other with respect to cyber threats because these actors have realized how vulnerable the data is and how easy it is to take advantage of these organizations. In an ideal world, we would be out of business and not conducting any investigations and get back to the core work of civil rights enforcement. But unfortunately, HIPAA enforcement seems to be here to stay.

DR. COHEN: Any thoughts about how to be more proactive and really increase the industry’s attention to routine business practices that may be in violation. I would love to hear at some point your thoughts on that.

MS. SEEGER: I am happy to speak to that more at some point and maybe the best place to do it is in the Privacy and Security Work Group. But really the point is that we are speaking very loudly at OCR, but it takes a village. It might be beneficial for NCVHS to – you have heard me report on multiple enforcement actions over and over again. It might be beneficial for NCVHS to make a statement to the industry about best practices and what these enforcement actions are saying.

MS. KLOSS: Could you comment on when you expect to release the ANPRM on civil monetary penalties and just whether it would be helpful for NCVHS to weigh in on this? I know we talked about it as a potential area for focus in the past. Is there anything we can do?

MS. SEEGER: I absolutely think it would be helpful for NCVHS to weigh in. This is a longer track item on our agenda.

MS. KLOSS: Do you have any timeframe?

MS. SEEGER: Not at this time that I can share.

MS. KLOSS: Thank you. We will stay tuned.

MR. SCANLON: I am continually amazed at how many of the breaches and this is not just health care information, but information at large organizations. The breach consists of unencrypted information. I wonder if we have any insights as to why that is. Is it just too difficult to encrypt because it is too hard? These are often shared. There is often the staff in the doctor’s office or the welfare agency. They are sharing a computer and it may be too much trouble to encrypt. But it just seems that – and maybe the technology is just not easy to use just yet. Why would such a – this repeatedly comes up as a root cause. Certainly in HHS, we have had this happen in regional offices, not in the health area, but where someone stole a PC with personally identifiable information. If it had been encrypted, it would have just completely mitigated it. But what is the issue? Is it the technology? Is it just too hard to do?

MS. SEEGER: It is not too hard to do at all. One of these cases that I reported on, Catholic Health Systems, was an unencrypted iPhone. Anyone who has an iPhone even my daughter who is 11 has a password on it for whatever reason this iPhone did not. These are simple precautions that could be taken, as you mentioned. We say that leadership sets the tone over and over again. It should be the expectation that the – IT is the first layer of defense that they have in protecting the information that they hold whether it is financial, PHI, individually identifiable information, whatever.

Oftentimes both compliance and information technology is delegated to the director level. They never speak in front of the monthly board meetings. There is no report out on compliance and IT security issues to support the senior leadership. Personally, I think that that is part of the issue. It is a second thought where marketing and sales is number one. That is the vice president or senior vice president level in most health plans, in most large hospital health systems. Sales and marketing are on top. Compliance and IT are below.

MR. SCANLON: I get that. They are not in the business of privacy. This is a market economy. I get all that. It should not be that hard.

DR. SUAREZ: There is a difference between encryption in rest and encryption during transfer. I am going to ask us – Lucia has a comment.

MS. SAVAGE: Technical things. First of all, if you have certified EHR technology, certified in the 2014 edition world, it has a default setting of N point encryption at rest. But we know that that is incredibly underused. And also encryption at rest has very little impact on analytic processing speeds. Encryption in transit can slow down your analytic processing speeds as you acquire and redeposit data into whatever your relevant databases are. There is a lot of confusion about that.

But I thought that Rachel’s example of the iPhone was a fantastic case in point. We put the seatbelts in the cars for the doctors and they are not buckling them. We see this over and over again as well as with the time out features. I know there are really significant time out features in a surgical theater. But on a regular floor where somebody is in a bed, it is just not the same level of issue.

There are usability issues here, but I think more of that is human behavior. More than half of the breaches we find whether it is the kind that OCR is reporting or fishing expeditions that lead to malware that ransoms your data are because of human behavior. That is where the leadership sets the tone. That is where the voice of an organization like NCVHS who is so well regarded could really help us move the needle. I am going to spend a fair amount of time on this as well because not only is it cybersecurity month in two days, but it has just been such a huge issue for us to grapple with. We are very small and mighty. OCR is fantastic. By billboard time at time square. We do not have a budget for that. We have you guys.

DR. STEAD: Let me share what I see from my perch and see if it computes from Rachel and Lucia’s perch about what the problem is and how NCVHS might help. When the security rule came out in large part, the only way we could respond at that time was by policy and education, depending on people. And the technology for things like encryption was ridiculously difficult to use.

Over the past two to three years, the encryption technology and the multifactor authentication technology have become very easy to use. At least our provider organizations as best I can tell still largely come at this with policy and training. I understand many of the enforcement actions are where they are not even doing that. The ones that are doing that are not using two pincers, one being policy and education to move the things we cannot simply hardwire and the other slowly stepping of the floor of the hardwired technology solutions that eliminate people doing the wrong thing.

I think it might be useful to begin to get a message out that there is now a best practice, easily achievable technology enforcement floor for at least some part of the problem. We can advance that floor every X years. But I think that is missing from the current dialogue within the provider space. I may be off guard there.

MS. SAVAGE: I actually have a specific response on it. We committed with OCR in our interoperability roadmap to develop some tools for the industry to better connect what is available in certified EHR technology right now if you have the certification on that module that meets which features as a best practice of the security rule. Rachel, please correct me if I described it wrong. That is a work that is underway right now and it is not ready for prime time. Of course, when we publish something like that jointly, lots and lots of input goes into it.

I think there are two key things there. One is we can identify what works right now in November of 2016, for example. But to your point, in November of 2017, that technology should be better.

The other thing to remember is nothing prevents an organization from doing better. We are setting legal minimums here, not legal maximums here. There are organizations. I work for a big organization. We had encrypted – even if you brought your own device, if that device had access to corporate email, it had to be password protected. Your laptop had to encrypt when you turned it off seven years ago. There is an adoption lag and it probably correlates to capital and size as well as how much the public is paying attention to your particular organization. But we are trying to flex the muscles we have. We do not have all the muscles that people wish we did because we rely on individuals to do the right thing. I do not know if you want to add anything, Rachel.

MR. SCANLON: But it is true outside of health care as well. It is not just health care. There is something more generic.

DR. SUAREZ: I am sure Nick will probably give some perspective as a CIO of a health care organization that has to deal with internal at rest encryption versus encryption of external controlled devices. That is a big difference. Nick, go ahead.

MR. COUSOULE: I think there are three or four different things going on. Bill is exactly right. The technology, I would even go back ten years, was either very expensive or it did in fact create significant operational problems by implementing it that would slow things down or make it difficult to operate. That has now been the case for a long time. It is not just the last couple of years. It has been a long time.

We had the misfortune of having a theft ten years ago, which created a level of awareness that most of my peers would have died for at this point in time. I look back. It was a pretty nasty event happening in our world that we have somebody breaking into a computer room and steal some hard drives. It was not a hack or a laptop left out. Somebody actually broke into the facility and stole some things.

That then created a level of awareness all the way up to our board of directors. I make presentations on a quarterly basis to our board of directors about what we are doing for the entirety of our security and risk management program. It is not just security and encryption. It is risk management across the whole spectrum. It is one thing to say we encrypt all the data and we do. We did this back in 2009. This is eight years ago that we encrypted everything. Our entire storage platforms at rest are encrypted – all the storage inside our data center, on laptops, on desktops, on printers. It was huge. We spent $17 million. It was a huge investment.

Part of that is the technology is there. You can do it without big performance issues. It is a big cultural change because there are changes you have to make. Bill hinted at that as well saying two factor authentication works really well. We do it in lots of different places. We get lots of pushback from people who say I do not want to do this because it slows me down and creates a problem. And then you have judgment calls to make. Is it worth the risk? Is it not worth the risk? Where is it worth the risk? Where is not worth the risk? That is where I get into it is not just a security program, but a risk management program, looking at that in its entirety.

Encrypting data in motion versus data at rest. Again, the idea is you would like to encrypt all of it because it just reduces the risk period for any kind of data loss of data access. There do come complexity issues. There do come investment issues. If I had to say what the three things are that would be most important, one is the level of management attention that you can get. Rachel talked about it a little bit, which is if it is relegated down into the bowels of a technology organization, you have lost. Then you have to get lucky to be at a place that is comprehensive enough to give yourselves good access to security. It has to be escalated up to a level that matters into the organization. You cannot mandate that. That is a hard one to mandate.

You can do things as a company to say we are going to make sure we get to the audit committee or board or whatever the right vehicle is there. From a policy perspective, it is hard to mandate that one.

On the other side of it, it is an awareness question and an issue and then it is an investment prioritization question and issue. All these things. They do cost money and they take time. They are not perceived by most people in the organization as adding real value to what we do every day.

That is the other trigger point that I would argue. It does not advance the cause of changing our business, delivering different services to our customers or to our members or to patients, et cetera. It is viewed as something the technology guys do in the back office. When you are making investments and weighing decisions about where you are going to put time and money and effort, it is not always on the top of the list. Now more and more we are seeing very public issues and breaches and public trust issues and all kinds of things that have come along with that. The level of awareness and angst is now growing and growing such that that risk weighting is now starting to tip more and more in favor of hold on a second, this is real work that really matters than what we are trying to do even though it may not advance the cause of us providing better patient care.

MS. GOSS: It is interesting how important it becomes once it becomes a public known issue. All of a sudden everybody is really on top of it. Nobody at the top wants to see their organization on the front page of the paper. They do not think about in the moment of the prioritization.

MR. SCANLON: You have to make choices. You have to decide. You do not have unlimited resources. You have to decide how much you are willing to tolerate and how much you are willing to do on security.

DR. SUAREZ: Clearly, as I can see, the intensity and passion on this topic is something that would be really important to the National Committee and the Privacy and Security Subcommittee can consider this concept. The whole concept of encryption and risk management particularly. I do think there are some perspectives in the industry that would be important to consider.

I still remember physicians arguing that if you do encryption in the internal systems of databases that they are going to access at the point of care. Any 10 second slow or 15 second slow on any time that they are going to be in front of a patient will impact that. That was several years ago. Maybe now the systems are certainly much more capable of responding in milliseconds instead of tens of seconds. That is part of what I think the committee can do in the future in a way of bringing different perspectives and understanding the system capabilities and the impact of those kinds of actions.

MS. SAVAGE: I am just going to comment. That exact scenario, Walter, illustrates the importance of each organization doing an assessment of its risks because you have to think about a ten-second delay versus I have no backup copy and I might get ransomed in which case I am going to have a 300-hour delay. People just need to think that through, which is kind of a great lead in for me. I did not prepare slides. I was the American College of Cardiology yesterday and out of the office on Monday. I just have a few web pages to show you and I will make sure that the one link that I want to solicit your input on is circulated to members.

Cybersecurity month is fast upon us. You all know that under the Cyber Information Sharing Act, Health and Human Services got a number of particular tasks, and one of them is the Health Care Cybersecurity Information Task Force.

That task force has actually been blogging. It was a lot of work and effort to take an organization that often looks just inward at health and human services activities and really collaborate with industry. There are actually two blogs up. This one is the one in particular that we have been – it is in the ONC Twitter feed and my Twitter feed as well, if you want. But they are actually – they got this blog up on the health care blog and they have six questions. There is a comment box at the bottom. You can solicit. You can comment on the comments. You can comment on the questions. This is probably the best way that we presently have for members of the public to participate and give feedback on these particular questions. I wanted to put that up there. I want to make sure the link gets sent around, but probably not until I get back to my office. Just give me a couple of hours.

They are really soliciting input from organizations and individuals who have particular interests here. Some of you may be involved in organizations that already got solicited by this from me through our federal advisory committees, through other organizations. We have been trying to reach out to you about this or you will have seen it on my Twitter feed or maybe you have subscribed to the blog. Members of the task force who do tweet and blog have been sending it out. Not everyone does. I encourage you to do this. Time is running short because the time – we hope to have these comments compiled for the committee’s meeting, which is at the end of October. That will be October 25 and 26.

There will be some public portions of that meeting and some private portions of that meeting. I do not yet have registration material or public agenda. But if you watch the ASPR website, which is HHS.gov/PHE, public health emergency, you should be able to get information about that upcoming meeting that will be located somewhere here in Washington, DC. That will probably be the last in-person public meeting prior to the time that that committee really digs down to prepare its report.

Secondly, in industry collaboration, just to highlight what we are all just talking about, last week I was at a summit on private security. Travis LeBlanc, who is kind of like the Deven McGraw of the FCC. He is head of enforcement at FCC. He spent about 25 minutes talking about their enforcement of security technology within the broadband spectrum that they have jurisdiction over.

They have the exact same issues we have. People are not doing risk assessments. There are easy prophylactic measures laying on the table unaddressed for the systems they have whether those systems are vulnerable to malevolent outside forces and the data they are collecting about their broadband users. The head in the sand is not unique to health care. It may be worse in health care than in the broadband spectrum, businesses like Verizon and AT&T, but it is not unique so if that gives you any comfort. It did not give me comfort. It made me frightened. But I was at least happy to see it was not unique to health care.

One more thing about the CISA task force. The other thing about the CISA task force is OCR does not participate in that task force, and that is a very intentional, strategic move. HHS wanted to create an environment where stakeholders were really free to talk about the things that really need to be talked about.

And with all due respect to Rachel and we love our partners at OCR, having a regulator in the room could have a bit of chilling effect. They do not participate in the staff meetings as well. We do keep them well briefed within our own cybersecurity coordinating methods with NHHS. We cross pollinate information. We let OCR know about blogging. They let us know about the NIST conference. We pushed that out to the cybersecurity task force members, et cetera. There is good but appropriate collaboration happening there.

That task force is really focused on congressional requests for how do we improve cyber threat sharing in health care. You heard Rachel briefly talk about their guidance about how does a covered entity share the diagnostics of a cyber threat without sharing PHI. People conflate information sharing and PHI sharing all the time. I am constantly getting my red pen out and say let’s just call it cyber threat sharing so that people do not think we are actually releasing PHI here. Just simple things like that. And that is great guidance and it builds off of some wonderful guidance that homeland security issued in June as directed by Congress.

What we have done and this was a project long in the works with ONC and ASPR, the relevant agencies, is we had in July announced a funding opportunity for an information sharing and analysis organization. Just to give you a little jargon, we do have a couple of information sharing and analysis centers in the United States, which are primarily focused on moving information about threats around or amongst their members. ISAO serves the function of taking that capability and connecting it to the federal government’s threat sharing apparatus. In health and public health, that is through Health and Human Services and Homeland Security.

We got some great competitive applications. We went through the normalized process. We will be making an announcement about that shortly and that will kick off in a way that we hope has a long – it is seed money, but it is intended to be seed money that is sufficient to really grow a project.

One of the things we noticed almost immediately after we put that funding opportunity on the street, there were two grant opportunities, was one of the ISACs created a whole new membership path, which is much lower cost, which meant that smaller organizations could now participate in threat sharing information and education about how to address threat sharing without paying five-figure annual membership dues. We thought if we accomplish nothing else with the funding opportunity, which was certainly a step in the right direction. More to come on that during cybersecurity month. But that work is essentially done and we will be making announcements shortly.

Thirdly, we have been busy at ONC besides our threat sharing grant. In September, we released a new version of the security risk assessment tool. I have it up here on the screen. Hopefully, people online can see.

We actually planned a further overhaul in fiscal 2017, but the budget is still being worked on. This is a great tool that was designed to accomplish two things. A lot of people think we did this tool just so that providers could honestly attest under the meaningful use requirement that they had done a security risk assessment. But those of us who are HIPAA experts will know that attestation was great, but the security risk assessment requirement has been in the security role for a very long time. Even if meaningful use never existed, it was a great exercise to build this tool. It is the number one download at HealthIT.gov. Obviously, we know unique users so they know when I click on it six times in a month to show it because I am not a unique user, but we do not know how many of those downloads are actually putting it into use. We actually got a request from a consultant through the secretary. Could we please take it down because it was interfering with their business? We said no. Thank you so much. The taxpayers think this is important. We are going to keep going. That was one of my favorites this past year. This is up. You will see a lot more discussion about this, maybe some Twitter chats and some blogging and educational materials about this as we roll on into cybersecurity month, but it has been up for about two weeks.

What this does is it creates a Q&A format. We have some new features like you can download it to your desk and share it with people in your organization. It gives you questions that you then answer about your organization. You document the answer and it helps you through that answer and identify if that is a risk area that needs remediation and to figure out priorities for that remediation within your organization. It is actually quite useful for a 1-doctor office and a 12-doctor office. It would be informative for a really large organization, but we also have the assumption that they are so complicated that they are probably using this in conjunction with many other tools to do their risk assessments because they have these complicated legal arrangements and complicated business arrangements.

