American Health Information Community

Confidentiality, Privacy, and Security Workgroup Meeting #8

Thursday, March 15, 2007

Disclaimer

The views expressed in written conference materials or publications and by speakers and moderators at DHHS-sponsored conferences do not necessarily reflect the official policies of the DHHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

>>

We're ready to get started.

>> Judy Sparrow:

Thank you and good morning everybody, and welcome to the seventh meeting of the Confidentiality, Privacy, and Security Workgroup. Just to remind you this meeting is designed to meet the requirements of the Federal Advisory Committee Act, FACA. There will be an opportunity at the end of the meeting for the public to make comments. Also a reminder to the Workgroup members who are on the phone to please speak clearly and distinctly and to identify yourselves before you speak.

And we have a long meeting today. We expect to go until 4:30 this afternoon. We had a little fire drill here at the Department of Health and Human Services, so we're a little bit delayed in beginning. Without further ado I'll turn it over to Kirk Nahra.

>> Kirk Nahra:

Good morning, everybody. Yes, we’ve had a little bit of a blip this morning, but we'll try to get started. While we're scheduled till 4:30 I'm optimistic we won't still be here at 4:30, but we'll try to go from there.

The people in the room at least have a summary of the last meeting. Would that be available for people who are on the call? People who are members on the call, do they have it? Let's just go around the room and do attendance. John, do you want to start down on your end?

>> John Houston:

John Houston with the University of Pittsburgh Medical Center.

>> Don Detmer:

Don Detmer, American Medical Informatics Association.

>> Jill Dennis:

Jill Dennis, AHIMA.

>> Paul Uhrig:

Paul Uhrig, SureScripts.

>> Steve Posnack:

Steve Posnack, Office of the National Coordinator.

>> Jodi Daniel:

Jodi Daniel, Office of the National Coordinator.

>> Kirk Nahra:

Kirk Nahra, Wiley Rein.

>> Jeanette Thornton:

Jeanette Thornton, America's Health Insurance Plans.

>> Sue McAndrew:

Sue McAndrew, Office for Civil Rights.

>> Deven McGraw:

Deven McGraw, National Partnership for Women and Families.

>> Mazen Yacoub:

Mazen Yacoub, on behalf of Sam Jenkins, Tricare Management Activity.

>> Kirk Nahra:

Who do we have on the phone from the Workgroup?

>> Jennifer Macellaro:

Looks like Tracy Leeper is in for Steve Davis from the Oklahoma Department of Mental Health, and Elizabeth Holland from CMS.

>> Kirk Nahra:

That's all on the phone?

>> Jennifer Macellaro:

Right.

>> Kirk Nahra:

Did people have a chance to take a look at the meeting summary? I know it was kind of quick. Are there any questions or comments about that summary? We have a motion to approve, I guess. And a second. We'll be official today. All in favor. Motion approved, summary approved. I will note that we should tell whoever prepares the summary, Steve, what office you work for, because they don't seem to know that. We'll get that taken care of.

Moving on to our next topic, let me turn it over to Jodi to talk about some recent events, in particular, the AHIC meeting earlier this week.

>> Jodi Daniel:

Thanks, Kirk. And good morning, everyone. There was an AHIC meeting just this week. It was on Tuesday. And one of the exciting activities at the meeting was Kirk presenting our, re-presenting our fifth recommendation to the full AHIC on, it was recommendation number five. I'll just read how it was read.

CCHIT should be made aware of the identity proofing recommendations accepted by the AHIC on January 23rd, 2007 and, where possible, security criteria developed should support these recommendations.

We had some discussion about this at the last meeting and there was some concern about whether or not this included business processes and we clarified that we were looking at the technology criteria, security criteria, and it was approved unanimously by the AHIC. So we anticipate that will be going as the recommendation from the AHIC to the Secretary. So it was very short and sweet. We were at the end and it was a little bit

>> Kirk Nahra:

It was seven and a half hours of very intense debate, very aggressive questioning. No, it was actually just a couple minutes. Despite the questioning I guess that happened in the earlier discussion, everyone seemed to be on the same page. There was no concern there.

>> Jodi Daniel:

And I think one of the things that happened at the last meeting, the last AHIC meeting when this came up, was we followed the Consumer Empowerment Workgroup, where there was discussion about whether or not CCHIT or another certifying body should look at certification criteria for personal health records. And there was a lot of debate at that Workgroup about that and I think that sort of spilled over a little bit into our recommendation last time, just that was brought up again at the AHIC meeting. This time I just wanted to raise that particularly because I know there's been interest in this group in looking at personal health records, and after debate there was a majority opinion of the Workgroup and a dissent of the Workgroup as to whether or not PHRs, whether or not there should be privacy and security and interoperability criteria developed for personal health records or there should be a process for doing that down the road and a dissent on that motion. The AHIC heard both sides and unanimously voted for the Workgroup recommendation to have personal health records, to have certification criteria developed for personal health records just in the area of privacy and security and interoperability but not -- the issue of functionality was kept off of the table and there was no discussion about that. That was not agreed to by the Workgroup and not put forth to the AHIC.

There were also some recommendations from the other Workgroups that were discussed at the AHIC meeting from the Quality Workgroup and the newly named Population Health Clinical Care Connections Workgroup, formerly known as Biosurveillance. They brought in their charge which were also accepted and I'm not going to go through too much detail because I don't think it has too much implication on our Workgroup's activities.

The one thing I wanted to spend a little time on, we had a privacy and security panel which I spoke at and Sue McAndrew who is here also spoke at. And then we did, we had the contractor on the privacy and security solutions contract, which is the contract with 34 States and territories, give an update on where they are, some of the issues they were seeing and had some states present on some of the solutions and implementation plans that they're working on there.

Basically Sue and I just gave sort of an overview and framework on, from the federal perspective, on some of the activities we're doing and how we see those feeding each other. We did talk about the CPS Workgroup and how those recommendations will feed some of our next steps with respect to the NHIN trial implementations, so for instance the identity proofing recommendations that were forwarded to the Secretary, we anticipate those to be incorporated into the next round of the NHIN work and we see that there is at least a relationship between some of the work that, some of the issues we're taking on and thinking about and some of the State work. So if there is some overlap, we would bring those issues to this Workgroup to think about and vice versa, if there's some issues that are raised here that really apply to States as opposed to the federal government and we would bring that information back to some of the States that are looking at this and working on projects with us related to privacy and security.

Sue, do you want to say anything more about that?

>> Sue McAndrew:

I think that pretty much covers it, Jodi.

>> Jodi Daniel:

The other thing, we had a national meeting of the privacy and security solutions contract that formed the health information security and privacy collaboration that was last week, Monday and Tuesday, and it really was quite an interesting and dynamic discussion getting all of the States that have started thinking about these issues in great detail to come together to discuss what issues they found, what solutions they're thinking about and the like. And just to give a couple of highlights, the issues that were coming up were issues of consent and there are a lot of State laws on consent that seem to be either confusing to folks or differing by State. Data security and quality issues, some legal and regulatory issues, and then concerns about how to interpret and apply HIPAA, which, because of the flexible and scalable nature of HIPAA, results in variation among businesses on how to implement those rules. And that was identified as a potential challenge to interoperable electronic health information exchange.

We can get into more detail on any of this if folks are interested, but I wanted to let folks know that that meeting had gone on and there's a lot of work there. That project will have final reports in June. And we also announced at that meeting, Rob Kolodner mentioned that there will be some funding for some of the implementations of those projects. We haven't worked out the details yet. But we're committed at ONC to continuing the process and working with States to try to implement some of those solutions, particularly where there are some cross-jurisdictional discussions and working on some of the implementation plans and solutions. So unless folks have any questions, that's pretty much the update.

>> Kirk Nahra:

Any questions from anyone on the phone about Jodi's update? Anyone in the room? All right. Thanks. Why don't we move on to the next point on our agenda which is to talk briefly about coordination of this Workgroup with the Consumer Empowerment Workgroup.

>> Jodi Daniel:

This has just been some preliminary discussions at this point, and Kirk, feel free to jump in if you have anything to add. As I mentioned last time, the Consumer Empowerment Workgroup had made a recommendation to the AHIC that they work on privacy policies for personal health records and now there would be a vehicle probably for putting that forward which is the certification process. And that they work with this group in doing that.

They are very committed to moving forward on looking at privacy practices for personal health records, but they don't necessarily have the privacy expertise on that Workgroup. They definitely have consumer expertise and they bring the consumer perspective to that discussion to understand what consumers would find valuable and important in privacy policies for personal health records but they wanted to work collaboratively with this group to tap into some of the privacy expertise that we have. So they will be marching ahead. And I just wanted to let folks know there was one discussion between the cochairs of both Workgroups. We need to have further discussions but I wanted to put it on people's radar screens if this group is interested in working with them on that and making sure the privacy expertise we have is coordinated with what they're doing.

There are some thoughts about having a subgroup where we might be able to pull some CPS members and some CE members together. We also may, there may be some pieces of this that this Workgroup wants to take on specifically and we can figure out how best to kind of throw that ball back and forth so they can look at it from a consumer perspective and we can look at it from a privacy perspective to think through how to get there.

But I just wanted to let folks know that that's being discussed sort of behind the scenes of the Consumer Empowerment Workgroup which I believe has a meeting tomorrow. We'll be talking about this. They're going to start talking about the different components of a privacy policy based on some of the testimony they've already heard.

>> John Houston:

Question, is Mark Rothstein on that committee or the Biosurveillance, whatever it's now called?

>>

Mark's not on the CE Workgroup.

>> John Houston:

What's Biosurveillance now called?

>>

Population health.

>>

Is he on that one?

>>

He's on Personalized Healthcare. The genetics, family history.

>> John Houston:

I guess the other point or comment I want to make is being on the EHR Workgroup, I know the EHR Workgroup is also very interested in privacy and identifying privacy issues that they I think would like to tee up. Also I think they feel need to be addressed sooner rather than later. So I think you can get information back from them, too.

>> Kirk Nahra:

There's sort of two different things going on. I think that this Workgroup would be interested in and amenable to having issues teed up, issues that are identified by some of the other Workgroups and sort of sent over here. That's frankly how this Workgroup arose. I think the issue with the Consumer Empowerment is a little different in the sense that they were moving forward on some issues and addressing it from their perspective without, I think, fully grasping that there were certain privacy and security issues.

I mean they were moving down a path that would have essentially skipped over the idea of applicability of HIPAA principles and sort of what those standards are compared to other kinds of potential standards. And one of the things we did in our call with them was to say, wait a minute, let's make sure that the conclusions that are coming out of your Workgroup don't contain significant implicit un-discussed assumptions. We wanted to flag those. So it’s a little different dynamic. We're certainly happy to get issues referred from the other Workgroups, but this was more they're moving ahead without knowing or without fully I think realizing that they were, they were going down some paths that I'm not sure they realized had the same implications. So that's what we're trying to work out with them. To the extent they're moving forward. Again, I think the idea from our perspective would be, one of the things we'll talk about later in this meeting and I think in some of the weeks ahead sort of how the HIPAA standards fit within this electronic environment. If they come back from their perspective and say here are 10 things that consumers want in privacy policies for integrated EHR environments or PHR environments, we'll then be able to look at them say wait a minute 8 of these 10 things are different from HIPAA. We'll be able to make that comparison. And I think we want to get their perspective on that but then try to do the application to the existing privacy and security ideas ourselves.

>> Jodi Daniel:

What we're trying to do is see if there's a way that they can focus on sort of from a consumer's perspective what are some of the important components that they see in privacy policies for PHRs and then perhaps bring that back to this group so that we can look at some of the issues that Kirk was describing to make sure that they fully understand the implications of some of those positions.

>> John Houston:

I know NCVHS sent a letter I think in 2005. I'm trying to look through my notes as we speak, speaking of, with regards to PHRs, and I know there was discussion in that about privacy and security considerations and it might be good to dust that off and take a look

>>

That report is part of the materials for tomorrow's meeting.

>> John Houston:

It is? Good. Good. Because I would hate to lose sight of that work, and some of the issues that got teed up in that document.

>>

It is part of the package that will be on the table tomorrow.

>> John Houston:

We might want to circulate it to this committee, just maybe identify those components would be specifically related to work this committee would want to do, too.

>> Steve Posnack:

I can circulate the Consumer Empowerment Workgroup materials to everybody.

>> Jeanette Thornton:

This is Jeanette. I'm kind of confused on this point. The Consumer Empowerment working group is going to be doing the privacy and security principles and then giving it to us, or is this working group going to sort of lead the way in terms of what privacy issues are with PHRs? How do you see that working? Because I know they had tasked the recommendation to this working group in sort of how they drafted the recommendation.

>> Kirk Nahra:

There's a couple of points. One is we're trying to coordinate with them. So that’s a big theme, we're trying to make sure we do have a hand on who is doing what. I think what they're going to end up doing, at least from our last discussion, was identifying sort of consumer interest in privacy policies for PHRs. Limited to that. They're going to say we want to have this, this, and this. And we would then look at that's covered by existing rules, not covered by existing rules, those kinds of questions. But we want to just work with them. Their earlier or I guess initial set of recommendations included a number of assumptions without realizing that they included a number of assumptions. They were so implicit that I think they hadn't really crossed their radar screen. We want to make sure just the substantive knowledge of privacy security gets over to that group. Deven, I'm going to guess you have something?

>> Deven McGraw:

I was comforted by your statement earlier about the fact they had sort of tripped, not tripped on that's probably the wrong way to characterize it. But that they had not necessarily thought about some of the privacy issues that were inherent in what they did. Which I think is fine. But I guess what I disagree with is that somehow they're taking the consumer privacy issues and we're taking the other privacy issues. That doesn't make any sense to me, because they're not a consumer, I mean, they're the Consumer Empowerment group, but it's not like their members are just a bunch of consumers sitting around dealing with all the consumer issues. I just think that's a little odd.

>> Kirk Nahra:

It certainly wasn't intended to be that broad a distinction. They were conducting some, they were pulling some information together on components of privacy policies for PHRs. That was sort of as far as it got.

>> Jodi Daniel:

Steve, jump in if you've got more here, because I know you've been working on some of the information that they've been gathering. They were looking at from their perspective of personal, looking at personal health records what kind of privacy policies are out there, what are some of the components of privacy policies, sort of where there are holes, where somebody might have had some good policy but it seems to be an anomaly in the industry and perhaps might want to promote having more of that, as well as some of the issues related to not just the components but making sure that it's available to consumers who are using them, making sure that it's in an understandable format that consumers can understand, that the privacy policies are understandable to consumers that are reading them, et cetera. So they've been doing research on this and so they wanted to have something more that they could actually turn over to this Workgroup that's sort of focused on here's what we've found here's some of the things we think are important, and that sort of thing. Do you want to add anything?

>> Sue McAndrew:

I would only add, by and large, the vendors that they were surveying and the existing systems that they were looking at are generally the freestanding systems which are not currently under any kind of HIPAA regime. And so the privacy policies or the security policies that they surveyed and to the extent they exist, they exist under Internet rules or FTC rules or just general business rules. And so they were finding a good deal of variety, a good deal of variation, a good deal of, that these were things that may, policies that may exist internally but that they weren't necessarily communicated to the public and in some cases I believe they even found that some companies were considering these policies to be proprietary. And so they were not shared with the surveyors, and you can anyway, so the privacy and security that they were looking at really, was to test the waters for the current state of the business practice in these areas as opposed to any compliance with any federal regime.

