American Health Information Community
Confidentiality, Privacy, and Security Workgroup #17
Tuesday, February 5, 2008

Disclaimer
The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

>> Judy Sparrow:

Great, thanks Alison and welcome everyone to the 17th meeting of the Confidentiality, Privacy and Security Workgroup. Again this is a federal advisory committee, it's being broadcast over the Internet and minutes will be available on the ONC website. Workgroup members please remember to mute your telephone when you're not speaking and when you do speak, please speak clearly and distinctly and identify yourself for the transcriber.

Let me announce who is on the telephone. We have Steve Davis from the Oklahoma Department of Mental Health. Jill Dennis from Health Risk -- although I think that's changed.

>> Jill Dennis:

It's Jill Dennis at AHIMA.

>> Judy Sparrow:

Right. John Houston, University of Pittsburgh. David McDaniel from the Veterans Health. Mazen Yacoub and Vicky Brennan from Tri-Care. And in the room we have….

>> Dan Rode:

Dan Rode from AHIMA.

>> Deven McGraw:

Deven McGraw, National Partnership for Women and Family.

>> Kirk Nahra:

Kirk Nahra, Wiley Rein

>> Jodi Daniel:

Jodi Daniel, ONC.

>> Steve Posnack:

Steve Posnack, ONC.

>> Judy Sparrow:

And did I miss anybody that’s on the telephone?

Okay. With that I will turn it over to the co-chairs, Kirk Nahra and Deven McGraw.

>> Deven McGraw:

Thank you very much. Kirk, since I’m chewing lettuce….

>> Kirk Nahra:

Good afternoon everybody.

>> Deven McGraw:

Sorry Judy.

>> Kirk Nahra:

We have a couple of things we're going to do just to get stuff started and then we'll turn to the meat of the meeting.

Workgroup members have a slightly revised draft of the minutes of our -- of the summary of our November 8th meeting. There were some minor changes from one of the participants. Did anyone have any concerns about that? Steve?

>> Steve Posnack:

I have another update. We have a couple comments from minor -- you know, changes from Amy Zimmerman this morning. So it's nothing substantial, but I doubt that we'll need to.

>> Kirk Nahra:

Any comments from anybody about the changes? Jump in if there's anything.

>> :

Nope.

>> Kirk Nahra:

Okay. Then you also have with the meeting materials, a summary from the meeting of -- I guess two weeks ago. Any questions, comments, concerns about that summary? Again, we will take comments and questions until the end of this week, and then we will presume that those are included. So if you have any comments before -- about these minutes, get them in to Steve before the end of the week.

All right. Next point we want to touch on quickly is the letter to the Secretary, which is at the end of your package. Steve, could you point out the minor changes and then hopefully we sign off on that.

>> Steve Posnack:

Sure. On Page 2 is pretty much a majority of the changes that happened. The second paragraph on Page 2, the first real paragraph. In the middle it says to further clarify, with the exception of recommendations below which provides specific exemptions.

Second real paragraph on Page 2. In the middle there were changes we made to address Tom Wilder's concerns.

>> Jodi Daniel:

To clarify what it meant to have -- to have an independent person attendance relationship.

>> Deven McGraw:

Yeah, subsequent to our last meeting we had some conversations with Tom to clarify what his -- what AHIP's concerns were with this relevancy letter, and what he specifically asked for was just some more clarification of what constituted an independent relationship, and so much of our recommendations and what gets carved out in exemptions was kind of dependent on.

So we added some text and so I think that, you know, unless we hear otherwise from folks, which I hope we don't -- warning, warning, we are done with this and this is due to be presented at the next AHIC meeting which is in a couple of weeks, Orlando at the HIMSS conference.

So we are putting this to bed. Thank you. All right, we're ready for

>> Kirk Nahra:

Anything else on the administrative details?

>> Steve Posnack:

I think that was it. If we think of anything else, we can bring it up at the break.

>> Kirk Nahra:

Okay.

>> Deven McGraw:

So now we're ready for the higher than HIPAA discussion.

>> Kirk Nahra:

What we're going to try to do today and we'll sort of focus as much attention as people want to put to it today. Again, we're trying to essentially structure our discussion about the idea of a higher than HIPAA standard. And again just to refresh people's recollections, we have recommended that a variety of entities who are not covered currently by the HIPAA rules be brought up to at least the HIPAA standard in their participation in health information exchanges. We are now looking at the question as to whether that standard should be lifted, as we’ve said, higher than HIPAA, for all participants in the HIE system.

That is an open question. That's the question we're examining at this point, and we are focusing our attention on trying to figure out sort of framework to address what is a very complicated and -- not just complicated but very broad question. I mean covering a lot of topics and so we're trying to figure out good ways to do it.

We had, one of the documents that was sent out to the workgroup is a chart which has essentially been developed since our last meeting. The idea of this chart, and this is following up on some suggestions that some of the workgroup members made last time, was that we focus -- we started talking about the idea of consumer choice for participating in HIEs. And you know at the broadest level, the options essentially are keep choice the way it is in HIPAA. Meaning not a higher than HIPAA standard. Give some kind of additional opt out or give some kind of additional opt in for participation. And some of the workgroup members had said that their views on that set of options, where they would come out on that set of options, were dependent on some of the other issues that come up in the context of our discussion. For example, the question of what uses and disclosures can be made of information in a HIE.

So what we've tried to do in this chart is identify some of the primary HIPAA provisions that would -- When Deven and I and Steve and Jodi met on this earlier in the week, we tried to come up with essentially a set of topics where we thought people might view these issues as particularly important for the choice question. That's mainly the use and disclosure provisions. Those are not all created equal. Some of them are more important than others.

Similarly, we walked through the other kinds of HIPAA provisions and tried to identify ones that we thought were, you know, some were essentially irrelevant to the discussion. Some were ones that we thought were arguably important but probably not so important that the resolution of how we address that particular topic wouldn't affect your decision ultimately on consumer choice or participation in the networks.

So what we're going to try to do today is walk through this chart and come up with essentially -- we've called them contingent and noncontingent issues. Let me explain what we mean by that. Contingent issues mean that people would -- people on the workgroup would like to know how we're going to address those issues before we get to the bigger question of what kind of consumer choice will be allowed for participation in the networks.

The other issues are issues that might still be very important, they might not be important, but issues that would not be contingent for the consumer choice issue.

So we've done a sort of tentative guess on where we thought the workgroup would come out in that. We'll walk through those as we go through the chart. That's what this chart does. It breaks down the HIPAA requirements or at least the main HIPAA requirements that we thought were sort of within the confines for this discussion. We're going to walk through this chart, present sort of our suggestion for contingent versus noncontingent, and then hear the group's views on whether things should be -- we're in the right category, should be moved, et cetera.

We think that will help us develop essentially a game plan for how we're going to address this overall issue. If it turns out that the main thing that people want to focus on are for example a handful of disclosure elements under Section 512 of the HIPAA privacy rule relating to public policy disclosures, things like research, we can focus on research.

Those would be the purpose we're trying to achieve through this chart. Again, that's going to be the focal point of our discussion today.

The other point that I want to just mention quickly is that in having our discussion earlier in the week, we had thrown out a possibility for a -- again, sort of to short-circuit some of this work. And I wanted to just identify this as a way of looking at these issues. I don't want to spend a lot of time sort of debating this point right now. I mainly want people to think about this idea as we're going through each of these individual topics.

Again, the goal that we have in mind is trying to get to a recommendation point on the question of consumer choice for participation in these networks.

If we need to go through 50 different HIPAA provisions to get there, that's fine, but we're also looking for whether there are ways to short cut that. And let me just mention some of these concepts, again, sort of an approach as we go through the individual points on the chart, we'll probably come back to this suggestion at the end of the discussion or later in the discussion, to see if now that we've had that discussion, whether this idea will give us a way of sort of short circuiting it.

Essentially as we were talking about it, where people have seemed to have had the most concerns about information in the network has not for the most part been treatment-related. Obviously, treatment is one of the major reasons to have these networks in the first place. Efficiency, better information, reducing medical errors, all of that kind of stuff.

It was a lot of sort of the other kind of uses and disclosures that are permitted by HIPAA which seemed to create the most concerns.

For example, the scenario of a doctor saying aha, I want to figure out for my own health care operations, who in -- who in my region has a particular kind of disease that I'm trying to figure out if I should specialize in. So I'm either going to go in and search the network to figure out if I want to build a new diabetes clinic in my facility.

Again, making that example up, but that would be someone reaching out into the network, gathering a lot of information that today they would not have any access to. They would have broadened access by virtue of the existence of this network. Again, depending upon structures and things like that but potentially have access to information. And that kind of situation obviously has raised a lot of concerns. Should we permit that, how do we restrict it, how do we control it, et cetera.

So one of the ideas that we had talked about was the idea of essentially having a recommendation that would go towards the idea of saying that PHI can be retrieved from a network only for purposes of, A, treatment; B, payment. Recognizing again we might have a discussion whether one or both of those would be on the list.

But the idea was you could go out and get information from a network for treatment and payment. The possibility that once that information is gathered for those two narrow purposes, once you have it, you could use that information subject to the HIPAA rules. But you couldn't go out and get information for all of the purposes permitted by HIPAA.

Again, the example I gave of the, trying to develop a future business plan for particular disease. Another example would be when we get into public policy and things like that. Litigation, you'd have no ability to go out and gather records solely for the purpose of responding to a subpoena. If you already had the information, because you got it for treatment purposes, you’d produce it under the same rules you would any other information you had. But you couldn't reach out and gather information for all those other purposes.

So that's the framework that we had been discussing as a general -- as a possible recommendation, which would be, you can go into the network and pull information out primarily for treatment and payment purposes. Once you gather that information it was subject to the HIPAA rules in your possession. But you couldn't go out and gather information for all the other purposes permitted by HIPAA. That also has, in my mind at least, the benefit of not creating multiple sets of rules for information that you already have. It would create different rules for how you gather information.

Again, think about that as we're going through each of these pieces. We may find it's not a useful framework. May find it's a way to short circuit the need to go step by step by step through each of the HIPAA provisions.

>> Jill Dennis:

Kirk, it's Jill. Can I ask a question about that framework? Are you assuming that that sort of retrieval ban on anything other than treatment and payment, wouldn't apply to deidentified data? In other words, you're just talking about patient-identifiable data, right?

>> Kirk Nahra:

As we were focusing on it at the core was clearly PHI. I mean, the de-identifiable is, you know, an offshoot of that. You know, you've got a lot of questions as to well who is doing the deidentifying -- there's some important issues there. So yes, generally that's correct.

>> Jill Dennis:

Okay.

>> Kirk Nahra:

I'm not sure it necessarily includes any particular -- you could link with that a recommendation on how deidentified information can be gathered, et cetera, although again that's presumably assumes that the HIE is somehow deidentifying -- I mean, the idea you could reach in and gather deidentified data is -- I don't usually think of them today as working that way. Maybe that's something that would happen and we could come up with some

>> Jill Dennis:

I don't think they do work that way but as we're looking forward at some of the sustainability models these health information exchanges might come up with, they may have ability to do some sort of prepackaging of deidentified data for a variety of purposes.

>> Kirk Nahra:

Absolutely. So again, our -- and again, we're throwing this out as a potential framework for discussion, but focused on the -- you know, the higher level of privacy concern as people have been talking about, what happens to individually identifiable data. That was the general framework.

>> Jill Dennis:

Okay, thanks.

>> Kirk Nahra:

Deven, Steve, or Jodi, any other piece to add to that background piece?

>> Deven McGraw:

You covered it very well.

>> Kirk Nahra:

Keep that in mind. We'll come back towards the end of the discussion today. What we'd like to try and do now is walk through this chart that you should have all got with your meeting materials. If you didn’t get it earlier, it's available on the website, is that right? Okay.

Let's just talk about how this is structured right now. Essentially, it goes through the HIPAA rule in -- numerical order, is that the right word, from the beginning of the rule to the higher numbers of the rule. That doesn't always work very well because some of the original -- the earlier points in the rule have some more general application. Again, what we've tried to do is -- this does not include every single provision of the privacy rule. We've tried to pull out the ones that we thought would be most relevant to the topic for debate. We were going to assign to Sue McAndrew the obligation to follow up on the other points of the privacy rule, I know she doesn't like to leave anything out. Sue, you can have that ready for your next meeting, please.

>> Susan McAndrew:

Every piece is so dear to me.

>> Kirk Nahra:

530 K, L. Keep an eye on those.

So my suggestion would be to just walk through this chart. We are going to give -- the idea again, to try to get through this and to have discussion on things that people think is important, but not mandate discussion on things that are not as important. Is to walk through them, essentially identify a suggestion on whether it is contingent or noncontingent, and then if people have questions, go ahead.

Let me ask one question before we get into it too much. We're going to use the words contingent and noncontingent. Let me be clear about that. It is not important and unimportant. It is contingent, means an issue where how we resolve that question might affect your judgment on the overall consumer choice for participation in networks.

So you might think for example that giving individual a very involved accounting right, very extensive accounting right that would do much more than HIPAA, higher than HIPAA, you might think that's very important but you could also quite logically say that's not an issue that affects my idea of whether people choose to participate in the network or not. What kind of choice level we’re going to give them. That’s not to say that would be your answer but that's the logic. It's really important but not contingent. I don't need to know the answer to that in order to move forward on my thinking about what the level of consumer choice should be.

Is that language of contingent and noncontingent clear to people?

>> :

No.

>> Kirk Nahra:

Okay, who is that?

>> John Houston:

John Houston.

>> Kirk Nahra:

Okay, John, what -- is there -- do you have a question about it or is it just not at all clear?

>> John Houston:

I guess I'm slow here, but are we really saying is this component required -- I mean --

>> Kirk Nahra:

Okay, let me give you an example, John. If we made a recommendation that said the only -- following up on the sort of hypothesis I laid out at the beginning of the meeting. If we come out with a recommendation that says the only authorized -- the only permitted ability to reach into a network and take out individually identifiable information is for treatment and payment --

>> John Houston:

Right.

