American Health Information Community
Confidentiality, Privacy, and Security Workgroup #16
Thursday, January 24, 2008
Disclaimer
The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.
>> :
Good morning.
>> :
I think we can get started. Judy, do you want to
>> :
The public is included.
>> Judy Sparrow:
Okay. Thank you. And good afternoon, everybody, and welcome to the 16th meeting of the Confidentiality, Privacy, and Security Workgroup. This is a federal advisory committee, which means it is being broadcast over the Internet, and there will be minutes available following the meeting. A reminder for Workgroup members on the telephone to please speak clearly and distinctly and identify yourselves for the transcriber. And also, at the end of the meeting, there will be an opportunity for the public to make comments.
On the telephone line, we have Steve Davis from Oklahoma Department of Mental Health; Don Detmer from the American Medical Informatics Association; John Houston from University of Pittsburgh; Leslie Shaffer from DoD/Tricare; Elizabeth Holland, CMS; Marilyn Zigmund-Luke from America’s Health Insurance Plan. And in the room, we have...
>> David McDaniel:
David McDaniel, Department of Veterans Affairs/Veterans Health Administration.
>> Alison Rein:
Alison Rein, AcademyHealth.
>> Deven McGraw:
Deven McGraw, National Partnership for Women and Families.
>> Kirk Nahra:
Kirk Nahra, Wiley Rein.
>> Susan McAndrew:
Sue McAndrew, Office of Civil Rights.
>> Jodi Daniel:
Jodi Daniel, ONC.
>> Steve Posnack:
Steve Posnack, ONC.
>> Jill Callahan Dennis:
Jill Dennis, AHIMA.
>> Judy Sparrow:
Did I miss anybody on the telephone line? (Pause) Okay. With that, we’ll turn it over to the Co-chairs, Kirk Nahra and Deven McGraw.
>> Deven McGraw:
Hey, thanks. Okay. Did everyone get a chance to take a look at the prior meeting summary? Were there any changes that anyone has to it? If not, we’ll consider it approved.
Did you have any opening remarks that you wanted to make?
>> Steve Posnack:
(Inaudible) Maybe we can do the usual “If you have any comments or changes you’d like, get them in to me in the next day or 2.”
>> Deven McGraw:
Okay. Thank you. Can you tell this is the first time I’ve opened? (Laugh)
>> Kirk Nahra:
Do we want to run these by people who testified at all, just to make sure there’s (inaudible)? I mean, I would cut and paste well, I would cut and paste theirs, yeah, and make sure that’s not (inaudible). I felt a limited ability to make sure that was right (inaudible).
>> Deven McGraw:
Okay, anybody else have any comments? If you think of anything later, you can get it to Steve per usual. Don’t wait forever. Thank you.
Okay, moving on to updates from the American Health Information Community
>> Jodi Daniel:
This is Jodi Daniel. Good afternoon or good afternoon, everybody. We had our last American Health Information Community meeting Tuesday, and it’s going by
>> Jill Callahan Dennis:
It’s supposed to be “most recent,” rather.
>> Jodi Daniel:
I mean most recent, yes, not last. There are more to come, I promise, (laugh) for those of us who are excited for every upcoming AHIC meeting. Sorry. (Laugh) It’s been a long day already.
>> Kirk Nahra:
I assumed she had it right, but I
>> Jodi Daniel:
Our most recent. There are a couple of interesting things, along the lines of the AHIC ultimately having a final meeting. We there was an announcement about the AHIC SO, the AHIC Successor Organization, and the work in developing the AHIC 2.0. And the I think it was cooperative agreement was awarded and was announced to LMI. So that announcement was made at the meeting. And we will come back with more as things develop there and keep all the folks and workgroups posted on the activities for AHIC 2.0.
>> Kirk Nahra:
What does that mean? Does that mean just that they’re supposed to figure it out or I mean, what is the award to LMI?
>> Jodi Daniel:
The award to LMI is to establish the and I haven’t been working very closely on this, but they’re supposed to be trying to figure it out.
>> Kirk Nahra:
So it’s not a conclusion about what it’s going to look like.
>> Jodi Daniel:
It’s (inaudible) right. LMI is supposed to be trying to identify how best to structure AHIC’s 2.0, and then there’ll be sort of a next phase, which is the you know, getting it started and getting things moving on it. So
>> David McDaniel:
But is there a time horizon for those different steps?
>> Jodi Daniel:
There is, and
>> Deven McGraw:
Do you have stage 1 is approximately 4 months, and stage 2 will take it the remainder of the 8 months remaining.
>> Jodi Daniel:
So by December 31, 2008, their the structure theoretically will be in place.
>> Deven McGraw:
Right.
>> David McDaniel:
Thank you.
>> Jodi Daniel:
Thank you. The other two things that I wanted to bring up from the AHIC meeting that I thought might be of interest to the CPS Workgroup is, first, that the that HITSP announced its latest set of standards that have been harmonized, and included in that package were what they called a privacy and security technical note, which are standards on privacy and security. We can send the link out to folks in the Workgroup if people are interested in looking at this. But basically, they talked and they did come one some background and looked at existing principles and things like that regarding privacy and security and fair information practices to help guide their discussions about standards. What they said is that the standards they came up with in the area of privacy and security can support different policy approaches. They weren’t trying to dictate any specific policies, on privacy and security, but they did come up with some standards that can be used for the use cases and could be used both in the original set of use cases as well as in the most current set of use cases.
There were a couple of a bunch of different areas I’ll just read them off that for which they developed standards: a secured communications channel; collecting communicate security audit; access controls; document integrity; and the identity insertion, which is identity proofing, authentication, and authorization it encompasses all of that non-repudiation of origin; consistent time making sure things are time stamped consistently so they can compare across different systems; and managed consent directive. I have not plowed through all the details of these, but
>> David McDaniel:
Last one again, please?
>> Jodi Daniel:
Last one’s managed consent directive.
>> David McDaniel:
What does that mean?
>> :
I think it refers to consent authorizations that are prospective in nature, so you say, “Every time patient A’s or every time I go to my doctor, you can help out information exchange share X data with my doctor automatically, and I don’t need to continually do them for each transaction.”
>> Jodi Daniel:
It says the package of managed directives consists of a set of specialized transactions required or optionally recommended to implement the full cycle of health information exchange. And it talks about providing mechanisms to ensure that individual identifiable health information is collected, accessed, used, and disclosed in accordance with consumer consent. The way of managing consent, not saying when consent is needed, as I understand it. But for when there is consent that’s obtained, it’s the standards are about managing those consents and making sure that the information is
>> John Houston:
Are there any details as to whether those defined consents relate to specific data types, or is it just a general broad consent that would be would be given that would allow a covered entity to provide the entirety the totality of the record of that patient?
>> Jodi Daniel:
I don’t know the level of detail that it is in, does anybody?
>> Deven McGraw:
I haven’t seen them, so I but I would be interested in looking.
>> Jodi Daniel:
Yeah, there is an overview there is one document that’s called “The HITSP Security and Privacy Technical Note,” which is sort of the overview of all of them. And then each one of the areas that I mentioned has a separate implementation guide that goes along with it. So there’s and
>> Steve Posnack:
Voluminous.
>> Jodi Daniel:
The document I’m holding is over 100 pages. So we’re talking about, you know, 800 pages of
>> Steve Posnack:
Light reading.
>> Jodi Daniel:
of information. So if you’re having problems, you know, you need something to help you relax in the evening, you can go through this. So I haven’t digested them yet, John, and I don’t know the detail of that one.
>> John Houston:
Thank you.
>> :
If it’s available
>> Jodi Daniel:
They’re available on the HITSP Web site, and Steve can
>> Steve Posnack:
I’ll send out a link to everybody.
>> Jodi Daniel:
send out a link to everybody on the Workgroup so that you can look at them at your leisure.
>> John Houston:
Thank you.
>> Deven McGraw:
If it’s meant to be policy neutral, though, I’d be surprised if they specified the data element, because then you’d start getting into policy.
>> Jodi Daniel:
I think they were you know, my understanding is that there at least from what John Loonsk had said, that there was a desire to provide a way for manage and consent at a more granular level. But it didn’t I don’t think it’s, you know, what data it specifies the type of data.
>> Kirk Nahra:
I think it supplies you the type of data and data elements, but it doesn’t require to you use them. You make that decision based on your policy.
>> Deven McGraw:
Which is why it’s policy neutral. You can choose to
>> Jodi Daniel:
If you want to do it at the granular level, you can, but it doesn’t (inaudible).
>> John Houston:
Thank you.
>> Jodi Daniel:
Anyway, I wanted to make people aware of this because I thought it was relevant to the work of this Group. And anything that we put forth would hopefully help influence their future work, so I want to let folks know about that. The other
>> Kirk Nahra:
Let me ask this question that may come up with the next point I think you’re going to make. But I mean, for example, you mentioned the one about identity proofing and used a slightly different phrase, but does that just elim I mean, does that eliminate our point of us talking about that, or okay, how is it, in fact, relevant to what we’re doing? And that’s an issue we talked about for a while, made some progress on. We’ve put aside the authorization issue, which I believed, at the time, was largely a technical issue, you know, (inaudible). Sounds like it’s now some technical standards. But I almost and maybe it’s just a question to put on the table for once people have had a chance to study and digest it more, but that’s one where it’s hard and just me thinking about it to separate the technical standard from the policy. And then it’s okay. I mean, I’d love to say that we’re done; we don’t have to think about that anymore, but (inaudible).
>> Jodi Daniel:
Yeah, I think, you know, we’re struggling and they’re struggling in the you know, kind of in the same way that the policy issues are so intertwined with the technical capabilities that it’s hard for us to try to sort through the policy issues. And for them, the technical standards are so intertwined with the policy issues, and they’re trying not to dictate the policies based on the standards.
I haven’t read through this in detail to know. I think we do need to digest it more. But I think it’s something that may be worth a conversation to think through how we can either take things off the table, because maybe we just there aren’t policy issues we need to deal with, or do these raise issues that we should then chew on. And I did have a conversation with John Loonsk today to try to start that discussion, but I have to read through them to think about it more and would encourage others. But if you do read through these and have some thoughts (inaudible), get back to us on how we can better (inaudible) our conversations (inaudible).
>> Steve Posnack:
Well, you gave examples of some of the topics that were covered, like the secure communications channel. I don’t we’re not going to do anything we’re not going to have anything to do with that, I don’t think. But some of the ones you mentioned are much closer at least topic-wise to what we’ve addressed.
>> Jodi Daniel:
Right. So...
>> Kirk Nahra:
Then was there other stuff you were starting to talk about while (inaudible)?
>> Jodi Daniel:
Yes. So then the other thing at the AHIC meeting that came up in conversation in response to the HITSP standards which I thought was a little bit odd, but it’s something the Secretary is very interested in. And there was quite a heartfelt, I thought, discussion about this. There was a lot of passion involved with some of the folks talking about it. It was about patient access to electronic health information. And I won’t speak for Sue about what HIPAA says, but there were AHIC members who were asking, “Well, how do we make sure that patients get electronic access to their information, assuming it’s available electronically?” And it raised some questions about the form and format of access. Of course, under HIPAA, patients have a right to access to their information. There is language in there about the form requested, if it’s available in that form, and I don’t know the exact language, but you can clarify or it doesn’t have
>> :
But not at the moment.
>> :
Not with lunch. (Laugh)
>> Jodi Daniel:
And but then it raises other questions about, “Well, what does that mean, ‘electronic access’? You know, is it standard based? Is it just a PDF? Do we care?” There are issues that came up about timing and if it’s an electronic form. People were talking about it being available quickly. The HIPAA rules allow for 3050 days, with the potential for an extension, in there. So there were a couple of issues raised about access and whether there’s about patient access to electronic information and whether it raises new issues that are worth talking about that can provide better information or more timely information to consumers once the information is electronic. And I just wanted to raise it because it was an issue that was discussed at AHIC and clearly falls within the scope of this Workgroup.
>> Deven McGraw:
What was the context that it came up in?
>> Jodi Daniel:
It came up when they were talking about like I said, it came up when they were talking about HITSP standards, which was a little bit odd. The Secretary brought it up, and it was a little bit of a tangent to the conversation that was going on. It’s just something that he had been very interested in. He’s raised it in every meeting on anything related to health IT that I’ve heard about or I’ve been involved in so far. So it’s just his personal interest. He wants to make sure that patients are not forgotten about in the equation, and that they can get electronic and health information, and that they can participate, and huh?
>> :
(Inaudible)
>> Jodi Daniel:
Yes. Any you know
>> Kirk Nahra:
Well, is the reason that you’re mentioning it is that just informational? Was there instruction to us? Was there
>> Jodi Daniel:
There was not a direction to us to do anything with it. I’m bringing it up, one, informational, and two, to see if there if folks want to talk about this and raise this issue, because it is something that AHIC members are concerned about. And the Secretary brought it up, but, you know, three or four other people jumped in and said, “Yes, yes, yes, and we need to talk about it in this context and in this context.” So, you know, it’s one of those things as Sue keeps saying, “Yes, you can get it electronically” that you know, perhaps it’s something that may be a clarification that we can make about what is already permitted or required and maybe that there if we’re talking about the Higher than HIPAA conversation, are there new opportunities, you know, once the information is electronic, to make it more available to consumers, faster that kind of thing.
>> Kirk Nahra:
Isn’t faster really the main issue? I mean, I’m not aware that there’s any information necessarily that would be available in a typical EMR, that would not be introducible. I mean, it’s got to be something that’s not part of the designated record set today. I would think most of that information would be in the HIPAA-designated record set. It’s just maybe harder to get harder for the provider to gather, in some circumstances, not a one-s you know, one-stop-fits-all place to get it. And I assume the time period that HIPAA will put in because the idea was, you’re going to have to gather and find stuff that may not be as relevant, or it may be less relevant. So it’s really seems to be a faster question more than a substance
>> Jodi Daniel:
I think it’s timing of the question and whether or not we ought to recommend standards that are over and above (inaudible). I think it’s a format question, in terms of some assumption that this information is not just accessible to the individual or electronically accessible to the individual, but it somehow is also can automatically or readily be put into a personal health record of the individual, which is not necessarily an assumption anyone would make today, and to what extent that becomes a part of the site. And then I think fees and how the fee structure will play out in an electronic environment may also (inaudible) to the conversation.
>> Deven McGraw:
Right, because right now, it’s about copy fees.
>> Jodi Daniel:
Right, assuming mailing hardcopy.
>> Kirk Nahra:
(Inaudible) that translate to (inaudible).
>> Jodi Daniel:
Right. You know, you hand a disk. Is that a hardcopy of an electronic (laugh)?
>> Deven McGraw:
Right.
>> Jill Callahan Dennis:
So I think it has all those aspects. I think all of those aspects, though, really are going would necessarily be part of what we were going to be turning to next after relevancy is the Higher than HIPAA conversation.
>> Jodi Daniel:
So it’s I mean, it’s definitely consistent with our conversation that’s coming forth, and it is something that was raised as an issue of interest at the AHIC meeting. So it’s something that we should discuss as, you know, one of those issues that we want to prioritize to take on, you know, in the Higher than HIPAA conversation. And you know, I think that there might not be the Higher than HIPAA.
>> Deven McGraw:
You can come up with another term for that.
>> Kirk Nahra:
I was thinking of that. (Laugh)
>> Jodi Daniel:
I think, you know, the conversation I think that this one probably it’s one that there’s a lot of interest, and it may not I suspect it may not be as controversial as other topics, although I think there might be some issues depending (inaudible).
>> Kirk Nahra:
Well, I guess it strikes me that the biggest issues are going to be practical issues. I mean, the idea of getting that into your personal health record is presumably an idea everyone’s going to I don’t know anyone to think that’s a bad idea, but given what I’ve heard about the RHIOs and people like that, there’s nobody who’s anywhere near a position to be contemplating that, really I mean contemplating that in any or actually doing anything about it way. So it’s a great thing to shoot for. (Laugh) I would not suggest that we said, “You have to be able to do that.”
