American Health Information Community
Confidentiality, Privacy, and Security Workgroup Meeting #18
Thursday, April 17, 2008
Disclaimer
The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.
>> Judy Sparrow:
Thank you. Good afternoon, and welcome, everybody, to the 18th meeting of the Confidentiality, Privacy, and Security Workgroup. Just a reminder: We’re operating under the auspices of the Federal Advisory Committee Act, which means the meeting is being broadcast over the Web, and the public will have an opportunity to comment at the end of the meeting. Workgroup members on the phone, please remember to mute your telephone when you’re not speaking to reduce background noise, and please identify yourselves as you speak.
On the phone today, we have Steve Davis from the Oklahoma Department of Mental Health; John Houston, University of Pittsburgh Medical Center; Alison Rein, AcademyHealth; Leslie Shaffer, TRICARE Management Activity of the DoD; Tom Wilder from AHIC; Deborah Parris from the Family and Medical Counseling Services; Zinethia Clemmons and Christina Heide from the Office of Civil Rights at HHS; Elizabeth Holland from CMS at HHS; and John Loonsk from ONC. Did I miss anybody on the telephone?
>> Michael Pagels:
Mike Pagels from CMS as well just signed in.
>> Judy Sparrow:
Okay, thank you. And here in the room, we have... Jill?
>> Jill Callahan Dennis:
Oh, Jill Dennis from AHIMA.
>> David McDaniel:
David McDaniel, Department of Veterans Affairs, Veterans Health Administration.
>> Deven McGraw:
Deven McGraw, now with the Center for Democracy and Technology.
>> Kirk Nahra:
Kirk Nahra, Wiley Rein.
>> Steve Posnack:
And Steve Posnack, ONC.
>> Judy Sparrow:
Great, (inaudible). And with that, I’ll turn it over to the Co-chairs, Deven McGraw and Kirk Nahra.
>> Deven McGraw:
Okay, thank you very much, Judy. I don’t know if folks got a chance to read the summary of the prior meeting just that Steve sent out. Does anybody have any comments, concerns, additions, or corrections? (Pause) Okay. Well, as usual, we hold this open for a bit to account for the fact that probably not everyone did get a chance to read it. So we’ll give you till Friday to respond with any changes. Thanks a lot.
Okay. So we have somewhat of an interesting day carved out today, because we do have a couple of presentations from folks who are calling in on the public health issues that we talked about at our other meetings, but we couldn’t be on until about 2:00, so actually 2:05, according to our agenda. So we thought that it made sense for us to go ahead and get started with our discussions, and we’ll have to interrupt ourselves and stop at that point so that we can get the testimony from the two presenters, and then we’ll pick back up again when we’ve finished with them at around 3 or, again, whenever we complete. They get to complete their presentations, and we have a chance to ask them some questions.
So having said that, we’ll get started with the area for discussion. And what got circulated (inaudible) a pretty short document, which are policy factors for recommendation. Now, this is a bit of a right turn off of the direction that we were heading in, which was to try to focus more on the choice question and to try to figure out what elements policy elements people would need to weigh and come to a decision on before we could get to choice. And it was a sense that that approach was not getting us too far and that we were maybe a little too deep in the weeds to see our way through to an actual recommendation. And in addition, we learned that we have an even shorter time frame for coming up with recommendations than we thought. The Secretary has let us know that ideally, we need to get things into AHIC by September. Is that right, Steve?
>> Steve Posnack:
That’s probably the best estimate. We might have an extra month or so.
>> Deven McGraw:
Yes. We might have an extra month, but we are not guaranteed that. So in the interest of time to come up with another recommendation or set of recommendations in that very tight time frame, and given that the path we were headed down appears to be getting to us a point where we could make a set of recommendations, Kirk and I talked about it with the staff and thought that it might be best to broaden our a bit and maybe come up with our scope a bit and maybe come up with a recommendation letter that draws conclusions in some areas where we’re able to come to consensus; raises issues in other areas where we’re not; but essentially is, I think, calling it our swan song, our sort of potential last statement that we’re making to AHIC and to Dr. Kolodner and to the Secretary about the issues we see in this area and again, any conclusions we’re able to draw, but where we’re not able to come to consensus, to sort of lay out the factors that need further consideration and thought, either by the administration going forward to do their policy issues that, to the best of my knowledge, AHIC 2.0 isn’t going to deal with, or AHIC 2.0 to the extent that there’s overlap.
So how we’re going to run this is that I’m going to go through these factors. Again, it’s a two-page document, so I want to get a sense I am going to need to read through it, but I hope that you had a chance to read it. Does anybody have any questions to begin with about the process that’s about to unfold, the path that we’re taking now...?
>> Alison Rein:
This is Alison. I just had a quick question about the decision to actually think more broadly than perhaps more specifically and granularly, just because I felt like actually, in our last discussion, it was even too big for us all to get our arms around. So I guess my inclination would’ve been to pick something smaller and more discrete. But I’d be interested to hear about the thought process of the Co-chairs and the staff in thinking about a broader document.
>> Deven McGraw:
Okay. Well, the thought was that a lot of the sort of more discrete issues that we might try to pick off there’s so much that depends so many you know, all of the issues are interconnected in such a way that it becomes actually more difficult the deeper you dive, so that if we were and that’s partly what got us into trouble with the choice question. We thought actually that we were picking off a discrete topic. But then we realized that in order to get to the issue of what types of choice should consumers have in these new environments, people wanted to have a sense of what you were choosing into. So that led us to a lot of other disc lots of other discussions about, you know, the different ways that information could or should be used in these health information exchanges and, we thought, contributed to our inability to resolve. What was a narrow issue turned out to not be so narrow.
So it actually was a deliberate choice to go a little broader, again, not necessarily trying to achieve consensus on specific tasks or policies that we would want to be adopted, unless, by chance, we’re able to do that; but to kind of lay out a landscape of issues that we think are raised that need further thought and consideration and, again, to come to consensus if it’s possible for us to do so. But given the short amount of time and where the attempt to get consensus on a narrow set of issues got us in the last couple of meetings, it just didn’t make sense to try to do that.
>> Kirk Nahra:
Yeah. Let me just add a little bit to that, which is, as we got into the consent issue, as Deven said, what happened was, we were basically pulling out more and more small issues, and we seemed to be opening issues rather than closing them. And our sense was that we could’ve picked something and spent a bunch of time on one or two little issues, but we didn’t think that was a particularly productive use of this Group’s time. And given that we have a limited time, frankly, we wanted to try to do something that was going to be more useful, more effective, than tr you know, just isolating an issue here or there.
So that was what we were trying to do. We were trying to come up with some of these principles. And I you know, I don’t know I’m not sure where we’re going to end up with that. I mean, the idea of this was to you know, we our recommendations, no matter what they are, are not, as we know, self-executing. So they’re essentially points that are going to get passed along in a chain. So since we know that someone else at the end of the day, perhaps legislatively not clear if there’s other mechanisms we wanted to use these policy factors as a way to help guide what has to be that discussion. It’s not a discussion that we could conclude through our own efforts, even if we were far more successful at making recommendations than it seemed like we were going to be. Those still were just going to be a package of recommendations.
So that’s what we wanted to try and do. You know, we’re optimistic but obviously not certain that it’s going to play out.
>> Deven McGraw:
Does that make sense to you, Alison? Does anybody else want to...?
>> Alison Rein:
Yeah, it does. I mean, I think it’s helpful to think of it as a set of recommendations that might beget more work.
>> Deven McGraw:
Yeah. I think that could be quite right.
>> Alison Rein:
It just wouldn’t be our Group diving into that.
>> Kirk Nahra:
Right. Well, and again, if we had a you know, we might have continued down that consent route if we had a you know, a 5-year plan.
>> Alison Rein:
Right.
>> Kirk Nahra:
And I’m not at all convinced that it wouldn’t have taken a 5-year plan, given the way we were sort of spinning off pieces of that. So the fact that we have, you know, a few months at the most very much was part of that decision.
>> Alison Rein:
Okay. Thank you.
>> David McDaniel:
I would like to see the recommendations that go forward. If they’re going to be a broader spectrum, I’d really like for it to show, at least, that one of the things one of the outcomes of this group has been the finding that you can’t really separate any of these complexities; that when you start drilling down into them, there are so many routes overlapping one another that it’s almost impossible to just tunnel down in and take one issue and resolve it; that they’re all so intertwined that it’s going to take a lot of effort. And I think that’s a contribution that this Group has already made and that, just exploring these things, we’ve realized how hard it is to isolate something and find a single solution for it. I think that’s a huge contribution in itself for the next generation.
>> Kirk Nahra:
Well, and it’s I agree with that, David. And I guess I mean, one of my reactions, just personally and that’s not was not particularly a role in moving this policy (inaudible) one of my conclusions from listening to all of those debates and all of those issues that we were generating was to sort of back off and say, you know, “Why revisit all of this stuff? We have a set of rules that we can adapt. Let’s not create a whole parallel set of rules.”
So I mean, I again, personally, we could’ve gone down a direction I think we could have gone down a direction where I would’ve supported something that essentially says enough similar that and there’s the million other there’s a million issues, and we’re not going to r you know, we’re not going to recommend that we revisit all of those. You know, we could’ve voted on that. We could’ve tried to push that through. But that there wasn’t a sense at least, I didn’t have a sense that we had enough consensus on that. There were clearly a number of folks on the Group who would not have agreed with that kind of approach or weren’t at a point to be comfortable with that. And as I said, we could’ve sort of continued to spin out issues. You know, if we had had several more calls where the end of each call was 37 new issues, we might’ve concluded, “Oh, this is not no way to do that.” We’ve sort of just short-circuited that instead of turning that into a recommendation itself, which could have been a very broad recommendation. We’ve tried to go this other route.