>> Kirk Nahra:

Let's make it cleaner, just for treatment. Forget payment for a second. Only for treatment. If you knew that that was the answer, you might say, you know what, I don't really need -- I don't think people need an opt in in that scenario, because there aren't any risks, that plays to all the benefits of a HIE system. I'm not concerned about misuse. So once I know that, I can -- once I know that the only permitted access is for treatment purposes, I can then decide whether I'm going to give people no additional choice, opt out, or opt in.

>> Deven McGraw:

In some ways, John, it's about prioritizing the set of issues that we need to take up in our higher than HIPAA standard in order to be able for the workgroup members to be comfortable addressing the consumer choice question. It's not about it’s contingent, noncontingent, as Kirk said, it’s not important, not important. It's not making a threshold decision about what we will or will not ever take up. It's trying to get ourselves focused on those things we think we need to resolve before we can get to the choice question.

So in other words, resolving whether we're going to create a higher than HIPAA standard on uses and disclosures of PHI, which is the first thing on the list.

>> John Houston:

Why can't we just ask --

>> Deven McGraw:

I can't get to the choice question. I don't want to get to the choice question until we figure out what we're doing --

>> Jodi Daniel:

I think an assumption is we should use the original recommendation as the baseline. So baseline is the HIPAA standard. So we're not saying that there would be no, for instance, minimum necessary requirement. We would say the HIPAA minimum necessary requirement. So we're not having a conversation about whether or not there should be a provision on minimum necessary. We're having a conversation about whether or not we need to talk about a higher than HIPAA standard.

>> John Houston:

Okay, but then why don't we simply say -- that really then is what we're discussing today, is for each one of these HIPAA standards, is it sufficient?

>> Kirk Nahra:

No, that's exactly what we're not trying to do. Let me try again.

>> John Houston:

Okay.

>> Kirk Nahra:

The primary issue this workgroup is going to spend its time on for the foreseeable future, is what kind of consumer choice will we recommend should be the standard for participation in these networks.

We have had a lot of discussion about that already, we have -- again, I laid out -- I only see three general options on that. We stay with the HIPAA standard, we give people an opt out, or we require an opt in.

>> John Houston:

Okay.

>> Kirk Nahra:

If this group -- we could take a vote on that issue today, and we could say, all right, workgroup members, my recommendation is -- again, I'm making this up for purposes of this discussion. My recommendation is that people be given a opt out, but if they don't opt out, all their information can be put in the network.

>> John Houston:

Okay.

>> Kirk Nahra:

And some people on the phone will say, I agree with that. Some people will say I don't agree with that. And some people will say I can't answer that until I know more about what the system is going to permit.

>> John Houston:

Okay.

>> Kirk Nahra:

And at our last meeting there were a number of people who said, I can't answer that question until I know more about what the system will permit.

So my follow-up question to those people is, all right, do you need to know the answer to every single question to how the system is going to work before you can answer opt in, opt out or nothing else? Or are there only some things that matter to you in that regard?

>> John Houston:

Okay.

>> Kirk Nahra:

People said no only some things matter in that regard. I don't need to know, are we going to require a higher than HIPAA standard for the level and -- in the company the privacy officer has to be before I decide on consumer choice. That issue might be very important, but my view on consumer choice isn't contingent on knowing what -- how high up in a company a privacy officer has to be.

>> John Houston:

Okay.

>> Kirk Nahra:

So we're trying to take the provisions of the HIPAA privacy rule and say here is a list of provisions that people want to have resolved as to whether we have a higher than HIPAA standard or not before we can make a decision on consumer choice. Here's another set of issues where we may still choose to talk about whether there should be a higher than HIPAA standard at some point.

>> John Houston:

Yeah.

>> Kirk Nahra:

For example, are we going to have a higher than HIPAA standard on who the privacy officer has to be. But I don't need to know that now to make a decision on consumer choice.

>> John Houston:

Okay.

>> Kirk Nahra:

That privacy officer issue would be a noncontingent issue. How you answer that question isn't contingent on -- you don't need to know that before you can make a consumer choice recommendation.

>> John Houston:

Okay. All right, I understand where you're going.

>> Deven McGraw:

Yeah. It really is about what do you need to know before you can weigh in on the choice question.

>> Kirk Nahra:

Yes, and so in terms of our progress, the shorter that list is that people are comfortable with, frankly, the better. If we come back and say no, everything is contingent, just -- we've created a problem for ourselves by saying we can't make any progress on choice until we've addressed every provision of the HIPAA privacy rule. We can do that if that's what people want to do, but --

>> Deven McGraw:

It means we won't get to choice for a good long while.

>> Kirk Nahra:

And again, the hypothesis at the beginning of this discussion was a potential way to short cut this even more. We could debate that right now, our view was we have to go through the list and figure out if that's going to be a good idea or not. We -- it may turn out to be a good idea, it may not turn out to be a good idea.

For example, as we go through these, most of the provisions that I view as contingent, or let me rephrase that. That I think other people will view as contingent, are significant use and disclosure provisions.

>> John Houston:

Okay.

>> Kirk Nahra:

It's not most of the other provisions of HIPAA. And I say significant use and disclosure provisions because I don't think anyone's going to -- throw their sword on the standard on uses and disclosures for cadaveric organ eye or tissue purposes. I'm guessing no one is going to feel that strongly about that particular issue. That's a use and disclosure provision but I think we're going to say that's not contingent.

Research. Probably going to be contingent. Health care operations, maybe going to be contingent. You know, some of those more important use and disclosure provisions.

And we may decide that the accounting rule is the major thing that people care about on this group and that unless there's going to be a far more detailed accounting provision, they're not willing to make a decision on consumer choice.

I'm guessing that's not going to be the answer, but again, if it is, it is. So that's what we want to try to walk through.

>> John Houston:

Okay, thank you.

>> Kirk Nahra:

Are there other questions, at the risk of -- at the risk of asking, are there other questions?

>> Jill Dennis:

It's not a question, but can I put in a placeholder for one section of the HIPAA that I was surprised wasn't in this chart because I think some people will feel it is contingent.

>> Kirk Nahra:

What's that?

>> Jill Dennis:

It’s 164.530(F), the standard to mitigate, as opposed to like affirmative notification of breaches. I think that's an issue that consumers will care about. And it's something we should discuss. I'm not sure where I come down on that, but I'd like to just put in a placeholder for including that in the chart as we work our way through it.

>> Kirk Nahra:

Is that in 530?

>> Jill Dennis:

530, and section F.

>> Kirk Nahra:

Let me just address that, Jill. I was probably the one responsible for pulling out all of the 530 provisions. We don't have any of those on this list.

>> Jill Dennis:

Yeah, I noticed. And I agree with most of them not being on this list, but that one I think is going to be important to consumers in terms of a -- affecting people's decision as to whether we would go with an opt in versus opt out approach.

>> Kirk Nahra:

Well we can put that as a placeholder. I would not have guessed that would be the answer, maybe that was a noncontingent rather than shouldn't be on the list. We'll see if it's going to end up being something else.

>> Jill Dennis:

Okay, thanks.

>> Kirk Nahra:

Any other questions or comments? We're going to talk about contingent and noncontingent for the next hour or two, so I want to make sure people are okay with that.

>> Tom Wilder:

This is Tom Wilder, I'm now on. I apologize.

>> Kirk Nahra:

Thanks, Tom. Anyone else join since we got started?

>> Don Detmer:

Don Detmer. I’ve been on for a long time.

>> Kirk Nahra:

Anyone else who wasn't on Judy's list of people on the call?

>> Elizabeth Holland:

Elizabeth Holland.

>> Deven McGraw:

Is there anybody who didn't hear Kirk's explanation about what we mean by contingent and noncontingent because this is very important.

>> Steve Posnack:

We'll have them do it again and they can compare the transcript.

>> Kirk Nahra:

All right. Let's start at the top of the chart, although it's not clear to me that's the best place to start but let's just do that for simplicity sake.

>> Deven McGraw:

We decided the order

>> Kirk Nahra:

Again, it goes through the rule, I mean we could easily say, you know what, we're going to skip 502 because it all comes up later. Let's go through it. 164.502. A, standard. A CE may not use or disclose PHI, except as permitted. You know, that's going to be contingent but also we're going to break that down into a bunch of subcategories. I don't see any reason to have that other than contingent.

Minimum necessary, same idea. Comes up in other places. Recommendation was that that be contingent.

>> Susan McAndrew:

Just on the minimum necessary. But when it does come up later it’s not contingent?

>> John Houston:

See, might be smarter to say if it's not contingent, otherwise how do we shorten the list?

>> Susan McAndrew:

When it comes up in 514? D-1 on Page 4?

>> Deven McGraw:

That's a clerical error. It's supposed to be contingent in both places.

>> Susan McAndrew:

Okay.

>> Deven McGraw:

We can discuss that but we were supposed to treat them similarly.

>> Susan McAndrew:

Okay.

>> Alison Rein:

And the point of the exercise is not necessarily to shorten the list, right?

>> Kirk Nahra:

Well, it's to see if we can. If we come out and say every single point in HIPAA is contingent --

>> Alison Rein:

We've already got some that are noncontingent.

>> Kirk Nahra:

We're explaining the list. If everyone agrees with how this list --

>> Alison Rein:

I was referencing Don's comment, which was how are we going to shorten the list if it's on there. So I wanted to clarify the intent. That's okay.

>> Kirk Nahra:

Next point is the right to restriction. And again we put this in as a noncontingent a -- mainly because it's ultimately then going to be subsumed within how you do the choices. Right now the right to request a restriction -- it's not required to be granted. Et cetera.

>> :

I think it needs to be contingent.

>> Don Detmer:

Am I looking at the wrong sheet? Mine doesn't have whether it's marked contingent or noncontingent.

>> Kirk Nahra:

That's why I'm saying what it is.

>> :

You should have that.

>> Alison Rein:

It was distributed by Steve.

>> :

with the answers?

>> Deven McGraw:

Yep.

>> Jodi Daniel:

with the co-chair's first cut at this. So we're walking through each one to get people's input.

>> Don Detmer:

Okay, it's a different handout.

>> :

Correct.

>> Kirk Nahra:

Was what you sent out yesterday.

>> :

Both of them have the Xs on them.

>> Deven McGraw:

One of them was blank.

>> Don Detmer:

I don't -- well, the one I'm looking at doesn't but --

>> Kirk Nahra:

You would have gotten, Don, two e-mails yesterday very close together. One of them had this chart filled in. The one that --

>> Deven McGraw:

the Word document. Not the PDF document.

>> Don Detmer:

Oh, okay, I'll look for it. Go ahead.

>> John Houston:

Back to the discussion. I think it needs to be contingent.

>> Kirk Nahra:

Why?

>> John Houston:

No, I mean even though you describe the fact it is also referenced otherwise, I think that the agreed upon restriction is absolutely something that some consumers will find a great -- of great interest and value, and as I said with NCVHS, we're already looking at sensitive data classifications that may rise -- will make a recommendation that the sensitive data types be something the consumer can add restrictions to. So I think this is a contingent issue.

>> Kirk Nahra:

Again, John, just to be clear, it's not important versus unimportant. It's do you think that your view on ultimate -- the ultimate consumer choice question, whether it's a HIPAA standard for choice, whether it’s an opt in or opt out will depend upon how we define a right to request a restriction.

>> John Houston:

Yes, I do.

>> Deven McGraw:

Yeah, I hear you saying yes, John. The reason why, and we talked about this one, I recall that we moved this from contingent to noncontingent is because the choice to restrict is actually at the heart of the consumer choice question. This is a piece of.

>> John Houston:

Okay, but on the opposite side of that, though, I think that there are some existing RHIOs that do not give you this right and have pretty much said we don't think this is an issue. So there are individuals out there, I believe, today, that would argue to the opposite of this.

>> Deven McGraw:

No, that's exactly right. I think -- I guess what I'm saying is not that it's an important question to consumers, because I completely agree with you. It's -- we struggled over dealing with this question is in fact to deal with a component of the consumer choice question. Because one of the ways that we frame choice was not just opt in or opt out for all or nothing. It's does your opt in or opt out also apply to certain categories of information. Or certain types of providers.

>> John Houston:

Right.

>> Deven McGraw:

So given that this was really about consumer choice, it didn't make as much sense to consider it contingent because once you start talking about how you would resolve it, you are in fact talking about choice. So that's the real reason why we categorized it as noncontingent. Because our assumption was that would be taken up and would probably be the spot of potential amendment or clarification on resolving choice.

>> Alison Rein:

Maybe we should come up with a third category.

>> John Houston:

Thank you. I was about to say that.

>> Alison Rein:

So instead of contingent, noncontingent as being the only two options, we could have a third that would be sort of -- I don't know what we want to call it, but --

>> Kirk Nahra:

Here's --

>> :

in the contingent discussion. Part of the choice discussion.

>> :

Yeah.

>> John Houston:

I almost think we need a fourth category on what is even doable out there. I mean, the thing that worries me about this is that I think all kinds of Christmas tree wish list, but what's actually even achievable --

>> Alison Rein:

That's the point of having the testimony, Don. I mean, I think what we're trying to do is lay out the areas of interest where we all have an expectation for getting more testimony from experts and people who are going to be able to help us figure out our answers to these questions.

>> Kirk Nahra:

And one of the reasons why we're trying, at least I'm trying to reduce the number of contingent categories, is the more categories we have the more testimony we're saying we need before we can make any progress on the choice issue. So again, if people think we want to have a longer list of contingent topics, that's fine. But recognize that what that is doing is it will delay our ability -- what we're saying is we can't make a decision on consumer choice until we make a conclusion on something like request for restriction.

>> John Houston:

Can I suggest, though, the point about another column is as we're looking through this so we don't get confused, we add a column or two that says it is an issue that -- this is -- it is something that is definitely a consumer choice component or consumer -- this part -- this section of it is absolutely something there's a consumer choice consideration for.

>> :

Almost everything is, in that sense.

>> Alison Rein:

Why don't we just call it RT CC, related to consumer choice. Would that be the column header?

>> Kirk Nahra:

Well --

>> Alison Rein:

No?

>> Kirk Nahra:

Look, we'll move it over, mark it as contingent with a RTCC under it. What we're trying to do, we need to address it now or we don't need to address it now.

>> Alison Rein:

Well, I think what I've heard is that de facto it will be addressed as part of the conversation. So it's sort of a misnomer to call it either one of these.