>> Jill Dennis:

AHIMA did -- this is Jill -- AHIMA did some work on this subject, really kind of a related subject, it’s been about five years ago now, but it was some privacy principles that were not HIPAA-specific that applied to what we were calling at the time e-health Websites which was really about personal information on the Web. Actually, some of those generic privacy principles and some of the things that we were thinking about that might be helpful to that group and potentially to us as we look at some of those issues. I’ve actually got a copy of it today and I'll leave it with you, Steve.

>> Kirk Nahra:

I think the other piece of what Sue said is that all of that variation and all of that ambiguity is going to play into what we’re going to talk about later in this meeting in terms of that working hypothesis. In that sense it's all, I mean, again, the major point of this item on the agenda is to say they're working on some things, we're working on some things. They're related. We need to coordinate with them. We're still figuring out exactly what the details of that is going to be. We had a conversation with them which, at least from my perspective, made clear to me that they could clearly benefit from some of the privacy and security expertise that we had. They were proceeding from perspectives that were very relevant to consumer empowerment but that were not necessarily grounded enough into some of the existing privacy security laws. We want to make sure that information is shared and we're working with them and obviously we'll continue to bring that information back to this Workgroup as we flesh out a little bit more what that's going to mean.

Any questions or comments on, questions with the consumer empowerment group? Let's move on to the next point on our agenda. We had one loss during the fire drill today, it was very sad but Yuriy was not able to -- no, he was ill today. We knew that before the fire drill. And so there are some materials that were distributed, but Jodi is going to step in and cover the presentation that Yuriy was going to make.

>> Jodi Daniel:

Yes, before I do I'm going to turn it over to Steve just to talk about the identity proofing research that Yuriy has been working on and try to get more feedback from folks.

>> Steve Posnack:

So when last we left Yuriy he had gone back and tried to do some more research and he was looking at the value-added services PHR sample size he had gotten, and the one main point that was his action item to take away from the last meeting was to look at the differentiation between the information that was used to purchase the PHR, sign up for the service, versus what they were actually using to identity proof. And that wasn't clear. He's tried to reach out to a number of those value-added services PHR providers and it's been slow-going. So his part on the agenda here was a little bit more of an update to get more feedback. He has talked to three PHR service providers but he's getting more data. One is pretty substantive so he'll be able to provide some more information based on that and the activities he's learned about. He's also interested in maybe trying -- and this is up for the Workgroup in terms of other recommendations, because the first point he's still working on came largely from Kirk and Alison's original concerns -- but to try and scour the PHR market and identify any PHRs out there that are using this knowledge-based authentication that he was talking about last time at the meeting, the kind of credit report identity proofing, the online methodology, if that would be of interest to the group if we could find some case studies maybe to look at to help apply our understanding of the non-prior relationship examples, that might be something we could offer up to him, if you're interested. You guys can send me an email with any other thoughts. But he's looking for a little more guidance to keep his work focused and what would be most beneficial to the Workgroup.

>> Kirk Nahra:

Let me jump in for a second. Seems to me what he's doing we're looking at for a couple of reasons. I mean, one is it's going to support a variety of different points we're making, which is that the unregulated marketplace is inconsistent, ambiguous, lots of variations, et cetera, may even be hard to figure out. So that's a relevant factor to I think a lot of what we're discussing.

I think it's certainly useful to know about some of the more active or aggressive or whatever phrase we want to use vendors and who are doing a better job on this to see what's possible, what's available, what's out there. I think that we've looked at this as an identity proofing issue, but it's obviously tied to the bigger question of what do we do with these other entities. So I think that's all useful to have. I think the more information we can get on that, I'm not sure whether, again, if we move through our working hypothesis today and end up with some recommendations, whether it's today or in the future, about these non-covered entities, some part of that work may drop by the wayside but I think we still have that identity proofing set of recommendations so I think the more we can get on that the better.

>> Steve Posnack:

To echo what Kirk is saying what Yuriy would be working on is probably the tip of the iceberg in many respects to a lot of PHR work that’s going on out there. If people have specific ideas that would also kind of uncover what else is below the water, that would be helpful.

>> Kirk Nahra:

Jodi, do you want to go ahead with the rest of that presentation?

>> Jodi Daniel:

Yes, with the appropriate caveat that I just found out this morning that Yuriy was ill and not going to be able to do this. So I will try to walk through this, but we can have him sort of respond to more questions next time, if there are some. This is basically an effort, after last meeting some folks were saying it would be really helpful to just have some discussion about what's changed since, in the last decade, basically, and how has health IT changed or information technology generally changed the healthcare industry and what does that, what are some of the implications of that. And at least we discussed at the last meeting that the folks around this table have that expertise and know that, but it would be helpful to just sort of establish a baseline of sort of the changing landscape. So Yuriy put this together and was going to talk about this but I will walk through his presentation just to make sure we sort of have a common understanding before we talk about the working hypothesis, about sort of what's changed and where we are today compared to where we were before.

Next slide. So we have the health insurance, this is not right, the Health Insurance Portability and Accountability Act of 1996 is now almost 11 years old. And since that time, you know, if you look at the left column, this was pre-Internet boom. It was just sort of the early stages of widespread Internet usage. It was based on sort of more of a provider-centric model, where health records were held in doctors' offices before, for instance, personal health records came on the scene and there was more electronic sharing of information. And focused on particular types of covered entities. So these are most healthcare providers, although not all, health plans, and healthcare clearinghouses.

And so now in 2007 we're post-Internet boom and everything is sort of Internet-based and Web-based, that there has been a movement to expand to include consumers in their own healthcare in a more comprehensive way, both through advertising to consumers, through personal health records, and a whole lot of other changes in that regard. And also there have been a lot more entities that are getting involved in sharing, collecting of health information than the covered entities that were identified in HIPAA, as well as some that still continue to exist that were not covered, but were business associates of those covered entities.

The next slide. Let me try to break this down a little bit more. So back to the pre-Internet boom. Little to no use of Web-based technologies. Most of the, or many of the privacy concerns were physical versus online concerns and we were really looking at the electronic transactions were really for financial and administrative purposes as opposed to clinical care, that there was a lot more physical data aggregation or aggregation even if it were electronic between particular entities versus more networked or online data aggregation.

And then if you look at the 2007 where we are now, we have more use of Web-based technologies. We have a lot more online use, which raises some concerns that we've been hearing about information being disclosed electronically and more information being connected together for where those disclosures can happen. And again online data aggregation. Talking about the provider-centric versus the consumer involvement in healthcare more. In the provider-centric model we had, again, healthcare services primarily revolving around the healthcare provider and it was more of a push model. The only way that the information was getting out of the doctor's office was if the doctor, someone made a request to the doctor and the doctor pushed them out to them.

In 2007, on the right side, again we have PHRs and we have push and pull models. We have some networks that have formed whereby a healthcare provider can search for information about that patient and be able to pull that information rather than waiting for the doctor who holds it to push that information out to them. Again I mentioned about the covered versus non-covered entities and some new entities entering the healthcare market.

Next slide. And I won't suggest that this is completely comprehensive. This is just some places where, to sort of highlight the differences of what's changed. So now we look at from the landscape change, how does that pose some new issues and challenges that we face today? So if you notice he took the column from the slide before on the right and pushed it to the left, so just moving forward from the new landscape, some of the issues that he was identifying was that there's broader access to health information, there is issues of standardization for online privacy and privacy protections for online information, and the issues or concerns that online access can result in greater access to data due to a particular security breach or a privacy breach, because that information is aggregated in electronic form.

With consumers becoming part of the model some of the issues or challenges, that there's more aggregate health information being able to be held by consumers, for example, in personal health records, and that there is concerns about selling of consumer information so that entities can market directly to consumers for healthcare services. And then, of course, the non-covered entities questions which goes directly to our hypothesis of today which is that clearly there are federal, the federal regulations that exist currently do not cover all entities that have developed in the electronic health world. And there may be little or no regulation that does cover these entities either in federal or State law.

Next slide. Some of the issues pose some risk to unauthorized access to information. There are risks of identity theft which this group has talked about, whereby if there is a breach of information, not only is there concern about the health information getting out but there might be a lot of identifiable information that can lead to identity theft. Some of this is a little bit repetitive. Consumers being involved, there are questions that come up about the accuracy of health information, if patients are directly entering data into their systems, into systems as opposed to it coming from the healthcare provider, issues of whether the patient has both read and write control to enter information into their record, and the role consumers might play in authorizing distribution of health information where previously they may not have had that control because they were not the ones holding that information. And then in the looking at non-covered entities in the marketplace where we're looking at issues of personal health records and seeing there are not a lot of privacy policies out there, or ones that are not obvious or easy to find. There's the potential for lack of trust or for information being breached where the consumers didn't realize that the information was not protected previously.

Next slide. So this was his conclusion, his concluding slide here. So kind of bottom line, since HIPAA was enacted in 1996, there's been a technology explosion, including in the healthcare market, that the model for accessing and delivering healthcare has evolved and changed and may pose some new issues. There are these new noncovered entities holding vast amounts of health information that have surfaced. And that, so he concluded at the end of this that HIPAA has not changed which can mean one of two things: that it was designed to accommodate the changes above or that it was designed based on the 1996 environment and that there's still issues that need to be raised. And that's sort of where he was at. I guess any thoughts or input from folks on whether or not this sort of captures the changes or

>> Kirk Nahra:

Let me jump in to start. It seems to me that this is a useful starting point but it’s very much a starting point and still is going to need some pretty significant evolution. One of the things that jumps out at me is, I don't know, I'm not sure I would use 1996 as the relevant starting point. I mean, 1996 we have a law that says essentially there shall be privacy and security rules. Those rules don't exist until end of 2000, 2001 carrying on into the future where the Internet boom clearly was front and center on thinking about that. So I think that in terms of measuring sticks that's a little bit difficult. I think the other thing that’s important, from my perspective, it's obviously true there are non-covered entities that exist. We also, I think, knew there were non-covered entities in HIPAA as well, and that's one of the oddities of just how HIPAA arose. I mean NCVHS -- John, I saw your hand up, I don’t know if this is where you were going -- NCVHS spent a lot of time looking at healthcare providers who aren't covered by the privacy rules through essentially the accident of they don't use electronic transactions. I don't think that, if Congress had started with the idea of we need a privacy rule, they wouldn't have carved out providers who didn't bill electronically. They didn't start from that perspective. They started from a perspective that says we're going to have standard electronic transactions and if we're going to have those things we should have privacy and security for them. We've always had non-covered entities who had healthcare information. Again, this is I think going to be, we're going to start today talking about a working hypothesis which takes a little piece of this.
I think that once we get finished with that, that discussion, we're going to look more in detail into the questions of really how is this different looking at his, you know, last two conclusions I think his last two I mean the question at the end of his conclusion, which is it, is it HIPAA is good enough for this, HIPAA was designed to accommodate this or it's so different that HIPAA doesn't work, that's really going to be something that I think this group is going to need to spend a lot of time on and spend some attention to figure out those details and this is a nice starting point, but that's sort of all we have at this point. John, do you want to jump?

>> John Houston:

To dovetail your comments, and I want to say one other thing. If you read the preamble to the privacy rule, there was a lot of debate over the idea of who should be encompassed in the privacy rule, or what entities should be in. There still might be a gap between what entities have sort of arisen since, but there also needs to be some thought put into, or some consideration taken with regards to why entities that existed in 2006, 1996 or 2001, why they were carved out. So there was a lot of discussion about that, and I think we need to be mindful of that before we just sort of move forward blindly saying these all need to be encompassed into a comprehensive privacy rule.

>> Kirk Nahra:

Although a lot of that discussion was also we don't have a choice. We can't bring some of these people in because they're carved out by the law rather than, we might want to cover them, but we HHS don't have a choice on that.

>> John Houston:

But that reality still may exist. So we need to be mindful of that. And the other point I wanted to make relates specifically to slide five, the discussion of identity theft. There are two sides to identity theft that are meaningful. I continue to hear the comment about how information can be stolen if it's globally available. But I think equally the problem is that with a national framework and an architecture and information being globally passed around, that if somebody does actually walk into a provider and under a fictitious name or under somebody else's name, I should say, and get services, that information is then going to be associated to the wrong individual and then made globally available also. So there are two sides. And just sort of to clarify: if I walk into a provider and say I'm Kirk Nahra and they treat me as Kirk and all of a sudden my information becomes part of Kirk's record and then providers through the NHIN go and access Kirk's information to provide care to Kirk, the likelihood of some type of unintended outcome simply rises. So we need to be mindful of that part of the identity theft issue, which I think NHIN magnifies.

>> Kirk Nahra:

That's actually one of the pieces that I think is not in this discussion is that to follow up on your example, John, if somebody walked in, used my name, and a doctor five years ago, the doctor treats them, end of story, done. I might get a bill, but it's not going to get linked up to this record. So that integration piece is clearly going to be an important element. And I guess, from my perspective, ultimately going to be a more important element than to say the Internet is new. I mean the Internet, if you go back to 1996, you can see members of Congress basically saying there's this whole Internet thing, we don't really get it yet but we probably should do something about it. By the time HHS writes the rules, we know about it. We don't know everything about it, and there's clearly been some important evolution since that time. But everyone was using the Internet in 2001, and certainly with the HIPAA security rule, which is even several years after that, we had the Internet as a very important component of that. Don?

>> Don Detmer:

Just a couple of background points. I was chairing the NCVHS when we went through all this in 1997 and so forth. The history of the HIPAA legislation, mostly, was administration simplification. Congress really wanted to simplify all the bureaucratic overload and cost and waste that they thought was in the system. So this was a piece of really an objective of trying to simplify things.

>> Kirk Nahra:

And everything is simpler today, right?

>> Don Detmer:

Yes. But I think it's, and I don't think that Congress did actually, in fact they punted essentially to the Department to go the regulatory route through NCVHS, but did reshape NCVHS from being essentially focusing on vital and health statistics to being the national forum for looking at health information policy generally. In the context of that, started a workgroup called the NHII workgroup and it absolutely clearly did. It even talked about personal health records and that vision and all these sorts of things. So I think it's, although the Congress wasn't in the loop on all of this thinking, I think it's missing the point a bit to suggest that NCVHS certainly wasn't aware of these things, because that happened.

The other thing, I think was a nice review, but very U.S.-centric, and I think the other thing that's missing completely in this is that much of the developed economies of the world are moving forward very much in implementing things and we're sort of spinning on this circle and pin of how do we deal with confidentiality and security. And so I think part of our context is we're going to look at really rethinking HIPAA is do we want to essentially see the rest of the developed world continue to move forward with all the standards and interplay of that with us increasingly sort of being side-lined on those discussions. Or do we in fact see some merit to moving forward more on a global kind of level.

>> Kirk Nahra:

All right. Other -- Jill?

>> Jill Dennis:

As we move forward on this working hypothesis one thing personally I would like to know, and I suspect some of the rest of you would like to know as well, is what are those other entities now? In other words, what's new in the marketplace that wasn't new then? I mean when we talk about non-covered entities we can think about commercial PHRs and we can think about health information exchange organizations as being new, that aren’t really under the scope of HIPAA. But what else would be out there? I think that would be very helpful sort of as a backdrop as we're examining the implications of a working hypothesis to have a better understanding of the marketplace.

>> Kirk Nahra:

Sue?