Other comments or questions from folks on the phone? (Pause)
>> Deven McGraw:
Okay, well, we’ll go ahead and get started, then. Essentially, I’m going to read through these policy factors, and I want you to understand sort of where they came from. Kirk and I working well, actually, really staff, and Kirk and I working to get some feedback, came up with these. And they’re not sort of out of the air. They’re based on conversations that we’ve already had in the Workgroup. But you know, we acknowledge at the outside that this is the beginning of a discussion where we’re hoping and we really want folks in the Workgroup to fill in other pieces of it. We wanted to get have something to get us all started in this conversation, but I but what I envision this being turned into, essentially, is a longer recommendations letter.
So, you know so at each point, we want to open it up for discussion a bit; identify sort of what the open issues are; see if we can’t dig around, gather more information to inform the discussion a bit more, again, because we’re not closing the door to reaching consensus on this if we can. But we’re also not, you know we’re taking a broader view of this. And if there are areas where we can’t, we’re going to say so and, I think, ideally, identify what additional information needs to be gathered, what you know, that the topic needs further consideration, etc.
So it’s just they’re really higher-level recommendations to some extent, but again, this is really just a draft and very much needs everyone’s input. So and some of these factors, obviously, we I think we did a better job of fleshing them out. There’s just a lot more text associated, for example, with Factors 1 and Factor 2. When we start to get down to 3, 4, 5, and 6, there’s not quite as much. I guess that doesn’t necessarily mean that they don’t stand alone as they are or that comments are not welcome, even on the ones we’ve already fleshed out more fully.
So okay, unless anybody has any questions, we’ll go ahead and get started. Our yes, John?
>> John Loonsk:
John Loonsk, and I don’t mean to stop progress here, but have you come to a definition of what you’re calling an HIE? What is a health information exchange for you? I don’t because, you know, one of part of the work we’ve been doing over the course of this year is clear is that they’re so different and that just (inaudible) anything (inaudible) one way like that is can be problematic if we’re talking about different things. Some of them are simply switches where they don’t even they don’t (inaudible) anything. They don’t they just move information. Some of them have repositories that are storing
>> Deven McGraw:
Right.
>> John Loonsk:
Some of them are have different relationships with their provider organization. And I don’t mean to be a deconstructionist, but I just want to know where you are in that regard, because I do think that these discussions are going to be very important to the NHIN activities (inaudible), and I just don’t know where you are.
>> Deven McGraw:
Well, we have I mean, it’s interesting. We should take a look at our recommendation letters previously, where we talk about sort of the new entities and the extent to which we think HIPAA should cover that. And it could be that we may need to create sort of if we don’t create our own definition, create a set of assumptions about what we think we’re talking about when we say “a health information exchange.”
>> Kirk Nahra:
Although I mean, I agree with that, but I also I think we’ve just taken a slightly different approach. We haven’t defined it. And when we were drilling down on some of these specifics, that was part of the problem was that you needed a you know, with each specific that was being spun off, you needed an A, B, C, and a D choice and maybe it’s an A-to-Z choice based on the different models. So we didn’t know what they were. We weren’t sure what they were going to be. There wasn’t any particular evol you know, conclusion to evolution. So what we decided to do was you know, and again, personally, I was very reluctant to start making recommendations on particular procedures, because we didn’t really have any idea what we were applying them to. So we’re trying to we’re essentially trying to avoid some of that.
>> Deven McGraw:
Well, (multiple speakers) oh, I’m sorry. Go ahead.
>> John Loonsk:
I just wanted to respond that, essentially, I can understand that in the context of saying HIE’s broadly defined
>> Deven McGraw:
Right.
>> John Loonsk:
behave like covered entities. Or, I mean, you know, this is it but when you start to get more specific, it’ll become more problematic.
>> Deven McGraw:
But we did make we did begin to make a distinction between those who have a public face and component and those that don’t in other words, where the patient is interacting potentially directly with the health information exchange, versus those that don’t. So that is one way of starting to parse out some of those issues.
>> :
(Inaudible)
>> Alison Rein:
Is this sorry, this is Alison again. I just wonder if this is one of the terms that’s being defined by that group.
>> Kirk Nahra:
It actually it is. And I think if you looked at the draft definitions, they have not defined HIEs as an entity or organization. They’ve defined it as an action: health information exchange.
>> Alison Rein:
Right.
>> Kirk Nahra:
I’m not sure that helps here. You know, we have been using the term “health information exchange” in a broader way to incorporate some of the geographic health information exchanges, some of the RHIOs. We’ve also used it in a broader sense in the health data banking world, for example, and even included integrated delivery systems at times that are participating and helping, but not that that’s necessarily the definitive definition right there.
>> Alison Rein:
Right. I mean, my sense is that we’re I mean, given that there are efforts to define it, and given than we want these to be a broader set of recommendations, I think we’re going to, as we put it, talk about these factors and the different issues that are raised. I think we’re going to have to identify where how we might come down on a particular way to address something is going to vary based on the different models that we know are out there today and, of course, the innovation in the future, which we can’t predict.
>> :
I think it does change our conversation, though, depending upon whether we’re talking about a verb or a noun.
>> John Loonsk:
I mean, you may just need to get to the point where you’re saying, “For the purposes of this effort, we’re describing it this way,” and describe some attribute. But I think it’s going to be problematic to get too specific without more specificity on what is talked about. I’m not sure the definition project’s going to help if it’s a verb. It just doesn’t I don’t think it meets your need.
>> Deven McGraw:
Absolutely. It doesn’t fit well into the factors that have been defined. But my suggestion is, we go ahead and get started. And you know, where these issues come up where how we might come down on it is dependent on what exactly we’re talking about. We should flag that; run through, you know, sort of the various concerns
>> :
So we’re just still discussing from an unknown noun perspective.
>> Deven McGraw:
Yeah, but it’s not a complete unknown. The we didn’t pull it out of the air. We need to just have some idea about what we’re talking about.
>> Kirk Nahra:
Well, and again but I guess what I take from this is, we need to just be cognizant of that issue as we walk through this. I don’t think I mean, again, if we take each one I mean, we’ve tried to do these policy factors. I mean, this is maybe I don’t know that it was front and center in our thinking, but I mean, these are written to be generally applicable principles, and so it may be possible that you could look at, you know, one of these and say, “Oh, well, that doesn’t quite fit this one model that’s in Portland.” But we’re not going to do that. We’re not going to I mean, I don’t that was the kind of exercise that I think we were heading towards when we were talking about some of the choice issues, and it just seemed from the way we were having the discussions to be sort of a bottomless pit. We’re trying to avoid that. The goal here is to avoid that bottomless pit. If there are places where, you know, we simply can’t say something because of these ambiguities, we’ll skip it and move to something else. I mean, I guess I don’t want to get hung up. If we look at one of these and we’d say, “This is a lot of detail, we’ve got to do 10 different variations, and we need six hearings on it,” that’s got to be off the table. That’s the rest of our existence.
So that’s sort of the idea that yeah, I mean, I just had so that’s I think we’ve got to look at these issues and figure out if there are points we can make that won’t require 5 years of work to make the point. If the answer is, “There aren’t any,” that’s o you know, that’s okay. But I hope that’s not the answer, but I mean (laugh), that may be the answer. But if we start moving down the a path like that, I think I mean, that’s going to be definitely might as well just say, “All right, we’re done with that one. We’re not going to make it, but we’ll move on to something else.”
>> Deven McGraw:
We’re going to move on, right.
The other thing that I hadn’t stressed enough in my explanation about how we’re going through this is that, for each of the factors, we are going to need to identify whether there is a rule in HIPAA that already addresses this and talk about what that rule is, what it covers, and the extent to which there may be a gap that we might want to recommend be filled or be explored further. Again, that’s consistent with the way that we have approached the issues, if not from the beginning, then at least from most of our lives, as a Workgroup, which is looking at, you know, what’s new about this environment and what, beyond HIPAA, might be needed on the privacy and security front. So you will see some references to HIPAA in here.
Okay. Let’s go ahead and get started. Factor 1: The ability of a participant in an electronic health information exchange network to view, access, or request health information without the prior knowledge of the source of that information creates new challenges to protecting privacy. And there are a number of issues to be highlighted here. Careful consideration must be given to who should be allowed to participate in or have access to health information exchange networks and for what purpose.
The factor’s identified here: It’s possible today that entities not covered by HIPAA could be network participants. If our recommendation to make these entities for example, health information exchanges subject to HIPAA were to be adopted, that may address this concern, because those entities would then have limits on how they can use and disclose information that could be directly enforced. If HIEs are just business associates of covered entities, their obligations with respect to the information are governed only by that contract and cover only the data that the covered entity submits to or passes through it.
The other issue: Providers participating in a network may be able to access patient information outside an episode of care. Providers participating in a network may be able to access information about patients with whom they have no prior relationship. While the HIPAA Privacy Rule addresses “minimum necessary,” it is unclear if a collection limitation’s fair information practice type of requirement is possible or practical and what the scope of that requirement could be. Now, “minimum necessary” does apply to requests for information, but it will only apply to HIPAA-covered entities and does not apply to requests, uses, and disclosures for treatment purposes. Electronic health information exchange networks present a countless number of new scenarios with respect to access to health information, and the rules that apply to such access should be clear. However, placing overly stringent limits on the purposes for which information may be accessed through networks may limit its utility as a public good. (Inaudible)
Okay, so that’s Factor 1. Okay, Steve wants me to keep going. I’m going to do a lot of reading here. I’m your narrator today.
>> John Loonsk:
What is your process here? What is it I mean, because it’s I mean, I don’t mean to
>> Deven McGraw:
Well, my you know, actually, we have talked about me reading all of them. It’s but I had gotten through a whole chunk of information. We need to do that for purposes of this being a public meeting, first of all. And second of all, it’s possible it is possible that some of the issues that folks might start jumping in and raising are also raised in other parts of the document.
>> Steve Posnack:
It might be easier just for processing and time purposes if we just go through those the actual factor
>> Deven McGraw:
The bigger factors. Okay.
>> Steve Posnack:
And then we can go back and start revisiting
>> Deven McGraw:
And then we can go back. Okay. I’ll do that for
>> Steve Posnack:
and limit the amount of reading you have to do.
>> Deven McGraw:
Oh, I appreciate that, Steve. For each of the remaining factors, I’m just going to read the factors as opposed to the issues to highlight within them. And as we discuss those factors, we’ll get down more into the details.