In addition, just this week for health IT week, ONC launched its health IT playbook. It has a special chapter in it about privacy and security. What is the playbook? The playbook is a re-envisioned way of getting information ONC already has in its encyclopedic knowledge of health IT out to providers. It is the brain child of Dr. Tom Mason. I am sure he would love to come and walk you through it at your next meeting if you want to invite him. I am just going to give you a high-level overview from my perspective.

It has different chapters about different things. There is a chapter about patient engagement. It has in there case studies from providers in the field. Kaiser was one actually, Walter. I am not trying to brand. I just remember that one because I had my kids at Kaiser and it sticks in my head. Our stakeholders have contributed their case stories so that other provider organizations can see how these concepts are implementing in the field.

It has a specialized section on privacy and security. This does two things. It lifts up and floats to the surface a lot of the great interactive tools we have like our videos and our security risk assessment tool. And it also creates a new channel to get to information that we published a long time ago whether it was our fact sheets from earlier this spring, the 2014 edition of the privacy and security guide, et cetera. We are really excited about this and we think this is going to be a very powerful tool for providers in the field. There are comment boxes on all the pages. We will collect that comment. It will be a document or an interactive forum that evolves continually in response to provider input.

Again, we are trying to rethink our ways to engage the health care system in important issues of privacy and security, but you guys all know. So much of it is human factors that we can exhort, but other people really have to take up those exhortations for action.

I just want to briefly talk about the kill switch guidance that Rachel referenced. I saw a lot of faces when she was describing that. If you are a student of ONC history, you will know that this has been an issue for quite a long time. It played a co-starring role in our information blocking report. We get questions all the time both from developer attorneys and covered entity attorneys about this space and how much can a contract between those two organizations change the nature of the covered entity business associate relationship. We are just thrilled with the guidance that OCR has produced. We think it is a perfect pairing to our contract guide, which is also an item we released this week for providers. I do not have it up on my screen because the main focus of the contract guide is helping those two people, developers and providers, have a better sense of the complexities of things that have to be negotiated to get an effective contract. There is a fair amount of HIPAA tips in it, which we worked very closely with OCR to get included. More to come on that later. You will see us doing some more connecting the dots.

DR. SUAREZ: We had a briefing on it yesterday from Elise.

MS. SAVAGE: I did not want to steal Elise’s thunder. I just wanted to say that we worked really hard to make sure it was not just about identification and intellectual property. We really tried hard to include some key elements of privacy and security in there. I could not hear Elise’s briefing because I was covering something. Vendel is travelling this week and so we are all spread around covering for him.

The last two things are – we do have two more fact sheets in the pipeline, one that should be coming out very soon. I was hoping today, but I do not think it is going to make it. It is one on disclosures in support of public health activities. We have done this in collaboration with the assistant secretary for health and the CDC as well as OCR. Certainly in my tenure at ONC, we have had Ebola, lead, Zika. It is an endless list for the last two years of just significant public health crises. We were all around long enough to remember many preceding ones. We really wanted to drive home the point that public health is important.

For that reason, we give public health authorities some pretty awesome powers to understand at a community-wide level what is happening with individual people’s health so they are entitled to get identifiable data in many circumstances. We have illustrated that in a fact sheet. It has drawings. It has cute names of fake states you have never heard of. Hopefully, it is coming out soon. I think the CDC is excited.

The CDC is – people recognize it as a significant public health agency, but I think as we drill down in the public health structure to states and local public health agencies, some of that super power sensibility, people seeing them as having a super power, gets dissipated, but in fact a county can have a super power as strong as CDCs if its legislature has delegated that power to it. That is a message we wanted to drive home.

One in the pipeline after that is health oversight. Health care oversight is the authority that insurance commissioners and state-based exchanges and Medicaid agencies have in their administration of benefits function as opposed to their payer function.

MS. KLOSS: That is again about disclosure?

MS. SAVAGE: Yes. These are all about permitted disclosures. We have four categories: treatment, health care operations, public health, and health oversight.

MS. LOVE: Health oversight could include insurance oversight.

MS. SAVAGE: It depends on the scope of the insurance authority within that state, Denise.

MS. LOVE: It is state dependent.

MS. SAVAGE: The fact sheet is not finished. I do not know exactly what it is going to say, but all of these powers are about powers that the agency that has that power has. They have to legitimately have power and that power is going to have a scope and that scope is going to be limited.

MS. LOVE: Some interpretation has been and again by here say on my part, only the public health authority has health oversight.

MS. SAVAGE: Health oversight and public health are distinct in the regulations and therefore we think of them distinctly, but more to come. When we produce it, it will be something that OCR feels we have correctly illustrated how the HIPAA rule about health oversight works. And again, we are a federal agency, helping people understand another federal agency’s regulation in light of state law. At the end of the day, things like public health and health oversight derive from the authorities that states – how a state sets up their own authority.

DR. SUAREZ: Lucia, is this coming out from ONC or from OCR or from both?

MS. SAVAGE: For the treatment in health care operations, we co-branded them. We were thrilled to have OCR’s seal of approval. But whether their brand is – there is a logo on it or not, we actually do not publish anything without it being approved by OCR. It is called clearance. Everything we describe about HIPAA is a subject to intense scrutiny by Rachel and her colleagues.

DR. SUAREZ: Just a pure perspective on perception out there. When something comes from ONC, it has two major brandings perception wise. One is meaningful use and the other one is EHRs. When it comes from OCR, it has the big branding of this is about HIPAA. We have to do this. I am just giving you a perspective out there in the industry about the source. Again, when guidance comes from ONC, everybody knows that this is about EHRs, health IT, meaningful use, certification. The connection with HIPAA – until they see the seal of OCR in it and saying this is coming from OCR, which oversees HIPAA, privacy, security. I just wanted to give you that perspective.

MS. SAVAGE: We worked very hard. I think all of the HHS agencies are great at collaborating with each other and leveraging each other’s powers while staying out of each other’s way and we do not try to tell each other what to do. What OCR decides to co-brand with us is 100 percent up to them. I am always thrilled to see their brand. That is the best answer I can give you. It is really their decision.

And of course a lot of things that they do like the FAQs on guidance on access – we turn into other information, which our videos are now in HHS’ website as well. You basically cannot go to HHS.gov without running into an access video, which I think is fantastic. The FAQ on the kill switch came from a request we made to them. Help us give guidance on this. They did because they understand the importance of availability of digital health information for patient care and for safety. I cannot drive this enough. It is practically an everyday dialogue that somebody in ONC is dialoging with somebody at OCR. We work very closely together. So close we are practically the same agency without being the same agency. We have independent authorities.

Then we are planning ahead for 2017. I just wanted to give a couple of things that we have been working on. One is what are we going to do. We did an API privacy and security task force. We did our non-covered entity report. We are working on the model privacy notice and there is a Twitter chat this afternoon. You guys will probably be busy. For those of you who are tweeting, you can monitor it on the feed.

What else are we doing? We are in the process of planning what we do next relative to ensuring that people feel confident that the read only API we require to be made available is secure in particular and appropriately private. That is a dialogue that we are having internally. More to come. I can give you highlights of what the joint FACA said to us about that, which is they would really like to see us do something that has two aspects on. One, I am calling it digital acumen, but I think you could call it almost anything. How do we help the physician community in particular, especially ambulatory care where they do not have a CIO in the office next door, understand how this technology works and what it means for their practice. Some of that, in fact, is already in the play book where we talk at length about how automation can actually help improve your work flow as oppose to be a drag on your work flow.

More importantly, how do we help physicians understand what an app is, what an API is, why might a patient select an app actually be reliably connected to the patient they actually recognize from having walked in their office at various times and how does that all fit together with the right to get an electronic copy of your data?

I was at this ACC thing yesterday. Very famous health care physician stakeholder was talking about how his wife went to his academic institution to get an electronic copy of his records and was told that that was not allowed. It was mouth dropping for me. That like if it is happens to me, please do not tell me you cannot under HIPAA because then I will have to have an argument with you and I do not want to do that. Lots of planning going on in that regard.

Secondly, we have been doing a lot of work behind the scenes in my office to help our colleagues working on the alternative payment model universe kind of understand how health IT and the rules of privacy and security and how data can be used implicate a data structure for alternative payment models. It is really just an internal educational dialogue.

But I wanted to highlight that because that is a key function of the chief privacy officer’s office that most of the public does not ever see. One of our key jobs and it is right there in the statute is to explain how privacy and security work in a digital environment to the national coordinator and whoever else in HHS need to explain it so that they can take advantage of it or recalibrate their own policy development programs in light of restrictions that might in fact apply to the data. That is something we do all the time. I think that in particular is a really important one as we move towards the 2018 goal of 50 percent advanced payment models.

I think I have a few minutes for questions.

DR. SUAREZ: I will ask a couple of quick questions.

MS. SAVAGE: You always have a question for me, Walter. I have one for you today.

DR. SUAREZ: One is about a report that I do not think you mentioned, but I think it is very important that you just released. I know it has been presented a number of times in other venues. The report about non-covered entities.

MS. SAVAGE: In my dream world, I would have brought the entire non-covered dog and pony show to you guys. I am just going to be honest. I am sure that press is listening and they are going to be all over this. Honestly, I did not have time today to look on my calendar. I know we talked about the API task force and what that report was, but I could not figure out in time where I had been at my last NCVHS meeting relative to when that report was issued. But I am happy to give a five-minute overview right now if you would like it.

I am just going to pull up the slides from HealthIT.gov. It is all on HealthIT.gov because we did it for our federal advisory committee. Those of you who have been doing this a really long time know that HITECH in fact asked us to generate this report, which we finally pulled across the line on July 19. It is about a 45-page report in which we analyze how privacy and security are regulated when HIPAA applies and how they are regulated for digital health collection vehicles when HIPAA does not apply.

The report is available at HealthIT.gov. You can just probably Google non-covered entity report and pull it done. It is quite comprehensive and quite definitive. If you think we go through a lot of dialogue with OCR when we publish a fact sheet, you should imagine the dialogue we go through when we are sending a report up to Capitol Hill.

In this report, the first thing we did was define what it was we were talking about. This was really important. The scope of what was digital health media within our thinking on the report. We included certain things, which are highlighted here on this slide. One was we made this definition of mHealth technology. For those of you who have a wrist tracker, definitely your wrist tracker was in scope. Your step counter, your heart beat tracker, your sleep tracker or whatever is on your phone that you are carrying personally that is collecting directly from you was all in scope.

We also included health social media. I am going to distinguish this in just a second from casual social media disclosures. We were really thinking about platforms like Patients Like Me or Facebook pages that are specifically designed to create virtual communities around particular health conditions where people are actively engaged in conversation about their health for that specific purpose. We also had in scope of course because of the statutory charge of personal health records that are not sponsored by a covered entity.

Out of scope was what we decided were indirect collection of health or information from which health conclusions might be imputed, but it was not directly focused or intended specifically to be about health collection. Those were things like the GPS pattern if you had the GPS monitor on your phone turned on and how it might correlate with pollen counts in certain parts of a city that you get from NOAA. And then as well, we also excluded things like casual social media like on Twitter. I feel terrible today. I have a cold. Compared to a Facebook page or an Instagram page about a particular health collection. The rest of the scope is described much more specifically in the report.

Not reflected on the slide, but relevant to you is we also excluded equipment that is subject to FDA regulation. FDA has grades of regulation particularly looks at security relative to safety and efficacy. Is this a thing that is clinically safe enough? That was all out of scope for us, leaving that to the good work of our colleagues at the FDA.

By the way, Walter, thank you very much for reminding me to do this. I really appreciate the call out.

We found basically five gaps and five domains. The first is that consumers are pretty familiar with HIPAA, but they think it applies a lot more widely than it actually does.

The second is that HIPAA has very specific rules that we are all familiar with about identification and de-identification and what state of data can you use it for what purposes as well as sales of that data as well as when the data can be used to market services to the person from whom the data was extracted. None of these rules apply by law to non-covered entities. They may have terms and conditions in their terms of use that we are all clicking through. We did not get into the behavioral psychology either, but we all know that pattern. But there are no legal minimums in this space for these items.

I will say that the report has very thoughtful and comprehensive footnotes that refer to – we did not want to reinvent the wheel. Where the FTC has tackled a topic like data broker, we just referred to the FTC. We wanted to really build on work that had been done before. If this is an area that you are interested in learning more, the footnotes of this report are quite rich bibliography for you.

Thirdly, moving on to security, very similar set up. You will see an emerging theme here. The security engineers, Nick, really know what they are doing here. In HIPAA what we have is as weak as it may be, there at least is some kind of minimum that people have to try to attain or they get in trouble. In a non-covered entity space, there is not a legally required minimum. If an organization has really made an investment in the security of its brand and you can all think about what organization that might be and its encryption power, it may be far exceeded the rest of health care, the rest of HIPAA-covered entities. But if an organization has not made that commitment in its brand and publicly, it could have far weaker security than the ordinary HIPAA environment.

Fourthly, the topic of access. You guys have heard us talk about this at length this year. Obviously, HIPAA gives people a very strong right to get from their covered entity or that covered entity’s business associate, their PHI in a designated record set or parts of it under the ONC rules and in an electronic format if it is maintained that way. And that right does not exist as a legal right with regards to non-covered entities. Picking on your wrist tracker, you might have a wrist tracker. You might decide to volunteer for the precision medicine cohort. You want to deliver all that tracked information to your researcher. The only way to get it out of your wrist tracker is if the wrist tracker company agrees to send it for you to your PMI researcher.

Some of the companies have really stepped up to the plate in that way, but again that is about the company’s business plan and their terms of use for you as a consumer.

Lastly, you guys have heard us work a lot this year with the FTC and OCR and the FDA on guidance for developers, but I will just say it straight up, it is (indiscernible). The developers are confused. We are pretty sure the confusion is impeding innovation either because people are thinking they can do what things they cannot and consumers have expectations that are mismatched with the terms of the product or because the innovators are wasting time on stuff that they should not be doing. That is the gist of the landscape.

We did also provide a high-level overview of what protections do exist. Obviously, I am not going to go on about how HIPAA works. You guys know that probably better than any agency advisory group in the government. But we spent a lot of time talking to the FTC and very carefully writing the report subject to their input. We took every edit they gave us except some grammatical ones about what their authorities were in consumer protection and how those authorities work in the health space.

First of all, the FTC has a very well-developed body of what we call federal common law, which are rules that derive from litigation and enforcement actions. You can even buy legal treatises about how they enforce unfair or misleading practices relative to consumer’s privacy and consumer’s security.

Secondly, they do bring enforcement actions where they feel that security is patently unfair or it has been misrepresented to the consumer and they have some active litigation right now.

Thirdly is what are the concepts of misleadingness and unfairness. Misleading in general would be an organization makes a statement and then does not comply with it. They print something in their terms of service, but it turns out that that is not quite the case.

Unfair could be they have terms of service. They are complying with their terms of service, but the terms of service are patently unfair to the consumer because the consumer may not understand them or they are just not in the consumer’s best interest. The FTC is quite activist about this. In addition for the cherry on the top for Congress, we also describe in general what the FDA authorities were in this space.

We got a lot of questions about why we were publishing this report in 2016 instead of 2010. There are a lot of reasons for that. But I think the one that makes the most sense to me and is a true reason is by taking the time we did, we actually caught the analysis up to the technology. If we had published this report in 2010, it would be so stale technologically by now. We are not using PHRs in a way that was – Microsoft HealthVault was the big deal back in the day. We were really able to catch it up to the way social media is used today, the way people are in this mobile space today, the differences in how mobile platforms work relative to encryption and not encryption. We are actually quite pleased that we were able to deliver something that is so definitive as of June of 2016.

We think it is timely for other initiatives that the government is undertaking, precision medicine being one. I have alluded to that. Delivery system reform is going to require a whole new level of patient engagement. Trust me, you are not going to be sending it to the patient’s fax machine at their home. That is not going to be happening. It is going to be happening right here.

Consumers are mobile. They are using this stuff. I was just saying. How do we make the dialogue about using mobile technology in a way that advances health for everyone as opposed to ways that the consumer ends up being dissatisfied by it? There are some great facts in the last month about – Fitbit does not yield weight loss, but Pokémon Go does to summarize it for you because Pokémon Go is a lot more fun.

Lastly, how does this connect to work we are doing? We talked about the API task force. This was a missing piece that we were really trying to get across the line for that task force before they finished their work. Timing did not quite work out. But task force members are well briefed on it now.

It fits well with the issues we are trying to drive with our 2015 edition rule and the corollary stage three rule from CMS. It really helps us bring to fore some important privacy and security issues as consumers migrate further and further and deeper and deeper into the mobile space. I am happy to take questions on that too because next is cybersecurity and you already heard all that.

DR. SUAREZ: I will not ask any more questions. You said you had a question for me.

MS. SAVAGE: Actually, this is a brag and a question. My mother is in Kaiser Northern California. My husband’s mother is too. It turns out. You can get a proxy account in Kaiser. You have to go through the phones to do it. I was so excited. But it turns out the proxy despite their power of attorney cannot have messaging with the patient’s doctors.