>> Sue McAndrew:

I think my comment would be basically that in terms of his conclusions, it's not really going to be an either/or, that these things are not mutually exclusive. I think on many points HIPAA is designed to accommodate the exchanges that are envisioned here and it is a set of standards that can be built on. I do think there are certain gaps that HIPAA may not address at all, such as the entities that aren't currently covered, or where the way in which HIPAA addresses it is not really adequate for this kind of environment. And I think for instance the business associate model may not be wholly acceptable, even if some of these uncovered entities would qualify as a HIPAA business associate.

And the one thing that isn't really mentioned, although it may be implied, in terms of the changes in terms of the model of accessing and delivering healthcare services, I think the one thing that I've grappled with in trying to figure out how the current HIPAA rules would apply is in this networked environment and certainly when information may be moving between an EHR and a PHR and between a PHR and something else. Who owns this information? Where does this information reside? Who do we hold accountable for this information and for the disclosure and release of the information? Where is that point of liability and is it a matter that in the pull model that Jodi was mentioning does the doctor who is pulling the data in, does he replicate the data and keep it within his own control? Does he kind of look at it and it just keeps, remains resident wherever he pulled it from in personal health records? Are they pulling all this information in and replicating it in their own personal health records? I know there was some early discussion in terms of concern that consumers may actually want to do that because they're concerned that the record retention in the sources from which they're pulling this information may not keep the information as long as they want it. So I think there's a lot of issues about where the data actually is and who is responsible for it at many points in its life and that is something I think we need to keep in mind to figure out what entities do we want to hold responsible for this information and what kinds of responsibilities do we want to impose on them.

>> Kirk Nahra:

Other comments? I do want to stress this was very much a preliminary presentation and sort of a starting point for our discussion rather than, at least from my perspective, intended to answer all those questions. Any comments from anyone on the phone?

Let me do this. In the interests of time, we are going to skip our next item on the agenda, which is the NCVHS recommendations. You have a copy of a chart with your materials that sort of breaks out some of their recommendations. Let me tell you sort of why these are out there, and what we envision doing with them in the future, which is, NCVHS has obviously been working in this area a long time, far longer than we have and so one of the things that I've been working with Jodi and Steve on is trying to better understand what they have done, what they haven't done, where they've made recommendations that again may push some issues to us, where they've made recommendations that we think are finished, end of story. So we're trying to use their recommendations as part of our roadmap, mainly with an eye towards taking what we can from their knowledge and doing as much as we can not to simply just duplicate the same issues.

There's nothing that says we can't look at the same issue, but generally we want to try to reduce that as much as possible. So I do encourage people to take a look at that chart to look at the recommendations to say they didn't cover this topic or they started on this topic, they made a recommendation but we think there are some other pieces along with it. You can see some of the recommendations that are highlighted and I believe the highlighted ones are the ones that we've sort of flagged at this point as needing, perhaps areas where we can add more detail or definition.

>> John Houston:

Highlighted ones are the ones that NCVHS, the recommendations were couched in terms of something needs to be done in terms of investigating, and the ones that aren't highlighted are ones where I think there was some conclusion drawn by NCVHS, so that's the difference between the two. I think even the non-highlighted ones are still probably open for discussion if you felt like they were wrong in the conclusion that was drawn.

>> Kirk Nahra:

I'm not sure I'd draw the line exactly that way. There is a variety of different issues with this. That's why you have this document is to take a look at them, to refresh people's recollections. I had read their letters a while ago but this is certainly helpful to refresh my recollection on a lot of these things. And again as we're evaluating our next steps, we'd like to just have people thinking about these issues.

>>

Can I ask a question? I'm probably going to admit some ignorance there. But did anything happen to these recommendations? Did they get adopted? Did AHIC do anything with them?

>> Jodi Daniel:

As I'm aware, they were submitted formally from NCVHS to the Secretary. They wouldn't go from NCVHS to AHIC. So AHIC hasn't weighed in on these at all. We are looking at these for, to figure out where there are opportunities to incorporate those if the Secretary thinks they're worth incorporating or that we should focus on now.

>> Kirk Nahra:

We HHS.

>> Jodi Daniel:

We HHS, sorry, not this Workgroup. One of the things that we have stated is that we want to the extent possible where there are some conclusions drawn, as opposed to HHS needs to look at this further, try to incorporate those in some of the next steps of the NHIN trial implementations since this was about privacy and NHIN trying to use that to help scope some of that work that will be taking place in the trial phase to try to test some of this stuff out. So I think that there's a lot of opportunity for this group if there are, if there's an interest in some of these topics, to take them on. Obviously we have John here to help us figure out if there are some issues, to make sure we're not duplicating work, as Kirk was saying. And we also work with staff at NCVHS to make sure that we're coordinated. So I think there's a lot of room for us to choose to chew on some of these if we want to or not to. And if we don't want to, HHS will take them on as they see fit at this point.

>>

That's good to know. Because I guess I was wondering, when you say take them on, if we decide as a group we agree with them, we could presumably recommend, make them recommendations to be adopted.

>> Kirk Nahra:

Sure, I think that's a fair point and one that again I think we should just think about going forward. One of the things we're dealing with here is really a resource of the time of this, time and energy of this group, and we certainly, we don't want to duplicate, or if we’re going to duplicate we want to make a conscious decision that we want to duplicate. We don't want to duplicate accidentally.

I guess what I would take away from this and ask people to do over the next couple of weeks is take a look at this list. I'd like to see suggestions of mainly areas where we think there's something different for us to be doing. I'm certainly amenable to hearing, oh this is clearly a great idea, we want to suggest jumping on that as well. Even if it's a, is this something that the Workgroup agrees with. I don't know that I want to spend a lot of time, if it's something that we generally agree with, I'm not sure we want to spend a lot of time sort of documenting the fact that we agree with it unless we have a particular reason to do that. Again, I'm not averse but I'm not sure I want to go through, whatever, 26 recommendations and spend our time on agreeing with those. But particularly if there were things that, again, we look and say, oh, they've gone this far, we should look at the next step, or we should do this, or this raises in my mind this issue. I'd certainly like to hear from that -- so if you could -- hear from the Workgroup members on that. So if you could send those questions or comments to me or to Jodi or Steve, that would be great.

And again we were going to have a discussion about these today. My suggestion is that we not do that today. We're running a little bit behind, and I'd like to focus our attention more on the hypothesis today. But we'll clearly be coming back to these issues.

>>

Can I suggest if we have time at the end maybe to discuss the highlighted ones a little bit or to maybe frame them a little bit at the end, if we have time and we find we're running ahead towards the end?

>> Kirk Nahra:

I don't want to place too much emphasis on highlighting this. There hasn't been a lot of, I’m not sure how much discussion there was internally with you guys. But there hasn't been a lot of other discussion about what was selected, wasn't selected. I would look at that as a rough first draft more than anything else. All right. And other comments or questions on that point? All right, let’s do this. We are scheduled to take a break in a little bit less than an hour. Why don’t we at least get a good start on our working hypothesis discussion?

Let me give people a little bit of a sense of what this is. We've shared this with the Workgroup sort of informally, and I think people have had a chance to think about some of this. One of the things I've been thinking about a lot over the last couple of weeks in general, as we've been moving along and as a result of the changes on the committee makeup, we were looking for some areas where we could begin to take some, perhaps some bigger steps forward. And my suggestion to Jodi and Steve which has resulted in this working hypothesis is I've had the sense as I've listened to the people on this Workgroup over the last several months, we continue to come up with discussion points and comments about the wide variety of entities that are involved in this system who play a bigger and bigger role in this system who are not currently covered by the existing HIPAA privacy and security rules. And this working hypothesis -- which is, again, designed to be a discussion point. It's not a, it's not a recommendation yet. It's not anything more than a point to focus our discussion -- is designed to bring forward what I seem to be hearing as a -- I think generally people are going to support this idea. If I'm wrong I'd love to hear that. That's the point of our discussion today. That's sort of the goal of this. Let me just read this working hypothesis and again what I'd like to do today is have a little bit of discussion about people's reaction to it, areas of agreement, disagreement, areas where people say, oh, I'd like to know more about this. Here's a component of this and I may be sympathetic, I may not, I need more information. We could come out of this discussion with a recommendation. We could come out of this with a work plan for next steps. We could come out of this by saying we don't even want to deal with this topic. All of those are certainly possibilities.
The working hypothesis that's been distributed at this point: entities that create, store, or transmit individually identifiable electronic health information for purposes of clinical care or consumer management of such information should be required to meet enforceable privacy and security requirements at least equivalent to the relevant HIPAA principles, even if they are not covered entities under HIPAA today. That was the working hypothesis that went through a couple of different drafts. Obviously it wasn't something that was just spun off our tongues quickly. But the idea essentially was, and this is going to be a much more general way of saying this, the idea was there are entities that are clearly important and matter in this environment that today appear not to be regulated or not regulated with any particular consistency. We think that those people should be lifted up to the standard of HIPAA. Now, let me be clear on what this is not saying.

I think one of our next issues, if we move past this one, would be, all right, if and -- I'm going to do going to do this visually for people in the room. People on the phone will have to use their imagination -- we've got a HIPAA standard that's the baseline, that's in the middle of the page. We've got these non-covered entities that are below that standard right now at least in terms of legal requirements. We may find that some have voluntarily done more than that but in terms of legal requirements they're below that. So the idea of this recommendation was to lift those people up to the HIPAA standards. That leaves open in my mind very much for discussion by this group in the future whether we want the whole standard to be lifted higher. That's the is HIPAA good enough have things changed such that we want to do something more than HIPAA. I don't think this hypothesis says anything one way or the other about that question. So that's the idea, again, how we got started. I'd like to have some discussion today about people's views on this. Again, with an eye towards seeing if this is something we can move towards. If it's not, where are the areas of disagreement, where are the areas where we need some more information? Is that at least clear to people in terms of what our goal is with this? Okay. Let me with that open the floor for discussion. Jill?

>> Jill Dennis:

I'm going to go back to point I raised earlier, I think in order to move forward on this, first of all I agree with the sentiment, but I think to move forward on it, we really have to understand what are those other non-covered entities that are out there right now, because I suspect that there are some that are beyond the scope of providing clinical care or consumer management of the information that we may in fact want to reach.

On the other hand, I don't think anybody necessarily has an appetite for regulating consumers in how they handle their own information. But until we sort of understand what's out there in the marketplace, it's hard to sort of buy into limiters that say for the purposes of clinical care and for the purposes of consumer management, because I can think of some scenarios that really don't fall into either of those, but that this group might think are very important for some sort of privacy rule. I mean say let's say you've got a pharmaceutical company that uses a marketing research firm to do surveys of their customers that take a particular drug. Not for care, but for marketing purposes. What then can that marketing research firm do with that information? I mean, that might be an example of somebody that doesn't really fall into either of those situations but it strikes me that, wearing a consumer hat, I'd certainly hope that there were some limitations on what they could do with that information.

>> Kirk Nahra:

Let me react to that. That's an interesting point at a couple different levels. One is we definitely did struggle with that language on clinical care and consumer management, and I don't think, correct me if I'm wrong, I don't think that was intended to be particularly limiting, I don't think it was intended to carve out people, saying here are people involved in the system we don't care about them. So we can work with that language. And I certainly don't have any problem with that.

The other point is maybe we need to get more information about who might be in this category. I hear that. The third point, I suppose, is what, the way I've thought about this system is, you know, people putting information in, people taking information out, people or entities that are storing this information. I'm not sure I think about, to use your example, a pharmaceutical company as being one of those players. They're someone who is more affected by what the disclosure rules are in and out of that system. I don't know that and maybe I'm just wrong about that. I don't know that a drug company would be putting information into the NHIN or anything like that or directly taking it out. They might be interested in that data and they might be interested in rules that say it's okay to share de-identified information from the NHIN from pharmaceutical companies. That's another question is whether they would even be in that category. But all good points. John?

>> John Houston:
Kirk, since I know you were on the call yesterday with the NCVHS privacy subcommittee, this -- were you on the call? No? Who was on the call? I thought you were on the call for some reason.

>> Kirk Nahra:

No, I was not.

>> John Houston:

I apologize then. I thought I heard your name on the call.

>> Kirk Nahra:

That may have been true.

>> John Houston:

Sorry about that, then. I apologize. We are going down this road of putting together recommendations on this point right now, and I apologize, when I was listening before I was really thinking about the subject rather than that there’s already been two or three rounds of testimony in front of the privacy subcommittee on this and frankly, the recommendations that I think we are talking about today are really close to the recommendations NCVHS is prepared to make pretty soon. I'm looking at Susan and she's leaning her head a little bit.

>> Sue McAndrew:

Well, I haven't seen the latest draft. I guess there are two parameters that may be different.

>> John Houston:
Yes.

>> Sue McAndrew:

One is, to the extent the intent of this is clearly to be within the NHIN box, even though it is not explicit in the hypothesis. That the entities we are talking about are only those that Kirk, you kept referring to, are players in the system, are participants in the system. And that system being the National Health Information Network. The NCVHS recommendation, while starting there, it seems to me was always fuzzy, if not explicitly intended to go beyond just those that were participating in the NHIN.

>> John Houston:
Yes. In one sense yes, but it goes to the same issue. There is a whole group of non-covered entities, group of entities out there for which there is no privacy framework

>> Sue McAndrew:
Right. For instance, this would be the difference: to the extent the NHIN letter wants to take a position with regard to all uncovered providers

>> John Houston:
Yes.

>> Sue McAndrew:

and make a determination as to whether or not they should have HIPAA or HIPAA-like privacy standards, that is where I see that letter going. Not all of those players are going to have any interests in being these entities.

>> John Houston:
You are absolutely correct. But I think there is a large number of players who have a great desire to get at information that, could they I guess, if you only scope this letter to be the NHIN, then I agree with you, but there is still an overlap of groups that have an interest and would be covered by the same type of recommendation. I will give you, by example, athletic trainers is one group that are not covered entities. Looking at, I'm looking at the letter right now. Medical spas, massage therapists, home testing laboratories. Things like that that, you know, maybe they are, maybe they are not part of the NHIN. They are not covered by anything today. We have heard from them. There is going to be there needs to be, I think, in some peoples' eyes, privacy and security standards for those groups. So I guess this is maybe more, a little bit more narrow than what NCVHS is looking at. Maybe the other way to look at it is does that consume what we are trying to do here?

>> Kirk Nahra:
Let me ask you this, John. Is your concern are you making a point of information?

>> John Houston:

Yes.

>> Kirk Nahra:
Are you concerned are you saying let me give you a couple of options and see how many of them are right. One is, is this information? Two, is it a suggestion that we not go in this direction? Three, is it a, information for the purpose of avoiding inconsistency? Four, is it information for coordination?

>> John Houston:

I think it is some of all of those. I don't want to see inconsistent recommendations. I don't want to see a lot of duplication of effort either. And my fear is that there's been a fair amount of effort to scope the issue in the broader sense by NCVHS to understand all of these different outliers, and their needs for information, as well as maybe other rules that apply to them. I will give you a great example. When I talked about the Athletic Trainers Association, athletic trainers, they are often covered under FERPA. And the thing we heard very clearly out of the representative of the National Athletic Trainers Association was, hey, I need to know what I need to comply with. You know, if it is HIPAA, great. If it is FERPA, great. But at times I'm left wondering, what are the rules that I need to comply with. So there is, you know I guess I'm giving this as information. But I also don't want to duplicate or make inconsistent recommendations too. And I don't want to see us to spend a lot of time something where you can leverage what's already being done.