Factor 2: Confidentiality, privacy, ad security protections should be established to prevent access to an electronic health information exchange network for unauthorized purposes and to limit the purposes a network can use health information itself.
Factor 3: Once health information has been accessed via a network and recorded into a provider or other entity’s record about an individual, such health information should be treated as it is today under HIPAA and State law. Two sets of rules, one governing information obtained from a network, and governing information obtained from other sources would be impractical.
Factor 4: In determining the types of choices consumers should be able to make with respect to the exchange of their health information via a network, steps should be taken to incorporate the rights of consumers with the legitimate needs that providers and other entities have to access, use, and disclose health information.
Factor 5: Policies should promote privacy and security but not add such complexity that it creates significant impediment to the development and benefits of health information exchange networks.
Final factor: The protections established for health information exchanged via a network should take into account the potential benefits to health care delivery, transparency, quality improvement, and population health.
And that’s our first draft on factors, which and I read factor in excruciating detail, so (laugh). Does anybody have any thoughts, comments?
>> Jill Callahan Dennis:
This is Jill. There’s none of these that I overall factors that I disagree with, but I did have a question about Factor 3. And the question was, sort of, “Where is it coming from?”, because providers don’t really make that distinction now. The distinction that providers rely on, in terms of what information is theirs versus not theirs and part of the record, is whether or not they use it to make decisions about the patient. So I don’t disagree with Factor 3. I’m just wondering if it’s necessary.
>> Kirk Nahra:
Well, it’s put it this way: It’s I think it’s clearly necessary, because we spent the last two meetings going in a different direction, where we were talking about what could be used with the information, how they could access, what they could reach in, and what they could do with it when they got it. So we had an extended discussion. Again, I’m in exactly the same place that you are at the conclusion. I would love to think that that’s an obvious answer, but I
>> Jill Callahan Dennis:
This is just to protect against
>> Kirk Nahra:
Well, but it wasn’t. I mean, there were we had a whole discussion about whether we were going to have different restrictions than are in HIPAA for this information. Again, one of my personal views one of the stronger ones I have is, I think if we say to a doctor, “If you get the information through Channel X, you have to do one set of things, but Channel Y, you have a different set of rules,” I think that’s a bad result. That’s what this factor is designed to sort out. But that was not at all I mean, we had a lot of discussion about that. So it wasn’t at all an automatic...
>> Alison Rein:
This is Alison. I think, in some respects, it goes back to the point that John raised at the beginning, which is that some of this is dependent on the nature and structure and decisions made at the HIE level. And I almost feel like I don’t want to impose Factor 3, because it could be that because of an HIE structure or process that they’ve implemented, they wouldn’t necessarily come up against this issue.
>> Deven McGraw:
Tell me a little bit more what you mean by that, Alison, because I’m not following you.
>> Alison Rein:
So I mean, I think what we heard, perhaps I can’t remember if it was the folks from Rhode Island, but I think that they were because they had structured it, you know, as a State-level entity and with a certain set of protections and only used for certain things that they were able to manage this distinction. And so, I don’t know I mean, I’d have to, you know, get that person back or follow up with a specific question, but it I have a sense, at least from the way she was describing it, that, you know, information from the providers gained through the quote-unquote “traditional” means they have now might not necessarily be treated the same way as if they were doing that through the HIE, because of the nature of their HIE.
>> Deven McGraw:
Okay. Now hold on. Just when we had this discussion, Kirk and I, I think there’s a distinction between saying that we’re going to regulate exchanges differently and maybe even more restrictively than we’re going to regulate current covered entities who’re handling this information I don’t think that’s what #3 says. I think what #3 says and that’s certainly what we intend for it to say is that a piece of information we don’t want to have two different sets of rules applying to it when you know, because within the doctor’s office, for example, because they originally got it from the HIE and then it became part of their medical record that suddenly, you know, they’ve got Deven McGraw’s medical record and the information that they have on me that they generated within the office is treated under one set of rules, and the information that they got on me that they drew out of the HIE is treated to another set of rules. But we’re not saying, in #3, we’re foreclosing the possibility, at least in my view, that we would regulate a network and their uses of information and how information can, in fact, be exchanged in and out of it differently than we would regulate the use of data within an institution or by an institution, like a hospital or a doctor.
>> Alison Rein:
Right, but even going back to your first example, I mean, it’s conceivable to me that, you know, a provider office, if they pull information from an exchange, then would just, you know they would have information on a patient. They would pull it from an exchange for a specific purpose, but then it may not cross that, you know, firewall or threshold or whatever in order to become
>> Deven McGraw:
If they use that piece of information, Alison, they have to make it part of their record. They that’s their legal obligation as a provider in keeping their records. It becomes when it’s becoming part of their record, that’s where I it makes little sense to treat it differently.
>> Alison Rein:
I don’t know what the rules are if you just view it. I really don’t.
>> Kirk Nahra:
Okay. Well, that’s I mean, that’s we hear you. Are there other people who have thoughts on that issue?
>> John Loonsk:
The point you’re making here might be clearer if I think it was clearer to me when you said “getting it from care” or “provided” when you say “governing information obtained from other sources,” that’s just ambiguous enough to me that I didn’t understand the concept. What you’re really saying is “information a provider gets from care from provision of care” “information they get from a network,” right?
>> Alison Rein:
And that’s a much more specific...
>> John Loonsk:
He may be generalizing that, too, but I’m just trying to completely understand I was trying to completely understand what you were saying, and...
>> Deven McGraw:
Okay. Well, I mean, I’m a little bit worried about narrowing it to a care setting.
>> Kirk Nahra:
Yeah. I mean, it’s look, they doctors can get information today in however they get it today. And whatever they do today, they follow the current rules for that information.
>> :
They could be getting it for coordination of benefits.
>> :
Right.
>> Kirk Nahra:
For whatever reason they’re getting it for. So let me just forget the wording a second, John. You want to just understand the concept. So here’s what we’re trying to do.
>> John Loonsk:
You’re only talking about providers.
>> Deven McGraw:
No, it says “other entity.”
>> John Loonsk:
Okay. Is the patient in that?
>> Deven McGraw:
We’re not trying to regulate patients.
>> John Loonsk:
Well, you’re not trying to are you trying to regulate anything? I mean, I
>> Deven McGraw:
We’re making recommendations for policies. It flows John, it flows from things that we have said before, which from the outset, we have always said that the patients’ interactions we’re not trying to limit those in any way. And in fact, we might add statements in here at some point to encourage more patient interaction and empowerment.
>> John Loonsk:
I wasn’t trying to object to the general point. I was just trying to clarify the language, which, I mean, (inaudible).
>> Deven McGraw:
Okay.
>> Steve Posnack:
I mean, it may be helpful, as we talk through this more, to see what we mean you know, figure out if we can name other entities as providers, because you called them out
>> Deven McGraw:
Right. It’s okay.
>> Steve Posnack:
trying to tease out other records there are.
>> Deven McGraw:
Well, right. I mean, per
>> Kirk Nahra:
But I guess I mean, my view is, it sort of doesn’t matter. I mean, what we’re t what the point of this approach is to say that, “Look, we’re not proposing, in this factor, to define how people are getting information from these networks.” We spent a lot of time on that earlier. We were talking about “Do you access it only for treatment? Do you access it for treatment, payment, operation, (inaudible) research” all that stuff. We punted on that issue for the time being. We don’t have an answer for that issue yet.
All this point is saying is, when people get information from a network, whoever it whoever we ultimately decide can get it, and for whatever purposes we ultimately decide they can get it, once they have it, it’s all subject to one rule the rules that exist now on what they can do with it once they’ve got it. The difference that we spent a lot of time talking about was the opportunity to reach out and get a broader range of information. Today, as I understand the HIPAA structure, if a hospital calls up another hospital and says, “I want the records of all the people you have treated in that hospital, because I want to do some work on my end to figure out how we compare to your hospital,” they’re not supposed to give it to them. They can’t give it to them. They’re prohibited to giving it to them under HIPAA.
>> John Loonsk:
Nor does any HIE, to the best of my knowledge.
>> Kirk Nahra:
But that it’s irrelevant, John. That’s not the point. The point today is, they can’t get it today that way. They’re supposed the hospital on the receiving end is supposed to say no. It would be illegal for them to say yes. The opportunity that is created by the theory of these networks many of them may be set up not to permit that or may create controls not to permit that, but the possibility existed. And there were lots of people on this Workgroup and otherwise who were concerned that a hospital had the technical capability, in some situations, to reach out and get information that they could not get today. I’m sort of with what you said on that, which is, “I don’t think anybody’s going to do that. I don’t think anybody’s going to set them up that way.” But we didn’t have agreement in this Workgroup that that’s how it was going to be, because we didn’t know everything about what these networks were going to look like.
So we’re not trying to deal with that issue. We’re trying to deal with it once you get the data. Whatever the rules are, wherever you got it from, whatever the kind of HIE it is, any form you think of, once you have it, you follow the same set of rules that you apply today for the information that you get from all the other places that you get information.
>> Deven McGraw:
One thing that this discussion is actually making me realize and John, your point about what who are we talking about providers, and in what context, back to the point that gets raised in Factor 1, is that we don’t you know, right now, these entities, you know, don’t have multiple participants, to the best of our knowledge, that are not already covered entities. They’re mostly hospitals, maybe doctors’ offices, and a few more advanced areas. But the fact of the matter is that, you know, to the best of my knowledge, there’s nothing that prohibits a network from being established that has participants in it that are noncovered entities. And I think what we’re talking about here in Factor #3 is really a concern that current covered entities that are accustomed dealing with HIPAA rules, with res and their applicable State laws, with respect to health information, when they’re interacting and getting information, as is permissible for them through the network, to have two different sets of rules governing the data piece that they are incorporating into their records.