DR. SUAREZ: We have some kinks to fix out.


MS. SAVAGE: I actually happen to be a national expert on this and there is not really a security reason for that. Let me know when I can get messaging to my mom’s doctors.

DR. SUAREZ: Thanks for pointing that out.

MS. SAVAGE: I think organizations that make it easy for caregivers to get a separate proxy account are doing absolutely the right thing. Kudos to Kaiser Northern California for doing that. I just think there is more work to be done. Every poster child gets held up as great and can’t you do this too because there are so many things we are not taking advantage of.

DR. SUAREZ: Thank you. Are there any more questions for Lucia on any other topics? Thank you so much for the update, Lucia and Rachel both. As you can see, this is such a rich area. We only touched on some of the many other wonderful work that both ONC and OCR are doing.

MS. GOSS: I like how we are having a nice block time with them because we need it. Thanks for taking the time.

MS. SAVAGE: On the non-covered entity, I realized I went over it really quickly. If people want to pool their resources and get online with me and have a deeper conversation, I am happy to set that up for committee members informally as a webinar. Just let your staff know and they know where to get me. Certainly, most of you have my email already anyway. It is a matter of scheduling. I realize it is a little bit short shrift for you.

MS. KLOSS: I think also we just started to talk about this in our subcommittee meeting whether there was anything that NCVHS could do to reinforce or help disseminate. It is such an important piece of work.

MS. SAVAGE: People ask me what next. I think the what next on the differences in oversight is what do stakeholders want. What do the innovators want? What do the consumers want? What is the Venn diagram on how those things meet in the middle? What are the policy needs to get to those places without stifling innovation?

We have to remember that HITECH was a stimulus package and we have stimulated incredible new activity that is beneficial in the health care sector. We have a whole new generation of consumers who are digital natives coming down the pike. How do we make the system work the way we want it to work?

I will also tell you that even in Europe where they have general data protection rule, I am going next week to an OECD two-day workshop on trust and mobile health in that environment. I think it is a situation that many thoughtful industrialized nations are thinking about no matter how the economics of their health care system works. Whatever dialogue you want to facilitate whether it is in the subcommittee or not. Connecting to the developer community. All of those things. We have been doing a lot of presentations about this report. Everyone gets the slides you just saw. They are stocked now. Different people have different responses. A smart business person will see their opportunity and drive to it even if it is not what I as a policymaker would think would be the best conduct.

DR. MAYS: We just yesterday had this conversation, the data access and use group, in terms of what some of these privacy issues were in the area of wireless, mobile health. It is a space that we talked about that we thought we should be actually – we could come up with several issues that we are aware of.

One of the places that the work group is thinking about doing a presentation and maybe we need to talk with you about that is that Datapalooza.

MS. SAVAGE: We were hoping to get the report out for Datapalooza too. That did not happen either.

DR. MAYS: One of our workgroup members is actually one of the organizers of Datapalooza. There may be some benefit in some additional conversations with you as we plan for what we want to do. Our goal there is to really hear from the creators, the people that are working in this space about what their needs are, but at the same time to educate them on some of the issues that we think are important. I think that there is something to be said about a further conversation.

MS. SAVAGE: Deven and I, at Greg Downing’s request, did organize the privacy and security datapalooza this year. I will say that our intention, our goal was to reach the developer audience, but actually most of the people in the room were HIPAA professionals, which is fine. But we really wanted to reach this additional audience.

At ONC, we are always looking at ways to do that whether it is conversations with their organizations. I was just talking to one of the Rock Health founders yesterday. Thank you so much for tweeting our stuff because we are doing some great stuff about privacy and security in the innovation space. It needs to get out to your people. Maybe it is just building those relationships.

DR. SUAREZ: Thank you again, Lucia and Rachel, for this wonderful time. I do not know how we would have done this without having cleared our agenda yesterday and have this extra hour to spend with both of you.

MS. SAVAGE: I am always happy to take your questions and your comments. They are always quite astute.

DR. SUAREZ: We are going to take a break. I know we have to go back to our APCD discussion. We will do that after lunch during the time we have for the strategic discussion. We will take some time to finish up our discussion on APCD just to have the committee provide more directions to the APCD group.

We are going to go to a break and then come back at 10:05. And then we will start with population health.


Agenda Item: Subcommittee on Population Health

DR. SUAREZ: Okay. We are reconvening. We are still and I want to acknowledge that we still have a full quorum for the committee to continue conducting business. We will proceed to our next agenda item. For that, I am going to turn things to Bruce and Bill to introduce very briefly the topic.

DR. COHEN: This is great. We are entering the population health block. I am going to turn it back to Walter to introduce the next speaker.

DR. SUAREZ: I am going to turn it in a minute to our speaker, but I wanted to introduce our guest speaker. I really am very pleased to have Andy Wiesenthal join us. I have had the fortune to know Andy for a number of years. He was a pediatrician and a physician executive at Kaiser Permanente. He had the really big responsibility of being one of the physician leaders that really helped and led the implementation of Kaiser’s very large electronic health record system and transition and train over 20,000 physicians and more than 50,000 nurses and other clinicians involved in this process and really serve in such an incredible important capacity as Kaiser. I am sure he can talk even more about that. Now, he is with Deloitte Consulting. He is the person on this Digital Bridge project that we are going to be hearing about. I am going to turn things to Andy. Andy, welcome. A very warm welcome from the National Committee to you.

DR. WIESENTHAL: Walter, thank you so much for that kind introduction. As Walter said, I am a pediatrician. You may not have known that many years ago I was an EIS officer at Centers for Disease Control in the midst of all my training as a pediatrician and pediatric – I have always had an affinity for public health and surveillance and population health. In fact, one of my motivations for implementing the electronic health record at Kaiser Permanente was precisely to enable the organization to do population health.

After leading that project, as Walter mentioned, I retired from Kaiser Permanente six years ago and joined Deloitte Consulting, but I never forgot my roots. Ultimately – a lot of work at the Centers for Disease Control and over the last couple of years have been talking with – about how to help promote electronic surveillance for all sorts of public health issues and interventions and hit upon the idea of bringing public health and delivery systems, which I have a lot of personal connections to, as you might imagine, and electronic health record vendors together to build on the work that has already been done and to try to solve the problem – approached the Robert Wood Johnson Foundation – struck a very favorable chord with someone well known to most of you, John Lumpkin. He and I are conspired to get this rolling. We are calling it the Digital Bridge.

A lot of the preliminary work culminated in a meeting that Deloitte calls a greenhouse. I will not get into the details of what a greenhouse is like, but it is not your grandma’s meeting. The intent is to bring people who are capable of making decisions and commitments together in a single room for one to two days and actually get them to sign on the dotted line. You can see here that we had that session. It was divided into three parts where a vision was expressed, common understanding was reached, and a series of commitments to each other were made by the organizations and entities that you see on the right hand side of that slide. It was a very meaningful session.

What did we decide? There is a vision that it is critical to have these large and increasingly multi-jurisdictional health care delivery systems work together with the vendors of electronic health record systems and public health to create a fruitful bidirectional exchange of health information. There was a lot of recognition that there are certainly challenges. Most challenges have been dabbled with over many years. But the challenges are technical. The challenges are organizational and a matter of governance will and application of resources.

Everyone in the session committed to move forward in a rapid, timely way with broad engagement of their constituents. There was a creation of a governance body. A temporary chair of that governance body is John Lumpkin. And the governance body is comprised of representation from the entities that were actually at the greenhouse session. It is to recognize that that is the initial governance body and the intent is to ride herd on the work that is progressing now and then ultimately transform itself into a permanent governance entity for the exchange of information between public health and the delivery system.

The first phase of executing on the vision will be complete by July of next year. It will involve several proofs of context, using some of the delivery system sites that participated and the vendors that participated to exchange electronic case reports between the health care delivery world and the public health world.

Governance has already begun. A technical solution will be built and the vendors, by the way, and there may be some representation from these vendors in the room. I am not aware if there is or isn’t. They can confirm this. The vendors committed to working together to not holding anything back, not being proprietary and to in fact develop the technical solution based on the requirement that the other participants denotes and to donate that technical solution to the country. They will charge for the work. The beginning is notifiable disease data, but that is not the end. The end as part of the grander vision is to use these electronic surveillance tools to guide population health assessments and interventions.

This is what we did. We obtained consensus. The governance body has been meeting. There were four work group – requirements, regulatory, technical and sustainability. There were some very interesting ideas promulgated about sustainability. We will talk about those if there are questions.

There is the intent to finish with the full requirements in the next couple of weeks. Walter can attest to the intensity and the detail of that work because he is on the requirements work group. That group is meeting two to three times a week for several hours – to try to build on work that has already been done and flesh out key requirements.

This is the I-Chart. It is a timeline. One of the most interesting moments for me in the greenhouse session in June was those of us who were supporting the meeting laid out a suggested timeline that would get us from the point of that meeting to deliverables on July 1 of 2017. Those of us who did that preliminary timeline were concerned that the participants would be very worried about the front loading and speed that was necessary to get there and would start to shift some of these tasks to the right. In fact, what they did was shift them to the left. There was an extraordinary commitment of time and energy. You can see that these boxes are very high level statements of what is going to occur. There is a lot of work underneath all of them and that work is actually being done.

There is a lot of other information in the appendix, including some information about the working group structure. Again, there is a notation here about these are built for speed and the ideas behind it. The principles behind it are that they will work fast and iterate and continues to try to get it as good as they can and as quickly as they can and improve as they go along.

I do not want to spend a lot of time on these slides. I know I have done a very rapid run through something that actually took almost two years to accomplish an ongoing complex effort. I feel like it would be much more important for people in the room if it is reasonable to ask questions and try to help them understand on whatever level of detail they would like about the kind of work that we are doing. I will stop with the formal part of this update and open the floor through Walter to questions.

DR. SUAREZ: Thank you for that overview. Yes, we do have questions. We will start with Bruce.

DR. COHEN: Hi Andy. This is Bruce Cohen. I am co-chair of the Population Health Subcommittee. I really see how this Digital Bridge could interface with some of the work that we are hoping to do. In particular, we had a very generative discussion yesterday about what role the National Committee could play in visioning and developing the new generation of vital statistics. I really see the potential intersection of case reporting, EHRs and public health surveillance in vital statistics. I was wondering whether you have thought at all about vitals in this model or whether you would be open to considering how vital statistics could fit into some of the work that you are doing.

DR. WIESENTHAL: We are not only open, but we certainly have thought about it. I do not want to pre-judge what the solution is going to look like, but let me paint a possible future state for you. I think you will be able to see how vital statistics could fit into that future state.

What these people imagined is setting up essentially a public-private partnership utility, almost a new company perhaps, that would be governed by these kinds of stakeholders and that utility would maintain all sorts of rules and information. As one discrete example for the first group of concepts, what it would mean is the set of codes whether they are diagnostic codes, procedure codes, or laboratory procedures, or result codes. It would maintain a set of codes that would be consumed through the Bridge by all of the delivery system world through their EHR products and that would trigger a report. The vendors are imagining that they would send not just little bits of information, but everything they have a patient and the encounter in particular that generated a report or that was triggered by one of those codes. It would go back to this utility where whatever rules were desired would operate on it. From the public health reporting standpoint, it would be, for example, what jurisdiction is asking or needs a report, what information that jurisdiction requires in a report let’s say of a sexually transmitted infection or another reportable condition and so on.

But you can imagine a world in which in the simplest form one of the codes that would generate a report to this utility would be the birth of a child. All of the information that is necessary to populate a birth record and other information that might be required by vital statistic entities and to state, local, or national level would come through to the utility, be operated on by the rules, and then be acceptable with the proper authorities to the vital statistics entity. Does that flow making sense to you, Bruce?

DR. COHEN: Kind of. I need to think about more.

DR. WIESENTHAL: I am not presupposing that that is the way it would be done. Perhaps you tell me. I will turn it around and say what is the most pressing vital statistics use case that could be helped by this work.

DR. COHEN: This is a two-beer conversation at least. It is a little early in the morning for me. I would love for us to continue this conversation in the context maybe of the Population Health Subcommittee so we can get more into it. I am getting a better sense of what we are talking about. I think for now I will hold off. We will continue this conversation. That would be great. Thanks.

MS. GOSS: I think I am sort of in a similar space as you are, Bruce. I am trying to get my arms around what are they trying to do here. When I heard the word utility, I am starting to think that they are inferring or implying that there is an exchange platform hub wrapped around with a bunch of rules that you want a bunch of industry players to follow in extracting data at EHRs to get them to —

DR. WIESENTHAL: No. That would not be how it would work. The EHR vendors would not follow any rule. If they want to keep it simple, they do not actually care what the rules are. They want the rules to work outside of the EHR in some other place. What they want to know is tell me whose encounter and whose data you want. After that, what you do with the data is up to you. I am going to send you everything I have. Public health has the right —

MS. GOSS: I guess I am still trying to figure out what you are trying – when you say the word utility, what do you mean?

DR. WIESENTHAL: Don’t dictate on that. Forget I said it. What we are trying to do – and that is just one model. It is a virtual place that would be governed by all the stakeholders where once data flowed out from an EHR, it would be saved and accessible with the proper authority to whoever had the right to see it for whatever purposes they have the right to use it.

MS. GOSS: This is a way to take the investments we have already done under HITECH and enable more efficient sharing of information for public health purposes, which is something the states have already been doing. I am confused about what space this is filling and what I am missing.

DR. SUAREZ: Maybe, Andy, if I could add perhaps a perspective as a member of the governance group of this initiative and now also a member of the requirements group that is helping to develop this. The way I say it is I think there is two big pieces that might help people understand the concept. One is triggers and the other one is routing of messages and information. Triggers mean basically what are the requirements that CDC, local public health, others would have to generate to trigger a public health case report. Those triggers can be then translated into computable algorithms that becomes clinical decision support rules that can integrate into the EHRs so that when I am seeing a patient and the patient has this then the triggers that are generated and created through the work in public health and federal public health, they generate the expectation in my EHR that I need to report this. That is the first effort.

MS. GOSS: It does not track with what he said.

DR. WIESENTHAL: It should because that is exactly what I was trying to say.

DR. SUAREZ: We are using different terms I think in talking about platforms and other terms. It creates some perspectives. We all have prejudices about different terms and perspectives on what they mean. In reality, it is about triggers and about routing messages. The triggers are the critical part because they are the ones that tell me as a provider in my EHR. I am seeing a patient. According to the rules in public health, I need to report this case.

MS. GOSS: That does not mean the EHR needs to have those rules —

DR. SUAREZ: The EHR needs to be able to consume those rules from a source. There are already standards being done. There are already standards being developed to establish those CDS-like rules that can be then interfaced. Talk about API capabilities. Talk about all these new technologies that allow the EHR to interact with sources of clinical decision support. There is already one that we use all the time, which are immunizations. In the immunization world, there is already even in meaningful use requirements that the immunization registries have the clinical decision support rule that tells the EHR system what are the current immunization schedules and things like that. That is one example. Triggers.

And then the message routing and the transferring of the message. Once I generate the message, there is a whole workflow process to put together the package, the right information that is expected by public health based on this case depending on what case it is, and then send that information to the appropriate agency that needs to access it. That is why we have in this group providers like Kaiser. We have certainly public health, local and state and federal public health represented. We have the vendors, both the EHR vendors as well as the public health information system vendors. All those are the ones that are interacting in this discussion to develop the workflows and expectations that can be then ultimately converted into computable elements that can be used in EHRs. Andy, I do not know if I said anything —

MS. GOSS: You made one distinction for me, which is that I thought I heard him say that you were not looking for the EHR vendors to do something and that is not what – I think I misheard that. What I am hearing from your clarification is that EHR vendors are going to be more effective in supporting their providers and meeting public health needs because of this initiative.

DR. SUAREZ: I think so.

DR. WIESENTHAL: They want to be. Part of the problem that – delivery systems and the EHR vendors are facing is that they – dozen of jurisdictions with different rules and designing a solution that is a one off for Delaware and New Jersey and Pennsylvania and it is different is too much – they do not want to cope with that heterogeneity. And the delivery systems are no longer single jurisdictions. They transcend jurisdictions. They are trying to stamp down the heterogeneity of the reporting system world. Devise a solution that will work for everyone and deliver real-time data and much more ample data about the things that are of interest to public health that they have ever gotten before.

DR. COHEN: Andy, you have provoked a lot of interest in this subject and what you are trying to do. Unfortunately, our schedule requires that we move on to the next presentation around population health. We will talk to folks here on the committee to see if we can reschedule a conversation with you to explore more about what you are doing.

DR. WIESENTHAL: I would be very happy to do that. If you can spell my name, you can find me.

DR. COHEN: Thank you very much. I am going to take the prerogative of the chair to move on to the rest of the population health report.

DR. WIESENTHAL: Thank you.

