Department of Health and Human Services
National Committee on
Vital and Health Statistics
Full Committee Meeting
September 14, 2018
P R O C E E D I N G S (8:30 a.m.)
Agenda Item: Welcome
STEAD: I’d like to call us to order. Rebecca will do the roll call.
HINES: Good morning and welcome to day two. Bill Stead.
STEAD: Here. Bill Stead, Vanderbilt University Medical Center, Chair of the National Committee, no conflicts.
HINES: Alix Goss.
GOSS: Alix Goss with Imprado, a member of the full committee and cochair of the standard subcommittee, no conflict.
HINES: Bob Phillips.
PHILLIPS: Bob Phillips, American Board of Family Medicine Center for Professionalism and Value in Healthcare, a member of the full committee, cochair of the Populations Health Subcommittee, no conflicts.
HINES: Bruce Cohen.
COHEN: Bruce Cohen. Massachusetts. Member of the full committee, cochair of the Population Health Subcommittee, no conflicts.
HINES: Dave Ross.
ROSS: Dave Ross, Task Force for Global Health at Emory University. I’m a member of the full committee, member of the Population Health Subcommittee, and no conflicts.
INES: Denise Love.
LOVE: (no response)
HINES: Jacki Munson.
MUNSON: Good morning. Jacki Munson, Sutter Health, member of the full committee, member of the Subcommittee on Privacy, Confidentiality, and Security. And no conflict.
HINES: Linda Kloss.
KLOSS: Linda Koss, member of the full committee, cochair of the Privacy, Confidentiality, and Security subcommittee. Member of the standard subcommittee. No conflicts.
HINES: Lee Cornelius.
CORNELIS: Lee Cornelius, University of Georgia, member of the full committee, Population Health Subcommittee, no conflict.
HINES: Nick Coussoule.
COUSSOULE: Nick Coussoule. Member of the full committee, cochair of the Standard Subcommittee, member of the Privacy, Confidentiality, and Security Subcommittee, and I have no conflicts.
HINES: Roland Thorpe.
THORPE: Roland Thorpe. Johns Hopkins University, member of the full committee, member of the Population Health Subcommittee. I have no conflicts.
HINES: Just to keep you on your toes, Rich Laden, I went out of alphabetical order.
LANDEN: Good morning. Rich Landen. Member full committee, member of Standards Subcommittee. No conflicts.
HINES: And Vickie Mays.
MAYS: Vickie Mays, University of California Los Angeles, member of the full committee and member of Pop and Privacy, and I have no conflicts.
HINES: So we do have a quorum. Let’s continue with staff. Are there people on from the Assistant Secretary for Planning and Evaluation that have an open line? So I know we have Maya Bernstein with ASPE and Suzy Beebe. They do not appear to have an open line. Let’s go to CMS.
HERRING: Good morning Geanelle Herring. Staff to the Standards Subcommittee. No Conflicts.
HINES: Don’t believe Lorraine Doo is on at this moment. Thank you Geanelle. Rachel Seeger, she is not on. So we have Rachel Seeger, who will be on as lead staff to Privacy, Confidentiality, and Security. And I also want to acknowledge the NCHS team for the committee on today. We have Debbie Jackson and Marietta Squire and Geneva Shaw. Is there anyone else who wants to read into the record that you are here.
AULD: Vivian Auld from the National Library of Medicine.
HINES: I see Vickie Boothe. Good morning.
BOOTHE: Good morning.
HINES: Vickie Booth is with CDC. I believe that takes care of the roll call, and you all now have the housekeeping down. Just remember to unmute and mute yourself as needed, and I will turn it back over to our chair.
STEAD: Thank you Rebecca. Again welcome, and again thank you, Vicki, for being up at the ungodly hour in California. Before we start I just want to mention that this is Dave Ross’s last meeting. We were hoping to have a celebratory dinner last night, and we will hope to find a chance to do that at one of our upcoming meetings, when it works with his schedule.
From my perch, Dave has been a wonderful partner in always sort of helping us connect to the value and purpose that really connects to people in various walks of health and healthcare. Dave, I cannot thank you enough for your help during the last few years.
The agenda is going to be busy. We’re going to spend the first block working our way through the predictability roadmap, and with a particular eye I believe to coming to agreement around the nature of the recommendations so that those can feed into the hearing in December.
We then have a work block on health information, privacy, and security beyond HIPAA where we hope I think to get agreement around the draft model that the subcommittee has developed, and possible actions going forward that would feed into the 13th report and into subsequent letters. And probably into a hearing in the workshop in the early part of calendar 2019.
We then have a break for lunch and then we’re going to get into the report to Congress in more detail. We only have an hour for that, it’s very clear to me we need more time if we could get it. So one of the things I would like people to think about as we get closer to that time is whether since we’re not all together we might shorten the lunch break so that we might have a little bit extra time.
But we can deal with that at that time. And then we have public comment, and then we are intending to close down at 2:40 eastern, 1:40 where I am in Tennessee. So if there are any suggestions or questions about the agenda, put your hand up. Not seeing any, then I will turn it over to Alix and Nick and Lorraine to lead us through the predictability roadmap.
Agenda Item: Predictability Roadmap
COUSSOULE: This is Nick Coussoule. Thanks in advance to everybody for coming and participating today. We’ve got a lot of ground to cover roughly two hours and 20 minutes or thereabout to do it, along with the break in the middle. So we’re going to move rather fast, I’ll explain a little bit more as we go along.
Before we get started I do want to give thanks to my cochair, Alix Goss, and our support staff, Geanelle Herring and especially Lorraine Doo they have put in many hours to help us get to this point today. And I also want to thank the other subcommittee members for their continued support. And oh by the way we’re not done, so this is another step along the process.
So I’ll walk through the agenda. Let me cover a little bit about what we’re trying to accomplish today. You see on the agenda we’ve got three main objectives that we’re trying to get to. The first one is to provide a historical review of our predictability roadmap and efforts to date. We started this most recent effort early in 2017. We have made some great progress. I know some of you in the committee and others listening to this discussion may argue that we’ve been doing through these topics for quite some time, but that’s for another day.
Today what we’re going to focus on is the future, but we are going to review the past couple years in this effort to understand and set everybody in the same grounding of what we’ve done so far to date that will help us get a clear understanding of the process that we’re involved in, and then when we’re in the process and the steps that are going to come next.
Where we want to spend the bulk of our time though is on the second item, which is presenting a detailed draft of our recommendations. This will take up, as we said we’ve got two kind of chunks of time, I think if I lay it on out the schedule it’s roughly 80 minutes or so before we take a break and then another 45 minutes afterwards. This portion will be handled a little differently than you might be used to and expect.
And what I mean by that is we are going to go over, Alix and I, we’ll tag team a lot through this presentation and this segment, we’re going to go over all of the recommendations first, with a bit of color to make sure that we can at least understand what they’re saying, and not take a whole lot of comment and discussion on each one, and then we will go back kind of to the beginning and start to get the discussions.
And there are two reasons for that. The first one is that we want to make sure we get through them all. In some cases we could talk about one and take up an hour, and then we’ll realize we have to rush through all the rest. But the other reason is that many of these do not stand alone, and you have to understand context around some of them. Sometimes there are dependencies, sequential dependencies. Sometimes things are related to each other that really need to go together.
So we want to provide a bit of an overview of all of them first, make sure we at least understand what we’re saying, and then we’ll go back and talk about are they appropriate, are they framed up correctly, are there things that we’re missing, things that we need to take away, et cetera. And then following that we will finish up with our next steps.
So we’re reviewing feedback from the full committee to adjust the draft recommendations, providing these for review by the participants in a process as well as any other interested stakeholders. And then conduct a hearing in December to gain feedback prior to formalizing the recommendations to the secretary. But we’ll cover that in a bit more detail a little later on in the presentation.
So what the roadmap is, I think to ensure that we have the same understanding of what we mean, because there can be sometimes semantic differences or understanding, so I want to tell you exactly what we mean by the predictability roadmap. And I’ll do this by covering at a pretty high level what problems we’re actually trying to address, why might a predictability roadmap address them, and how the roadmap has been developed i.e. what we’ve done to date.
The word predictable has several meetings and extensions here. If we look at the wording on the slides, part of the problem we’re trying to solve is the standards, development, adoption, and implementation are not predictable, and are not keeping pace with the business and technology innovations. I think that’s the fundamental framing of the challenge we’re trying to address.
And to make sure we all know what predictable means, it really is do we know what’s coming, do we know when it’s coming, and then do each of us know individually what we’ll need to do once it happens. As we understand the administrative standards process, having a clear understanding of that allows all kind of industry players to be more prepared and to move along faster into generating the efficiency and effectiveness that standards have allowed us.
The second point is the predictability roadmap is an initiative to evaluate the barriers to the update adoption and implementation of standards and operating rules under the authorities of HIPAA and the PPACA, so the Patient Protection and Affordable Care Act of 2010. And I think that gets into what the roadmap is at a high level.
I’ll skip down to the next bullet which says what we have done. So for the past 18 months we as a national committee have been collaborating with industry stakeholders to understand the challenges and develop actionable recommendations for the secretary, covered entities, SDOs, Standard Development Organizations, and operating rule authoring entities.
So our industry stakeholders in this case includes we believe all parties involved in the process, from the standard development organizations coordination and governmental entities responsible for establishing the statutory framework and promulgating the rules.
Software and system developers who must build those rules and capabilities into their systems, to the end users who kind of run the healthcare business every day and use these standards every day to operate their businesses. So we believe we have involved a pretty wide swath of players in this to help understand not only how the process works but what the impact of the existing process or changes to that process might be.
So when we lay out the vision, I’m going to read this word for word along with you, and then I’ll make a couple of comments. Our vision in this is for covered entities and business associates to be able to use up-to-date HIPAA standards consistently, garnering increased value from the standards by avoiding one-off work arounds, and to reliably know when updated versions will be updated and adopted in time to prepare systems, resources, and business processes.
Now that’s a good bit of words, vision statements are usually small and pithy, and this is a good bit of words. But it’s a little more complicated, which is why we want it to lay out that text.
So let me make a couple of key points, and then I’ll turn it over to Alix to go over the next session of what we’re talking about. One is I’m going to stipulate that administrative standards have significantly improved the efficiency of the healthcare system. Now that’s not always immediate, but over time we believe they have.
And that by improving that process we continue to improve the efficiency of the system, which hopefully results in a lots better process, not just from a reduction in cost, but an improvement in how individuals interact with the system, not just the payers and providers and intermediaries in that ecosystem, but also the important part of that is the consumers who are dealing with the results of those activities.
However, although I think it has been significantly improved, the pace of change in our industry, our individual business challenges, and frankly just the pace of technology change have advanced historically and continue to advance faster than our ability to keep up. There are a number of parts of our process which are very complicated and by design frankly move slowly.
And I say by design, I don’t think people have setup anything purposefully to move slowly, but the reality is if you’re trying to make changes that impact a very complicated industry, by design they are going to move a bit slowly to ensure people are onboard, but that pace of change is frankly not keeping up with the industry challenges and the technology challenges that are now available.
And then the third point I’ll make is that by enabling a more predictable and flexible roadmap, and I don’t think you’ve heard the term flexibly t, although it’s been in many of our discussions over the last year and a half, we hope that we can address these challenges, and hopefully meet the vision objectives of what we’re trying to accomplish going forward. Alix, I’ll turn it over to you.
GOSS: Thank you. Before I go to the next slide I want to just pause a second because I’ve seen that one of our colleagues, Denise Love has joined, and I think we need to officially have her announce herself and her conflicts.
LOVE: I’m Denise Love, National Association of Health Data Organization, Standards Subcommittee Member, full committee member, no conflicts.
GOSS: Thanks. Also I believe that Lorraine Doo has joined us by the phone, and she is probably going to make her way into the WebEx as well. So I’m not sure if there’s anybody else who needs to be recorded into the meeting. I appreciate Nick’s setup, and he really gave us a framing that we will be really teasing out as we go through the next hour or so in content.
We felt it was important to give a very high level picture of the overall process of advancing standards. It starts with the need being identified within the healthcare community, if you look on the left-hand side of the screen. This need is then taken into the development work of the applicable standards body for vetting and incorporation into a transactions standard or an operating rule. Work products ready for national use are vetted by governance groups.
In the case of transactions the recommendations to adopt first goes to the Designated Standards Maintenance Organization or DSMO for review and then advancement to NCVHS. NCVHS processes advance formal recommendations in the HHS process. Although operating will follow a slightly different process in that they are not required to go through the DSMO.
By way of background, the existing regulations require the involvement of the DSMO for transaction standards. The DSMO was created by a final rule in August 2000. The genesis however for the industry oversight group was included in title two, subtitle F, part C, section 1172 of the HIPAA act.
This section of HIPAA also recognizes the role to the Workgroup for Electronic Data Interchange, and the National Committee for Vital and Health Statistics, or NCVHS. So I’d ask that as we go through today’s discussion that you keep in mind that standards are developed or updated in response to a business need within the healthcare community.
Industry brings forward their needs for consideration into consensus based processes, often accredited by the American National Standards Institute or ANSI for incorporation into standard transactions and implementation guides. Operating rule authoring entities provide additional business collaboration to constrain standard implementation guides to garner further efficiency from the use of a mandated standard.
The rules of WEDI and NCVHS provide additional public vetting and synthesizing of policy and implementation considerations, and perspectives on national standards, before rulemaking commences. HHS’s CMS Division of National Standards is responsible for regulations related to HIPAA transactions and operating rule standards.
The predictability roadmap is focused on medical and pharmacy transaction standards, including EFT or Electronic Funds Transfer, plus the operating rule authoring entities recognized through HIPAA and the Affordable Care Act. In other words the Standards Development Entities listed on the slide, and we’ll use the term SDO to collectively refer to this group today.
To develop the predictability roadmap we undertook information gathering with the organizations shown on the slide, plus a workshop that included other interested stakeholders, like the Defense Health Agency, Military Health System, the Veterans Administration, Optum and Blue Cross Blue Shield Association.
We also engaged with the coordinating and governing entities discussed on the prior slide. More specifically the DSMO members, National Uniformed Claims Committee, National Uniformed Billing Committee, the DSMO Content Committee, Health Level Seven, ASC X12 and the National Council for Prescription Drug Programs.
And of course the Workgroup for Electronic Data Interchange. We also engaged with HHS, CMS, Division of National Standards. DNS is responsible for adopting transaction and operating rule standards for use by covered entities and their business partners, providers, health plans, and clearinghouses.
Representatives participated in the workshop and one on one sessions to ensure our understanding of the federal processes. Our information gathering affirmed feedback loops since the implementation of the nine HIPAA adopted transactions. This included the 2006 and 2009 DSMO and standards body white papers, and numerous hearing with industry feedback such as the review committee hearing of NCVHS in 2015.
Five themes emerged from this extensive work. Governance, as it relates to the DSMO and NCVHS processes. Updates to standards related to the SDOs. The regulatory processes related to HHS and CMS processes. Data harmonization related to the concepts of data conversion and interoperability.
And we’re going to be carving out that theme to be a part of the subcommittee’s work on terminologies and vocabulary. And the fifth one, third parties as covered entities, is related to who and how organizations are obligated to use transactions and operating rules.
To enhance our understanding in opportunity areas we convened a diverse group in what was called the CIO forum. Thing of this group as leaders from across the end users community. These are the front line of providers and their EHR or Electronic Health Record and practice management vendors. Health plans, clearing houses, thought leaders, and federal partners such as ONC and CMS. These are the folks that are delivering, enabling, and paying for healthcare.
We solicited feedback by presenting the five themes I just discussed on the prior slide. With each section providing an introductory overview and specific questions to prompt discussion. And we have robust dialogue. This dialogue validated two things for me: the benefit of having transaction and operating rules, and that significant efficiencies have been achieved since pre-HIPAA paper based days.
And, as Nick noted earlier, we had the opportunity to exist to garner more benefits by revising or enhancing the current approaches to keep pace with the strategic needs of the healthcare industry. The robust dialogue also underscored the importance of seven points: improving the current processes, but to do so with consideration of tomorrow’s business models and technology capabilities.
And underscore the value of avoiding technical debt and throwaway work. The importance of having the focus of the patient in the center of all of our efforts. Diverse end user engagement in standards development and governance is essential and needs to be less painful and less expensive.
We need smaller iterations at a predictable cadence that supports backward compatibility. The importance of becoming more evidence based in standards development by incorporating empirical testing and pilots that generate learning and supports better development adoption. That all actors in an ecosystem be clearly obligated to comply with standards and data protection obligations.
The robust dialogue at the CIO forum also reflects a strong agreement that there is no longer a meaningful differentiation of clinical and administrative data, and it’s time to create a pact integrating the standards.
To sum this up, the CIO forum input resonated to the subcommittee in three categories: transparency, measurement, and collaboration. Over the summer we synthesized and framed the input into recommendations, calls to action, and measurement objectives. We also worked on timing and interplay to effect the change. I’m going to turn it over to Nick to take us into the next slide.
COUSSOULE: Thank Alix. As we undertook those activities that Alix so aptly covered a minute ago, we listened and challenged the participants not only to tell us what the challenges were, that’s usually the simple part, but also what might be done to make the process better. Alix covered a number of items and underscored their importance.
But several goal areas if you will for addressing improvement along with general tactics to improve the predictability for each goal area emerged. And you see them on this slide. The first one is improvements for the federal processes. Second one improvements for the standard development organization of the SDO processes.
And the third general group would be what I’ll call governance in oversight or stewardship. If we look at the bullet points in the middle of that, in the federal process the idea would be how do we create more visible enforcement of our existing regulations. And the challenge there at a high level is if we have individuals or different entities in different places and not moving forward, then we continue to run too many different ways to address the same problem with too many versions if you will.
The easiest way to think about that is transition from ICD9 to ICD10, and any future transitions. If we have the industry running three or four versions of that, we create some chaos in there about who knows which version, how many do we have to support, how do we know which players are supporting which version, et cetera.
So in order to get there we have a little bit of a carrot and stick kind of model, which is the carrot model being there’s benefits to be derived, and the stick model is making sure that we force people to get there. And this part is creating that visibility. A second is more frequent guidance and outreach to the industry, and that’s part of the education process, and we’ll cover that in a good bit more detail when we go through the individual recommendations.
And then the third part of the federal process improvements, a third general area will be to improve the responsiveness to NCVHS recommendations and timeliness of the regulatory activities. And I covered that a little bit in earlier conversation, and again trying to take what is supposed to be a complex process because it involves lots of industry participants, and trying to figure out how it can move at a pace that supports not only people’s ability to adopt and adjust, but also the need to move a little bit faster.
And then the next bucket of changes to the SDO processes would be increasing the diversity of industry participation in the standards and operating rule workgroups. we tend to have a lot of the same folks and participants involved in this, and it’s not necessarily as broad of a group as we would like to have, so that when things do come out, changes come out, that all the parties are understood and involved in that process, instead of people engaging after that have already been defined and then raising challenges and opportunities which should have been done as part of the development process.