>> :

So what you're saying, we have some things we talk about before we get to choice, things we talk about after the choice discussion and things we talk about as part of the choice discussion.

>> Alison Rein:

Right.

>> :

So it's not the first set of things we look at, but --

>> Alison Rein:

or it will be somehow elucidated as part of the discussion. I mean, --

>> :

Deven, you sort of described sort of where it came up, that by referring to it now we would be jumping ahead of ourselves.

>> Deven McGraw:

Yeah, I mean I really do feel that way which is why -- but having said that, given that it has to be part of the choice conversation, whether we put it in contingent with an asterisk, noncontingent with an asterisk or make a box in a third row, as long as we're all agreed that this is part of the choice conversation, I think we can move on.

>> :

Okay.

>> Deven McGraw:

Now we're to deidentified personal health information, which we put as noncontingent. Again, not contingent to the conversation about choice. Subsection E, disclosures to business associates.

>> Kirk Nahra:

Noncontingent --

>> Deven McGraw:

We have it as noncontingent.

>> Kirk Nahra:

Whether you're going to permit disclosures to business associates, viewed as again something we might want to address but not something that's going to affect consumer choice.

>> Alison Rein:

That I think would absolutely affect my consumer choice. Depending upon what constitutes a business associate.

>> Deven McGraw:

It's all HIPAA rules as is.

>> Alison Rein:

Right, so therefore I think that becomes game -- to me, though, it's almost part and parcel of the conversation about use for what. Presumably you couldn't divulge to a business associate --

>> Deven McGraw:

What you cannot do yourself.

>> Alison Rein:

Right.

>> Kirk Nahra:

Which is one reason why we -- we have to address what you can use it for and what you can disclose it for but the question whether you do it yourself or through a business associate is a secondary question.

>> Alison Rein:

It just seems they're sort of related and maybe this goes back to the point that was raised earlier. Some of these don't seem to lend themselves -- because I think that's a conversation that may come up as part of this next step of testimony. But I don't know --

>> Kirk Nahra:

The question we would have to say we're going to look at is we're going to A, look at what a covered entity can do itself. And we're going to separately and independently also look at the question of once we've decided what a covered entity can do, whether it can have a vendor do that for them. That's separate and independent question.

I've never heard the most privacy protective people say you can never use business associates or there are only certain categories -- lots of people would say we don't want you doing X, Y, and Z, but I've not heard anybody say it's okay for you to do X, Y, Z, as long as you don't hire a vendor to do it for you.

Do you have a different view on that?

>> Alison Rein:

It strikes me that there's potentially heightened risk the more hands, the more stewards there are of the data. It's not something that I feel personally passionately about. But it is an issue that I've heard --

>> Kirk Nahra:

Okay, but the question for our workgroup today is which category is our workgroup going to put this in for our planning and framework? If we want to schedule a hearing to say let's talk about business associates specifically, we’re going to talk about use and disclosures for covered entities, are we going to add a second hearing or second panel or whatever just to talk about that business associate point? We got to decide that.

So are there people on this workgroup that feel that should be in the contingent category?

>> Susan McAndrew:

I guess another thing to keep in mind is there already is a recommendation with respect to business associates that are themselves players in the network that they will under some regime be brought up to covered entity status. So that there will be some higher standard than they have today. Not necessarily higher than HIPAA but at least HIPAA.

>> :

Right.

>> Susan McAndrew:

Literally, with regard to their activities when they are participating in the network. I don't know how much help that gives anyone.

>> David McDaniel:

Sue, this is David McDaniel, you beat me to the draw on that but I absolutely agree. I think that is -- that's the thing that keeps popping into my mind. We've already said we're going to treat those business associates differently than we would in the HIPAA world today. In our earlier recommendation. I do think that there is a perceived additional risk to a business associate doing something, but I think we've kind of covered that with that earlier recommendation.

>> Alison Rein:

If people feel comfortable. I wanted to disclose that because I think there's sort of a notion that the more different people who touch the data, the higher the risk.

>> Deven McGraw:

I'll make a suggestion, to leave it in noncontingent but also to make a note to ourselves that as we resolve the use and disclosure questions which are clearly contingent by everyone's agreement, that before we shut the door on that, that we might raise this again and see if we're comfortable with where we were on that.

Moving on. Deceased individuals, we thought that was noncontingent. Personal -- same with personal representatives. We preliminarily labeled that also noncontingent. Likewise, confidential communication. Uses and disclosures consistent with notice and disclosures by whistle blowers and workforce member crime victims.

>> Kirk Nahra:

Any questions on any of those?

All right, moving on to 164.508, and again this is one that doesn't quite fit nicely, but we've got -- essentially what we took out of that is the marketing component of 508. Which shows up both as an authorization issue and also as a what is the definition of marketing issue. And so while we've got this listed under 508, we've essentially gotten the marketing concept as a contingent issue.

Then we go into 510. Uses and disclosures requiring opportunity for the individual to agree or to object. Noncontingent because that's primarily something that is going to be dealt with in the course of having one on one relationships with patients in a hospital, you know, it's can you talk to me about my mother in the hospital. That kind of stuff.

Then we get into 512, which is in many ways I think the -- one of the biggest areas --

>> Susan McAndrew:

I think before we completely leave 510 -- something that did come up -- component of that is the facility directory.

>> Kirk Nahra:

We took it off the list, we didn't see a relevance to that point in the network situation.

>> Susan McAndrew:

But I guess the question is, I mean it's not a facility directory concept. With regard to the network. But is there an index or a patient locator comparable issue that is a network issue that would be comparable to a facility directory issue in a physical setting? I don't know whether that's something you're dealing with.

>> :

Isn't the directory opt out provision for more protecting it from the outside world than the inside world? And in these circumstances it's going to mean more accessing from provider type of scenario than it would provider divulging information about a patient to a family member or a friend or a neighbor.

>> Susan McAndrew:

I mean, certainly with regard to B, you know, there's no --

>> :

Yeah --

>> Susan McAndrew:

No issue. I just don't know where you want to deal with patient locator capability system vis-a-vis any opt out information that we want to carve out.

>> Deven McGraw:

It’s a good point. It’s an analogous issue that's not directly addressed by HIPAA, so -- the question would be whether we think -- we can't get to the choice question without resolving it as a contingent.

>> :

Addressing a record locator service.

>> :

or we have to maybe recognize it as an anomaly in this particular circumstance that really didn't show up in HIPAA because it wasn't in this electronic world that we're living in.

>> Kirk Nahra:

So there's a couple of points. One is, it seems to me we want to put back into the chart this idea of a locator, even though it's not -- it's not what the rule says. It's just a concept. So that's point 1. We should do that.

Two, that raises a bigger question for people to think about, which is are there other categories of issues where there isn't a rule at all. I mean, what we did is walked through the HIPAA rule. So if something is not in the HIPAA rule, again, that wouldn't be that relevant for use and disclosures because if it's not in the rule you can't do it. But Sue's example is something that's not rule but is relevant in this new environment. So if people creatively think of something else, we need to know about that.

Then the third point which is the one we need to focus on today, all right, we've now put a box in the chart for this. Are we checking a contingent box or a noncontingent box for that point?

>> Susan McAndrew:

To me I guess it's to be something like -- it gets to be something like the agreed upon restriction in that in carrying out a choice, consumer choice, one will need to take into account how that locator system will need to function in order to execute that opt in or opt out.

>> Kirk Nahra:

Let's play that out. One of the things we are struggling with. Again, we started in our meeting last week, we had tried to isolate the consumer choice issue and address that issue as a free-standing issue.

What we found from our discussion last time was that there were plenty of people who couldn't answer that question until they knew the answer to other questions. So today we're trying to come up with that list of other questions. We have to avoid having a situation where we have multiple sets of answers that each have to be decided before we can address the other one.

For example, it seems to me that the locator question, A, you've got the issue about how the system works. But it makes perfect sense to me to say we need to come back to that issue once we've decided consumer choice. Because if it's opt in, you sort -- you've already done that part. But we can't say all right, it's -- we only need to address locator after we know consumer choice, but we can't get to consumer choice until we get to a whole bunch of-- we have to be careful about the chicken and egg issue.

I'm okay with saying, for this locator point, noncontingent but we got to remember to come back to it. Based on the consumer point issue. Maybe request for restriction fits in that -- I don't know if that quite works the same way. Again, if we end up recommending opt in, you know, maybe you need to make sure there's a better request, or you don't need to worry about a request for restriction as much. If it's no additional choice beyond what you have as HIPAA is our recommendation, okay, then we're going to say let's come back to locator and we want to make sure people have a right to pull out of the locator the same way they have a right to pull out of the hospital directory.

>> :

Okay.

>> Kirk Nahra:

We'll put that box in, put it as noncontingent. Okay.

>> :

That's -- it's a --

>> Kirk Nahra:

Again, in the press of trying to do this in time for this meeting, we didn't brainstorm what else is out there. Again, I'm optimistic there aren't 50 other things on that list, but I mean, if there are, there are. But people have to think of those if there are any others.

All right, let's move to 512, and again these are obviously important issues. We could have just said all of 512, our conclusion when we looked at that they're not all the same and it wasn't worth spending time just to pick out an example on the organ and tissue transplants. But if people feel differently, we can move it.

Let's walk through what we had here. Public health activities, contingent. Victims of abuse neglect or domestic violence, noncontingent. Health oversight activities, contingent. Judicial and administrative proceedings, contingent. Law enforcement purposes, contingent.

>> John Houston:

This is John. I don't think judicial or law enforcement is one that should be in the contingent category.

>> Kirk Nahra:

What do other people think about that? I'm fine with that conclusion but what do other people think about that?

>> Jill Dennis:

I think from a consumer standpoint, some of the law enforcement -- your ability to disclose certain information for law enforcement under HIPAA has been a real sore point with some consumer groups, so I think it may be a factor that affects our decision about opt in, opt out. I think on law enforcement it is --

>> Kirk Nahra:

Now again, let me just remind people of our -- that the point I raised at the beginning.

If -- and let me use law enforcement as an example. If we were to adopt the idea that said you can only go into a network for treatment and payment purposes, then the law enforcement issue would be exactly the same as HIPAA today. If you've got it already and you obtained it for a legitimate purpose, it's subject to the same law enforcement rules as any other piece of information you have.

The scenario that is potentially worse on law enforcement, if we don't have that rule is, if I'm a policeman and I walk into a hospital and say, A hospital, do you have anything in your possession about this hospital, and B, I want you to go search the whole network for every other hospital in the area. If we cut off that right there and say no, you can't search the network for that purpose, then I would say the law enforcement issue is a nonissue. It's exact same as we have today.

If we in fact permit people to essentially rummage through a network for that purpose, I understand that being a different issue. Which is again a reason why I tend to like this idea of saying, look we can avoid a lot of those picking and choosing by just saying you only go in for treatment and payment. You only gather information for those purposes.

>> Jill Dennis:

I think until we bless that concept, though, it better stay on the list.

>> Kirk Nahra:

All right, that's fine. How about the judicial and administrative proceedings which is the subpoenas and litigation?

>> Alison Rein:

I would assume there are a different set of actors that would feel the same about that as the law enforcement one.

>> Kirk Nahra:

Okay.

>> Deven McGraw:

I saw them treated as the same. Similar vein.

>> Kirk Nahra:

Decedents, no one had a problem with. Eye or tissue no one had a problem with. Research was contingent.

Uses and disclosures to avert a serious threat to health or safety, noncontingent. Disclosures for specialized government functions, noncontingent. Disclosures for workers' compensation, noncontingent.

Any questions or comments about those? All right. I think the conclusion, if I have it right, is that we actually got that one right. We got that list right. Everything was -- all the categories were right. Okay, good.

>> :

Validation.

>> :

You want to take a victory lap?

>> :

It's the first time. Has to be a first time for everything.

>> :

Uses and disclosures right on contingent.

>> Kirk Nahra:

All right.

>> :

Should have been easy.

>> Deven McGraw:

So now we're at 514, minimum necessary. You know, recall that in the beginning, under 502. On Page 1, 502(B). The minimum necessary and what it applies to and doesn't apply to which is, that standard we thought was contingent. Here my sense is that we were going to treat it consistently but Kirk was disagreeing --

>> Kirk Nahra:

Well, I was saying I'm not sure it isn't all noncontingent. I mean, we had some discussion that said there are definitely people who would like to see more definition to minimum necessary, but the question is do we need -- whether you're going to have more definition to minimum necessary in this one context mean we have to know how to answer that question before we can go to the consumer choice issue.

My view would be, again, I understand why that's an issue throughout HIPAA. I understand that lots of people have lots of questions about whether the minimum necessary rule gives enough detail or gives enough, you know, enough precision to it, I understand those issues. The question is whether knowing whether we're going to create a higher version solely for these networks, is a contingent issue on consumer choice.

My view would be it's noncontingent. Not meaning we don't address it. But it's noncontingent. But I'm amenable to whatever people want to do. It wasn't that we treat it differently. It's that I was putting it on noncontingent rather than contingent.

>> Deven McGraw:

Right. And my own preference would be to keep it as contingent. But I do think that once we have -- I would prioritize the use and disclosures discussion that we are going to have that we've already decided is contingent, the 502-A provision, because in some respects how we resolve that has a big impact on how contingent I still feel about the minimum necessary piece. If that makes any sense.

>> :

(inaudible) if it were limited to treatment and payment, for example, then you might not care as much about

>> Deven McGraw:

About making changes before I get the choice question.

>> :

Right.

>> Deven McGraw:

Right.

>> :

It’s secondary --

>> Deven McGraw:

The second degree.

All right. So I think the conclusion is it's contingent. Kirk is looking at me.

>> Kirk Nahra:

Again -- if it's going to be contingent, I think what we're saying is we're going to bring in witnesses to talk about minimum necessary, and how that standard should be or should not be higher than HIPAA.

>> Deven McGraw:

And a network environment.

>> Kirk Nahra:

In a network environment in order to come up with a consumer choice approach.

>> Alison Rein:

Although what Deven is saying is that conversation would happen after the other discussion. And testimony.

>> :

Which would sort of --

>> Kirk Nahra:

After the other testimony or other recommendation?