DR. COHEN: What we would like to do in the rest of the population health block this morning is first of all to give an update about the workshop that took place on Tuesday and save a little time to begin discussing some of the plans for our upcoming population health 2017 work plan.

I also want to announce now that Bill is becoming chair, we have a new co-chair of the Population Health Subcommittee and that is Bob Phillips, who is hopefully on the phone.


DR. SUAREZ: Bob, can you hear us? He said on his email he can hear us.

DR. COHEN: You might be on mute, Bob. Bill, take it away.

DR. STEAD: Congratulations to Bob. What we want to do briefly this morning is to walk through at high level the vetting process that we use to develop Version 3 of the framework, the purpose and people that we are able to bring to the table for the workshop that we held a couple of days ago, the input we have received from the workshop participants, and the suggestions for recommendations that came out of that effort and then have a discussion of that and then the pop health work plan. We will be busy over the next hour.

Over the summer in June coming out of the last Full Committee meeting, we put Version 2 through a broad electronic vetting process that included all the participants of the November 2015 workshop, the people in addition to that that were invited to this one, and a variety of organizations and experts that were identified by the subcommittee.

We received over 100 individual comments from these different types of organizations in our partner echo system. The comments were four categories. Some of them were about the domains and subdomains themselves, which you will recall are the framework is at the level of domains and subdomains. It is not at the level of indicators and metrics. And others were about specific indicators. And then a lot of comments around the interaction amongst domains and among indicators and questions about how the framework would be used.

This summarizes the evolution of the framework. I think one of the things we heard in the workshop is that the content of this slide that shows how this has evolved is actually one of the most important contributions of this effort to date because we have been – unlike other efforts, we have been trying to get an unbiased framework of domains that match to the degree they can federal departments and use terms that they are used to so that the departments will be able to see metrics of how they can move toward them in a way that have collective impact on health.

The changes in this that happened between V2, which we had when we were together in June, and V3, were largely in the areas first of education, adding achievement to go beyond attainment as leading communities are now doing to promote food and agriculture to the domain level because the majority of comments we had were around food and nutrition.

And then to really rework extensively. Vickie was very helpful in this. What we are now calling community vitality and to call out in that social capital governance in particular and social inclusiveness. We also balanced infrastructure and capacity amongst the various domains. That is where we went into the workshop. If you will chime in, I will click slides for you, Bruce.

DR. COHEN: This is our final tag team match unfortunately. It has been a wonderful partnership. I have to really thank Bill. I have learned a lot from him as co-chair. It has really been a pleasure to work with him. I am really happy he is going to be our new chair.

It was an incredible workshop on Tuesday. The purposes of the workshop were really to strengthen this multi-sectoral effort to improve community health and well-being. Of course, our target are to help HHS and other federal agencies re-energize their focus on sub-county and local data and try to create this framework that provides a guide where everyone could see themselves in terms of an organizational structure that would be beneficial at the community level as inputs into whatever community initiatives are occurring and at the federal level across departments for organizing and generating data.

The fourth purpose of the workshop was to create this hand off not only to continue federal work, but to stimulate a collaboration with the private sector who has been in this space for much longer than HHS and many federal agencies.

It was an incredible group of really brilliant people who I learned a lot from and I think there was joint learnings. Many of you were in the room. If you have anything to add to our descriptions, please feel free to chime in.

Just a plethora of federal participants and health organizations. You can see here. Foundations, nonprofits. It was really a great exchange. Our facilitator, Monte Roulier, did a really wonderful job of helping us work together to distill essential ideas. It was a combination of very short presentations by experts in different areas and a lot of small group work and the interaction and flow of the day I think was really wonderful.

DR. STEAD: I want to thank the subcommittee and others. We really did have the right people in the room. It was unbelievable as we went through the sausage making to get there. The right people landed and everybody lifted weights to make that happen. It was what was necessary to make it a useful day.

Feedback. First, there was clear agreement that the framework of domains and subdomains are directionally correct. The participants overwhelmingly affirmed that while at the same time suggesting changes. Another I think important point that should be followed as this is carried forward in a public-private forum is that there be a periodic review and update as we learn as is done by county health rankings. I think we think this one has begun to stabilize. But it will still change over time.

Another suggestion was to alphabetize the domains so it is very clear that the order is unbiased. We need to clarify the intent that our goal is to accommodate two complementary objectives. First, the framework can accommodate a parsimonious multi-sectoral core set of indicators, a very small number that can guide federal and state process and policy and resource allocations on one hand and can allow communities to compare themselves against others for the purposes of benchmarking to be able to identify best practices. Alongside that, it can accommodate a flexible set of multi-sectoral indicators to strengthen health and well-being efforts at the local level.

We think that showing both together in one framework will do two things. First, it will allow us to identify as we learn over time metrics that are in the flexible set that should be promoted into the core because of success across numerous communities.

At the other hand, I think that one of the difficulties, one of the challenges of getting agreement on a parsimonious core is everybody has to give up their favorite metric or indicator in that process. And the fact that they are still around and still usable, but not being the focus of what we are really trying to do in a consistent way and that there is a way of promoting them based on experience, I think might actually help break through that political conversation.

We think it is extremely important that both the core level metrics and indicators and the broad ones be accessible at the sub-county level.

There were lots of suggestions of indicators that should be represented. Those of you that have worked with the document know that after the framework of domains and subdomains, we include what we called a sample of the framework with examples of indicators that were already accessible at the sub-county level and were ones that were not and therefore indicated gaps. We want to expand that sample to appropriately show how the types of things referenced on this slide fit into that. I will not go through them individually.

DR. SUAREZ: Just for those who may be following, this is on page 166. That is the start of the measurement framework on the eBook.

DR. STEAD: The sample is. But these items are ones that were – should I read through them for people on the phone? Self-reported well-being, community resilience, child care, public health capacity, readiness to collaborate, readiness to share data, metric of organizational change, what people are experiencing, gun violence, lethal and non-lethal force, racial inequity, tax base beyond local income, environmental justice or the key things that I had in my notes. I do not know if other people who were in the room remember things that we missed. We have the transcript so we will pick it up.

PARTICIPANT: Food safety.

DR. RIPPEN: From the environmental perspective, they use the term built environment as opposed to neighborhood characteristics. Again, I think there might be little nuances and polishing stuff.

PARTICIPANT: It is on our flip charts, which we will be —

DR. STEAD: The challenge we have to figure out is do we want to put built environment under environment in place of or in addition to neighborhood characteristics, recognizing that those indicators will also appear. Some of them will also appear under housing and transportation. Since we have been clear from the beginning that we are not intending that indicators only be able to fit in one place, that would be fine. That may ease the conversation a bit like getting agriculture up at the domain level. That is a good point. Thank you.

Other pieces we have missed? Let me turn it back to Bruce for suggested recommendations.

DR. COHEN: Again, there were I think three buckets of recommendations. One had to do with creating a federal work group to continue with these efforts. Again, the focus would be around the data to improve community health. There were a bunch of ideas about in order to create this federal presence, should we recommend that OMB create this organization. Should there be congressional action or how do you go about creating a federal hub? Is a home for this the National Prevention Strategy as a possibility? You can see on this slide some of the conversations that we had.

The second recommendation has to do with transferring or developing a collaboration not only amongst the feds, but creating this public-private partnership. Soma Stout, from the Institute of Healthcare Improvement, who is leading the 100 Million Lives effort, volunteered at the end of the day to help facilitate a small working group of nonfederal folks to think about how all of the work in the nonfederal sector and there is an enormous amount of work in this area already could be coordinated and carry on these efforts.

Some of the issues there – again, we always come back to what we mean by community and what is the actionable jurisdiction size for which data should be available, recognizing the need to protect privacy of individuals for whom the data are generated. And certainly, we do not have the expertise to populate the domains and the subdomains with the appropriate core indicators and broader set of flexible indicators. There has been a lot of work, which we do not want to duplicate in the private sector in this area.

We need to work on the framework, Version 4 of the Framework. That is one of the recommendations. And the two other recommendations have to do with continued federal work, private sector work, and then certainly the integration of the federal work and private sector work.

Let’s stop here and take some questions and feedback.

MS. KLOSS: I heard another recommendation that I think probably should stand on its own and that is that some outreach to gain consumer feedback happens sooner rather than later and that the current roadmap shows that happening a little further down the road. At least at our table, there was strong comment that that needs to begin now. We press that discussion a little further. Actually, I was fortunate to sit at the table with the representative of Robert Wood Johnson Foundation. She said what could our organization do to support this because we are just doing planning now for a budgeting and priority setting. I suggested perhaps you would be in a perfect position to help convene this early consumer feedback initiative. She seemed receptive to that. I just think that some early follow up with them might yield a way to move forward on that.

DR. COHEN: That is wonderful. We were hoping to stimulate that kind of interest and to know that RWJ is interested in helping and support this effort is just fantastic. We will definitely reach out. Was this Caroline? We will reach out to RWJ to continue this. Thanks for that insight that I overlooked. We do more community involvement in this development.

DR. MAYS: My comment is in some of the same space because at our table, the issue of who was not in the room and what it is that we actually need to do to reach out. There was also a foundation person with us. I really think that we need to step back and say in the roll out of this, what do we need to do now because what I am concerned about is that – I know we want to go ahead. Believe me, I have nothing against Soma, but it is like maybe you need to have a team of people involved. Maybe it needs to be a broader inclusiveness and a planned inclusiveness. Soma said it is just a matter of people. Raise your hand who wants to be in this group. But maybe we need to think about strategically that foundations should be in that group. We need to think about the way to really make this a stronger hand over.

I think I said this before. Robert Wood Johnson can reach out to the hundred cities. A person with an agency can reach out less. I think we just want to think about the next steps in a way in which it is open, but that it is impactful and effective. Remember, there were people who were not in the room, not because they are not interested. Do we want to have a broader kind of outreach again to make sure that other people who really can serve us well can be at the table?

DR. COHEN: Thanks. Soma just agreed to help facilitate the development of a work group. Any suggestions about who you think should be in that work group or who was not in the room that needs to be involved? Let Bob and me know. We will certainly pursue that.

DR. MAYS: I do not think it is a who. I think we need to say what are the components that should be at the table to make this work. It is not just about people.

DR. COHEN: It is about organizations.

DR. MAYS: It is about the perspective and strategically how to use that to make this hand off work. For example, if I were the planner, I would say things like I want the foundations at the table. I want some of the major states, cities, et cetera that have accomplished these things already. There are a lot of people that want an answer. I would want some of the people at the table who have already tried some of this out as opposed to bringing those who are just very interested and eager to sit. But I want the experienced people at the table. It would just be to think about how to do it.

DR. SUAREZ: Can I say just one very quick comment? I just wanted to quickly – there is a larger table to who else should be and who should be. I think that is a second step. The first step is the smaller group that was agreed to begin the process of getting those questions on the table. It has to be a small group that gets started with a little bit of work that can organize these. That was a point. The first step is a smaller group like five or six or seven people that can put all this together and then the larger group can be engaged.

MS. LOVE: Mine is not really a recommendation, but at my table it came up repeatedly. I would be remiss if I did not bring it up. It seems to be an unresolved issue, which is the data availability and the growing data gaps like substance abuse data. Every time that we have one of our small group discussions that percolated to the top. I wanted to keep that in mind as we move forward.

DR. RIPPEN: Again, I thought it was a really great job and pretty exciting. The only thing I was thinking as far as missing from of an inclusion perspective is perhaps NOAA. If you think about climate as an environmental component, it is very different from what people think of a natural environment, especially because they have some really cool data about particular matter and the growing changes in the climate and the implications. Just to think about it as maybe a bucket even if it is under environment.

MR. SCANLON: Three thoughts. Number one. Whenever you do this, we find this out in Healthy People that everything is connected to everything else and you have to be careful intellectually and practically to not to be drawn into a lot of relatively minor – not that they are not related, but on the other hand, it is a never-ending journey if you do that. I think some concept and criteria for what is in, recognizing a lot of other things might be related, but otherwise it is an impossible task.

Number two. I think we have to start thinking about managing expectations. The committee’s role remember – you are a committee. You are not an operation agency. You do not carry out working on that. At some point, the committee is going to have to say we have finished. This is our best thinking – officer of the role of thought leader. We have to hand this off now. I do not know who will take it up to be on this. Certainly the federal agencies can help with data. You need more than that to be honest. We have been there before. Statistical agencies do not have a lot of – they do not have even sub-state data particularly. In many cases, it is state data. County and sub-state is even harder.

Again, I do not think the committee should be developing the indicators. I think the committee’s role is the concept. This is our best thinking about the various factors and dimensions to consider. At some point, it has to be others who will fill this in.

You quickly run out of fuel when you are looking for sub-county data. A lot of it is administrative. The economic world. And, Mike, you know this world pretty well. The economic indicators are actually – there is a lot of – local county data comes up in various ways. There is an agreed-upon set of indicators. That is a whole area that are not ever here, which I think you can just refer to under the employment –-

There was one more thing I wanted to mention. In the context of public health 3.0, I think public health service will be issuing where we are with public health 3.0. They will have some recommendations. Part of public health 3.0 remember is the data and analytics and metrics for the community level as well. I will get that to the work group as soon as we can. I would want us to at least be aligned not contradictory and then we can build on it.

MS. HINES: Can I speak to that, Jim? In fact, there were people from the department in the room representing public health 3.0. Claire was there and Healthy People was there. I have been talking with the Healthy People folks and they are interested in hearing about this work as they start the developmental process for 2030.

MR. SCANLON: But this is different than Healthy People, I hope, anyway.

MS. HINES: Except that Healthy People is looking at shifting a little bit their approach and developing 2030 in acknowledging the role of the Healthy People framework also being applicable below the national and state level and to the extent that metrics can be selected. It helps them.

I feel like there is some alignment and that was actually intentional so that we were not going off in separate not aligned directions. This subcommittee has worked very hard to stay in alignment with that so that we are on parallel tracks. I just wanted to make sure people knew that.

DR. COHEN: You see in our work plan convergence with public – 3.0 is one of the goals of this effort within the department and certainly aligning with Healthy People as it moves forward.

Bob, I know you are on the line. Do you have anything to add to this discussion at this point before we move on?

DR. PHILLIPS: Thank you, Bruce. Thank you all for your confidence in letting me join Bruce in co-chairing this committee. I am really grateful. One of the perspectives I think that was missing in the room is what I was trying to raise in the technical presentation was the issue of clinicians. We had Charlie Homer there from ASPE. He has partners on the other side of ASPE who are supposed to lead these recommendations next year on how the quality payment program will adjust payments based on social determinants. There is quite a bit of angst about that because in a clinical setting, we really do not have any mechanisms for bringing social determinants in at the patient level or the population level.

I think this list of metrics becomes important to the clinicians. And that then comes together to meet up with the public health needs, which is why I was presenting the IOM reports from 11 and 12, calling for the share platform and why at least three of the papers that were released by the IOM on Monday also speak to the shared platform. I think we need to engage the clinicians and the other side of ASPE on this. It increases the incentives and the interests in having these data available to sub-county level and figuring out how to use them in both public health and in personal health care. I think it is going to be an important part of our strategy for getting both buy-in and movement.

MR. SCANLON: We have a report, which we can share with the committee. But the rule there was looking at social and economic – SES as a potential to risk adjust health care payments. It is different than community health or public health. You find out that a lot of these variables are correlated so you do not need 100 of them. You need probably two. I do not know where that will go, which is a little different than this where you want an indicator or you want a domain separately. I will get that report.

DR. COHEN: This will emerge as we move forward I think in the population health subcommittee as a potential area for us to investigate how we could support QPP and directions that that is moving.

DR. RIPPEN: I was just going to say that the nuance as far as responsibility for capturing determinants of health. I know from a clinical perspective, people are overwhelmed with capturing more and more data as the clinical sector being responsible. There are a lot of issues.

DR. COHEN: Let’s move on to the —

DR. O’GRADY: I just wanted to speak to the issue that Jim brought up. It is just an efficiency, assuming kind of running this out logically. Let’s say we are successful. It builds up this inertia. The momentum goes. You are doing it. Given that we have moved well beyond health into these other areas, which is appropriate. You find a home at let’s say at OMB and they are willing to take some responsibility and go with it. I think that Jim because he is always very diplomatic about these things. At some point, if an agency takes over responsibility, which is a good thing and you want, they are not going to take it as a fully baked cake with the icing and the candles already on it. They are going to want to have their own input. They are going to want to make it their own. In terms of just efficiency of how far you take this before the hand off, you just want to be a little – it will hurt your feelings if you find – you will be happy that they take it over and then you will go what about domain three. We sweated blood on domain three. They decided that that was – if justice wants to do it, justice can do it, but we are not going to do it anymore. That sort of thing.

I am just thinking. You have this. You have the interest built up. You really have done your homework in terms of getting this refined. I think that strategy of what is the right time to hand off while the momentum is still high is just an important thing to think about because you do not want it fully cooked and then people go that is somebody else’s baby. That is not my baby.