>> Kirk Nahra:
One of the points, I guess, for the working hypothesis, and this may be a little inconsistent with what Jill said, but one of the questions is whether this idea, subject to whatever discussion we are going to have and whatever amendment we're going to have, is something that this group agrees with, without the need to spend a lot of time and resources on it.

>> John Houston:
Good point.

>> Kirk Nahra:
And I don't know the answer to that. It may be I mean, for example, I guess what I heard Jill saying was, I don't know if your word was sympathetic or supportive. You had some positive word but not sure of the full scope of this. Well, we could adjust this to basically, you know, punt or preserve the ability to expand that clinical care or consumer management piece and really focus on that one issue of, all right, who else is out there, if everyone agreed with the rest of it. There's a whole bunch of points in here, if we agree with nine of the ten and we want to focus our attention on one of the ten, that dramatically reduces workload, resources, those kinds of things. That's what I want to try to flesh out today, if there are people on the Workgroup that say, absolutely not, those noncovered entities are not covered for a reason and darn it, they shouldn’t be, then we have got to have more discussion. I haven't at this point heard anyone say that, but that's the kind of thing I'm looking for.

>> John Houston:
To your point, I agree with Jill. The touchpoint is those entities that want to participate in the NHIN in some way. Maybe that needs to be the scope. But having said that, one of my cautions is that we also, even if we decide we can all agree upon a recommendation today, I would have a little bit of a fear that we would, I apologize for saying the next word, naïvely come to the conclusion that if we don't investigate it, may find out that, has more depth to it than we thought and discussed and so, when our recommendation is formed it doesn't take into consideration some of the things that we need it to. That's another caution is, is

>>
If I may offer a suggestion. I think what the Workgroup did last time, and I was looking at from the outside, was pretty successful in saying, we are going to look at this identity proofing problem and see what we can do to provide specific recommendations around that. I would suggest that we take this hypothesis and maybe pick one or two areas. Say it be personal health records, say it be health network organizations like RHIOs, etcetera, and look at how we can make specific recommendations around those two entities. Because I think that if we start out too broad, we are going to be hearing testimony for months and months and months and might not advance the entire goal of what this Workgroup is trying to do in the short term. So be interested in your thoughts on that sort of concept.

>> Kirk Nahra:
Again, I guess what I was, what I was hoping to try today may not work. And I fully accept that it may not work. What I was hoping to try was whether there was an opportunity to move forward in this area without the need for months and months of testimony. We may find that's just not the case. Again, I'm perfectly amenable to that. I didn't want to assume that we needed to take testimony on months of this. If we need to, that's, again, fine. That's I guess what I'm interested in. I would like to hear, I guess what I would be interested in hearing first today let me try to just focus this a bit is people's reactions to the substance of this point. I agree with parts of it. I don't agree with parts of it. I don't understand this part of it. Those kinds of things. So we get a sense is of where, if any, there are areas of consensus on this group, where there are areas of significant disagreement. Then I think we look at, what's the game plan with that background.

>> Paul Uhrig:
This is Paul, I will use Jill's words. I think I agree with the sentiment. I think the words are the spirit of this. What I'm struggling with a little bit is, to me, it falls into three buckets. It is you’re a covered entity, you’re a business associate or you are none of those two. And, I mean, I think to highlight a point that Susan was making, what I don't have clear in my mind is how many are in that final bucket of neither a business associate nor a covered entity. So, you know, I just don't have a sense of whether that's a lot of people or a few people.

The other question, and I don't know what sense others have is, if you were to assume, and I acknowledge it is a bad assumption, that everybody is either a business associate or a covered entity and I know it is a bad assumption but let's just make does this issue go away? Does the concern go down, or is there still an issue to be discussed?

>> Kirk Nahra:
Sure. And let me jump in on a couple of those things. One question I have, Paul, on your first point is, we can certainly look at how many, how often, how broad, how many varieties there are that fit into your -- I can’t remember if it’s your first bucket or your third bucket, but -- neither covered entity nor business association. One question I have is, how much difference that information makes. I mean, from my you know, we know there are companies who offer PHRs directly to consumers and therefore would be neither covered entities or business associates. We know that from Yuriy's review. We know that, I think, from just our own experience in the marketplace. So whether that's 1 percent of the market or 10 percent or 80 percent of the market, I have a question in my mind, not a conclusion, as to whether it is worth spending time and effort to define that or do we say, whatever it is, we want to make sure there is some standards for those people. That's a question in my mind.

The second part, and again I think there is an assumption in this hypothesis, which is an assumption I think I agree with, but let's be explicit, which goes to your second bucket on business associates. My view is, I have paid more attention to the NHIN and these integrated, RHIOs and things like that, is that I think Sue said something like this I don't think the business associate model works very well because, what it does, is it takes business associates from being peripheral players to covered entities and turns them into being the central players. And I think in that environment, the central players should be subject to direct, enforceable standards rather than solely a breach of contract by an if I'm a RHIO and I've got, I don't know, 1,000, 10,000, 50,000 providers and I'm in theory a business associate to all of them, I think there are real issues about who's the one that's going to have the breach of contract case or who's going to be able to enforce that. I don't think that model works very well. Now we could certainly have testimony and take evidence about that point. And again, I'm perfectly amenable to doing that. That's a view that I have that's clearly implicit in this hypothesis, and I want to flesh that out. If people are of the view or want to explore the question of whether the HIPAA enforcement process works well enough for business associates today or what would work with business associates, again, I'm happy to have that discussion. I just don't know whether we think that or not, or whether people think that or not. John.

>> John Houston:
Enforcement’s probably another black hole that we, I don't know if we even want to touch right now. But, you know, again, maybe what we need to do here is also, and I know we talked about this a few minutes ago, is make sure that there is a clear scope to this. I like the fact that if we say Susan had indicated, this is purely related to the NHIN. That makes the recommendation cleaner, if you incorporate that into this hypothesis. And if you do that, then I also think it makes it much easier to look at who would need, this would have to apply to, because in my mind it becomes simple: if you want to participate in the NHIN in any way, shape or form, then

>>
Price of admission.

>> John Houston:
price of admission, thank you. That's a great way to put it. Then we don't have to worry about getting caught up in this is it clinical care, is it consumer management

>>
And what do those terms mean.

>> John Houston:
What do they mean, am I a business associate? If I touch it, if I'm getting, if I'm granted access to it through whatever architecture is arrived at, then that is my price of admission, is I have to comply with these rules.

>> Jodi Daniel:
I was going to respond to that, John. I think that one that makes sense from the standpoint of scoping this, two, from the standpoint of not I don't think that would be duplicative of what NCVHS was talking about because they were looking at this issue more broadly. And three, I just wanted to focus folks on, we have a charge for this Workgroup which really is focused more on electronic health information exchange and NHIN. And I think that would bring it within the scope of this Workgroup appropriately, as well as making it more manageable. So that seems like a good

>> Kirk Nahra:
And I guess the other piece is, I think that was implicit in this but not explicit in the words. I think it is entirely consistent with what's here, but I wouldn't have any objection to that at all.

>> John Houston:
I think at times, you know, it is not clear what the scope of the AHIC is. So using the magic acronym NHIN is still helpful in whatever we do to make sure it is clear what the scope is. Because some people will misinterpret the scope if you don't put it there so

>> Kirk Nahra:
Okay. Let's use that as a starting point. If we adjust this hypothesis to have that limitation, which again, I think -- we haven’t done the wording, but I think that would limit part of the scope. We would also probably then be able to eliminate the idea of that clinical care/consumer management idea, would probably also at least reduce the importance, maybe not eliminate, but reduce the importance of Jill's original question, who else is out there? You know, it is the price of admission. Whoever you are and, again, my sense is that that wouldn't necessarily be the drug companies but that's a different, you know, I'm not sure about that. But if they want to be in or they are permitted to be in, they would have it to meet those rules. What do people think about that, again for discussion? Deven?

>> Deven McGraw:
I think I like that caveat. And I also agree with the spirit of this. And I think the other two pieces of it that concern me in terms of wordsmithing, which is the enforceable privacy and security requirements. I was not sure what the adjective was in there for. Because one could read it to mean only those that are enforceable. And currently if you're not covered, in fact, none of them are enforceable. So I just want to get some clarification on what we mean there, and also the relevant HIPAA principles. Again, these are sort of words that you end up litigating over

>> Kirk Nahra:
Well, and let me

>> Deven McGraw:
to get out of it.

>> Kirk Nahra:
Absolutely. And let me tell you what I at least envision by those. Enforceable means, at least from my perspective, you have to follow them. There is, the government can tell you you violated a rule, you violated a law, etcetera. So I would not, I would not include in that the trade association of the independent PHR vendors standards for effective privacy protection. So something that, again, can be enforced by a government, you know, regulatory entity. Something like that. That would be my sense of what enforceable means.

Relevant HIPAA principles, you know, I'm not sure that I want everybody who touches anything in the NHIN to have to give a privacy notice to every patient who is so there are pieces of HIPAA that I think don't necessarily translate. Without having given a lot of thought of this, I think we are it mainly talking about security standards, we're talking about use and disclosure limitations. Maybe we are talking about individual rights, although I think that gets tricky also because, you know, who is providing the individual rights. That's an issue, that's an issue that comes up, I guess, independent of this issue. Let's assume the people are all, go back to Paul's hypothesis, it is all covered entities and business associates. There is a real question in my mind as to how some of the HIPAA details work out in that situation. Who gives the amendment right, who gives the access right, who is keeping track of every accounting. A lot of things don't work very well in that integrated environment. So that's the idea of relevant HIPAA was, things that make sense in that context. We could, we could have our next set of activities be, let's go through HIPAA and figure out what's relevant. I don't have any objection to doing that. That again was the idea. There are some parts of HIPAA, you know, I mean, I have dealt with HIPAA a lot for example for clearinghouses. And we all know clearinghouses are defined to be HIPAA-covered entities for reasons that go back to administrative simplification. It's never made any sense to me for a clearinghouse to be giving a privacy notice. Who do they give a privacy notice to? They don't have any customers. So they are subject to those rules but they are not actually, they cannot be subject to some of the pieces. That's I guess the idea of those two

>>
And they don't have to give the notice.

>> Kirk Nahra:
But it is an odd you have carved that up in certain ways. We would be, we are doing the same sort of thing. It is not just a translation of HIPAA, word-for-word, directly. Here is HIPAA, give it to you, but we have got to figure out what pieces are

>>
Go ahead.

>>
I would just want to hear, and maybe a little bit from Jodi in terms of the and this may also depend on who gets to pick and choose what's relevant from HIPAA for these entities, is who your definition of enforceable standards as being government-enforceable standards. And I just wanted to explore a little bit, because it's always been my thought that one of the AHIC principles was market-driven entities and RHIOs and all of that. And what

>>
Certification. I think the whole point of this is having certification of EHRs, PHRs, networks, etcetera.

>>
To what extent the market or the business governance of these entities can create these kinds of enforceable standards.

>> Jodi Daniel:
This is just from my perspective. I, you know, when I see enforceable, I think that they are, you know, laws are one approach to enforce these practices but there may be others. We are working very much toward, you know, industry practices and certification, as Jeanette had mentioned. And in fact we are also looking at certification for, or working with CCHIT on certification for networks, the network service providers. So there I mean, I think that's one. I think there are different possible approaches for enforcement, you know. It is possible that there are more comprehensive privacy laws that are passed either at State or federal level, but it may not be. And I would think that we should be considering a variety of approaches to what that means for enforceable and how we can do that.

A couple of other things though that I heard, you know, when Deven said, well, what's relevant mean and how do we define that and who defines that? I think Jeanette's suggestion of, if we go with a working hypothesis and maybe we keep that going for a while before we make a recommendation, is we use that to look at particular types of entities. Then we can figure out what might be relevant in a particular context. Because it may be, as Sue was saying, some of the rules may work and may not work, depending on who the entity is, if it is a new kind of entity, to saying that HIPAA protection should extend to networks. Well, what does that mean because there are different types of entities and they have different uses of the information, and does it really translate? So I think in order to define relevant, my view would be that you need to look at it in a context of a particular type of entity, because I don't think it is an obvious direct correlation, although it does, the hypothesis, without looking at it in terms of particular entities, does leave that ambiguity, at least the way it is written.

>> Kirk Nahra:
John.

>> John Houston:
A comment actually two comments. The first being, if we do scope this to be any entity that wants to participate in NHIN, it does sort of, in my mind, make it somewhat simpler in a way of, because you can impose rules. You know, nobody has to participate in the NHIN. And so in one sense you could say here are the rules that if you want to participate, and they don't necessarily need to be statutory. Maybe someone will tell me I'm wrong, but I would think they don't have to be statutory at that point in time.

>> Kirk Nahra:
The "you" is interesting. You can impose rules

>> John Houston:
NHIN can impose rules that, I think it might be maybe easier to arrive at rules because they can be done on a, if you don't like them, you don't participate. And I guess if it creates a standard of care then it becomes more problematic because people say I have to participate, but

>> Kirk Nahra:
I think that's an interesting point. I mean, the other piece is, having standards I mean, I'm going to make a big assumption which is, I'm going to assume we all think there should be standards of some kind. Then there is a question of, all right, let's say I want, I'm willing to participate so I accept your rules. My neighbor does not like them and is not going to participate. But I'm going to accept them, but then I'm not going to do them. That's the enforceability part.

>> John Houston:
Absolutely.

>> Kirk Nahra:
That's where I think this hypothesis included both of those. It should be required to meet specific standards and that they be enforceable. So both of your

>> John Houston:
Or that they be enforced. Enforceable, I think the nuance of what enforceability means, and I have the same reaction. We should never put a rule in place unless it is enforceable. We should never say there is a standard out there unless there is some expectation that it will be enforced or is of at least a, is written in a way that allows people to be able to comply with it. And, you know, if it is some motherhood and apple pie statement about the privacy of data and it goes when I read the word enforceable, I take that as like, you know, everything should be enforceable if you are going to put it down and

>> Kirk Nahra:
Let me stop you there, John, because it seems to me you're raising two points.

>> John Houston:
By the way, I'm an attorney, so I think of things as very black and white in this regard so maybe it's

>> Kirk Nahra:
Enforceable, enforceable from the perspective of the entity whose behavior is being looked at means I can understand what I'm supposed to do. Mother and apple pie, you know, be protective of privacy and security is both hard for me to figure out and hard for a government person to say you breached it because it is not clear. It is not as specific. It is not and that's an important piece of it. The second part is, and again, what I envisioned as being part of this hypothesis is someone, I said government but maybe that was too much, has to have the responsibility for doing that.

>>
For enforcement.

>> Kirk Nahra:
For enforcement.

>>
Right.

>> Kirk Nahra:
So, I mean, I guess we could say to mean again I don't want to do too much wordsmithing now but conceptual being there should be standards people have to follow, and there should be someone who is assigned the responsibility for making sure people follow them.