>> Alison Rein:

Well, I mean, we could take a pulse after the testimony and, I don't know about the time line.

>> Kirk Nahra:

It matters a lot to me because what we're saying with contingent -- again, what I hear people saying is contingent is I can't make a decision on consumer choice until I know the answer to all of these contingent topics.

>> Alison Rein:

Right, but I think what she's saying is that in earlier topics on which we're going to hear testimony and the outcome of that from this body's perspective, will determine whether or not that's a contingent issue.

>> Steve Posnack:

Maybe it will move over if we get a different answer as we move forward.

>> Kirk Nahra:

That's what I say. Answer, answer implies resolution. Not gathering information.

>> Alison Rein:

Right, but when -- okay. It becomes a matter of terminology, because I don't know if you're talking about when it actually gets passed on to the Secretary as a recommendation. Whether it's sort of --

>> Kirk Nahra:

But Alison, again, I tried to -- the -- again, I'm not just talking about timing. I'm talking about the substance of what we're trying to address here. Which is a number of people on this workgroup have said, I cannot make a recommendation -- I cannot come to a point where I'm going to make -- participate in a vote on a recommendation until I know the answer to all of these other contingent questions. And we're coming up with how many questions are on that list. And what I hear -- when we hear that, I mean if we've got 25 things on the contingent list, we need 25 little answers before people will make any answer on the big consumer choice question.

>> Alison Rein:

And I heard Deven say, and I would agree, that one of those little answers, the answer to one of the little answers will dictate whether or not minimum necessary is a contingent issue for the discussion.

>> Kirk Nahra:

What's that issue, what’s the one that's going to dictate that?

>> Deven McGraw:

Use and disclosures.

>> Kirk Nahra:

So all the use and disclosures --

>> Deven McGraw:

I’m suggesting that we do the use and disclosure pieces first, because to me minimum necessary is tied up in that. And so that's really the source of my discomfort of moving minimum necessary completely over into noncontingent.

Having said that, I do think that if we got to a resolution on use or disclosure and then, you know -- look at the existing HIPAA standard from minimum necessary, and I believe we have really gotten to a good place on use and disclosure, then it could be that I don't need to talk about that. And it seems like you are also framing this as we're going to gather testimony about every single contingent issue in one session.

>> Kirk Nahra:

No, no, no. I'm concerned it's going to be 20 sessions. I think we can't do it in one session. The longer the list is -- we're probably talking about -- to have this be useful we're probably talking about a panel at a minimum on each of these topics. Each contingent topic.

>> Alison Rein:

I think you can group some of them because I think some of the experts are going to be experts across sort of thematic range.

>> Kirk Nahra:

Maybe it's not this 20 list, maybe not 20 panels, but it's not one panel, and it's not -- so --

>> :

24 hours one panel.

>> Kirk Nahra:

All right.

>> :

24-hour meeting.

>> Deven McGraw:

Oh, no!

So still in 514, but on Page 5. We're now in limited data set. We had labeled this as noncontingent. Again focusing on the question of what needs to be resolved in order to get to consumer choice. Actually, we treated the rest of these in this particular section as noncontingent. So that includes, again, limited data set, uses and disclosures for fundraising, uses and disclosures for underwriting and related purposes. And the verification requirement. Does anybody have any comment?

>> :

Underwriting for health insurance?

>> Kirk Nahra:

What that provision says is when you gather information for underwriting purposes you can't disclose it for other purposes. It's a very restrictive provision, not a permissive provision.

>> :

Thank you. I vouch --

>> :

Underwriting permitting for underwriting is --

>> Susan McAndrew:

I mean, I don't know to what extent, because both fundraising and underwriting are -- what we have in 514 are really additional requirements over and above the usual health care operation.

>> :

Right.

>> Susan McAndrew:

I don't know to what extent any of these topics would become part of whatever discussion we're going to have on health care operations in general.

>> :

Right.

>> Deven McGraw:

Okay. Moving on to 520. Notice of privacy practices. Again, recall that in our -- what we have already decided with respect to moving those that are currently not covered by HIPAA into HIPAA and that this would apply where there's a direct relationship but not where there isn't. Again, we labeled this one as noncontingent.

522, right to request privacy protection for PHI. Both pieces, the right to restriction of uses and disclosures. As well as the confidential communications requirements, we labeled as noncontingent.

>> :

We'll have to move A. over.

>> :

522-A, we talked about.

>> Deven McGraw:

Thank you for reminding me. Yes. Part of choice conversation. Thank you for the reminder.

Okay. I assume folks are going to speak up, otherwise I'm going to keep moving. 524, access of individuals. Protected health information. Subpart A, this is a basic standard on access to PHI. Labeled as noncontingent. Implementation specification, the time lines with respect to access and timely action, also noncontingent. And then subpart C, which in the requirement says a covered entity must comply with, when access is provided, again noncontingent. We had a lot of discussion about this actually, and that’s not to foreclose further discussion among this workgroup. But the sense was while this is an important issue to a lot of consumers, our collective sense was that it wasn't -- didn't necessarily need to be resolved to get to the choice question. But obviously I’m opening that up to group feedback.

Comments? Okay. 526. The right to amend protected health information. Again, sort of similar set of discussions were had on this one. Ultimately, we decided that it wasn't again contingent to getting to the question of choice, although might be an important -- yeah, obviously there are some of us who might want to talk about it at some point but we don’t need to before choice.

And Page 8, similar discussion again with respect to the accounting rule. We labeled it as noncontingent. Noncontingent on getting to the choice question.

Then we're to, Sue, the point that you raised about the -- sorry about that, Jill. The ability to mitigate under 530, subsection F.

>> Jill Dennis:

Yeah, this one just came up for me, kind of in the same sense of record locator services. Is that it's kind of a concept that may be contingent. And I haven't really settled on my own personal view on this yet, but let me try and lay it out and we can talk about it briefly.

HIPAA requires covered entities to mitigate the damages associated with improper disclosures of patients’ information. HIPAA doesn't require notification of the consumer in all circumstances of a breach. That’s been, and we've seen some states starting to go that route in terms of passing laws that would require sort of affirmative notification of the consumer, any time their confidentiality has been breached.

>> Kirk Nahra:

Hang on, Jill. There are lots of state laws. There are almost 40 now. None of them say require notice any time there's a breach of any information.

>> Jill Dennis:

California is starting to go in that direction is my understanding.

>> Kirk Nahra:

California's statute covers more information but it's not all breaches, not every time.

>> Jill Dennis:

Okay, well, I guess the point I'm trying to make is that I think this may be a subject that we want to talk about before we get to a consumer choice decision in terms of opt in, opt out. Is that something we can cover. Because I do think from the standpoint of consumers, it may be a factor that is critical to consumers in making a decision to participate or not participate in a health information exchange.

Like I said, I don't know where I come out personally on that issue yet, but I wanted to put it in as a placeholder because I think it's going to be a key consumer issue, and I think we sort of don't address it at our peril because if we go with say, you must opt out if you want out of the system and people say hey, wait a minute, you're not giving me any choice and I'm not going to know if my information has been used inappropriately, unless somebody chooses to mitigate through that route of notifying me. I think there could be a real pushback against some of these exchange efforts. Anyway, I wanted to throw that out and have a chance to talk about it with all of you.

>> Kirk Nahra:

Well, there are at least two options. I mean, right now we took off the 530 list from this list entirely. So one option is to put that topic on the list as a noncontingent. The other is to put it on the list as a contingent. I mean again, I guess my sense is -- I mean, I'm not here as the consumer representative. I would be very surprised if people would make a decision on how to participate in these networks because of the steps that need to be taken in the event of a breach. But other people have a different view of that.

>> :

Yeah.

>> Kirk Nahra:

Again, when we say higher than HIPAA, that would include all existing state laws. So we'd be talking about something that would not require notice under the existing state laws that we're going to say would require notice.

Because right now, I mean right now if there's a breach, there's a breach tomorrow at a RHIO in Maine, they have to follow the Maine security breach notice law. And so the only purpose to be served by putting in something else is we think there are reasons beyond what those state laws say to require notice.

Again, HIPAA doesn’t say -- I mean, this is all -- I mean the idea of consumer notification is something that's arisen since 2003, almost entirely since 2005, tied to a single specific security breach involving ChoicePoint. Almost every single state has those laws now. There's not an affirmative specific detail provision in any part of HIPAA. That's clearly correct. But again when you look at what -- when you look at what the obligations are to a hospital, a network, anyone today, it would be to follow the state laws on notice.

>> Deven McGraw:

John, was that you?

>> David McDaniel:

It was David.

>> Deven McGraw:

Sorry.

>> David McDaniel:

I'm kind of with Jill on this. I haven't really decided where I am. I just know that from our experience we're getting more and more expectations that this is a right. And it's not necessarily related to the expectation of following state law. And I think given that we're talking about a different kind of data breach when you're talking about large data sets and multiple providers and whatnot, I think the complexity of that gets a lot bigger. And I might choose to be in or not choose to be in a network based on whether I knew I was going to be notified or not. Just because of the high profile stuff that's been in the media, even on the financial side. I hear what you're saying, Kirk, that you think that maybe that standard is already there, with state laws, but what about people who live in states that don't have that yet. And I'm sort of on the fence with that. But I throw that out because I think it is worth pursuing.

>> Alison Rein:

Is this an issue that falls within that sort of contingent or secondary contingency category so if we answer a first question, do people's perspectives change at all? Or is it regardless of the type of choice model or wherever we fall out on some of these other issues, we think we would have to address it? I'm inclined to think with Jill and David that this could potentially be a point. But I'm just trying to find out whether it's in the full contingent category or whether it's part of a conversation that happens along the way.

>> Kirk Nahra:

It seems to me the part of the conversation that goes along the way, it's actually hard to do that. I mean, if you opt in to -- let's say we come up with a most -- the highest level of choice, a full opt in. What you're opting into is people doing what they're supposed to do. You're presumably not opting into breaches and all the bad stuff that can happen.

So while I personally don't see it as a contingent issue, I also don't see there's any particular intermediate step that would make it not an issue. Because it's a -- it's purely a question of what's going to happen if something goes wrong. We can be as narrow as we want on what's permitted, and still have a problem if there are breaches and there are going to be breaches.

>> Deven McGraw:

Yeah.

>> Kirk Nahra:

Again, I don't see the need -- I mean, if this group were to say we're going to propose a higher than HIPAA standard that includes going higher than state laws, we would be the first -- Congress has not passed a federal law, there is no -- we would be way beyond where anybody has been right now.

>> Deven McGraw:

But when you say higher than state law, are you talking about bringing those ten states or however many it is that haven't passed a more protective law, up to the level where their compatriots are, or are we talking about creating something higher than where any state is? I don't think that's what we're proposing.

>> Kirk Nahra:

Well, are we talking about basically saying to those ten states, you haven't bothered doing this, we're going to do it for you?

>> Deven McGraw:

Yeah, potentially.

>> Dan Rode:

One of the problems with a network, it could cross state lines and there are so many communities, St. Louis, Chicago, anything on the river, the advantage of addressing it may be because you will have conflicting -- one state says yes, you do, one state says no you -- now do I have to decide which state --

>> Jodi Daniel:

You could have situations where there are different--

>> :

Yes.

>> Susan McAndrew:

And let's not assume all those 40 state laws look like one another.

>> Alison Rein:

In fact I think it’s safe to assume they’re ---.

>> Deven McGraw:

I think -- Jill, and Alison, and David, I completely agree with you where the consumers are on this. Because of the sort of year of the stolen laptop, this might be the one thing that is driving the huge amount of mistrust that people report in polling about the systems. So I'm reluctant to not take it up as part of the set of contingent issues that we address before we -- as we're talking about choice.

>> Kirk Nahra:

Again, I guess my view would be huge important issue, irrelevant to choice. We got to come up whatever we're going to recommend on that. Which may be something higher, may be something different, may not be something different. But we want to do that whether there's -- whatever the choice is.

>> Deven McGraw:

Yeah, I -- but I guess -- I'm in agreement with Jill that if I know that somebody has an affirmative obligation to notify me, if they release my data for an inappropriate -- for an unpermitted purpose, I might actually be more willing to participate. Because I might feel more empowered --

>> David McDaniel:

Nothing is going to happen that I'm never even going to know that it even happened. And I think that is the consumer drive right now is I want to be in control, in this world of data gets lost and I want to, you know, have control or do damage control and I don't even know that I've been put at risk.

I think people are making decisions based on that. Certainly in the financial world they are, because you look at any financial institution's website and they're reassuring people all over the place that they're going to let them know if there's a problem.

>> Deven McGraw:

You definitely read your financial documents more than I do, David.

>> Deven McGraw:

I would prefer to make it contingent. Okay.

(inaudible)

>> Deven McGraw:

Steve is reminding me -- well, we already --

>> Kirk Nahra:

Let's do it this way. The last page of your chart is not a chart. It's the definition of health care operations. We assume -- I mean, we've put treatment, payment and health care operations on the contingent list. We assume that not all components of health care operations are created equal, although we may decide -- again, we could recommend that -- again, that goes back to my initial premise that we talked about at the beginning of the call. We may say that you can't go into the network for any of the health care operations purposes. We could say you can go in for all of them. We could say that you can -- we could do -- whatever. But we wanted to identify the specific provisions of health care operations, again -- we're just going to go through them. It's not clear there's any particular -- we're going to take this one off or put this one on. But I think we talk about health care operations a lot and in the way my guess is many of you didn't know all of the 512 provisions, probably didn't know there was a tissue donation provision. Let's go through the health care operations pieces.

Again, these are today uses and disclosures that are permitted by the HIPAA privacy rule without any need for specific permission from an individual, it's just part of the system that you buy into when you go to the doctor or go to the health insurer.

One, conducting quality assessment and improvement activities. Two, reviewing the competence or qualifications of health care professionals and evaluating performance. Three, underwriting premium rating and other activities relating to creation of health insurance contracts. That's the broadest provision on underwriting. Again, it permits use and disclosure of PHI for underwriting purposes. Conducting or arranging for medical review, legal services and auditing functions. Business planning and development. Business management and general administrative activities of the entity.