So one possibility is to say that in Factor 3, we’re really talking about where covered entities are accessing information through a network. And I think we if we’re okay with we’re sort of closer to reaching a statement that people are agreed upon, I think we’d have to leave to another day the issue of the other entities not (inaudible) participants in a network that might not be covered entities, because that leads into a little bit of some of the issues that we raised under Factor 1, because we don’t have a consistent set of rules to apply to noncovered entities, because they don’t they’re not covered by HIPAA right now. So when they get the data from a network, there’s no rule right now that govern how they use it.
>> Kirk Nahra:
Although, again, these principles are intended, I think, to be sequential to our earlier recommendation. So our earlier recommendation does, in fact, make all the participants in these networks in the covered entities.
>> Deven McGraw:
No. It covers the entities themselves, but did we say all of the participants should be covered entities? Okay.
>> Kirk Nahra:
Yeah. I mean, I
>> Deven McGraw:
I think globally, in the HIE (inaudible)
>> Kirk Nahra:
Anyone who’s participating in the network, including the network itself.
>> John Loonsk:
But it would need to be business associates.
>> Deven McGraw:
So yeah. We said they should be covered.
>> John Loonsk:
Not the HIPAA. Not the HIE. You’re saying that I mean, for them to receive data from a covered entity, they would need some sort of (inaudible).
>> Deven McGraw:
Right, but
>> John Loonsk:
It is really extending it out.
>> Deven McGraw:
Right, but the entity itself would have to be covered, which, right now, some of these HIEs are not. And in fact, some of them may be business associates, but where a business associate passes information to another business associate, I’m not sure that’s a that’s one more level downstream, where you’re just talking about contractual obligation (inaudible).
>> John Loonsk:
My point was about those who connect to an HIE that is acting like a covered entity would then assume the role of a business associate from (inaudible).
>> Deven McGraw:
Acting like a covered entity, or a covered entity
>> John Loonsk:
Well, yeah, a covered entity.
>> Deven McGraw:
Right, covered under HIPAA.
>> John Loonsk:
Right.
>> David McDaniel:
Kirk’s comment (inaudible) a question in my head about the fact that once they receive the information, essentially we’re trying to keep them from circumventing the ability to use data for purpose that they wouldn’t be able to get the data to use for under HIPAA today. And if you have access to it and you can just reach out and get it, it’s a little late, because the disclosure is made at that point, once they reach out and get it. It’s too late to say that once you get it, you have to treat it the same way you would under HIPAA. If you have the information in house, you could use it for some of the business purposes to better your organization under operations. But it really needs to be that you can’t circumvent HIPAA to get the data through things that you couldn’t otherwise get it from another covered entity.
>> Kirk Nahra:
Well, but okay. I mean, I agree with what you just said, David, but we ran into a real problems getting the group to agree to that, because that was the model that we tried to we spent a couple of calls laying out, which was we were debating a proposal a recommendation that would say, basically, covered entities could reach into the network and grab information. Yes, that’s the different one of the differences we identified was, they could reach out and grab at themselves in some circumstances was going to be for treatment, payment, and only those health care operations that are permitted today under the HIPAA rule, not all the health care operations, where you’re allowed to reach out to another covered entity, and the other covered entity could give it to you.
We tried to go down that route, and that was a road that, I thought, would mirror the HIPAA environment in the HIE environment. And it would say that today, if I’m a hospital and I want to reach out for one of those other health care operations purposes, for example, I can’t do that. I’m not allowed to. Or I can ask, but the person on the other end violates the law if they give it to me.
So we were trying to mirror that. We were trying to come up with a set of rules that would say, “One potential difference in the HIE environment is the ability, in some networks, to reach out and grab information.” So we were going to restrict how you reached out and grabbed it to only purposes where, under HIPAA, you could reach out and grab it. See, that’s when we started going off track with our discussions. Some people said, “Well, no, we don’t want those health care operations,” or, “We don’t want treatment,” or, “We don’t want payment,” or, “We want permission before we do any of these things,” and then on the other end, “We want to let research and public health come in for purposes that they can’t come in today.” So that’s where we started that spiral of just throwing off different kinds of issues.
I would love us to go back to a position where we would say, “People can reach into those networks for the same purposes that they can grab information today,” which is only treatment, payment, and those limited kinds of health care operations. I think that would be a good answer, although again, the problem is, even with that answer is, maybe that cuts off too many of these other potential goals that we have for these networks. We’re going to have people talking in 10 minutes, from the public health perspective. Today, there’s not an opportunity of public health people to reach out and grab this information. They can tell the people that have it to send it to them. They could pass a law that says you’ve got to tell me about, X, Y, and Z. But public health agencies, at least as a broad general principle, can’t reach into a hospital’s computer and yank out data. They can tell the hospital what the hospital’s obligated to report
>> David McDaniel:
Well, can’t we just determine that that’s beyond the scope of what we’re trying to do this and go back to that?
>> Alison Rein:
Well, actually, I don’t I mean, this is Alison I wouldn’t be happy with that outcome. I mean, to me, the whole point of having a health information exchange is not only to facilitate exchange of information between the existing players, but to generate far more utility for other entities that, thus far, don’t really get any utility or very little, limited utility out of the system.
>> David McDaniel:
I just hate to see us make a recommendation that is a compromise to that position just because we don’t have the time or the luxury of chasing all the rabbits that need to go in
>> Alison Rein:
But what’s the benefit of making the recommendation?
>> David McDaniel:
Well, I think, for me, the thing I’m struggling with is, if you reach into that network and you take something that I’ve put out there, essentially, that’s a disclosure on my part that I’ve disclosed that information to you. And I don’t want you to be able to go and essentially force a disclosure just because I’m in a network with you that I wouldn’t make otherwise under HIPAA. And if our recommendation says that once they have it, they have to treat at a time same way they would under HIPAA, the disclosure’s already made. And essentially, I’ve made by participating in that network, I’ve already made a disclosure that, under HIPAA today, I would not be able to make, because I’d be making it for a purpose that you might take it and use it for something that I don’t have the ability
>> Alison Rein:
And that’s why there’s so much thoughtfulness that needs to go into how you structure your HIE and who’s in it. And the purposes for I mean, I think this all goes back to Factor 1, right? I mean, isn’t this a Factor 1 discussion, as opposed to a Factor 3 discussion?
>> Deven McGraw:
Yeah. I mean, there’s I don’t think you can think about the factors as not interconnected. They build on one another. I think I do think a lot of the issues that have been raised in our discussion on Factor 3 are relevant to some of the points that are also raised in Factor 1. I don’t think they’re resolved.
>> Alison Rein:
No, I don’t think they’re resolved either. I guess I just the first question came up on Factor 3, but I almost would, I don’t know, advocate for going through these in the outline in which they’re presented, unless they weren’t presented in that order for a reason.
>> Deven McGraw:
Yeah. They’re they do tend to they’re well, some of them seem to build on the ones that came before. I think others are more global in nature, but there was they are in a particular order. They’re not random, or not completely random (laugh).
>> Kirk Nahra:
Let me just raise a more simplistic process question, which is, our agenda says we were taking a break 5 minutes ago. I guess the question is whether we want to do that, or whether we want to take a break after the discussion (inaudible).
>> Steve Posnack:
Dr. Overhage couldn’t make it on until about 2:30
>> Kirk Nahra:
No, no. But I mean, say that 2 keep this discussion going until 2:05. Then I’m just I’m it’s a question. I mean, I’m not you know, rather than take a break now, when we’ve been going for 45 minutes...
>> David Sundwall:
This is Dr. Sundwall. Can anyone hear me there?
>> Deven McGraw:
Yes. Can you hear us?
>> David Sundwall:
Yeah, I just patched in about a half an hour ago. I’ve been listening to this discussion. It’s my s on my calendar, I’m scheduled to make a presentation at 2. Is that your schedule?
>> Deven McGraw:
Indeed, it is.
>> David Sundwall:
Okay.
>> Deven McGraw:
In fact, we were just talking about you, so you’re very well-timed.
>> David Sundwall:
Okay, good. Well, I didn’t hear it. I was list (laugh) maybe not
>> Deven McGraw:
That’s okay.
>> David Sundwall:
Anyway, I don’t want to rush you or change your plans. If you want to take a 5-minute break, that’s fine with me. But anyhow, I’m here and ready to go when you’re when you are.
>> Kirk Nahra:
Okay, thank you. I guess my sense is, let’s continue on for a few more minutes, and let’s and then we can turn it over to our speakers, and then we can take a break after those speakers.
>> Deven McGraw:
Dr. Sundwall, can you give us about 10 minutes? And you’re welcome to stay on the line, but we won’t queue you up until about 2:05.
>> David Sundwall:
That’s perfect. That’s just fine, because I need to take an errand, and then I’ll be right back.
>> Deven McGraw:
Okay. Well, super. (Laugh)
Okay, we’re getting back to where we were. I do think we’ve had some issues that have been raised in #3. I think we should keep those in mind and shift the discussion a little bit to some of the factors raised in #1, also keeping in mind some of the some of what we’ve just talked about on the public health side, David and Alison, that’s precisely why we asked a couple of folks to address us today. So that discussion was very nice (laugh), whether you meant to or not.
Okay. So again, these are sort of drafted at high level. One of the keeping in mind that, in fact, we have made a recommendation that participants in the exchange, in addition to the exchange itself, should be covered by HIPAA, which, again, means we have treatment, payment, and health you know, use of the information for treatment, payment, and health care operations without, you know, consent, all and some of the other uses with consent. The research rules would apply. Public health exceptions would apply. (Inaudible) some of the issues that have been raised here in these policy factors the issues to highlight.
I know one of the things that we’ve spent a fair amount of time talking about on our Co-chair calls was the notion of a limitation on collection of data, because right now, you know, when these entities are not networked, you have as Kirk laid out before, you have to ask another provider for information that you need for treatment or payment or for health care operations, to the extent that you can get it where there’s a common patient relationship. And you have to find out, really, maybe even by asking the patient, where they what other providers they may have seen, so that even if you don’t have a consent requirement worked into the law, there is a, by operation, opportunity for engagement, because you may not necessarily be aware that that particular patient has been, you know, to X provider, X hospital whatever. In a networked environment, there is more of an ability to, again, reach in and view information and access it without necessarily having those prior conversations with the patient having it necessarily be for an episode of care.