The second general theme would be to improve the timeliness of the standards development to support innovation and evolving business and technology challenges,. Again as I covered a little bit earlier the pace of change in our industry, and the pace of change generally with technology affords a lot faster in implementation of changes to support those challenges. So trying to speed this process up is really imperative.
And then the last bullet is regards to SGO process would be to improve the workgroup process for productivity. And we’ll cover that in a good bit more detail as we look at the individual recommendations.
The last one is the governance in oversight and stewardship general goals, and the transparency of the process, we have I think Alix we tend to bring out the timeline and roadmap, and I know Alix and then Lorraine and others is we’ve gone through some of our work efforts over the last year and a half, have tried to lay out the actual process that we go through at a high level of complexity, and we put together little more detailed timelines, which we’ll go over when we send out more information in regards to the hearing in the fall.
But the process is kind of measured in years, not in weeks and months. And although we would not necessarily advocate weeks, but we need to think about things that are done in a much shorter time frame than what our current process is today to be able to meet those challenges that are moving faster.
And then the last one from a governance and oversight would be advancing industry need and garnering value from the standards. And that’s really about how do we measure success and how do we lay out the criteria for success, and then drive that visibility and measurement path going forward to see that we’re actually obtaining the value that we hope to get.
So we also gave a good deal of thought regarding how we might frame up the recommendations in a way that hopefully lays out an action plan, as opposed to just a list of recommendations. So we categorized them into three distinct groups of items.
The first is recommendations. So we have recommendations that are geared primarily towards the HHS secretary, which is our primary obligation as NCVHS. The second is calls to action, and those are recommendations primarily geared towards industry and the users and implementers and developers of the standards and operating rules. And third would be measurements, so how we might define and measure progress and success.
As I indicated some of these recommendations stand alone, but many more are either codependent, meaning really depending on more than one item be addressed, either concurrently or sequential, meaning they’re dependent on other items being done first in order for the other recommendation to be valid.
We also consider the complexity of items being recommended, as well as the likely time frames by which the recommendations could be implemented. And with these considerations we categorize the tactics. Beyond those three groups of items we categorize them into general outcome goals, and those are the goals that you see highlighted on this slide. We bucket them also into time buckets, that will become apparent in just a minute.
But the outcome goals, as you see improve education outreach and enforcement, and by doing that we hope to promote efficient planning and use of the standards and operating rules. Many of you have been involved in the processes. We generated the themes that Alix covered a little bit earlier. This particular goal supports the regulatory process and third party covered entity themes.
A second goal would be a policy lever. So what can we do from a policy standpoint, and adjustments to changes we could make to support the process improvement changes we’d like to make within the industry? And those goals support governance and updates to standards themes.
And then the last kind of time based outcome goal would be regulatory levers that enable timely adoption, testing and implementation of updated or new standards and operating rules. And so those three kind of goal categories if you will, if we look at some of that, they’re also somewhat constrained by how difficult and complicated they might be to implement.
Part of what our objective is is to keep our vision big and transformative. We want to make sure that we think very big from long-term and structural questions, but at the same time we also want to make sure we’re acting small. If there are things that we can implement more rapidly to gain benefits over time while we may be working on more transformative or larger items that are measured in years to implement as opposed to months to implement.
So we try to categorize these recommendations in a way that allowed us to do that. If you look to the next slide we’ll start covering the recommendations. And as you look as I’ve indicated the first one in the group are recommendations that are primarily made to the secretary. When I looked at the outcome goals in buckets that I indicated before, you’ll see them in the column headings. And they’re really measured in a couple year increments.
So the first set of recommendations ideally are things that we would tackle in the next couple of years. Those would be the education outreach and enforcement goals.
The second one, policy levers, again a bit more complicated to implement, require a good bit more thought and engagement from different parties, and those are things that we would tackle next, ideally in a couple years following. And then the third one would be regulatory levers, and those again are a little longer term, require a lot more up front planning and a much more challenging sequence to get implemented.
So we tried to categorize into as I said the recommendations, calls to action in measurement schemes, along with what we would view as a timeline in somewhat of a prioritized sequencing. Now as I said before some of these are concurrent, they could be worked on at the same time, and some of them are more sequential, and some can stand alone.
So what we’re going to do now is walk to the recommendations again. Alix and I will tag team on this one, and we will try to explain them with a little bit of color, if the committee members have a particular point to make sure we understand what the recommendation is saying we will address that at the time of going through each recommendation and we’ll walk through them one at a time.
But we really want to to some degree limit discussion and debate about them, so that we make sure we get through all of them first so that we get a big picture understanding of them, and then we’ll go back and walk through them individually.
So I’ll start with the first couple recommendations. So if you’re on again the left column, which is the education outreach and enforcement, number one, that HHS should increase transparency of their complaint driven enforcement program by publishing information on a regular basis.
And let me read two, and then I’ll go back to explain them in a little more detail. Two is HHS should comply with the statutory requirement for handling complaints against non-compliant covered entities and enforcement action against those entities and their business associates. And again that should be published.
The idea behind these two recommendations is it really creates some visibility. You oftentimes need both carrots and sticks to make changes and make those changes enforceable if you will. On the carrot side obviously we hope that these changes and the adoption of the administrative standards and updates will benefit the industry, and that those benefits get derived from effective implementations of all parties. And that’s the carrot side, there has to be a reason to do this that makes sense.
The stick side is there needs to be visibility and to some degree penalties for not moving forward. There are always going to be entities that want to move slower that don’t necessarily see the same value, or that frankly just have difficulty from a time and expense and other priorities from implementing those changes. And the difficulty there is the efficiencies are greatest when they’re as consistent or they are consistent processes across all organizations.
Again, the simplest example to think of that’s pretty easy for everybody here to understand is the ICD10 transition from ICD9. As I indicated a little bit earlier I think it’s one thing to say everybody is going to go there. If we let different entities go whenever they wanted to within some reasonable transition timeframe we could be running 8, 9, 10, and 11 at the same time, and the complexity driven by that I think people could realize pretty quickly that wouldn’t make a whole lot of sense.
That’s obviously a big hairy one, but even with other standards and operating rules, if we’re not driving consistency across the industry and making sure that at some reasonable timeframe all the players are up to that same portion, we’re not going to get the same efficiency. So this is a little bit of the carrot and stick approach of creating that level of visibility. I’ll turn it over to Alex to cover the next few.
GOSS: I am going to be covering the middle column, regarding the policy levers. I’m going to do a little bit of setup before I read through these. Nearly two decades ago we designed an approach to oversee the way transaction related change requests impacting covered entities would be handled. The belief was that a centralized approach would promote trust, and that the funneling potential changes through a vetting process with further administrative centralization efficiencies and the standardization we would achieve.
For a variety of reasons the funneling of changes did not occur as planned. The industry takes their request directly to the applicable SDO. Further, operating rule standards adopted under the ASA are not a part of the DSMO process. As such, recommendation three is HHS should disband the DSMO and work with its current members for an organized transition.
In regards to recommendation four, we’ve learned many lessons since the passage of HIPAA, HITECH ACA and more. These lessons include but are not limited to the value of public-private partnerships, the importance of funding key initiative, and the importance of education and evaluation to demonstrate value and create buy-in.
We recommend that HHS should enable the creation of an entity tasked with oversight and governance, maybe we should call it stewardship, of the standards development processes, including the evaluation of new standards and operating rules. HHS should provide financial and/or operational support to the new entity to ensure its ability to conduct effective and intra industry collaboration, outreach, evaluation, which includes piloting, cost benefit analysis, and reporting.
In regards to recommendation five, a challenge experienced by the DSMO, funding dynamics aside, was a limited authority they were given. At times HHS and CMS rulemaking has reopened prior consensus based work efforts. The duration of federal rulemaking to adopt maintenance and modifications is lengthy. And beyond key milestones is mostly hidden from public view. A recommendation five is that HHS should conduct appropriate rulemaking activities to give authority to a new governing body, replacing the BSMO to review and approve maintenance and modifications to adopted or proposed standards.
COUSSOULE: I will cover now the item six on the right, which again that gets into the regulatory levers, to enable timely adoption, testing, and implementation of the new standards and operating rules. Right now the different bodies involved in this process, each have their own cadence for in a lot of ways different processes, and we’ve reviewed that over the last year and a half in some detail, through our workshops and sessions to understand, and when we look at that it’s very difficult, just given the different kind of processes, the different timelines and the different responsiveness to understand when things will happen and when they won’t happen, and then the details behind that.
But the recommendation is that the standard development organizations and operating rule authoring entities, the SDOs and OREs, should publish incremental updates to their standards and operating rules to make them available for review by the designated governing body, and then subsequently to NCVHS for recommendations to the secretary on a regular schedule. Let me walk through the rest of this detail and then I’ll provide a little more color.
The regular review schedule we believe would enable a regular adoption schedule. And those things really do go hand in hand. Industry has recommended through our discussions a two year process for the SDOs to complete the update, ballot publication submission and review cycle.
Inputs requested for completion of that cycle, the operating rules, and then once the standards and operating rules are recommended to the secretary in a regular cycle, HHS should be prepared to adopt those updates on a regular, reliable schedule.
There are a number of implications in here, but the real primary goal is to identify some consistency, not only in the process, because we could have different processes by different players in here, but consistency in the time frames such that we can line all these up and create a little better predictability.
One of the things Alix was just talking about in regards to the visibility of all that, of those processes and the steps involved in that, to make them less opaque and a little more visible, would be helpful to all parties around, to not only understand how the process is working, but opportunities to improve based on creating that visibility.
We’ve all I think heard the term that sunshine is the best disinfectant. I think creating that level of visibility across the board. And it’s not that it’s not there at all, but creating that visibility across the board through all pieces of this cycle will allow us all to have a better understanding of what’s happening, what’s not happening, and what we might do to improve.
The next set of recommendations in regards primarily to the secretary. I’ll cover the first few and then Alix will cover the next few. The first one again in the relatively short term education outreach and enforcement would be that HHS should regularly publish and make available guidance regarding the appropriate and correct use of the standards and operating rules.
And that’s really to understand better and create that level of visibility that I was just talking about. and that also leads into how do we enforce that and drive that same behavior by making sure that it ties together also with the previous two I indicated on the previous page, which was how do we make sure that both the carrots and the sticks are in place, and then publishing and making available those rules.
If I then go through the policy components, numbers eight and nine here, we recommend that HHS should publish the regulations within a year of being received and accepted by the secretary for newer updated standards or operating rules, in accordance with what’s permitted in the act, in section 1174 of the act.
This again gets into how do we ensure that if our objective is to approve and recommend the changes by industry that then go to NCVHS for a bigger picture view, and assuming that we have agreed with all that input to make that available in recommendation to the secretary, we really make that process to work faster and to be more visible. Again, there are some statutory restrictions in there, but the process oftentimes seems to be in a bit of a black hole.
And this is not to be denigrating to anybody, we all have priorities and resource constraints, but some of this challenge is the industry participants are in some ways awaiting and beholden to changes that are made and promulgated by HHS. And again we’d like the process to move a bit faster. And then the next one, nine, is HHS should ensure that the operating division responsible for the education enforcement and regulatory processes is appropriately resourced.
And although we don’t have the visibility into how those priorities are set, nor would we portend to drive the priorities across the entirety of that division, we do believe that the process would move faster and create a little more visibility by making sure we have the right level of focus and attention with the staff. Now we’ve had excellent feedback, and we’ve seen that directly with this committee, but we do believe that there are some constraints in there that might move faster if we have the right level of staffing.
GOSS: With regard to the last column, since the adoption of the original HIPAA transaction standard there has been one major upgrade, with some errata adopted along the way. As such, number ten addresses that HHS should adopt incremental updates to standards and operating rules, in accordance with the act, the adoption of modifications is permitted annually, and if a recommendation is made by NCVHS and its updates are available.
Also we’ve made recommendations, they’ve landed inside HHS, and there has been absolutely no action or follow through in response to the substantial amount of industry effort that led to those recommendations being pretend to the secretary.
With regards to number 11, in today’s model we have a ceiling approach, meaning the maximum is adopted. This limits innovation and incremental modifications to data exchange. As such, recommendation 11 is that HHS should publish rulemaking to enable the adoption of a floor or baseline of standards and operating rules.
This rule should also consider other opportunities to advance predictability and support innovation. So instead of having a ceiling to push up against for industry, they would have a floor which would create commonality and with willing training partners be able to advance forward.
This ties into recommendation 12, which in today’s structure to legally use newer modified versions of the HIPAA adopted standard, a covered entity is supposed to request an exception. That’s a lot of effort. So we recommend HHS should enable voluntary use of new or updated standards prior to their adoption to the rulemaking. The purpose of this recommendation is to enable early adoption and innovation by willing training partners, and be consistent with existing ONC policy framework.
On our next slide we’re shifting from recommendations now to calls to action, to reflect opportunities for industry to improve the process. As primary drivers of transaction usage, health plans and vendors through their collaboration may hold insights that can advance administrative simplification.
Call to action A is that health plans and vendors should identify and incorporate best practices for mitigating barriers to the effective use of transactions, determining which issues are the most critical, and prioritizing use cases. By doing so this information can flow better into the standards world and help evolve our standards framework.
Convening diverse, often competitive players in the healthcare ecosystem to achieve consensus in a neutral environment can be key to achieving national goals. WEDI through its workgroup structure, as noted in item B, should continue to identify issues and solutions. WEDI should publish white papers advising on agreed upon policy implications and best practices related to the use of standards in operating.
COUSSOULE: one of the challenges, if I look at C and the policy lever, one of the challenges that exist through any type of significant change in regards to technology or rule change is to ensure that all parties that need to participate can do so effectively. And in order for that to happen you need to have a good understanding of not only what the changes are, but what each of the players in the ecosystem needs to do to make that change and give people an ability to kind of test and validate what that change would be in their own world.
And one of the challenges that we’ve faced historically is there’s not always an easy way to understand and see what an effective implementation of that would look like, absent kind of individual training partners or partners working one on one each to make that happen, especially during the early cycles of a rule change.
So the recommendation would be that HHS and the standards development organizations should identify and fund a best of class third party compliance, certification, and validation tool, recognized and approved by each standard development organization, to assist in both defining and assessing compliance, so that we would have a consistent way for each of the players in the ecosystem to validate that change in a way that makes sure that when we now work with other players in that ecosystem we’ve effectively said we’re going to meet the same standards and goals and obligations to each other.
And then further recommending that HHS should develop test criteria for that certification, and ideally build a program to enable multiple third parties to qualify, to conduct a validation testing by demonstrating their business value.
So again really by creating to some degree one place for each of the parties to understand what they need to do, and to test and validate and verify what they need to do in a centralized way, again versus doing one offs with each training partner and then ending up with a number of different customized opportunities for that implementation.
And then working over to the next column, D, from a regulatory side, it’s often indicated that it’s difficult to measure the value of implementing a new rule or change. And so we really want to make sure that there’s visibility into that value by again creating enough information to demonstrate that there will be overall value that’s well beyond the cost of implementing that. And a recommendation here would be that HHS should fund a cost benefit analysis of the standards and operating rules to demonstrate their return on investment.
I think part of this is by creating that level of visibility, and frankly if there’s not going to be a return on investment then it might not make sense to do it, so we should be able to validate at a high level that that return over some reasonable time horizon will be sufficient to warrant that implementation across the ecosystem. HHS should consider collaborating with and supporting existing industry initiatives pertaining to those cost benefit studies to increase the data contribution by covered entities and training partners.
So there are entities already in our ecosystem that do create and capture some of that benefit information. So HHS doesn’t necessarily need to do this on their own or create it all out of whole cloth, but could leverage some of the things that are going on already, and perhaps make them bigger and broader to ensure that that visibility and that benefit is understood by all parties.
So if we look to E, again back into the education, the recommendation is SDOs should consider collaboration with the private sector to plan and develop outreach campaigns with the intent to increase the diversity of participations in the standards development workgroups.
As we look today I think Alix and I have both hit on a little bit, and it became very apparent as we’ve proceeded down this process for the last year and a half or so, there are a lot of very dedicated very smart people involved in this process. Unfortunately it does tend to be a little bit of the same people involved time in and time out, because it requires dedication, expertise, time and money, and that’s difficult for all the players in the ecosystem to understand and be able to devote.
At the same time, the more limited the participants in that process are, the more likely that there will be items or considerations either not addressed or addressed in a way that does not support the broad swath of the industry. So anything that we can do to drive increased participation in that process would only help to make the outcome of that process more understandable and implementable by the entire industry.
And concurrent with that we need to make sure that the rest of the industry ecosystem is willing and able to ante that up. It’s one thing to say that we should consider that collaboration, it’s another to say hey folks, by the way, it’s easy to sit back and kind of snipe and argue and challenge when the standards have been pushed out and say wait a second, that doesn’t meet my needs.
At the same time you have to be willing and able to step up and ante up into the process such that when it does come out the other end it’s as a larger or higher likelihood of meeting those needs. And so recommendation F is that leadership from the public and private sector should commit to membership in the standards development organizations in that process.
Assign the appropriate subject matter experts to participate, facilitate improvements to operations as needed. Again, hopefully this would diversify the representation in the SDOs so that the content changes and the rules that are defined have a better chance of meeting the entirety of the stakeholders, with again ideally much more value to be derived than cost to implement. Alix?
GOSS: Moving to the middle column, to G, earlier recommendations address modernizing the concept of the DSMO. To that end it’s important that the industry actively participates in the design effort. As Nick noted with the needs coming from business, and that we want to make sure the standards support our industry needs, it really is a life cycle, and so we all need to be actively playing. Call to action G is that public and private sector stakeholders should collaborate to design a single coordinated governance process.
Governance should include detailed and enforceable policies regarding business practices, including policies for identifying and implementing best practices in such an organization. So if we have the DSMO replaced we want to make sure that the industry is actively engaged in the design of that replacement.
Moving to the final column, H, as previously noted there is a strong agreement that there is no longer a meaningful differentiation of clinical and administrative data, and it’s time to create a path to integrating the standards. Incorporation of administrative and financial standards into the interoperability standards advisory represents a small step towards convergence. HHS’s Federal Advisory Committee, NCVHS, and ONC’s Federal Advisory Committee, HITECH are collaborating with regards to objectives in the 21st Century Cures.
Item H is that we should continue to publish the Universal Dictionary of Administrative and Financial Standards along with the clinical one item and that they will be available for use in the ISA. We’re now going to pivot to measurement. And Nick I think you’re up with the first one.
COUSSOULE: In regards to the measurements of success which we covered a little bit earlier, we may define what we want to change and go through that change process, but unless we know what we hope to achieve as well as having visibility into that we’ve actually achieved that, we really won’t know.
Again the old adage is if I don’t know where I’m going, I may go real fast, but I don’t know if I’m actually going to get there. In this sense the first recommendation, M1, from a measurement perspective is that HHS should publically and regularly disseminate results of its enforcement program to promote transparency, opportunities for education, and benchmarking. And it’s easy to take this kind of recommendation and say we want HHS to public the bad guy list of people that haven’t done what we think they should do.