>> John Houston:
That's much cleaner, and I agree with that. I have one more point, and I know I’ve sort of monopolized some of this conversation. The other component of this I think we need to be mindful of is that there will be certain entities, certain government entities, that will look at this NHIN as an opportunity to do, not just governmental but many of them are governmental look at this as an opportunity to get at data, public health, vital statistics. People will look at the NHIN as a great opportunity to mine data for a variety of non-treatment-related purposes. As well as, I think you will also see entities like law enforcement agencies looking at this as an opportunity to get information that they would otherwise have to subpoena but may be able to avoid a court order or subpoena process to get at it. So you never know I see Susan McAndrew wincing but I think if people are we just have to be mindful of the scope of this, too, also is going to include other types of entities such as governmental entities. And we need to make sure that there is also some understanding of what their rights and obligations are to

>>
I guess with respect, and I think public health and research probably come closer than law enforcement. But whether there is

>>
Agree so

>>
whether there is a line between who's a participant in the NHIN and who is simply a third party coming in and extracting, the way they would now, asking for the disclosure of information as opposed to having the right to actually just pull it, which I see is the essence of being a participant. Some automatic right to pull.

>> Kirk Nahra:
Other thoughts at this point? Don?

>> Don Detmer:
I guess I have no problem with it as a working hypothesis. I guess the question of course, is that we've got a lot of working hypotheses we need to put on the table if we take this approach and then work through each of these. I think probably saying, yes, it is a good working hypothesis. Let's have staff work out some of these. Let's try to get another set of these working hypotheses out as working hypotheses and not try to smith them right down to an action, if you will. So it is actually going into reverse a little bit, what I was hearing you suggest earlier. But I'm comfortable as a working hypothesis, but I'm not comfortable with all the other things on the list that we also probably ought to get to.

>> Kirk Nahra:
You are not comfortable with not having them on the list or you are not

>> Don Detmer:
No, I'm comfortable with the working hypothesis, but I would like to get other hypotheses up there too that we can work at so I look at these in a context of a set of issues and say, okay, which would I think is, get this one running sooner instead of later. This needs a lot of staff work because it has a lot of implications, and try to actually not do these sort of one at a time.

>> Kirk Nahra:
Let me

>> Don Detmer:
It is more a matter of process, I guess.

>> Kirk Nahra:
And let me talk about that. I have had some concerns, and I know I'm not the only one, about two things. One is how do we get our arms around this really difficult set of issues. And two, how do we make progress? And on the one hand I think that almost every issue we could let's use identity proofing. We started with identity proofing because there was a sense that it was a small piece that we could get started on, make some progress, you know, have some quick achievements. And while we have made a set of recommendations and I think they were useful recommendations, we have also found as we have drilled down we are nowhere near the end of the discussion on that particular topic and we could be here, you know, next year still talking about identity proofing. And our original assignment, or our original effort was identity proofing and authentication. We got nowhere on authentication at this point. So I think that we need to balance our need to make progress with this complexity and, you know so again, my suggestion with this particular working hypothesis was, I thought it was a relatively big picture idea of importance. Recognize that there are people in this system who are not currently covered by existing privacy rules and make a statement that we think they should be.

There were a variety of other potential hypotheses of similar big picture nature where it was not at all clear to me whether we had anything remotely resembling a consensus. So I didn't suggest a working hypothesis for areas where I didn't really think we had views yet. In my mind, again, in my mind, solely as I looked at this over the last couple of months, I look at the two single biggest ideas being, what do we do with people who are not regulated now and what do we do with people that are regulated now, essentially. Do we need something new for people that are inside the scope of HIPAA? I don't have any idea where this group is on that second question yet. We have not really talked about it. It has not really come up, other than peripherally in our discussions. I was not prepared to throw out a working hypothesis on that issue, because I'm not sure what it would say now. I think we're going to have to get to that issue. So the idea was, let's try this one out to see if an area where, again, what I heard

>> Don Detmer:
I support that.

>> Kirk Nahra:
Yes, I know, I understand. Let me, again, when we sent this out for an informal reaction, I think everyone we heard from had the same sense of sympathy or, you know, generally supportive. Okay, so I think we can make some progress on this one. We can, we have clearly got some areas of important, you know, of discussion, we need to deal with, but I think we can make some progress on this one in the relative short term. Now, I guess Don, to go back to your bigger point is, do we have that as one track where we are trying to wordsmith or trying to get new information and, at the same time, try to do two, three, four, five others. I'm not sure we are capable capable is not the right word I'm not sure that the existing resources, staff, time of this Workgroup is going to let us do that.

In a perfect world, sure, we could have 25 of these and we would be meeting every day for, you know. That's not So that's my concern. And I would like to see some areas where we could make progress. And again, if we look at this and say, you know what? We have got five major components of this where we need days of testimony on each one of those before we can move forward, I'm okay with that answer. I just want to throw it out and see whether we could sort of get past those things. Other questions or comments at this point?

All right. Let's talk for a few minutes. We have 10 minutes until we are scheduled for a break. Let's talk about what we should do next on this, on this particular hypothesis. We also have some time scheduled later for this, but let me just throw this out. We clearly, based on this discussion today, can revise the language. I mean, is there anyone who thinks we should not at least do that? Anyone on the phone? Okay. Now, the next question is, should we plan for information gathering on any of the topics that we have discussed today. And information gathering can be putting out a call for information, it could be setting up a testimony hearing next time, anything like that. Are there areas like that and, if so, what are they?

>>
John, I want to know what are these potential non-covered entities that would be participants in the NHIN that, as a way of setting context for this hypothesis. And I have no problem with the reworking of it. I think that's a really good idea. Sort of as a price of admission, this will apply to all. But we need to know who they are and what purpose they are going to fill in that NHIN, I think.

The other thing I think we need to do is then break it down with HIPAA and say, okay, what from HIPAA should logically apply to these different categories of participants in NHIN. That's

>> Kirk Nahra:
Maybe that's a good way to think about it. It seems to me we have got, we have got a working hypothesis that we know has some components that need further definition. That last point you made goes to the relevant idea. And maybe we combine your two points as we say, we have got to understand who these entities are and what they do before we are able to assess what's relevant. I don't so maybe that's one of our next again, if the working hypothesis is the heading, subcategories are work on relevant, work on enforceable, whatever else. So I'm not sure that's necessarily we can gather that information without it necessarily being an impediment to moving forward on getting the hypothesis straightened out. Other thoughts on areas where, areas relevant to this working hypothesis where further information should be gathered? And I don't mean that this is the only chance people have to give us that information. Anything else that comes to mind for people right now? Anyone on the phone?

All right. Why don't we do this: I will work with the staff to refine the working hypothesis, the language of that. Again if people have specific wording, be happy to hear it. We will also look at some of the suggestions for next topics and think about whether that's testimony or whether that's gathering information or what.

>> Steve Posnack:
I was just going to suggest, I think to Jill's point, we can come up with a short list of who the who is, and send that out to Workgroup members, either to add to or subtract based on their experience. That might help. We could probably do that behind the scenes at least to get a short list. And then from that, you know, it is helpful to us as staff to know general directions that you would like. So if health information exchanges is one of the whos not to get too Dr. Seuss-y if health information exchange is one of the whos, then we can call in a couple of those people and apply the working hypothesis to that and, you know, discover what the relevant pieces are and go through that type of process. I think that's what Kirk was talking about in terms of the combination of both. You know, and if PHRs are another we can pull in those people and say, then what is the relevance to those people as well. So we can put together a table, probably would be the best.

>> Kirk Nahra:
All right. Any other thoughts for the time being? Again, if you have thoughts following this meeting, please just get them to Steve or Jodi or me, hopefully in the next few days.

Why don't we do this. It is on my watch 12:40 essentially, a little before that. Why don't we take a break for lunch? We will start up again at 1:30, meaning I would like people back in the room before 1:30 so we can get the call back going at 1:30. All right. Thank you.

[lunch break]

>> Kirk Nahra:
Judy, can we go ahead and get back on board? We are going to get started, everybody.

>> Judy Sparrow:
Jennifer?

>> Jennifer Macellaro:
The phone lines are all still open.

>> Judy Sparrow:
Okay. Great. I think we are ready to begin now. Turn it back over to the chair.

>> Kirk Nahra:
Good afternoon, everybody. We are now going to turn to, I guess the next item, not numbered, but application of our working hypothesis to the personal health record environment. Let me turn this over to Jodi before we get started.

>> Jodi Daniel:
Welcome back, everybody. We had, in looking at how to proceed with this Workgroup discussion today, we knew we wanted to talk about the working hypothesis, but we thought it would be helpful to at least talk to, about one type of noncovered entity or entity that may not be covered, or that may not have been thought about in the time HIPAA was drafted. And since Jeanette Thornton participates in our Workgroup, we figured we had a valuable resource right here that we could tap into to talk about personal health records, since they have recently been looking at personal health records for health plans, or health plan-sponsored personal health records, where those personal health records may either be part of a covered entity or business associate of a covered entity or the like, knowing that there are also some PHRs that may not be covered or might not be business associates. So we thought it would be helpful to have Jeanette just give an overview of what they are doing and some of the privacy issues they were looking at both from what would be covered under HIPAA and some of the other privacy principles they were talking about, and so thought it might help to focus our discussion on the working hypothesis to look at a particular example. With that, I will turn it over to Jeanette.

>> Jeanette Thornton:
Okay. Thank you. Now I'm not going to talk for two hours so hopefully you'll bear with me here. And I wanted to talk a little about what Jodi mentioned, personal health records. I don't know how many of you would actually admit to watching "American Idol". I personally will not, but there was a commercial on “American Idol” last night, for those of you that caught it, a particular health plan offering a personal health record and talking about security and privacy. I thought that was very relevant. You’ve probably also seen ads in the Washington Post, etcetera, about personal health records. So it is obviously an extremely hot topic to date.

So I'm kind of pinch-hitting for Tom Wilder, who is in Australia this week, lucky him. But I've been working a lot on operational issues regarding personal health records that are offered by health plans. So we really appreciate the opportunity to talk to all of you today. You know, we have realized and we have talked to a lot of consumers, consumer groups, and done a lot of focus groups on personal health records. And we know that consumers will not use a personal health record unless they can trust that their information is going to be secure and be private. So we really value that, and we have been doing a lot of work in looking at various issues related to HIPAA and how it applies to PHRs, as well as State privacy laws, which have a lot of implication to what we are doing as well. We are also partnering with the National Health Council. They are a group that represents people with chronic conditions and looking at how can PHRs be improved to really make sure they're meeting the needs of people we think will benefit the most from them, those who are suffering from chronic conditions.

So I was asked to answer five questions in my remarks today and I will be going through that. Some of them seem more common sense than others, so if I see some yawning, you can push me on or you can interrupt me with questions, I think that's perfectly okay as we go through this. I think that we all are operating under the assumption of what a personal health record is. Is there anyone here or on the phone that doesn't have a good understanding of, when I say a personal record, what that is? I think it is a good starting point. Haven't seen them enough over the past year or so. Good. That's a good way to start.

Well, health plans are using information that is collected through the processing of claims and administrative data, as well as information that is self-entered by consumers to populate a personal health record for use by consumers. Now, of course, that personal health record, because it is being offered by a covered entity or by a health plan, is covered by the HIPAA requirements. Of course we believe this applies both to the information that is derived from claims information, as well as the information that is self-entered, if the consumer chooses to, by them. Of course I think that's sort of basic framework to the PHR.

We also firmly believe that the PHRs should be owned and controlled by the consumer. I think that's really an important point. So when you are looking at family member access or provider access, it really should be up to the consumer to decide how they should do that. And most health plans have set up some sort of process to allow an individual to take their PHR and give access to a provider, either in a paper environment today by printing it out or in some ways more sophistication in terms of sending it to a provider, or giving access to a family member who may be taking care of you or have an interest in helping you manage your care. So that's another point.

Now, we also get the question about sort of how the HIPAA security requirements apply to, you know, whether or not a health plan can get access to the information in a PHR. And it is important from a trust perspective that that information is secure and the consumer has notice of how that information is used, shared, disclosed, etcetera. We are aware of several examples because the health plan that AHIP used, had electronic PHR available to them, where there was information that was not correct in the personal health record and there needed to be a process put in place for the information to be corrected. So that's certainly one area where health plans would help a member in terms of getting the information in the PHR corrected.

Another thing that you are seeing a lot in personal health records is the application of sophisticated analytical techniques to take information and do different alerts, drug/drug interactions, etcetera. This is an area where health plans are using the PHRs, providing, doing some analytical analysis of the information to provide a tailored service to the consumer based on what their needs are, what information is in the personal health record.

So this is some examples of how HIPAA applies to these personal health records. Now, for the PHR vendors who are providing, in most cases a health plan would outsource this to a PHR vendor, there would be a business associate agreement in place that would govern those types of arrangements. And of course you are all familiar with those HIPAA requirements.

Another important area that I know that OCR has been asked in terms of a recommendation for the Consumer Empowerment working group to look at is how does having information electronically available in a personal health record affect the HIPAA privacy rule provisions for amendment or correction of protected health information? What's being done in this area right now really does vary across health plans. Whether or not you can do this electronically, online, or you have to go outside of the personal health record and do some sort of other error correction. But we do feel that all personal health records need to have this process in place, of course consistent with HIPAA, to allow for information in the PHR to be amended, corrected, etcetera.

Also important to the HIPAA requirements in personal health records is record retention. And another thing is part of looking at sort of what some basic privacy and security principles should be. We get asked a lot, in terms of talking with consumers, that people don't really want to have to recreate their record from scratch. And it's important that there are specific record retention requirements put in place for the information and the consumer is aware of what those are so they are not losing information and having to reenter their information from scratch. Those are some sort of applications of HIPAA specifically to personal health records.

And I'm going to talk next about what we did as an industry and how it sort of takes this to the next sort of step. We worked with the Blue Cross/Blue Shield Association to develop two things. One is a standard set of information that consumers should see in a PHR that's offered by a health plan. We are calling it a model. It is basically 100 or so or more data elements that a consumer should see in their personal health record so that there is consistency between health plans in what they are seeing in their PHR.

Another thing that we did as an industry was say, you know, we understand that people are often changing health plans because they change jobs, their employer makes a choice to change, they are in the federal benefit program and they are, during open season they are changing plans. So we developed a standard so that a consumer could pull their information that's in their PHR, with their consent or with their approval, and take it with them to their new health plan. This brought up a lot of issues regarding privacy and security, and so we decided to form a working group with health plan legal compliance technical experts to look at what would be the legal operating rules for doing this transfer of information between health plans if the consumer says yes, I don't want to have to retype my information, I want it pulled with me when I change plans. There is a lot of HIPAA implications here. In looking at this, we determined, in working with an outside counsel, that this transfer and I'm going to look at my notes here can be considered healthcare operations because it relates to population-based activities related to improving health, reducing healthcare costs, or related to the replacement of health insurance or health benefits. And because this was a transfer between health insurers and it was a healthcare operation, there was no requirement for a business associate agreement. However, because the PHR market is evolving and this is really a new service for consumers, a lot of consumers are not familiar with the PHR, and we want them to really trust that their information in their PHR is under their control. We decided to op, to implement an operational requirement while, even though HIPAA under healthcare operations wouldn't necessarily require it, that it is really important that the consumer first approve this transfer and say, new health plan, I think, I approve you, requesting my information from my old health plan so that I can build up a record over time. 
So that was a really key point that we thought was important when we worked on sort of our, the policy requirements.

Another important point related to HIPAA that I talked about earlier in terms of, you know, and this, sort of this consumer approval is a huge issue that's been talked about a lot in terms of PHRs, etcetera, and terms of the NHIN and opt-in and opt-out, etcetera. Certainly since PHRs are such a new concept, and I think, Mark, I think the I'm trying to think of the survey data. Something like under five percent of people today only have a personal health record. Don't quote me on that, but I think that's kind of the reality of where things are at. You know, this is really a sort of new and evolving thing, and there is a lot of areas we don't know what the best policy requirements are yet just because the marketplace and the vendors are just changing so fast. There is lots of innovation going on, lots of changes.