DR. COHEN: Point well taken. My two initial responses are clearly this is a dynamic process and we try to design the framework so that all departments could see themselves in it. It fosters cross departmental work. But clearly, if communities or departments want to focus on particular domains, they have the ability to expand those to their hearts delight. We are trying to set it up in a flexible manner that would allow pride in ownership within domains, but general pride in the federal approach across domains.

DR. STEAD: Let me put a fine point at least from my perch on the time to do the hand off. The time to do the hand off is as soon as we finish this report. We have used all of our bandwidth and we have come close to running as an operating entity thanks to the unbelievable energy of Kate to get to this point. We now need to bring this phase of our work to a closure with the report as we help this other group begin to start up and we make the recommendations and we then hope people will act on the recommendations.

As that effort moves on if we are successful, we will then – the committee will have other things about that where we will undoubtedly be helpful in looking at different aspects of the public part of the public-private. We are really committed to making a transition at this juncture. There is no doubt about that at least in my mind.

MR. SCANLON: Don’t make it together, as Mike says, like IOM did – everybody should use these. That is not —

DR. CORNELIUS: I would like to really put a bigger period at the end of that sentence to amplify what I was picking up from Michael. We have to be ready to let it go. I hear things like helping and transition. For me, that sounds like enabling active processes. I understand from being a fed. Once it goes someplace else, it is there. When we get to that point where we close this out, it is a whole different thing. There will be other actors. In our minds, we have to let it go.

DR. COHEN: Thank you. I need that admonishment.

MR. SCANLON: I would stay away from naming some of the organizations that you have named – the last people you want to ask.

DR. SUAREZ: I think there are three things here. One is the summary report. A different thing is the draft letter with recommendations. And I think those two activities will go and continue through February 2017. But I think the let go has to start now in the following sense. Tuesday during the session at the end of the session I distinctly got the sense that this group that what is going to get started is what is going to be independent now. Let’s not wait until February 2017 to get this started. I think this group needs to start tomorrow. I volunteer to be part of it. I am not going to be part of the committee anymore so I will be in that group. I really think that that group is going to be the one that creates the transition. By the time this gets out, the other group has already met a couple of times and had already planned to move it forward. I think it is very important to do that starting now.

DR. O’GRADY: Can I make one last comment here? To keep in mind that one of the lucky things about this is that ten years ago at ASPE we were sitting around talking about – Tommy Thompson came back and heard about this interoperability and we stole some talent from RAND and there were about six or eight of us. But that is what ASPE does. There is something new. There is not already an agency. There is not an office of fill in the blank. They put together. Is there a there there? Is there a critical mass to get this going? Will there be funding? Will there be staffing? How do you do this sort of stuff? And now we are sitting here listening to updates of our 14 different programs and our $20 billion budget. That was just eight people in a conference room ten years ago. We borrowed some CDC guys. They were pains in the ass.

You have the tail here of who – the people who birthed these sorts of programs right here in the room. This is what they do. Depending on your opinion of ONC, maybe they do it well. Maybe they create more bureaucracies and what were they thinking of. This is your teed up well just given who you are working with, given the issue, given what you have been able to do so far. I am optimistic.

DR. COHEN: The hand off will happen. We are talking about work that the Population Subcommittee will be engaging in in 2017. Certainly, bullet number one is finish the workshop report and the recommendation letter and framework V4 and hand it off.

The other things that clearly emerged. I thought we had a fantastic initial discussion about getting more involved in vitals.

DR. STEAD: As I pondered last night, yesterday was a very opening up day around vitals. I think that opening up is very important. But as I pondered last night, I just wondered is there a need to do a relatively quick limited step to get the definition of the birth and death record standard so that that can begin to get plugged in. The vision is much bigger than that. But my guess is that standard is still going to be necessary. I did not know whether there could be a very contained step of just getting that standard done or whatever recommendations we need to make to help the SDOs, et cetera do it and while we then continue with the visioning beyond that. Maybe that step is not necessary. But if it is necessary, I am not sure it should wait until after the visioning. The thought put in yours and Bob’s thinking.

DR. SUAREZ: Just a quick note about the standards that you mentioned. The standards are done. HL7 has completed the electronic birth reporting standard. It is approved. The standard is approved. It is ready to be used, the same with the electronic death reporting. I would even bring in what we just heard about electronic case reporting for public health and wrap those three around vitals and electronic case reporting.

DR. STEAD: I am just wondering. Is there a narrow set of statements or recommendations that would help begin to get this embedded into the certified EHR technology, et cetera or is that unnecessary? Should that precede the visioning work just so that it does not get pushed out?

MS. GOSS: I think it needs to go into the EHR certification program. I think that under the meaningful use vetting process to get to MU3, it was on the table and got taken off. It is work with our federal partners to elevate this as to an essential requirement I think.

DR. SUAREZ: I suggested it yesterday. There is right now an open common process for the ONC interoperability standards advisory, which defines all the standards that are currently in place and that are looked into for the near future. There is no mentioning of any of these standards. One opportunity to begin is right to do it. Not as a full committee to comment on it, but as individual organizations. We mentioned it yesterday during Delton’s and Michelle’s conversations. There are some initial steps to try to push the standards.

MS. KLOSS: Why not as a full committee make a comment about this as a missing consideration?

DR. SUAREZ: We could come together in five minutes and come to an agreement that we should submit a quick comment to the ISA to consider incorporating the standards into the ISA. If people feel comfortable to create and submit that comment, I think we can —

MS. KLOSS: If you do not, the consequences are – it is a long time before that perhaps gets revisited.

MS. GOSS: If we are looking for the idea of convergence in a roll in trying to pull the pieces together and reuse – let technology leverage the data and let us focus our energy elsewhere. It is a hugely missed opportunity. We keep kicking the can down the road on getting that clinical data to be effectively used for all the end use cases.

MR. COUSSOULE: — is a good idea, not that you have to own it now and do – inclusion now I think is actually a very strong statement.

MR. LANDEN: I am not sure we are at that point. I am certainly not comfortable with that because before – I am not sure it is ready for uptake. We have standards. My basic question is I think we need to talk with ONC to see why it was not included in this year’s ISA. Their next update is not due for another year.

DR. SUAREZ: This draft is intended to be completed by November of this year to be published officially for 2017.

MR. LANDEN: I thought we were passed the comment date for the draft.

DR. SUAREZ: No. The comments are due in the next few weeks or so. And in many ways, ONC has a little bit of leeway. We can submit a letter anyway if we want to two days later. We can comment on that.

Just one quick point. By virtue of suggesting including it in there, we are not suggesting nor by being included there is a mandate to do it. By including it, it is a recognition that the standard has been developed. It is in place. It is ready to be adopted. There is out of the 120 standards listed in the ISA about 60 percent of them have a little column that says require, no. Most of the standards listed are not required by federal or state regulations. This is one of the ones that should be recognized in the ISA as a standard. It is recognized as an element that should be connected to the EHR, but it is not something that is mandated, but at least listed. That is the idea is to recommend that type of a recognition in ISA without the intent of mandating it because there is no mandate.

DR. COHEN: I am hearing a desire to consider this. I am wondering whether someone can take the lead in drafting that note or that very brief letter for circulation among the Full Committee. I do not know whether we could vote over the phone or what is required to do something like that. Maybe that is an immediate action for us to take based on our conversations and discussions yesterday and today.

DR. CORNELIUS: I am just thinking about these baby steps. Somehow in the back of my mind I keep thinking about the Board of Scientific Counselors and NCHS and wondering whether they are having these discussions the same time we are because this is part of their bailiwick. If we are going to continue down this road, maybe we might want to have a conversation about that. I understand we are talking about vitals. Did I miss it?

DR. COHEN: We are talking about short-term steps for vitals and longer term considerations. Maybe in the public comment period, we can get Mark who is on the Board of Scientific Counselors to comment on what they are doing in that area.

DR. SUAREZ: Very quickly. I just checked. Comments are due October 24 at 5 p.m.

DR. RIPPEN: I just wanted to highlight something that is interesting in the process and it is something we may want to think of at a broader perspective perhaps. When you think about vitals as being so core, we all get born and we all die. It is a core component, but not everybody deals with it. A lot of the process for making recommendations of what is in or out from a meaningful use perspective is really about whom does it impact the most as opposed to the perspective of an individual and what are the core measures. Perhaps even thinking about are there certain groups of data sets like vitals that we really need to think about including or having additional processes for inclusion and that is just something for us to think about. None of us would think vitals would not be part of it.

DR. COHEN: The discussion yesterday and today around vitals makes it clear to me that we want to be in this space, but we need to spend more time figuring out where the talents and experience of this committee can make a different. There might be a short-term goal around this letter, but we need to think in the subcommittee or in the full committee about other opportunities for vitals. The plans for a winter workshop, I think, were very premature and we need to spend more time thinking about how we can make a difference in this area.

MR. SCANLON: I thought we did include in the framework. Isn’t there a domain that would encompass the rates associated with births – infant mortality – so we have a place holder at least —

DR. COHEN: In that framework, yes. I think we are talking about additional activities for the subcommittee. Vickie, you have been very patient.

MS. GOSS: Where do we land on writing a letter or a comment? I am lost. Did we or did we not?

DR. SUAREZ: Let me just make sure. Is there anyone concerned about preparing a short letter that simply states that the National Committee – this is a letter directed to ONC that simply states that NCVHS is recommending the inclusion of the electronic standards that have been already developed and are in place for electronic birth reporting and electronic death reporting. Those two at least. We can add to it. Those are the only two.

MS. GOSS: It is more to recognize them and to get them starting to be socialized and make people aware of them.

DR. STEAD: We want them on the list as not required.

DR. SUAREZ: They are not required. There are five columns that you have to suggest in there. This is the standard. And the five columns are – the status of the standard is a draft. Is it a normative standard? These two are actually normative. The second column is has it been implemented or is it simply in development or testing. The other column is are they free, which these are and the last column is are they mandated by federal and this is not. We can actually simply state. I will be happy to draft very quickly and – starting tomorrow.

MR. LANDEN: I am concerned about that because I think we have heard the pros of abusing that approach, but we have not heard any definitive discussion of what those standards are and whether there are any cons from the industry. Before we recommend something for inclusion, I think we need to look into it and understand what it is we are recommending and not just recommending something because it sounds like a good idea. I think we need to do some due diligence.

DR. SUAREZ: How do you suggest doing that?

MR. LANDEN: I can get that started. I can consult with the EHR Association and see. I think the presentation yesterday mentioned that there was one EHR developer that has incorporated that and to some extent at least has rolled it out.

MS. GOSS: I think one of the things that I am noticing is the benefit that some of us had from a demonstration that was given to this organization, which may have preceded some of our current members. Five of them. I think from that perspective, we heard from public health vendors, EHR vendors. We heard from HL7. We saw NCHS. There was a very robust discussion. That may be why some of us are more comfortable, Rich, than you are because I have seen the birth/death standards development and industry use piloting really mature over the last couple of years and feel very comfortable that those are ready for recognition and for people to start working with. Maybe that is part of the disconnect.

PARTICIPANT: I will look at that too if you can point me.

MS. GOSS: It was a physical demonstration they brought to NCVHS needing to showcase it to us.

DR. COHEN: You might want to talk to Michelle about it. I do not know whether these demos have been done before and I do not know whether any of them have been actually recorded and available to view.

MS. GOSS: They have done them at HIMSS as well.

DR. COHEN: They have done them for the National Association of Public Health Statistics.

DR. SUAREZ: I understand your level of lack of comfort.

DR. COHEN: I am very aware of the time. I want to make sure that –

DR. SUAREZ: I just want to know where the status is with the letter.

DR. COHEN: I think we are all in favor.

PARTICIPANT: I move that we prepare such a letter to ONC —

MS. GOSS: I think Rich should also do his outreach and report back so we can do it in the next couple of weeks. If there is any new thing we need to really consider, let him do his due diligence and check with his community, give us that input and we will see if it materially changes the direction.

MR. LANDEN: My suggestion is let’s do the draft and then the vote. That will give me time to get comfortable.

DR. SUAREZ: We do have a motion on the table to do draft a letter. Do we have a second?

MS. GOSS: I second.

DR. SUAREZ: We have a second. Any further discussion? Everyone in favor say I. Anyone opposed to drafting the letter? Any abstentions?

DR. COHEN: I am abstaining. To draft the letter, but not to send the letter? Are we going to need another vote to send the letter? I withdraw my abstention.

DR. SUAREZ: We do not have a letter to approve.

DR. COHEN: I apologize. I did not understand the vote. Thank you for the clarification.

DR. SUAREZ: We consider the motion approved unanimously. We will draft the letter.

DR. COHEN: I have two minutes before I want to leave time for Vickie. The other things that we are talking about that we will continue to discuss as part of the work plan for population health for 2017 is something that was – both of these things were mentioned before. One is converging with public health 3.0 to see how the framework and the efforts that we have done can help support those activities. I think that will also integrate with our connections with healthy people because they are in the same kind of space.

And the other that Bob began to mention was doing some work for QPP, which is the Quality Payment Program, which is a key provision of MACRA, which is the Medicare Access and CHIP Reauthorization Act, which contains two programs: MIPS, Merit-based Payment, and the APMs, the Advanced Payment Models. Essentially, I am going to turn it over to Bob because I am passed my pay grade already. These are ways to pay for clinical payment that have to do with improve quality.

Bob, do you want to give us a 30-second overview of what you are thinking is about this?

DR. PHILLIPS: Sure. Thanks Bruce. As I mentioned, there is going to be some effort to adjust payments. As Jim said, it may be on select variables. But to Helga’s point, how you collect those, which data you wind up using is going to be pretty important. These maybe ecological, not patient-level measures. But it gives us an opportunity to explore what those may look like.

On the other side, MIPS and APMs have four sets of measures: quality, what used to be meaningful use, practice improvement activities, and value-based payments. There is also the idea of how you might use population data to inform and direct clinical practice improvement activities. It would require that clinicians have access to the same kinds of data so they can decide what kind of either population or community-level interventions they may want to try as clinical practice improvement activities. There is a host of ways that population health might be able to inform the QPP programs. Is that enough?

DR. COHEN: I think that is a great start. That gives us a summary outline of the space that we might be moving towards in population health.

We are also having a population health subcommittee later this month for other members on the population health subcommittee and actually for the full committee. If you have any suggestions about areas that you think the population health subcommittee might pursue over the next year or so, it will be really helpful to get those cards and letters into me and Bob for discussion and consideration. I want to stop here to make sure Vickie has enough time. Thanks.

DR. SUAREZ: Thanks Bruce and thanks Bill for wonderful leadership in the Population Health Subcommittee and the incredible work on the workshop and the plans ahead.

Let’s turn it to Vickie for her report and update on the data access and use work group.

Agenda Item: Work Group on HHS Data Access and Use Update

DR. MAYS: I think the most exciting thing that I can start with is announcing that we have a lead staff person. Let’s welcome – do you want to just say a few things about your background.

DR. SORACE: I am a medical officer in science and data policy at ASPE. I am a pathologist by training. I have a Masters in information systems. I have been lucky enough to do a lot of work over the years in both EHR adoption and in large-scale –

I look forward to this because I think – it is a very interesting time in terms of facilitating big data and large-scale data analysis. I think we are at a very interesting opportunity within the federal government of developing systems that not only meet the needs of researchers and patients and providers outside, but also in developing systems that enable us to – mission more critically – has been involved in fits both sides of that equation.

DR. MAYS: We are happy to have you. I think this will be a good start for us in terms of having a person with his background.

In your e-Agenda book, there are several materials that – I think staff is passing them out. There is one thing and that is the guidance on increasing use and access to HHS health data. I think that that is going to get passed out as well. If you go to page 187 in the e-Agenda book, you will have it.

Let me get started. Part of what I wanted to do today is to start and give you some background as to why the issue of access and use is so important. There are many ways in which this has come up. But I think the frame of it is important so that we have a sense of where NCVHS via the work group fits into the larger HHS as well as the White House has a big focus on open data. We will start a little bit by talking about open data, which as you can see here was really motivated by Obama’s memorandum in which he wanted to talk about open data, open government. I think this is probably some of the history of the push by HHS for data to actually be much more transparent and open.

I borrowed this slide from Conn because I thought it was very interesting of the push to see that part of this openness, some of the principles that are promoted in the open data movement. And here what you see is data is the new oil. I think what that really gives us the sense of is the eCommerce that is really associated with the issue of open data.

Principles. That is something that we are thinking about in terms of developing guidance for HHS on ways in which to do open data. We want to think about what those principles should be. These are the principles that are also flowing from the White House in terms of the belief about open data, open government. It belongs to everybody. It comes with public money. Anybody who is funded by NIH knows that when your grant hits a certain level, that level is to be made public after the grant is over. Part of thinking about public money and making data public is – there is a big push on that. It generates economic value. The issue of more informed citizens. I think the focus also is the issue of accountability, transparency, innovation, participation, and economic development.