And it’s not about punishing anybody, but it’s about creating the recognition of where the changes are happening, where they’re not, how we might enhance the education and transition process, how we might understand why it’s difficult for entities to make this change happen and ho we might simplify that. So the idea is creating a feedback loop, not to punish people, but to create a recognition for how we might move faster on an ongoing basis.
GOSS: If we’re to modernize our stewardship approach, then we can also ensure we’re capturing and applying facts and evidence to effectively manage and advance the development and use of standards and operating rules. M2 speaks to HHS and stakeholders participating in the new governance process, establishing metrics for monitoring and performing assessment of the new entity.
And oversight and enforcement of the SDO and operating rule authoring entity deliverables and performance. So in essence, if we all agree to a new time frame, the cadence of advancing standards, we have to have a new organization that’s actually going to monitor whether we’re hitting the mark, and help us continue to evolve.
With regards to X3 NCVHS’s history speaks to our ability to receive, process, and advance industry views leading to healthcare data policy improvements. As such we recommend continuing to conduct stakeholder hearings to assess progress of the predictability roadmap.
As you may have imagined, the effort that we’ve undertaken has been pretty extensive from this recap today. And we know this is a draft body of work. And with regard to the regulatory levers we weren’t sure what to recommend. So in M4 we’re seeking some input from the industry to help round out the concepts of what we should propose in this area.
In regards to next steps, we have activities planned for the fall, as shown on this slide. Key is to ensure we obtain and incorporate the committee’s full input. Please be sure to send any further input on the materials distributed in the eBook an from today’s presentation. We’d like to have that feedback by early next week. I should say thank you for those who already gave us feedback, especially Bruce for that key missing word.
The subcommittee will then finalize the recommendation table, narrative, document, and the hearing questions. We have been very mindful of giving the industry time to discuss these draft recommendations, calls to action, and measurement tactics. The fall is the time for many industry conferences and standing meetings.
We presented our anticipated timeline to the leaders of the SDOs and WEDI in late August to support their planning efforts for engaging their membership in vetting the ideas presented in this very draft framework. We’ve offered to participate in presenting the draft recommendations to their members, and thank those who have already reached out to ask us to support their discussions.
Our expectation is that we will receive very useful and insightful feedback that will enable the subcommittee to take an important next step, preparing final recommendations for the full committee to review, and considerations that lead to a submission of a letter to the Secretary of HHS, Alex Azar, in early 2019.
More specifically, by October 1st we plan to finalize and distribute the slide deck, a narrative companion document with much more background information than we’ve presented today, and the hearing questions. Throughout October and November we hope that stakeholders will have extensive vetting of the draft proposal and gather their input, enabling them to either submit the written testimony, or submit written testimony and participate in a December 12th and 13 hearing. Those dates are confirmed.
NCVHS will hold a — to gather industry input on draft recommendations in DC. In December and January we’ll incorporate that feedback with the goal of attending the full committee meeting in February, giving an update and having a discussion, enabling us to finalize and submit the letter to the secretary.
I believe that is the last slide. We actually did it in shorter time than we anticipated. Nick? I’m sure we could make a choice whether we want to dive into questions. I’m not sure what time we’re set for break, so if Becca or Bill could keep us honest that would be great.
STEAD: The break is targeted for 10 AM, so we have 20 minutes before the break.
GOSS: I would say let’s back up and start with walking through the recommendations and using our hand raising feature on the WebEx of the members to signify that they have a question, proposing that probably the simplest way to go through this is we go slide by slide. I know we’ve thrown a lot of information at you in the last hour. So first I probably should open it up for subcommittee members to make some commentary.
LOVE: This is Denise. I just want to commend our leaders on the subcommittee. I think this depicts very well the input we’ve received, and it’s organized very clearly to me. I’ll be interested in hearing the input from industry and others. There are maybe a few little minor tweaks, but I’m not going to go through that right now. I just wanted to commend you for the work. And I think it reflects everything I’ve heard to dat. I think everything I’ve heard to date. But good job.
KLOSS: I was going to deliver that same message, so thanks for doing that Denise. I know what a heavy lift this has been, there is so much material and so many ways to go, but I think you’ve framed it well. I have one thought as just a point that we could perhaps emphasize a little bit more about. We’ve appropriately talked about increasing transparency and the benefit of education outreach, and I’m primarily looking at the first column as we go through.
It seems to me that one of the arguments to be called out is that this will really help those that have a minimum understanding of standards. They’re important, how to incorporate them. And it can be kind of an ongoing educational process. So I think more attention to the great breadth of our industry, that just simply doesn’t get this, is an important part of the argument.
GOSS: It’s a really great point Linda, because part of the challenge is that we don’t have a level playing field, and we really did hear that from the end users. We really appreciate that.
LANDEN: First off amen, kudos to Nick and Alix for an excellent distillation. I particularly love Nick’s way of describing this is to think large and act small, because I think that’s exactly what information technology needs. I think what the vision here is is the appropriate and educated vision for what the industry needs.
And by educated I mean lessons learned from the 20 plus years of HIPAA plannings and implementations. I think this eliminates some of the major barriers to progress, and this enables taking advantage of our new level of comfort with electronic standards and the new technology available to the industry.
It will give us innovative and interoperability, flexibility that the original HIPAA approach did not give us, because those were different times, and yet at the same time it has some guardrails around that to prevent some of the, I’ll say more dysfunctional possibilities that we have also learned about.
So I am very much looking forward to how all these areas in diverse industries, stakeholders, and segments react to this, and certainly am eager to hear from everybody on what their views are for opportunities and potential concerns. So thanks guys.
COUSSOULE: There are a lot of folks as part of this committee and also as participants throughout the last year and a half who have been at this for way longer than I have from an industry perspective. And it’s sometimes easy for those of us on the outside if you will, I’ve been doing this for ten years so I can’t claim to have no expertise, but I was not around in the industry when HIPAA was first enacted. And it’s oftentimes easy as an outsider to kind of snipe at what has happened, and look at something different and say man I see all the problems.
And I think that Rich, your point about recognizing not just what the problems or challenges might be, but how they happened and what happened and what could be done differently is really important here, and I think again it’s also easy sometimes as an outsider to say god, why on Earth would somebody do it like this?
As you sit back and you realize it’s not like you’ve got dim people trying to do bad things, people did the best that they could with what they had at the time, and then over time challenges and changes occur. So we tried to stay away from any hint that there is a blame somewhere, it’s not at all about that, there has been some really good progress made in a lot of ways.
How do we ensure that we take what worked really well, understand what didn’t, understand the challenges in technology and business change, and then drive it going forward? So we hope this is really viewed as a go forward change opportunity, and not as a oh my god why is it the way it is. So we really tried very hard to not do that, and hopefully we’ve explained along the way. So I really appreciate your feedback on that Rich, and we’ll also look forward to the rest of the industry feedback as we give them some time to digest this and come back and give us feedback in December.
GOSS: I think that was a really critical point to make. We have come a long way, and having been one of those people in the early 2000s working through the initial implementation of 4010 and NCPDP standards, people were really passionate and were doing their best, and times are very different. Let’s look to the sunshine. Who is up next, Bill?
STEAD: Vicky and then Bruce.
MAYS: I want to start where others did, which is to say how much I appreciate the tone and the vision and the thoughtfulness, when you’ve presented this as one not sitting on your subcommittee, it’s just so clear. And it allows me to be able to participate and how to think about these issues. So I just want to say thank you for that, and I know it comes at the price of a lot of hard work. So thank you.
On the other side, Nick, you made a comment about the outreach that you all have about trying to figure out a way that not everyone is at the table I guess that you all would like to see. And I guess if there’s any way that we can be helpful in trying to think about how to get you who you want, how to expand your outreach, I think that we should have that discussion.
And it might be we need to have that discussion in general for each of our subcommittees, because I had the experience yesterday of somebody I guess was listening, and they asked about getting an audio file. And they began to talk about the things that they could do if they had it in audio, which meant it was going to go further out. So I think if the committee can be helpful, let’s find a way to find some time to talk through maybe how to expand our outreach.
GOSS: I want to comment on that. I look at the standards process as a lifecycle, it has a need, they’re innovating, they find that something is missing, et cetera, and then it goes through a process, I’ll come back around to industry implementing it. And over the years in particular the provider community is in a very challenging situation. They are focused on delivering care, of taking care of our citizens. They need technology and standards to meet their needs, but we need their voice in the development to make sure that it’s meeting their perspectives.
We know vendors do not always fully represent a provider’s voice, from a provider’s perspective, even though the venders are there in the sense of an EHR focus to be exactly there to support the provider’s needs. So we have sort of a chicken and egg dynamic.
As a doctor, a nurse, a lab, a radiologist, they don’t want to go sit and argue over data elements and syntax and semantics and situational nodes, but at some point somebody from their side of the house has got to show up, and we’ve got to find, use today’s technology to find a way to go about getting them engaged earlier in the process. And I think that’s sort of a holy grail. I wonder sometimes whether we can actually overcome the belief that they’re not at the table and actually figure out a way to make it easy and effective and not painful for them to be at the table.
COUSSOULE: I think Alix hit on it earlier, and it’s probably not as prevalent in our recommendations as I think it will end up being going forward, is the whole concept of the administrative kind of versus clinical standards. And I say versus because typically they’ve kind of run their own paths.
If we look at the delivery system for lack of a better term, the objective is to provide the best patient care possible on an ongoing and regular basis, and then the administrative side is how do we make the financing work to make sure we get all the information as relevant.
And so we’re realizing and have realized that those two historically divergent paths are not divergent anymore, but they’re very much convergent. And how do we simplify over time the activities that clinicians perform and ideally translate that into enough information to make the administrator side work as well.
Alix’s point about we don’t always have, big we, the level of engagement that we like, the more we can understand and recognize that convergence, hopefully the more we can simplify that activity. And I know we’ve been talking with ONC about that through their advisory committee as well, and I think that will be a greater point for us to undertake over time.
MAYS: Maybe one of the strategies is rather than people coming to you to listen, and we’ve used this when we did data access and technology, we went to specific meetings where we knew like Datapalooza and the American Public Health Association Meeting, and actually did presentations where then we got that feedback exactly from the audience that we wanted by actually doing a presentation. And I don’t know if that’s possible, to think of really clinically driven large meetings where you can have a focus group or do a presentation and get the feedback and spread the word.
GOSS: I would like to even see that folks pay attention during the public comment periods of the SDOs. They go through a very extensive process, not only in the head down detail work within their workgroups, but they open up their draft work product for industry comment for a protracted period of time, they reconcile every single comment that they get, and they then have to explain how they’ve reconciled every comment and then where we’re going with it.
We need, even if we could just get people to pay attention in that portion of the process, it would be a lot more effective than people coming later in the process, even during the regulatory step, to say they have a disagreement.
STEAD: Let’s try to manage to agenda and hands. I think there has been rich conversation around this piece, but I suggest unless Alix or Nick disagree that we work on through the hands. Bruce is next, then Bob. I cannot tell if Denise is a new hand or hanging chad. So Bruce, Bob, Denise,.
COHEN: I want to build on this conversation. I think the documents that you’ve created are phenomenal, the slide set and the companion documents that I read through. I think the conversation to me, this is an area I know very little about, I would recommend another little piece which would be standards for dummies. I mean you’re talking about the context of standards and how to integrate clinical and administrative data.
If you just did a four or five pager that sort of simplifies the explanation about the history, the importance, and the dynamic process, and the intention of how to improve ultimately the delivery of health services through focusing on creating this manageable process of standards, I think that would be a great piece. So I would recommend sort of a simplified short version of these incredible ideas that you’ve put together. So that’s one thought.
My second just question was have you gotten any feedback from the DSMO about transitioning away from their organization to create this HHS entity for governance and oversight.
GOSS: Two points to that one. The first vetting and public airing of these recommendations is today. It is important for us as a subcommittee to bring it back to full committee discussion before we release these to the wild, so we’re sort of doing that in tandem. The second piece is not that we think it should be an HHS entity, it’s that we think HHS should recognize an entity, a modernized version of the DSMO. And it should be a public-private sort of sector organization.
STEAD: Bob, then Denise.
PHILLIPS: This is a really bold proposal. I really respect and appreciate the work that went into it. I hope it gets reaction, and I hope it’s a productive reaction. To the points that have been raised by several folks about the lack of engagement of provider organizations in the standards development process, I became aware yesterday of a letter circulating on the hill about the conflict between clinical registries and EHRs.
And what struck me in seeing that yesterday and seeing this today again, is that the provider organizations are quite engaged and see the policy arena as the solution. If we could bring them to the standards development and vetting process, that might be a more productive place for them to be involved. And they may not just understand that or understand how to get involved.
And I wonder as has been suggested if we should have a meeting with some of those larger provider organizations, the ones that are more engaged in the policy arena right now, and ask them to help us figure out how to involve them more productively on the standards development side. Thank you.
LOVE: I was around in the early HIPAA days, Nick, so I do have memories. In those early days, public health, and states were really engaged and energized and at the table. Over time, because the need has diminished, we have more stable standards, but also resources and people, resources have diminished and people have moved on. And we’ve been kind of sweeping, public health is not I think fully engaged at the table as much as I’d like to see in the standards process.
So to that end I think as states are using data more than ever for their state health policy in the form of all payer claims databases, it’s critical that we bring them back in the tent and get them engaged. And I’m just passionate about that, and I hope that this new framework does engage states more effectively. We’ll have to think about how.
But the question that I have, and I should know this, Alix, Nick, so you may want to smack me with your virtual hand, but does this framework, I can’t remember, but I know there was some talk about expanding the reach to exempt players. Would these mom and pop PTAs, the small ones, would this get at that or is this completely different?
GOSS: Are you talking about the property and casualty folks who may be using —
LOVE: Non-covered entities are a problem in the policy arena when you’re using data and getting data from some of these non-covered entities who are kind of on the fringes of all these standards. So I just didn’t know if this gets at that or if that’s a completely different discussion off the table. And again, you can use your virtual hand and slap me.
GOSS: It is a really good point. I don’t know that we’ve hit it hard enough, or clearly enough.
LOVE: In my world that’s one of those niggling problems. But anyway, we can’t solve everything at once, but I just wanted to bring it out.
COUSSOULE: Denise, I know that has come up in our discussions here, it has also come up in the beyond HIPAA discussions pretty significantly. I think we would love to get some feedback in regards to that from the rest of the committee, as well as the industry participants as we continue to evaluate this going forward.
GOSS: Bill, I see your hand raised, but I also want to acknowledge that a comment came into the host, and I believe to me as the presenter, and I want to make sure we get that captured so that we can read it as part of the public comment. So I’m looking for Ruth and team, to help me, and especially Rebecca with all of that.
HINES: It needs to be e-mailed to me and then we’ll do that. We have public comment later today, we have it after the whole meeting.
GOSS: Agreed. I want to make sure that the host, meaning Ruth and team, grab that, maybe they can put it in the email since Michael Whitty(phonetic) chose to use the chat feature to communicate a message. And Bill Stead, I think you were going to make the last comment and take us to break if I’m remembering correctly.
STEAD: I will try. First let me repeat the thanks to Alix, Nick, and from my perch also clearly Lorraine, Geanelle and team at CMS. This has been n unbelievable effort to get this in an approachable form, and I think you’ve done an awesome job.
The thing I would like a little bit of insight in when we come back from break is how big is the lift for HHS to do what we’ve got in the 1920 column. Because it looks to me like the way you set this up, the first column provides information we will need as we work the second column. I know they can be staggered a bit.
But it seems to me that we need to make sure that we understand how hard it is for HHS and the industry to do what’s in the first column. So any color commentary after the break that would help me understand that or the committee understand that I think might be helpful. And with that I suggest if it’s okay with Alix and Nick that we go to break and we reconvene at 10;15.
HINES: When we reconvene do you want these same slides up?
GOSS: Yes, please. We’ll start with Bill’s comment, and then I still want to go through each of the table slides so that we can have any questions evolve and be discussed from the committee members.
GOSS: The question that we had before break was from Bill, our esteemed chair, about how big of a lift is it to do the activities in the first column for 2019/2020, related to increasing transparency of the complaint-driven enforcement program, and complying with the statutory requirements for handling complaints.
I think in my mind, it is difficult for me to have any comfort in answering on behalf of the Division of National Standards. I think it is a matter of choice and resources aligning for them to do that work. And we felt that it was more of a low-hanging fruit. As such, it went in the first sprint. And I think it really goes back to some of the educational aspects that we heard from some of the members’ comments before break.
And so I would hope that they would be able to take up those recommendations and act upon them very quickly while taking on the more lengthy activities that you would see in the subsequent columns on the recommendations. Nick?
COUSSOULE: No, I agree with you wholeheartedly, Alix. I think that many of the things that we have recommended, and frankly to be perfectly blunt, if they were all easy, they would already be done, right?
And so part of the challenge is trying to set up not only directional goals and sequencing, but realistic goals and sequencing. And then hopefully, some of these things could move faster. Some may move a little bit slower. It is very much a process change. And as well know, we set up a plan. And then the plans react to kind of first contact with the enemy, and the enemy usually being time and complexity and resources.
I fully understand your concerns or comments, Bill, but I do believe that we are sequentially going down the right path. We will just have to adjust timeframes and be realistic with what we can accomplish.
GOSS: And to that point, Nick, we will have the Division of National Standards having a seat at the table at the feedback loop at the December 12th and 13th hearing.
I have not been watching the hands go up. I am not sure who is up.
STEAD: We have got Dave, Linda, Nick. Nick is down.
KLOSS: I wanted to add to that assessment of essentially when you look down that first column, there are first recommendations. Three of them, when you bring in the recommendation on measurement, they really are related. That is transparency about the complaint and enforcement process, and how complaints are handled. And then the measurement thereof.
I see one, two and measurement one being really quite related. It would be a programmatic decision. And certainly HHS could choose to move at that incrementally. But they are all the same theme.
And then the other one is publishing available guidance regarding appropriate and correct use of standards and operating rules. So I would echo what Alix and Nick have said that if these steps can’t be taken, then I think there isn’t much hope for any of the agenda. These do seem quite fundamental. I think it is reasonable for the committee to start there.
STEAD: On this slide, going to number six in the ’21/’24 period, industry recommends two years for standard organizations to complete update ballot publication and submission for review cycle. Am I understanding that that is what we are recommending as the ongoing target?
STEAD: How does the idea of a floor in advancement work with that target? I am trying to grasp what fluidity looks like with a two-year cycle that gets something ready for review.
GOSS: Yes, so if you think about this two-year cycle, so that is for the business to come forward and say I want to change, for them to go through their due process, create a ballot there, public review period, finalization, the publication and then to bring it forward into an overarching stewardship process. We felt that the timing dynamic has been a huge challenge in all of this. We really want to respect the various process steps within each organization.
We felt like this was sort of the middle of the road that could engage industry, and possibly by setting a baseline floor approach, you could have a cadence where you would be like, look, we are kind of doing in the clinical side of the house where it says, okay, we have got a floor. We will call it version X.