>> Deven McGraw:
It depends on how it happens, though, because we know that a lot of health information exchanges aren’t necessarily building a patient portal into their, you know, exchange yet, but it doesn’t mean that you couldn’t submit an electronic request of an entity and get, you know, access to an electronic file through other means that a portal or whatever state-of-the-art technology. So, I mean, I think it’s definitely worth considering, and I would hope, as you say, that it’s less contentious than some of the other issues. I think it’s really timely.
Did the Secretary raise it in the context of HIPAA? Like, I mean, I know it came up in HITSP, but, like, was it attached to HIPAA? Because it seems to me broader than a purely Higher than HIPAA
>> Jodi Daniel:
No, it was not in the context of HIPAA. He doesn’t he wasn’t saying that HIPAA does this and should we do something different. He was just raising it generally as an issue of how do we get patients electronic access to their information, is there a standard for that, and talking about it in that context. So it wasn’t in the context of HIPAA at all.
However, in the spirit of full disclosure, it’s not like the Secretary’s office has not inquired (inaudible) us about HIPAA and access to electronic health records. Those conversations have been had.
>> Deven McGraw:
Right.
>> Kirk Nahra:
Is there anything else from that meeting?
>> Jodi Daniel:
I think that was all. You know, there were some a couple workgroups reported out, but nothing that particularly impacted this Group.
>> Deven McGraw:
The audit recommendation (inaudible).
>> Jodi Daniel:
Oh, right. Yeah. Deven testified.
>> Deven McGraw:
(Laugh) For a brief 10 seconds.
>> Jodi Daniel:
Right. This was an issue that we dealt with many months ago regarding the Model Requirements Executive Team and their recommendations with respect to allowing auditors access to the record. And you’ll recall that we spent a little bit of time on it figured that basically, it was what they were suggesting was certainly all permissible under HIPAA. And so we weren’t, at this point, prepared to say anything beyond that other than, you know, suggesting some exploring some further granularity with respect to some of the standards. I.e., if you can allow auditor access, should that be, you know, any auditor for any purpose whatsoever, or is can there be limits placed on that based on the nature of the audit, etc.?
The letter went around quite some time ago, but it finally was getting teed up, because it was a joint letter from our Workgroup and the EHR Workgroup. So getting off pulling all of that information together, it got presented to the AHIC on Tuesday. And there was a fair amount of discussion, actually, on the EHR component piece of it, but really very little to none on our piece of it. So and what we’ll prob
>> Deven McGraw:
We crossed that one off, right? (Laugh)
>> Jodi Daniel:
There will probably be there was a request to have a recommendation the AHIC present a recommendation on what to do with this letter. Now which we’ll do at the next meeting. My sense is that they’re just going to pass it on to CCHIT and HITSP and, you know, ask them to look at it along with their other activities on the roadmap and incorporate the recommendations as appropriate, with the one modification that they made to one of the recommendations to the EHR Workgroup looked at with respect to coding. So, you know, I think that that was there wasn’t too much discussion from the privacy standpoint.
>> Deven McGraw:
No.
>> Jodi Daniel:
Good.
>> Deven McGraw:
It was good.
>> Jodi Daniel:
Short day for (laugh) so any other questions about AHIC?
>> Jill Callahan Dennis:
The next meeting is going to be in Orlando?
>> Jodi Daniel:
Yes. It’s coordinated with the HIMSS meeting would be take place simultaneously.
>> Jill Callahan Dennis:
Is there any forecast of the agenda so that people can make decisions about (inaudible)?
>> Jodi Daniel:
The need to be in Orlando in February? Oh, my gosh. (Laugh)
>> Deven McGraw:
You need a reason? (Laugh, multiple speakers jesting)
>> Jill Callahan Dennis:
I’ve done this before, and I’ve had to leave, so I know all about the potential downside.
>> Jodi Daniel:
Well, we’re going to get to the conversation next about the recommendation the HIPAA relevancy recommendation letter, and that is that scheduled to be on the agenda, Judy, for
>> Judy Sparrow:
You actually are on the draft agenda, yeah, but it’s draft, so it’s still fluid.
>> Jodi Daniel:
So there’s an opportunity for CPS to present this that letter at the next AHIC meeting, although that would be changed if there’s any (inaudible).
>> Jill Callahan Dennis:
What’s the date again? Sorry.
>> Jodi Daniel:
February 26.
>> Jill Callahan Dennis:
Okay.
>> Jill Callahan Dennis:
And Mickey Mouse will not be in attendance.
>> Deven McGraw:
Don’t be so sure. He’s everywhere down there.
>> Jill Callahan Dennis:
All right.
>> Kirk Nahra:
Okay, well, why don’t we move on to our next topic, which is the relevancy recommendation, which (inaudible)? And people should have if you’re in the room, there’s hardcopies. It was, I think, Steve who sent out, with your agenda, what, 2 days ago, the current working draft, although intended to be more than a working draft at this point. I mean, people have had lots of stuff with us. So I want to open this up for discussion. Our goal is to try and have whatever discussion we need today and then, depending upon the outcome, be able to finalize the recommendation letter.
>> :
(Inaudible)
>> Jodi Daniel:
Sure. I mean, again, this has been out circulated, and we got a number of very helpful comments from folks, you in particular. We’re grateful for your spending so much time on it make sure that we were covering all of our bases. Does anybody have any specific comments that they didn’t have an opportunity to raise before? Please do so now so that we can it would be nice to check this one off as well.
>> Marilyn Zigmund-Luke:
Hi, it’s Marilyn Zigmund-Luke with AHIP, and I’m actually participating today for Tom Wilder, who has been active in this Workgroup, and I have not been involved in the discussions previously. I guess, from my perspective I did speak with Tom prior to today’s meeting, and I have a concern generally with the policy about excluding certain entities from the various HIPAA requirements. I guess my preference was always, once you’re involved in any kind of information network or information exchange, that you would comply with all of the HIPAA requirements. And I’m concerned a bit that now we’re creating a precedent that really is starting to chip away at some of the consumer protections that we’ve always supported. I don’t know if others on the Group feel the same. But I do have those concerns.
>> Kirk Nahra:
Well, that this is Kirk. I guess I have a couple of reactions. First of all, we’ve had that discussion many times. Tom’s been on them and has not raised that point with the Group as we were moving forward. Second, the precedent is already there, and the precedent is exactly what we were using as our model, which is how HIPAA clearinghouses are treated. And this Group, in many discussions, has viewed has been looking at the question of whether the health information exchanges were essentially analogous to the kind of thing that HIPAA clearinghouses do. And while it’s not a perfect match, it was a good analogy. And this Group has had discussion now for close to 6 months trying to move this along.
So this is the current proposal: It is a very limited set of carve-outs that mirror I guess I didn’t do the exact match matching, but it mirrors almost exactly the carve-outs for clearinghouses, because individuals don’t have relationships with clearinghouses. And so the idea here was that if individ unless individuals are signing up with these health information exchanges somehow and have some direct relationship, we tended to carve out the particular HIPAA requirements that were very tied to individual relationships between what today is doctors, hospital, and health insurers.
>> Susan McAndrew:
And this is Sue McAndrew. I want to say that my comments raise somewhat the same concerns with regard to the earlier draft of this. And I want to thank whoever worked on those comments and the revisions for, I think
>> Jodi Daniel:
That would be Steve.
>> Susan McAndrew:
(laugh) incorporating the essence of and addressing those concerns, which were to point out that we were only talking about those systems that do not have the direct interaction with the individual where they would actually come into possession or create records that didn’t exist anyplace except there, and that we were in no way diminishing or taking away or diluting those individual rights with respect to entities where this direct relationship did exist as with individuals and the providers that were participating in the network. And so all of those individual rights remain guaranteed in place. And the obligations continue to fall on the health care provider, to the extent that health care provider uses this network and we share records with other interoperable health care systems. All of that goes on in the background, and the individual can still seek redress and access to their information and amendment rights, notice rights, and all of that directed from that health care provider.
>> Deven McGraw:
Right, and I think this is Deven McGraw we also left open in the letter the possibility that these structures of information exchanges could change and morph over time so that there is more of a direct relation with achievement. And at that point, obviously, the HIPAA requirements that we categorized as exemptions in the letter would need to attach. So we spent a lot of time on this one.
>> Susan McAndrew:
I’m sure that you have, and I guess just for the record, I don’t know what the process is going to be for voting for the letter, but I’m not comfortable saying that, yes, I would sign off on the letter for AHIC. So I guess I’ll be the only dissenting vote on this.
>> Kirk Nahra:
Well, is Tom a dissenting vote? He’s been on all these calls.
>> Susan McAndrew:
I’ve spoken with him and raised these concerns with him, and he told me that he was fine with me noting these concerns and dissenting if that’s what I felt was appropriate to do.
>> Kirk Nahra:
Any other comments on the letter?
>> :
I think it looks fine as we’ve discussed it.
>> Deven McGraw:
All right, great.
>> Susan McAndrew:
Do we mention sorry. I was just rereading it. Do we mention here the work that we plan to do with respect to going above, you know, what
>> :
Yes.
>> Susan McAndrew:
So then, another point to maybe help assuage the concerns that were just raised is that the consumer protections that exist may actually get or at least our recommendation might be that they would get enhanced so they could actually end up being stronger than the status quo.
>> Steve Posnack:
I don’t know if that’s Marilyn’s concern.
>> Marilyn Zigmund-Luke:
Well, I have a number of concerns. I mean, primarily, I don’t agree with the position about the lack of a privacy notice being required, whether it’s sent to the consumer directly. I can understand why you’d have that exemption, but in other contexts it’s been discussed, at least that should be posted on a Web site or at least available. I mean, I think every entity
>> :
It says that it should have a letter.
>> :
It said it should be posted on the Web site and made publicly available on their Web site or through other means. So the only thing it doesn’t obligate the entity to do is to physically send it, because supposedly, it’s the job of the entity that has the direct relationship with the patient to do that.
>> Jodi Daniel:
Anyone else want to raise anything before we close this? (Pause) Okay, well, I think, you know, we’ll have to touch base.
>> Jodi Daniel:
We’ll have to touch base, obviously, with Tom, but I think that given that the overwhelming majority of the Workgroup is that we should move forward with this, we’re going to move forward with this.
>> Susan McAndrew:
If you move forward, that’s fine with me, just as long as it’s noted that I’m the dissenting vote.
>> Kirk Nahra:
Well, we can we hear from Tom on that? Because Tom’s a Workgroup member. I want to make sure that we’ve got his specific “no” vote, because he’s been on he’s agreed with every one of these discussions that we’ve had going back for months.
>> Susan McAndrew:
I will send the message on, Kirk, but that’s why I’m participating for all of the hours that I am today. So I will let him know your concern about him not being on the call.
>> Kirk Nahra:
Well, no, that’s my concern is not that he’s not on the call. My concern is that if there’s going to be a dissent from a Workgroup member, I want to have that dissent from the Workgroup member. So he needs to let us know that he dissents from this, and I’d also like to know from him whether he plans on writing anything or just say he dissents. We have a whole process for other views. I want to make sure if he feels he has some of those. I want to hear from him that he wants to use that. If he doesn’t want to use that, that’s obviously fine as well.
>> Susan McAndrew:
I will let him know.
>> Kirk Nahra:
Thank you.
>> Deven McGraw:
Okay, well, we actually got through that discussion quicker than scheduled. So we have a break on here, but I think we should
>> Kirk Nahra:
Not have it. (Laugh)
>> :
Start the fun.
>> Deven McGraw:
All right, so now we move into the next phase, which we had set forth for ourselves from our very first recommendation and, you know, obviously, which presents another set of challenges. But I think many of us have been eager to begin this discussion. And we’re now ready to have it, which is the HtH, Higher than HIPAA discussion. And obviously, there are many areas that we could that we will want to tackle, but Kirk and I thought that we might start with the piece that a lot of organizations have been talking about, and that is whether consumers should have a right I some folks call it opt-in/opt-out. On the draft piece of paper that you all got with different scenarios on it, it’s labeled “consumer choice.” And we’re talking about health information exchange here and whether no? (Inaudible, pause)
Oh. I’m sorry. This is for Kirk and I so that we don’t mess up. I apologize. We have some scenarios to (multiple speakers)
I’m sorry. This is a helpful discussion guide for us to help sort of guide us through it, but it is we are at the point where we’re discussing opt-in/opt-out of health information exchange networks, where we have, sort of as a baseline, HIPAA, which permits the exchange of information by a covered entities with identifiable information for treatment, payment, and health care operations without express authorization from the patient. And so, now that the question that’s teed up is, when those records are moving through an exchange network, should there be a higher set of standards?
Okay. So we’ve tried to sort of think through what some different scenarios might be to get the conversation going, one choice being
>> Kirk Nahra:
Hang on. Let me just jump in for a second. I guess the other part of just getting the conversation started we’ve had a lot of this conversation, and I guess what we’ve struggled with is not necessarily getting it started but getting it focused and pushing toward the point where we can have some resolution. And one of the issues that we tried to do with the Workgroup over the last couple months was trying to get people to identify areas where additional information would be useful, where we could you know, we could bring in people or gather information so that people could make up their mind. And frankly, we got very little input on that.
And so one of the things we were trying to figure out was, maybe that means that people actually have firmer views on what some of these answers should be, and so we wanted to try and figure out a way to flesh that out a little bit and see again, if the answer is, everybody on the Workgroup feels that they have a view and they could vote on how they think it should be approached, we would like to know that at this point. I sort of suspect that’s not the answer, but we’re not sure. We’d like to try to know that.
Similarly, if people don’t have a view or don’t have a clear view and they need something else to get them to a point where they have a view, we have to figure out how to do that. And so that’s the part that we’ve been struggling with a little bit. Obviously, you can break this down into, you know, potentially an infinite number of components, and so we’ve tried to pull out some of the what at least we’ve thought of as the bigger-picture issues. But one of our goals today is to come away with a better sense of where this Group is on what we need to do. And again, if people say today, “Yeah, we’re I don’t need anything more; I know exactly what I want the answer to be,” again, that doesn’t mean we’re all in the same place but that’s at least useful. That will help us. If people come back and say nobody has any idea what the answer should be, then we really need to drill down on how we’re going to make progress on this. I think it’s the kind of issue where you know, where one of the groups looking at this, lots of people are doing a lot of talking and a lot of thinking about these issues, and that can go on forever, for better or worse. We don’t have forever, not that Deven doesn’t want to do this forever, but (laugh), you know, we want to try to figure out if there are ways that we can make some more progress.
So these scenarios that we had envisioned were again, these are not these are sort of measuring sticks for ways to think about how we could make recommendations. They are not themselves recommendations, frankly because they’re mutually exclusive. They’re essentially the spectrum of recommendations we could make.
So we want to lay those out. We want to have some discussion about where people are on those and what they think about the different points, with an idea towards, again, figuring out whether people have you know, if we give lay out these three scenarios and everyone says, “Oh, I love #2,” great, we can move on. Again, I’ll be a little surprised if that’s the answer, but frankly not you know, not astonished. So we want to figure it out.
The more important second piece is going to be, “All right, if people don’t know where they are on this spectrum, what is it going to take to get them somewhere on this range of choices?” And so we want to lay out these scenarios. Again, they are along a spectrum. We are happy to discuss you know, maybe the answer is, there’s five decisions on the spectrum rather than three. Maybe it’s I hope it’s not 25. But we want to play that out a little bit, figure that out, and that’s sort of the goal of most of the discussion today.
The other thing to keep in mind is that we do have a meeting scheduled for roughly 10 days from now, very close together due to a little bit of the accident of the calendar. So we may continue this. We may decide that we need you know, if the answer is, we need factual information, we’re probably not going to have that information in 10 days. So we want to play that out, and again, hopefully, this will get us moving at least in the right direction to get us beyond just I mean, talking about these issues is important, but it’s that I think we could do that for a long time trying to get this a little more focused.