Here, again, this is just a quick reminder. You saw the president again in 2013 bringing this up. Here, as you can see, it is like the push is that if you think about making data more accessible and usable, the hope is that there is going to be innovation. Unfortunately, Josh is somewhere in the airport or the air or something like that, but this is something that Josh often talks about the ways in which, for example, Google and ProPublica and others have taken data from HHS and developed a number of innovative uses for that data. Again, that is part of what we are hoping as we work with data entrepreneurs that we are able to do by making the data easier for them.

When we talk about open data, the question is the idea of open data is great. But the question of trying to determine the right way. That is a lot of what we are going to struggle with in the work group. We can say quite easily that it should be complete and it should be primary and all of this. Those are ideas that cost money, that take time. We have to think a little bit about not making the prefect the enemy of the good, but instead thinking about how to do this in a way that is feasible and reasonable because it is the only way that we are going to get buy in. I am going to talk a little bit about the importance of buy in.

What is it that we are looking for when we talk about making open data platforms? These are some of the ideas. I want to start to have this discussion early on and have people involved in it. We want search engines that can really locate things. That is easier said than done. It is easy to have a search engine, but how, for example, you tag data, how, for example, and the public is able to understand that field is very important.

Meta data. We have talked about that so much here. We want detailed meta data.

We want capabilities to interact with the platform. What happens in some instances is there is data that you have to be in a secured data center to do that. Are there ways in which we can make that easier to make it more accessible?

You also want the ability for people to give you ideas and feedback. If Damon were here, he would also talk about that. He wants ways to be able to hear from people about what we can do better. On the back end, there are ways to build in the capacity to find out how people are using your data, how easy or difficult it is. Some of you have probably seen this. You will go on to a website and a little thing will pop up and say are you willing to take a survey. Are you willing to give feedback? Most people say no. You have a feel for that because that is the ability to be able to learn sometimes is by asking people directly or the ability to be able to learn is by having things in the back engine that captures information.

DR. SUAREZ: One of the big requirements right now pretty much is standardized requirement now for most of this and not all of them is you heard – where it is coming from Lucia. API capability is pretty much one of the most ubiquitous new expectations on open data platforms basically. Nowadays when you go to any of – a number of them. That is the goal. It is really every one of the data resources that are available should be capable of interacting through APIs.

DR. MAYS: Exactly. I think that is why timing for us of thinking about some of this is actually good. There is the push. Josh talked about push and pull in a different context. I agree.

And the other thing that I think we have not talked a lot about has been visualization and the extent to which in these data sets, you actually want for individuals some visualization of what is available, what is there. Sophisticated users. We will download it. Do quick analyses. But there is some consideration when you are trying to be more open that there is a way for a person to see. There is a table that shows me in a pie chart what the gender is and what the race ethnicity is so that people will then be able to further utilize that data if no more than to just see that that tells them who is in the data set.

This issue of what is available in terms of what kind of data and what kind of information. The interesting thing is – this is kind of the workshop on Tuesday even. How do we deal with the issue that some of the data that will actually help people utilize the health data may be outside of health? I smile because you talked about Helga at NOAA. For example, thinking about meteorologic data. That is very important for our disaster planning people. It is very important in some of the planning that we need to do. The question of what data and information that we want to impact I think is important. We can talk about administrative data. We can talk about census data.

Part of what we need to think about for the work group in terms of the work we want to do is what are the bounds. It is like we do not have endless resources. We do not have endless times. I think that we also have to think about where do we think we can make an impact. We have to have a sense of what other groups are already doing that we can build upon within HHS. These are just considerations of the kind of data. I do not think that we can be all things to all people on a first cut. Getting a sense of the priority where to spend our time and energy is something that I want the full committee to actually talk about.

This is just a model in terms of thinking about it. It is not just an issue of the data itself. This is just one of these reminders that what people find powerful is not just the data, but sometimes when it is analyzed. To the extent that data is there for people to be able to go to that gives them an answer as opposed to there is a data set is also something we want to talk about when we think about making data open and accessible.

I am going to talk about some of the results that have come from the effort in New York State. Erica Martin, who has just joined our work group, was actually funded by Robert Wood Johnson to make their public health data open data. She brings to us a lot of findings that I think we should think about in terms of again what will be a best strategy for developing guidance, where we want to go, et cetera.

For example, one of the things that Erica talks about as an anticipated benefit is going to have to be the business case that we provide in terms of getting parts of government involved. What we are talking about is more efficient public health operations, data quality, and external researchers being involved, whether or not it improves the health care delivery and the built environment, which was very interesting that the built environment was included for them. Health literacy was one of the cases. Consumer decision making. Reaching new audiences who bring innovative ideas. But reaching audiences who bring innovative ideas, the notion was being able to have some kind of loop that the State of New York could hear those innovative ideas. Create new applications for the public and promote government transparency and fairness.

This is part of what was the buy in for them. This is part of what they saw as anticipated benefits. This is why they were willing to engage in the amount of work that they did.

At the same time, the issue is what were the challenges encountered when trying to do open data in New York. The first one is one that I think we will encounter when we start talking about this with HHS, which is how much time of individuals it takes. I think we are going to have to address issues of cultural resistance in data sharing. We also know there are legal and regulatory issues. We have to think about what the quality is for the data and hence the meta data. The issue that is really in the realm of privacy is thinking about re-identification risks and balancing the value against the issue of potential risks.

Technical issues. Again, it is like nobody wants to change because their legacy system is there and it works and it gets it out. Sometimes questioning whether or not you can actually change the platform is one that people will struggle with.

Knowledge gaps. We have, for example, sometimes a shortage of individuals who have the capacity to do some of these tasks and then in an open system trying to deal with the diversity of users.

What they did find was successful in being able to move the State of New York to have more open public health data is I think some interesting things for us to consider, one of which is needing sufficient resources, needing to have legal review, making sure that there is a strategy to deal with the resistance. Again, I think the cultural notion of how it is that one moves to open data really is something we have to struggle with. The tasks that we are being asked to do I think is not an easy one, but it has to start at the top. I cannot remember who said that earlier in terms of data change, but starting at the top.

And then being strategic about how to do the improvement and one does not want to recreate the wheel. We do not want to do that. The issue of trying to really see where we want to start with some low hanging fruit probably.

Some of her recommendations for how to be able to accomplish this open data model are really to start with high-value data sets. It is like let’s start in a place where it is non-controversial in terms of the release. You are not worrying about things like re-identification risk as much as you are actually adding value. Cultural change in terms of the organization. Leadership has to buy into this. Considering what the legal guidance of de-identification techniques are in this open data in terms of thinking about tradeoffs between that value and the risk.

We have two things that we have developed. One of them is a data matrix and that is something that came from having this crosswalk to population health’s framework. We were originally asked to try and do a crosswalk to that because they had done some work with identifying important areas. For us, the question was how do we then translate that into making data more open and accessible.

What happened in this task, which both Helga and Josh were working on, is that I think it grew beyond just the framework that you were using to thinking about this much broader.

Helga, do you want to talk about these next set of slides?

DR. RIPPEN: Many of you saw the high-level matrix as it relates to what is necessary for data consumers to really get a sense of whether or not the data would be relevant to them or useful to them before they do big investment. As you know, if you are trying to consume data and you are looking at sites, it is really hard to know.

What we are really trying to do is leverage the framework to tag across all of the domains and subdomains. Now that there is a consistent way of us to tag data sets by data owners of where it falls and it could be multiple and then describe in more detail in a consistent “standardized” way their data set so that there is a way for us to do a quick look and make a decision. That becomes really important because if we can use something like the domains and subdomains and we also have details about the methodology of the data, what the interpretative quality is, but also what geocode level is it. People can then make a decision quickly and you can automate this of what is available, what is not and actually get to it quicker.

We actually did a lot of cross walks with a lot of different groups including some of the work that was done by the California Health Care Foundation, but also New York to make sure that all of the basic summaries of the data sets would be included. It is really important for you to look to say – and then it is doable by the data owner. It is really important if you can review the matrix to say if you are looking for data, would this provide you some insight? Josh did a great job of actually reaching out to his data users when they look at data sets to say with the information that you would find in this be useful. Would it have answered the questions before you went after the data? He actually said that everybody actually had what they wanted. And different types of data users wanted different pieces depending on what you wanted to do. That was a nice check off as far as that was concerned.

The other thing I would like to get some feedback on is if you think about National Library of Medicine and how they have Medline and they have this abstract of all published documentation that if we think about can we do something similar to data sets that are going to be shared one way or the other, you can quickly see how a standardized way of capturing this information could be really powerful and whether or not NLM would be an appropriate card catalog system for it or not would be kind of an interesting question. That is really the thought.

It also provides another opportunity because we are going to be tagging it to these dimensions as far as where are the gaps in data. Again, we would love to have your feedback and reactions as it relates to those sorts of things. I am hoping that the next step would be actually for some of our colleagues in the Department of Health and Human Services that actually produced the data to say give us feedback on what is the level of effort and what are the implications of this. Maybe some people who are more in the non-government space to say if you were going to publish your data or description of your data and you are making it available, did it seem reasonable or not? That is the high-level overview of what Josh has taken leadership on for a while and what we are working on with our colleagues.

DR. MAYS: The issue around the data matrix is that we are going to have a set of guidance and the matrix would be almost like here is the how to.

DR. RIPPEN: It is even smaller. The things that she described are really encompassing. Ours is just how do you describe it that reinforces to your point.

DR. MAYS: Part of what we want to do before we get too far out there is to really start talking to some of our colleagues in HHS. For example, we asked Susan Queen to be at the meeting. We know that her view of NCHS will help us immensely to spot any areas where we have missed or to have us rethink how we ask some of the questions. It is not going to do any good to do all this work if we really do not get buy in because this is one of those efforts where we could put a lot into it and then it just falls on deaf ears. There are a lot of issues around – it is almost like if you have seen one data set, you have seen one data set in terms of how it is designed. Try to think about, for example, having the ability to survey the HHS data owners and it not be onerous.

When we think about this matrix, we want it to be very reasonable about it. Comprehensive, but reasonable. Thinking about the extent to which, for example, change can come about. Typically, these data sets have contractors. The contractors make these major changes. It is not like everybody can do it all at the same time. There are a lot of variables that are going to come into play in terms of thinking about how it is that we can get people to respond.

You have the matrix and one of the things that we would like you to do is to be able to give us feedback as to whether or not the things that are in the matrix you think are comprehensive enough and then we are going to go out and do some piloting of that within – we are going to go out and consult with some of our colleagues within HHS. I think piloting is a bit much.

Questions that are going to get raised within thinking about this matrix are things that you brought up in terms of some of the encounters. I think there is also this issue of push-pull models. There are philosophically some things that we need to think about before we engage in just the matrix itself and that is whether or not within this concept of push-pull which is the orientation that we really want to promote here. I think each has its pluses and each has its minuses. We are going put that on your plate. I want to rush through a couple of other things so I have time for discussion.

Let me ask you to turn to – I do not know if you have – but to actually turn to the guidance because that is where the set of questions are that we are working with. The guidance appears on page 187. The guidance is a document is where what we want to do is to be able to talk to HHS about recommendations that we think can make a difference in terms of this. It is like the philosophical background, the principles that we think people should follow. Some of this will include things like data stewardship principles. Some of this will be principles around privacy and confidentiality.

Part of what we want to do is to be able to think about what the bandwidth is. What I want to get to are some of the questions that we asked people to look at. When you look at this document, we were trying to find out whether there are major items, sub-themes that are missing. Should things be in smaller detail, larger detail? Do you have any suggestions for ways in which to collect this information? Let’s just go down and then you will see what our boxes are.

A conceptual frame for increasing use of and access to health data. This, of course, is the open data health principles. We are trying to decide what kind of framework that we want to use. At the end of this document, there are some proposed frameworks. One of the frameworks is the one that was used in New York. One of the frameworks is the one of the ones that we have tended to use in the past, which has been that of – there is this framework which Erica has used in the past in New York that is for consideration. We have used our health statistics visions for the 21st century. We are really trying to get a sense of the frame that we are going to utilize. That is part of the discussion that we are going to have. It is part of our request for you when we give this over to you for you to give us some feedback about. I see have 11 minutes. Have people looked at this? If people looked at it then rather than my going through this in detail, I would like to be able to open it up for discussion.

Jim, before I do that, let me allow you to make some comments as well.

MR. SCANLON: A couple of observations. And, again, it is expectations because – again, I think we do not want a one size fits all kind of a guidance. Even on our data.gov, there are some that – I think the resources that you put into the dissemination and access is proportional to the demand and the value. Everything is not equal to some extent. Some sense of the proportionality of the support for the data relative to the potential value.

Number two. I would again be careful now to suggest that HHS agencies have to do this. This is really meant to be the best thinking from our external community. If they want to – if it is helpful to them, fine. If it is not. I would just keep in mind that we are learning this in our data work groups at HHS. Sure we have a trillion dollar budget, but the folks who are actually working on these dissemination activities are fairly – is relatively few. And often it is administrative data that one person has part of their time doing this. We are trying to systematize the policy for this should not be a one off every time.

And the other thing is where the value and the resources are are places like NCHS, one part of CMS and some of the statistic agencies used to be – again, it is a proportionality. I do not think, for example, vital statistics data or the claims data from CMS is quite the same as trying to find every conceivable administrative data set that we have in posting it. That is not helpful, the one size fits all. That is what I would think of. A little more nuanced when we go ahead. The expectation is that this is our best thinking. Apply what is useful. It may or may not apply to you. There is not a one size fits all.

At some point, we are going to have to really be a little more sophisticated about this open data. Data is used as a term to mean everything from a telephone directory or a grantee directory to scientific knowledge to almost anything. Everybody looks at it differently. The researchers and the public health folks who want to analyze data. It means one thing to them. It means something different if you are looking for a hot line to call or the community health centers in your areas. We have not done this in open data particularly ourselves. The idea was to get it out there and let people adapt it. I think at some point we are going to have to sort out what it really means.

What a researcher needs is very different than consumer health information or as a directory of where do you go or where do you find out about different diseases. Again, if we keep in mind that this is our best thinking, this is the first crack at it is directed to the agencies, we could probably get some folks to look at it for you. When it is a little further along, we can have you come to the data leads meeting or something like that. But, again, it is highly variable. I want it to look like it is flexible and it is meant to represent best thinking. It has to fit into what the agency has yet to do.

I do not think all data is equal to be honest, not that it should not be made available, but there are different ways to do it. Some of it will never be open data, but it does not mean it is not accessible. You have to go to the research data centers. You will always have to go there for some of the most high-valued data sets even for the Medicare data just down the road.

If we just keep talking about open data generally, it is hard to know what am I supposed to do about it. But if we start to become a little more nuanced, I think it will help our agencies. It is exactly what we were looking for is what is the thinking from the developer community and the technology community about how you could get to our HHS data a little better.

DR. SORACE: I was just going to say that many of the goals of open data really overlap with what we need to be doing more of to run our own data systems internally of HHS. In other words, they are very similar. I want to know what data is available for policy analysis. I want to know where it was who collected it. We have many of the same questions. I suspect that the overlap between what we need to do can meet our own needs at HHS and what we need to do to meet the public’s needs is actually substantial. We could be our own greatest consumer of a lot of these tools.

MR. SCANLON: It depends on what they are looking for. Again, if it is – information, that is one direction. If it is research data, it is a somewhat different approach. Again, I think you just need to adapt the situation and be a little more nuanced.

DR. MAYS: I think our goal will be to actually have use cases. I think we have already ruled out that we are not going to start at the level of the consumer, but instead we are going to start at some of the other levels. I think that is part of what we wanted to hear from the committee. If there are particular types of data to start with. I agree with you. I just put a list of the different – to show you that we cannot do all of that. And what we are trying to do on our bandwidth is to really say where is a good start point for this. It may be that what we are starting with are the surveys, the NCHS. Again, if there was any compelling area of start given that HHS is our customer, that is part of what we wanted to hear. From that, what we will do is use cases so that we are very clear about – even when you give guidance then you are able to give a little case study. You are able to demonstrate. Again, what we gave today and what is here is the outline that we are going to start with to discuss where we want to come down to because the job is very big just like the task for the work group is very big.

We want to stay focused. We want it to leverage convergence where possible. For example, I think that there are a lot of privacy and confidentiality issues that are here. I think Leslie Francis who is in our group talked with you, with Maya, with Susan Queen. What we are trying to do is to really say this is a big agenda. If there are particular places that there is a timing that we need to land in, that is what we wanted to hear from the committee. The particular areas that you know are in need of an answer that would be a quick response for us then that is what we wanted to do. Otherwise what we will do in the work group is really to sort out these issues. What we are trying to share at this point is what the overview is that we are working with and how we want to get down to.

What Jim Sorace said is that I think there is both the issue of responding to Damon’s request of the things that can help him as well as then responding to the outside communities.