And then in two to three years, meaning two years is standards process, a year of federal process, we could either have a new version recommended and adopted, or we could even have the new version that would come out and say, okay, we are keeping our floor. But here are subsequent versions we have developed. And this is the direction we are heading in for doing an upgrade at some point, formally through rule-making. To sort of help the industry take a step forward with a more current version and proving it out.
So I think that you bring up a point that we are looking for very specific feedback on how the industry sees the STO process, the oversight stewardship possible increased, cost benefit analysis and testing and evaluation steps, and outreach steps can all work together to get more predictability.
COUSSOULE: I think one of the challenges is trying to understand how. If we accept the premise that we are trying to create a floor by which kind of that becomes kind of the must part of this, which everybody must comply with this, we are trying to be sensitive to that. I think this really gets to some items on the next page of the recommendations is to enable the kind of creativity and flexibility to do things well beyond that and not be encumbered by, if you will, the floor migration process.
So we want to make sure that this really focuses on keeping everybody, all the players in the ecosystem, advancing forward in somewhat of what I will call a minimum way. While at the same time, enabling the kind of creativity for willing participants to move much faster on certain challenges that ideally would eventually get set into the floor.
STEAD: Then it seems to me we may need to pay some attention to trying to make that clear. I get the difficulty. But recommendation six speaks to incremental updates, for example. And 10, 11 and 12 get into more the true fluidity that we need. And I just wonder whether we need to be really clear that six relates to the floor.
GOSS: This is really helpful. It is the kind of feedback we need to tweak these before we actually release them for people to do their formal prep for their testimony. So we will take that way as an action item.
I can also let you know that even though we sent out in the e-book the corresponding narrative in the slide deck, we have not stopped working since we released those around Labor Day. And so Lorraine and I already have a next version markup in the works.
So the feedback today, especially around the non-covered items from Denise before break, and now this awesome comment from Bill. We will make sure to take this back in tying 6 a little bit better or making it clearer, and also the interplay with items on the slide that we are currently displaying with 10, 11 and 12.
COUSSOULE: Yes, Alix, and just to reiterate that, there was another document that will come along with the recommendations to be sent to the involved parties prior to the December hearing, which does get into a good bit more background and textual detail. I think we can certainly make it part of that document, if it isn’t already. And I know some components of it are.
And we could make sure that we are clear on the recommendation side here, as well. I do believe we are in the same place. We do need to make sure that we are communicating it all effectively, so your point is very well taken.
GOSS: And to add on to Nick’s point, we will also be posting the document on our website. We do have the intention of inviting all of our prior participants to the meeting. But we want to make sure that everybody in the industry who cares about this has an opportunity to provide testimony.
STEAD: We are 15 minutes into a 45-minute block. And the slide has now advanced to recommendation 7 through 12. There are no hands up. I am assuming that we have gotten the questions or comments related to recommendations 1 to 6. I am just trying to be taskmaster. If that is the case, then let’s see if they are related to recommendations 7 through 12.
GOSS: Shall I go to the next slide, Bill?
STEAD: We are now displaying the call for action, the first of the two call for action slides. We have got a hand-up from Linda.
KLOSS: I have a question about D. And in the presentation in here, it is not clear whether calling for a cost benefit analysis of each standard and operating rule, or whether it is a collective cost benefit analysis. I think we need to be really clear about that.
And I was thinking about kind of the opportunity that we identified in the vocabulary outline that called for a cost benefit analysis of proposed vocabulary standards before they went into effect or as part of the principal.
So the question was is this something along the approval process? Or is this a collective? I just ask us to be clear on that.
COUSOULE: That is good feedback. To be honest with you, I am not sure I know the answer to that. We have talked about a number of different kind of components of this or approaches to this. And I think that would need to be fleshed out in our further discussion, but that is a good point.
STEAD: My gut, just from what I have lived through with the T and V work, is that it is going to have to be at the level of a transaction and the related operating rules.
KLOSS: I agree. But I think that suggests then that it becomes part of or embedded in a proposed workplan. And so we may just have to look at how we have described that.
COUSSOULE: I think is what has happened, at least with the ones that have happened today to try to gather that information. It is distinguished that way, whether they were done together or done independently. The value proposition I think will need to stand alone. And then how the mechanically going about caption that information and publishing it is a subject for a future detailed discussion.
STEAD: What I would encourage is we try to clarify that we are thinking of this at some unit that has the pieces needed to get benefit. And that then you probably want to have an annual or whatever roll-up that communicates the overall value of the effort, but allows the evaluation to be done at the units that in essence are go/no decisions over time. Does that make sense?
GOSS: It is very helpful. And I think Nick’s response, I concur with. And I think that this will be an item that we need to bring forward for some further discussion, or at least maybe a strawman or a subcommittee consideration. We will have a fair amount of lift in the next two weeks, so that we can make sure that the materials are available by October 1st for industries —
COUSSOULE: I think we also have to recognize that our recommendations and calls to action sometimes reflect what we think needs to happen but there will likely be lots of detail that would need to be fleshed out for any one of them.
And I think to Bill’s point, if we are not clear about either the scope or direction of what we are asking for, then we absolutely want to clarify that. But we certainly won’t have the level of detail to say Fred does this today, Sally does that tomorrow. But we do want to make sure we are clear with the direction and the intent. That is very good feedback.
STEAD: We have got a hand up from Denise.
LOVE: Yes, and this is something else I should know. But I am thinking through the process here and WEDI and the SDO.
So the way that it works today is if an entity, I know the states the best, so I will say the state, want to make a modification to the core standard, they go through the DSMO process and the SDO process. Would they go right to the SDO now? How will that flow change?
For instance, when do not resuscitate became data elements, states wanted or pressed it on admission. They worked it through the standard-setting process under HIPAA. Would that be streamlined? It seems that is what we are getting at. I am trying to get to the point where I can communicate it to the states.
GOSS: I don’t think we are trying to shift any aspect of industry going into an SDO environment, recognizing that I am using that term collectively, to make a business case for a change that can then be vetted in a consensus-based process. I think what we are trying to do is speed up the delivery of that. I don’t know if I should even say speed up. The predictable nature of the cycle per entity in the SDO environment.
And enabling that then to move forward in a way that has that wraparound set of services for orchestration, governance, ROI, testing et cetera, with kind of a new envisioned version, a modern-day version of the DSMO that has got the funding and the authority and the support to really do the orchestration.
The standards development processes, especially when you look at the anti-accredited side of the house, I am just going to pick on X12, HL7, NCPDP, they have got very robust due process steps that they have to adhere to. And they have developed over years, if not decades, in some cases, and comply with a very transparent representative due process sort of concepts.
And what we need to do is know that they have got the support from industry to do the development work and be able to produce some on a regular cadence. And we have seen notable advances in some organizations. I think if anybody has been tracking the work that we did related to NCPDP’s latest recommendation, there is a standard upgrade. It was amazing to see the transformation from 15 years ago to what we heard this past, I think it was March. They did in and of themselves the process of developing the standards on a modified process with regular checkpoints with their community.
And even went as far to do their own implementation process dialogue and brought all of that forward into the hearing. That kind of maturation that we want to see across the entire ecosystem, and especially to get the rest of the industry to pay attention and know where to step into those processes and to support them to get better work products in the end.
LOVE: Okay, thank you. And then one really quick one on column A, we see health plans and vendors. I am fine with that. WEDI, which is great, but there is really not a third component for big users of these transactions, the states or the public health. And we have a disintegration of the public health data standards consortium. So there is sort of this missing piece to reach out to the states, as well, and educate, but that could be done over time. I just see that as a missing piece.
GOSS: I agree. And I think providers are missing in here. And I am hopeful that, to some degree, they have got incorporated because of the WEDI process, but I think we were also trying to be mindful of sort of history resources and dynamics. And so, we tried to go with what we thought would at least get the ball rolling. I encourage folks to, as they think about these recommendations and calls to action, what that should look like.
STEAD: Can we advance to the second of the draft call for action slides? Everybody is really getting good at putting their hands back down. That is very helpful.
Do we have any comments or questions on this slide? While people are thinking, I will make my one comment. On H, it seems to me it would be helpful if we could sketch out what a unified ISA might look like and what a unified USCDI might look like, glide path. Our read H is sort of putting them side-by-side. I think your intent is that by the end of 2024, if not before, there would in fact be one plan. Maybe I am misreading. Maybe I am misguessing.
GOSS: I think that your point is well made. And that as we look to the Report to Congress and some of the thoughts that we have about that, we have separate tracks today under law and regulation, and we need to force them to converge. And that your point of sketching out a unified ISA or a USCDI is something that we should bring into the light of day for further consideration, commentary by the industry, and also as part of our collaboration with ONC.
STEAD: Thank you. Any other hands there? Let’s move to the next slide. The recommendations for measurement.
COUSSOULE: I just want to comment on one thing. I think the most important item on this slide is M4. And I know there’s a lot of words and really complicated that industry input is requested. Sorry, being a little facetious here.
But we really do want and encourage not only the committee members to continue providing us that feedback, but to truly engage the folks who have been engaged in this process with us for the last year and a half or more, to continue that engagement and be prepared to agree, disagree, challenge, suggest adjustments and changes in this process.
We are not trying to do this in a vacuum. We recognize that the people who have to go and make the change are generally not the committee members here, but the people on the other side of the phone in call today. So we really encourage, and I ask for your continued excellent participation in this process.
STEAD: We have got hands up from Linda and then Bob.
KLOSS: On M4, I am wondering if it is necessary to have this here. I think that comment applies to all of the recommendations. I don’t think we need to feel like something needs to be in each column. So I thought this was maybe a little redundant. Just a thought.
COUSSOULE: I can respond to that, Linda. We realize that it is, and we frankly debated having it in there or not, but we really wanted to be as clear as we could be in regards to that. It is possible that that might not be in the recommendations after they come out of our discussions with the industry participants in December.
But certainly, as a draft and leading up to that, we wanted to make sure that these were not presented as this is the deal, come tell us what you think, but this is our thoughts initially. We have put a lot of time into these thoughts. We don’t mean to make it sound like they are willy-nilly. But at the same time, we really do want the feedback.
KLOSS: I think that applies to everything, not just this box in measure.
COUSSOULE: It absolutely does. We could have put it in each one or in each page. But the way it is set here, as we wrapped up, we wanted to make sure we sent that message loud and clear. So yes, I would agree that it would account across the spectrum of our recommendations and calls to action and measurements.
STEAD: I actually read it a bit differently, and maybe I am wrong. I actually read M4 as a TBD. You have a column heading, and you don’t have any action except input. I, in essence, read that as TBD.
COUSSOULE: I think it is a little of both. I will let Alix comment, as well. But I do think it is a little bit of both, Bill. To reiterate Linda’s comments, definitely we want the industry feedback applied everywhere. And in this case, it is a little bit of a TBD in that we are not sure, and we don’t have enough clarity into what the regulatory levels that would be from a measurement perspective. So we want that input in an ongoing basis.
STEAD: I get that. Then what you might consider is whether you almost want to state that. Then you are leaving yourself clear that you want the industry input on M1, 2 and 3 also. But that M4 frankly is, at this juncture, too cloudy to lay out until we make some progress on 1, 2 and 3.
GOSS: Well said, Bill.
KLOSS: That would make me more comfortable. Otherwise, I am afraid —
GOSS: At some point, there is a process we need to go through. We can only take this so far at this point, and really feeling that we could do something of value. I think that it is too cloudy at this point to lay this out. But feel free to give us your thoughts if the light of day is clearer for you. I think we can —
KLOSS: And the other thing I was taking literally, the column title, regulatory levers. I mean, there may not need to be any measurement, maybe something, that is within the agency’s ability to undertake without a regulatory permission or requirement. So anyway, I would be more comfortable. Because when I read it, I thought, well, this seems like kind of a throwaway comment. And it diminishes what the whole purpose of the next round of hearings is that industry input is requested on all of this.
STEAD: I think we have gotten the idea down. Let’s move ahead to Bob’s question.
PHILLIPS: Thank you, Bill. I was going to speak more to M1. The need for transparency around enforcement is, I think, just really important
The education and benchmarking equally, I think there is just so much misunderstanding about what HIPAA standards or what come after, how they are enforced, what the penalties are, that drive a lot of strange behavior around HIPAA standards. Some of that strange behavior is overemphasis, and some of it is using documentation to avoid really dealing with the standards. And so I think this is a really critical piece that the field would welcome. That is all I have.
STEAD: Then I think we have gotten to where you can come back to next steps and the prep for the hearing, and bring this home. You have got 10 minutes.
GOSS: I think that the slide clearly shows that our timeline is to wrap up, to incorporate the feedback received today and any other comments people may have in the more extensive narrative documents. And if they could submit that to us, any feedback, by early next week on that narrative, that would be fabulous, so that we can wrap up our documentation and start distributing it by October 1st. That would be phenomenal. So that we are looking to have a December 12th and 13th hearing at the Omni Shoreham Hotel in DC.
And we would ask that if you planned to attend or participate or observe in the hearing, that you would stay at the location at the meeting for a variety of reasons. We will making sure those details are available on our website and more specially to the folks who have participated in our Appreciative Inquiry workshop and CIO forum. We will be making sure you get a whole bunch of related materials in your invitation to that hearing.
What I would ask Nick is if there are any further comments or if we should go ahead and have that one comment read by Rebecca.
COUSSOULE: That is what I was going to suggest as well, Alix. I think we are good. Rebecca can read that.
GOSS: To prime the pump of people’s thinking, turning over to you now, Rebecca.
HINES: I just want to emphasis for especially those not on the standard subcommittee, that the document that Alix was referring to that you are welcome to provide input into is in the e-agenda book. I am trying to find what page it is on, just so that people don’t have to figure it out. Here it is.
So starting on page 94 of the e-agenda book is that narrative that Alix and Nick have been referring to. And Alix, when did you want feedback by?
GOSS: Preferably Monday or Tuesday, but drop is Wednesday, please.
HINES: Okay, so there you all have it. You have until early next week, Wednesday at the absolute latest to send feedback, this draft narrative which is pretty comprehensive.
So during this conversation, Michael with the Office of the National Coordinator sent a comment in that I think I will be of great interest. It is certainly relevant. Here is what he is adding to the conversation.
There is a lot of really cool, interesting work here. I want to make a side note on this topic. And I think it is implicit in what has been represented. But I think it is important to make it explicit. It is important to consider the opportunity as technologies advance to move away from the currently dominant model of building system with clinical bolted on, and towards integrated systems that use one set of underlying standards, or better yet, a single harmonized standard that reflect the reality that this is all supposed to be about one goal, patient care.
Providers, public health and billing payers ultimately really need the same data. What care was given for what patient characteristics, abstracted at different levels, reflecting that in base, date element level perhaps? Standards would do a lot to advance the technology field towards integrated seamless systems.
STEAD: That is a very nice summary of our comments out of both this work and TNV around the need for convergence, the opportunity. Bob, you still got your hand up. Is that carry over? And Rich has his hand up.
LANDEN: Regarding the comment from ONC, I think at the vision level, absolutely, we do very much need to make that explicit. But I also want to make it explicit that that vision does not necessarily translate into a call to migrate to single systems.
The industry has very separate systems at this point in time for much of the day-to-day processing work, both on the clinical side, the payment and financial and quality reporting side. Those systems represent a huge investment, and in the IET world, going back, earlier we talked about think big, act small. We don’t necessarily want to make a decision early on about going to a single underlying system.
So harmonizing the data, yes. But that doesn’t necessarily follow that we want to dismantle. We don’t necessarily want to get into rip and replace thinking for systems and transport. Thanks.
STEAD: I think if you play back to the discussion we had at terminology and vocabulary around the fact that we need to have computable relationships amongst the various standard terms, for example. So that you can have systems that are designed for a purpose but standards that can be tuned to a purpose, and yet reflect some underlying semantic DNA. We will be older before that is done.
LANDEN: Bill, will you promise me that that will happen?
STEAD: I will promise you that we will be older.
COUSSOULE: What we will promise is that we will try.
STEAD: Are we done and ready to shift to beyond HIPAA?
GOSS: We are. I just wanted to do two last final parting words or sentiments. The first one is to Lorraine Doo who has been a phenomenal staff support in all of this and has done a yeoman’s work, in the words of George Argus, in producing the narrative report and guiding the subcommittee’s refinement of this content.
And the other sentiment I want to say is the importance of the stakeholder engagement and the support that they have given through this process, a lot of the participants have battle scars for many years. And their innovative thinking and willingness to think big and act small is very important. And we look forward to their constructive feedback in the form of testimony and ongoing collaboration in December and beyond.
STEAD: I really want to reemphasize both your thanks to Lorraine and my thanks to you and to Nick and to the rest of the subcommittee. It has been awesome work. Thank you. Linda?
Agenda Item: Health Information Privacy and Security Beyond HIPAA
KLOSS: It feels like we need to have some sort of brain twist or something to move from predictability roadmap to the world of beyond HIPAA. But we are good at these transitions.
So I want to start by saying our goal in the next hour and a half or how long it takes, again, is to get your critical thinking as the work of beyond HIPAA continues to evolve. When we left the May meeting, you advised the subcommittee to dedicate some work to taking a stab at a version one model for beyond HIPAA.
As you will recall in May, we kind of drilled down into registries as one of the exemplars of a data phenomenon that exists sometimes beyond the boundaries of the protection of the HIPAA law. And I think we had been kind of prepared to develop additional exemplars.
But your guidance suggested that we kind of take a hard turn and go back to what was one of our goals, which was model development. And that is what the subcommittee has been working on over the summer. So I want to thank our subcommittee members, Nick Coussoule, Jacki Monson, Vickie Mays and Bill, who has been a loyal contributor to each of our subcommittee calls.
The support and the guidance of our lead staff, Rachel Seeger, and our other staff support, Amy Chapper, Kathryn Marchesini, Maya Bernstein, Natalie Gonzalez. So it has been a team effort as all work of the National Committee is.
The first thing I want to point out, and I am going to walk us through this model and ask the subcommittee members to pipe in and ask committee members to raise their hands. I think it is probably best in this instance that we stop and discuss things that may not be clear right at the get-go or as we go along because we are kind of telling a building story here. And we don’t want to leave anybody behind.
The first comment I will make is this title, stewardship by design, as applied to data device and app exemplars, is just very much a working title. So let’s take that as it is, a bit of a throwaway. But we are looking for some good words that might describe our model. So be thinking about that.
What we are looking for also in this next discussion, and we are listening carefully to understanding areas of agreement, disagreement or resonance about this model as it is developing. I will also call out that in addition to our subcommittee and our lead and other staff, we went outside of the group and called upon for past members of the privacy confidentiality and subcommittee for a reaction to an earlier version of the model.
And we got outstanding feedback. And when we talk about the plan going forward, we intend to incorporate your suggestions and then go back to our broader reactor panel to help us shape this.
So just as a reminder, our Beyond HIPAA initiative is building on past committee work and the work of other government and private initiatives to consider the health data privacy and security framework for 21st century health information challenges. Specifically, we were to identify and describe the changing environment and the risk to privacy and security of confidential health information, and highlight promising policies, practices and technologies.