We certainly also felt that because of that, you know, if you are pulling in information into your PHR from your prior health insurer, it is really important that you get an opportunity to review, correct that information, just to make sure, before that happens, that it is correct. So that's another important principle I wanted to highlight.

The HIPAA security rule certainly also applies to this transfer of information. I think in terms of an interoperable environment, whether it is between two health plans, between two covered entities or non-covered entities, etcetera, there needs to be strong protections of all the information that is in transit. And there also needs to be distinct processes in place so that people, when they are sending information, can be sure it is arriving securely at their destination. So another principle that HIPAA certainly lends itself to is making sure that there are step-by-step procedures, that there is a receipt process, acknowledgment of receipt process, and the review of information that is secure. I think this is an important principle that would limit the ability for a covered entity to send information to a non-covered entity without having those processes in place so they can guarantee that the information in transit is going to be secure and that they can give a guarantee that it arrived at its destination, etcetera.

One area that I was also asked to talk about was the communication of privacy and security practices to consumers. And this is something that I'm going to have to do a little bit more research on. I know that in some health plan notice of privacy practices, it includes information on the personal health record and the privacy notices. In other cases it is a separate privacy policy that's shown to the individual upon enrollment into the personal health record, and they also agree to terms and conditions, etcetera. So we need to do a little bit more research and get back to you on specific, sort of that framework for notice, which I think would be important for all of you to take a look at it in terms of the PHR and whether or not it is a part of that notice given, a part of HIPAA, or if it is above and beyond a separate process. So I will have to come back to you on that.

While HIPAA is certainly extremely important when you are talking about PHRs, what we have found was that, more so, impacted by the variations in State law as they apply to personal health records. A couple of things that apply to us as being affected by the State laws in which the State health plans operate. I don't know how many of you have had your own PHR, but most PHRs have to take the step of excluding certain categories of information from the PHR. And plans have to do that because of various State laws. There may be State regulations. It may be a practice that they choose to adopt, etcetera. And I think there is a lot of variation. Some plans have decided not to include that information in the personal health record. Others give the consumer the choice to exclude it from their record, etcetera. There is a lot of variation that really depends on the State law, State laws that apply to that particular health plan.

>>
Are you talking about things like mental health information?

>> Jeanette Thornton:
Yes. We define super sensitive as mental health, substance abuse, HIV, in some cases reproductive health, certain drug uses, etcetera. I was talking to a health plan yesterday, and they said that, you know, consumers don't really want to be talked down to. And when you have something like that, you know that you have it. So it is sort of unfortunate, but some people want to be able to see all of their conditions in a PHR. On the other hand, other consumers would certainly say, I don't think anyone else needs to see that or it doesn't need to be in my PHR. There is a lot of variation right now about that. And when you are talking about privacy principles or a privacy hypothesis for PHRs, it is something that you are obviously going to have to take a hard look at. Should there be some general principles in this area or not?

>> Jodi Daniel:
Jeanette, if I could ask, is the issue I mean, I guess it would depend with a PHR on whether or not the, there is access to that information by, in this case, a health plan and that that might affect the desires of the consumer, whether or not to have that information. And I would assume that if in fact it was a PHR that the consumer and only the consumer could look at, unless they authorized release of it or something like that, that that issue goes away, because those issues are usually about disclosure of that information. Is that right?

>> Jeanette Thornton:
Yes. Where it becomes more of an issue is certainly when you are talking about children. A lot of health plans have had to make some really hard choices about offering PHRs to that 14 to 18 and older age demographic because of those disclosure issues and parental access, as well as spousal access. And, you know, I think, these are a group of people that would be very likely, we think, to use a PHR. But because of the varying State laws, disclosures regarding that, we have seen a lot of different approaches. Some plans will give parents access to the minor child's PHR unless, with certain information excluded because of the State laws, until the child turns 18. And then the PHR becomes only the now adult’s personal health record. Other companies are giving minors the ability to set up their own personal health record. Of course it has to know the name of their health plan and some identifying information to be able to do that of course. And then others have much more of a sophisticated approach whereby the child can turn off access to their parents. So you are seeing a wide variety of things. And when you are talking about privacy in PHRs, I think it would be really interesting for this Workgroup to kind of look at some of these issues related to children and accessing personal health records, and especially the teenage set, as well as spousal access, etcetera. Because there are a lot of privacy issues that may not necessarily be HIPAA issues but they should be looked at if you are going to have interoperable PHRs that are beneficial to consumers.

>> Kirk Nahra:
Let me ask you a question. Do you have a sense that that state law issue with PHRs is any different than the rest of the issues related to parents and kids? If I'm a, it is my insurance for my kids and my spouse. And my health plan presumably has rules on my kids are too little. But when my son becomes a teenager, they presumably have a rule that exists today as to what kind of information I'm going to be able to get about his claims history and things like that. Is there anything different about that issue in the PHR environment?

>> Jeanette Thornton:
Well

>> Kirk Nahra:
It is a very complicated issue in general. But I

>> Jeanette Thornton:
I guess I should have said this earlier. But none of these laws specifically apply to personal health records. They are really becoming heightened issues as people are getting easier, quicker access to their information online. So the laws are not any different. You are just having a lot more of these issues come to surface when you are offering a personal health record and it's easier for there to be security, privacy issues like this that come about. They are not I'm not aware of any specific laws on, State laws on PHR privacy, etcetera. They are all, you know, these are all issues that are really just coming to the forefront. When you are having the interoperable health information and you think about it, well, a health plan operating in one State may just have decided to include certain categories of information because that is the consumer's wish to have that information in there and that's appropriate for their State. But when the information is now transferred because they change health plans to their new health plan, the State laws may be different, etcetera. There becomes a lot of different issues that have to be worked out. And these issues, not only between health plans, but as you look at your broader thinking about interoperable health information, there needs to be some sort of framework or privacy and security and other issues to sort of handle some of these operational issues that come out. So just some things to start your thinking in this area.

>>
Excuse me. Are these State laws that are specific to electronic transmission of this data or are they just, again, a more generic law that gets applied in this particular context and now, in this electronic context, to personal health records?

>> Jeanette Thornton:
Yes. You certainly think about, Minnesota has very strict laws about parental access to information about their teenaged children having certain, taking certain prescriptions, certain drugs, etcetera. And because this information would now be easily available in a prepopulated personal health record that has medication history in it, for example, then this issue really comes to the forefront of how do you make sure those State laws can be followed in this new environment of the personal health record.

>>
Have you run across any State laws that are specific to an electronic transmission of the information?

>> Jeanette Thornton:
I'm not I know, hopefully, Jodi, the HISPC process will solve those problems for us. I'm not, off the top of my head but I know, it always comes up in terms of just a general disclosure of information.

>> Kirk Nahra:
Well, and I mean, does the question mean something that is limited to electronic or something that includes electronic? I mean, there are lots of State laws that would include electronic transmission.

>>
Something that would be specific

>> Kirk Nahra:
Specific and exclusive to electronic.

>>
Yes, I was trying to recall, and I don't know whether it came up in e-prescribing or some other context, that someone had come across a law that prohibited, I think it may have been HIV status or the results of HIV tests from being communicated electronically. You could mail it. You could phone it. But you could not send it over the you could not send it electronically. I was just

>> Kirk Nahra:
It is certainly possible there is such a law. I've seen lots of these laws, and I haven't seen one like that. I mean, this gets off topic, I suppose it is relevant in these PHR settings. Those State laws are written every possible way, and there is such an enormous variation in them. And frankly a lot of them I mean, most of the laws that Jeanette is talking about don't clearly say anything about health plans. They usually say the doctor who is the mental health provider or the substance abuse provider can't disclose except in certain situations, and you have got to sort of make these leaps of judgment on whether that applies to someone who's already gotten that information and where they're getting it. None of these laws prohibit what a person could put in their own PHR. They all apply to a treatment person. It starts with a treatment person. The State law will be an interesting complication. And I was, I guess I'm intrigued to hear that this approach, there is certain information not even going in the PHRs because of that. That's an interesting issue.

>> Jodi Daniel:
And it seems to me that one of the, what you are saying is that some of the big issues are, when there is a transfer of the PHR from one health plan to another or where some of the State laws would be coming up because of the variation.

>> Jeanette Thornton:
Right. You will hear health plans I know what my state laws are. I know what can be included, I’m feeling legally comfortable in putting in my PHR. But when we talk about an interoperable environment where information is flowing, it becomes a lot more uncertain. And I think people will tend to take a very conservative approach to make sure that information is not improperly disclosed. But what value, does that limit the value of the PHR to the consumer who wants to have all of their information? So there is sort of that tug, that balance that needs to be put in place.

>> Kirk Nahra:
Well, and the other part of that is that, the discussion you had about the consent or the consumer or permission, whatever we are going to call it. I mean, it is not, it is not a consent under HIPAA. It is not an authorization presumably. But it obviously makes sense to say, yes, we want you to tell us where this should go. That's going to be an interesting hybrid. Having no HIPAA, no direct HIPAA relevance but clearly a situation where of course you want the individual consumer to, you know, if it is Blue Cross/Blue Shield, they don't know that you are now transferring to Aetna without you telling them that you are now transferring to Aetna. It would be interesting if you could wrap those all together and deal with the State law issues but, again, a real complexity.

>>
I have a question. I'm it almost seems to me, and I'm probably missing something here, that the plans are being ultraconservative by just not putting this information in the record. Because one of the things that a lot of the consumer groups talk about in PHRs is they like the model because they think it has more consumer control. So that if I want my information to go I'm going to go see a specialist. I don't depend on my primary care doctor forwarding the stuff in his or her records. I in fact take it and it's my consent and I can say I'm going to send X, Y, and Z in the record but I'm not going to send this because I don't think they need it. And that appeals to a lot of consumers because, even in these States where there are laws, my understanding is, when a consumer consents to the disclosure of that information, then that can be sent. So I guess I don't understand how a policy that says we are not going to put this in the record because there is all these sort of State law issues on these supersensitive records is as pertinent in a PHR context where the transfer of information occurs with consumer consent.

>> Jeanette Thornton:
M'hmm. So I think a couple of things. I'm talking about the environment, state of play with the vendors in the PHR marketplace that is out there today. I certainly think that everyone wants the PHR marketplace to move to an environment where the consumer is able to shut off this, shut off this sort of information from going here and shut off that sort of information, and all that sort of control. But if you look at the vendors in the marketplace today, I don't think you would say that we are there yet. I think there is a wide variety of sophistication in place, and this may be sort of a stopgap approach until sort of the PHR marketplace catches up. And, you know, I have seen a lot of demos from a lot of cool PHRs, and they are starting to put in this sort of selective functionality. But if you look at some of the basic PHRs that are in widespread adoption today, you don't see that sort of functionality.

>> Kirk Nahra:
I think the other part of it, Deven, in response to your question, is that I think companies are being conservative. I mean, I think that the approach you are describing is a conservative approach, but it is a perfectly reasonable conservative approach because of how complicated some of these laws are. I mean, some of them say you have got to have a consent form that says this, this, and this. Another one has a different kind of consent form. Sometimes you can disclose to this person but not that person. So if they are developing a national standard, I think it is very hard to have a national standard that covers all these State laws. Now, is it true that 92 percent of the time there won't be any problems? Yeah, probably. But it is not at all, it is not at all surprising to me that a company that is if you are offering this to your members as an additional member benefit, you don't want to get in trouble for doing that. So it is not at all surprising that companies are being pretty conservative. I mean, that's a I mean, I've said in other contexts I think the State laws create far more confusion than are helpful because it is so hard to deal with them. Again, I've said in other contexts. Give me one law. I don't really even care what it says. Give me one law that I can follow. But I think we are going to see some of these situations where maybe we find in the PHR environment or some of these environments that some of those State laws actually work against some of the, some of the additional requirements may work against what we are trying to accomplish here. That's just something to keep in mind.

>>
I think you said you needed more information on that, but I wanted to be sure. Are any of the PHRs you have looked at in this process using the person, the enrollee sort of as the proxy for the individual? For example, I make all these authorization and consent decisions for my husband.

>> Jeanette Thornton:
I mean, I've seen a couple of different approaches there. Normally the subscriber will have a separate PHR and a separate access. And there is a process in place in more sophisticated PHRs out there where somebody can choose to link the information between two people or add another member to their PHR, add someone's access to their PHR. This is an area that's kind of changing versions two and three and four are having that kind of functionality, but it is not widespread.

>>
Okay.

>> Jeanette Thornton:
That's another sort of important issue in terms of ensuring privacy. I think people that's sort of the number one thing, is can I keep something secure from my

>>
Who makes the decision.

>> Jeanette Thornton:
Right.

>> Kirk Nahra:
And the other thing important about that is it is an environment where the insurance companies are different from an unconnected vendor or a provider-sponsored situation. I mean, the providers have relationships with each spouse individually. The insurance company has relationships with both spouses and the kids. So there may be some additional complications in an insurer-sponsored PHR that you wouldn't have to worry about in a provider model or some other kind of vendor. It is just a different we have got to look where those are coming from to see where the complexities are going to be.

>>
The other question I had for you related to how it’s sort of auto-populating with claims information to begin with. That's your starting point. And given that, I would imagine they are getting into all kinds of requests for amendment just because of the nature of claims data. In other words, it is sort of generic. It is a function of what's lumped into that particular code, etcetera. So when you do have these requests for amendment, is there any checkpoint back to the provider that submitted the data to make sure that the amendment is not changing the clinical concept?

>> Jeanette Thornton:
Right. There is a couple of things to that question. One is sort of, there is a wide variety of approaches, just the health plans have employed through the creation of the PHR and the prepopulation of claims data. Some plans will have a process whereby it is available for you and you can choose whether or not to log in. Others you have to sort of opt-in to having the information pulled in, etcetera. Others, you know, you can basically say I don't, under no uncertain terms do I want a PHR. Shut it off. I don't want anyone to have access.

But to your point, we certainly recognize some of the gaps with having claims data be as a basis for a PHR. I'm not going to sit up here and say that's not the case. We certainly feel that it is more information than is available electronically to people today, and it is a great first start as we move to an environment where there is much more interoperable electronic data available to consumers. And of course one of the reasons why you cannot just a lot of times correct the data right on a personal health record is that information came from somewhere, whether it was miscoded or over, like you mentioned, categorized information wrong, etcetera. And the health plan is going to have to do an audit of why that, where that came from.

Carmela Baccino (ph) was giving an example this morning of a problem where she saw something in her personal health record that was wrong. She had this surgery. It said she had that surgery. And she had she and the insurance company had to actually go online, look at the PHR, and go through that process and audit of how that so it takes a lot more time and energy to get that information corrected. But yes, you have to go back to the original place that that information came from in order to get it corrected. Because we don't if somebody has diabetes, they have diabetes. So you have to sort of some issues have to be addressed there. Go ahead.