DR. SUAREZ: I just wanted to say that I was so impressed with the level of detail and extent of this framework. I do think having it identified in terms of the topics and the areas that these were focused, really the next step is to test it against – use cases. I do agree. I think having a conceptual framework that provides some of the guidelines or guidance to agencies is – that accumulates and brings all of those elements into one place I think is very valuable. I am very encouraged by that work anyway. I think it is really a matter of beginning to test this with a few cases. Generally – data that a researcher is trying to access – data that a consumer is trying to access – data that is organization whoever the organization is. Some of the data is important to know. Some of the data might not contain individual consumer or even if it is de-identified, but not – some of the data is about the health care system and the system infrastructure components, hospitals, health plans, and those kinds of volumes of enrollments. It is aggregated data that is to be accessed. Some of the data might be more detailed data that comes down to potentially individual-level information, de-identified, and all of that. There are all those kinds of elements that have to be tested with the framework.

MR. SCANLON: As I am thinking about this, I wonder – again, I think this is a great start. We just need to nuance it and it will be fine. But I wonder if it would be worth – it started out giving guidance to open data. If open data is healthdata.gov and it is not all the other ways that agencies make the data available – is open data meant to apply to all the other research data centers, the virtual research centers? Just think about that. You might want to say that the open data sites are one way that agencies make the data available. There is a whole spectrum maybe of how this is made available for various purposes. The directory-type information like the phone numbers, the quitlines, where is the nearest community health center. That is public. It is not quantitative. It is really meant for consumers or local planners. It is not quantitative.

What you will recommend for that is very different than what guidance is for the surveys and the claims data, for example. My own bias is there are just two different worlds.

Consumer information is a whole other world. And the data, the survey results, the claims data, the quantitative programmatic data, and the surveillance data. It is somewhat of a different – you are probably not going to see that on open data. If you really want to analyze it, you have to say that these other ways are available; otherwise, people will always be why can’t I get claims data on open data. You are never going to get claims data. This is overall gestalt and we are dealing with the following. You probably have to pick one or at least diverge.

DR. RIPPEN: And then there are best practices. If you are – these abilities and pull versus push and all kind of what is the best way to do it and then there is the question of how do you summarize what you have. And then the summary of what you have could be broader because it does say if it is available or not if people want to publish it and want people to use it. I think that it is a continuum and they build on each other. I guess it is just a question of what is helpful.

DR. MAYS: I think that is the question of what we are bringing in terms of a particular start point. If there is one place better than another in terms of what is needed, we have heard from Damon. We will hear from others to get a sense of that.

MR. SCANLON: That is when it would help to talk to some of the other folks.

PARTICIPANT: Is there someone else in the department that we should be connecting with?

MR. SCANLON: I know the survey folks – the data leads group at some point. You probably want to run it by them. But I do not know if they will see themselves here unless —

DR. MAYS: I think if we change this from talking about it as open data and then just go back to – originally, it was that and then I was trying to scope us down. I may have scoped us down too small. Scoped us differently. Let me say it that way. I think that is something then that we need to —

MR. SCANLON: If you make those distinctions, I think that would help because then the data producers could say that is what I do and then it applies to them. And then there really is the whole other world of restrictive access – they will never be on —

DR. RIPPEN: And actually that is what Jim’s point was, I believe, which is at least for that smaller piece, it is really about the summary. Everyone who is a data producer if it is internal or not can summarize everything in a consistent way, which becomes very important because then if you need to find something that is internal, you can do it. External groups that collect data and use it can use the same thing because now what we are doing is making recommendations potentially for this might be a way where people might want to consider if they are publishing their data to meta tag. It is one very small piece.

Now you are building an ecosystem, going back to pull or push, where everyone is using the same way of describing things. If you do say it is push and you can do API and all the rest, people that do that kind of stuff can go to it and pull these things together. Again, it is a building block of a broader concept.

PARTICIPANT: You are trying to get everybody on the same framework to start with.

DR. SUAREZ: Let me just say. We are a little over time and we want to come back early. I know there is a number of quick questions, but if you could be short.

DR. COHEN: I want to vote for and endorse the matrix as a tool that might help bridge the gap between understanding open data and restricted data. In particular, I really like where you guys have taken it. I think the first target audience is you need to be very clear about segmenting your target audiences and the first audience here is the researchers who are looking to use the data rather than consumers or the public and other groups.

I think a way to begin this would be to just – not really a pilot study, but choose a survey or two or a claims data base or administrative data base like case reporting or a registry and play out the matrix and then give it to people who might be more naïve researchers who are looking for data and then more sophisticated researchers who have already used data and see how they react to the value that needs descriptions.

DR. MAYS: It was more a who. I am not sure exactly why the researchers – rather than say the developers or community organizations. I would think that is what we were looking for input for.

DR. COHEN: — really key here now is researchers for me for the first cut to understand because we are at the interface of open data and restricted data and it is really the researchers who are going to want to weigh the use of data there initially around that issue. It does not mean you cannot expand it, but I think part of the failing for the use of federal government data is just not understanding these simple characteristics. This is around ease of use. I think the matrix could be a really wonderful tool to help create that guidance –

PARTICIPANT: Josh actually tried it already and entered a few things. I built it in an access data base.

DR. STEAD: I want to applaud the effort and just share with the group the conversations Vickie and Helga and I have had about how this works with the health data framework, which is what we are now calling the all original framework and keep it from being confused with the measurement framework. I think those were your words actually.

Basically, the characteristics that would be used to tag the meta data are a subset of the characteristics from that framework, which is one section of six of the methods. To take that, morph it as these people say it should. Well then change some of the terms. Change those back in the apparent conceptual things so it keeps getting better. We will pass the baton to the data group to do this. It will evolve. It will get real use in some set of space. We will learn from that. When somebody needs some additional piece of information, the framework will be a source that you can consider for grabbing meta data and therefore this will be a very nice limited way of beginning to get real traction and real use. I am grateful that you are moving in this direction. I just wanted to share with the full committee how we think the new efforts will evolve. It is not like we need to align this with the population health. Right now, what we are doing is formally passing the baton. You can edit as you will as you go through this process and then pass it back to whatever the next group is that wants to take up and pick another piece. It will evolve over time.

DR. MAYS: We appreciate that. I think the flexibility as I said. When we started, we started with your – I do not know if it was Version 1 or 2. Then we consulted with other groups. It grew a little bit from that as well.

MS. KLOSS: A quick observation. You have really made great progress. Could it be helpful to have, picking up on Jim’s comment and on what we heard from Lucia earlier to show the data across some kind of continuum and make it very clear what this is targeted at? What is included and what is excluded and being explicit show that you are showing the range of data, but at least in this initial period, you are targeting probably that mid space that is not fully open and not the closed research restricted, but in that area in the middle that everything else that is causing confusion. I can envision a continuum like that living over the matrix so that when you are drilling down, you are just drilling down to things that – so array that list of what kinds of list across the continuum.

MR. SCANLON: I think that would help a lot – and then they would know what applies to them.

DR. MAYS: I think it is a great idea to have a visualization of that. I think that is good. Thank you.

DR. SUAREZ: Are we done? It is 12:25. The ideal would be if we can get back and start by 1 rather than 1:15 because some people have to leave around 2. We want to have a chance – if we can grab some food outside. If people are comfortable bringing it back and having lunch here or if they can have it and come back at one. We will try to reconvene at 1 p.m.

(Lunch Break)


Agenda Item: Full Committee Strategic Discussion and Work Plan Review; Summary of Next Steps

DR. SUAREZ: I think we are going to get started again. We are able to continue our discussion. Thank you for coming back and joining us again. I think the goal for the next hour is to really achieve two things. One is finish up our discussion on the APCD and then have some prep discussion more than anything for the November meeting and clearly have a little bit of a debriefing on some of the overarching activities of the National Committee into the future. Let’s start with APCD.

Yesterday as we were discussing, we talked about one of the areas of recommendations particularly interoperability and standards. I do not know if we have the slides from yesterday about the APCD.

MS. LOVE: I have a sense of the standards part. We need to reword some of the recommendations.

DR. SUAREZ: We will go back and show that because I want to highlight a couple of things and make sure that is there is clarity among people about a couple of points. We started with – just to get us all in the same place where we were. We talked about all the background about the claims-based databases and APCDs and the findings and the highlights from the hearing. We are now at the committee recommendations area, again, eliciting feedback. If you could move ahead several slides, that would be great.

This is the first slide. The first thing I want to say because we want to be clear and I know we have gotten already some feedback. In the concept of recommending adoption of this type of common data layout that it has been referred to as common data layout, but it is really a list of data elements and the conditions. I think the expectation is that that will not be really replacing or competing with the efforts that have been and are being done of the standards developmental organizations as we mentioned yesterday. There is an effort. There have been a couple of years to develop a guide, X12 actually, which is because of most of the databases collect data from claims. We, in the United States, have a standard for submitting electronic claims and receiving and capturing the claims payment information. It was a logical place to have the standard development organization that developed those standards and have been adopted under HIPAA to develop a standard that allows the capturing, using the same basically standards to allow the capturing and the reporting of this data.

The expectation is that the common data set is consistent with and is basically generally aligned with the standard having been developed by X12 and it is not going to be competing. In fact, it is going to be actually more really supplementing that and framing it in a way that it helps states and others that are collecting the data to focus on the – pointing to these types of standards.

MS. LOVE: And really administrative simplification for payer reporting to multiple states.

DR. SUAREZ: I wanted to clarify that. We talked about this particular slide quite a bit. We got quite a bit of feedback.

MS. LOVE: We have a lot of terminology work that we went through yesterday that we do not want to rework today. What you see up there will change significantly.

I think we left with a sense or I left with a sense that whatever layout, I do not even know what term to use now, but whatever term is appropriate to use would not be regulated nationally or federally in any sense. It would just be – states could incorporate into their regulatory mechanisms, but it would not be required to regulate it.

DR. SUAREZ: There would be a federal law that would –

MS. LOVE: I just wanted to clarify that. That was not the intent.

PARTICIPANT: Be careful of the language –

MS. LOVE: And again that will change significantly.

And then what we heard at the hearing and what the subgroup mentioned on their call is that just as this emerging data set is pretty early in its development and an increasing number of states are using the claims-based data and private sector claims-based data initiatives are growing importance. We need new kinds of analytics and tools and methods. Modernizing these analytics tools and methods will be a challenge. One of the models that I knew best and we talked about on the phone and is the standard measures like quality indicators have been for cross system bench marking and measurement of hospital data, similar down road measures that are comparable across states should and could be developed. There is really no recommendation just – I guess that is a visioning statement to think about some sort of bench marking and tool development.

At the hearing we heard quite a bit of discussion about these data gaps. We are working on the Department of Labor ERISA data gap, and that is still unknown, uncertain. And SAMHSA had a rule out for substance abuse data. That rule has not been finalized. Some states submitted comments and NADO submitted comments, to encourage SAMHSA to really think about how these databases capture and are useful sources of substance abuse data, if used properly. I do not know the outcome of the first two.

DR. SUAREZ: One comment. You mentioned yesterday that the common (indiscernible) has been extended.

MS. LOVE: For Labor. SAMHSA is closed. They are just reviewing those rules now. We do not know the outcome of that. We are keeping our fingers crossed. If it does not go favorably, that is a real concern. That is something the committee may want to have on its horizon because there is really no source of system-wide substance abuse data. And with all the opioid concerns going around, some of the APCDs have been the reporters of the magnitude of problems in some of the states. I think that is one to watch.

OPM is another data gap that hits a few states like Virginia, Alaska, and Colorado actually pretty hard, the FEHB. But I think that their letter to the committee sounded quite favorable that they were working on it and there was nothing precluding it in their statute. They just wanted to be sure they had it right before they moved forward. I do not think there is a huge issue there. It is just a data gap.

CMS. We are getting the Medicare data from them. We just are getting some early indication that perhaps Medicare Part A that is in these databases – some of the payers are saying we cannot release it. And Medicare is saying news to us. Yes, they can. There is this perception.

DR. SUAREZ: Who is saying who cannot release it?

MS. LOVE: I do not want to name names. One state and one payer just says I do not think we have the authority to release Part A to the state mandated data collection even though they have been doing it for two or three years. All of a sudden the labor thing started this domino effect.

DR. SUAREZ: Actually, this would be another recommendation area within here. Some guidance that CMS should issue with respect to –

MS. LOVE: We have been in touch with them and they assured me that there is no preclusion.

DR. SUAREZ: It feels like an FAQ.

MS. LOVE: Just to clarify so that as a plan looks at their reporting obligations that they know that they are not violating any law or contract.

DR. SUAREZ: Let’s make sure we capture that because I think that is a very important recommendation is CMS to issue guidance and clarification via FAQs or other mechanisms to help payers and states understand the real actual ability to share that data.

MS. LOVE: These are little things. Again, VA and IHS are not part of the databases. No one is moving that direction. I just think in the future a voluntary or special arrangement that states could make would make sense. But I think it is premature to even go there.

DR. COHEN: Had folks approached the VA or Indian Health Services?

MS. LOVE: They have with hospital data and some of the VAs are providing hospital discharge data to the states, not under a mandate, but as a contract and use agreement. I do not think we are there yet.

DR. COHEN: — law or regulation prohibiting the sharing of those data?

MS. LOVE: No. It is just that state law does not trump federal law.

DR. COHEN: But there is nothing in federal statute or regulations that preclude IHS or VA from sharing these.

DR. SUAREZ: There are two aspects of it. One thing is VA is the provider and having all the provider include clinical information. Another thing is the VA payer, including the VA as a payer and any contracted VA payers that have some of this data. We are not talking about the VA as a provider submitting provider clinical VA chart-type data. We are talking about the payer. And then the question is if it is an internal VA within the VA, are there claims to be reported?

MS. LOVE: That is what I am saying. I could even mark that off right for now. I think for the committee I wanted to just bring that up that there are still gaps and we are okay with these gaps. We are not okay with some of the other gaps, but the VA and IHS. I think down road might be important to bring in state by state like New Mexico. And you go up to Alaska and they talk APCD. They start looking at the federal employees and the Indian Health Services and Department of Defense and then you have carved out a huge chunk of their market already so they did not move forward at this time. Again, that is on the back burner.

DR. SUAREZ: In addition to this one, what about Medicaid?

MS. LOVE: If there is an issue, it is a state-by-state issue. The Medicaid directors generally are on – they have to be approached and it has to be worked out state by state. CMS is not against any of that and most Medicaid directors see some value. In fact, the value of the APCD is tremendous for Medicaid. That is not an issue. Maybe an issue in one state, but it is not an issue —

DR. SUAREZ: I just did not know if there was any reason to recommendation to CMS – Medicaid —

MS. LOVE: Just the match. Just give us the match and we are okay.

DR. COHEN: Although it is not federal. The other missing data system is workers comp, which would be huge for a variety of reasons.

MS. LOVE: It would be huge, but they do not have comparable data. Their whole system is so different. But, again, I think that is a state-by-state conversation because we sit around tables and states with people around tables like this and bring in those people and say what are the questions. What do you need to know? What would benefit you? What data do you have that you could contribute? How could it work? I do not think there is one size fits all answer in workers comp either that we can pull.

DR. SUAREZ: Workers comp has different types of data. They generally actually use in some places, most places actually, they use the same standard, 837 to submit claims.

MS. LOVE: Anyway, there was not a lot here except to start thinking about these analytic directions that these nascent databases will be moving in the next few years. Right now, we are just now starting to think about we need more in the analytic arena.

I combed through the testimony and then I mapped to these broader categories. These are the domains I recognized from the comments and the testimony.

And then there are future developments. And we heard at the hearing a lot about centralized or federated in decentralized. We got in that discussion. I put this in a pocket of future developments because first off there was no one at the hearing who outside of the FDA sentinel and they were not there how a decentralized database can work for a claims database. I do not think the committee wants to get into the dictating of technology for all these states. Even Blue Cross is not using decentralized, but I did not want to dismiss it. I put it as a future issue. And what I heard this morning with the digital bridge is they were kind of hinting at some sort of approach that way. It is not going to go away for the committee these decentralized, federated ways of getting data. For public health, I have real concerns.

DR. SUAREZ: I should clarify it. I do not think in any of the mechanisms that is talked about — the only federated element of the digital bridge project is really the pursuit of what we call triggers. The triggers are located in different places. The EHR – but the data has to be sent.

MS. LOVE: The technology is still going to evolve. We, as a committee, will be faced with those kinds of new questions. I put it in a future discussion bucket because I did not think it really was addressed properly under an APCD only arena. It is bigger. Just to be fair, I brought it up as a future need.

DR. COHEN: Actually, it might be something more general for the committee to get more information on because it is popping up in a variety of sector, the notion of people holding their data, but having access through permissions and federated hubs. It is a way of data sharing – that might be a robust area for —

MS. LOVE: As just a public health data person working in the field for – and I am old school. I do not think that one or the other approach should be the argument. It should be we need various approaches, but our public databases – I hear it out there in the field. Why don’t you do a federated approach? We just give you little data feeds of certain measures. That is fine, but we also need the denominators for data mining and data studies.