Again, keep in mind and Sue, I don't know if you have anything to add on this. But the idea of health care operations as I understand it, is essentially the related administrative activities of being a covered entity. Just these are the kind of things that you do when you are a covered entity. They were to run your business. Not necessarily specifically for treatment or payment. But to run the business of being in the health care industry as a covered entity.

Again, I don't have a problem, I think, as we go through this, of saying you can't reach into the network and gather all the data about everybody who lives in Missouri for your business planning and development purposes. I'm personally going to have a more difficult time if we say you got that information for an appropriate purpose but you have to segregate it out and when you're going to do your business planning you can't look at this piece of data.

So we've got to think about that and that's one of the reasons why we looked at it, the difference here being the ability to reach into a network. But that's the list of health care operations, all of them at least as of now are conceptually on the contingent list, because health care operations is -- we need to figure out what we're going to suggest with contingent -- with health care operations as a contingent element to getting to the question of consumer choice.

All right, that is the chart. Let me just -- are there questions at this point about any of the category placement contingent/noncontingent, other than what's been raised before?

>> :

I think we did well.

>> Kirk Nahra:

Let's take our break now, let's take 10 minutes, and we'll come back and sort of move on to our next steps.

(Break).

>> Kirk Nahra:

Operator, we're going to get back started. Can you hear me?

>> :

Okay, yes, thank you.

>> Kirk Nahra:

Are we back on, operator?

>> :

Yes, you are.

>> Kirk Nahra:

All right. We are back reconvened. Here's what we would like to do for a little bit now, and see where this takes us. Is to go back to the point that I started with, started our meeting with a while ago. Which was a possible approach to these issues.

We've just gone through the provisions of the privacy rule with the idea of putting them in the contingent/noncontingent category. While there are exceptions, the major contingent pieces have related to uses and disclosures of information, and most of the other provisions we put into the noncontingent category.

So let me just walk through the -- we called it a working hypothesis, but I don't know that there's any magic to that word. But the framework that is a possibility for short cutting some of this.

And the idea was that, what people are -- I mean, there's good uses of a network and uses of a network where people seem to be less comfortable.

The good uses seem to be, you know, A, treatment, maybe payment to a lesser extent. But treatment and payment are sort of the core purposes. And some of the other permitted uses and disclosures under HIPAA mainly health care operations and the public policy disclosures, people are more uncomfortable or have more questions about when it -- when it could be -- you know, could be developed such that an individual hospital, for example all of a sudden would have the ability to reach out and grab information from all over the network for either health care operations purposes or these public policy purposes. And there are concerns about that.

I don't want to say people object to that or say it shouldn't happen or anything, but there are concerns with that and in the context of our choice question, you know, sometimes they're called secondary uses, whatever we want to call it. But the idea of how information can be obtained from the network seems very relevant to what choices people are going to have.

So one of the possibilities that has been raised, that I have raised, is the idea that we could short cut some of our discussions on this by essentially saying that information can be retrieved from a network only for purposes of treatment and payment. Period, full stop.

Now, that would be a front end recommendation. That would allow a couple of different things. That would allow hospitals, doctors, et cetera, to reach out and gather information for treatment and payment purposes. It would allow the network who is a business associate to the doctor to give the doctor back the doctor's information if the network was holding it for the doctor. But that wouldn't allow the doctor to get some other doctor's information about a patient for purposes other than treatment and payment.

Once information -- the second part of that would be, once information is obtained for one of those purposes. So doctor reaches in, gets records for treatment purposes, the doctor now has that information in his or her own records. Then that information would be treated consistent with HIPAA, meaning the doctor wouldn't have to segregate that information from everything else that the doctor has about the patient. And if there happened to be a law enforcement request or a subpoena or whatever it is, or health care operations, they could use and disclose what they have, but they couldn't at that point reach out and get more stuff for their own health care operation, et cetera.

That would be a -- again, a possible framework. We could say that's a bad idea, let's not even deal with it. We could say that's a good idea, full stop. Or we could say that's a good idea but we want to add X, Y, and Z to the list of appropriate reasons to gather information.

I'd be interested in getting people's reactions to that possibility. The idea of limiting -- reaching into the network, retrieving information from a network for purposes of treatment and payment.

>> David McDaniel:

Kirk, this is David McDaniel. I guess the only thing that just jumped out at me, I mean that sounds reasonable when you describe it. But I guess what jumps out at me is if I were someone analyzing this workgroup's recommendations, I would say why did you stop short of what HIPAA allowed in allowing information to be accessed and used for health care operations purposes? And what was the purpose for doing that?

>> Kirk Nahra:

Let me halfway answer that, David. I mean, one, I think it's a fair question. But two is HIPAA does not really have a how do you get information provision. HIPAA primarily deals with how covered entities use and disclose information. It doesn't for the most part talk about how they get information.

For example, today I'm not aware of really any scenario by which a health care provider could go out to other people and say, give me information -- even if it's copies of paper records, because I want to do health care operations.

Now, one exception. We were talking about at the break. There is a provision in HIPAA, it's a provision not too many people pay that -- aren't aware of necessarily, not that they're ignoring it, Sue. They're not aware of it as much. That does permit entity A to disclose information to entity B, for entity B's health care operations, but it's only in very limited situations. It has to involve a patient that both providers have a relationship with, and it has to be for very specific purposes.

So again today I would question the premise of your question, David, which is today there really isn't a vehicle for providers or insurers or covered entities in general to reach out to others and gather information for most of these purposes.

>> David McDaniel:

Actually, it does happen to us, Kirk, in our relationship with CMS. Because we aren't able to claim against Medicare and yet we are able to claim against Medicare third parties. And so --

>> Kirk Nahra:

That's a payment disclosure. That's a payment situation.

>> David McDaniel:

Right, but we have health care operations functions that we can't do in order to even start the payment function.

>> Kirk Nahra:

Give me an example -- well, give me an example and I want to hear this example because I want to see if it's even appropriate under HIPAA, but give me an example.

>> :

Then we'll disguise your voice.

>> David McDaniel:

I won't take the group's time to go into that, but I just understand that -- and not an expert in our processes leading up to billing, but I know this is not a part of the billing process. It is a part of the process of benefits determination, and I know that we're sort of an odd organization in that we are both a plan and a provider. Sort of intermingled with our plan and provider function.

>> Kirk Nahra:

But again, under the HIPAA rules today, someone can disclose to you, to the VA, for treatment purposes, for payment purposes, or for certain health care operations purposes, only if it meets particular criteria. One of the criteria being you both have a relationship with the person, which is probably true in the example you were starting to talk about. It also only has to do with, as I read the HIPAA rule, conducting -- you know, it's conducting quality assessment and improvement activities. It's reviewing competence or qualification, or it’s fraud and abuse. It’s not other things. If it's for other health care operations purposes, CMS shouldn't be disclosing to you.

>> David McDaniel:

Well, in some of the things we’re using that data for before we do operations, before we do the health care payment piece, is the fraud and abuse piece.

>> Kirk Nahra:

So again, I suppose we could modify my suggestion, this complicates my suggestion, but modify it to say you can only reach into the network for treatment, payment, and those health care operations purposes permitted by that part of the rule. Although, again, I don't think that -- I mean, when you're doing it with CMS, it's not -- the analogy in a network setting would be, you would be allowed to reach out to every government entity around to figure out if they had any information that was relevant to your health care operations purpose. I don't think you're doing that. I don't think anyone is doing that today.

>> Jill Dennis:

Let me try that scenario with another example and see how it plays out. And I'm thinking of some of the regional EMS quality improvement efforts where -- I mean, manually how it works is they share each other's data to look at outcomes after ambulance runs and things like that. And so it's not affirmatively reaching out right now; it's a disclosure.

But going forward, you know, in a network environment, it would probably be a good thing if regional EMS participants could reach into the network for, because they would meet those limited exceptions in that one part of the rule where both have a relationship, et cetera.

So maybe an example like that helps clarify.

>> Kirk Nahra:

Let's do a couple things. One is I want to generally talk about this idea as a possible way of short-cutting some of the discussion. I certainly don't have a problem if what we say is treatment, payment and those health care operations -- you know, and the provisions of 506, was it C? You know, that is very limited health care operations in very particular circumstances. I certainly would have no objection to that.

That would mean, just so we're clear, that providers couldn't reach into the network and gather other people's information for any of the other health care operations purposes. For any patients they don't share with these providers or for the public policy purposes. That may be fine, but that's sort of the idea. And again --

>> David McDaniel:

I'm uncomfortable with that, Kirk, than leaving it out altogether.

>> Kirk Nahra:

What do other people think?

>> Tom Wilder:

This is Tom Wilder. Help me understand a more basic issue. When you talk about reaching into the network for information, are you referring to a situation where the network has on its own server health information, or are you talking about using the network to access health information that may be maintained by, say, a health care provider?

>> Kirk Nahra:

I'm not sure that -- let me give you my answer to that, Tom, which -- I'm just trying to react to it. I mean, you know. I don't know that matters. I mean -- here would be the example. Let's say that a health insurer -- again, they want to figure out under a health care operations idea, they want to figure out if they're paying more in medical claim costs for obese patients than Aetna is. You know, Blue Shield wants to figure out if they're paying more than Aetna is. In order to do that, they need to find Aetna's patients and they would reach out into the network and say, let's grab Aetna's patients to do that study.

>> Tom Wilder:

Yeah, except they can't do that.

>> Kirk Nahra:

Exactly, they can't do that today because there’s no -- well, A, it's not permitted and B, because there's no vehicle to do that.

>> Tom Wilder:

Right.

>> Kirk Nahra:

Under the network there would be a vehicle and we're trying to decide if it would be permitted. And my suggestion, if we follow my approach would be no, they couldn't do that. They couldn't reach out into the network, whether the network has it itself, or whether it's a pointer system, under either scenario, they couldn't reach out and find out information about Aetna's patients. Or Blue Shield couldn't find out about Aetna's patients. Or hospital X couldn't find out about hospital Y's patients.

If they share a patient and it fit -- they were trying to do quality check under that limited provision, they could do it but that would be the only exception.

Again, my view as we're walking through this, is I can understand why we don't want to let hospital X reach out and figure out all the data about someone else's patients. That makes sense to me, and it wouldn't be permitted today.

Which is sort of why I think that that standard, I mean we're thinking about this higher than HIPAA idea, but it's actually not higher than HIPAA. It's clarifying something that doesn't really come up today in HIPAA because -- if Blue Cross Blue Shield called up Aetna and said we want to figure out if we're doing a better job than you, Aetna would hang up the phone. That's why it's not a realistic issue today. In a network setting, the vehicle by which that information could be obtained could possibly exist.

>> Tom Wilder:

To me it's actually the fact that there's a network there is really irrelevant. I mean, they can't do it if there's a network. So, because there's kind of side contractual or other legal issues that would prevent that from happening.

I mean, I guess to me, I start with a real basic premise, which is the more barriers we throw up, the more likely payers or plans or whom else are going to say why am I bothering with this network? I'm going to do what I do now, which is I’m going to stick it in an envelope and stick a stamp on it.

So to me, to say, you know, it's okay for treatment or payment and it's not okay for health care operations, I'm having a little trouble supporting that.

>> Kirk Nahra:

Let me stop you for a second, Tom. We’ve got to be clear when we say, again, once you've got it for treatment and payment, which is the only way you're going to get it now anyway --

>> Tom Wilder:

Right.

>> Kirk Nahra:

You could use it for all permitted HIPAA purposes, is what my suggestion is. But we're not going to broaden your ability to gain new information because the network exists. We're not going to let you get information unless it's for treatment. I mean, if hospital B has information about your hospital A's patient, we're going to let them gather more information than they have today. We do recognize that they could get that same information today by calling up hospital B and having a fax sent over to them. But we're going to say okay, network makes that easier, more effective, blah blah blah, we're going to permit that, we're going to permit it for payment under this idea. But we're not going to let you do business development strategic planning by getting hospital B's patient information through the network.

I agree, you cannot get that today. I mean, hospital B is precluded from giving it to you today. Even if they wanted to, they're prohibited by the rule from giving it to you. In identifiable form. Which is all we're talking about for this analysis also.

So -- and as we're talking about this, I'm not actually sure it isn't reiterating and clarifying a fact that is already in HIPAA if we add that point about limited health care operations purposes.

>> Tom Wilder:

And again, I apologize for my confusion, because I'm still not -- I'm still struggling with this. Let me give you a specific example. Let's say I'm a health plan and I want to get information from a hospital for quality assurance purposes. I want to check to see in their treatment of their patients, how many of them are, you know -- I'm making this up, but they're given beta blockers within a certain period of time or they're following recommended protocols that have been laid out by the specialty practice organization.

So are you saying I can't -- I shouldn't be able to use the network to do that or I should be able to? I shouldn't be able to just send an inquiry to the hospital and say, you know, I want to get this information, because contractually --

>> Kirk Nahra:

That's a good example and a fair question. Let me give you how I would answer that. Which, again, I'm just making this up as I go along. Today, you get that information, the health plan gets that information, because I believe -- well, I believe the health plan gets that information because the hospital views that disclosure as part of its health care operations. It's part of its business dealings with the health plan. I think. I mean, Sue, does that sound right? It's not treatment, although does it fit some definition of treatment? --

>> :

Well, it's health care operation.

>> Kirk Nahra:

They want to know -- I don't know, sometimes it might be aggregate. But it's not always aggregate.

>> :

Right.

>> Susan McAndrew:

I mean, I think in large part some of that would be, with regard to the Aetna people, that would be the health care -- you could.

>> Kirk Nahra:

That would be the part of health care operations --

>> Susan McAndrew:

Health care operations where you can share identifiable information.

>> Kirk Nahra:

Now, I do know of situations, Tom, where health plans have said I want hospital X -- in order to determine whether you meet the standard for my network, I want to get PHI about not only my own plan's patients, but about other plan patients that you have treated.

Now, my understanding, tell me if you have a different piece of information, is the hospital won't give them that information in a PHI form.

>> Tom Wilder:

That's true, and in fact we've actually had our members -- our health plans be asked by employers for PHI, not only for their employees but for all their employees covered by --

>> Kirk Nahra:

So those do not happen today --

>> Tom Wilder:

Right.

>> Kirk Nahra:

That's prohibited today, and part of what we're saying is that would be prohibited as well in the network setting.