>> Deven McGraw:
Okay. So I’ll lay out the three possible policy approaches that we came up with. Again, they’re not (inaudible). but this is all this conversation is all going to be in terms of just opt-in/opt-out, not trying to come up with the range of areas in which we think Higher than HIPAA may apply.
>> Kirk Nahra:
Well, that again, that was the that’s our discussion for now.
>> Deven McGraw:
Yeah, just so I know.
>> Kirk Nahra:
It’s mainly a question of deciding whether information’s in or out or whatever.
>> Jodi Daniel:
Sure. What happened when we were talking with Kirk and Deven, the a lot of the issues we’re talking about regarding Higher than HIPAA sort of depended upon where we landed on this issue. So if you know, if there was a lot of consumer choice built in, then that might affect the decision down the road whatever. It seemed like and it was an issue that when we were asking folks to prioritize way back, it was one that popped up pretty high on the list. So for this for those two reasons, the decision was made to start somewhere and start there.
>> Deven McGraw:
Okay. Great. Okay, so again, this is this list is not meant to be the one and only list, but to tee up the conversation. And there’s essentially three choices, and they build each choice builds on the other. Number 1 is, consumers can choose how and whether their information is disclosed from their personal health record to a health information exchange, but once the information is in the exchange, essentially the HIPAA rules apply. Did I phrase that right?
>> :
Yes.
>> Deven McGraw:
Okay, #2...
>> :
Wait. Please say it again.
>> Deven McGraw:
Yes, consumers yes, I know you don’t have paper.
>> Kirk Nahra:
Well, it’s less the specific wording than sort of the concept
>> Deven McGraw:
Yes, the concept. (Laugh)
>> Kirk Nahra:
the concept being that what’s different about this environment is the PHR piece, and so people have a choice as to whether data from their PHR goes into the environment, once it’s in it.
>> Deven McGraw:
Okay, right. And all the rules apply. So choice 2 builds on that. Again, consumers have the choice, whether information that is in their PHR gets into the exchange. But even but it builds on that by saying consumers then have a choice
>> Kirk Nahra:
A second choice.
>> Deven McGraw:
a second choice about whether information collected by their health care provider can be exchanged as part of the HIE. In other words, they’re sort of opting in for beyond just their PHR, but information that may be held in their provider’s EHR. Their provider is participating in a health information exchange. They have a choice about whether the information can be exchanged through that network. And then once you opt in or have the chance to opt out and we can talk about (inaudible) that choice the timing of that choice, then the HIPAA rules apply.
So you have the choice. It’s like a gatekeeper choice, right? He you know, again, building on #1, which is your information from your PHR doesn’t go into the network unless you say it goes in, but once it’s in, the HIPAA baseline rules apply. This choice #2 builds on that by saying #1 yes to #1, and then there’s a second question about whether the provider records your the records that are kept by the provider on you, whether you have a choice about whether the information can flow through the network. And this is something that a lot of the regional health information exchanges have been dealing with, based on some anecdotal information that I know that I’ve received that they’re allowing people to opt either have to opt in to having their records exchanged, as part of the HIE, or to be able to opt out.
>> Kirk Nahra:
And again, the idea
>> Deven McGraw:
But once they’re in, HIPAA would apply.
>> Kirk Nahra:
And again, the sort of motivation would be, all right, we’ve been discussing what’s different under that approach. The what’s different would be the fact that there is this electronic exchange among different providers. So that would be, again, another variation. Now I should say that we’ve structured these as one; one and two; one, two, and three. I suppose you could have an option says you don’t get a chance on your PHRs, but you do get a choice on the electronic medical record. I don’t know I don’t think anyone’s going to support that necessarily. So we view this as a logical progression. So again, you could we could vary among this, I suppose. So that’s another but again, the idea was PHRs, you know, being the most different would be the new thing on the block, and so, you know, consumer controlled give choice at that point. Second choice, you get choice there and on the provider side.
Again, I suppose the most extreme option, which we didn’t really lay out, is no choice anywhere. Again, we didn’t lay that out as an option idea being, that wasn’t that is part of the spectrum, but we didn’t have the sense that anyone in the Workgroup was necessarily at that part of the spectrum.
>> Alison Rein:
Well, and how could you compel someone to share their PHR?
>> :
(Laugh) Right.
>> Kirk Nahra:
Well, I don’t know that it’s quite that obvious, Alison, only because our recommendation assumes PHRs connect up to the health information exchanges. So if a PHR you know, for example, a free-standing independent piece of software that I could keep track of my stuff that choice doesn’t really even present itself, and we’re not purporting to regulate that at all.
>> Alison Rein:
But with the provider-managed PHR (inaudible).
>> Kirk Nahra:
Well, not even provider-managed, but something that connects up to a network.
>> Alison Rein:
Can a provider in an emergency have (inaudible, multiple speakers) be able to find out that you have some information in your PHR about your allergies.
>> :
So and maybe this is jumping ahead to option 3, but does option 2 is that at an element or granular level, or is that
>> Deven McGraw:
That’s option 3. Option 2 is
>> Kirk Nahra:
Option 3 is really Alison’s option. (Laugh, multiple speakers)
>> Alison Rein:
It was just a question. (Laugh)
>> Deven McGraw:
Yeah, option 3 adds the level of granularity, which is, not only do you have the right to choose about whether your PHR and your EHR records are part of the HIE, but you get to make that choice on a more granular level.
>> :
Per transaction.
>> :
Per transaction, by provider I think we did (inaudible)
>> Kirk Nahra:
We didn’t drill with what those levels of granularity would be.
>> :
It also might be that you set up a protocol that anything that has to do with my substance abuse records does not go in. Everything else is fine. And you wouldn’t have to do that necessarily on an iterative basis
>> :
Each time.
>> :
Right. But so, there’s a variable range of permutations even within that category 3.
>> Kirk Nahra:
Absolutely. And in fact, that it we struggled with how to even define that option, and we wanted to focus, first of all, on the choice idea. We could have that option. We could have gone to this was Sue’s point earlier could have said, you know, a whole bunch of other rules related to HIPAA as a whole. We tried to focus on choice, made it logical, tied to 1, 2, 3. But yeah, could be information. It could be I mean a category of information. It could be provider. It could be, you know, a variety of different options.
>> John Houston:
This is John Houston.
>> Deven McGraw:
Yes?
>> John Houston:
With regards to your three options, going back a step, I would propose that you flip options 1 and 2, which because I think some people would argue that more basically that having access to the providers’ information as part of the network is more assumed, in that it is more of a there’s more should be more consumer rights associated with PHR data, if PHR data is actually integrated into the network.
>> Kirk Nahra:
I’m not sure I understand that, John, exactly. What the last couple sentences seem to be exactly what our #1 was.
>> John Houston:
The #1, I thought, was, PHR information was integrated into the network. Correct?
>> Kirk Nahra:
You have a choice as to whether PHR data would be integrated into the network.
>> John Houston:
The second one would be if you had PHR and EHR data integrated into the network, correct?
>> Kirk Nahra:
Well, it would give you two ch again, the way we were thinking about it and that’s not to say it’s the only way to think about it was, PHR would be consumer-maintained record: “Do you choose to have what you’ve collected put into the network?”
>> John Houston:
Right. Oh, you know, I’ve got it backwards. So it’s more increase in controls as you go forward. But I guess the greatest the to me, the lowest level of control would be if EHR data is added to the network. And then more demand and control would be actually, I’m confusing myself now. Sorry about that. (Laugh)
>> Kirk Nahra:
I mean, John, our I mean, again, we’re trying to lay this out in terms of who the whole or most of the discussion we’ve had has been, “Is there something different about this environment such that different rules are needed?” One of the things that is clearly different and I believe everyone agrees with this point is that we don’t today, in the HIPAA environment, purport to regulate anything that is purely on the consumer side, that the consumer I mean, if I have stuff in my house about my health information, that’s not regulated by HIPAA. It’s not part of HIPAA. It’s outside the HIPAA environment. And if I choose to sit down with you know, buy a piece of software, again, that’s totally unregulated by HIPAA today. So that’s A is something where we recognize that that’s consumer driven. We want to encourage it to be consumer driven. Therefore, we wanted to say, “Okay, first choice would be, are we going to have that today unregulated, purely outside-the-health-care-system data put into the network?” First choice that again, we could have had a scenario 1 that said, “No choice, period; it’s in,” but both practically and from a policy perspective, I don’t think there’s anyone on this Group that would support that idea.
>> John Houston:
I agree with that.
>> Kirk Nahra:
There may be people who say the only real difference is, the PHR data coming in the electronic medical record data is simply a better version of exchanging stuff that you’re allowed to exchange today under HIPAA, so you don’t need a separate level of consent there. So you can make the first one without necessarily giving us a new level of consent on the EMR side. But then the choice would be, “All right, so what’s #2 is, there is something different about this environment. What’s different is the fact that people providers can, in fact, have a centralized way to share information. That’s not something” I say this without necessarily agreeing with this “that’s not something envisioned by HIPAA, and therefore, we want to have a separate set of rules there.” That’s another way to look at this that would give people a second choice. Again, once it’s in, everyone would be playing by the HIPAA rules. Then you get the third option which could say you get those choices and you get some additional levels of detail granularity choice as to what goes in.
>> John Houston:
Right. And do you think that we should I mean, do you think that you could argue that there should be granularity of one type of data one type of information, like EHR but not PHR or vice versa? Or do you think that its granularity is an all-or you know, it’s either granularity for everything or it’s granularity for nothing?
>> Kirk Nahra:
I again, the we hadn’t gotten very far on the granularity discussion, but the I think the assumption that I’ve, at least, been operating under is that there would be granularity on the PHR side solely because, for the most part, you can’t make somebody put I mean, if I’m sitting at home with my PHR on my computer, you know, unless there’s a law that, again, I don’t think anyone supports that forces you to put data into this, you just don’t do it. So you would exercise that right by just saying, “I’m not putting anything in.” We’ve presumed, although this is a technical issue as well as a policy issue, that if I keep track of my cholesterol level and my podiatry records and I just want to put my podiatry records in, I can essentially exercise that granularity myself by only putting that in.
Now, I will say, I’m aware of a couple of situations where, from the PHR side, it is an all-or-nothing. It’s either they don’t they haven’t designed those records to be able to pick and choose like that. So there is a technical component of this component.
>> :
So technically, it’s possible.
>> Kirk Nahra:
Of course.
>> :
The software may not allow for.
>> :
You may be subject to coercion by an employer or an insurer to submit certain things. And maybe coercion is a strong word, but you may get incentives that, you know, that cloud your
>> Kirk Nahra:
Which is the opposite of coercion (laugh).
>> :
Well, but they may cloud your thinking about potential risks involved, so
>> Kirk Nahra:
You don’t really want that new TV.
>> :
(Laugh) Or the 10 bucks. I mean, come on. (Laugh)
>> Susan McAndrew:
Here’s where I’m getting hung up on this, and maybe you guys can help me through this, because I’m sort of blocking on the PHR versus the EHR stuff. Does the first scenario say that you make the initial decision to share your data or not, but that you lose all rights to through your personal preferences, coming from the HIPAA rules, in terms of some of the automatic data sharing that doesn’t (inaudible) authorization or consent? That’s where I’m getting hung up. In other words, once you make the initial decision to participate with your PHR in the network but then you lose the ability to say, “But in this situation, I don’t want this data to go,” if HIPAA permits it to go.
>> Kirk Nahra:
Yes. Scenario 1
>> Susan McAndrew:
Yes, that’s what scenario 1 says.
>> Kirk Nahra:
on the spectrum says the main choice you have as a consumer
>> Susan McAndrew:
Is in or out.
>> Kirk Nahra:
is whether to put your information in or not. Once it’s in, all the participants in the system
>> Susan McAndrew:
Standard rules.
>> Kirk Nahra:
follow HIPAA rules, exactly.
>> Susan McAndrew:
Okay. Gotcha.
>> Kirk Nahra:
So your choice your if you don’t want a hospital who can retrieve that information in the course of treating you to be able to also use that to do a financial analysis of how it’s you know, whatever it is, your choice is not your choice under scenario 1 is, don’t put it in the first place.
>> John Houston:
Kirk?
>> Susan McAndrew:
But I mean, it’s I mean, based on that illustration, where I get clouded in terms in conceptualizing this I mean, if you’re putting your information in, you opt in to allow a provider access to your PHR so that your treating physician can know what your latest cholesterol level was and you don’t have to repeat that test. But that information now becomes part of your PHR. But if you have shared it with the treating physician and I don’t exactly know what the medical record rules of the road are going to be, but it does seem to me that at some point, that’s going to become part of that doctor’s EHR.
>> :
Yep. Sure.
>> Susan McAndrew:
Now, unless we’re talking about if the information came from a PHR, it’s always going to be PHR information and not every EHR information, and so the PHR rules of the road will always attach to that information. Then, it seems to me, as soon as you’ve shared it in the system, you’ve converted PHR information into EHR information, and then scenario 2 determines your options of what that treating physician can subsequently do with your EHR information.
>> :
Except that it probably depends on the type of system the provider has, whether or not they segregate those records. But in terms of what they’re allowed to do, if it’s been shared with them, whether it’s a, you know, copy-paste or feed-in or whatever mechanism, you’re right: It eventually becomes part of their permanent record. (Multiple speakers)
>> Susan McAndrew:
If they choose to make it part of the record.
>> :
Right, (inaudible).
>> Susan McAndrew:
If they look at it and say, “Who cares? I’m not bothering,” I mean, that’s just fine. And then you don’t really have an issue, because they don’t have any information to share with anybody anyway.
So I mean, my only problem and I’m buying into the scenario structure here is that I have tended to look at the opt-in/opt-out what level, when, how, as within distinct silos. So the PHR is over here, and the EHR is over here. And whatever you do for the PHR has absolutely nothing you’re not building on the PHR to do an EHR, not building on an EHR to do a PHR. I mean, you can have totally distinct rules, because if you’re doing the PHR and you want that to be consumer-controlled information, then you’re into giving the individual as much choice as technology will bear in moving that information to where they want it moved to.
Different rules, it seems to me, and much closer to the rules of the original HIPAA balance, come into play when you’re talking to providers and plans, if they’re part of the network in terms of what the rules of the road are going to be, in terms of using them a network to share information with others.
>> Kirk Nahra:
But I guess that, you know, my I’m not sure I followed all of that, but I think the basic point that I took from that
>> Susan McAndrew:
It’s only, you know, 3 years of living at NCVHS. (Laugh)
>> Kirk Nahra:
Well, but I mean, for example, one of the reasons that I I mean, one of the concerns that I have for anything beyond 1 and 2 let me put that way is, I don’t think I think that the difficulty of trying to have different rules applicable to the same information, depending on where you got it from I don’t like that. I think that’s an enormous problem. And so the scenarios that I lean towards, at this point, say, “You can choose whether to put it in or not, but once it’s in, it’s all the same.” So you can choose to put your PHR information into the system or not, but once it’s in that system, people just follow the same rules for that information as for all the other information that’s been created in the system before. One set of rules, once it’s in. You can not put it in at all. If you want to keep your PHR out, that’s fine. But once you put it in, all the same rules.
>> Leslie Shaffer:
Can I just ask a clarifying question about option 2? I mean, I understand option 1, and I think we would agree with that, because PHRs are really something that are viewed to be consumer-driven, so that a health plan could move data into a PHR for a consumer, but it would be only at the consumer’s request. And then when it’s in the PHR, the consumer has the right to do whatever they want with it. If they want to give their physician view access to help with their treatment, they can do that. They can give family members and friends access if they choose. Or they can choose to do to give no one access. The ability to block information would be handled in the PHR. It’s not going to be handled at the health plan. The consumer in the PHR could determine if medication information or things like that would move outside of their PHR. And again that could be limited to the functionality that’s within the PHR itself.