You will recall that we completed and we published the environmental scan. I think it went up in December of 2017. We were then to lay out integrative models for how best to protect individuals’ privacy and secure health data uses outside of HIPAA protections, while enabling useful uses, services and research.
And we began, as I said, by looking at areas of good examples or use cases that had emerged in the environmental scan. But we have taken a turn to going back to trying to take a stab at a model.
In an effort to certainly formulate recommendations for the secretary on actions that HHS and other federal departments might take, and report a report for health data stewards. We will return to the question of at what point we may be ready to formulate recommendations. And before we are done with this session, we will also return to the question of whether the key themes that will feed into the report for Congress because that is most certainly one of the audiences.
Also, what we plan to do today, as we did in May, you will recall we had a briefing on the general data protection rule in Europe that became effective in May. Today, we are going to take you through the model. And then Jacki Monson from our committee is going to give a brief overview of the new California consumer data protection law that just was enacted in June. So things are moving quickly on the front. And we want to make sure we are aligning our work to how our environment is changing.
Next slide, quick highlighting of work to date. I think I have already covered that. Our goal today is model framing. Version 1.0 was developed by the subcommittee. We got outstanding comments from our external reviewers. And we have produced essentially a version 1.1 for your critique today. And then we will talk about where we think we might go next.
What we realized is that in thinking about the world beyond HIPAA, what we are trying to mitigate against is our potential problem, which also may be referred to as harms. I think there is a number of ways that we could describe these.
But what happens if personally-identifiable information is wrongly used? What might the adverse experiences be? So we delved some into the issue of harms. And we also realized that there is a companion issue of risk. You will see threading through this the issue of looking at this world outside of HIPAA through the lens of what are the risks and what are the harms?
We expect that over the long haul that what will guide the recommendations is perhaps a very realistic look and addressing first the greatest risks and harm area, and perhaps setting aside others. But I think we needed some anchor, some way to anchor this. Why is this beyond HIPAA important? It really does relate to what are the risks to individuals and what are the potential harms?
So this slide is borrowed from NIST through recent publication and introduction to privacy engineering and risk management. And they acknowledged that there are a range of problems, which they say may be referred to as privacy harms, privacy violations, privacy intrusions, privacy invasions, privacy problems. But they flow from loss of trust, potential for discrimination, loss of self-determination, inability to actually make personal choices, economic loss, a full range of issues that we know lurk out there.
And as we are putting this kind of background together, so that we think about this in terms of harms and risks, in his recent book, which I have read just very recently, Michael Chertoff, the former US Secretary of Homeland Security, as you know, has written a book called Exploding Data, Reclaiming Cybersecurity in the Digital Age. And there was a concept there that I thought also was important for us to think about.
He said that in the current context of data 3.0 era, which is most certainly what we are talking about in this world beyond HIPAA, what we are worried about in this world beyond HIPAA, he makes the argument that privacy is too narrow a value in this context. That privacy is about concealing behavior or information from others in a private space.
And that we should be focusing on what we can do to preserve autonomy, the value of autonomy, which is the very core of freedom. autonomy is the ability to make our own personal choices, restricted only by transparent laws and also influenced by social norms affecting our reputations within our communities.
I think this is a little theoretical to lay on you right now, but I want us to be thinking about how we position what comes out of our consideration and analysis. And I think that the idea of looking at autonomy is certainly underlying the General Data Protection Act. And it is certainly underlying the direction that California is going. I think we will come back to that. So this feedback came from our outside reviewers, that we need to kind of focus on the risks and harms that we are trying to mitigate through our focus on beyond HIPAA.
I thought that NIST made a further, really important point. And that is that one way to look at this risk of harms is from the standpoint of how likely contextual analysis and how likely a problem is to occur, and then what its impact is. Again, a high-risk, high-impact harms may be something that we first focus on and prioritize.
And I would go back to the work that we did in the de-identification letter, where we actually made an explicit recommendation to HHS that there be research done on identifying a way of categorizing and describing risks and harms. And so I think we have done some work, and we have said something about this. And we may need to bring it to this discussion in order to get our arms around it.
Let me stop there. I am going to get specific and dive into our model. I hope that made some sense. So risk, harm, how do we identify what we are worried about as we start looking at what mitigating steps might be taken.
And then the fact that we don’t have to reinvent the wheel.
STEAD: Raise your tent cards if you have questions or comments.
KLOSS: All right. Then let’s continue on. Look at these as sort of a build slide because we needed to get a number of concepts in here, so there are four or five to kind of get us to the main event. And look at this first two red blocks, HIPAA-covered entities and business associates. And the next one, data users not covered by HIPAA. We kind of are looking at this as a left-to-right continuum.
We don’t think, as we look at what mitigating steps could be taken to improve the protection of information beyond HIPAA, the obligation isn’t just only on those data users that are not covered by HIPAA. There are some mitigating steps that can be taken by those who are already under the HIPAA umbrella. So we see this as a continuum.
The issues are a little different. If you are already covered by HIPAA, then you are concerned with compliance risk. And that we have defined on this slide as exposure to penalties or corrective action when a HIPAA-covered organization fails to act in accordance with laws and regulations. So what drives many HIPAA-covered entities is this concern with compliance risks. What do we need to do to make sure we aren’t reported to OCR or we don’t have exposure that could lead to a lawsuit?
What is missing in our protective mechanisms is we migrate over as sort of the use and disclosure risk beyond HIPAA, which we have defined as a risk that a user or an intruder. Could user access protect the dataset to derive confidential information on an individual? So this is really new territory.
But look at this as a left-to-right continuum, so that we are looking in the beyond HIPAA space at both HIPAA-covered entities, business associates and data users not covered by HIPAA. And we are using a definition of risk as the potential threat, and the likelihood and the relevance of the things we have just gone through. It makes sense, just basic HIPAA, non-HIPAA.
Then if we look at the next, we have added kind of the guts of this continuum. We think the way to advance the beyond HIPAA is to again take this as a continuum where those who are already covered entities and business associates can do more, can do more, are not obligated to do more, but can do more to adopt protections that go beyond regulatory compliance.
And we know leading organizations are doing that already, though we had some feedback and some discussion about how realistic that is to expect anyone to go beyond. But I think this is the same discussion that kind of we have been having in the predictability roadmap sense. There are protections beyond regulatory compliance and forward-thinking organizations, such as Sutter Health. Jacki has shared many stories that are already in that space.
We also think that there are improved data stewardship approaches that can be taken by entities that are not covered entities or live at that intersection that we were probing with the registry use case. Those who are not covered can improve data stewardship. That certainly was the spirit with which we develop the stewardship framework for community use of health data.
And then in the farthest right, we can, as a society, enact new data protections that fill in that space, particularly as it relates to risks and potential harm in the area of use, disclosure, reuse, et cetera.
Now continuing the build, our insight was that these mechanisms exist both in the public and private sector. So this isn’t all government initiative only. As we move from the regulated, if you will, world on the far left, the unregulated world on the far right, there are both public actions that can be taken, as well as private mechanisms that can be put in place by those who are willing, if you will, to go beyond what is (audio cuts out).
Any questions? All right. Then let’s move to the next slide. This is kind of the model as it now exists where all the pieces are kind of pulled together. We see HIPAA-covered entities, business associates, data users that are not covered by HIPAA. We see the progression from compliance risk to broader use and disclosure risk.
And we could transition that description from risk to harm. And that may be an area that we see how we might possibly depict clearly. And then in red are a series of potential mechanisms that private entities could be taking. And in blue are the steps sort of aligned with what we just did in predictability roadmap where this is the federal or governmental jurisdiction.
So I would like to walk us through those and certainly get any ideas that you may have. We had some reflection on some of these concepts actually yesterday in the small area data presentations where there was reference to disclosure avoidance techniques and privacy preserving small area estimates. And I think that makes the point that there really is a lot of development and improvement going on, but not captured in any organized way or organized in any kind of model that one can follow.
So let’s look at the adopt protections beyond regulatory compliance column, the far right. This would be the domain of those that are already covered by HIPAA. But they could, in the first bullet, and should be requiring data-sharing and data-use agreements before releasing PHI. Even and probably are, but may not be consistently doing it.
And we could broaden that even that data-sharing and data-use agreements as we discussed when we talked about registries could be adopted or required for even deidentified datasets. Covered entities could strengthen their risk management practices and their de-identification policies overall. Covered entities could improve transparency regarding uses and disclosures of their data.
We could recommend that there be expansion of the definition of business associates to cover more of the entities that are getting and using deidentified or personally identifiable information and some of the entities that we just talked about in the context of predictability roadmap that are now covered entities in our business associates.
And the FDA could require privacy and security functionality for approved devices. There are levers, in other words, that federal agencies could take now to insert the HIPAA privacy and security principles more tightly into current uses for data. Any comments on that?
This is a lift because it is suggesting that covered entities and business associates who aren’t always implementing HIPAA effectively now are called upon to, for the good of the order, to do more. And we had some interesting discussions about how that happens on a voluntary basis and if it might without the lever. Bruce?
COHEN: This is really fantastic stuff, Linda. This is a wonderful model development. I would just expand that bullet that says federal expansion of definition. I would just put federal expansion of definition of covered entities because it is not just business associates. It could be other kinds of data systems.
KLOSS: It could be either, yes.
COHEN: I think if you made that a little broader, it would be better.
KLOSS: Okay. And Rachel is capturing all your suggestions for us. Rich, you have your hand up.
LANDEN: Yes. My point of departure is the last bullet on the third column of this slide, enactment of new data protections in the bullet states could better regulate data protection. On the clinical side since high-tech and meaningful use, one of the police premises is that data needs to follow the patient or, for broadening, data needs to follow the person. And we have got a lot of stuff in place toward interoperability.
So persons can move around the country, so a state-based system would be extremely challenging. I don’t want to get into constitution stuff and states’ rights and all that. Recognize that. But it would be extremely challenging to operate at a state level that could protect a person as that person chose to move across states. I think our model needs to be cognizant of do we or do we not want the data to follow the patient.
And then following from that, the decision is does the patient control or the person control his or her own data, which gets into some opt-in/opt-out and under the current ONC on the clinical side gives the patient the right to send data anywhere he or she chooses, irrespective of anybody’s judgment about the risk of where that data is going. Just some thoughts about the model and some of the premises underlying it, and where is the control of data vested in organizations, either private or governmental, and where is the control vested in the person?
KLOSS: Thank you. I think those are both great topics for our continued discussion. That is why, as soon as we complete walking through this particular slide, then Jacki is going to describe for us what California is doing. And just to reiterate, the way we are putting this forward, we use the words, could, once in a while I guess should is there, but I am not sure that is as deliberate as it may have been editorial. But we were trying here as this first round to lay out some reasonable examples, what could happen going forward.
So if we look at that second column, oh, Denise, you have a —
LOVE: I may have missed it, but on the last bullet on the third column, states could better regulate data protection. There is a lot in there that I don’t understand.
KLOSS: There is a lot in each of these bullets.
LOVE: It is really highly regulated, but I don’t think we are calling for more. Are we calling for more uniformity? I don’t know how to interpret that.
KLOSS: Let me walk through column two and then column three. And I promise we are going to probe on this state issue more.
So column two, again, this is in that kind of space that is at the juncture where there is an entity that is handling data. It may be a registry. It may be an app. It may be a personal health device. But there are opportunities for introducing improvements, the data stewardship. And here you see the first bullet is, with greater understanding, consumers could proactively exercise their rights to privacy and confidentiality.
So there is a consumer thread through here most certainly to Rich’s point. Data holders, and we use that phrase just as sort of a catch-all for those who may be processing, storing, handling data in an app or in a use, should improve their adherence to fair information practices, principles, that organizations could elect to voluntarily certify data holders, applications or device manufacturers.
We don’t have any privacy check process beyond what existed in meaningful use. Standards development organizations could strengthen standards for data management, privacy and security. And those are kind of private sector mechanisms that are possible. There may be others. And if there are others, we would love to have you add to this list.
In the public sector, in improving data stewardship, agencies could issue enhanced self-regulatory guidance on practices for managing PII and more robust best practices for de-identification. This doesn’t necessarily take up change to the law. The agencies can issue self-regulatory guidance.
The FTC could enforce breach notification rules, and app guidance could be strengthened. Organizations could adopt certification and accreditation of DII data holders. There could be a certification process.
In the third column —
STEAD: I would just note, Linda, that your dog’s contribution to the development of this model has been substantive through each of the meetings.
KLOSS: It is too hot to put her outside. Usually when I have a conference call, I will put her outside. But today, it is too warm. And the pest control man just arrived to sweep the outside of the house. That is what is going on here.
At the far right then is the enactment of new data protections. We see the potential for consumers to proactively demand greater choice and protection of their information. That is the phenomena most assuredly that has led to the general data protection rule and the work in California.
We could see FTC taking its role, Congress broadening the role of the FTC, a more stringent regulation beyond what its current powers are. There could be a federal data protection law enacted in the United States. Congress could expand the definition of HIPAA, and states could better regulate data protection.
So as we saw in our last discussion on predictability, things that we put in the right aren’t the things that are absolutely the heaviest listening here, but are pretty important. And this whole grappling with what the national policy is most assuredly something that needs to drive our model.
And how far we go is a decision that this committee will have to make as we move towards formulating recommendations. Are we going to be bold? Are we going to be modest, incremental? And I think that is a discussion that I would love this committee to have in a few moments after we hear from Jacki about what California is doing. Then we will come back, and we will talk a little bit further about how we took a first stab at applying this model to three use cases, and then where we think we go next.
Is that fair? Any other overall reaction or questions on this? When we put these bullets in here, it wasn’t with the idea that this is a recommendation. These are potential mechanisms. And they may not be all of them.
STEAD: I think the real question for the committee is whether this begins to paint the picture of what the levers might look like against the landscape of the different challenges and the different public-private components. Just really trying to give you a picture of the landscape.
KLOSS: And a way of framing that landscape that includes both the regulated and the unregulated.
STEAD: In essence, would be, in some way, this would result in a picture, in some sort of something that would be like our 2001 on for health statistics.
KLOSS: Yes, maybe more visual as we go further.
STEAD: Right. And then we would develop more concrete recommendations reflecting that vision.
Alix has her hand up.
GOSS: We have consumers in the third column, and I am really happy to see the consumers there because I think they need to be active participants.
KLOSS: And in the second column.
GOSS: What I want to channel here is the level of education and caring that is created by that education within the consumer environment. Especially when you think about today’s social media.
I think they are an integral part of the puzzle pieces, so I am glad you included it. Thank you.
KLOSS: Anyone else have a comment now? Or shall we proceed and then come back to discussing how this applies? Jacki, will you give us an overview of new developments?
MONSON: I will. And unfortunately, I lost WebEx connectivity. I have the slides, but I can’t see what you are seeing. Hopefully it is the CCPA slide.
So the California Consumer Protection Act is an act that they are dubbing the sort of GDPR of California. The bill came out in June of this year. And interestingly enough, there is already an amendment on the California Governor’s desk for review based on some activist reviewing it and the California Attorney General.
So the purpose of it really is to give consumers more privacy rights and transparency. And in my opinion, I think the reason why they fast-tracked this law so quick is because of the controversy that was going on around Facebook and Uber that you might have heard of that are California companies who had some issues with not necessarily being transparent with consumers. It does not, for the most part, apply to non-profits. They are excluded.
Who does it apply to? It applies to for-profit business entities in California that have a gross revenue of $25 million or more. A company that receives or shares more than 50,000 consumers, households or devices. I will just note, there is pretty broad applicability. And then more than 50 percent of the revenue from the sales protected health information.
They tried to intertwine exception, what I call statutory exceptions, which means that if the entity has to comply with these, it doesn’t necessarily mean that they are excluded. It means that the statute wouldn’t be in scope. And so the particular statutes that right now they have out of scope or as an exception would be HIPAA, CMIA, also knows as the California Medical Information Act. And then the Gramm-Leach-Biley Act, which is mostly applicable to financial institutions.
STEAD: Jacki, are those inclusion criteria ands or ors? If any one of them applies?
MONSON: They are ors.
GOSS: So that means that CCPA trumps the applicability of HIPAA?
MONSON: What it means is that if HIPAA applies in a situation, like say there is the disclosure of protected health information that happens at Sutter, if HIPAA applies, then this particular law would say we are going to take a back seat to HIPAA. But if the scope of that protected health information breach is beyond, say it includes more data elements than requirements of HIPAA, or includes medical information, then in this case that law would apply.
GOSS: Who is more stringent?
MONSON: Right, whichever one is more stringent would trump. The next two slides, I am just going to highlight some of it. Obviously, it is a huge build, so I tried to summarize what I thought was most applicable to this group and really the broad-arching pieces to it. But it is not encompassing of everything.
So really what the purpose of this was, to give consumers ownership, control and security of their personal information. So that is sort of the over-arching view of the build. So HIPAA has PHI as the definition, CMIA or that California Medical Information Act, defines it completely different. And in this law, it defines as personal information. That definition I included because I think it is important.
It identifies, relates to, describes, is capable of being associated with or could be reasonably linked directly or indirectly with a particular consumer or household. It includes devices. If you wanted to find beyond HIPAA, I think this is probably it and then some.
So consumers are given particular rights. They are given access report rights. An access report is that I could request from a California business how they use my personal information, and they would be required to provide me a report to tell me that.
You also have the right as a consumer to have your information removed or erased from business systems. If it was personal information, and I wanted it removed or erased, I could make that request. And the organization has to reasonably comply with that and actually remove the data from our systems.
And then the next one is to opt out of selling of data at any time. And if a person opts out to the sale of data, say I don’t want my personal information sold, then a company can’t go back and request again for at least 12 months the sale of the data. And they also are required to, if I want to say I never want my data sold by you, I have that right. And they don’t have the ability to come back and ask me again. It is really heavily focused on what I call opt-in consent, which is trying to get individuals to consent to their information being shared with third parties, particularly the sale of the information.
And what I will just highlight is very interesting to me is that it actually focuses on minors, too. From age 13 to 18, it actually gives minors the right to sign and opt in or opt out for their information. And then before 13, they actually have to get ahold of their parents or guardian.
And what is interesting is, if you think about it, a lot of times datasets, particularly in business, might not necessarily have the age of the individual. So it might actually require organizations to collect more data to be able to accommodate these requirements.
So just continuing the highlights, businesses are required to post details on their website or other public means about how they are using or not using consumer data for a rolling 12 months, and then again having clear opt out instructions that either have the ability to opt out to a particular dataset or opt out period of the use of their information. And so it is really interesting that they would be required, businesses for 12 months. They really would have to know where their data is and be able to data map it. Every avenue, to be able to provide on their website where information is going.
It would be very interesting to see how that works out for many companies, many business associates or other vendors who are working with them to perform a function on their behalf. It will require complete control over their vendors, in addition to what they are doing.
And then, of course, access reports. As you might recall with HIPAA, access reports are extremely challenging to be able to provide and don’t necessarily tell a complete story. And this particular regulation, it is not entirely clear what is in scope or out of scope of the access reports. It just simply states that an individual has the right to know where their information went via the access report.