Now, keeping in mind that our previous recommendations have been that the networks themselves, as well as all of the participants, should be covered by HIPAA so their uses and disclosures and access to data are limited. And we have the minimum necessary provision in HIPAA, which does apply to requests for information, in addition to uses or disclosures for purposes that are not treatment. Is there more that we need to say here, given that one of the concerns that comes up repeatedly is this sort of fishing expedition issue that you know, that often gets raised and grappled with in various contexts? Thoughts?
>> John Loonsk:
Yeah, I guess my overall reaction to this is that our experience issues that are raised here are actually not new. They may as you stated, some of them may be facilitated. There may be additional opportunity but that the issues are frequently not (inaudible), and that I do find some of the language here to be a little bit inflammatory (inaudible) to countless number of new opportunities or reaching in and then I think that what I need to analyze and looked in what ways that thing are actually happening. So if anything it’s more restrictive, not less, then what is actually happening in paperwork.
>> Deven McGraw:
Right.
>> John Loonsk:
And so, yes, there are new opportunities, but I don’t think I think the whole “reaching in” concept, the concept of countless number of new scenarios, bears some explication, because that it’s not quite that’s not how it plays out. Most of the scenarios are have analogs in the paper world, even if some of them are harder to accomplish.
>> Alison Rein:
Well, but I think that’s precisely the point. You your analog in the paper world for pulling a discrete patient’s information may be a fact, but the idea of being part of a health information exchange, in part, is that you could, you know, ship a lot more information at the click of a button, obviously with the, you know, standard protections and protocols, etc. under whatever agreement you have. But I you know, the it seems to me that the scale of things and the possibility for information exchange is widely different, which is exactly the point. It’s you know, I don’t know that we want to
>> John Loonsk:
I’m not don’t want to belabor the point. I just think that things I don’t object to the fact that scale and is different and opportunities may be more plentiful. But to say that there are countless new scenarios and to talk about reaching in and grabbing information, I think, is not does not do a complete service to those who’ve been very thoughtful about how the system is as it is now, and this doesn’t really explain how things are occurring.
>> David McDaniel:
Well, I think that’s probably the thing that’s concerning me a little bit. And talking about it in those terms sort of takes it out of the context of the rules that we have to work by today, which are use and disclosure rules. And if we’re talking about HIPAA being that applicable ground floor for everybody, shouldn’t we be talking about it from the use and disclosure perspective? And if you’re participating in a network, you can’t, just because you have access to it, go and get it and create a disclosure for that other covered entity that that other covered entity couldn’t make to begin with. That was my earlier point that I think changing the syntax of how we’re going about this changes
>> Alison Rein:
Those are things that are defined by the HIE. I mean, that’s my understanding, at least. And I don’t know if others in the meeting or on the line care to
>> John Loonsk:
I think that bears just a little bit of discussion, because for most HIEs, or for many, at least, you’re going back to a provider organization. The HIE is not the respondent in an information request. It’s the provider organization that has the data. So that’s where
>> Alison Rein:
Right, so but the rules that you have in place as a participant in the HIE you know, there’s the fixed set of players that you’ve determined can participate, and then you have agreements with each one. And my understanding is that there’s language within each of those agreements that talks about, you know, what’s allowed under this disclosure.
>> David McDaniel:
And I’m very comfortable with that. All I’m saying is that just because that’s the way they’re doing business doesn’t mean they can circumvent the requirements of use and disclosure that are set forth in the Federal or State laws, like HIPAA, that say, “Just because my agreement says I can share it with you in a different way doesn’t mean that they can do that,” especially in an environment where it’s much easier for them to do that because they now have access to it.
>> Alison Rein:
Except that they’re all well, at least from the provider example that we’re talking about now, they’re covered entities. And I think, to Deven’s point earlier, we’ve recommended that participants in these exchanges be treated as covered entities, right?
>> David McDaniel:
Right.
>> Alison Rein:
So then
>> David McDaniel:
But I think that’s a huge assumption on our part: that they’re going to translate that to this new environment.
>> Alison Rein:
But that’s a recommendation. I mean, I agree: It’s not necessarily an assumption that we can make, but it’s we’ve already made that recommendation.
>> Deven McGraw:
We have, and I think, you know, that any sort of subsequent that’s why there’s actually language in here that acknowledges the fact that we’ve made that recommendation. But as Kirk himself said, they’re not self-executing. So we both have to deal with the world as it exists today, but also what might be potential that’s foreseeable but, of course, without getting, you know, completely out of hand and envisioning scenarios that are completely unlikely.
So I do think it is worth, to John’s point, talking about what we do know about what the current HIEs are doing, because I don’t want to suggest that we don’t have that we haven’t explored, that, because we have. And to, for the most part, the extent to which these are being used beyond for purposes other than just treatment is pretty slim. And again, we’re about to hear from a couple of them about public health uses that they’re either doing now or they’re foreseeing. But we can’t assume that you know, we have a set of assumptions that we’re building on, but I think our letter is going to have to be more fulsome to deal with the fact that we can’t control where our recommendations go, and we want to sort of tee this up, so
>> John Loonsk:
I have a question quick clarification. You your previous recommendation was that HIEs be like covered entities, and there was some discussion here of the participants in (inaudible) covered entities, which is a different thing.
>> Deven McGraw:
Not the (inaudible).
>> John Loonsk:
(Inaudible) I’m sorry. Yeah. Being covered ends yeah, sorry. I apologize. We have a
>> Kirk Nahra:
Okay, I don’t think that’s right, actually. So I want to can someone when we take a break, can someone pull up that recommendation? Because I don’t think that’s right. (Inaudible)
>> Deven McGraw:
That wasn’t the way that I remembered it, either, but everyone was nodding their heads, so I thought maybe I should (inaudible).
>> :
You know, I can remember the first line
>> Kirk Nahra:
I want to get the recommendation, because, I mean, we’re talking about foundation.
>> Deven McGraw:
All right. Well, we’re actually
>> Kirk Nahra:
“All persons and entities that participate directly in or comprise a network.” So it’s both, and we got to be real clear about that. So, all right, listen, we need to break. We need to stop and Steve, you want to introduce our first speaker? (Inaudible)
>> Deven McGraw:
Dr. Sundwall, are you back from your errand? (Pause) Okay. (Pause)
>> Kirk Nahra:
Can we tell if he’s on the line?
>> Deven McGraw:
He is on the line. Yes, he is.
>> :
Hold on one second. He just walked down the hall. (Pause, inaudible)
>> Deven McGraw:
Dr. Sundwall?
>> :
(Inaudible)
>> :
No, he’s not on till 2:30. (Inaudible)
>> :
Dr. Sundwall stepped out for just a moment. He’ll be right back.
>> Kirk Nahra:
Okay, can you
>> Deven McGraw:
Do you know when “right back” is?
>> Kirk Nahra:
Yeah, he was supposed to be back already, so we need him.
>> :
Like, seconds. He’s probably walking in the door as we speak. Hold on. He’ll be right here.
>> Deven McGraw:
Okay, thank you.
>> Kirk Nahra:
Make sure he tells us when he gets on. (Laugh)
>> John Loonsk:
Is it fair for me to make a comment
>> Deven McGraw:
Sure.
>> John Loonsk:
on a different factor? I just
>> Kirk Nahra:
No, don’t start something new. (Laugh)
>> Deven McGraw:
Don’t go there, John. (Laugh, inaudible)
>> :
We’ll get to the public health issue at 4:30 (laugh).
>> Thomas Wilder:
Hey, while we’re waiting this is Tom Wilder I’m just going to throw out a thought here, and I may be insane. But I’m wondering, based on the discussions we’ve had today and some of our prior discussions, if staff and our two respective Co-chairs feel like they have enough information to actually maybe draft up a letter that sketches out some of these things and making make some recommendations, and then we can take a look at it and say, “Yeah, we like that or don’t.”
>> Deven McGraw:
Well, you know, this is that’s certainly the direction that I thought we were heading in. We really wanted to use this meeting as an opportunity for people to at least react to what we had on paper here, because that was sort of the beginning you know, the use of this as the platform on which we would build a letter. So, you know, that would really be the next step, Tom. That’s exactly what we envision. So this is the sort of kind of vetting of our sort of initial thoughts with everyone in the Group, so that we, you know, are drafting a letter that might even be better or more fulsome more comprehensive than one we would create with just these you know, the two pages that we were able to come up with.
>> Thomas Wilder:
Right, because, I mean, I I mean, looking at these the kind of way you’ve laid it out, I actually I like the way you’ve laid it out. I think you’ve stated all of the issues. I’m not saying I necessarily would agree with all of them or disagree. I don’t know you know, I might wordsmith a few things, but to me, you’ve provided a good outline, and what you know, we need to let you know if there’s anything else in terms of an issue that we would want to plug in. But I think it’s a good start for a recommendation letter.
>> Steve Posnack:
Tom, this is Steve. I think, you know, in our discussions over the past couple weeks with the Co-chairs, that’s pretty much exactly what we were shooting for in terms of putting together an outline. If workgroup members have additional factor-level points that they’d like to tee up to add to the outline, we’d be happy to do that. And to your other question, I think, after today, we had hoped that we’d, you know
>> Deven McGraw:
Turn it around to a letter.
>> Steve Posnack:
start drafting it into some form of a letter.
>> Deven McGraw:
Yeah. So one thing I mean, this is the this meeting is the opportunity to get input on other issues to raise in the letter issues with the language as we’ve currently drafted it. But also you know, there’ll be times after the meeting, you know and folks digest this a little bit more for you all to send us emails that we can incorporate, so... Dr. Sundwall?
>> John Loonsk:
I think it’s a comment that won’t require resolution.
>> Deven McGraw:
(Laugh) Okay. Go ahead, John. (Laugh)
>> John Loonsk:
Just in factor 2, to both prevent access to
>> David Sundwall:
Hello.
>> John Loonsk:
electronic health information
>> Kirk Nahra:
Is that you, Dr. Sundwall?
>> David Sundwall:
Yup, I’m here.