I agree that the PHR if the consumer opts into sharing the information with the network, it can go in. The problem I’m having is with scenario 2, where you talk about the provider information. The EHRs idea was something totally different. They’re the physician’s records, clinical, that are for treatment. The consumer doesn’t have access to that information. Maybe someday, you know, a zillion years from now, there’ll be a happy marriage of PHRs and EHRs, but I don’t see that at any time in the near future. So I guess I don’t under
>> John Houston:
There are a lot of people
>> Kirk Nahra:
Well, let me ask you this, Les: I mean, if you’re saying that you think scenario 1 is the better scenario, I think there are people that agree with that for all of the reasons I think you’re going with, which is that the EMR side is information that exists today, it often exists in electronic form, it’s regulated, we don’t need any different rules for that. That’s again, that’s a perfectly rational approach. It may be the approach that I end up with. So I think what you’re saying
>> Leslie Shaffer:
I’m understanding it.
>> Kirk Nahra:
Well, I think you’re understanding it and you just don’t agree with scenario 2, which is fine.
>> Leslie Shaffer:
Okay.
>> Kirk Nahra:
I mean, I assume everyone at some point will disagree with two of at least two of the scenarios.
>> :
Well, the only point, though, is that there actually are situations where there’s an integrated PHR/EHR supported by a provider, so I’m not sure that it’s accurate to say that that’s a zillion years from now.
>> John Houston:
Yeah, in fact, the (inaudible) very (multiple speakers)
>> Kirk Nahra:
(Inaudible) figure, which is, we hang on a second. We need to address I mean, it may be that there is a scenario or more than one scenario where that happens. And similarly, there may be PHRs who can do this at levels of granularity that we can’t even imagine. The question is, what are we going to recommend for an entire industry? And there is always going to be, and I hope there always will be, PHR vendors who can do things better than the standard that we think is the you know, the baseline. And presumably, that’s how people are going to compete in the PHR marketplace. And there certainly are people out there purporting to have privacy and security standards that I don’t think we’re going to recommend that everyone has to do. Some people can just choose to do those other things.
So we’ve just got again and I guess my sense of today, is let’s try to outline what these possibilities are before we start the debate on which is the right one.
>> Don Detmer:
Is this mic working for the folks on the phone?
>> Multiple speakers:
Yep.
>> Don Detmer:
Great. This is Don Detmer. I’ve been trying to get in a bit. I think that’s right, as I see it. And right now, there are probably upwards of 3040 million who have this kind of integrated record through Epic, though My HealtheVet, and so forth. So it’s not like something that’s way off into space on this integrated record. But that wasn’t the point I was going to make. Vasia (?) and some others are also in one of those options, giving people the opportunity to have their data used for research purposes not just care, but also research. And I think it would be prudent as long as we’re an open option to have part of the open option.
>> Alison Rein:
I guess from my perspective, I’m a little bit confused. I mean, I know you guys wanted to tee up to get a sense of the temperature in the room. I’m a little bit confused, because I certainly couldn’t commit yeah, it’s warm. (Laugh) I couldn’t commit to staking, you know, my claim on one of the options, even once I’ve understood them, without knowing where we’re going with the Higher than HIPAA, because 2 is fine with me, contingent on where we end up with recommendations for Higher than HIPAA. But, I mean and maybe this is off base, but if you if because if you’re saying that the record then would have to comply with HIPAA, then that’s, you know, the end of it. Then it begs the question, “Well, then what are we talking about them complying with?”, because we’ve all along had these notions that we’re going to be delving into what Higher than HIPAA is.
>> :
What specifically, Alison? Like, what would you need? I think this gets to Kirk’s question of what you need to know to just (inaudible).
>> Alison Rein:
Well, but those are two separate questions. There’s what information do I want, and then there’s what things we’ve talked about that may be Higher than HIPAA or may not be.
So, I mean, I know off the bat one of the issues where I’d like clarity and maybe it could even be provided by people in this room, but I think I could hazard a guess as to what constitutes treatment and payment. Health care operations in the current environment and the emerging environment is something that I think I’d like to know more about in order to inform sort of where I would sit, you know, on the vector.
>> Kirk Nahra:
Well, okay. You make two points that I think are fair points, and I want to lay those out, and let’s focus on them. One is, you’re making a little bit of a chicken-and-the-egg point, which is, you can’t do the chicken of these scenarios without the egg of what the other pieces are. And that’s a fair point. We had to start somewhere, because I don’t I mean, so that’s how we laid these out, because we thought it was, A, the most significant of the Higher than HIPAA debate clearly not the only one, but we view this as a way to try to get that moving.
The second piece is, “All right, I want to understand if we’re going to say that people have to buy into all or nothing, I want to really explore what that all is going to be in this environment.” And again so that’s a fair and in fact, if we come out of this discussion today with a list of questions we need to look at, that would be a huge step in the right direction. We’ve struggled at this point to go from “I think there should be Higher than HIPAA” to “All right, what is it exactly, and how are we going to figure it out?” So health care operations you want to know I’m going to paraphrase, and I don’t know that I have this right, but I mean, you want to know what might be “Okay, now that we’ve got this integrated environment, maybe there are health care operations things that fit what fit HIPAA that we haven’t really thought about, and we should think about”
>> Alison Rein:
Well, and I think
>> Kirk Nahra:
“before we decide if people are buying into it.”
>> Alison Rein:
To Don Detmer’s point, a lot of research falls under the purview of health care operation, and so or could theoretically.
>> Kirk Nahra:
Yeah. Actually, most research doesn’t fall under health care operation.
>> Alison Rein:
But it could, or it could fall under treatment, because you might do quality research with your data to inform your treatment. I’m there’s a huge well, Kirk, you’re going like this: “These are examples that I’ve heard. What I want to know”
>> Kirk Nahra:
Well this I know, I know, but there’s a whole reason but under and maybe what we need to do is, we need to clarify HIPAA, because there’s if you are doing “research,” meaning publicizing things from you know, publishing information of value to the broader community, there’s a specific HIPAA research provision that is not part of treatment, not part of payment, not part of health care operations very specific HIPAA rules on that on research.
>> Alison Rein:
Right. But a lot of research doesn’t end up in publication, and a lot of research is conducted by various entities that fall outside of the purview of the classical research structure. So I’m just saying that that is a bucket within HIPAA that, for me, is sort of that the health care operations that, for me, is very murky. And I’d love to tease out where research falls on the treatment-payment-health care operation spectrum and potentially in multiple places.
And I don’t know, Don (someone sighs)
>> :
you should have been at my 3-hour meeting yesterday (laugh), where we spent
>> :
Sounds like fun.
(Multiple speakers)
>> Alison Rein:
So I don’t know, Don, if you had anything to add to that, because I know that’s an issue that’s near and dear to your heart.
>> Don Detmer:
Well, I guess the point is that it is the fear, of course, going forward is that people who actually are quite interested and happy to have their data used for research won’t even necessarily be given the option to do so. And if these things do shift out of institutions into buckets, in various places, and we don’t at least have that option alternative, whether it’s used for there’s a big debate between what’s research versus quality. And now that’s not necessarily my point. I think research if it’s legitimate research, whether it’s used for quality research or whether it’s used for basic research or whatever I mean, I think the point that what I’m mostly trying to say is, let’s make sure we don’t lock out the opportunity of people to engage in any of those, as far as that goes.
>> :
Well, and that kind of brings me to a point that I’m kind of an initial question, when I look at option 1, that I think we need to know. And I don’t know if there is an answer out there. But if it isn’t all or nothing, as far as allowing all of your PHR in and then it is subject to HIPAA or nothing at all, does that kill the concept of PHR for a substantial percentage of the public, because they want more granularity? I don’t know if there’s been any research on that, but it seems to me an important question.
>> Don Detmer:
Huge question, and I think the thing that I think is particularly scary about it I think, technically, the capacity to really be able to do a lot of that fine-grain tracking while in good systems, it certainly can be done. I mean, keep in mind that our penetration rate of even EHRs, at this point in this country, at the primary care level is minimal. So this also kind of practicality as well as what that are not
>> Kirk Nahra:
Don, you’re very much cutting in and out as you’re speaking.
>> Don Detmer:
I’m sorry. I’ll try I don’t know if this will work better, but I’ll try. The point I’m making is that the concern is, while clearly good, robust systems could handle a fair amount of specificity, when you actually look at this country and the way we’re coming even at use of electronic health records in small practice environments, the capacity really to expect that we will have the ability to do a lot of fine choice dividing out pieces that are shared and so forth, while it’s part of the dialogue for years, in practicality is really is, in fact, I think, one that’s going to be very hard to try to deliver on.
>> Kirk Nahra:
Well, the other question which I’ve been thinking about and this ties into something Sue said a little bit ago I mean, I know there are PHRs today where I can say you know, I can give my doctor access to my record, or I can send my record to my doctor. One question for this Group to think about is, do we view that as sending data to a network? I sort of don’t view it that way. I sort of view that as a two-way communication without any I mean, if I send my PHR information to my doctor, maybe it’s I mean, maybe we have to worry about it being what the doctor does with it on his end, but the PHR itself is not put into a network at that point.
>> Don Detmer:
Oh, but if you have an ele I mean as a clinician now, if you receive an email from a patient about their health information, it becomes part of your medical record of them.
>> Kirk Nahra:
That’s my point is different, and let me try to be clear about this. We’ve been talking about very loosely generalized and I recognize there’s a million nitpicks on this. We’ve been talking about PHRs, electronic medical records being records held by the providers, and the networks. What I was saying is that there’s lots of opportunities today for a patient to provide a communication to a provider.
Email let’s use that as an example. If I send an email to my doctor, I agree absolutely that that email becomes part of the record that the doctor has on me. I don’t think that, in general, that email is now part of some broader network involving the rest of the health care providers in my city, unless it goes back from the doctor into that network.
>> Don Detmer:
No, that I think you’re right. The trouble is, of course, the doctor who receives the message puts it in he can have she has to consider that part of the patient’s record. So then if, indeed, he or she shares that data with another doctor through the network, it I don’t think your you know, it’s going to be very hard not to consider that part of that doctor’s record.
>> Kirk Nahra:
I agree with that statement. And maybe this goes back to the question that John Houston started with and then changed you know, (laugh) convinced himself out of. But I think, in that description, we could have a lot of granularity on the PHR side, because a lot of the discl maybe what happens is, people say, “I don’t want my PHR in the network. I want the ability to say, ‘If I’m going to send stuff to my doctor, maybe I recognize that the doctor’s going to put it in the record, but if I only send him my cholesterol level and not my podiatry information, then there’s no way for him to put my podiatry information in the network.’”
>> Don Detmer:
That’s correct.
>> John Houston:
Right.
>> Deven McGraw:
It then, though, has a domino effect of diminishing the potential value
>> Kirk Nahra:
Absolutely.
>> Deven McGraw:
which is another piece of this concern. The other thing is, and just to your specific example, there’s a lot more talk about reimbursing for e-consult and telephone consults. So as soon as those things start getting reimbursed at a rate that’s higher than is current today, it’s all going to be part of the medical record and will have to be for payment operations. So
>> Don Detmer:
(Inaudible) that’s a fundamentally different I mean, I think there has to be some recognition that once the information is disclosed that there is some way to rely upon it as well as to have it documented in the provider’s record for whatever purposes. But the question is the tipping point is at what point and how should that data be disclosed, and to what degree of control does the patient have over it prior to or subject you know, or whatever controls the patient has regarding disclosure. I think that’s we’re all talking about.
>> Kirk Nahra:
Well, and then just to follow up with something else I mean, my bias at this point, frankly, is, I think the more restrictions we the more granularity we permit in this system and the more sets of choices that we have, the less beneficial this whole system becomes. And so my bias is, again, let’s give them the all-or-nothing choice, but you really want it to be an all-or-nothing choice, because if you start putting half of the stuff in, it’s going to undercut the values of the system dramatically.
>> John Houston:
But this is but again
>> Don Detmer:
I don’t think it’s operationally achievable today and probably won’t be for I mean, in terms of fine granularity, I think it’s unrealistic. As desirable as it may be as a public policy objective, I don’t think it’s a realistic in large part, a realistic option for some time.
>> John Houston:
But philosophically, I think, you know, to the extent that consumers have a PHR that they are feeding themselves, I think we all agree that a consumer probably feels that they have a higher expectation of privacy with regards to the data that’s in that PHR, and that for that reason, you want would argue that the consumer also has a higher degree of should have a higher degree of control over what data from that PHR then has disclosed. And the corollary to that argument, then, also is that we could argue that the EHR is an all-or-nothing thing or always, you know, is should be readily available, and that the PHR’s the thing that has the right to be, in some way, controlled or at least limited in terms of what information can be disclosed.
>> Steve Posnack:
This is Steve. I guess I just want to make sure that I’ve been listening to everyone’s comments. I think some people are still a little bit see things a little bit differently, and Jill spurred one of those thoughts. So with respect to choice 1, which has to do with PHR, just so we can make sure everyone is on the same page with that one, because everything else pretty much spills off of it, what we’re trying to say conceptually is, the consumer has a PHR that is connected to a network. At the point in time and we’re not making a technical call on how much granularity that PHR has, so it could have you know, you can opt in to sending out everything, or you can have more granular controls, whatever the technical capabilities are of it. But what we’re saying is, you can the consumer can control that and make me decide when the information and however that information goes into the network. When that information goes into the network, subsequent usage of that information is covered by HIPAA. That’s how option 1 the choice 1 works. Does everyone understand how that
>> Don Detmer:
I guess
>> Kirk Nahra:
You have the choice. You don’t have to agree with that.
>> Steve Posnack:
Right, but
(Multiple speakers)
>> Don Detmer:
I guess one of the struggles I’m having is, how is that different than today’s world, when you’ve got a patient sitting in an exam room, and what they divulge to the provider that ends up going in the EHR that gets protected by HIPAA is no different than what they would put in a PHR that they would divulge to a provider that would then, in turn, be protected by HIPAA? I don’t
>> Steve Posnack:
You just made that electronic now.
>> Don Detmer:
Right. It’s the same scenario.
>> :
You have an assumption, Steve. You have an assumption that the network is a repository, not just a transfer mechanism.
>> Susan McAndrew:
It can because there’s nothing there are no uses of the information by the network. The network simply takes it from here and moves it to there. And when you get the information to there, there’s somebody there who is has their own set of HIPAA obligations and/or network obligations with respect to that information.
>> :
Doesn’t it depend on the architecture of the company?
>> Susan McAndrew:
Very little. I mean, I am a little fuzzy on conceptualizing these this information that may come to a provider as simply a view, and whose information that is, and for how long it is, and whatever happens to it once they click “Go away.”
>> Kirk Nahra:
You’re going to have to stop using all those technical terms.
>> Susan McAndrew:
I know (laugh), I know. This is as technical as I get, which is kind of scary.
So, I mean, this is my struggle with the way these scenarios are framed, because I have been coming at all of these issues as potentially access controlled, and it doesn’t matter and they can be different, whether if the system if the network is coming through the PHR and saying, “Hi, I want some information,” how it gets that information out of the PHR is going to depend on how the individual has structured its control. Those are the conversations I’ve been having on this is that, in a PHR gestalt, the individuals should have the maximum capacity to click “Yes” or “No.”
Different scenario, though, when you move that same question to a provider, who’s hooked up to the network. Those opt-in/opt-out choices can be much more granular, or they can be, you know, more global in terms of “Hi, I don’t mind you having an electronic health record on me, but I don’t trust Internet World, and I don’t want my information accessible to people that ping you and ask for my information.”
>> Kirk Nahra:
So that’s option 2.
>> Don Detmer:
And I think that’s where the paradigm shift takes place, really.
>> Susan McAndrew:
And so you get to option 2, and, you know, some people talk about this as “Okay, that’s your choice. You can opt in, or you can opt out.”