>>
A follow-up question. Are you concerned also though that, you know, if you give the patient a lot of control over this record, this PHR, that they sort of create a medical novel of themselves rather than a realistic, factual-based history of their medical care and their condition? I mean, I at least see some type of anecdotal evidence of people doing those types of things, and that scares the heck out of me. Because, you know, it is information, in the past clinicians may not have had good information, especially as it relates to care that wasn’t provided by them or their institution, but I think equally dangerous is the case where people decide that they are going to omit things that they find not relevant or that they have some embarrassment over but are entirely relevant to their follow-on care or care in the future, maybe not just follow-on care but care in the future. Has that been, has that been a topic of discussion or something that

>> Jeanette Thornton:
Well, I think it goes back to what I said earlier in response to Jill's question, is that process, that audit process they have in place. I don't think you are going to see somebody getting their information changed just because it is not a mistake.

>>
I think that's a different issue. It is one thing if it is a mistake, and you say you can correct information and information that needs to be corrected. It is another thing if you give consumers, which a lot of PHRs do, a lot of control over what actually makes its way into their record. And if you simply allow people to unilaterally decide what information either they want to keep in their record or want to make available to other providers, then, you know, what seems to be done in the sake of privacy ends up having a profound impact on the ability to provide quality care, and in fact may have, again, a medical novel which doesn't really reflect the patient's actual care.

>> Jeanette Thornton:
I think some of these more sophisticated access control functionalities are really new. And I don't think we have a lot of information about sort of the impact of those types of functionality that are in, the PHR vendors are offering today. Not a lot of health plan PHRs have that level of sophistication yet. It really is sort of an area that’s really changing and evolving and we don't know. You also have to remember that this is not a clinical record of care. This is something that a consumer uses to manage their this is a person's, it’s not an electronic health record

>>
-- providers to allow them to facilitate care, it does become in some sense

>> Jeanette Thornton:
Well

>>
an adjunct to the record.

>> Jeanette Thornton:
You know, it is a great place to get a medical summary of the doctors you visited, the encounters that you've had, et cetera. But it, in no way should it replace an electronic health record or clinical record. It is a starting point to inform a great, good conversation between the consumer and the doctor, and it should not be viewed as sort of a replacement for that.

>>
I've got a followup on Jill's question. I have had a hard time actually getting any sort of research that's looked at actually what the correlation is between, you know, essentially the experiments you are getting into and the correlation between the medical record. Have you invested, or is there an interest in investing in actually doing some of that research, or can you lead me to some of it? Because I see a lot of extra burden on providers having to deal with that. It might come back on the insurance, but a lot of it is going to come to the provider saying, gee, I got this in my record but that's not what I thought happened to me. And I guess the question is, because this is not obviously, I mean, I think it is new days. Patient-centered care is great, and we are going to have rough and tumble and it's going to be rocky. So I'm not being overly critical, but I'm being concerned about these interfaces that have problems. Is there an interest, or have you already invested in some of that to look at how big a bump that's likely to be or a hole?

>> Jeanette Thornton:
That's sort of an interesting question because this is, there are several different prevailing models out there when it comes to personal health records. You know, there is the insurer model, which I've talked about today. There is the independent vendor that's pulling data, like a Quicken or, kind of model that's out there. There is the PHR that's tied to an EHR, where it is basically their record in consumer-friendly terms, and there are probably five other models that I'm missing. So and I'm not aware there hasn't really been a lot of research in the PHR space. I know there's been some, I've seen some in the University of Maryland Business School. Markle Foundation has done a lot of consumer surveys, other work. But I think that would be an area it would be interesting to take a look at.

>>
We would be delighted to have that dialog. Because I think the research is really essential at this much more fine grain level than sort of the global opinions and so forth. Because ultimately that's how it is going to hit the street, is that way.

>> Jeanette Thornton:
Sure. And I think, as this working group is considering how to apply this hypothesis to PHRs or not, and I think it's important to look at all these different models that are out there. They may have different requirements, and there is going to be a lot of change over the next few years, I can imagine, as certain ones become more popular than others, et cetera, so provide a better service. So let's see here. Just going to check in here. How are we doing on time?

>> Kirk Nahra:
We are good. I know we have gotten you sidetracked.

>> Jeanette Thornton:
That's all right.

>> Jodi Daniel:
question back to John. As part of that concern many times about, well, what if the consumer is holding back data and sharing it with the doc. How is that different than what's happening now? I mean, if a patient goes into a doctor's office

>>
Right.

>> Jodi Daniel:
they are going to tell the doctor some things and not tell the doctor other things.

>>
You are absolutely correct.

>> Jodi Daniel:
So I understand it doesn't help that. It may help them to provide more information than they would have otherwise remembered.

>>
Right.

>> Jodi Daniel:
Maybe there might be some undue, some the doc may rely on it more because it is in writing or it is in some electronic format. But how does that really affect the way the doctor is practicing medicine compared to what they are doing now with limited information?

>> John Houston:
I will answer, not being a doctor although I try to play one on television. No, I think the whole concept of the NHIN is try to, as well as PHRs, and all we are talking about, is try to advance the quality, quality of care and reduce medical errors and things of that sort. I think, I suspect physicians will always want to get as much information as they possibly can. I think physicians probably today recognize, when having to get a history off of somebody or ask somebody for their past medical history, get a sense of whether they feel it is complete and try to work the best that they can with the information they do have. This is just simply a matter, if you are a given electronic doc, if you are given electronic information you may be more likely to assume that it is complete, or your hope is that it is complete and you are just trying to make better decisions. So again, I just think that, in this day and age, we should be trying to advance this, you know, advance care and try to reduce error rates. And I just don't think it is, there is sort of a balance here. And I think we are not well-served by providing, allowing people to have too much control over these records, or the fear being is we are not going to get the advancements we think we are.

>> Kirk Nahra:
Well, I guess all excellent points and points that sort of highlight some of the tensions we have had with privacy and security concerns just in general. I guess just in the interest of keeping Jeanette moving I want to focus on issues that I mean, you are raising a lot of questions that are generic to the idea of what PHRs are and how they work and how they work in all these environments. I would like to see if there is anymore I know we got you off

>> Jeanette Thornton:
No problem.

>> Kirk Nahra:
were there other pieces that you wanted to

>> Jeanette Thornton:
Well, the final thing that Steve asked me to talk about was sort of the implications of having personal health records that are covered, offered by covered entities and those that are not. I wanted to spend a few minutes on that, and then I will conclude.

We certainly support the hypothesis that was presented this morning and discussed this morning, especially in the area of personal health records. Because we do think that at one level the playing field, in terms of having personal health records all meet a minimum level, however, it wouldn't address some of these other things that we have talked about regarding interoperability and State laws and other sort of issues. So it is certainly the starting point, but it doesn't address the whole, all the issues that need to be addressed from a privacy and security perspective to have interoperable personal health records, which I think is everyone's goal. And without having, addressing all of these sort of requirements, there are a lot of limitations in the ability to have an environment where we have a portable, personal health record which is where we want to go. So I think that's also important, with having some PHR vendors covered by HIPAA and others, and others not.

Now, where, you know, the rubber kind of meets the road is how you would go about doing that. I don't want to prescribe any sort of recommendations to you today because I think there is a lot more research and discussion that needs to take place, frankly. There are several issues, you know, whether it is done within the existing Secretarial authority regarding privacy requirements and whether it is done within the business associate framework or a different framework or something, that we have thought about it. And also sort of what is the role of the existing regulatory agencies in, you know, evaluating or enforcing these new requirements on these entities that may not fit the mold of a traditional healthcare entity that HIPAA was sort of designed to cover.

I think and one of the other issues that I didn't necessarily talk to today but is also important is the Department of Labor's authority under ERISA, when you have large self-funded plans that are operated by large employers as well. They are often covered by detailed contractual requirements that would sort of describe what sort of privacy practices would need to be in place, et cetera, especially as it comes to PHRs and how they are offered. That's sort of another wrinkle in this, another group of people we should be talking to as a working group, to think about the employer model of personal health records that we are seeing as well. So with that I thank you for your time, and any other questions or comments would be appreciated.

>> Paul Uhrig:
One other

>> Kirk Nahra:
Go ahead, Paul.

>> Paul Uhrig:
Getting back to sort of the hypothesis and, I understand in the model that you are describing, it is a PHR that is sponsored by a plan, and that is where the HIPAA is. But I suspect that it is, the application is not owned by the health plan. It is contracted with the third party. That's not a covered entity.

>> Jeanette Thornton:
Usually under a business associate agreement.

>> Paul Uhrig:
So that is the relationship there. So in this model that entity that obviously has access for one reason or another, it's coming out of a BA.

>> Jeanette Thornton:
There are some plans that do it themselves so it is not 100 percent the case but there is a mix. Yes.

>> Paul Uhrig:
Okay.

>> Kirk Nahra:
Let me follow up with that. Is there any part of the PHR relationship, whether it is direct with the health plan or through a business associate, that you guys think is not covered by the HIPAA? I mean, is that whole package, I mean, we have been talking about inside HIPAA and outside HIPAA. Is that whole package covered by HIPAA as far as you are concerned?

>> Jeanette Thornton:
That's how we have been dealing with that.

>> Kirk Nahra:
Good. Good to know somewhere our fine lines are right but just wanted to make sure. Okay. Other questions or comments for Jeanette?

>>
Just one, since you mentioned employers. It's never been clear to me, a lot of health plans are employer-sponsored, where that line really is. Do you see most of the employer-provided PHRs as actually being run and offered through the, as a plan benefit or is it, or are some of them actually separate and apart from the plan and directly offered by the employer to some third party?

>> Jeanette Thornton:
I've actually seen both.

>>
Both?

>> Jeanette Thornton:
There is both. There is some, as part of that servicing agreement there is a health plan. A personal health record is offered as part of the service. In others, an employer may take it upon themselves to market directly to their employees for health risk assessments. Others sort of, employee sort of centered wellness activities where they are having, they are directly going to WebMD or whoever the vendor is to get those PHRs to those employees.

>>
But even in those cases is the, does the employer claim the ability to access that information, or is that information as it is from

>> Jeanette Thornton:
Yes, I have

>>
other kinds of

>> Jeanette Thornton:
employer offered PHR. I do know that in some cases different health data, different healthcare entities are asked to provide data to prepopulate the PHR, whether it is pharmacy data, claims data, or other data. But that's just a general statement. I don't know of any I haven't done any research or work on employer PHRs.

>> Kirk Nahra:
Let me jump in for a second. There are a couple different models. Let me be clear on one thing, Jeanette. When a health plan, a health insurer offers these PHRs, I assume that that applies to both its, it could apply to both its insured business and its administrative business, that's the employer health plan? I mean, Aetna, pick a name out of a hat, I don't anything specific about the Aetna arrangement, but they would offer that both to their own customers and the customers where they are administering a health plan?

>> Jeanette Thornton:
Well, because, PHRs have just been offered in the past two, one to two, three years, a lot of plans have rolled them out sort of in a phased way. So you might see some plans that started with their large employer groups and are moving to other groups, et cetera. So there are some variations. But I wouldn't assume that

>> Kirk Nahra:
Either way. Okay.

>> Jeanette Thornton:
Yes.

>> Kirk Nahra:
So to go to your question, there are some of the employer-offered PHRs that are solely basically making a, you know, essentially a software program available to employees. And most of the time, not necessarily all the time, but most of the time they are not purporting to have any access to it but it is also not through the health plan. So that's a category of what, right now, I think, we are calling the non-covered entities. It may be, I mean, the vendor in that situation is going to have a contract with the employer, but it is not a HIPAA contract. It is not a business associate contract. It is some kind of

>>
We have heard the CE Workgroup that is, I think, had early testimony on PHRs, some of them being offered through employers.

>>
M'hmm.

>>
It was not clear through that testimony whether they considered that to be through their health plan or but in all cases the employer hastened to say that they, that information in the PHR was confidential and under the control of the employee and the employer did not have any independent right of access to that information.

>>
Followup question. I guess, is the employer though, I'm going to use the word compelled, that's probably the strongest word. Is the employer compelling the employee in those cases to participate? And the reason I ask that question, it is one thing if the employer says voluntarily, oh, this is great. I want to go and contribute to this PHR because, whatever value they see in it, versus one where the employer in some way is compelling the employee to participate, such as saying, you will save 100 dollars a year on your deductible if you do this. And the reason why I ask that question is, I think it is meaningful when you are looking at how many controls you can reasonably want to put in, privacy controls you want to impose upon these types of PHRs. Because clearly if a person has an absolute right to decide whether they want to participate or not, it becomes almost a consumer decision. Whereas if there is any level of compulsion to do it, then I think there is more of a right to expect that there is more privacy protection in place.

>> Kirk Nahra:
The ones I've seen, which is not all of them, have been very voluntary. It is an opportunity to sign up for one. I might quibble with the compulsion on giving somebody incentive, which is 100 dollars off. I think, the compulsion would be if you want to have your insurance through us, you have got to sign up for one of these. I certainly have not seen anything like that. I have seen some incentive programs.

>>
But it seems like, in fact when I was upstairs before this meeting in the cafeteria, I was watching CNN which is on the television up there. And it so happened they were talking about employer incentives for wellness.

>> Kirk Nahra:
Yes.

>>
And they can get some of those incentives can get fairly aggressive, to the point of, you know

>> Kirk Nahra:
Absolutely.

>>
I think that also is a way, of where things are going. And so we have, I think looking forward, in the way the PHRs are structured, I would be surprised if you are not going to really see a lot of pressure for people to contribute to PHRs, especially if they have chronic conditions such as diabetes or there’s weight management issues, things like that, where they are really being compelled to involve themselves with a PHR in order to help manage their care.

>> Jeanette Thornton:
This may be more for the Consumer Empowerment working group when they put together the privacy principles, but there obviously is a group of people that are saying, you know, I'm willing to give something up in order to give them access to my information today because I need this information to help me. And there are people on the other end of the spectrum who don't feel that way. And privacy policies and principles have to, in some sense, accommodate both of those groups and some people are going to be obviously in between. And so you don't want to limit people's ability to get the information they want if they are willing to give something up.

>>
I think that's right. But with the caveat that, for example, the employer, Sue, that you mentioned who hastened to add they have these controls in place. Unless it is organized under their benefit plan, it makes that portion of their business a covered entity. They are under no obligation not to use it for hiring and firing decisions. So it is really up to the good graces, then, of whoever is in charge of that company to set that rule. That's kind of a dangerous place for a consumer to be.

>> Kirk Nahra:
Although again, a lot of the ones I've seen the way they deal with it is they don't have it in the first place. It is not they are holding the data and voluntarily abstaining from looking at it. It is the data is somewhere else away from the employer.

>>
But again, it is their decision as opposed to the consumer's, unless they are

>>
how to set it up

>>
subject to the HIPAA.

>> Kirk Nahra:
Absolutely. Again, I will tell you, from the other, the flip side is, the employers also know that, they are scared to death in a lot of this stuff. They are looking at a market where they want to be helpful to their employees, but the employers I talk to, they don't want anything to do with this, because they know as soon as they have the possibility of that access, they will get slammed on that. So I think that they are very conscious of that split.

>>
But there is, even if the employer doesn't have access to the information, if they recognize that they can reduce costs, we are all looking at reducing costs, by really compelling their employee base to participate in PHRs, even if the employer doesn't have access to the PHR. Then that, whoever is running the PHR I think has some type of, needs to have some type of commitment with regards to privacy and ensuring that the individuals who are going to be really pushed to contribute to the PHRs, understand what it means when they, when they involve themselves in that PHR and whether it be notices or other types of protections that need to be put in place. And I think it is fair ground to think about these types of things. This is going to be a growing area of interest.