And then in addition to that, it is a requirement for businesses to reasonably safeguard consumer data. There is not a lot of detail on what that means. They refer to another California regulation, 1798, which is another statue run by the California Attorney General with breach notification requirement for California businesses. And really, all that loss does is that you have to encrypt the data and reasonably secure it. So not too specific on what that means or what kind of details.
It has significant damage implications for the business that they failed to comply. It is $7500 right now per violation. And it is not entirely clear in the act right now what per violation means. If it is more than one data element, is each one of those disclosures a violation? Or is that disclosure of that individual one violation? That is part of the addendum that folks are requesting as they want more clear clarification on that.
And then consumers do have a right of private action. It is limited. They limit it from $100 to $750 per violation. Then the compliance requirement for this particular act is January of 2020.
Questions that I can answer?
STEAD: Denise and Linda, and I will raise my hand, also.
LOVE: I may have missed it, so please let me know. But I am trying to think how this affects OSHPD and its public and research data files and any upcoming all-payor claims database that is in the pipeline and what this means.
Let me say also that states, like OSHPD, historically have sold de-identified limited use files. Not so much in California, but in other states as a source of revenue because there is a lot of third-party take-up proven as one that buys the de-identified micro data files for their business purposes. I am just trying to unravel what that means for the public data collection of hospital and claims data.
MONSON: It is within scope. So if they are collecting 50,000 consumer household data of California, they would completely apply to them. I do know that the amendment that is on the governor’s desk that was passed through both the House and Congress in California is asking for that particular function to be excluded from this, both research and any public question of data. But as of the act right now, it would be within scope.
LOVE: That is really unfortunate. We have to have a fine line between the public good and knowledge and quasi research, if not research. And locking up data is good for the patient, I suppose. But it is bad for the patient, as well. Because if we don’t have a broad scope of the population, the study, then we don’t know what is going on. I just think it is out of balance when privacy and access and protections, if any one of those gets out of balance, it doesn’t serve the public good. I am a little concerned.
MONSON: I think they didn’t contemplate. This bill was drafted and pushed through in three months. And it was really focused on the Uber and Facebook, Silicon Valley type companies who are exchanging data. And they didn’t necessarily contemplate, from what I know and reading the commentary, and obviously following the legislation, what the impact would be to others.
I think they made an attempt by making exceptions for the statues, HIPAA and CMIA, but didn’t necessarily go further in how this could particularly impact other data sharing. I do know that some of these proposed amendments have passed will address that. But if they are not passed, I completely understand your point.
LOVE: One more thing is like for 25 years, if not more, OSHPD has successfully released the data without any breaches, and it has done huge — if you just look from HCUP down to Truven databases and market scans and everything else, the good it has done compared to the risk. So I am preaching to the choir, I am sure. But I am really concerned.
STEAD: Thank you. Linda and then Rich, then me, then Alix and Vickie.
KLOSS: Jacki, will there be development now of regulations based on the law? So the devil will be in the detail, and there will be opportunities for comment as this comes together? What do you see happening between now and January 2020, the effective date?
MONSON: I expect multiple addendums. I think that the California Attorney General took the first stab at requesting the addendums, which are sitting on the governor’s desk right now. I think as people are processing how they would have the opportunity to comply, even though, for example, most hospitals are non-profit, most aspects of hospitals have some for-profit.
And so trying to distinguish between PHI and personal information has been lots of challenging conversations. The California Hospital Association is involved. So I expect more addendums to the law to seek clarification before January of 2020. And I also expect that they are probably going to extend the compliance date because there is obviously a significant amount of burden on the businesses to try to address how to do this. And similar to with GDPR, it is a really short runway to redevelop your systems in a different way to address this particular law.
LANDEN: When I first was listening to the description, I said OMG, can a patient then request that his or her electronic health record data be deleted. But as I thought more about it and went back to your slide, one of the bullets on who it applies to is organizations that get more than 50 percent of their revenue from the sale of PHI, so that would include even for-profit hospitals. Am I correct in that conclusion, that patients can’t request deletion?
MONSON: That is correct that they can’t request deletion because it would fall under HIPAA and protected health information and other California more stringent laws. So that wouldn’t happen to a for-p0rofit or non-profit hospital.
I think the more challenging aspects that hospitals are going to face, whether they are for profit or non-profit, is how you define the difference between protected health information in the scope of HIPAA, and this very, very broad definition of personal information. And then how you have those conversations with patients who are going to believe that it does apply.
And for the Sutter example, we have some non-profit entities that do get protected health information because they might be doing billing processing, not just for Sutter, but also for other organizations. And so those are the things that we are grappling with trying to figure out the applicability of it.
And we are obviously working with the California Hospital Association because the desire obviously is to make that entirely clear because imagine the patient safety risk. And even trying to delete information from the system, even for a HIPAA amendment, is really challenging to do. Systems just aren’t built like that. I can’t imagine trying to comply with that in a year and a half without getting some more clarification on what that means.
STEAD: You addressed my question there, so I will go onto Alix.
GOSS: A great discussion so far, and I really appreciate the response to Rich’s commentary because it helps put a fine point in what I want to ask, which is two parts. The first one is to confirm my belief that the citizen doesn’t have to reside in California potentially to be encapsulated in as being covered under this act.
MONSON: That is correct. So if for example, you are a Facebook user, this act would apply to you because they are a California business.
GOSS: Or it could trip into the example that you were just getting at under the HIPAA stuff, where you may have gotten public use file through a data use agreement with Medicare. So you are getting like the Truven scenario where you are using data that is applicable here, but may be coming from another part, maybe about a citizen in another part of the country.
MONSON: Absolutely. That and vendors aren’t excluded, business associates aren’t excluded. It is pretty broad encompassing. Similar to GDPR, as you know, although GDPR is European-focused, there are US-based companies that have to comply with it. And therefore, US consumers have the same rights as European citizens do if their company has to comply.
GOSS: We have just upped the ante on the complexity for everyday Suzie Q to understand what this is all about and what their rights are, going back to an earlier comment I made about channeling Bob Phillips.
My second question is really about any sense of whether or not we are going to have other states trying to piggy back on this?
MONSON: Absolutely. Usually, California is the leader in most regulatory space, but particularly in privacy and security. And I know that there are many states who are watching. Florida is watching, Minnesota is watching, some of them are actually in public dialogue with the California Attorney General. I expect that we are going to see drafted legislation similar to this pretty quickly because there is an out crying of consumers who are concerned with their data and it being sold without them knowing it.
They are feeling the pressures of that, but usually wait for California to adopt before they start drafting. It is very interesting to me that folks are already starting to draft those laws. I think we might see it more in motion before this even has compliance date because we still have a year and a half before it is enacted.
GOSS: I think you just said something that triggered other questions for me, which is about the date sales aspect of it and how we don’t let this become, if it is data sales focused, revenue generating for profit companies, we need to make sure that people aren’t using this protection avenue to block public health, population health for the public good kind of going back to some of Denise’s comments. Because people take a law or a reg with good intention, and then use it as a blocking agent to not inappropriately.
MONSON: It is a very fair concern. And it is a concern that health care organizations in California currently have today, as well as the public agencies who are actually requesting the data. And hopefully in the addendums, that will be addressed. But if it is not, it is definitely a big concern.
And in California, we have more than 100 privacy laws today. And I can tell you it is really challenging when I am interacting with patients, trying to get them to understand which one can apply. We have to do our own legal analysis to figure that out first, and then to try to explain that to a lay person who doesn’t know all of this. They just walked in under the presumption that it all applies, and they want to exercise their rights.
GOSS: Well, especially when you think about business models around accountable communities and the data analysis that they need for trying their community health needs assessment. And just figuring out what is the right thing to help a community be healthier and have more productive citizens and address inequities, whether that data analysis is coming to a for-profit organization suddenly opens up a big can of worms for me.
STEAD: I want to try to control to agenda, if I can. We have got Vickie, then Bob, then Nick with hands up. And Linda, I don’t know how long you are planning to let this set of questions take place.
KLOSS: I think we can give it another five minutes and still get through the rest of our agenda.
MAYS: I am going to try to be brief because Jacki really answered a lot of questions. But I am just going to put out there a few of the complexities.
One of those is that even though the non-profits, one of the problems is everybody seems to have this public-private partnership. So for example in the UC, we are having to go through an incredible amount of looking at everything from research. It is not just in the patient care, but it is also like we use sales and services to provide certain things in terms of research.
I am going to read just something quickly from our internal working documents we have. Personal information includes any information that identifies, relates to, describes, is capable of being associated with or that could reasonably be linked directly or indirectly with a particular consumer or household. This includes biometric data, internet activity and consumer profiles based on inferences from various bits of data, as well as education and employment related information. It has taken us a whole host of people to really figure out all the ways in which we have to comply.
I can tell you that there are going to be addendums, particularly Denise, you are worried about some of the research stuff that I already know that there have been addendums that people are trying to work on to address the very things that you are concerned about. I will stop there.
STEAD: Bob, you can channel yourself now.
PHILLIPS: I think there are a couple of things here to comment on. One is the concerns about the ripples of this. I mean, even the European policy, watching organizations here try and deal with it when it has no real direct application, but largely out of fear that something like California’s law will happen, has been pretty amazing.
I think that there is an opportunity for us to play a role in helping articulate the concerns and offering assistance, if not a convening role, in helping states who are thinking about doing this develop better laws that particularly protect the public health functions that HIPAA did and that Denise has brought up.
And the second is a convening role to help clarify just what the laws and the rules that come from them, what do they actually mean and how do you meaningfully respond to them. I think both of those functions would be really important if California passes this or if other states start to tackle it, too.
MONSON: I completely agree. It is passed. I think it is a matter of when other states do, as Vickie alluded to. We are all hoping that there are some addendums that make this a little less broad than we all think its original intent was.
COUSSOULE: Just a couple of comments and a question. I know HIPAA is kind of excluded from this. But unfortunately, not everybody is covered by HIPAA that is in the middle of our kind of health care ecosystem. So there is likely to be a lot of unintended consequences, I believe, through this.
Number two, when we have each state kind of making their own rules, and I recognize California is typically on the bleeding edge of these things and also usually the most restrictive, we still end up in an environment where we can have 50 different sets of rules that everybody has to comply with.
And you end up with not a least common denominator model, but a least common denominator model because you have to meet all those obligations if you happen to operate in all 50 states. I think that is something I think somebody said earlier that the committee can help to create a recognition of what that might mean for things that are in our purview.
Also, these types of things don’t generally get less restrictive over time, but more so. I think from kind of an entropy and chaos kind of rain model that they tend to, over time, get more and more complicated. Those are just personal beliefs.
And the last one is a question, as well as a belief, that incentives typically drive behavior. The businesses can be fined $7500 per violation, depending on how you define that. Those numbers could get really big really quickly. Consumers have a right to private action, which is slightly less so. And most individuals would recognize, unless there is some class action stuff set up, that their cost to pursue is probably not going to be worth it.
But I have an interesting question. If the businesses get fined, where does the money go? Does the money go to the state, or does the money go to the individuals who were harmed in that, or at least likely harmed, in that process? That then drives the different entities who might be involved and interested in trying to collect the money.
MONSON: It goes to the California Attorney General, so it goes to the government. And the only money that would go the consumer would be their private right of action of that 100 to 700 per violation. And then I am sure they would have the right in California. We have some class action laws that they would obviously have their right to exercise, too.
COUSSOULE: The last point I would make is that as we talk about oftentimes the need for more information-sharing and more information availability in the provision of care and lots of different impacts of that from a system perspective, from a community perspective, you really hope that as these laws get implemented and more over time, they don’t create another barrier to improving community care.
STEAD: Let’s let Denise have the last brief word, and then let’s close this part out.
LOVE: I just wanted to echo what Bob said. I am just raising the question that if the committee’s role could be, as these things promulgate or potentially promulgate or have promulgated, that the committee articulates some education pieces to consumers why their information is critical to public health, population health, but also price transparency.
I know California is about to embark on this price transparency journey with us. It can’t be done without the patient contribution of their data. And they get back much more than they give. I am just guessing some educational pieces in the future for the committee.
KLOSS: Thank you, Jacki, and thank you all. I knew this would be a noon-hour wake-up topic. It just seems so clear that what happens in the vacuum of keeping pace, the law must evolve in ways to control the use private parties can make of individual data. I think that is what we are seeing in the general data protection rule. And that is what we are seeing here and inevitably in the work of other states.
I think it underscores two things that our environmental scan is a living document and already a little bit out of date. And there is a real role for the committee in putting forth a stake in the ground that suggests that being proactive in introducing mechanisms booth in the public and private sector is overdue.
The question to the committee now is are we heading in the right track? Do we rip this up and find another way to demonstrate the scope of the work? I mean, we are to the point of making recommendations. But we did take a stab at applying this draft model to the use cases operating at the intersection of the HIPAA covered and unregulated world.
This is kind of where we left off last time. But we revisited the use cases in light of this model. So three areas, health data registries, personal health devices and we used geofencing as an example of an app. WE sort of thought that these were three kind of different paths, but representative of this world of the intersection.
You saw just a first cut at showing what kind of mechanisms might exist for registries. As we discussed last time, covered entities can go beyond what is strictly required and require, if you will, data use agreements, which include prohibitions against re-identification and re-disclosure.
Covered entities can offer patients an opportunity to opt out of registries, making very explicit that this is a use being made for their data. That kind of can be beyond the treatment payment health care operations. Covered entities can strengthen the management of de-identified datasets. And they can certainly take part in certification, voluntary certification, efforts for registry sponsors. So that the public has some assurance that registry sponsors are, in fact, have in place reasonable data stewardship practices.
The public sector with regard to registries, we saw the OCR could issue guidance in this regard, sub regulatory guidance. There could be mandatory accreditation for registries as a part of funding streams. So CMS certainly has some leverage here to tighten their oversight of registries when those registries are requirements of funding.
And from a standpoint of enacting new protections, they could be rolled up and covered by a broader definition of covered entity or business associates. So that is just an example of our test whether this model can be applied. Any comments on that?
We did the same then for personal health devices. The mechanisms put forth are a little bit different. But there are some consistency. Again, covered entities can make sure that there are business associate agreements. Covered entities can expand patient education. That is a typo, sorry, about registry uses.
I am not going to read all of these. But you see where we are going. We can tee up some examples of what are the top of mind low-hanging fruit options for tightening down the current system without major regulatory change.
And then the third is the geofencing app. Covered entities step up information to patients about the risk of using location features when they are sitting in emergency departments. There could be broader enforcement of breach and use of data from apps. In the private sector, people could proactively demand greater choice and protection of their information, i.e., the California law. And Congress can adopt federal data protection laws, or states can regulate data protection. So there are ways to put a cap on this or give greater transparency to these uses.
So we didn’t do a lot of work. And you can see from these, these are very early drafts. I apologize for some of the typos. It was a check by the subcommittee that this kind of does work in different settings. Any comments on those before we move on?
COHEN: I am wondering, Linda, given California’s law, whether it would be possible to adapt the model. I really like the model of compliance risk through disclosure risk, and looking at private and public entities. Is there any way to adapt the model to be able to evaluate emerging privacy laws, like this California example?
KLOSS: Interesting suggestion. I think we could. We may find that given all of its definitions and scope, it doesn’t solve some of the problems we are dealing with. In fact, it probably doesn’t solve many of the problems we are dealing with. But there certainly is some overlap. We would be happy to chew on that. Thank you.
STEAD: It seems to me that what we might be able to chew on is the degree to which the model clarifies the questions that would need to be explicitly dealt with to make the California law workable. Is that what you are thinking?
KLOSS: When Bruce asked the question, I immediately kind of went to a Venn diagram in my mind, thinking how much of what we are talking about in the unregulated health information world would actually be addressed by the California law, given the focus on the commercial uses of data. But I think we could chew on scope.
STEAD: I think the challenge of that is the lack of clarity at what happens with Jacki’s statement the most stringent law applies. What that, I think, does is create some difficulty understanding. I am not sure, as I listen to this, that the statement that the HIPAA exception would mean that they couldn’t ask to have data deleted from their medical record. Maybe they could if the more stringent law applies. I don’t know. A lot to be defined.
KLOSS: I want to wrap up kind of our overview and then consider where we go next. We wrestled with the recommendation from the committee last time that we take a look at how we can ground this model on ethics. And we did do some thinking about that. I think we decided that we needed to ground this model on principles. That ethics is kind of the domain of professional codes. And it doesn’t eliminate that, but it didn’t seem sufficient as grounding.
We thought we would want the model to reflect professional codes, which is certainly stewardship, privacy. But also derived from fair information practice principles, which does undergird HIPAA and has been used by NCVHS throughout in various privacy and security guidance work that we have done.
I think the expanded articulation of fair information practice principles that reflect the rights of data subjects in GDPR and in California Privacy Act, this diagram actually is reflective of the list of individual rights that very much ground the general data protection rule. We wrestled with the ethical principles. We think it is a combination of ethics and the fair information practice principles, which flow through our work, flow through the environmental scan and certainly the no data protection rules.
Where do we go from here? If we have general resonance from the committee that we are heading in the right direction, we want next to take this version 1.1 and send it back to our panel of outside experts, which includes Bob Gellman, Mark Rothstein, Leslie Francis and Barbara Evans, our past members of this committee who have been part of thinking about or introducing the concept of beyond HIPAA over the years. And just get their next round of reaction to this.
Then at our last subcommittee meeting, we thought that it was time to take a stab at turning this PowerPoint into a short written narrative report from converting the slides to narratives. It kind of tells its own story.
It won’t be something that we necessarily act on formally. But it will help. I think it will force us to clarify our thinking and be pretty precise in how we tell this story.
Fourth, as the next step, certainly we have themes to incorporate in the 13th report to Congress because this is bullseye HIPAA work. And I will talk next about that. And then fifth, we think that it is probably time to convene either a hearing or a roundtable in 2019, early 2019, for model development and path forward. Hopefully, we could come out of that with some actionable short-term recommendations.
So that is where we are at. Are there any questions, suggestions, additions, comments from subcommittee members?
STEAD: I would love to see us both develop the text report and formally post it as a vision piece. I think it would be extraordinarily helpful. That has the great advantage of then becoming, along with the environmental scan, it sort of becomes a reference point that helps us prepare the material for the hearing. But also helps us keep whatever letters we come out with short.
KLOSS: Yes, that is a good use for it. It just feels like it is time to build it in that narrative way.
If there are no hands up, then let’s take us to the last slide in this section. This is what we pull out of our work to date on themes for the 13th report to Congress. We think there is the obvious theme that we can reference the environmental scan and describe the regulated and unregulated world.
We can underscore the strength of HIPAA’s privacy and security approach, along with its growing limitations as we live in this world of data 3.0. The need for strategic changes to protect individuals from risk of harm beyond HIPAA. So we think that is one theme.
Then thought that a good way to discuss and illustrate this may be, especially in a report to Congress, through selected stories about the world beyond HIPAA. Kind of those little scenarios illustrating potential risks and harms. We can draw from both the beyond HIPAA report and the report of the cybersecurity taskforce and other work. There certainly are a lot of great illustrations of the risk of harm. But do it through story telling again to maybe get attention for this and illustrate.