>> Don Detmer:
One of the problems, of course, is that the doctor, by almost a matter of definitely custom, if not law now, though if they get information from a patient, at that point, it becomes part of the patient’s record.
>> Susan McAndrew:
Right. I mean, you know, that’s my other issue
>> Don Detmer:
I mean but I think we’re there.
>> Susan McAndrew:
is that, you know, all of this is opt-in, this opt-out works on that doctor’s EHR that patient’s EHR.
>> :
What I’m struggling with, Sue, is how you would frame it, because to me, I look at these options the way these options are built, and it matches exactly what you’re saying.
>> Susan McAndrew:
Okay....
>> :
(Inaudible) choice, but so obviously, there’s a disconnect I’m not quite getting. So I would how would you frame the hierarchy of choices?
>> Susan McAndrew:
I would tend, first of all, to put PHRs aside for the moment, because I think well, it depends that, in some ways, it’s an easier conversation, and I think the harder choices are on the EHR. These are conversations on the PHR, because, one, as people pointed out, HIPAA isn’t there yet largely, and two, it’s designed for all of these very consumer-controlled desires. So you are really limited by technology and the capabilities of technology.
>> :
So I wonder whether one way to simplify this is to because I think part of where we get clouded is the second prong of #1, which is that once you put it into the network
>> Susan McAndrew:
That’s the part that I don’t
>> :
That’s the part that people don’t
>> :
Maybe I can clarify this
>> :
Can I finish?
>> :
Sure, sure.
>> :
Let’s because one of the places where I think we’re getting tripped up is, once the data does come out of the PHR and the physician either uses it or lies on it, in many cases, it’s going to become part of the PHR, and then we’re automatically knocked into 2. So is it possible for us to say, “Consumers should be able to choose when or whether their information comes off the PHR, period,” and set it to the side? Once the information is part of an EHR, then that’s where
>> :
I think that’s the way you have to frame it.
>> :
the whole conversation needs to be.
>> :
I think that’s where Sue is coming from, too, if I’m understanding correctly.
>> Susan McAndrew:
I mean, that’s it’s really on that that is where the HIPAA framework butts up against the state laws that mandate consent and how those state consent laws that you looked at are not harmonized from state to state. And, you know, HIPAA accommodates consent, so it’s not you don’t have to overrule consent to get to this opt-in/opt-out choice. But it becomes much more of a you have a lot more choices: whether you do it as opt-in or whether you do it as an opt-out, whether you allow people to choose whether they go opt in or opt out, and then at what level those choices operate and whether you provide more sensitive information that they preordained opt-out category.
>> :
One sole permutation to add to the you know, I think it’s fine the way it’s been clarified, but I think it was the folks from Rhode Island who said that everybody in that state is, default, part of the exchange. It’s just the choice in whether or not their data move in the exchange. And so there may have to be sort of a stepping stone when we say, “You’re either in the exchange or out of the exchange.” Well, you might be identifiable in the exchange where the record locator service says, “Yes, this person is in the exchange, but no, there will never be any information available.”
>> :
Well, I was wondering if playing off of that, if what we’re really talking about is the lookup function. Is not is, for instance, a patient the patient goes to a clinic for mental health treatment, and they don’t want that information to be accessible to anybody who isn’t providing mental health care to that. Is it that then another doctor is trying to find information on them just it won’t show up, because not that it’s not there, but that when they when somebody else does a lookup, the patient can choose not to have that information available as part of that lookup through the network. Not that the doctor couldn’t otherwise share it if you know, because HIPAA allows it or
>> :
And those are two separate distinctions. Rhode Island has said, “We’re not allowing that,” I think. I hope I’m not mischaracterizing that. I don’t think other exchanges have necessarily, you know, sort of fallen in their position on that. At least I mean, I’m sure they have, just I don’t know. I’m not aware of all of the different permutations. But I do know that’s a distinction just because the sheer acknowledgment from an institution, like Betty Ford, that we have a record for you is, in some cases, sensitive enough. So I just wanted to introduce not that it needs to be more complicated, but when we’re talking about being part of an exchange or not part of an exchange, there’s the lookup recognition component, and there’s the actual clinical information exchange component. And so I wanted to make sure that that you know, the sensitivity of those two components was captured.
>> Kirk Nahra:
Well, the other piece to keep in mind and I - this is hard, but when we say, in these options, that all the other rules would apply, that includes all the currently more stringent state laws. And it would include the mental health you know, federal substance abuse law and that kind of stuff. So the question I mean, one of the questions is, are we going to make a recommendation that is higher than the HIPAA package, which already includes all the other state stuff? So if a state already says I mean, Sue mentioned consent. If a state law already requires consent for any information disclosure of mental health information, I suppose we could make a recommendation that says, “Get rid of that.” We could. That’s not anything on the table right now. So the recommendations on the table are the current system that includes HIPAA plus all the other stuff is what would happen when information goes into the system. We’ve got to keep that in mind. It’s not so the question is, are we going to create a system that takes the state law and goes above those, too? Those are already in the package.
>> :
Or the, you know, as you’re saying, Higher than HIPAA it would be, do we bring HIPAA up do we bring the others up to the highest state law?
>> Kirk Nahra:
Right, well, yes. Are we going to propose, for example, that there now be a federal law on birth control information? I mean, that’s where we would end up going is
>> :
A federal standard.
>> Kirk Nahra:
A federal standard, right I mean a federal rule, a federal you know, all of those things. We’d be saying the choices the states that we’ve given them the choices the states have made, you know, are not going to be good enough. We’re going to say, “You’ve got to do X.” And that’s where we
>> :
In the name of uniformity and interoperability. (Laugh)
>> :
One question I have that you guys introduced by and that may be a topic for getting additional input is that when you introduce the complexity of managing HIPAA relative to all of the state laws, in an electronic environment, how much more or similarly complex is that to the level of granularity that’s introduced by 3? So is it really, you know am I being clear? No. Okay.
>> Kirk Nahra:
Say it again.
>> :
So people have said on the phone that we don’t think our systems can accommodate, you know, granular choice by consumers. Can our systems accommodate I mean, and I know there’s been a lot of workgroups on attention and thought about this. And because not many states are exchanging yet, it’s hard to know. But I think some expert input on the relative difficulty from a capacity a technological capacity to manage the complexity that’s inherent with option 3 relative to managing just the existing complexity of HIPAA relative to state laws.
>> John Houston:
If you were asking if we would be better off with uniform federal standards, the question is, unquestionably, yes.
>> :
Wasn’t my question. (Laugh) I mean
>> Kirk Nahra:
Well, your question is sort of, “Can they handle the complexity of state laws today?”
>> John Houston:
They can’t.
>> :
Well, how much more strenuous is that, or is it on par with the level of complexity that would be keyed up by option 3?
>> Kirk Nahra:
No, I think that’s a fair point, and it’s also one where, again, I was struck when we started to hear testimony from the different RHIOs, how each of them I think everyone we heard from was tailoring their specific details for their very, you know, modest test to the particular law of that particular state. And it certainly sounded to me like even with those tests, we were building five different incompatible sets of standards today.
>> John Houston:
But you know, where the conversations broke down, though, was, when you have a city like Louisville, KY, where I am, and you literally go right across the river and you’re in the Indiana and so that network may be dealing with state laws in two different states.
>> Don Detmer:
And in fact, that’s true for 50 percent of the U.S. population, an equivalent situation like that.
>> :
That’s true, but we also heard from folks like the RHIO in Memphis, which is dealing with the exact same thing: They are right on the border, and they have patients coming in from at least two different states, but they’re but they have a physical locality of their business in a particular state. But they are figuring these things out what states’ rules they have to comply with. So it’s not
>> Don Detmer:
If the adjoining states have similar law, then it may not be that big a problem. Still not a national standard.
>> Kirk Nahra:
But it’s also not that big a problem if you’re talking about “We’ve got to find something that meets Kentucky and Indiana.” The problem right now is that what meets Kentucky and Indiana doesn’t have anything to do with what’s in Georgia. I mean, it’s just that
>> John Houston:
May not, yeah.
>> :
It’s an accident.
>> Kirk Nahra:
Right. It might not have anything to do with it. I mean, it could map, but it doesn’t I’ve had a lot of reason to look at all those different l each one of them is pretty unique. There aren’t very many standardized state laws on a lot of these (inaudible).
>> :
But where is the e the State e-Alliance in (laugh) where in being able to inform us about harmonization efforts and level of technology capabilities, ya-ya-ya?
>> Jill Callahan Dennis:
I’m only on one of the workgroups, but we’re actually having a meeting in February, and
>> Deven McGraw:
A big meeting in February.
>> Jill Callahan Dennis:
Yeah, it’s a big meeting, and I think it you know, there will
>> :
I’m not sure that we’ll have the answer. I think it’s more to figure out moving forward, because there seems to be a lot of energy from a lot of different groups on some of these topics, and we wanted to make sure that we were going to clarify our role accordingly. So
>> :
But I don’t think they’re anywhere near having the answer. I don’t know do you know anything else different?
>> :
No. I would say, though, the HITSP project that they have a couple of collaborative efforts that are looking you know, multiple state collaboratives on some of these issues: harmonizing state law, looking specifically at consent different consent regimes, but that’s a full-year project at this point, so and then they will form a state alliance. So there’s a little bit more detailed work that needs to be done with the states, which would then get recommended up to the state alliance. So we’re still a little bit of a ways off in the research phase, yes.
>> Don Detmer:
And that
>> :
That won’t necessarily talk about the technical capabilities.
>> Don Detmer:
And that really is one of those kingpin discussions that it could just make it almost impossible to do the technical side of this, because you think you’ve got a patient over in Indiana who has certain rights in that state, and their network is being operated in the state of Kentucky, and then you’re trying to build your technology capabilities around both of those states. That’s going to be really difficult, because every single patient you have coming in your door may have different technology needs, as far as how you’re going to share that information, how much of that information you can share, how you have to share it, and so on.
>> :
Well, our country’s built on innovation. I mean, (laugh) shouldn’t we be able to I mean, if people always talk about, like, the free market work if we want it to work in this case, why don’t we make them rise to the challenge?
>> :
And, you know, HITSP and others have said, “Tell us what policies you want. We can design standards. We can design technology to meet those.” So I’m not saying there’s not challenges to comply with each state law, but as far as the level of conversations we’re having here, what level of granularity (inaudible) do people want a particular level of granularity for individual choice? I don’t know that I don’t think the technology is necessarily a barrier, at least at that level. I mean, once you start getting into “Can you do these five things simultaneously?” and they’re mutually exclusive, well, maybe. But as far as you know, if the Group said, “We” and I’m not suggesting this at all, but if folks said, “We want to be able to have consumer choice for these for, you know, these type of health data, systems could be built to do that.” Whether they’re built that way now, you know, and whether it’s practical is a different question, but I don’t think it’s an impossibility.
>> Kirk Nahra:
Well, but the other issue to keep in mind is that the difference between technological possibilities and what little we are seeing right now. I mean
>> :
Exactly. Oh, absolutely.
(Multiple speakers)
>> John Houston:
(Inaudible) do it, but that doesn’t mean you’ll see it.
>> :
Then it’s a matter of aligning consensus.
>> Kirk Nahra:
Why don’t we do this? We are scheduled to take a break. Why don’t we take a break? It is now about 10 of. We will start up again at 3 o’clock.
>> John Houston:
Okay.
(Break)
>> Judy Sparrow:
Chris?
>> Chris Weaver:
Yeah.
>> Judy Sparrow:
We can resume now, please.
>> Chris Weaver:
Okey-dokey. Got it.
(Multiple speakers)
>> Deven McGraw:
Are we ready?
>> Chris Weaver:
You can go ahead whenever you’re ready.
>> Deven McGraw:
Okay. Thank you. All right, so in an effort to see if we can focus this discussion even more, I’m going to try to see if we can either put one piece of this on the table or come to agreement on it and check it off and move on. And that would be the very threshold choice that we began with, which is that consumers have the right to choose whether or not information is disclosed from their PHR to a health information exchange. Do we have at least agreement on that? And the reason why I’m asking is because I think what where we appear to be heading in the previous discussion was the comfort connection that one’s PHR data gets to an HIE that the HIPAA package would apply, and there would be somehow less control, and so, because that data originated out of a PHR, it had some discomfort there. But then subsequent discussions about how, when it does get to a provider from a PHR, in fact, it likely, in most cases, becomes EMR/EHR data, and a more difficult set of questions starts to attach, which is, the data about the patient that comes from an EHR that ends up part of the EHR becomes part of the HIE whether the consumer should then have some choice over whether the data becomes part, again, of that network and, what should be the granularity of that choice.
So being able to focus on the EHR-EMR interoperability part of an HIE question and where consumer choice fits there seems to me to be the direction that I think we’d like to head in if we can get there. And that requires us to sort of table or decide that we agree on the discussion about whether or not consumers have a choice about PHR data.
>> John Houston:
(Inaudible) agree that consumers actually just intuitively have EHRs.
>> Susan McAndrew:
I think that that is one of the purposes and intents of introducing a personal health record is to have a large degree, if not an absolute degree, of consumer control over disclosures to others from that record system and whether that disclosure is into a network system, or is done to third parties, or however it’s done. But the it is inherent in that concept of consumer control of that (inaudible).
>> Deven McGraw:
Anybody else?
>> Sarah Wattenberg:
This is Sarah Wattenberg from SAMHSA. I’ve just joined, but my understanding of what’s going on now is sort of deciding what the basic approach is here about whether or not it’s consumer control and, I guess, at what level of that control. Is that correct?
>> Susan McAndrew:
The level of control, I think, may be a separable conversation.
>> Sarah Wattenberg:
Well, I think it so, forgetting the level of control, I think, you know, SAMHSA’s constituents, which are people with mental health and substance abuse disorders, you know, clearly would require that for substance abuse, because of the tradition and federal statute and, at the state level, tradition and state regulations that the PHRs would absolutely need to have a, you know, ability for consumers to provide permissions for who gets, you know, what information and under what circumstances. And SAMHSA’s been working on some of that for EHRs and plans on doing some adaptation of that for PHRs as well.
>> John Houston:
It sounds like we’re all in agreement.
>> Deven McGraw:
It sounds yeah, but thank you.
>> Sarah Wattenberg:
Okay.
>> Deven McGraw:
Thank you, Sarah.
>> Sarah Wattenberg:
Sure.
>> Deven McGraw:
All right, well, then, I think I propose we then move on and see I think probably what makes the most sense is to lay out what I think now are the three options different, slightly revised three options, which is and again, we’re talking about patient control over EHR records, one being one would now be, they don’t have a right to opt in or opt out. It’s a record about them, it’s in the system, and the HIPAA package will apply.
>> John Houston:
Then they have the same rights that they have today under HIPAA and the package of state laws that already exist.
>> Deven McGraw:
That’s a very good way of putting it. Option #2 would be the non-granular your in-for-all, out-for-all choice, but you have that choice, which today you arguably don’t, unless there is someone voluntarily adopting it as a requirement. And then #3 would be, not only do you have that choice, but your choice is granular. And obviously, it’s if we’re exploring that more fully, we would have to get into much more detail about how that level of granularity would apply: By providers, by type of transaction, by transaction are three options that occur to me, and they’re probably not the only ones.
And so hoping to have further discussion on those points, already a couple of suggestions have come forth about some additional pieces of information that folks would need to have in order to make a decision about how they fall among those three choices: not at all, all in or out, or choice of granularity. And so, opening them that back up to see if there are other thoughts about additional that folks would need, I know Alison through on the table that her for her, the choice between #2 or 3 might depend in part on where we might come down on the Higher than HIPAA discussion on health care operations, for example, and maybe some other pieces, too. So it would be hard for her to decide, but I think I don’t want to speak for you (laugh), but you’re between 2 and 3 and leaning towards 3 as now if we don’t get Higher than HIPAA on 2.