Now, if we take -- we take the idea of saying, and those health care operations that are permitted today by the rule, I think that goes -- that covers your quality point. You know, that may be why those provisions are in there. They're sort of a shared interest between the hospital and the health plan, but would only be for shared patients.

>> Susan McAndrew:

Otherwise you get a limited data set type of --

>> Kirk Nahra:

Or non-PHI. Deidentified or something else.

>> Tom Wilder:

So again, so you're saying it's, Aetna could reach out through the network to hospital A to get information about Aetna's patients.

>> Kirk Nahra:

Aetna could reach out through the network and get information that it is permitted by the HIPAA rule to get today, not through a network. But only that information.

>> Tom Wilder:

So what does this health care operations then exclusion, how is that different?

>> Kirk Nahra:

Well, I mean, frankly one of the conclusions I'm coming to as we discuss this, is while lots of people in this discussion seem to have treated health care operations differently, I think we're actually saying the HIPAA rule, we would essentially follow the HIPAA rule on that. But here's the important difference. Let me give you a different scenario. Let's assume the network is holding all this data for a minute. Not a locator. I don't know that matters but it makes my example easier.

We're going to make clear that the health plan cannot reach into the network and get other health plans' customer information. Even if it's for their own health care operations purposes.

Now, that may just be clarifying how the HIPAA rule would apply in this situation because I don't think you can get that under HIPAA either. It doesn't come up under HIPAA because no one’s got that data and is willing to give that data. In a network that data the network might be willing to give it, but it would violate the HIPAA rules today, it seems to me.

>> Tom Wilder:

We've said the network is subject to HIPAA.

>> Kirk Nahra:

Even without it, even if they were VA, they can't give out Plan A's data to Plan B. They're not permitted -- that would be an impermissible disclosure by a business associate or by another covered entity.

>> Tom Wilder:

Sure, you're disclosing individually identifiable health information.

>> Kirk Nahra:

Again, the provision, Tom, of 506, says that I can disclose information for your health care operations purposes in a limited set of circumstances.

>> Tom Wilder:

Right.

>> Kirk Nahra:

Only a very limited. I think it does make sense to modify what I was starting with by saying we want to continue that. We don't want to cut out that ability. And part of our explanation is by the way, the HIPAA rules would make sure you can't reach in and gather all other kinds of data for other health care operations purposes. We're not broadening what you can do under HIPAA.

So my suggestion is actually far more conservative than I thought -- I mean, I wasn't thinking about it that way. But it's essentially reiterating the HIPAA rules rather than changing them.

Again, once you have the data in your possession as a health plan, I think the corollary would be you can do what you're permitted by HIPAA to do once you have that information appropriately. You just can't get it for those other reasons. Is that helping at all, Tom?

>> Tom Wilder:

It is. I mean, I guess I'd have to see this in writing. Again, I guess I'm a little different in that I start with the basic premise that the health information exchange to me doesn't really change the HIPAA privacy rule parameters. And I think in some respects we're kind of overanalyzing this.

>> Kirk Nahra:

Well, I'm not at all sure I disagree with you. One of my views has been and continues to be I'm not sure I really see anything sufficiently different -- that's the difference question.

I'm not convinced yet that I see anything different to justify an additional rule, additional set of rules, particularly when I also see advantages and I see difficulties from just multiplicity of rules. But this is a situation, I think, where what we're saying is that the HIPAA rule would actually work effectively in this setting to restrict what you can gather.

Let's use a different example, which is the public policy one. Let's use law enforcement, or a subpoena. If law enforcement shows up with a subpoena to a hospital, and let's say the hospital really wants to cooperate. I mean, they want to do anything they can. I can understand why we don't want that hospital to be able to go out and obtain information that it has otherwise never seen from some other hospital to turn over to law enforcement. I can understand why we don't want to permit that.

This idea would say we're not going to permit that. Law enforcement has to go to the other hospitals to get that information.

Again, there are some folks who are going to say wait a minute, research is like that, but maybe we want to allow all that information for research or maybe we want to allow those extra steps for public health activities. We've got to talk about that. I mean, that's again, we can have a strong statement with exceptions, or additions, or we can go through our, you know, 52 contingent elements and figure out what we're going to put on that list.

What I'm throwing out is the possibility of having a rule that short cuts a lot of that discussion.

(Multiple speakers).

>> Deven McGraw:

I think the other thing that would be helpful to have information on, and I don't even know if this is possible to get, but to be able to address the question of something that some of us raised during the break. Which is, to what extent are covered entities now or likely in the future going to be having their records actually be the network, as opposed to right now my understanding is in most cases if not in all cases, where there is a health information exchange network, the facility or the plan has its own set of records that are then exchanged through the network or maybe there's a duplicate copy kept in a repository but there's not a situation that I'm aware of where the record keeping requirements that are on the facility are met by having them be in the exchange. In which case, I think it might create a slightly different dynamic because that record, the records are one.

But I don't know to what, and that may get to Don's technology question about sort of where are we now and where are we likely to get in the future. To what extent are we creating incentives for a future model where all the records are stored in one place? Isn't necessarily a good thing either.

>> Dan Rode:

I want to raise the same question on payment, only because when you start looking at a network on payment issues, then you've changed the dynamic that we have right now as well. Because it becomes a question of who has access to the network. And under what purposes. So Aetna could technically go in to the network to seek information on other payers because of coordination of benefits.

I started in health care as a patient account manager. I could start rating other people's health care payment information to make my job easier. It would certainly be much easier. But I'm not sure the intent is to have me rummaging through, whether it's central registry or not, for that purpose. I think the waiver given for payment takes on a whole new dynamic when we get to this situation.

I don't want to touch minimum necessary, but that certainly fits in to the whole dynamic between providers and payers in the HIPAA dynamic as well as certainly would in this situation as well. Can a payer have full access to the electronic record in the central database model?

>> Alison Rein:

Pay for performance fees. Then you're really dovetailing payment as you suggest with a lot of other different types of information and uses.

>> Kirk Nahra:

Again -- I'm going to say this and let me know, Sue, if I’m right. I think that is a use and disclosure that would probably be permitted today by the HIPAA rule but since it's not required, it doesn't happen very often. I mean, providers don't necessarily share that information or other benefit plans that might have other coverage, don't share that information in the normal course of events. Although they would be permitted to. So it would alter the dynamic depending upon how the system is set up. I mean -- and I think it's fair for us to say -- I mean, we could certainly make recommendations that say in this kind of system X, and this kind of system Y.

But in a system where I could go into the network and take information out without the person on the other end knowing about it, it would alter the dynamic. It wouldn't change the rules because I think that disclosure is permitted today. But again, it doesn't happen today because people don't want to make that disclosure and they don't have. So it would change that -- it would take a discretionary disclosure and turn it into a, I don't have a choice anymore, someone can take it, at least in some networks. I think that's right on the rule.

>> Susan McAndrew:

I think that is -- pinpoints the distinction of how these networks may differ from the current HIPAA environment, is changing the control of the flow of the information by moving it from the holder of the information to the requester of the information. And I think in payment, there's also a treatment equivalent to that, shifting of the difference of the exchange. Although the values might be slightly different.

But there is a concern, and might be addressed by minimum necessary, might be addressed by opt out or sensitive information blocking, in terms of how you limit, or how you address what another provider really needs for treatment purposes. And this would be the same thing. What does this other person really need for payment purposes. And who gets to control that in this new environment.

>> David McDaniel:

Not even something we don't know the answer to yet because we don't know how the systems will work. There is the possibility that systems could be so sophisticated enough to make the disclosure of information something that you had to ping somebody for it and get the approval and the circumstances as we know HIPAA today wouldn't change. That's really about what the system is capable of doing. We don't know that yet.

>> Kirk Nahra:

I mean, that -- it is certainly true that we don't know that. That is something we have to factor into all of our discussions. I guess the question is, does the fact that we don't know that mean we make a certain kind of recommendation, we don't make any -- I'm not sure where that takes us. That certainly, it's certainly a relevant fact. But again I'm not sure where we go with that.

>> David McDaniel:

I think if I knew that it was going to change the way we know HIPAA today and I as the health care provider am no longer in control of determining what another provider is going to get from me out of my store of data, then giving up a lot of control to be one in one of these share groups.

>> Kirk Nahra:

Let's go with that for a second. Now, what we're talking in these last couple of points is altering the business relationship between providers, plans, among plans, among providers. Is that a relevant question for this group when we're looking at privacy, security and PHI? I'm not sure it's not, but --

>> John Houston:

I don't think our basic role is to try to organize the health system.

>> Kirk Nahra:

I agree with that John.

>> :

I don't either, but

(Multiple speakers).

>> Kirk Nahra:

Where do we go with that? Again, for example -- let me go back to the point I made a minute ago. One health plan could clearly give coordination of benefits information to another health plan. They don't love to do that today and they often don’t volunteer that. And so the fact that in some systems we may be able to, quote, force a health plan to do something that they're permitted to do today but don't, I don't know, I mean is that our problem? Is it not our problem? Are we going to say we're not going to permit that because it might happen? I mean, that's a tough answer.

>> David McDaniel:

Well, I personally think that if you look at both sides of the equation, the rights and responsibilities sides of the equation when you're talking privacy and security, if I'm looking at my responsibility as a health care provider or my responsibility as a payer, I have some obligation to only give the minimum amount of that information that is necessary.

>> Kirk Nahra:

I don't think that's the issue. Here's the fact scenario I'm envisioning. Health plan A is trying to figure out if their insured has any other coverage somewhere else. Health plan B has coverage for that person. It would be relevant to require health plan B to pay some money. They're not today forced to volunteer that information. And it's solely -- it's not a privacy issue at all. It's a question whether health plan A is paying more or health plan B is paying more. The network might permit health plan A to figure that out. Is that good, bad, are we going to permit that or prohibit it? I don't know. But that's what is different -- that is a difference in this environment in -- if networks are set up in certain ways.

>> Alison Rein:

How does this get closer to the consumer choice question?

>> Kirk Nahra:

Again, my view would be if we had a recommendation that said people can only reach into the network for treatment, payment and add these couple of health care operations points that are permitted today, I struggle personally to see why we need a different. That's HIPAA. That's HIPAA without the negatives that we're concerned about.

If your view or someone else's view is, I understand the ground rules now, and I think the answer should still be opt in, that's okay. I mean, again, the idea of contingent is I can't make a decision on choice until I know the ground rules. The question is, what I'm trying to lay out is a big ground rule, is that enough to say yeah, I can make a decision on choice?

>> Alison Rein:

I sort of feel a little short circuiting the process in a way that -- I mean, I understand you were trying to do it for efficiency sake, but I'm not sure at the end of the day when we make our recommendation that we have to justify with all of the discussion that has ensued, whether or not that's the best approach because it sort of truncates the deliberation on all these other issues that clearly --

>> Steve Posnack:

What other issues?

>> Jodi Daniel:

It makes a strong statement that the network -- that a NHIN, or health information exchange cannot be used for other purposes like law enforcement or like litigation or whatever. So it is -- which is a much higher than HIPAA standard. If it's under HIPAA, you could get -- information could be exposed for those purposes with certain (inaudible), things like that and basically saying you can't use this new system, that a network or health information exchange to get information for this.

>> Alison Rein:

You can indirectly once you got it for treatment and payment, though, because once it's out there or in there --

>> Kirk Nahra:

But that's the difference, Alison. You have to say at that point that I have the same information, I'm a hospital, I have information about you. I could get that information today from another hospital by calling them up and having them fax it to me. If I did that, it's subject to all the same HIPAA rules. And if law enforcement shows up tomorrow, I got to give it to them. But if I get it through a network, the exact same information, I can't give it to law enforcement. I got it for the same reason, it's because you were the emergency room right now, and I got that information, I have it now. Is there a reason to say if I get it through this channel, one set of rules. If I get it through this channel, a different set of rules.

I personally don't see that. I understand why when law enforcement shows up we don't necessarily want to say to the hospital, go out and get all this other stuff just for the purpose of dealing with law enforcement. My suggestion wouldn't let them do that. But once they get it for treatment, it's their information, I would put it under the same rules.

I don't see a basis to say, the communications channel by which you obtain the information for a legitimate treatment purpose, you need to segregate them and keep them separate and keep them in two different sets of rules for how you deal with that information. I don't see that. You may have a different view on that. You may say -- I'm not sure what your answer is but you may say there's different rules for X, Y, and Z reasons. Or you may say, I still want to opt in. But I understand the rules now. I understand the ground rules and I still want to opt in.

>> Alison Rein:

I guess the other discussion point, maybe it's because I came 20 minutes late and maybe you went over how this fits in. But for me looking at this and trying to make some determination without going through these is still not a task that I can do.

So how is whatever we determine through this, relevant to whatever discussions and recommendations --

>> Kirk Nahra:

Okay, let me give you an example. We have on Page 3 of this chart, Section 512, which were the public policy disclosures, B, C, D, E, F, G, H, I, J, K, and L. And we’ve got five of those in the contingent category. I'm proposing to basically -- I mean, my hypothesis would say we're not going to go through each of those individually. You can't reach into the network for any of those purposes, period. Can't do it.

Now, we could have a panel on each of these and reach the same conclusion, or different conclusion. But that is what we would -- that's what the approach would be. Saying we don't have to go through each of these points. And we don't have to go through, if you look at the last page, the health care operations provision, we don't have to have a discussion about business management and general administrative activities of the entity. We're just not going to allow it. HIPAA doesn't allow it, we're not going to allow it.

That's what that would do. So you would then have, here are the rules, you can gather it, you can obtain information from the network, again under this possibility, treatment, payment, and a tiny limits of these health care operations pieces if you have a shared relationship with a patient. That's it. And then you -- then the question would be, if we know those are the ground rules, can we reach a decision on the choice model?

>> :

Or can we talk about it.

>> Kirk Nahra:

Yeah, is that a point we can have a discussion on the choice model.

>> Alison Rein:

I guess the struggle I'm having is that you seem to be from a third party entity perspective viewing the network in one way. And as a consumer I view the network as more of a continuum, and so --

>> Kirk Nahra:

I don't know what that means. Play that out.