Consumer attitudes, we addressed this in the 12th report and think it is certainly to be reinforced. And based on this morning’s discussion, I think we can reinforce it in terms of what is happening in the developing legal arena, both in California and through the general data protection rules. Consumer attitudes are taking front and center stage now as we try to come back into a proper balance between social good and the rights of individuals and risk of autonomy that may be happening in an unregulated world.
We think there is a theme. There is an opportunity to increase protections and choice for consumers, at the same time, reduce burden to Bill’s earlier point that we focus on cost and burden reduction. And we could kind of frame the legislative issues. I think actually we will have some important contributions to the 13th report to Congress. And if we begin putting together this narrative piece, that can align with what we say in the 13th report or vice versa.
PHILLIPS: Thank you, Linda. Just related to your third and fourth bullets, the ones that really focus on consumers, I think there is also the role of articulating the fears and how those fears can be inappropriately translated into legislation, as opposed to the protections and choice.
How we manage those separate from fear, it is almost like a behavioral economics counterpoint of how we can achieve what they need in terms of protections and choice, without going so far as to responding to fears and having unintended or, in some cases, uncared about consequences.
LANDEN: First off, I am very much in accord with this approach of the theme slide specifically. A couple of comments on that. For the selected stories, let’s make sure that we very clearly describe that the stories we use are common and not just one-off anecdotes that happen once in every two gazillion instances. So pick things that are real, not hypothetical, and convey that message clearly.
Second, work in references to the real-world changes that have happened since the HIPAA legislation and specifically the European GDPR and the California law, and talk about the world is different. Third and finally, remember that privacy was something that Congress did not deal well within the HIPAA legislation and that HIPAA essentially punted the privacy regulation or the privacy solutions to HHS and CMS to do by regulation. In our look at it, remember that. We need to think what Congress will be willing to consider or not in terms of what we say to them and how we say it. Thanks.
LOVE: To follow on Rich’s comments about real-world changes and how things are different, there are some legislative issues that have come up in my world that may not fit or shoehorn in to the privacy or the standards, administrative simplification. And that is we have got some issues with substance use disorder data. We have got issues with ERISA and labor that could touch on some legislative issues.
I don’t know if another theme would be, and Rich touched on it, what has changed. What are some of the challenges outside of the past reports? I just raise the question.
KLOSS: I think I see that in number one, framing this as the regulated and unregulated worlds, and how HIPAA has its strengths, but has its growing limitations. That is relating to —
LOVE: Beyond the privacy, though. Just beyond the privacy.
PARTICIPANT: Oh, I see. Okay.
PARTICIPANT: There are huge things that have, you know, the ERISA thing is not a privacy issue. It is a standards issue. It is a regulatory issue that goes a little outside of HHS. But clearly, there is a solution. But it involves other players.
STEAD: I think I captured that also. I think trying to build into the front of the burning platform how the world has changed may be very helpful broadly.
Let’s try to bring this to closure and take lunch. My question is whether people would be willing to come back at 1:15 instead of at 1:30, so that we would have an hour and 15 minutes to work on report to Congress instead of an hour. Does anybody have any problem with that?
Dave gave us a green check. Does that mean a problem or okay? Bob has a red X. Linda has got a green check. Bruce has a smile. Okay, let’s be back at 1:15.
AFTERNOON SESSION (1:15 p.m.)
Agenda Item: NCVHS 13th Report to Congress Brainstorm
STEAD: Welcome back everybody. What we want to do now is to dive in to beginning to do the real work on the Report to Congress. Based on our discussion yesterday, I took a few minutes this morning to begin to stub in an outline that reflected what we talked about yesterday at high level. I thought I would start by walking through that.
Then what we are going to do is walk through probably – actually what I want to do then is talk a little bit about some of the stories that we might want to tell to help people really set the context for what those need to do. Then walk through the slides that we have accumulated that are input from the various projects and subcommittees that are candidates for levers in most cases for the 13th Report and then walk through – begin to work the template of levers of possible legislative, executive, and public-private action. Several of our members have begun to populate that with really some very thoughtful and very helpful ideas. Rebecca and our logistics contractors have worked out how we can actually edit that live on the WebEx. We will hopefully continue to expand our technical skill.
With that context, basically the first block would be a call for action. I am beginning to think that maybe the first piece of that will be – the world has changed since 1996 and some key bullets that communicate the magnitude of that change and the challenges and opportunities it creates.
Then the burning platform of the gap between what we are all – the great progress we have and continue to achieve through incremental advances and admin simp, both the standards components and the privacy and security components, but the gap between that and what we really need if we want to transform health and health care to meet the goals of value-based purchasing and through population health.
The stories would presumably communicate the goal and then the offset by an example of where we are now to quantitate the gap and then get into the recommendations. I do not mean the recommendations, but the representative sort of sets of coordinated action that could affect the change that we are talking about. This is not about detailed recommendations. This is about, I believe, largely grabbing the attention of in most cases, key congressional staff that would really see an opportunity to delve into this.
Then we would have a progress and status report. Alix will have to help us. We struggled with this in the 12th Report. We will have to get it right for this. Whether we have a bullet that is administrative simp and then a bucket under that that is standards and another bucket that is privacy, confidentiality, security or whether we use this sort of structure, which is in essence what we did last time and we will have to figure out.
But this would be, if you will, the progress report that Mia is reminding us that we need to include and then I do think we want a category around access to data that brings together the things that have come out of the population health and community health work because that is a unique lens that NCVHS brings that is not front and center in the work of ONC and HITAC.
And then priority for next steps and close with a set of appendices, which I think in essence want to be the clearest references, if you will, to key parts of our responsibility. I am thinking that, for example, the chart that was in the Predictability Roadmap piece of history of how some of the stuff works might be something we would want to add to this. I think that we will want to update and keep appendices one through three from the last report. They will need to be updated, but they are basically timeless.
At high level, that is restating what we have talked about yesterday as an outline. And noting the change, I think I would put in to the burning platform to the world is changed.
We have hands up from Dave Ross, Jacki Monson, Linda Kloss, and Nick Coussoule. I have green checks by Denise and Rachel. I do not know if those are hands or not. Everything went away but Linda and I got a smile from Rachel.
KLOSS: I am wondering in the outline if we might consider breaking out admin simp section 3.1 into transaction standards and code set standards or do so under that item. But I think because we are going to spend a little more time in this report teeing up the T&V topic, we may want to call more attention to it.
STEAD: Good point. What do you think about whether we want to break loose of our subcommittee structure and have – I guess it really was not, but have admin simp and have transaction standards and then code sets and then privacy and security?
KLOSS: I never thought of the report as needing to reflect our committee structure, but rather the topics that we want to make front and center.
STEAD: I agree with you. We now have hands up from Alix, Dave.
GOSS: May I add on to Linda’s comment in that – I am actually going to weave Linda’s comment with Mia’s comment from earlier. The statutory obligation of this report is from the administration simplification provisions. It sounds like Mia and Suzie did some deep diving into what are those obligations. It might be helpful if they could share that work with us just to make sure we are not overstepping our boundaries inappropriately.
The second piece I would say is if we are in fact all about administrative simplification, the broader focus of maybe as an opening about how the world has changed or more proximately since the last report I think could be a good part to open with.
And then I think that when we look at – I like the terminology – breaking ourselves out almost by transactions and operating rules, terminologies and vocabularies and the privacy, confidentiality, and security and then the access to data. I think there are big pieces of the ecosystem that has to work together and wonder – although it is not a part of HIPAA is sort of the weaving of the patient as a part of the progress and status may be something we may want to consider.
ROSS: Alix just pretty much summarized what I was going to say. Just let me add, on the whole bill, I like your framing on the burning platform. I absolutely agree. It is a good opportunity to make the statement of how much the world has changed. It is pretty staggering between the electrification, if you will, of health care. EHRs are ubiquitous. Mobile devices would soon be coming point of care diagnostic devices. Intelligent medical devices. And then the data use themes leading to social determinants and community health. These are overarching themes are just things that I think were just hardly envisioned back in ’96.
If you do this, if we write it that way in the beginning with the burning platform, it sets the stage for arguing some of the points that were made during the earlier briefings this morning. I like your outline.
COUSSOULE: I think the framing of the burning platform is really to try to codify the sheer change in the last 20 years. I think if we do that well that would actually frame up the progress and status below where we can clearly meet the statutory obligations to respond on the administrative simplification provisions and things around that. But that framing should also then drive how we push the different topics or themes below. I do think that the suggestion before about the themes before is you have the separating out the privacy or the administrative simplification from the terminology is a good one as well.
STEAD: Dave gave a nice summary of key examples of how the world has changed.
Let’s take a few minutes if we can and brainstorm what might be compelling stories about what is possible today versus what we have today.
If you look at what we know about the – how could we give a palpable feeling for how much less expensive it would be if everyone was able to participate in a handful of key transactions? The trouble is it is not HIPAA. The thing we have talked about so much around vitals. What would happen if each community had real time data about every death each Monday? I am searching for non-technical examples of the magnitude of the opportunity to increase effectiveness while decreasing burden.
Dave’s hand is up and Linda’s hand is up. I do not mean Linda. Denise and Bruce. It is Bruce and Denise.
COHEN: I will start from the population health perspective. Certainly, what you were alluding to, Bill – since the late ’90s, there has been enormous progress and challenges for vitals. Vitals are the important foundation for identity establishment and security that was not concern late in the ’90s, but certainly is now. The ability to rapidly identify emerging epidemics and to intervene seems to be much more of a primary issue than it ever was. We heard other kinds of examples with respect to business uses for rapid ascertainment of births and deaths. I think there are very fruitful vitals and examples of what we could do better than we are doing right now.
I think yesterday it was clear too in the afternoon. There was universal consent that we have an enormous amount of data, but it is just not organized and accessible to do a variety of kinds of policy development and program development at the community level, at the hospital level, at the local health department level. There is a real gap between the rapid expansion of the availability of data and how we have organized it and made it accessible for multiplicity of uses.
STEAD: Thank you, Bruce. Denise?
LOVE: Under PPACA or ACA, requiring local cost information about providers to consumers, employers, yet 60 percent of covered lives are potentially exempt from these reporting initiatives in the ERISA exemption. There are solutions, but true price transparency needs to have the covered lives in the employer self-funded arena to be reported. That is one magnitude of opportunity.
The second is we have —
STEAD: For clarity, Denise, you said 60 percent are exempt.
LOVE: Potentially yes. Potentially self-funded ERISA exempt. We are not seeing that – it varies state by state, employer by employer, how many are contributing data to statewide reporting initiatives. Some are doing so voluntarily. Some are just coming through. But potentially, we have a huge amount of people, 50 to 60 percent of our covered lives are in exempt ERISA self-funded, self-insured plans, which is the missing gap. There is just no way around it. If they are not collected with the standardized data, which means the ERISA non-exempt plans, public insured plans, and individual market plans, we are missing a key and probably the biggest population to understand price transparency and accountable care. That is the first huge gap. And Cassidy and Congress and others have cycled this for a while. It is on their radar screen. They have been having some talks about fixes. It is something that Congress can fix and that labor can fix.
The second issue that states are struggling with is in the opioid arena. We have also a gap of 42 CFR Part 2 substance use disorder data. States are struggling. We are working through some fixes, but that is just another health policy issue that is facing states and employers and others who are trying to understand the magnitude of the problem. I just wanted to put those plugs in because I think those are opportunities.
STEAD: Thank you, Denise. Alix, Nick and other colleagues from Standards. From the testimony that we had for the Review Committee, is there a way to communicate the magnitude of the participants in a transaction that do not use the standard and the operating rules?
GOSS: That is a great question. Considering that hearing was in 2015 and I have not looked at that work since probably we finalized in 2016 – I would have to go back and look at that. Clearly, we had some numbers. I remember MGMA, in particular, helped bring forth some numbers. CAQH CORE, I think, did as well. I think we have some sense of – we all know the 278 prior authorization is a hot mess, but that there were five transactions that had pretty good adoption. I think operating rules would be something else we would have to look at.
You are trying to understand – I think what you are driving at is how do we reflect what is the current state of usage today and you would be right that the Review Committee report would be our good source to go to on that because I do not know that we have more current statistics than that.
STEAD: What I am trying to figure out is if there is a way we can communicate the cost and the lack of effectiveness from the gap. I think for us to – we are going to at the end of the day I think need some sound bites that are a little bit like the number of deaths from adverse drug events that drove the whole to err is human series. I think we are going to have to identify some sound bites that have face validity that turn the magnitude of the problem into something that people can understand.
LOVE: I have got in front of me an extensive NPRM comment that 20 states and the National Academy of State Health Policy and – with some of those numbers, about 63 percent of all workers, some data and the import of capturing the data and the impact. If that is what you are getting at, we have a huge body of work in that regard.
STEAD: Could you try to abstract it and ship it to us?
LOVE: Absolutely. I have it open right here. I have Briars – his comments from the SCOTUS decision that really this is – he agreed that this is a big issue and that DOL has the authority to fix it.
GOSS: — come from an ERISA perspective, Denise, I think to round out that good kind of factoid.
The other idea that comes to mind is this 2017 CAQH index, the Report of Healthcare Industry Adoption of Electronic Business Transactions and Cost Savings, is the only other off the top of my head thought a good solid resource that I am aware of and we know that they are only as good as the data they are able to analyze. It is a good source that we should consider.
KLOSS: There have been some estimates of the cost of the administrative burden that Brookings and Commonwealth Fund update regularly. We may want to do some research into Health Affairs or other journals because I think these things are tracked, the administrative burden and health care. I think from that we could extrapolate how much is related to just the QG(?) processing.
STEAD: I think we have probably spent enough time in this piece. What I am trying to do is sort of begin to upregulate your thinking around potentially compelling examples. This report is going to have to be short. Obviously, it can include references. A few really compelling sound bites would be helpful. We will want to continue to think. As you wake up in the middle of the night and think of one, ship us an email.
With that, let’s move from the story part to the potential levers. What I thought we would do is if you can pull up the Power Point then this has the slides that – these are slides that various amongst you have submitted in one form or another relevant to the 13th Report. This was from the perspective of the Standards Subcommittee, I believe. I think Alix did a quick noodle on it. Do you want to speak to it, Alix?
GOSS: I did craft this yesterday afternoon in knowing that the administrative simplification framework came out of the HIPAA laws, we know that that framework then further constrains the efforts of our regulatory friends in HHS, along with other administrative procedures act and related due process obligations. If we could go back to the source, aka Congress, and thinking about the progressive work related to 21st Century Cures, et cetera, our process was to bring together the laws that govern the administrative, financial, and clinical aspects, as well as the governance frameworks with some motherhood and apple pie objectives as sub-points.
STEAD: Very helpful. Comments on that or do we go to the next slide. Let’s go to the next slide.
These were the themes that came out of T/V. We did not talk about them yesterday. Do you want me to talk through this, Linda, or would you like to?
KLOSS: I am happy to. One of the questions I have in this space is is this outside of our calendar timeframe. How much of the T/V can we incorporate when our report is covering them through 2018?
STEAD: I think that we can – because of what we did last time, I think the pieces that we think we have adequate agreement on can be included. You end up with a demarcation. We cannot include – I think things that we feel can be stated based on the environmental scan, the Roundtable summary and yesterday’s Full Committee discussion. That is what can be included. Whatever we do beyond this.
But I think we had clear agreement on the high level, near-term, intermediate-term, and long-term, sufficiently to include them in this.
KLOSS: One point, and again we were tasking these trying to tie them to other priorities that Congress will recognize. Number one is that interoperability really rests on the terminology and vocabulary standards foundation and some description of the importance of terminologies and vocabularies to achieving interoperability and the downside of trying to advance interoperability in the absence of a cohesive terminology and vocabulary roadmap.
And then also tying this topic to 21st Century Cures. I think our first thought was let’s not introduce the topic outside of these two recognizable contexts.
And then third was something that Congress may have to modify HIPAA legislation to remove the specific reference to ICD for version updates, and have ICD version updates handled the way every other vocabulary and terminology quote set updates happen.
The first two are public policy related and the third is – I think we positioned it as an efficiency issue.
STEAD: That is correct at least from my perch. I see Nick’s hand is up.
COUSSOULE: Just a little more of a generalized question. I do not mean to take us back a little bit. But how do we distinguish in our report what we are framing as a current status versus an ask of the recipients of the report? I think we think a little about the report of the status and then I think we frame up the art of the possible. But how do we ensure that the report covers that in a way that really leaves the takeaway with what we want the takeaway to be, which is is there an action we are asking people to take.
HINES: I would like to jump in and say we are not asking anyone to do anything. We are saying if you do not do this, this is likely to happen. If you do this, then this other great outcome is likely to happen. But these are recommendations. We are not asking, requesting, suggesting. We are just saying this is how the world is, how the committee sees it and here are our recommendations.
COUSSOULE: I get that. I am just trying to think of how to distinguish between the – do we have a one section that gets into a recommendation or do we flow the recommendations in through each of the – here is what the status is and here is what might enable a substantive change? The detail we do not need to get into now. I am just trying to understand.
STEAD: I think it is very important. I think it will become much clear when we get to the template particularly given the fact that we have begun to get some good input into the content of the template because the legislative levers that we are going to identify are things that we think Congress needs to consider doing either in that form or some other form.
I think we are going to say getting from the current state to a much better state will require some form of legislative action and these are some possibilities. Does that help or not?
COUSSOULE: That works for me now. I am just trying to think in my head how to frame up – challenges as well as the potential for an art of a possible model.
STEAD: Rebecca, am I off the reservation with what I just said?
MS HINES: I do not think so. I think Nick is asking an interesting question. I think it will become apparent as we figure out what all the possible stories and messages and the way we outline the gaps. I think we just have to let ourselves organically go through this developmental process.
STEAD: Then let’s go to the next slide. This is the slide, which we just walked through coming out of the Beyond HIPAA discussion. Anything further you want to add to this at this time, Linda? Do we consider we dealt with this adequately before lunch?
KLOSS: I think we are fine. I think we are going to need to flesh out how far we go with the final point framing legislative issues.
HINES: I think the examples that already two members have sent in I think – you are right, Linda. How do we frame them? But I think if we frame them in terms of the way Bill suggesting sort of the current status versus the possibilities, which might be the way to do it.
STEAD: Let’s keep trucking then. Next slide.
COHEN: The next couple of slides have to do with population health. I will start the discussion. I know Bob had some additional thoughts. I would like the other subcommittee members to include them as well. This is a combination of the 13th annual report and our trajectory thinking. The bottom line is how population health data are central to improving individual health and community well-being.
Certainly, developing and using the data framework is a perfect example of public/private partnership. The US News and World Report health rankings and the articles are real-time examples of community-based issues where using our framework and data that emerges identifies specific community concerns. Certainly, I am sure working with Soma, we can identify other examples.