>> Alison Rein:
Yeah. I mean, I guess, for me, I sort of assumed that once we start digging into the Higher than HIPAA conversations around the topics that we’ve already identified, and maybe additional ones that we haven’t, that conversa or those conversations, in and of themselves, would help clarify in people’s finds where they fall on this 1-2-3 spectrum. So just a process question, you know, sort of how are we proposing or is this what you’re throwing out there? Like, how are we proposing to go about this discussion?
So I assume we right now are trying to generate the laundry list of questions that people have for additional information gathering, which seems to me a little bit separate from identifying all of the areas where we have previously pointed out or may point out that there may need to be something Higher than HIPAA.
>> Kirk Nahra:
Well, here’s, I guess here’s the problem that I’ve, at least, faced that I think Deven and the staff have faced on this, which is, we have a list of topics that people have said, “We want to see whether they should be Higher than HIPAA.” What we don’t have is “All right, great, with that list, what do we do with that list? What do we do with the list that says ‘Access Rights’? What are we going to do about that?” And I’m really struggling with that.
Now, part of why I’m struggling with that is, I’m you know, there are plenty of components of the issues we’ve been following over the couple of months where I have felt, you know, I can contribute particular pieces of information that’ll help us move on. I’m not sure I yet see the reason to say, “You have different and better access rights if the information comes knew this channel than if you come through this channel.” So I’m not the one to come up with the what’s it what’s the answer going to be.
But we have that list of topics. People were very good about generating that list of topics. What we don’t have is, again, “What do we do with it? What do we need to know? Who’s going to come in and tell us something that will allow us to make a decision on whether there should be an additional right?” And that’s the piece that’s, at least from my perspective I it right now, what we are is, we’re left to just have these discussions, which are fine but only get us so far. Part of our goal today is, maybe they get us far enough that we can check that one off the box. I sort of think that we won’t get too many of those, Don. So what do we need to take that list of topics and turn it into something that’s going to be a recommendation?
>> :
Do we have that list of topics?
>> Kirk Nahra:
I mean, I’ve got you know, I was trying to write things down from memory that (laugh) you know, that we’ve talked about already. We’ve got health care operations as a potential topic; research as another potential topic, or how that may interrelate; audit, which is separate than accounting, but they are somewhat
>> John Houston:
Audit trail.
>> Kirk Nahra:
audit trail some you know, consumer-focused audit versus the systems audit; the access requirement I think maybe people could shout out others that they had. Right now, we can make a small list. I can’t think of anything else offhand.
Okay, so that’s let’s assume that that’s part of the list and that there are others we’re not remembering. What do we do with that? What do we do with, say (laugh), access rights? I mean, we could I mean, again, I suppose somebody could sit down and come up with three scenarios on access rights. One is a scenario is, you get full HIPAA access rights and nothing more. Number 2 is you know, I guess it starts to get hard, because #2 is, you get something more, but what is it? You know, you get more than HIPAA, and that’s X. Number 3 is, you get more than HIPAA, and that’s X plus Y.
>> Jill Callahan Dennis:
Can you just identify access rights consumer access rights on information, or does it
(Multiple speakers)
>> Kirk Nahra:
Yeah, I’m trying to compare to HIPAA. So there’s the HIPAA access right, which is an individual consumer right to get access to their designated records. So first scenario, I presume, is no additional access rights than granted by than those granted by HIPAA. The second option is something more than that, and the third option is even more than that. I don’t know what those are.
>> Don Detmer:
Well, if we could come up with the with some ideas of the something more than that and the even more than that, then it’d be interesting to hear from the industry to say, “Okay, if we hold you to the HIPAA standard here, what does this do to your business model, and what does this do to patient care? If we hold you to this higher one, what does that do to your business model and patient care? And if we hold you to this real high one, are we killing you, or is this doable? And what do you think the impacts to those areas would be?” But I think we can’t really do that until we have some idea of what those additional standards
>> Jill Callahan Dennis:
Well, one of the things we talked about is potential more-than, and the idea I would hesitate to mention it (laugh) is the time frame.
>> Don Detmer:
There’s also another dimension to this. There’s a dimension to that as well, and that’s that one-time access is a continuing access for a defined period. It you know, it’s also issues relating to rules of the road.
>> Deven McGraw:
Jill, can I get to you elaborate on what you said?
>> Jill Callahan Dennis:
Yeah. Well, we had talked about time frame right now. You know, the once the patient lodges a request, there’s the clock starts to tick, and you have to deliver within a certain amount of period of time. And so that could be one Higher than HIPAA discussion that we would have is that in this new world, you know, should we have a higher standard than what’s present?
>> Deven McGraw:
The timing, the format and fees those kinds of things.
>> Jill Callahan Dennis:
So, yeah, I mean, to me, it would be really helpful. Some of these issues, we may not need testimony, but at a first pass, maybe we could just come up with sort of, like, a matrix of different permutations of options and then, you know, maybe try and align them with this bigger opt-in/opt-out. Some of them may be totally separate from the opt-in/opt-out questions. So in my mind, the audit trails issue
>> Kirk Nahra:
Doesn’t have a corollary, so to speak, in the HIPAA world, so that would be...
>> Jill Callahan Dennis:
Well, exactly. Sort of a stand-alone
(Multiple speakers)
>> Kirk Nahra:
It’s a dramatically different accounting, right?
>> Jill Callahan Dennis:
Right. And it’s so it’s therefore Higher than HIPAA, and regardless of which opt-in scenario you might choose, one might argue that it should be there, or one might argue that it shouldn’t be there.
>> John Houston:
Can I ask one clarifying question? Is the third I think the third scenario was this issue of granularity, correct?
>> Jill Callahan Dennis:
Yeah.
>> John Houston:
That is that, to me, is in and of itself a Higher than HIPAA
>> Kirk Nahra:
Absolutely.
>> Jill Callahan Dennis:
Yep.
>> John Houston:
And the reason why then, towards that end, NCVHS right now is trying to finalize a letter on sensitive data types, with the thought that there would be additional protections provided, associated with those sensitive data types. And so I just want you know, I think, as you’re trying to mature your understanding of this, just recognize that that work is ongoing.
>> Jill Callahan Dennis:
So when did when do you think that letter’s going to be released?
>> John Houston:
I was hoping it was about 6 months ago. (Groan) It’s still the debate within the privacy subcommittee. I’m hoping, the next meeting, that we either get closure on that or some direction as to when it will be finished. But I think it very much ties in with all of our discussions here.
>> Jill Callahan Dennis:
All right, but the next the earliest opportunity would be there’s a full committee meeting in
>> John Houston:
February.
>> Jill Callahan Dennis:
February.
>> John Houston:
Yeah, and I think after that, there’s one in April or May now.
>> Sarah Wattenberg:
John, Paul, this is Sarah. They’re not debating the actual core issue. They’re debating around the edges. But essentially, the general committee has already said that they’re going along with this idea of doing consent based on providers and stuff, right?
>> John Houston:
I’m not sure I understand what you’re saying, Sarah.
>> Sarah Wattenberg:
Well, but they’re not still debating the level of granularity. Is that right? They’re more
>> John Houston:
I mean, we’re just there’s a lot of wordsmithing going on. Is Maya Bernstein in the room?
>> Kirk Nahra:
No.
>> :
No.
>> John Houston:
Okay, because, you know, I think what we’ve the basic premise of the letter is that there needs to be sensitive data types, and those sensitive data types you know, that user should have the ability to determine, based upon sensitive data type, what information they want to make available. So and that is really the premise of the letter. So if you take that as sort of you know, as the coarse reading the gross reading of the letter, then, you know, there wasn’t the recommendations really weren’t “What are the sensitive data types going to be?” but rather “We need to do more work to define those.”
>> Sarah Wattenberg:
But that’s four sensitive data types. There does need to be some
>> John Houston:
Additional rights.
>> Sarah Wattenberg:
priorities. Right.
>> John Houston:
Right.
>> Kirk Nahra:
And again, additional rights beyond those currently existing in state laws?
>> John Houston:
Additional rights meaning ability to a patient decides to whether to or to not allow those sensitive types to be made available and issues of a break-the-glass what happens in an emergency and things like that. And this all relates specifically to EHRs, and I don’t think of it as a discussion in the context of PHRs, though.
>> Sarah Wattenberg:
(Inaudible) I would doubt that a lot of state laws would cover it that universally. They, I think, probably are more discretely associated with a particular
>> :
Hell.
>> Sarah Wattenberg:
Right, exactly. They’re not that global in their description, it sounds like.
>> Kirk Nahra:
Meaning not a law that says (inaudible).
>> Sarah Wattenberg:
Well
>> Kirk Nahra:
(Inaudible)
>> :
Yeah, yeah.
>> Kirk Nahra:
There’s a mental health law, and there’s an HIV law.
>> :
Right. It’s not a law. There’s a it’s not a law that says, “This is the allowance for how you handle sensitive conditions in this environment.”
>> Sarah Wattenberg:
Right. I think but didn’t we talk about this, John? I think part of the idea is that the way that NCVHS is structuring that is that it would sort of cover most of those laws that allow for certain kinds of consent.
>> John Houston:
Yeah, I mean, it is and I mean, by default, I think people think of I mean, when you think about sensitive data types, you end up landing on a lot of state laws all that exist. But you also have to realize there might be sensitivity associated with genetic information and other types of information that may only now be coming becoming recognized as having additional sensitivity associated with it. And again, NCVHS is not is only by example describing a variety of sensitive data types. We’re not saying, “Hey, these are a good call. These are the categories.” We’re just saying that somebody needs to decide what they are and how they need to be treated. So they have to sort of I think the next level of inquiry by NCVHS would be that.
>> Kirk Nahra:
I mean, yeah, I guess my reaction I’ve dealt with a lot of these laws. I can think of a law in one state that includes among that has a broader law on sensitive conditions, and they include in that essentially anything that’s reportable by public health laws, which translates to if you had a food poisoning incident.
>> John Houston:
Right.
>> Kirk Nahra:
So yeah.
>> John Houston:
I just want to make sure you guys understood that, because
>> Kirk Nahra:
It’s not that. You have to report it, and no, and the people on the other end are trying to figure out, “Well, I have to I’m not allowed to disclose this information if it’s about food poisoning.” And most of the time, they don’t have any idea if that’s why it arises, so it creates a whole new set of problems. And I guess one of my overriding issues in that this is an example of it is, we’re going to make this much harder when one of the goals is to streamline this stuff (laugh). So again, I
>> Sarah Wattenberg:
No, I actually would disagree a little bit, because, you know, we are supposed to be making things easier, but we’re also supposed to be making things better. And so part of I mean, you know this: that part of the reason for the consensus because it engages more people in treatment. But I guess part of it is also the hope with I mean, we also have a federal substance abuse law that requires a consent. And part of the hope is that the difficulty, as I’ve heard it from a number of providers and states and so forth, with the consent issue is that it is so burdensome and so difficult to manage, primarily because it’s paper based, and that when you create a consent functionality that’s electronic, you make the whole process a lot easier. And it actually facilitates coordination and collaboration of care in a way that you can’t do now. So it’s both improving the ability for treating conditions, especially with all of those coordination of care and integration of care you’re not going to be able to do that unless you develop an architecture that supports some of the baseline foundational consent requirements that many of these, you know, sensitive information groups already have.
>> Kirk Nahra:
Hey, Sarah, let me ask you a question. I don’t know if you know the answer to this. But if I have information covered by the federal law the federal substance abuse law, at this point if I’m a provider and I have that information, under the law today, could I put that into a RHIO without consent?
>> Sarah Wattenberg:
No.
>> Kirk Nahra:
So why do we need something more than that? I mean, that already exists. That exists today, uniform across the country.
>> Sarah Wattenberg:
Because the it’s not a well-known law, and so a lot of the technical people who are establishing the architecture don’t know that they have to do that, #1. And #2, people think that it’s just that one of the issues is that it’s not just for a substance provider. It’s for somebody if you’re going to have information streaming through the rest of the health care system, the whole health care architecture has to support this. But the reason is because that same kind of law exists in at the state level for many for mental health and for some of these other sensitive information categories. So you do need to sort of address it from an architectural privacy point of view. Otherwise, you’re not going to capture all of those other sensitive areas, and states and technical people aren’t going to have the direction that this is the common denominator that they all have to meet.
>> John Houston:
Yeah. I mean, let me just reiterate what just Sarah just said. It’ll probably be very redundant here, but I mean, part of the exercise is to establish a framework as much as it is to decide what the categories are. And some of them might be a slam-dunk, but yeah, mental health and substance abuse information absolutely, it’s sensitive, which those are the easy ones. But there’s probably, you know, 8 or 10 other categories or 7 or 8 other categories that there’s some probably some debate about whether they are sensitive or not or what is the level of sensitivity that you would want to assign to them. So or subcategories. So there is a lot of depth to this, and again, you want to put together the architecture, or you want to put together the framework as much as you want to define the actual elements.
>> Sarah Wattenberg:
Kirk, did I answer your question?
>> Kirk Nahra:
Sort of. I mean, again, I my personal view is that if the problem is, nobody knows about the existing law, we should do something with that rather than give them another law that they’re not going to you know. But I understand
(Multiple speakers)
>> Sarah Wattenberg:
But I guess what I’m saying is, it’s not just an education piece. It’s exten it’s we’re now creating a national system. So the
>> John Houston:
You got a supporting architecture to do that.
>> Sarah Wattenberg:
Right, so you can’t just sort of say, “Well, we already have it,” because we don’t. What we need to do is provide direction to tell people we need this. And then part of what I’ve heard from the states is that, you know, their stuff kind of all over the place, and so what they would prefer and this was through the NGA the ONC contract was that they would even say, “Even if it ends up being a little bit stricter, we’d rather be stricter but at least be common.” You know, that would take care a lot of a lot of their issues that they have around the lack of uniformity.
>> Don Detmer:
Did they say that if there happened to be an instance as laxer, too, they’d go with it?
>> Sarah Wattenberg:
I’m sorry. Say that again.
>> Don Detmer:
Did they also say that if it tended to be more lax, they would go with that, too?
>> Sarah Wattenberg:
No. This Group did not say that, because this Group is representing I mean, certainly, there are people in the Group who want it, but the point was, since we already have one federal law and a lot of state laws around mental health and HIV, that it would be easier to just create a permission-based system, even though that would be harder for some people, because at least it would be common.
>> John Houston:
Yeah, I think part of it but also part of the whole exercise was to decide whether sensitive data types were important functionality to include in the NHIN in order to ensure that it is adopted and that adequate privacy protections are put in place. So whether there’s a state law or not is really though it is helpful and may, in certain cases, you know, cause decisions to be made regarding what is sensitive, it shouldn’t necessarily be controlling that there is not a state law and therefore shouldn’t be considered sensitive.
>> Kirk Nahra:
Even though that is how the information is treated today.
>> John Houston:
I’m sorry, what?
>> Kirk Nahra:
Even though, if there’s not a state law saying that data is sensitive, it’s not given any additional protections today.
>> John Houston:
Right. I mean, what we’re trying to do what the committee is really trying to do is put forth the notion that, for NHIN to be successful, there needs to be the concept of a sensitive data types; and that there needs to be consumer control over sensitive data types, you know; and that by doing so, you’re facilitating adoption of the NHIN; and that these are this is required functionality that consumers would expect to see.
>> Deven McGraw:
Thank you for chiming in with that, John. That’s really I think it’s very helpful to know that that’s coming down the pike.
One of the things that occurs to me is, we’re having a discussion about the three choices, but also, we’ve put on the table additional you know, that we might want to consider where we would need Higher than HIPAA in specific areas before getting to the threshold question of consent. And I just want to take a step back in terms of sort of planning for subsequent meetings. Am I right in hearing that there are at least a significant number of us that can’t get to a kind of threshold, an out-of-network question, without sort of deciding making some more decisions about rules of the road and whether we’re going to change them? Or do we want to try to think more in a more focused way about the information that we would need to get to some closure on the three options that we laid out?