>> Kirk Nahra:
Well, and frankly, it is, as I hear what you are saying, another reason supporting our working hypothesis. Let's make sure there are enforceable standards for those people, which might or might not, we're trying to (inaudible) notice one of the relevant ones, but we would look at that. And the first step would be, let's make sure there are some standards out there and bring them up to that.

>> Jeanette Thornton:
And there are a lot of experts out there, health plans and other places, so if you need help in identifying other speakers and testifiers on this topic, be happy to help.

>>
I just had one question. You were talking about these employer, that there are some employers that are sponsoring these, directly as employers, not through their plans. And you mentioned something about the prepopulation of these. Are they then getting patient authorization to prepopulate the information with claims information or other information, clinical information, or do you know?

>> Jeanette Thornton:
I don't, I don't know.

>>
Okay.

>> Jeanette Thornton:
Have to talk to some employers

>>
Right.

>> Kirk Nahra:
They have to because they don't normally, the employer doesn't normally have the claims data in the first place.

>> Jeanette Thornton:
The health plan would have to have some

>>
That's what I would assume. That's why I asked, because you made some comment about that obviously if it is the health plan who has their own PHR

>> Jeanette Thornton:
It would be interesting to talk to Dossia

>>
Yes.

>> Jeanette Thornton:
because I know that they have been actively trying to get claims data added to the PHRs

>>
Oh, really

>> Jeanette Thornton:
to do that, yes.

>> Kirk Nahra:
All right. Any other questions for Jeanette? All right, Jeanette. Thank you very much. Appreciate you doing that, especially on such short notice. Thank you very much.

>> Jeanette Thornton:
Sure.

>> Kirk Nahra:
We have a couple of other things we want to try and cover today. We had some time set aside for discussing the application of our working hypothesis in the PHR environment. Frankly, I think we did most of that this morning. And my sense from the discussion this morning is that we have some next steps on the working hypothesis, and we are sort of in agreement on what those next steps are. We are not in agreement beyond that, necessarily, but that we know where we are going to go with that. Is there anyone feels we need to have more discussion on that issue today?

All right. I also want to turn then to our next point, which is planning for the next Workgroup meeting. And I'm going to say that I think we also have a pretty good sense of where we are going to go next. I mean, it seems to me we have got sort of three, two balls in the area and a third I would like to put in the air. We have the identity proofing issues that Yuriy has been looking at and we will continue to move those forward. We have issues related to our working hypothesis. And I think that our next, our next sort of telephone call with the group will probably involve a restructured hypothesis and some of those other elements about gaps to fill and things like that.

I guess the thing I would like to put, get people thinking about, and this goes back to something, I guess, Don said earlier this morning which is, I would like to get individual thoughts about areas we can turn to next with this working hypothesis idea. I think we had a good discussion today. We covered a lot of ground on that. We didn't go 100 yards on the football field but we went 75 or something, and we got much further along. So I would like people to give some consideration to, you know, next step ideas where that concept, that process might work as well. I would encourage people to send those through to me or to Jodi or Steve. And we will see if, you know, sort of what we'll take on next in terms of that. I know we have had a lot of discussions in each of our last couple meetings about next steps. And again, this working hypothesis today was designed to alter that dynamic a little bit. But, I mean, are people in agreement that we made enough progress on that today that it is worth trying to do that in other areas? Anyone who doesn't, doesn't agree with that for the time being?

Okay. So again, I think we have some good, we made some nice progress today. And we have got some good things to be working on. And I'll be working with Jodi and Steve on getting some more, you know, information on some of these other areas for the hypothesis. And again, please do let me know if you have, again, an idea for a hypothesis, you want to write something up, whatever it is in terms of next steps.

Let me do this. Maybe we should turn, just let the audience know we can take public comment, and then we will have a few minutes just to wrap up. Then we can finish up a little early.

>> Jodi Daniel:
Can I just, as far as you were saying, things are kind of openended at this point and that we're working on. Just also the issues of working with Consumer Empowerment on their PHR, privacy health

>> Kirk Nahra:
And NCVHS

>> Jodi Daniel:
And NCVHS.

>> Kirk Nahra:
coordination with both those organizations.

>> Judy Sparrow:
Okay. Jennifer, do you want to bring in the public, please?

>> Jennifer Macellaro:
Sure. You should see the slide in just a minute that has the number to call in, if you're not dialed in already. If you have dialed in, you just need to press star 1 to alert the operator. And there's an email address there if anyone wants to write in any comments after the meeting. So I will just check back in with you in a few minutes.

>> Judy Sparrow:
The next meeting is April 12th. Is that right? I think so. Okay.

>>
That's what I have on my calendar, April 12th from 1:00 to 5:00.

>>
Yes.

>> Kirk Nahra:
Should we wait for them?

>> Judy Sparrow:
Just wait another minute. It doesn't take too long. If you have anything you want to say in the meantime.

>> Kirk Nahra:
Well, let me just open it up generally. Are there other comments or thoughts, people want to pass along at this point? John?

>> John Houston:
Do we want to talk about other hypotheses at a high level and just sort of throw some thoughts out on the table? Because I think the one that I continue to have and I know we skirted in NCVHS for some time is the whole issue of opt-in versus opt-out, which I think is a hugely important issue from a privacy perspective and I would, and to Don's earlier point which is if we get a few of them in play, it doesn't mean we have to work on them together but as we're working on one and teeing up the next hypotheses, I think we can do that without a lot of extra effort but yet when we're ready to start on the next one, I think it gives us the ability to do so. And I really feel strongly like that at some point in time, somebody's going to have to deal with the thorny issue of opt-in versus opt-out and I would love to get it on the table sooner rather than later.

>> Kirk Nahra:
Well, let me just address that real quickly, John. I mean, I agree that's obviously a big picture issue and the way that I've thought about it and the way that we've had some discussions in terms of our planning was to address that a little bit from the side and here's what I mean by that.

I had, you know, my visual description earlier of lifting people up to the HIPAA level and then examining whether we should have something above HIPAA and it seems to me that we should look at whether there should be a higher than HIPAA standard rather than address opt-in/opt-out as an element of that. And again this is just how I've thought about it which is if we can't come up with reasons as to why this is different, better, worse, more controversial than HIPAA, one conclusion would be HIPAA's good enough for that. If we bring everyone up to a HIPAA standard and this isn't all that different from what we've had before, why have a different opt-in/opt-out environment than we do with HIPAA?

If the answer is on the other side, no, this is very different, there's X, Y, and Z that makes this different and HIPAA's not good enough for that scenario, then we go to, all right, what does that mean HIPAA's not good enough? We make it opt-in, we make it opt-out, we do different kinds of controls, we define TPO, whatever it's going to be. But it seems to me there's that first step which is, we've got an existing framework today for health information in a lot of these contexts and we've taken through our working hypothesis, we've broadened out the scope to cover anyone that's going to be touching this information in the NHIN, it seems to me we need to evaluate whether there's a need for more than that or not. That's how I've looked at it. Rather than figuring out what that additional is, it's the why we need an additional.

>> John Houston:
I had just two things. I think we continue to hear this as being an issue of sensitivity and consumers. That's the first thing. And second thing is that probably one of the greatest areas between HIPAA and State law is in the area of consent for disclosure. Such as in the State of Pennsylvania, Commonwealth of Pennsylvania, if I want to disclose medical records outside of my institution, I need to get patient authorization and though I've been able to create for my own organization, which is a multi-hospital organization, a consent form that allows me to share within that organization without additional consents between hospitals, once I get outside of my institutions I am compelled in Pennsylvania law to get that authorization. As I said, I believe that framework is a fairly common framework in most States.

>> Kirk Nahra:
Is that for sensitive diagnoses?

>> John Houston:
No. Any type of anything, any type of information disclosures. If a patient goes to a physician or another hospital outside of my system, in order to provide the medical record to that institution or that physician, I need to get patient authorization.

>> Kirk Nahra:
Just for what it's worth, my sense is that's very unusual that's what Pennsylvania law says, that there are very few State laws that are, I mean, there's lots that have sensitive condition laws that Jeanette was talking about but I'm aware of very few that are general, any kind of medical information.

>>
Minnesota.

>> Kirk Nahra:
There may be a handful.

>>
And I think doesn't California have some consent for treatment?

>> Kirk Nahra:
That's not at all a common framework.

>> John Houston:
I've seen it in numerous other states. I remember seeing a 50-State analysis at one point and that was an issue that came up in more than a few States.

>> Don Detmer:
I guess I see this as a little broader than necessarily the boundaries you've put on it. For example, to go back to the spirit of the original HIPAA legislation which is administrative simplification, we just said there are some patients who actually frankly would like to facilitate information being moved to providers as well as people who are extremely cautious and sensitive about that happening. I think that part of the opt-in/opt-out, for example, even if you use an algorithm approach to unique identification, without the Social Security number, that sensitivity drops quite a bit. Should patients have the right to say you can use my State driver's license number as my unique identifier? Should patients have a right to say, it's fine with me if you let my data go to the people that are involved officially in my care, if I've gone to see them and I'm a registered patient with them, it's fine with me if, in fact, I would like to have my data go to medical research that are IRB-approved so that in fact, if there is research going on that might fit my condition, I could have information pushed to me so I might know about that and so I could participate in that for the benefit of my child or myself. So I think there's a set of these opt-in/opt-out issues that are not constrained per se just at HIPAA but do speak to the broader picture of what should national standards be in terms of choice, in terms of access and so forth.

>> Kirk Nahra:
Okay. Let me do this. Let's go to the public because we've queued them up. Let's see if we have any of them now and now we can continue our discussion.

>> Judy Sparrow:
Jennifer, is there anyone on the line, please?

>> Jennifer Macellaro:
We don't have anyone phoning in comments now.

>> Judy Sparrow:
Okay. Thank you.

>> Kirk Nahra:
I guess here's my suggestion which is, let's, if people have suggestions on issues they would like to put up for that kind of working hypothesis discussion, why don't you send those to Jodi or me or Steve and we'll pull together a list and sort of suggested approaches for that. I mean, again I do still have the reaction, Don, when I was listening to your list that most of those topics have an answer under HIPAA today, and the idea of is that good enough or not good enough does strike me as a little bit of a common ground. Again, the answer very well may be it's not good enough and we need something else, but the way I've looked at it is we've got to decide if it's not good enough before we should, I mean, if we get into something that says, you know what, there's going to be opt-in for all exchanges of health information in this situation, there's almost no opt-in rights for basic, I mean, for any TPO activity in HIPAA, there's no opt-in rights. There's not even an opt-out right really. So we're saying we're going to have a much higher standard in this environment than we do for a doctor sharing information through some other mechanism with a hospital today. I just want to understand before I would support some of those additional steps why this is different. And again, we may have an answer as to why this is different and if the answer is it's not really different but we don't like the way HIPAA's working, again that's a fair answer. I just, I'm not sure we're there yet. So that's the part again that I've been trying to look at.

>> Don Detmer:

Let me say this. Personally I'm an opt-out type of guy. I mean, I would prefer that, working for a healthcare provider, I think having information is absolutely important but I'm compelled by the fact of hearing a lot of public testimony and public concerns over the NHIN and concerns over access to information that people may feel is of a character that they don't want necessarily disclosed widely and concerns over this global availability of data and, you know, who might see it, that these are the types of things, though, that I think in order to garner the public trust, we need to bring up and consider.

>> Kirk Nahra:

Deven?

>> Deven McGraw:

I was just going to say I've participated in some of the meetings related to the HISPC project -- I always get it mixed up with HITSP -- but it's the project that is looking at States' experience and the barriers to implementation and the one session that I was able to attend in the two days that were held most recently, I mean, they're at the point where they are sort of writing reports and talking about implementation and next steps. They're grappling with this opt-in/opt-out question right now and there are decisions being made as some of these systems move forward about whether they're going to structure them as opt-in and opt-out. So one of the things we might want to do is take a closer look at what's coming out of that effort because I think maybe they're grappling with it right now, it might be quite constructive for us in terms of setting a national recommendation to get a little bit of knowledge about how they're coming down on the question, because even within the sort of range of consumer principles that I've seen out there, they come on, down on the question actually quite differently. So I think it is a valid question to consider and I think there's actually a wealth of information that's going to be out there. There may be some already and it's just going to get even riper in terms of a knowledge base as that project wraps up. And that also goes to the question of the State law variation issue. Like, especially in States where the people in the communities go to providers in different States. So there's a lot of sort of cross-border transfer of data that's, you know, quite meaningful and important to resolve.

>> Jodi Daniel:

One thing I would say is that, you know, I think it's great, it would be great to have, you know, sort of a working hypothesis that we're kind of actively in some general agreement at least with the sentiment on and that we're trying to test out and perhaps having one that we're thinking about. I mean, we don't have to necessarily -- they're working hypotheses. Doesn't mean that we've come to a recommendation or conclusion and, you know, one of the things, Deven, to play off of what you were saying that might be interesting or helpful is, you know, we could ask some of these States that are grappling with this to address the question that Kirk's asking which is, well, why do we need this anyway and if, in fact, there were these protections, you know, at least the level of protections, would that be good enough or not and why not?

>> Deven McGraw:

Right.

>> Jodi Daniel:

And what are you hearing either from consumers or from providers or from whomever. I mean, we could bring in, as you're saying, these folks to come and testify to ask them those questions.

>> Deven McGraw:

Yeah.

>> Jodi Daniel:

And we can structure these questions around these various issues that we're debating here and get input from a variety of folks who have been thinking about this.

>> Deven McGraw:

I mean, I went to the Families USA annual conference and the folks from Massachusetts talked a bit about what they've been doing and I think that I don't have a sense of what's going on all across the nation, but it struck me that what they were doing up there was a bit more advanced because there had been a significant investment of capital from the private sector to push that effort forward and that they had already begun making these decisions and it was already an operational system, at least in one community. So I mean, I just offer that as an example. There could be others that are even better and more robust, but I do know about that one.

>> Jodi Daniel:

There's also, I mean, I think this could be looked at in a variety of different levels. There might be, particularly if we have an NHIN that's a network of networks which is what we're envisioning it as and we do have different -- you know, there could be variation in how this is done, you know, at a regional or a State level health information exchange. You know, it may be that there are some rules of the road that actually meet our hypothesis of to play in the NHIN, you have to do at least this. And then there may be some other practices that the group may want to talk about but, you know, while maybe they're not necessary, they might be -- you know, they might be things to consider in certain circumstances if there is a State or regional effort going on, you know, just, we may not have to think about all of the principles or practices on the same level. There might be different levels of, you know, either enforceability or some things which, here's a minimum but if folks want to do more, here are some approaches to do that because you could still make a recommendation of if you're going to do this, it should be an opt-out or it should be an opt-in or it should be, you know, not that this is a requirement, but if you're doing this, this is what we recommend based on the testimony we've heard.

>> Kirk Nahra:

All right. So again people should think about any ideas for a hypothesis, think about -- I mean, I suppose the other issue is, you know, is topics even if there's not a hypothesis. I mean, I'm not sure even if we were to go on opt-in or opt-out, I'm not sure we have at this point a consensus or a potential consensus but, you know, let's figure that out. I mean, one of the goals of the working hypothesis is an area where we think there's general agreement in the group and I don't have a sense of that one way or the other. Please get those in. It doesn't have to be tomorrow, doesn't have to be Monday but the sooner they're in, the easier we can try to plan for our meetings ahead. Any other last comments from anyone before we wrap up for today? All right, everybody. Thank you very much for participating today. Thank you.