>> Alison Rein:

So I would say, you know, treatment, payment and these some exceptions stop, but then once it's all in there, there you're still exposing me to all of this other stuff. And that's, all of that other stuff is what I hoped --

>> Kirk Nahra:

Absolutely. No. Absolutely. But I'm saying -- well --

>> Alison Rein:

That's where -- I thought that's where we were going to be going.

>> Kirk Nahra:

I don't think that was the discussion, though.

>> Steve Posnack:

It sounds like you want to change the rule -- sounds like you want to change how they apply --

>> Deven McGraw:

To a particular entity.

>> Steve Posnack:

After the network.

(inaudible)

(Multiple speakers).

>> Kirk Nahra:

You're actually --

>> Alison Rein:

It’s the same thing from the consumer's perspective.

>> Kirk Nahra:

Alison, I think you're now adding -- you're going to double this list of categories here. Because you're going to say not only do we have to see whether somebody can reach into the network for any of these purposes. We then also have to see whether they can use and disclose information they obtained for any of those purposes. So that is doubling -- that's doubling the pieces here. And so again, I don't have a problem if what happens is when we say that's what the rules are going to be, and you say, you know, what I'm worried about that back end so I want consent. I don't have a problem with that. That's what we're trying to get to. Is to say what do you need to know before you can make a decision on consent.

>> Alison Rein:

I don't want to cut off the what do you need to know discussion. That's what I care about. So as long as -- you know, we can put out whatever hypothesis you want, but I don't want to not have this discussion because I'm afraid that then we won't get to address those issues.

If you're saying they're the same thing, or that we will get to them, then I'm not as concerned.

>> Kirk Nahra:

Let me ask. I don't want to mischaracterize what you're saying, Alison, but I think that's doubling the large amount of work we have, and it's -- again, I don't see that, but where are other people on this?

>> Alison Rein:

I actually thought that's what we were doing all along. Maybe it's a communications problem or maybe I've just been out to lunch for the last two meetings. But Deven, you're sort of shaking your head. Am I --

>> Deven McGraw:

No, I think what you are proposing, and you should correct me if I'm wrong, what's making you uncomfortable is that we started several months ago going down a path of looking at what was different in a network environment and trying to focus on whether we needed a higher than HIPAA standard to address what was different, and whether consciously or maybe unconsciously for some of us, how that has evolved is in focusing on a set of rules that would define either how the network itself operates or how providers interact with the network, as opposed to taking a broader look at HIPAA rules for all players and making changes that would apply to all covered entities across the board. Because we are now, some of us, exchanging information through a network's environment.

We have from evolutionary standpoint been focusing on the behavior of the network and how entities interact with the network, and whether or not we need some different rules vis-a-vis that sort of piece as opposed to -- this is Kirk's sort of HIPAA good/bad. And trying not to go there.

And so consistent with that we've sort of identified a sort of set of recommendations that are going to apply to how the network behaves and how people interact with the network. But once the information rests with a covered entity, it's in a covered entity's hands, then because we're not getting to good/bad HIPAA, the HIPAA rules apply. And that's where I think we're coming up with some resistance.

I would like to continue to look at this from a more narrow perspective because I think it's going to have enough of a struggle -- and this is again my personal viewpoint -- to get to what are the rules for new entities and how we interact -- how covered, current covered entities interact with the new entities and then we might think about whether we now create -- need to extend that. Once we get to the point where we come to agreement on that set of points.

So I actually see Kirk's hypothesis or maybe not working hypothesis, discussion draft, is actually reaching our points of contingency which are addressing sort of network rules and how it interacts with networks, in a way that doesn't necessarily -- if we like where it's headed, because it does create a much more narrow use, set of use parameters for either the network itself or how people interact with it, just right off the bat and then -- and I think our next step really should be exploring what pieces of testimony or additional data we might need in order to get comfortable there in terms of how we're massaging it.

I don't know if that was helpful at all, but it is a much more narrow -- it's a narrower lens through which we're looking at this. But it's not necessarily inconsistent with the direction we've been heading.

I think that's all I have to say.

>> Jill Dennis:

This is Jill. I have no problem with the concept of the hypothesis. But I'm wondering why -- or I'm wondering if, actually, we should say -- reaching into the network for treatment, for payment, for those limited operations purposes that we've been talking about, but the two other issues I think we need to discuss are public health and research. To the extent that one of the reasons behind the development of these networks is to enable faster data sharing for syndrome surveillance and potentially for some research, too.

So where are we at with that? Is there a deliberate attempt not to go there? Or are these just things that haven't been tacked on to the hypothesis yet?

>> Steve Posnack:

Right now, if I understand it correctly, those wouldn't be allowed.

>> Kirk Nahra:

Again, it's a question of what the starting point is. We could have a hypothesis -- we could have a recommendation that says treatment, payment, limited health care operation, period, end of story. We could say those things, plus whatever else we decide to add. Or we could go -- we could have no starting point and go point by point through all of the contingent issues to come up with that list.

My suggestion is treatment, payment, we've added on for discussion that small health care operations, and then let's figure out if there are other-- For example, I'm going to guess, from this group, maybe I'm wrong, that there's not going to be a proposal to say let's open up broader access to law enforcement because of this network. I'm just going to guess that. Maybe that's not right. I understand that there are people who are going to say research. There's a particular benefit in the research community. I don't know that I particularly have a position on that one way or another. I understand that issue and I understand we might want to say, treatment, payment, health care operations, and research in some situations. Or public health in some situations.

Again, that's just an approach. Do we have -- that cuts out the rest of the health care operations discussion. That cuts out most of the public policy provisions, and it says we're going to look at one or two or three where people think there's a good reason to add them in. Rather than go through all of them to figure out how many of them we're going to cut out.

It's an approach issue.

>> Jodi Daniel:

Setting the baseline of start narrow and see if we want to add some things rather than start broad and figure out what to cut off.

>> Kirk Nahra:

And go through all of it and figure out what to knock it. That's it exactly. It's how you approach this issue. Again, and if we came up with a scenario by which we said treatment, payment -- again, this is only how you reach into the network. Treatment, payment, couple of health care operations -- just as an example. And research and public health. And we came back and said all right, group, what do you think about consumer choice. Could people make a decision on that. And if the answer is no, I can't make a decision because I still need to know about cadavers, that's okay.

>> :

or minimum necessary

>> Kirk Nahra:

Or whatever. Or whatever your example is Alison. Whatever your example is. If the answer is I can't -- that's not good enough, I need that plus minimum necessary, fine.

>> Alison Rein:

I just wanted to make sure that by sort of adopting this revised model, we weren't then deciding that we didn't need to go through a significant portion or whatever portion of these elements people have expressed a need to discuss.

>> Steve Posnack:

I think it's going to be an incremental approach. If we go with the additive approach it will be incremental by definition. So if we start with this baseline approach, then we're going to go through and if we add, say, public health and research, then everyone will circle back and say, do we want to say opt in or opt out, do we want to say more granular. And then if the group says no, we don't know enough, then we add some more things into the list and ask that question again until we get to a point where people say yes and --

>> Kirk Nahra:

To play that out. If what we say -- those couple of things, is the group really going to say we have to understand all the parameters of minimum necessary as applied to treatment? I'm not going to push for that because, you know, I don't necessarily -- I don't know that there's any particular benefit to -- again, saying if you're doing treatment and you're going through a network, you get X, Y, and Z. But if you're doing treatment and call them on the phone, you get A through Z. That personally doesn't make any sense to me. So I wouldn't at that point view -- once we've narrowed down the categories to -- so few a list, I wouldn't view minimum necessary as something that I'd spend any time on. Again, I'm one voice on this.

But I think that that approach, some of these ones that are viewed as contingent will be viewed as far less important and maybe not important to the consumer choice question when we're only talking about a couple of categories. Again, that may not be everyone's views. But I think that's a way to -- I'm concerned that we could spend the rest of our time as a group talking about this issue and not getting to a resolution. And I was trying to propose an option that I think would get us to the same point but faster. I can't imagine our group is going to -- I don't think our group would be able to make a recommendation that says treatment, payment and all health care operations, because that's prohibited by HIPAA right now. That would be against HIPAA. That would be lower than HIPAA. I don't see any point in talking about that right now. For the accessing the network. I can't reach out and grab other people's information today for those other purposes, right? Am I right?

>> :

Right.

>> Kirk Nahra:

So I'm not sure I see any point talking about that. We're not going to go lower than HIPAA.

>> Deven McGraw:

I think we also need to keep in mind that we have a previous recommendation that these networks themselves would be covered entities and subject to HIPAA. So while I'm not necessarily saying that we shouldn't go with this framework because I actually agree with the direction we're heading in, I do think we'll need to consider what the entity does, covered entity themselves because then use and disclosure provisions would apply. And health care -- you know, what health care operations would in HIE --

(inaudible)

>> Deven McGraw:

Yeah, the HIE. The PHR vendor.

>> Jodi Daniel:

So I think what I'm hearing you say, Deven, is we still will have some of those questions with regard to some of the new entities that are accessing the data, that only have access to the data because there would be a network environment, like an HIE. But for you it isn't an issue for the choice question, what they do on their own, or it is?

>> Deven McGraw:

I would think it would be. What the HIE can actually do with the data, as opposed to a -- I mean this is all framed in terms of a reach in. This is about the fishing expedition, of various types, in many ways.

The question of -- we haven't even addressed what an HIE can do.

>> Jodi Daniel:

What if it was only retrieve from a network, or used by the network itself.

>> Deven McGraw:

Right, well --

>> Jodi Daniel:

That's true, we could make the same assumption that the network, although it would be for their own--

>> Kirk Nahra:

The network is not going to have treatment. The network is presumably not going to have payment. Well, the network is not going to have health care operations where it has a relationship with the patient because we sort of defined that away.

>> Alison Rein:

I guess where I struggle, though, is all of the network components, and many of the new ones, can facilitate those types of operations and activities. And so I'm --

>> Deven McGraw:

But I think that's the reach-in piece, like getting the data from the --

>> Dan Rode:

Who can get the data, how much data can they get and what can they use it for?

>> Tom Wilder:

While it can facilitate it, again, it's a tool, right? It's not -- you don't have any more or less HIPAA rights or responsibilities than you do now. Just because you can reach in and grab the data from somebody doesn't mean you otherwise have the right to do it. It just means it's a different avenue.

>> Deven McGraw:

Right. I don't disagree, Tom. I'm just trying to figure out -- I think where Jodi was heading was whether it was possible with a little word massaging to address the issue of the network's own uses of the data in it. Or that flows through it, depending upon the model.

>> Kirk Nahra:

I guess my sense of that is that I don't have any idea what they want to do. And what they need to do. I mean -- I mean, I'm not sure -- we could wrap it into this hypothesis, but I don't have any idea what the answer should be for them. I mean -- a couple things. First of all -- I mean, let's frame the questions. One is, what they would be permitted today to do by HIPAA because they are business associates. Which I assume is a lot of what they would be doing. They have to follow the HIPAA rules, they can aggregate data in the same way that a PBM can aggregate data. But they can't -- you know, they can't share hospital A with hospital B, as a business associate. They can do aggregate stuff.

I don't know whether there are HIEs or RHIOs or whatever we want to say, who are saying, I want the ability to do X on my own initiative. I just don't know if they're saying that at all. We would need to find that out.

I mean, frankly today -- that's an interesting question. I haven't thought about this. With our recommendation that turns them into covered entities, does that broaden their ability in some ways? Right now they could only use as a business associate, they could only use it to perform business associate function.

>> Alison Rein:

It does except a lot of them are bound, I think at least the state ones -- well they're bound by what they've been given a mandate to do, either legislatively or by essentially ordered by the state.

>> Jodi Daniel:

That's not necessarily true for all of them.

>> Alison Rein:

No, I'm just saying as an example, so.

>> Kirk Nahra:

Let me suggest this. I think that that’s a -- I hadn't really focused on that issue. I think that's a real issue. I would not propose to wrap it in right now, I think it's a different issue. Let's write something and get -- let's get a factual answer from these groups, are there things that you're trying to do with this information yourself? I mean, I don't know the answer to that. The answer may be no.

>> Steve Posnack:

Isn't it a question we had a recommendation that defined them as a covered entity and now Deven is asking a separate now that they're a covered entity, what are they allowed to do under HIPAA that we don't want them to be allowed to do?

>> Kirk Nahra:

I don't know if what they want -- I don't know if they have any idea -- I mean, look, presumably an HIE needs to use data to figure out -- you know, if it has any kind of economic business model, it has to understand, does it have enough data. They need to be able to, if they're getting, I don't know, if somebody is getting paid two cents a transaction, they have to have some way to check whether they're getting paid 2 cents for a transaction. I assume no one is going to argue with that to some extent.

Are they going to be able to start marketing their line of RHIO clothing? I don't know. Well, and I don't know what they would be trying to do. I don't really --

>> Alison Rein:

They're trying to sell the data.

>> Kirk Nahra:

Okay, but Alison. That's an easy answer. They're clearly prohibited from selling identifiable data if they're a covered entity under HIPAA.

>> :

Identifiable

>> :

They can disclose information like for research purposes.

>> Kirk Nahra:

Following the research provision, which is they have to go through all that. That's a question. Are they trying to do that. I don't know the answer to that.

>> Alison Rein:

These are the higher than HIPAA questions I think that we had. At least for me, in my own mind, there are activities that they can engage in, they're allowed to engage in under HIPAA. You know, I know there's a lot of consumer concern about the resale of these data even in the aggregate, if you're part of a RHIO.

>> Steve Posnack:

That gets back to my question of we made them a covered entity, they are allowed to disclose deidentified information. So we're asking now that the HIE is a covered entity, do we want to allow them to disclose the deidentified information.

>> Alison Rein:

This is the higher than HIPAA discussion that we were eventually going to get to.

>> Steve Posnack:

That's part of it. It has nothing to do with choice, or does it?

>> Deven McGraw:

Well of course it does.

>> Alison Rein:

It does absolutely. Because whether or not you choose to engage in very large part contingent --

(multiple speakers)

>> Kirk Nahra:

Wait a minute. Why do we realistically think that consumers would care about what happens to their deidentified information? I mean, under --

>> Alison Rein:

But they do.

>> Tom Wilder:

Some do, and some could care less.