>> Kirk Nahra:
Well, let me jump in for a second and try to add to that. I mean, we listed when Steve was listing the areas where we might or where people have indicated an interest in a Higher than HIPAA discussion, there is one category which is, for example, individual rights: accounting right, access right, amendment. We can add a notice in there. Those kinds of issues strike me as not really having an impact on the opt-in/opt-out issue that whether I’m allowed to see who looked at my records after the fact really shouldn’t affect the rule of how my information gets there. That’s a, you know, again, personal view on that.
Whereas I don’t know that I agree with Alison’s point about health care operations, but I understand why that might affect the opt-in/opt-out choice. If the answer is, what I’m opting into is only treatment and payment, maybe we don’t let people have that choice, but if it’s operations too, we give them a ch you know. So I can understand why we want to have that disc why that particular topic might affect people’s views on the opt-in/opt-out. I guess where I’m going with this is, I think it would be helpful to try and separate those out, because I think if we just come up with a list of everything that could be Higher than HIPAA, we’re not going to make a lot of progress. But if what we’re trying to do is, we’re trying to narrow the set of questions that will allow us to go to our opt-in/opt-out scenarios, that would be very helpful.
>> Steve Posnack:
What if opt-in/opt-out is contingent upon
>> Kirk Nahra:
Okay, yeah. What are the elements of Higher than HIPAA that might be con that might make it contingent for the opt-in/opt-out choice? Again, I heard your “operations.” I heard “research.”
>> :
Some of the section 512 disclosures some of those have been sort of controversial in terms of people’s willingness to participate in the system, whatever it is, like disclosures to law enforcement you know, some of those permissible disclosures without patient consent. Those might be ones that to be focused on, because they could affect an opt-in/opt-out.
>> Kirk Nahra:
Yeah. Okay, let’s play that out. So I mean that the idea and let’s put aside research for a second, because research is one of those. And I understand the research discussion. We talked 512 includes you know, it’s often called the public policy exceptions. And there are a bunch of components of that that the system is sort of stuck: public health requirements you know, for the court process yeah, some of that stuff. Yeah, well, there may be some that we can there are some that you can argue about. There are some that we’re really sort of stuck with. Then there are some like research, where I think, obviously, there’s a public policy goal of research where you could have that rule be whatever you give it. There’s no definition of that rule because of public policy.
So if we want to try to do that, again, my question would be, “All right, what do we want to hear about 512 that would affect people’s judgments on that?” I mean, is there are we going to bring law enforcement people in? Are we going to bring in you know, again, there are lots of people who don’t like the law enforcement provision of HIPAA. One of the things that I’ve tried to focus on is, I don’t want to hear that somebody doesn’t like the law enforcement provision of HIPAA. I want to hear why we should have a different rule now than what currently exists for the law enforcement provision of HIPAA.
>> Sarah Wattenberg:
But that makes our exercise sort of impossible, because what happens if what the person is saying to you is that I’m “I don’t like the law enforcement provision, and therefore, I’m not going to opt in to your system”?
>> Susan McAndrew:
Well, you know
>> Sarah Wattenberg:
That is the point is that
>> Susan McAndrew:
No, actually, I think, in many of these, many of the 512s may be largely extraneous to the core idea of a network, which is connecting providers. And so when you have law enforcement coming and knocking on your door, I think that particularly, you know, what we’ve just gone through, in terms of HIPAA relevancy discussion and the role of the network in accounting for disclosures, was largely that that’s irrelevant to the network, because it’s going to be the obligation of the individual providers to account for those disclosures.
So I think the assumption there was that law enforcement’s going to knock at the provider door. It’s not necessarily going to knock at the network door. And even if it knocks at the network door well, it really is better off knocking at the provider door necessarily than the network door. But if it goes to the network door, it would you know, it would enter that doorway through the same permissions that apply to the provider.
>> John Houston:
But hold on a minute. See (inaudible) that’s Susan, correct?
>> Susan McAndrew:
Yeah.
>> John Houston:
I think you’re mak you’re drawing a conclusion that’s not necessarily been concluded yet. I mean, you could argue that the Higher than HIPAA standard that should be adopted in that particular case is that law enforcement wants to get a record. They need to go to the provide their actually developed the record. That would be my proposal as to a Higher than HIPAA standard, because absent that, they could go anywhere that they could get the record from that’s connected to the NHIN and say, “I want all the records associated with this patient. Give ‘em to me.”
>> :
Right. That’s what I was going to say. So they go to one provider and say, “Let me see what you can see.”
>> John Houston:
So a Higher than HIPAA standard
>> Susan McAndrew:
No, I don’t know that they can go to them and say, “See what you can see,” if we assume that the provider is maintaining their own electronic health record.
>> John Houston:
But how do you but see, how do you know that? See, this is the really the debate, I mean, because in theory, if the provider can get at the record through the NHIN and law enforcement comes knocking at the door, some pro you know, what would be wrong with a subpoena that says, “You need to get me that record”? Now, if the federal law says that the Higher than HIPAA standard says that law enforcement is not permitted to do that that they need to go to the source provider in order to secure that record, that, to me, might be a very reasonable compromise to make, because patients may have a very great concern over law enforcement simply going into the NHIN and grabbing records.
>> Susan McAndrew:
Okay, but if and you know, if that’s your hypothesis, then in fact, there is, in that scenario, no source of the record.
>> John Houston:
There’s no what?
>> Susan McAndrew:
Nobody’s the source of that record.
>> John Houston:
Sure, they are. The producer would be the source of the record. The institution
>> Susan McAndrew:
The what?
>> John Houston:
The institution that created the data that, in my mind, would be the source of the record. And
>> Susan McAndrew:
So if I if my surgeon sends my surgical information to my private physician and he puts it in my medical record, law enforcement can’t go to my personal physician and get my medical record. It has to go to my surgeon.
>> :
They have to go to both if they want that complete package of record.
(Multiple speakers)
>> Susan McAndrew:
I mean even today
>> John Houston:
But hear me out. I mean, the issue is that today let’s just say that we’re living in a world where the NHIN exists and all providers contribute to it. Okay, let’s assume that that’s the case. Okay. Without any rules, in my mind, I could very clearly see law enforcement going to the most convenient provider, or going directly to the NHIN, and saying, “I’m going to get this patient’s record, because that’s most convenient for me.” That, I would hypothesize, will occur.
>> Jill Callahan Dennis:
Well, and Sue, you get to, you know, the whole piece about the Part 2 law, which is that you can’t redisclose records. And so that’s another reason why the architecture for the whole system has to have this consent function, because if you’re going to have some records in there, even if it’s not just substance abuse records, that you can’t redisclose without consent, you have to be able to have that consent if they want to redisclose it. But the whole
>> Susan McAndrew:
But, you know, that’s independent of who’s asking for it.
>> Jill Callahan Dennis:
Correct.
>> Susan McAndrew:
So that’s not
>> Jill Callahan Dennis:
Wait, wait. What do you mean? What do you I’m sorry. What’s your point?
>> Susan McAndrew:
I’m trying to figure out what your point is.
>> Jill Callahan Dennis:
Oh.
>> Susan McAndrew:
I mean, the big picture point seems to me, do you compel law enforcement to go to each discrete source of the data, or do they have the latitude to just go to any one provider they choose and pull it? It’s an issue of convenience on their end, which maybe lead to concerns about people sort of, you know, fishing for information more than they do now, because it’s easy. First is, having more sort of independent civil liberties by forcing law enforcement to go directly to the original source providers for those documents. I maybe I’m not characterizing that tension, but that’s at least what I’m hearing, and it seems completely reasonable to me if there’s interest in hearing testimony that we could hear from, you know, sort of two parties on that issue. I’m not suggesting that that’s my preference. I’m just trying to clarify
>> Kirk Nahra:
There’s a couple of points there. The I mean, if I’m a law enforcement person, and I show up at Dr. Jones, and I say, “Dr. Jones, here’s a subpoena not only for everything you have, but everything you might be able to get in the future,” doctors aren’t going to give them that information. They will you don’t have to go out and get new stuff. But the real scenario would be going to the NHIN, because they going to a NHIN that’s a depository model, if that’s the right word, because they have the information. You could go there and get you know, people don’t create new stuff in response to a subpoena.
>> Jill Callahan Dennis:
No, but what they do have is
>> Kirk Nahra:
I mean, you don’t do that. I mean, nobody in response to a subpoena is going to go gather new information that they don’t currently have.
>> Jill Callahan Dennis:
I understand
>> John Houston:
No, but what they might do, though, is be compelled by law enforcement to query the NHIN, which is available to them, to get responsive information.
>> Kirk Nahra:
I well, what’s the law that I mean, there’s not a law that would allow them to do that today.
>> John Houston:
Exact but see, there’s not a law that prevents them from doing that. That’s why I think this is a good example of the Higher than HIPAA standard that you may want to establish.
>> Don Detmer:
This is so you could go to a depository?
>> John Houston:
No, no, no, no, no. So no. What I’m exa the example I’m trying to paint is the exact opposite: If you don’t want them to simply be able to go to the repository, you’d better establish a law that says you can’t.
>> :
Can’t compel the provider to convey the entire record of a individual beyond the scope of the source data from that provider.
>> John Houston:
Yes. That would be the Higher than HIPAA standard, for fear that they would be compelled otherwise.
>> Jill Callahan Dennis:
But just because there’s a legal document doesn’t mean that people won’t try, I think is the point that’s being made on the
>> John Houston:
That is exactly the point that I’m trying to make here.
>> Jill Callahan Dennis:
So this goes back I mean, you raised the issue of 512 (laugh). So I mean, I guess it sounds like there’s enough debate and discussion that maybe it warrants bringing people in. But is that the kind of thing that would be helpful that you were suggesting?
>> Susan McAndrew:
I just thought that if there’s anything in HIPAA that will that I think, as my gut tells me, most likely to affect an opt-in/opt-out decision, it’s some of those things that may fall in that (inaudible, multiple speakers) things in that category, but it’s some of those things that have been sort of flash points in the news.
>> Jill Callahan Dennis:
(Inaudible) real civil liberties event.
>> Susan McAndrew:
Absolutely. That being a touch point.
>> Jill Callahan Dennis:
I mean, I can tell you that even with the federal confidentiality laws, we have law enforcement people all the time going to substance abuse providers and, you know, demanding them to release things and going following people to methadone clinics. I mean, it’s not unheard of.
>> Kirk Nahra:
Well, to follow up on Jill’s point, it (inaudible) the major topic that is relevant to the opt-in/opt-out choice, the uses of disclosures of information that would generalize to treatment, health care operations, and 512 put together?
>> John Houston:
You know
>> Kirk Nahra:
Those are the things that providers covered entities today can use and disclose without the need for any specific patient permission.
>> John Houston:
Well, there’s an argument to be made I apologize for making this even more complex that should there be a different standard associated with use of data, for purposes other than treatment? Some people would argue that and this has been a late discussion at NCVHS is that what standards apply for treatment may not be the same standards that apply for payment and health care operations that there should be a more demanding standard associated with accessing data, for example, for health care operations.
>> Kirk Nahra:
Well, that’s exactly what I said, John. I said
>> John Houston:
I’m sorry. Maybe I missed it. I apologize
>> Kirk Nahra:
The topic what I’m trying to understand is, we’re trying to get to a point may not get there. We’re trying to get to a point where we have a set of recommendations on choice to be given to consumers, if any, concerning participation in these networks. And some people have said that they don’t think they can make a decision on that until they know some of the other ground rules.
>> John Houston:
Right.
>> Kirk Nahra:
What I have suggested may not be what people agree with, but what I have suggested is, it’s not everything in the Higher than HIPAA discussion that is relevant to that point. I don’t see someone can tell me they see differently I don’t see why the extent of an accounting right would affect our recommendation on whether there’s opt-in or opt-out to the system at all. If somebody thinks that that’s not somebody says, “No, that’s hugely important to me,” before I decide, please jump in.
My suggestion was that, for those people who want to hear what the HIPAA ground rules are going to be before they decide on opt-in/opt-out to the whole system, the things that sound to me the most important are the use and disclosure provisions of HIPAA, which are the provisions that allow disclosures for TPO without any consent; and the provisions of 512, which also allow for use and disclosure without consent.
>> John Houston:
My only point is the first category you describe, use and disclosures for TPO.
>> Kirk Nahra:
That’s a big category. You’re saying you mainly care about one part of that. I understand that.
>> John Houston:
No, no, no, no. All I’m saying I might not necessarily don’t care about it. My point is that if you’re going to have a discussion about Higher than HIPAA, part of the discussion points should be whether there needs to be a Higher than HIPAA standards maybe for operations health care operations, but not for treatment.
>> Kirk Nahra:
John, I’m proposing we’re going to look at (inaudible)
>> :
Yeah, that’s what he’s saying.
>> Kirk Nahra:
Should it be Higher than HIPAA for T, for P, for O, for 512-A, for 5-12-B, for 512-C, or for 512-D?
>> John Houston:
All right. That’s fine.
>> Kirk Nahra:
That whole category.
>> John Houston:
I thought you were lumping them together. That’s
>> :
Yeah. No, he’s saying that’s one of the groups that you would want to
>> John Houston:
Right. All right. Don’t mean to raise everybody’s ire.
>> Kirk Nahra:
Other views I mean, are there other components of HIPAA that people want included in this sort of preliminary discussion?
>> :
I think it might be included in that category, but, you know, sort of the discussions we’ve had about what constitutes, you know, A now the term of art has escaped me, but whatever HIPAA refers to is business partners or
>> :
Business associates.
>> :
Business associates. Thank you.
>> Kirk Nahra:
What about them?
>> :
What constitutes the business associates is changing rapidly in this environment. And I know we’ve had some discussions about that, so I don’t know if that applies.
>> Kirk Nahra:
Well, let’s flesh that out. I mean, we have talked about that. We’ve dealt with that, at least in part, by essentially saying that if you’re participating in this network, even if HIPAA calls you a business associate, you’re going to be covered now. So we’ve dealt with it that way by broadening out the scope of who would be covered. We’ve also said I think this was just this wasn’t part of the recommendation, just sort of a description of the recommendation that we are not proposing to turn every HIPAA business associate into a covered entity, because there are lots of business associates that will never be never be anywhere near the network. So with that, what part would you lump in with the discussion?
>> :
Well, so maybe it’s covered by our recommendation letter. But then, it depends on the extent to which, I guess, whatever comes out of this then filters back into that recommendation letter, so then all of those entities would then be bound to the Higher than HIPAA under those whatevers.
>> Kirk Nahra:
Well, that’s again, that’s our premise our operating premise that every all those people are brought up to HIPAA now, and then we’re looking at the question of whether all those people will be brought to a Higher than HIPAA standard. We could say, I suppose, although I haven’t heard anyone say this, that only some people will be brought above HIPAA. I haven’t heard anyone propose that. I think our premise was, we’ve brought everyone to HIPAA. Now does everyone get lifted up? Because one of the key components of our recommendation was level playing field, so it would be inconsistent to say only some people go above that. So with that additional information, is there a piece of business associates that you want to talk about?
>> :
No, no, it was just I know there’s been a lot of discussion about, you know, what constitutes the business associates. I wanted to make sure that was covered.
>> Kirk Nahra:
Are there other components of the HIPAA rule beyond the use and disclosure provision that people think would be important to inform their decision on opt-in/opt-out?
>> :
Just to jog our my memory, I think it would be helpful for me, at least, if we could circulate the whole list of what people have mentioned earlier.
>> Kirk Nahra:
Okay.
>> :
I mean, is that all right? I mean, I don’t want to I just I can’t think of anything right now, but that doesn’t mean that
>> Jill Callahan Dennis:
Well, then, I think we decided this right after the break, but correct me if I’m wrong that we had general consensus that others’ access to a PHR we already decided that that is patient control. I mean, that was my understanding of what we decided, so...