>> Deven McGraw:
All right, John.
>> John Loonsk:
All right, almost
>> Deven McGraw:
Hold that thought. Okay, Dr. Sundwall, that’s great.
>> David Sundwall:
Okay, now, I would appreciate, because I was a latecomer and all this, if you’d give me an idea of the audience and if, in fact, you have either my PowerPoint up or distributed or where give me an idea of the context of our meeting here.
>> Deven McGraw:
Sure. Sure. We’re trying to get a sense of how health information exchanges are either currently facilitating or hope to, in the future, facilitate public health improvements. And we haven’t really heard from any health information exchanges on this particular issue. We’re hearing from you first today, and then we’re hearing from Mark Overhage as well. We have your slides. They are here with us in the room, and they’re also this is a Webcast meeting for the public, and your slides are also up for public view.
>> David Sundwall:
Oh, they are. Okay.
>> Deven McGraw:
Yes, so you just need to let us know when your next when you’re moving to the next slide, and we will take care of that for you.
>> David Sundwall:
Is could I tap I would have a technician help me, but is there a Web site that I could go to so I could see this as I’m speaking? The Webinar? Or is that too late to tap into that?
>> Deven McGraw:
I’m much I don’t usually bring that material with me, because I’m sorry. I am not I’m physically here. (Laugh)
>> David Sundwall:
Well, that’s okay. Let me go ahead, then.
>> Deven McGraw:
Okay.
>> David Sundwall:
And I would I’ll have I’ll anticipate that next time.
>> Deven McGraw:
Much appreciated. Thank you.
>> David Sundwall:
Good. Okay. Well, I’m very pleased to be asked to present to this prestigious Group. I know that our former Governor and your current Secretary chairs this committee, which then indicates his commitment and interest in this very important community. I’m going to start with the outline. Do you have that up?
>> Deven McGraw:
We do.
>> David Sundwall:
Okay.
>> :
We will.
>> David Sundwall:
Just I’m going to try and get through a lot of information, and I hope we don’t get bogged down, but just over a quick overview of State roles in health information exchanges, the public health mission. And I’m going to be kind of parochial there, meaning I’m going to give take the public health officers’ point of view and make a pitch for why it’s so important that we embed public health exchange in all of these things, which too often seem to be talked about in terms of, quote, “clinical data,” unquote, but we think that the public health reporting is equally important.
The value of the public health exchange participate in clinical information exchange this is just essential. By the way, you may or may not know that I represent ASTHO, the Association of State and Territorial Health Officers, on the State eHealth Alliance and am a full voting member now. And in our meetings, what’s been impressive to me is how sympathetic the Governors are to the inclusion of public health data. There hasn’t been anything but positive and supportive comments. So I’m sure that whatever they come out with in recommendations will be a strong endorsement of this including of public health reporting capacity, both and I overheard some of your conversation earlier both to and from. In other words, it’s a push-pull. It’s not a just “Give us your information.” We would be able to give information back that would have public health utility and then some of the challenges posed by the standard setting, as we’re all aware of.
The relevant roles next slide. Things that we believe States are charged with doing, of course, is protecting and promoting the public’s health that’s the very raison d’etre of health departments setting the regulatory and legal environment for health information and privacy issues, regulating the insurance market, licensing and credentialing of health professionals and facilities and by the way, the whole e-health things raises new wrinkles there because of cross-State licensing and credentialing, and we’re going to be talking with the federation of State medical words about that in May. We need to States should purchase and fund health care services for needy populations through Medicaid, and we do that. In my agency, we have Medicaid as part of it, so both the provision of services and public health are all in one large agency. And legal protections for consumers is obviously important. And we participate in our State RHIO here, which is a statewide one and was one of the first funded RHIOs one of AHRQ’s first five funded Regional Health Information Organizations.
Next slide is the State priorities or what we’ve what States are doing now. By the way, this is kind of taken from the I guess it was the Commonwealth Fund. NGA funded the Commonwealth Fund to do this report on who’s doing what in the States. And we’ve taken the liberty of embellishing it a little bit, because in the survey which we participated in, we either we dropped the ball or they did, but we didn’t get included in some things that we’re already doing. So if this looks different than what the Commonwealth published, it’s because we’ve added this (laugh) several activities. But we’re not lying. We’re just making it more accurate.
But anyhow, you can see there, at a glance, what States are involved in telehealth, e-prescribing, the MMIS replacement which we’re up to our ears in; it’s going to be costly but, we hope, worth it electronic medical records, electronic health records, and personal health records. And I won’t define for you, but you can read that in the Commonwealth Fund how they’re the kind of distinctions between those regardless, it’s exchange of clinical information, however they define it and some decision support tools or particular letter files or prompters, which we think are valuable in clinical medicine.
So you can see a variety of things being done by different States. And just as we weren’t included in everything when we did the survey, I suppose there are other very worthwhile initiatives under way that aren’t reflected in this chart. But it is drawing upon that Commonwealth Foundation report. Next slide.
I hope you’ll forgive me. I’m sure that my audience is a very sophisticated educated group of people. But I find, now that I’ve defended a budget before a State legislature 4 years in a row, I have to keep going back to basics and saying, “What do public health organizations do?” or, “What do you do, doctor?” And I’m surprised, because these legislators, you think, would know. But I think it’s probably benefits all of us to know to remind ourselves what is public health all about. And then it’s the five P’s, I call it: certainly protecting our citizens from harm’s way, be it natural or manmade problems; preventing unnecessary injury and death; promoting healthy lifestyles and I do think it’s probably the greatest promise of our ever-attenuating health care costs if we’re more successful in investing in public health and preventive medicine. In my State, as I say, we have responsibility in the public health department to provide basic primary and preventive care for the most needy of our population.
And we are, by the way, full participants in the Governor’s health reform efforts. So I just spent this morning in legislative hearing, the very first one of the Utah Task Force on Health Reform, where we’re contributing to that in a substantive way and moving forward, where we hope to be able to cover all Utahans with health insurance. It would be in incremental fashion, not all in one build.
So let me just move on and give you some quick examples of what we’re doing here that fits into these categories, P words. As far as protecting, we do, of course, conduct electronic disease surveillance using laboratory result messages and return to ordering physicians. This is an ongoing thing. I get, popping up on my computer every day, incidents of concerns about disease outbreaks, whether it be a pathogenic E. coli or salmonella or West Nile virus, and those we have that capacity, and it needs to be improved to comply with what the CDC expects of us. But I think most States are attempting to do electronic reporting of mandatory disease of diseases.
Number 2: As far as prevention, we have an immunization we have the capacity to through our UIIS system that’s the Utah Immunization Information System of keeping track of all children’s immunization record and wanting want to make that in some cases, we can make it available to families, not just doctors, but and give a reminder to providers when a child needs an immunization. So of course, one of the foundations of preventive services is immunizations, and we’re very pleased with our UIIS system. And by the way, I think, thanks to electronic records this electronic reporting, we’ve gone, from the day I got here, from 49th in the Nation for 2-year-old immunizations to 31, and now we’re 21. And I give credit in no small part to this technology that helps us do a better job of promoting and tracking.
Number 3, next slide: As far as promoting healthy lifestyles, we can as I said, we can push health alerts to providers through our network based on the presence of disease outbreaks or epidemics. This is not just reporting, and I think someone mentioned that earlier that we really do want that two-way capacity if we’re going to be effective in our public health, education, and information efforts.
Next one, #4: providing basic primary and preventive health care services to disadvantaged. I w the Medicaid program in Utah is a key participant in health information exchange. We have a transformation grant that’s related to pharmacology and long-term care settings. It’s electronic. We they were a founding member of UHIN, the Utility Health Information Network, which I’ll talk about in a minute. But we are as electronic as we are capable of at the moment and hope to get more so, but we also have some incentives for doctors to get on electronic medical records. So Medicaid is helps us as leverage. And you’ll see in a few minutes how we use Medicaid dollars, in fact, to leverage all of our initiatives in electronic health data management.
And as I mentioned, we’re full participants in health reform. A big bill was passed this last year related to health reform in Utah. The foundation of it is electronic health data management. A lot of people say, “Well, what? You didn’t start with insurance coverage?” Well, we hope to get there, but the two things we got enacted in the bill are a statewide clinical health information exchange, both standard-setting authority and money to get it up and running, which we will match with Federal funds, with AHRQ money from our RHIO grant, and with private-sector money; and we also got a reporting of cost and quality data. We think we’ll be one of the first areas in the Nation where we can actually give comparative cost. And I’m not talking charges. I’m talking what was paid for an episode of care, so we can provide comparative information from health plans or institutions on what it costs for a hip replacement or a normal birth or a colostectomy, and we’re looking forward to having that cost and quality reporting capacity up and running soon.
Next slide. RHIO are you keeping up with me? We’re on 11.
>> Deven McGraw:
Yep. We’re good. Thank you.
>> David Sundwall:
Okay. We do have kind of a well-known and mature RHIO. It predated the Federal funding for these things. It’s our Utah Health Information Network. It started in 1993, so you can see it’s quite mature compared with a lot of efforts. It’s impressive, because it’s not for profit. It is the board is all those who use it, meaning the doctors and the hospitals, the insurance companies, Medicaid, so it’s a very nice collaboration between those involved. And it does include the whole State. It’s not for profit. It has a business model that has allowed it to be self-sustaining. In fact, something I I’m not an expert in any of these matters, but as I’ll say in a minute, they do mostly to date have done administrative services the billing and reimbursement of electronic claims. But I think it’s, like, $0.11 or $0.13 a transaction, which I think is quite a bit cheaper than others, but because it’s so inclusive, it’s able to be profitable, because it does so much of the work for the State. And it is a federally recognized standard development organization.
The next slide, on page 12, is really just a statement of how inclusive it is. All over 1,800 payers by the way, that’s obviously a lot more insurance companies and health plans than are based in Utah, so it’s many out of State as well. All of the hospitals; most of the physicians; all of the laboratories; all our local health departments; mental health centers; chiropractors; and mostly most of the dentists, not all but they use this. And the beauty of it is that while if they go through the UHIN, their claims are paid promptly. They may not like the payment they get, but they get it quickly and accurately. So it’s been a service that’s been embraced by the whole health care system throughout the State.