>> Kirk Nahra:

We're going to say under HIPAA you have no

(Multiple speakers).

>> Kirk Nahra:

Under HIPAA today you have no rights whatsoever as to deidentified information. The rule has concluded that there's no privacy interest in deidentified information. And we're going to say that the deidentified information in a network setting is so important that it's going to dictate a choice rule?

>> Alison Rein:

Yeah. For a couple reasons. We don't have to get into them now. This is like a very significant issue that we've.

>> Tom Wilder:

It is to some people, certainly.

>> Kirk Nahra:

Alison let me ask you this as a general question. Is there any set of answers that's going to lead in your mind to anything other than an opt in?

>> Alison Rein:

I have not gone through this process, Kirk, and I think that I would be afforded the same opportunity to go through the process.

>> Kirk Nahra:

I understand.

>> Alison Rein:

So I don't know. And it depends upon where we fall on a lot of these questions. Which is why I keep raising the point about wanting to make sure that we're not, you know, just sort of dismissing out of hand a number of these points. And if we are to get to the choice and it's an iterative or additive process, and they can come back in, and it's a process in flux, I'm fine with that. I just -- I mean, we've spent the last year-plus, resurfacing a lot of these issues and we've always said well, we're going to deal with them as part of X, Y, Z context, so I don't want to not have that conversation.

Unless the group decides, you know what, that's not our conversation to have. We're going to punt to someone else. You know, I can't answer that question. Those are very significant issues that were just raised.

>> Tom Wilder:

Yeah, it's starting all over.

>> :

No.

>> Kirk Nahra:

All right. My sense is that we've taken this about as far as we can productively take it today. Are there people that have other things they want to add today? I don't want to cut this off, but I also don't want to just go back and forth for another hour.

>> Deven McGraw:

Well, is it worth talking about the -- what types of additional information we might need in order to figure out whether this is enough, or this hypothesis is enough or we might want to add some things back in. Like public health, research. For example, it says, I go back to Part 1. I’m not going to the chart. I'm going to the hypothesis. Identify -- you know, the information can only be retrieved from a network for treatment and payment. Aggregate information could be retrieved for public purposes. So that raises a bunch of questions.

>> Kirk Nahra:

I would take that out because it's going to be too much -- we're trying to simplify. Get rid of that sentence.

>> Deven McGraw:

I'm not trying to simplify. I'm trying to figure out -- I'm trying to explore whether there are public purposes that we want to be able to retrieve information from a network for. And what the parameters of that would be. And is it just aggregate information, or does it need to be identifiable in some cases?

>> Kirk Nahra:

Right. I would take that sentence out of that first point, and we're going to put certain public health purposes back in at the end.

>> :

Okay.

>> Kirk Nahra:

Is that where you're going to go?

>> Jodi Daniel:

It sounds like on one, the conversation has gone to, we need to talk about some of the public purposes, like research, like public health, like quality. And then the question is -- and we have people testify, what -- how much identified -- do you need identifiable data, deidentified data or something in between like a limited data set? And then we could have -- we could say research is in, but only aggregate information. Or research is in but identifiable. And it can be identifiable. So it sounds like there's public purposes and which public purposes, and the amount of identifiable or nonidentifiable information that’s available.

>> :

You look perplexed.

>> Deven McGraw:

That's consistent with the sort of road map direction that I'm suggesting we had. And I wanted to stick with this working hypothesis that Kirk drafted vis-à-vis how the information gets retrieved out of and used from a network. So it goes -- you know, the grabbing it and taking out a piece of it and figure out whether we want to expand it beyond the narrow scope that's been provided and what types of -- where we might go with that. And a parking lot for a second working hypothesis that we might develop, what the HIE itself can do with the data and whether we are going to propose -- nice clock. To narrow that at all. Itself.

Then I think -- unless I'm missing something, where we will at least have gotten to this sort of, the new actor and really focusing on HIEs, not really PHR vendors but these networks, and sort of what are the ground rules that are different from HIPAA that we would propose. And that's internal operations as well as external relationships.

Then I think we might have a universe of choice. Because I don't know that we need to get to a choice for a PHR vendor. Those are personal health records that people can obtain themselves.

>> Steve Posnack:

From an administrative yet testimony type question, it sounds like we need to prioritize what we want to add in or what we want to hear about adding in, research or public health. Sound good?

>> :

Yeah.

>> Steve Posnack:

Do we want to add something else? Let me -- I'll read the list of I guess the contingent ones that I looked through. Marketing, public health, the oversight provision, the judicial and administrative provision, research, law enforcement, and then we've got minimum necessary and requests for restrictions. And then health care operation, I think is somewhat already sliced and diced because of the restraints we’ve put on there.

>> Deven McGraw:

They all have been sliced and diced. I think it's a question whether someone is proposing to add a use back in, and what would be the testimony that they would want to hear, and you know, public health and research have already been thrown on the table. Are there others?

>> Kirk Nahra:

Let's be a little precise. I don't think it's a question of use. I think it's a reaching in.

>> Deven McGraw:

Right, reaching in, thank you.

>> Steve Posnack:

What types of questions do we want to ask them?

>> Deven McGraw:

Right. For what other purposes do people want to be able to reach in to the HIE and what would be the additional information that would help us reach a decision on that?

>> Kirk Nahra:

We have two. We have research and public health.

>> Deven McGraw:

Right. Are there others?

>> Jodi Daniel:

And I guess the question also on public health is the 512B, there's a whole bunch of stuff in there. Do we want to talk about public health generally or are we talking about parts of that or all of that.

>> Kirk Nahra:

And let's also try in terms of sort of what are we looking to gain in we want -- well, we want public health officials to come in and talk about -- I mean, are they even -- are they covered entities? What's their ability to get into the system now anyway? So their ability to get into the system --

>> Jodi Daniel:

Existing law --

>> Kirk Nahra:

No, but -- They don't have existing ability to get into a health insurer today. They can make the health insurer report stuff to them.

>> Tom Wilder:

If you want to get an edge on what is at the edge of all this, I'd say that folks in New York City public health department is who we want to get down.

>> Kirk Nahra:

But what I'm trying to understand is, I mean if what we're talking about is how somebody reaches into the network, are we envisioning public health agencies being eligible to reach into this network?

>> Susan McAndrew:

There currently are public health relationships where the, where the connection is already electronic. And while it's not so much --

>> Kirk Nahra:

What connection?

>> Susan McAndrew:

It's essentially where a hospital has reached an agreement with their public health department to electronically transmit reportable information. And some of these systems, I believe, are interactive to the point where it's a little fuzzy whether the public health department is reaching in or whether the public health department is assembly receiving.

>> Jodi Daniel:

And there are public health use cases (inaudible).

>> Kirk Nahra:

So it's a -- to play out Sue's example. Are there currently or proposed HIEs where public health agencies would essentially have independent access rights? Where they would be --

>> Susan McAndrew:

You were talking about the use cases --

>> Jodi Daniel:

I don't know the details, we have two.

>> Kirk Nahra:

We have two questions. Are we looking at them getting in themselves?

>> :

for the HIE --

(multiple speakers)

>> Tom Wilder:

I think there's more than two. I think the point is a lot of what people traditionally have seen as public health, chronic illness now in departments is considered a public health issue. Managing people's diabetes. From my perspective, I think you need to get Les Leonard in up from CDC and you need to get the folks from the public health department in New York, if you wanted to cover, because there's a whole variety of these. And possibly also, I think it would be smart to get Indiana in the loop because they're doing interesting research stuff that cuts through all this through their statewide network.

I don't think you're going to delineate in other words all of the possible interesting permutations.

>> Deven McGraw:

I don't know whether this goes under research or public health, but I would certainly be interested in talking to some of the major public-private entities that are part of the sort of national measurement, what I'll call the national measurement enterprise, the National Quality Forum, the Ambulatory Quality Alliance, to get some -- and this is also something I'm happy to undertake myself because we're connected to all these organizations and very interested in facilitating more measurement and public reporting on health care performance which I'm not sure whether that falls under research or public health. We're not talking about city or state-based entities but instead getting a sense of where that enterprise is heading in the future, and what the value would be of being able to get data and whether it needs to be individually identifiable or aggregate data.

>> Tom Wilder:

Is that Alison?

>> Deven McGraw:

No, it's Deven.

>> Tom Wilder:

Hi, Deven. Yeah, I agree with that. In fact, I think the whole issue is a policy debate right now, and what is quality and what is starting to be research and vice versa. Hastings is, there are people there that might be good to hear from that are really into this as well.

>> :

Well, Tom, you even got a line between now what's payment and what's quality.

>> Tom Wilder:

Exactly, exactly.

>> Dan Rode:

The other group you may want to talk to is Denise L, at NAHDO, which would represent a broad group of organizations that collect health care data. And I'm not sure they've done enough research on in and out, whether they're seeking data or getting the data.

>> :

NAHDO.

>> Dan Rode:

National Association of Health Data Organizations. Salt Lake.

>> Alison Rein:

With identified versus deidentified, aggregate, I know that there will be a whole separate subtopic on the ability to reidentify and I don't propose that we now sort of go take a deep dive into those waters. But I would be interested in hearing sort of about restrictions on people's ability then to merge or people's interest in merging multiple data sets to reidentify. Which I mean, I don't know, I mean it's prohibited under HIPAA to try and reidentify. But I don't know if that, if that's part of the conversation about whether or not you need identified versus deidentified data.

To the extent the Secretary's Personalized Health Records wants to comment on even the ability to deidentify at some point in the very near future.

>> :

There was some testimony taken on that.

>> :

There may -- then maybe that -- I'm sure it's public but maybe it could be circulated.

>> :

We can --

>> :

for extracurricular reading.

(inaudible).

>> :

Yes, pretty technical.

>> Alison Rein:

In my mind you want to be considering not only what exists, but what we can anticipate in the very near future. And you know, it’s pointless to have all this time having policy discussions about something that may be very real and not taking that into consideration.

>> Jill Dennis:

I actually think that's a good idea, I just don't know who we could get who would be willing to comment on that, unless somebody -- maybe like Privacy Rights Clearinghouse out of San Diego tracks that kind of stuff. I don't know anybody who would be tracking that kind of stuff.

>> Jodi Daniel:

Tracking what? I'm sorry.

>> Jill Dennis:

You know, large scale attempts to sort of reidentify from deidentified data, by merging databases.

>> Deven McGraw:

Oh. Maybe CBT.

>> :

Yeah, I don't know.

>> Deven McGraw:

Not necessarily in the health care context, in other data context.

>> :

Yeah.

>> Jodi Daniel:

That’s interesting, the issue of deidentification and reidentification is not necessarily in the, there's the issue of health information and whether or not we can deidentify genetic information and the group Deven was part of was talking about --

>> Deven McGraw:

Was?

>> :

Done?

>> Deven McGraw:

No, not done.

>> Jodi Daniel:

Is talking about that. But obviously the merging of database is not necessarily a health care (inaudible) information issue.

>> Deven McGraw:

But it is true that the presence of the genetic family history information (inaudible) my recollection is the re-linking (inaudible) And since the direction of personalized health care work group is going in their recommendations with respect to how to get that information into electronic records.

>> Alison Rein:

Not going to be any such thing as a deidentified database at some point

>> Deven McGraw:

No I’m not going to go there yet. It’s tough.

>> Alison Rein:

at some point, perhaps, but you know, if they're part of --

>> Jodi Daniel:

So are you suggesting, if down the road they’re to say they cannot be deidentified, it's having a conversation about the level of identifiers worth having that conversation, or I mean, let's take the hypothesis that you're saying at some point there will be, in your view, no such thing as deidentified data, that it’s always identifiable. If that's the case, then is talking about information in aggregate form or with identifiers removed still worth having because it reduces the risk or is that fact make it, so we should be talking about the information?

>> Alison Rein:

Maybe there’s, not to be trite but like a third way. And I don't know what those ways are. I mean, I assume that as people sort of move into this very 21st century domain, that they're thinking about this a lot more than I spend my time thinking about it. I want the discussion to be informed by what is likely to be imminent reality as opposed to the paradigm that we're all familiar with as it exists today. And which existed when the HIPAA rule was promulgated. It's just an awareness raising. And I know that we've sort of alluded to it previously, but if we're going to hear sort of testimony, I don't want to sort of have it in this very narrowly confined box. So I don't know if that helps clarify.

>> Jodi Daniel:

It seems to me that it's still worth having conversation about identifiers and whether or not, if we're talking about public health, if the data can be used with identifiers stripped, even under the assumption there may be -- it may be -- let's assume it's possible it can be completely deidentified, it still is harder to reidentify if you have information removed. Or requires effort or maybe a lot of effort, you know, to reidentify if you don't have name and date of birth and street numbers.

>> Alison Rein:

Maybe there's some technical approach I'm not aware of that data people have for doing this, but sort of renders it less scary for --

>> Jodi Daniel:

Yeah, I think -- on the deidentification scale -- (inaudible) Same thing with data generally.

>> Deven McGraw:

Anybody else have any other suggestions for things that we would want to gather more information about?

>> Deven McGraw:

I think we'll do some work, and can we open it up for public comment? Hello?

>> Kirk Nahra:

Operator?

>> Alison Gary:

Sorry.

>> Deven McGraw:

That's okay. We're actually on track to end early, maybe for the first time.

>> Alison Gary:

Great. For those on line you'll see a slide on how to call in to comment or ask a question. If you're already on the phone, just press star-1 on your phone now to comment. If you have any wrap-up comments while we're waiting for public input.

>> Deven McGraw:

Anybody? I don't think so.

(inaudible)

>> Deven McGraw:

We're checking on the date of the next meeting. I can promise you it's a longer break than the one we just had.

>> Deven McGraw:

Monday, March 3rd. Thank you.

>> Kirk Nahra:

Are there any comments?

>> Alison Gary:

No, there are no comments from the public.

>> Deven McGraw:

Thanks, everyone, I feel like we made progress.

>> :

Thank you.

>> Deven McGraw:

These conversations are not easy. Much appreciate everyone's input and participation. Especially coming after a meeting that we just had, what, eight days ago? So we're glad to end this one a little bit early. Everybody have a nice weekend.

>> :

Bye-bye.

>> :

Thanks, see you.