DR. SUAREZ: Just to comment on that because there are major initiatives. Actually, the ONC, the last five years, has invested significantly something called DAF, data access framework. And the data access framework is a mechanism using templated queries, a mechanism to use a template and go to a source and request that data based on that template. It has been looked into for public health, for example.

MS. LOVE: That is why I do not want to be in a position saying one is good or one is bad.

DR. SUAREZ: I do not think we are saying that. We are just saying those are mechanisms.

DR. COHEN: — that mechanism as a general public health surveillance tool needs to be explored.

MS. LOVE: That is where I punted this. This is not going away. Let’s put it in a future bucket instead of this APCD hearing. And then Bill brought up the supplemental. We know that claims data are the work horse of a lot of the system, but we also know that value-based purchasing and alternate payment models are starting to appear. I do not know the percentage, but I think it is fairly low at this point, but with macro that could change significantly.

The states are approaching it this way. We still get the encounter – if it is a capitated system, they still take in the counter data without the payment fields. But the supplemental financial information comes in a different mechanism, not with the claim. And we have written on this for some states. States are seriously looking at what are the supplemental fields that come in quarterly perhaps instead of with the claim. That is a future sort of data feed that will come up. I do not have a solution today. I have a slide on it, but I do not have a solution.

DR. SUAREZ: There is one more slide.

MS. LOVE: Getting input from the National Committee is step one. We will go back and rework the draft based on what we hear. I will work with folks in the committee. Then we will bring it to the Full Committee I guess in November – revision. No rush here. And finalize late October and November. We will work on it in October. The exec committee will receive the revisions in early November and then the Full Committee will —

MS. HINES: We are thinking that we would push this back. We would bring a draft to the committee in November, finalize after the committee meeting and bring for action at the February meeting.

MS. LOVE: That is fine. In fact, that will give us time to see what Labor is doing. I am in no rush. I think that works.

DR. SUAREZ: Thank you. I have to commend Denise for her leadership, her incredible amount of work as well as I do want to acknowledge the APD Council and certainly all the members of the committee that have participated and attended our hearing and contributed to all this. It is a very important topic and one that I think we will continue to see evolve and play a major role in the information that is being collected and used to do policy. Talk about evidence-based policy making. We are trying to get to the best level of information that we can gather to make those policy decisions. I do want to commend again Denise.

I want to also express openly here publicly her fairness to the process and to the balanced approach because we heard a different perspective during the hearing and certainly those are being reflected in the draft of the letter as you will see when this letter gets completed and presented to the committee. You will see the balance was able to be incorporated into the letter. This is not a letter that is only one sided, if you will. I do want to commend —

MS. LOVE: Thank you, Walter, for co-chairing and guiding me in one of my first work products for the committee. I needed a little guidance, but it was a good learning process. Yes, it was a lot of work, but I was pleased at the hearing. It went well. Thank you staff. Rebecca put hours into this.

DR. SUAREZ: Any other questions?

DR. STEAD: It is because of the conversation we had and trigger us back to the bridge conversation. We need to make sure that somebody in the bridge work, which sounds like you are in a place you could do, pays some attention to minimum necessary. The idea that the EHRs do not need to do anything but pay attention to the trigger and then they pump everything out to this entity. It then figures out how to – the agreements made can be put in place to manage it. But just given the way we have framed our recent letter around minimum necessary and the appropriateness of paying attention to that in the context of released public health, we just need to be careful about that.

DR. SUAREZ: Great point. I think it is important to consider that. Of course in most cases, the trigger is issued by a public health agency in its authority to require the reporting of certain elements.

DR. STEAD: Certain elements are the key word there.

DR. SUAREZ: There is a trigger that says you must report and then there is the package of the data that needs to be sent. Those are two different things.

DR. STEAD: I totally get that. But what I heard and maybe I heard wrong was that this was going to be made easy for the EHR vendors because when one of those triggers fired, everything was going to be set.

DR. SUAREZ: Everything should not have probably been. There is never everything. There is a very clear definition of the data elements that are required to be reported in a public health case report. Now on top of it, there is of course – I am sure Bruce if he was here would agree. There is clearly a lot of back and forth. In fact, I was on a conference call about this. The whole workflow includes of course the definition of what are the triggers that activate the need to submit the data.

The EHR vendor is not the one sending the data. The EHR vendor is incorporating the capability of reading the trigger. The provider, of course, is the one that sends the data. That is the first note.

And the other thing is that the data itself is not like the provider is going to send everything. I know Andy mentioned everything, but he did not mean to say everything. The case report is defined by the public health agency. In fact in many cases, the case report gets sent. The public health agency comes back and says thank you for that. I need these additional pieces. And now I have to send back more information and keep going back and forth. Absolutely minimum necessary is a key element to consider, but we have to also be mindful that these are in the context of require elements within a public health authority, which is what Lucia would probably argue. It is an authority that makes a requirement to submit the data. Good points to bring up. Certainly the letter has already said it in the context of the discussions of the digital bridge. I will make sure to transmit that.

MR. LANDEN: Let me just add that for an EHR vendor to send everything that is not easy. In order to have the data element be sent, it must somehow be structured or tagged to be accessible to the program to read the element and move it. My assumption and thank you for bringing it up is that we are talking about very precisely specified sets of data —

DR. RIPPEN: — kind of the broader ecosystem. There are a lot of different groups doing different things. Again, from an HIE perspective given the challenges HIEs are having, they are looking for opportunities to add value and many are moving in the same direction. Again, as groups think about what problem they are solving and trying to figure out how one might even implement something that would support HIEs or something like that or compete with them, you just have to remember it is in the broader context of a lot of other things going on.

DR. SUAREZ: We are going to wait until the end of our meeting to open up for public comment. Certainly we invite anybody in the public to join us.

We are going to transition to wrapping up our meeting and talking about a little bit of what is coming up. I think it is always important at the end of this meeting to highlight some of the things that we are going to expect to do in the coming months particularly in preparation for the next meeting, which are coming up in nine weeks. It is very quick turnaround. But also take advantage of the time to look at a longer term. We have used in the past our work plan template. You all probably remember that. I do not know if we can display it in the screen. It is an open template that we have created to keep track. Every quarter that we meet we then for the next version remove one of the columns of quarters and add the next one at the other end so that we keep moving it along the timeline. I think from a strategic perspective, from a programmatic perspective and from a staff perspective, it helps lay out what are the things that are coming up.

In many ways, this is going to be a transition certainly to new leadership within the committee, but also a transition in terms of an opportunity to have a chance to look at what is coming down the pike in the future. Yesterday and today the subcommittees and the work group have talked about what are some of their priorities. We are not going to be rehashing. I am just going to be highlighting some of them. They are plotted in the work plan in a way that they are just simply place holders.

Originally the work plan that we had been distributing before had started to look at when the committee would have the 2017 review committee hearing. We had plotted it in there like June of next year. I think all that is empty now. It is sort of like Bill, you are going to start with a black slate. The first – is going to have some of the ideas of the committee and the subcommittees in terms of the topics.

MS. HINES: One question I have is while we have a bunch of folks here, we can review what we have talked about for just the next meeting. I heard a number of members say we would like to use a lot of the next meeting to actually do some strategic planning for the next 12 to 18 months. That was one of the agenda items for the next meeting, but there were a few others that I am not clear on other than having the committee review a draft APCD letter, maybe a draft – maybe just some outlines of recommendations.

DR. COHEN: And from pop health it would probably be a draft of Version 4 of the framework and then an update on the progress around the workshop related activities as well as strategic planning.

MS. HINES: And then the other items I have from the last two days’ discussions are do we want Vindell Washington from ONC to come say hello. That was one item and then there are a few others.

DR. STEAD: I think if we basically say our objective for the meeting is to have enough time to really align the work across the subcommittees and the committees so we can make maximum progress with bandwidth management and resource management. Then that says to me that in terms of DID and in terms of APCD, what we really want to do is not have text of letters even draft letters. We really would like an updated framework of what we think the key pieces of that content would be so that we can – since both of them are going to be very important full committee sign offs so that we can really move – we can move the committees understanding and move us so that we will basically have buy in so that when we get to February, approving the text will be a little bit like yesterday was. I really would keep that these are the key things we need agreement on so that when we write the text, it is easy. That will constrain that.

And then I think what we need to think through is what input could be obtain that would drive our strategic planning. I would prioritize that so that we really protect the time so we are not just going at the things we want to know. Which of those things would actually drive our decisions about what we want to know?

MS. HINES: On the table of just things that were suggested over the last couple of days was an update on the census race ethnicity proposed change. Perhaps an update from the OMB census work group. I heard someone suggest that.

DR. SUAREZ: I am not sure that all of those were related. I think those were topics for the committee to consider.

DR. STEAD: I would keep us a tickler list and then as we develop the key points of our strategy of what we want to work, we will say which of those items do we want to pull forward for February. Which do we want to pull forward as we just line up?

MR. SCANLON: I would say the other thing is, as I always remind the committee, timing is everything. You may want to use the November committee meeting, not to lock in more detail, but to keep your options open in terms of what future issues and emerging issues might bring.

DR. COHEN: We heard that we want to be operating in the vital space, but we are not clear on what that might be. Don’t mention that there is a vitals retreat between NAPHSIS and NCHS happening in October. That might be good for an update for us as well as any other ideas about how to focus whatever our vitals-related activity is going to be. Maybe we need to figure out some more inputs to help us be educated so we can figure out where we want to make a difference in that area. That is the only other thing I can think of. Hopefully Bob and I will be discussing in October some ideas with the subcommittee and maybe we can flesh out some more ideas about QPP that will be more directed to a set of activities. That is my initial thoughts on pop health.

Maybe again if we are going to be trying to synchronize this activity with public health 3.0, we might do some preliminary work to think about what that might look like.

MR. SCANLON: We will have the recommendations on PH3.0 by then.

The other thing just quickly – it is not just populations. We want to have someone come over from the commission. We are going to send out the RFI right after the meeting.

DR. STEAD: I think the commission might be one of the things that would influence our strategy. I think the final public health 3.0 might influence our strategy.

DR. SUAREZ: — organizing before we get to – one is there is going to be at least three types of reports coming back. One is from population health. We are just talking about the report. One is that. The other one is from APCDs and the other one is from privacy so far.

Then on top of that we talk about specific special topics. We just heard about population health critical topics. From the standard side, I do not know if there is anything concrete and from privacy or even – also from the work group side if there is anything. I do not know if you have anything thoughts about special topics that would be worth inviting a speaker on that would influence the strategic – committee.

PARTICIPANT: If we could get somebody to come in and talk about the 3.0.

DR. STEAD: And again, we can maybe get some of this done before then. It seems to me one thing we clearly have to have is the list of the must haves for 2017. What are we legislatively or otherwise required to do? I know that Alex said we might not be bound by that and I guess that is okay. But we at least ought to know what that list is.

It seems to me that we would like some time to explore either advance or during the meeting the disruptive changes that could provide opportunities to do something in a new way. It must have some ground level disruptive opportunities would be more visionary. Then we need to know where do we have customer pull. What would be helpful to ASPE? What would be helpful to the national center? We can think of how do we have those. Are there things – and we do not need reports for that. We need to reach out and do that.

And then it seems to me we need to – we can then figure out which things can we actually narrow the scope to deliver in 2017. In many ways, it seems to me, that is what we have to figure out how to do. Which of these items do we work in a subcommittee level? Which do we work as a full committee?

MS. HINES: Does anyone know off hand? Are all of the must haves in the standards RC arena?

DR. SUAREZ: There are three requirements exactly. There are only three main requirements. Vickie, you wanted to say something.

The document that – is available. It includes a listing of the topics that everybody has talked about and of course it does not include some of the newer ones. But it does include the priorities that every subcommittee has been discussing. Some of the elements of potential places. And again, this was created before all these discussions. Some of them are not anymore relevant. For example, as you can see, the very first blue on the second column of the letter report. It says claims-based database. That is not happening in November anymore. That is being pushed out. This is a document that will keep changing if it is going to continue to be helpful to the committee to plot some of this into the future.

I think at this point basically anything in the columns after this month’s column are pretty should be considered empty because everything is open for decision by the National Committee in November. I think there are, as Bill pointed out, something that the committee has to do or is requiring the statute to do and something that our priorities based on customers like OCR wants us to consider this or CMS wants to make sure we consider this.

We talked about, for example, on the CMS side a possible hearing around the social security number replacement initiative. If CMS thinks that is a valuable element, they can certainly come back to NCVHS and – really important aspect that we want to do.

All those are aspects that need to be plotted as we have been continually doing with this document to help really plan not on a – this quarter we plan next quarter, but really have a vision of what is coming up down the road so that the committee can begin to organize some of the resources.

The last thing I wanted to say is really there are some topics that are committee-wide topics. We used to do a lot more work group or subcommittee topics. Now we are seeing more and more committee-wide topics. APCD was one of them. Certainly the HIPAA report to Congress even though it is driven a lot by standards, it is truly a national committee report that engages everyone. There are other topics like public health standards even though it is driven by population health and standards. It is truly a committee-wide topic.

I wanted to leave that thought in people’s minds because I think more and more the committee is going to be operating that mode in many of the topics led by one or two subcommittees, but really engaging most if not all of the members of the committee. These topics are so cross – they are just going to be needed.

I think really the last message I wanted to leave is we have the way I see it really a transition also in terms of what is coming up in the coming years across the board. We have been talking about in terms of 3.0. We heard about the HIPAA administrative simplification 3.0, the third iteration of standards. The first standard was 4010 in 2003 and all its companions. The second wave was 2012 and 5010. And the third wave, 3.0, is coming up as probably next year as a recommendation for the National Committee. That is moving in the third wave.

There is also the HIPAA – we talked about privacy and security, the future of privacy and security. We heard a lot of things from Rachel and from Lucia about how to think about in terms of privacy and security in the digital age, as they say. I think that is going to be another major overarching evolutionary step for the National Committee.

And certainly we talk about public health 3.0 and how that is going to look like and how vital statistics and the future vital statistics and all these other elements including eCase reporting and all the other parts of – connect clinical care with public health are going to be interplaying much more.

In all of those, the committee is going to – the way I see it really – it is very exciting to see that. It is going to start in November with a huge opportunity to think long term, big picture and then certainly fulfill some of those with these projects that are going to come up. I think it is very exciting.

I will be watching you all from behind. I only finish by just wishing you the best. It has been an honor to be part of the committee. It has been an honor to be working with you all. I have nothing but an incredible set of memories and truly the commitment that each of you put into the National Committee is incredible. The amount of time. The thoughtfulness. Everything really pays off in terms of the products and the influence that it has in the nation. Thank you again. I do not know if there are any other final comments.

MS. LOVE: You have set the bar so high though.

Agenda Item: Public Comments

DR. SUAREZ: We need to get to public comments too. Are there any public comments on the phone? Let’s see if there are any comments from the public on the phone.

MR. FLOTOW: Mark Flotow, advisor to NCHS. I wanted to make two points about the birth and death standards relative to electronic health records. Before lunch today, this was brought up in the context of the need to push those birth and death standards as part of electronic health records and maybe not making the required list per se, but at least that they were in the mix that they were included. Dr. Cornelius asked, has the Board of Scientific Counselors been discussing getting these standards pushed forward? During the interim, I was looking through old reports from our meetings of the Board of Scientific Counselors. We do have some mentioning of electronic health records, book ending the life span. Yes, they do need to be part of EHRs. It is still coming. Charlie Rothwell, the director of NCHS, saying in a few years, this is going to be our biggest source for health care data. I know he would want to see births and deaths as part of that mix. That is the history part of my comment.

The second comment is more about NAPHSIS. Here I am with my past president hat on. There have been detailed discussions on those birth and death standards. I remember four years ago being on the committee for all the HL7 details on that and voting on those and so on. What we talked about the analogy was be able to get on the electronic health record train with those birth and death standards. Apparently, we are still waiting for our ticket to be punched. We do not know whether it is going to be first class in terms of required or other class or at least second class.

I just wanted to say that NAPHSIS had been doing their due diligence and had worked with Michelle and so on. They have been at the national conferences. They have been demonstrating I heard. Alex mentioned HIMSS. Our contact person for that or NAPHSIS’ contact person for that is Rich McCoy from Vermont. He was the one who chaired that committee. For some time, the co-chair has been Lynnette Scott. Now moving forward to now, Rich McCoy is president elect of NAPHSIS and Lynette Scott is now chair of the Board of Scientific Counselors. I see some things coming into alignment where we can hopefully push these forward.

DR. SUAREZ: Thank you for those comments. Anyone else? I think we are officially adjourning. Thank you so much again for joining us today. We are going to transition to the Data Access Work Group in this room. Thank you.

(Whereupon, at 2:00 p.m., the Full Committee meeting adjourned.)