>> :
I thought that’s what we decided, too, Jill.
>> Jill Callahan Dennis:
Okay. Okay. So that could affect the opt-in/opt-out, too, but I thought we already
>> :
Yeah. Yes.
>> :
That was my impression as well.
>> Kirk Nahra:
Are there and just to put it in phrase, it seems that we basically recommended opt-in for PHR data coming in.
>> :
Well, we talked about with patient control, but yeah.
>> Kirk Nahra:
Right.
>> Jill Callahan Dennis:
So in other words, we’re what we’re saying is that it’s patient control as defined by opting in or out? I’m sorry.
>> Deven McGraw:
What we said specifically was that PHR we framed it in terms of consumer choice. My own preference would be not to borrow the terms “opt-in” or “opt-out” to reframe that, because “opt-out” assumes, arguably, access to information absent patients making
>> Kirk Nahra:
Right, we (inaudible) assumed it was opt in.
>> Deven McGraw:
Right. Right, but I don’t think we need to go there. They’re shorthand, and I think we were much more clear with the terms that we used.
>> Kirk Nahra:
All right, so let’s talk about well, let me ask: Is there anyone else who has a component of the HIPAA rule subject to Steve circulating the list, but anyone right now on the call or in the room that has components of the HIPAA rule other than the use and disclosure provisions that they would want framed, redefined, expanded on before they could make a decision on the opt-in/opt-out question? (Pause)
All right. So we will get that list circulated. We will well, okay, so we’ll get that list circulated. Then we have a long list of uses and disclosures that we’re going to be thinking about. Let’s do let’s put together another document for circulation in the Group for selection of choices. We’ve got to just break down TPO and 512. We probably need to well, I would say, let’s break it into T and P and O (laugh) what?
>> :
(Inaudible)
>> Kirk Nahra:
And 5 keep the 512 provision on its own. We will circulate that to the Group. The Group needs to go down that list and identify ones that you want talked about. You know, I encourage you to pay attention to this and focus on this, because it needs to be a decision now that we’re not going to revisit 6 months from now. But similarly, if we pick everything on that list, that’s what we’re going to be doing for the next year. So I do encourage some selectivity on looking at that list. I don’t know if maybe what we’ll do is, we’ll have people pick a top five. You can list others but rank a top five so we can at least prioritize efforts.
>> Don Detmer:
I know what I’m doing this weekend. (Laugh)
>> Kirk Nahra:
Well, I mean, it’s cutting and pasting. I mean (laugh) does that make sense?
>> Deven McGraw:
Yeah. I think it does.
>> Alison Rein:
So does that mean that well, maybe I’m jumping ahead, but since the audit access rights issues conversation can be separate, is that and we don’t seem to need, at least at this point, testimony, is that something we plan on talking about in our early February meeting, or are we still
>> Steve Posnack:
If I can propose, you know, what work products I’m going to be creating, they’ll be this (inaudible) contingent upon an opt-out opt-in/opt-out decision, and we’ll be able to list all that information below it. And then we’ll also have probably a second document that lists topics like audit and access and the individual rights that are not contingent. So we’ll have a contingent and not contingent. Is that okay to separate that out?
>> Kirk Nahra:
Well, I think
>> Alison Rein:
(Inaudible) priorities on the contingent list.
>> Kirk Nahra:
Well, hang on. I think there’s two things. Alison, what I heard you asking for before, which I think we agreed to do, was to circulate that list from earlier on topics people were interested in, so that people could confirm that there was nothing else they wanted to put on this contingency list.
>> Alison Rein:
Correct.
>> Kirk Nahra:
So we need to do that, period. I mean, that’s not a new document. That’s just circulating that. And we need to hear from people on this Group if there’s anything on that list you say, “Oh yeah, I really I forgot about X, but I need to know about that before we can go up go down that opt-in/opt-out road.” I am you know, I don’t know that there’s anything on that list. It would be great if there isn’t anything on that list. But we need to go through that exercise.
Point 1. Point 2, we need the use and disclosure chart that’s going to be a top five. You know, among however long your list is, you should pick a top five and then everything else.
Then we I’m sorry. Go ahead, Jill.
>> Jill Callahan Dennis:
I’m sorry. Along with that, I mean, I think it’s fine for us to prioritize our top five, and I don’t know if there’s any research out there that suggests that certain factors lead to that consumers have a greater interest in these factors when they’re making the opt-in/opt-out decision. I don’t know if that exists, but if somebody’s done it, it seems to me that could steer us in the right direction, as far as what factors we should consider (inaudible).
>> :
We can certainly share the cumulative top five list, maybe with some of the HIE presenters from the last one, and ask them if we’re I don’t know, but presumably like (inaudible) Delaware and Rhode Island, you know, and Massachusetts have those discussions, and they might be able to at least vet the list.
>> Susan McAndrew:
I have never heard much in the way of an explanation about people surveying their opt-out without (inaudible). And that’s whether you have an opt-in.
>> :
Yeah, and I don’t know if that’s been done, but it
>> Susan McAndrew:
Or
>> :
We’ll find out.
>> Kirk Nahra:
Well, we’ll try to figure out if there’s something that exists on that. Then we go to your second question, Alison, which is, for the things not on that contingency list but we’re interested in exploring Higher than HIPAA independently, what are we going to do with that list?
>> Alison Rein:
Right, and do we need testimony, or is that something we can just drill down on as a Group?
>> Kirk Nahra:
Right. Now, let me throw out a couple of possibilities. I guess I had been thinking that those topics would be put on the back of the list rather than the front of the list, and that we would focus our attention on this the choice not the choice point, but the choice issue (laugh). Now, with that said, you also raise the question of the meeting next week. I mean, I don’t know that my guess is, we’re not you know, we’ll have this list sometime early next week. It will get out to people. It will take a few days to get it back from people. That’s probably not going to be that useful for I don’t know. It I wouldn’t want to rely on our February meeting being dependent on having a lot of useful information from that process.
>> Alison Rein:
Well, and we wouldn’t be able to have any testimony.
>> Kirk Nahra:
Absolutely, absolutely. So while my general sense would have been to take those other rights and push them to the back, we do have a meeting scheduled, which you know, just being scheduled doesn’t mean we have to do it. We don’t have to invent a purpose to have it, but I suppose we could talk about those other issues, although I’m not sure that again, we sort of have talked about those other issues, and I’m not sure you know, those were the issues that we circulated to everybody and said, “What will it take” you know, “What will you need to hear to learn more about these?” And we got nothing on that point. The goal last fall, when we were doing that, was to try and line up testimony, and we didn’t really get information responsive to that, so...
>> Alison Rein:
Well, I don’t know that we need testimony to talk about timing, format and fees.
>> Kirk Nahra:
Sure, but I mean well, okay, let’s use timing or let’s use any of those as an example. If we’re going to say, “You should do it in a week, and it should cost a dollar, and the format should be PDF,” we’re of course going to need aren’t we going to need people to say “That works” or “It doesn’t work” or “That’s realistic” or “It’s not realistic”?
>> :
Personally, I’d want to hear from some members who have experimented with closer turnaround times and what’s the impact on workflow.
>> Kirk Nahra:
And I think those are almost entirely technical. You know, those are I mean, the only reason that I’ve heard to have a different right in the circumstances is that it may be possible to have a different right. I mean we you know, the HIPAA rule exists because there was a sense that it was going to take a certain amount of time to do this, and HHS just said, “This is the amount of time we’ve come up with.” There’s the possibility that those time frames are too slow in this environment. No one’s obviously, no one is proposing a longer time frame. There’s a possibility that it could be done faster and, therefore, that it should be done faster. But we need to address
>> John Houston:
There’s the possibility that it can’t be done as fast as we think it can be done.
>> Kirk Nahra:
Right, so (laugh) I made two points here: It can’t be done faster, and it should be done faster. We need to know whether both of those either or both of those is true before we before I, at least, would make a recommendation on it. But again, I mean, I think that’s very heavily dependent on someone else telling us what, at least, their reality is, or what they see on the horizon, or how it would work, or, you know
>> :
Pre 48 hours on electronics. (Laugh) Just putting it out there.
>> Kirk Nahra:
No, but okay, so let’s we put that out, and what do we what would we need to do to make that be a responsible recommendation? I don’t think this Group could say, “Yeah, that sounds good.” I mean, (laugh) would you feel comfortable making that recommendation, Alison?
>> Alison Rein:
Yeah.
>> Kirk Nahra:
You would.
>> Alison Rein:
No. I mean, obviously, you’d want to vet it. I just didn’t know if we wanted to see if the Group could arrive at some uninformed consensus that would then be shared with people to vet, or whether we wanted to bring in a whole chorale of
>> :
We could start with a working hypothesis and then
(Multiple speakers)
>> Kirk Nahra:
Well, I guess that’s exactly my point. We could have a discussion at our next meeting of, whatever, the five or six things on that earlier list that aren’t on the contingency piece and just talk about them. That’s fine. I mean, we could do that. And frankly, I’m not sure at this point I mean, I’d be interested in hearing the discussion. I’m not sure what the other proposal is for what we do on that meeting, because I don’t think this contingency stuff is likely to work its way I mean, that just speeds it very quickly. I think that that’s an important
>> Alison Rein:
Well, let me ask one question. If there are if there’s anything on that contingency list that there is, at least, enough folks that think that we it needs I mean, maybe it’s health care ops or research or something. Is there something on that list that we know, you know, is something we’re going to need to deal with? And you know
(Multiple speakers)
>> Kirk Nahra:
Let’s play it out. Let’s say research. Where do you go with that? All right, we know it’s going we know research is on the list. What happens?
>> Alison Rein:
Well, then the question is, what information do folks need to...
>> Kirk Nahra:
And would we try to have people here in 10 days to talk about that? I mean, that’s the question. And that’s sort of my reaction is that that’s just too fast that there’s not any particular advantage to raising that for 10 days. So you want to get it right.
>> Alison Rein:
Again, it sounds like dealing with the non-contingent items.
>> Kirk Nahra:
Well, that I mean, there’s at least two possibilities. And I hope I’d be interested in whether people have suggestions for what the third is. You know, one is to talk about those issues. Two is not to have the meeting. Three is to do something else at the meeting. Are there suggestions for what the something else might be?
>> Jill Callahan Dennis:
Read the HITSP document. (Laugh) You get 100 pages; you get 100 pages.... (Laugh)
>> Kirk Nahra:
That’s homework, not for the meeting.
>> Jill Callahan Dennis:
But I can’t do homework for it. (Laugh)
>> Kirk Nahra:
All right. Hearing no other discussion suggestions for the February meeting I mean, do you guys have
>> Steve Posnack:
Not at this
>> Kirk Nahra:
Okay. So do we want to well, I guess the third option is, reserve judgment for a little while. Do we want to focus on those we’ll call them non-contingent elements just as a shorthand. These are the areas where we’re going to talk about a Higher than HIPAA standard but it’s not contingent for our opt-in/opt-out choice, individual rights being, you know, at least one category of those. Are we going to have a discussion about those? People think that’s a worthwhile thing to do?
>> :
Maybe it could be a shorter meeting. (Laugh)
>> Kirk Nahra:
I’m not pushing to have a meeting at all necessarily. I’m trying to figure out if it’s useful to do that, because I do think we’ve had a lot of that discussion.
>> :
I think it’s useful to have a framework discussion so that we can at least figure out the areas where we might need testimony in the future. And then when we’re ready to come back and deal with that issue, then we can
>> Kirk Nahra:
Can we do this? Just another thing: Let’s pull we had those scenarios that we walked through. Can we circulate the minutes from that meeting again so people are at least refreshed on what we did talk about? Because we had that we had a meeting in September, October, something like that, where we had three or four examples that dealt with these individual rights issues, and we talked about, you know, what the HIPAA rules were and how it would play out in some of these scenarios. And again we had a lot of this discussion at that point. So I want to at least let people know what was said earlier so we don’t all right, why don’t we focus on that? That meeting will go what was it? I assume a 4-hour meeting?
>> :
I believe it was.
>> Kirk Nahra:
No, no, no, the next meeting February meeting.
>> :
It’s scheduled for 4 hours.
>> Kirk Nahra:
Excuse me. You know, again, my recollection is, we didn’t even finish those scenarios, because we spent a lot of time talking about one or two of them. So we haven’t that when we tend to discuss these issues, we tend to have a lot of discussion, which is fine. I just want to hopefully try to get us further down the road on this.
All right. That sound like a plan? Okay.
>> :
And it sounds like the goal for the discussion should be to break them up into what areas we need testimony, right? Is that
>> Kirk Nahra:
Well, I think it’s two pieces. Maybe it’s to have a discuss to see if there’s a consensus on a direction. I mean, if people think that your idea of the pre 48 hours is a good one, we should see then the goal is, “All right, we’ve got to see if it’s a realistic” you know, versus “No, that’s a bad idea.” You know, that’s so we could have that so it’s probably both of those.
>> :
(Inaudible, laugh) Just telling you now. (Laugh) So close.
>> Kirk Nahra:
Any other thoughts from people about I guess the sort of two things on the table. One is the work we’re going to do to flesh out those contingent issues. Second is what we’re going to spend our time on in our February meeting. Any other thoughts on either of those points?
>> John Houston:
Sounds fine.
>> Kirk Nahra:
All right, so we will get those materials together. The thing that we need most quickly from people on the phone is well, is Steve’s going to circulate that list of topics that were raised earlier. We need to know from people whether there are additional elements that they think are part of this contingent component, again, beyond the use and disclosure limitations. I mean, I’m assuming that’s a question of finding that document, right? Getting it out?
So people, let’s say Tuesday, we need to hear back on that, and that’s your chance. If you don’t pick a topic by Tuesday, it’s not on the table. Again, it’s not that we’re not going to talk about it. It’s that we’re not putting it as a contingent element on the opt-in/opt-out discussion. It will be on this other discussion about other Higher than HIPAA elements. And then we’ll circulate this other document with the top five, and we’ll get that out, but that’ll that won’t be on quite as rushed a timetable.
>> :
Is the email that gets sent out going to repeat the instructions for what we’re supposed to be doing with each Group?
>> Kirk Nahra:
Sure.
>> :
Okay, because I always get a little lost. I’m sorry.
>> Kirk Nahra:
All right, anything else for people at this point? (Pause) All right, well, we get people get a little extra time today, and thanks for (multiple speakers) public comment.
>> Judy Sparrow:
Sorry. Ryan? Sorry. (Inaudible, laugh)
>> Alison Gary:
Ryan, if you could open up for public comment.
>> :
(Laugh, pause)
>> Kirk Nahra:
What do we need to do?
>> Judy Sparrow:
It’s up on the Web.
>> Chris Weaver:
For those of you that have been following along online, you’ll see a slide up in front of you with the number to dial in. And once you’re in, you can press star-1 to ask a question. And for anybody who’s already dialed in and has been listening, you can just go ahead and press star-1, and you can ask your question or make your comment. If you guys want to wrap up while we wait for anybody to get in the queue, go ahead.
>> Kirk Nahra:
Well, (inaudible, laugh) but otherwise, anything else for anyone on the call? For
>> :
Nope.
>> Kirk Nahra:
I’m sorry. Go ahead.
>> :
Nope.
>> Kirk Nahra:
Okay. So I so do keep an eye out for these emails. Be you know, be on the lookout for them over the next couple of days, because we do want to try to keep this moving.
>> Steve Posnack:
And take me off your block list. (Laugh)
>> Susan McAndrew:
(Inaudible) Posnack won’t get lots of emails. (Laugh)
>> Kirk Nahra:
All right. Is there any (multiple speakers) anybody on the line for public comment?
>> Alison Gary:
No, we don’t have any public comment.
>> Kirk Nahra:
All right, well, thank you very much for everyone’s participation today, and we will talk to you in a couple of weeks.
(General thanks)