Now, let’s talk about the clinical health information exchange. I told you that we got two bills passed: one that gave the Department of Health the authority to adopt standards for clinical health information exchange and I’m picking up on your conversation. I heard about half an hour of it. I guess there’s a lot of consternation about the standards and how they might be applied, but we are forging ahead and, in fact, going to set such we’re we, as the health department, will adopt the standards that are developed by UHIN. And in the hearing this morning (inaudible), I think you all might have benefited by hearing the discussion between Jan Root and Michael Stapley, kind of two of the folks that at UHIN, because they gave a little bit of the history of how the HIPAA standards were adopted. And while it may be presumptuous and I’m not sure they’re overstating Utah’s role here. I believe, in fact, the HIPAA standards were pretty much developed here 90-plus percent, they said and then were adopted nationally.
But the way they described that happening is, they hardly started from scratch. They already adopt they through a consensus process of those who were going to be using it, they reviewed the national standards and then came to some, I guess, common agreement on what they would use (inaudible). We expect to do the same thing with clinical. We hardly are starting o starting at the beginning. There’s lots of work that’s been done, but UHIN will and by the way, they already have some 20 clinical elements they think they have agreement upon. But anyhow, they will develop standards, the Utah Department of Health will adopt them, and then anyone using UHIN for clinical exchange will have to use those standards. And while we’ve had a little pushback at the legislature from national hospital organizations like Humana or HCA, they all came on board, and they know if they’re going to do business in Utah, whether it’s a national laboratory or a for-profit hospital or Intermountain Healthcare that’s locally based, they’re all going to use the same standards for clinical information exchange. So that was actually Slide 14. (Laugh)
>> Deven McGraw:
We’re keeping right up with you, okay?
>> David Sundwall:
Okay. Let me go back if on 13, if I could, on the public health participation. I mentioned that we have this immunization information system. We also do quite comprehensive newborn screening, including now cystic fibrosis, which was just added this year. And that’s kind of coordinated in something called CHARM, the Child Health Advanced Record Management. And then that will be embedded in UHIN, so that a provider who cared for kid anyone providing care for children should, through this clinical exchange, be able to get that kind of information that would be useful for their medical record. That would, of course, be available to hospitals.
We you see the two-way street: We will get laboratory testing, we have hospital discharge summaries, we can get clinical records, and there can be a two-way exchange with patient approval. And the what is all what all is included in the clinical information will is yet to be determined, but we fully anticipate it will be lab data, pharmacy data, allergies, discharge summaries, and these public health reporting things. Like, we could have embedded the kinds of illnesses that should be reported for the CDC and have that be easy and automatic. And come to the health department, and we could forward that to CDC. And ideally, of course, this is going to happen. But we think we’re very pleased that we’re on our way to have this statewide effort in Utah, thanks to the maturity of UHIN and their being able to jump-start it.
Now let’s go on to 15. Media challenges, of course, were the standards for the clinical exchange. We have that authority now. And by the way, I must admit I never anticipated that you embark on these endeavors. You’d need a legal authority to do that. But it really paralleled what they already did in the insurance commission, where they, years ago, did the same sort of thing, where they needed legislative authority to develop standards for administrative exchanges. So this is a parallel to what we’d already done with the insurance commission, and now we have such authority. And I’ve told you the process that UHIN will do it, basing their standards on a whole lot of work that’s already been done to date, but trying to come to a consensus by among those who are going to be using it. Also, issues of the National Governors Association is dealing with are privacy and verification of health professionals’ credentials, and those are we talked about at the State eHealth Alliance.
I think I’m going to skip 16, because we’ve already talked about that. That’s the adoption of standards and requiring those who elect to participate in electronic change. If you’re going to play in Utah in health care, you’re going to use these standards. It’s now mandatory.
Regarding the privacy aspects, on page 17 or slide 17, we are been a participant in the HISPC’s 40 States and Territories (inaudible) multi-State collaboration. That’s been very helpful and interesting in identifying what are the challenges.
The next slide, you can see the collaborations that are existing, and they continue to analyze data to study the intra/inter-State consent policies. We’re trying to harmonize the privacy laws, develop full strategies to educate and engage consumers. I years ago this is a little parenthetical here I used to be administrator of HRSA in the Public Health Service. And that’s when we developed the National Practitioner Data Bank, which, I thought, was going to be very helpful to address people’s concerns about substandard doctors and providers and but we headed it was a voluntary thing. I mean, we kept the data, but it was proved to be challenged by a lot of legal entities, because it wasn’t required that people in that data bank be made public. Anyway, I’m just saying I’ve got a few scars on my backs from implementing the National Practitioner Data Bank, so I appreciate the challenge we have of trying to get standardized privacy laws. It’s not going to be easy, but I think it’s very important.
And the next slide, on 19, is two of the HISPC projects in Utah. That’s the Consent Data Elements Collaboration. We’re establishing a model for identifying and resolving patient consent and information across the State. And Utah I mean, I’m sure it’s so there are these commonalities, but we’re really a center for care for the intermountain west. We get lots of referrals from Wyoming, southern Idaho, across the boarder from Colorado, because Salt Lake is kind of a large urban area for the West, anyway. And so, all of these cross-State things are very, very important to us and a real challenge. And we’re developing a reference guide that describes requirements mandated by State law for consent.
In Utah, our this is just the HISPC’s projects. It’s adoption of standard policies. We’re trying to get a policy requirement-authenticating audit for UHIN and cHIE this is something we haven’t done yet and need to do and define and implement a strategy to help States and Territories adopt agreed-upon policies. So the HISPC things have been helpful, but I think we’re moving ahead regardless of some gaps in all of that.
The last thing I want to just mention briefly here is about the State (inaudible). This State alliance, as you know, is a National Governors Association initiative. It’s chaired by Governors Bredesen and Douglas, and it’s been informative for me to be able to sit in that. And like I told you, there’s already a lot of sympathy and support for public health inclusion in whatever electronic health data management is developed or promoted. But we’re trying to harmonize standards across the board, whether it be for privacy or legal liability, and allow for dialogue among States that will get creativity going and some parts of me want to make this a Federal thing, but others when I realize the vitality of various regions or States, you don’t want to stifle that allow for public input to inform State policymakers. And we’ve heard from plenty of presenters that are the meetings we’ve had to date.
We want to develop a nationwide core this next slide set of credentialing requirements with standard online licensure applications. I have I will be representing the State alliance at the FSMB that’s the Federal State Medical Boards in Texas in a few weeks, and they historically have done a great service by having model legislation related to liability and to licensure. And I should think they might have a role here. We haven’t I can’t say that the alliance will recommend that yet, but I wouldn’t be surprised that that that is an entity that might, in fact, replicate their previous good works in model leg State model legislation by doing something like that for licensure-related positions and even e-health issues and establish a single central coordinated credential verification that would be great CDO for verification of providers. I think that would have a lot to do with quality of care and support licensure structures to facilitate e-health.
So I hope that’s not too much information. I think what I’ve tried to do is let you know the role of one State, one health department, and our intent to go build upon where we are. We’re quite proud of what we’re doing but have some major new responsibilities with this statewide clinical exchange and cost and quality rep comparative reporting for episodes of care. And so, with that, I’ll just stop and see if there are questions or discussion.
>> Deven McGraw:
Thank you very much, Dr. Sundwall. We have Mark Overhage on the line, I think it probably makes sense for us to hear from him first, and then so I hope that you can bear with us I think folks with us, because I do think folks in the room and on the phone will have some questions for you, but I think it will make the most sense for us to hear about what’s going on at the Indiana Health Information Exchange. And then that way, the two of you can answer and provide your perspectives on questions that we might have.
>> David Sundwall:
That’s great. I’m happy to do that. I may I have a 1:00 with the NGA, but I can step out and come back in. And by the way, I just can’t resist telling you that Indiana and us and a few other places are what the CDC calls the Fabulous 4, so we’re in good company.
>> Mark Overhage:
(Laugh) I’d never heard that. (Laugh)
>> Deven McGraw:
No better introduction than that.
>> David Sundwall:
No, Indiana’s terrific. The Regenstrief Institute and by the way, Clem McDonald’s originally from Utah. That’s so smart. (Laugh)
>> Deven McGraw:
All right, Dr. Overhage. Go ahead.
>> Mark Overhage:
I want to make sure I understood correctly, given that introduction. What I think I was I’m going to comment on is about the role of public health and engagement of public health in HIE, right?
>> Deven McGraw:
Yes. No, that’s exactly right, and what Indiana is either doing now the Indiana HIE with respect to public health or what’s sort of envisioned for the future if it’s not something
>> Mark Overhage:
Right, and that’s what I’ve prepared for. I just wanted to make sure I was (laugh) get the right thing.
First of all, as we think about public health, one of the things that I learned early on is, public health is wears multiple hats, and so I think it helps a lot in discussions to separate those hats. And one hat is what we traditionally think of in terms of sort of population health surveillance and interventions, right? Identifying bad water, identifying and intervening in disease outbreaks those kinds of things. But they also have a very significant, varies-by-market health care provider role. So, for example, they run large laboratories that deliver results to physicians. It’s very common for in urban areas for county health departments to do the vast majority of sexually transmitted disease-screening laboratory tests things like that. They capture and manage immunization data that clinicians use in taking care of patients. They themselves deliver care, whether that’s in clinics of various kinds, monitoring therapy things of that nature.
So I we find it helpful to think about those separate kinds of hats that public health wears. And on the health care provider hat, there’s a variety of them where they’re just like other health care providers. They need integrated patient data as they take care of them in a public health clinic, for example. They need they can make data available from their laboratory, much like a hospital laboratory or a commercial laboratory would, including results delivery, although there’s some interesting examples there, one good one being and this is something that’s not deployed, but it’s like one of those “any day” deployments is newborn screening. In our State, all the newborn screening is done by a centralized laboratory contacted contracted by the public health department, and that one of the laboratories’ obligations is to deliver the newborn screening results to the physician.