The second bullet is the sustainability of vitals and the importance. I think this would fall under both the legislative and executive candidate for a lever. The first one is the data framework and the second one is vitals. I think the sub-bullet says it all. Many examples of the potential issues emerged. This is a candidate lever both for legislative action around sustainability and I think joint executive agency action as well.
Yesterday afternoon – I think both of these key bullets. Social determinants data. Bob presented many compelling ideas and part of the discussion yesterday was focused on social determinants and generating the importance of expanding access to these data for hospitals, geographic areas and population subgroups. I think these are combined.
This sort of builds on the partnership idea. I do not know whether this is 13th Report or just directions that we need to take, but sort of the integration of data – we actually talked about it earlier today. The integration of providing access to data while addressing concerns for privacy.
I know also earlier today the idea of the importance of integrating behavioral health data with other data to understand overall health.
Again, this sort of builds on social determinants and understanding positive – moving towards positive well-being issues as well as focusing on the traditional disease-related models. Whether it is opioids or violence, having more real-time access to data to understand and reduce and mitigate the risks for these emerging epidemics is a real specific example of what we could do with more and better integrated access to data.
Bob, do you want to add anything to this list?
HINES: Bob, we can show your template because you actually did a beautiful job of articulating some very specific suggestions if that would be helpful.
PHILLIPS: Sure if you have it available.
HINES: Ruth, can you toss me the ball? We will pull these up. Both Bob and Denise sent the template with specific ideas filled out. As soon as I get the ball tossed my way —
COHEN: While we are waiting for that, is there anybody else from the Population Health Subcommittee who wants to add any comments?
MAYS: In the slides that you just presented because they had several things that I had sent in. When you were talking about this concept of a story to tell, I think that the mortality data and what it is if you want to wrap that into the opioid, what we have been able to learn since the mortality data, for example, has been linked, how, for example, also enhancing the mortality data that comes from violence deaths would help us learn much more I think as well about the opioid epidemic. I think that is another one of those stories that can be told.
If what we do is talk about what we can learn from mortality data for disaster preparation that – I think hits home to some of the stuff that is being struggled with.
HINES: Bob, we have your template showing. Can everyone see it?
PARTICIPANT: Dave Ross has his hand up. I think you are looking for Bob to walk through.
PHILLIPS: This was just rather quick thinking trying to get something into the grid for today. On legislative action, I will not pretend to understand all of the engineering of the Internet. But I do know that there are nodal control points and people who have control of those nodes. I think that we can create something similar for data integration flow and permissions.
I just heard a lot of concerns yesterday among our federal participants about moving data into research data centers. I know they have removed remote access to those. And a lot of the focus is on protecting the data. But if we can create secure nodes and controls on those, I think there are ways that we can integrate data and give people specific permissions and make the data more accessible, not just through APIs. I think that may take legislative action since I am not sure who would have authority within the administration to do that.
Under the executive branch, it would be following up on yesterday’s conversation that the leadership of that federal data strategy group would be called on to identify the common, community, county, and state health and population data use cases, some of which we ran through yesterday and how those funnel to some standardized small area data elements that can be delivered either through API or something else. What is a common core that are used universally that need to be delivered routinely and not through the data centers?
The HIPAA piece may belong better over in the previous discussion. It is an idea of enabling patients to control their data availability, but to also identify some explicit carve outs from that, not just public health, but ways the data can be used and then de-identified or obscured because they are geographically pulled together. This is getting at the idea that the California law or other laws like it cannot have the unintended kinds of consequences that we are concerned about, but still offer the protections we are interested in achieving.
And then it is the idea that there needs some kind of a rump group within HHS and Census that is really focused on innovations. That really came from me out of Benmei Liu’s discussion yesterday. We have people within different agencies who are doing incredibly innovative work on how to bring data together, how to impute them to small areas and still protect the identity of people. You do not have people like that in every agency. You are having different responses while you are having some incredible innovators develop some very important methodologies. It creates some kind of consolidated innovators group that can develop those innovations and methods that the rest of the agency should be adopting. The fact that Dr. Liu had to do that within NIH and specifically NCI was enlightening to me. I know some of the folks doing that work and other agencies have left.
But the public-private partnership – I think Soma just in spades demonstrated the value of that in terms of continuing the work that we could not do, but also in bringing some fresh thinking to it. If you are going to park in nearly 40 research data centers out in academic departments or institutions, let’s take advantage of those and really inspire and support some innovators out in those centers to be places of learning, not just data holding sites.
And then to create some collaboration. We had one off use cases yesterday, but there were some common themes that were starting to gel across them. I think we need some collaborations that are formal, some informal, but some of it should be formal that can speak directly to fatal data strategy folks about those local needs that are not just national organizations, but are speaking very specifically to local needs. That is what our framework really brought to light. I think we need some other collaborations that are more ongoing in that regard.
That is probably more than you needed to explain what I was trying to capture here, but thank you.
STEAD: That is really awesome, Bob. Thank you. I see Dave Ross’ hand and Linda Kloss’ hand is up.
ROSS: Thank you. It took me a minute to clear Bob’s screen off and find the screen where I can — I had written down several – but it turns out to be quite in line with Bob’s although I like the way he said his last one much better.
Before I go through the specifics, I do want to say though on the population health – review the slides, one thing I did not see was the fact that we are now in an era moving to forms of reimbursement like value-based purchasing. That naturally brings about a need of population health data focus and analysis. There is a shared interest in viewing data beyond a transactional view that I think very much HIPAA when this was first started was built around a transactional view of health care and health care reimbursement. I just think it is a theme that we need to – it is back to your platform, Bill, but it is one of the many elements that have changed that they are driving us to want to use data in a different way and then –
I would agree with what Bob said about legislative action. I had written a note to myself about creating some kind of new office within HHS or – some of the themes we heard yesterday about assigning responsibility for curating standards and maintaining an aggressive outreach. I think that is going to take a focused intention and it is going to have to be deliberately funded and mandated. Those are jobs that take time. I think we need employees of the government who are tasked to be able to do that or it is not going to happen.
Under the executive branch, again, I very much support what Bob wrote.
STEAD: Let me ask a clarifying question. Dave, you are basically saying you think that we should have legislative action around assigning responsibility for curating it.
ROSS: I do. Otherwise, it is just not going to happen. Who is in charge of that? How is it going to happen? We are basically trying to get through a more viscous data movement and that is going to take a curating —
STEAD: I got it. I just was trying to make sure I understood and Rebecca then moved it up there.
ROSS: The executive branch – I agree completely with what Bob wrote. I had written something a little different built on a model that we have used over the last few years of reaching international agreement for the elimination of tropical diseases that we call the neglected tropical disease scorecard. It is an agreement on all the different stakeholders. It is very similar to the environment we have here. It is simpler, but we are talking about US health care. We have all these different stakeholders and having each of them understand where they stand, what their commitments for change and process, improvement are, et cetera. There is no scorecard that I am aware of. Is it possible to start build that? Maybe a reach too far at this point, but I thought I would toss it out.
I think that is all. Under the public-private partnership – his comments were much more cogent.
STEAD: David, if you don’t mind, would you send us the example?
STEAD: Linda, your hand is up and then Roland’s hand is up.
KLOSS: I was just questioning whether the second bullet form executive branch action really does need to be moved up to legislative. The executive branch I do not think could overhaul HIPAA.
We have talked before many times over the years about whether we want to extend, redesign, and build on. I think we have to be kind of careful about how we – I think we have to decide how far we want to take that. But I do not know that it is executive branch. I think it would have to be legislative unless, Bob, you had some specific reason for having it in executive.
PHILLIPS: No, I trust your judgment much more there.
KLOSS: And then I think we have to think about how far we want to take that because as we have discussed, there is some danger to us scrapping what is working. I think I would like to have us chew on that.
STEAD: We have quite a few months to chew. I think you are basically right though, Linda. We have been very careful in our letters to the secretary not to recommend things that took legislative action. The report to Congress does not need to be constrained in that way.
KLOSS: I completely agree, but then we have to be careful.
THORPE: My point is – how would that look – could you explain a little bit more on this – executive branch – I am very unclear as to who the stakeholders ought to be and what are we building.
ROSS: Roland, this is Dave Ross. Were you talking to me?
HINES: I think he was talking to Bob about this thing about directive to the federal data strategy group. What are we building? And what I see Bob saying is we are actually trying to —
THORPE: I was talking to Dave. Can you elaborate on your – who are the stakeholders? Who would they be and what would this look like for us? I know that you said you had years of experience in the international arena – diseases.
ROSS: It is a comparison of how we brought a universe of different parties together, all who ostensibly have the same objective, which was to eliminate a handful of these diseases, but all of whom played in different ways relied upon one another in various ways. But there was not any common view of what each needed to do. This may not really apply. I do not know, Roland. I struggle to think of a concrete domestic example.
I will tell you what I am going to do. I am going to write up a page or so on what this scorecard is all about. And then if you guys think it sort of applies or the concepts apply then we can work from there; otherwise, throw it in the trash can. I do not want to take up air time trying to explain it all because there is some background that you all need.
THORPE: Thank you.
STEAD: This is really good. Further discussion on this slide or can we shift to Denise’s? Let’s shift to Denise’s.
LOVE: I put these down just because they are in our wheelhouse that it may be outside of the scope of NCVHS. I do not know. But it clearly affects the health data assets that states and federal agencies potentially use. But all of the following are a compendium of not my ideas, but these are vetted across state with attorney generals and legal staff and National Academy of State Health Policy and our Standards Workgroup. They are multidimensional. Again, I will not go into the ERISA law.
But I will raise a question that I do not know and Mia and somebody else might. There is potentially some public health law that could be invoked, but I do not think we are prepared to get into that. There seems something in the SCOTUS that they even mentioned HHS and CMS as potential fixes to this problem, but it is a big problem. That is the only legislative action at this point, that I have been aware of or that we have talked about seriously.
The Executive Branch – there is a ton. CMS. If they could just write a letter saying it is okay for carriers to report Medigap, I think it would be a huge help to know what is going on in value-based purchasing, in Med advantage plans.
We need guidance. I mentioned this before, physician identifiers and attributions. It is being done differently all over and it is rather messy, but again value-based purchasing relies on identifiers and attributions.
There is some in the new rule from CMS, and I may be misstating, but the matching support program may be phased out, but this is a good way. I would hate to see that happen. CMS continue the Match program for support and using leverage for states to adopt the standard format to standardize data across states that are taking on Medicaid Match to develop their all-payer claims and other reporting systems.
We have mentioned DOL. There are extensive comments. I will send those through.
OPM is another one that needs to encourage and maybe through contracts give some assurance and guidance to carriers that have federal employee and TRICARE plans that state mandated PCDs can receive the data without contract breach or penalty. I also mention SAMHSA working to streamline the acquisition process by state that is not just restricted to a research study, but for policy. I think I will leave it at that. It is a big lift, but these are ones that have been talked about for about a year. And a standard redaction of substance use claims for non-research use. That is another one that is kind of all over the map. Maybe out of the wheelhouse here, but this is a list of things that the states have actively worked to submit comments on and have quite a bit of research and documentation around.
STEAD: Thank you. I see a hand up from Alix.
GOSS: To clarify, Denise, these are all executive and none of them legislative.
LOVE: As we have written the NPRMs and letters and public comments, most of these have fallen into the executive branch action. There is an ERISA fix for the law that I think has been floated by or talked about in Congress. I do not know of any action. It is a very simple fix to add state mandated all payer claims databases to the list of permitted exemptions under ERISA. There is like five and just adding that category. But I do not know where that is and that is the only legislative fix that I could be aware of. Now, there may be others as far as public health law beyond my understanding, Alix. But that is the only legislative action that I could think of today.
GOSS: Thank you.
STEAD: Those are the ideas that have come in. Let me flip back to Nick and ask if it is beginning to be clearer how we might come up with – I think what we are going to want to make sure is that we build a set of potential legislative, executive, and public-private partnership actions that collectively would change the game. We do not have to make them comprehensive. I think that we are really trying to provide exemplars that you could act on, but there are probably other ways to skin the cat, but it does take coordinated action across those three spheres to change the game. That is sort of where my head is. I do not know that that means it is right.
COUSSOULE: This is Nick. I think I am getting a better handle on it. I am just trying to think through how broad we get with our discussions and recognition of systemic challenges versus how detailed we get. We have talked about everything from relatively broad sweeping items to very specific detailed items. I fear if we get that detailed, we may miss an opportunity to get the theme right. As this progresses, I will probably get more comfortable with that, but I am just trying to get my head around it.
STEAD: I think they are quite correct that for this report, we will need to get the key themes right because the details will take much more work than can be done in the three or four month period we use to write the report.
I think what we have done with each of the projects starting with vitals and then with Predictability Roadmap, T/V and Beyond HIPAA. I think each of them have gotten to where we have got themes we can work with. We will just have to be careful to pull them together. Please help us to try to keep that lens.
We are down to three minutes on this block, which would then bring us to public comment. Anything else or are we ready to go to public comment?
HINES: Ruth, you can take the ball back.
KLOSS: Do you want to just review one more time or Rebecca of the timeline on the Report to Congress or were you going there next?
HINES: We did not have that up. Basically, the plan was to at the October Executive Subcommittee call meeting, which has just been scheduled to basically take what was discussed today and go deeper and work. Bill, I do not have it up in front of me, but the outline then has you working with each of the subcommittees back and forth getting material, basically developing the meat so that when we get to the December Executive Subcommittee call, we can come to some agreement on what the meat and level of detail is and then mid-December, we turn it over to Susan Kanaan to actually take the themes, the level of detail, the ideas, the outline and write the draft report. That would be done over the holidays and in January.
The idea would be that the Subcommittee calls, Pop Health, Standards, Privacy over the fall would need to include on their agendas this discussion so that when the report is written in January, it will reflect what we all have been talking about. And then the idea was to have a draft ready for the Full Committee meeting on February 6.
KLOSS: Thank you. I just wanted to figure out where we put that in our other subcommittee priorities.
STEAD: What I am hoping is that in the – over the time between now and what is now I believe an October 11 Executive Subcommittee call, I am basically hoping that the subcommittees will be working. For example, Standards are going to be working on getting ready for the hearing. I think Privacy and Security needs to be working on taking what we have come from this with Beyond HIPAA to laying out the work to get it to where you could have a roundtable in some time in calendar 2019, first part of calendar 2019. I think that Pop has a lot to chew on from yesterday.
My goal was to let – I was trying to get enough that I could begin to work it and come back with an updated draft approach in advance of what is now the October 11 Executive Subcommittee call.
I will need time from the subcommittees to begin to populate the progress report. But I am thinking that time would fall in the November to December – probably in November. And ideally, we will keep that to be not very labor intensive because we will largely be drawing form the work we have already done, but we will have to see. That is how I am trying to think about how we manage our bandwidth. Does that make sense?
KLOSS: Thank you. That is very helpful.
STEAD: Alix has a hand up.
GOSS: To that point of managing our bandwidth, which I think we have been doing a much better job thanks to your leadership, Bill. I am thinking about what is in the 2019 work plan since we have a lot of things that are going to wrap up in the first three months or so. I know that in our eAgenda book, we did have an updated plan. I know that in the Standard Subcommittee perspective, we have had a parking lot of issues. We have often undergone a strategic planning process for the year ahead and wondering if we are going to do that maybe in February or what your thoughts are about that.
STEAD: My thought is that we are going to need to try to find time to build high-level scoping – we are going to need to plan out the first three quarters of calendar 2019 at least high level before the February meeting. I think they are pretty well reflected in the work plan that we put in the eAgenda book.
What you may want to do – it would be helpful for each of the subcommittees to look at that. I know from my perch there are two things I was hoping to have time to have lunch time conversations about that I could not do. One is I do feel that there is urgency to scope a project around ICD-11. I think that will fall more in the Standards Committee and the separate T/V workgroup space. I have not talked to Rebecca, but I was wondering if maybe Debbie would conceivably have the bandwidth to go back and do the first cut at extracting a summary of the process we used to do the work that led up to ICD-10 because I think if we could get that background work done then I think the Standards Subcommittee would need to scope that project. We then have to decide do we have the bandwidth to do it.
I think the other thing in that same space is – not in the Standards space, but another thing I would like Pop Health to consider is going ahead and scoping a project to work with NLM around how we approach augmenting the terminologies that are represented in UMLS to address public health and social behavioral determinants. Those are two things that I would like to see worked into the plan.
In many ways, I think we have the building blocks for calendar 2019, first three quarters, for the rest of the federal fiscal year. Does that compute or am I mis-thinking?
GOSS: It is aligning for me for the most part. I feel that we need to get back to the issue of prior authorization transaction, especially as it relates to the convergence efforts that are happening, but otherwise it computes.
STEAD: What I would suggest is we probably need to revisit this question at each of the upcoming Executive Subcommittee calls. We are about to come to closure on having one each month for October, November, and December.
GOSS: I am glad I brought it up because I cannot be at the one in October.
STEAD: That was a very helpful question or set of questions. Are we now ready for public comment?
HINES: I do not see any hands up from any members with any final parting comments.
STEAD: We have four minutes. Before we adjourn, I really want to special –
HINES: Wait a minute. We have not done public comment yet. I just wanted to make sure no members had anything else to add.
STEAD: Thank you for correcting.
Agenda Item: Public Comment
HINES: We did get one public comment actually in the last little bit. It was from Margaret Weichert. Thank you, Margaret. I will also send these to the Standards team. On the Predictability Roadmap, the comments are for recommendation 3 and 5. How will the new governing body work? How will this be different than the DSMO?
Recommendation number 4. Oversight and governance of SDO processes. As an ANSI-accredited SDO standards developing organization, our processes used must comply with ANSI essential requirements and are reviewed and audited every five years. I do not think it is appropriate for the new governing body to have governance over SDO processes.
Recommendation 6. Last sentence. Change “should” to “must”. Unless HHS will commit to promulgating a rule in a year, this will all be for naught. In Item C, HHS developed criteria for certification. Recommend evaluating how the certification criteria was developed for promoting interoperability and the ERX requirements. This was a joint effort between HHS, NIST, and applicable SDO.
Those are the comments we got from the WebEx. Let me just check the NCHS mailbox. There is nothing. RLA team, do you see anything else on the WebEx? I do not. With that, Bill, then I apologize. We are done with the public comment period now.
Agenda Item: Closing Remarks
- STEAD: Thank you. I was getting ahead of myself. We have completed the public comment.
Back to letting me thank the staff of the Subcommittee. I think all of us know that what we went through today has taken extraordinarily heavy lifting for months. Lorraine Doo, Rachel Seeger, Kate Brett, and Geanelle Herring have simply been awesome.
I also want to thank the National Center of Health Statistics team: Mariette Squire, Geneva Cashaw, and Debbie Jackson, and also the ASPE staff and leadership. In particular, I want to thank the logistics contractor RLA, from nimbly pivoting from an in-person meeting to a virtual one with only 24 hours’ notice. And a special thanks to Rebecca, who was willing to make the call that we needed to shift and has worked with everybody to make it all work. This is just an awesome team. Thank you all.
With that, we are adjourned. Unbelievably enough, exactly on time.
(Whereupon, the meeting was adjourned at 2:40 p.m.)