One of their big challenges is they don’t always know who to deliver it to, because the pediatrician who’s going to be caring for the patient after they leave the hospital isn’t always identified at the time the newborn screen is drawn. In fact, it’s fairly common that they’re not identified. And what we’ve been able to show are significant gaps in that. We’ve been able to document a number of cases, and some of them very tragic. For example, last year this is just in the last 12 months a child’s whose newborn screen showed that they were thyroid hypothyroid deficient and that wasn’t picked up till 4 months later. And so the child was permanently impaired as a result of that. Nobody did anything bad, nobody did anything evil, but the process fails.
So what is going into place now is, as those newborn screening results are generated, we link that up with patient care happening in the environment say, a physician office visit and then we can link the patient with a provider and actually make sure that that information gets to the provider who’s caring for the patient in a timely fashion. So there’s, in that role, you know, a variety of things. I’m going to spend more of the time and they can contribute like from immunization registries or from programs like WIC Women, Infants, and Children, where lab screening and where hemoglobin measurements are done as part of the program and making sure that data’s available to the ambulatory care provider who’s caring for that patient.
Looking at the other hat, sort of the population health surveillance hat, I’m going to describe a couple of examples. The first is electronic laboratory surveillance and reporting. Essentially, what we do is, through the health information exchange, all the lab it’s not all; it’s never all, but the vast majority well over 98 percent of the laboratory test results flow through the exchange. So we’re able to monitor those results looking for evidence of reportable conditions: hepatitis, sexually transmitted diseases, or things like methicillin-resistant Staph aureus or MRSA. And so, by doing the surveillance in a centralized fashion, we’re able to dramatically improve the rate at which reporting goes to public health as a result of this.
So, you know, in a recent study that we published in the American Journal of Public Health, we demonstrated the and I can’t remember the exact I think it was it’s either five- or 12-fold; I can’t remember increase in reporting of in the completeness of reporting for these conditions to public health as the result of being able to electronically and deliver these cases. Laboratories and physicians, while they’re committed to making that information available to public health, just have a hard time making it work reliably, reproducibly. And importantly, that information got to the health department much, much quicker. So in the case of something as a transmissible disease in particular, the opportunities to intervene earlier in an outbreak are very important.
And just to highlight that as an example, in 2000, before we were delivering this information to public health in a routine basis, before they were completely integrated into the flows, we had an outbreak of a disease called Shigella, a bacteria that causes diarrhea and nausea in a lot of young kids and the elderly can be a real problem because of dehydration. It we noticed on January 4 of 2000 an excess number four cases of Shigella, which was very unusual. This outbreak went on and, by the end of it, had involved well over 700 children and cost the community tens of millions of dollars in lost work time, daycare revenues that were lost because daycare centers had to be closed, and so on. And so we always wondered what would happen if we could’ve intervened earlier.
But today, for example there’s a great example from last December: There were five exactly five patients more than usual who showed up in the emergency departments with gastrointestinal complaints in central Indiana, in this case. The State health department who monitors these flows identified that contacted the local health department, who investigated. And by the close of business the next day, they had talked to the patients, identified a common source thought to be donuts, interestingly identified food handling practices at the store where they had bought the donuts, and had addressed those within 24 hours of the event, which I find just a remarkable level of sophistication and intervention of our health departments.
Another example of taking advantage of those flows is obviously, there’s a lot of concern about MRSA, methicillin-resistant Staph aureus, and especially the role potential role of community-acquired as well as hospital-acquired infection. In Indianapolis, over the last couple years, we’ve leveraged the health information exchange to identify when a patient is admitted. And this was a study and effort focused at the inpatient world. We were able to identify when patients with MRSA previously diagnosed were admitted to facilities notified the infection control practitioner at that facility. Patients were isolated appropriately much earlier in their hospital course, and we were able to introduce interventions that were resulted in a 60 percent reduction in hospital-acquired MRSA in the hospitals where we were doing this work so some, you know, just phenomenal examples of what you can accomplish with electronic laboratory reporting, syndromic surveillance, and delivery of information.
A similar vein I’ll wrap up here in just a minute or so. A similar vein and this was a study from 2002 I think it was where Indianapolis had the honor of being the syphilis capital of the United States that year. The per capita case rate was much higher than anywhere else in the country, despite very intensive public health interventions: billboards, radio spots, free condoms you know, all the usual things the public health might do to try to reduce transmission of a disease like that. One of the things that they tried very hard to do was to improve screening in the emergency departments. Many of the patients who had the disease would show up for care for a variety of reasons in the city’s emergency departments, and yet they had trouble getting them appropriately screened. We were able to implement reminders to the physicians and the emergency departments to screen patients who were at high risk because of their clinical history and perhaps the geographic area where they lived, which might correlate with sociodemographic characteristics of the individuals who were being infected, and intervene to increase the screen rates dramatically in the emergency departments where this was implemented.
So the I mean, those are kind of some quick highlights of the kind of interventions that you’re able to do when you have very strong flows of clinical information. And the next sort of horizon, really, for us is spending more energy and this is being supported in part by a CDC contract in integrating this information tightly into what happens within the health departments. Many health departments continue to focus at work in a siloed fashion because of their funding and traditions, but creating more flows and processes that allow them to take better advantage of this information and also to feed information back to clinicians in a timely, more effective fashion sort of the health alert network-type functions.
So I talked really fast and went through a bunch of examples. And I’ll shut up and see what questions you might have.
>> Deven McGraw:
Okay. Thank you very much. It’s really helpful. I’m going to actually go this is Deven McGraw, one of the Chairs. I’m going to go ahead and ask a question to directly to Dr. Overhage but invite Dr. Sundwall to address it, too.
>> Mark Overhage:
And please call me Mark.
>> Deven McGraw:
Okay, Mark. (Laugh)
>> Mark Overhage:
I appreciate it, but... (laugh)
>> Deven McGraw:
You know, you just gave us a couple of really good examples of the way that the HIE was used for public health purposes, and you mentioned that the Department of Health monitors the lab results that are going through the HIE to, you know, sort of pinpoint the sort of over-the-average rates of certain types of infections or lab results. Can you describe a little bit more how that works
>> Mark Overhage:
Sure.
>> Deven McGraw:
from an operating perspective?
>> Mark Overhage:
The way that our health information exchange works is, data flows from data sources like laboratory systems and hospitals, private labs, national labs flows mostly in real time in other words, as a result of generated and is normalized and stored in a separate file separate database or vault on behalf of those organizations. The beauty of that approach is that we can see those results as they’re being generated. So in other words, as soon as that laboratory test is done, we normalize it. We now know it’s an RPR, a test for syphilis; or we now know it’s a hepatitis B surface antigen or IGM or something like that. Then we can apply logic to that and when I say “we,” I mean the health information exchange. So the various participants hospitals, laboratories, and so on essentially, it’s kind of a Chinese menu approach. They can say, “Yes, I want you to screen and report to public health, on my behalf, our laboratory tests,” “Yes, I want you to do syndromic surveillance on our emergency department visits,” “Yes, I want you to do syndromic surveillance on our ambulatory visits,” or whatever. The things that they might want to have happen to their data happen.
So with that institution’s direction, those laboratory tests are screened as they are generated by logic and algorithms that the health information exchange runs, and then they are delivered in standardized format HL7 messages with LOINC codes and so on to the health department the State health department, in this example, because that’s the legally designated recipient for reportable lab tests, for example. And so they’re delivered to them in batches every 3 hours, because that’s how they wanted to do it, through a secure file transfer. And then they manage the results from there.
>> Alison Rein:
This is Alison. Do those results also go back to the providing entity with some sort of report as to how they compare relative to others participating in the exchange?
>> Mark Overhage:
We have offered to that, and no one has been interested. (Laugh) Now, you know, the contrast is, though, with the MRSA work, where they are very interested in doing that. So, you know, I think that’s an example of where I to some extent, I think the hospital, for example, feel like they own the problem of MRSA. The fact that patients are getting laboratory patients who the hospital has necessarily no connection with they saw some physician and the result you know, the lab went to the hospital laboratory. The laboratory has an obligation to report, but, you know, the hospital doesn’t feel much ownership to that patient. I’m just speculating there.
>> Alison Rein:
Right.
>> Mark Overhage:
It’s not really their care, their people. It’s just they’re running labs for people, and...
>> John Loonsk:
Mark, this is John Loonsk. Just an organizational question: You and I wanted to sort of clarify this for the Group: Is the repository you were talking about, upon which the algorithms are run is that the provider organization’s repository? Or organizationally, is that the HIE’s?
>> Mark Overhage:
The model that we have is that the data is and belongs to the organization, and that is contractually how it is. We host that data for them, much like Cerner or Siemens might host the hospital’s HIS system at the Kansas City data center or at the Melbourne, PA, data center. So it is their data under their control, and everything that’s done is done under their direction. It just happens to be hosted in a common location.
>> David Sundwall:
This is David Sundwall. Let me just tell you how we do it: We do not, in any way, have a repository. UHIN is nothing more than a mailbox or a conduit through which that information is exchanged. It stays at the hospital or the doctor’s office or the laboratory. But we facilitate that exchange through this pipeline or electronic highway. But this was very key to our legislature, because they were loath to consider paying money f State money for some kind of a centralized repository for health information that might be subject to who knows what in the way of privacy or legal concerns. So we don’t have a repository.
>> Mark Overhage:
And beyond that I think I have this right about UHIN is that you are a post office, and you do not open the envelopes. So while we do this we don’t need a repository to do the public health functions, because it’s really on the flows of data. If I believe I have this right: In UHIN, you don’t open the envelope to see what’s inside of it, in terms of the data that’s being sent.
>> David Sundwall:
No, but of course, with our NEDS or our epidemiology surveillance system, that, of course, is available for analysis and categorization and what have you. But anyhow, you’re right: We don’t for the administrative we never looked at the administrative data, and it’s it’ll be our responsibility as a health department to analyze the public health data we get.
>> Mark Overhage:
The other thing I’d like to comment on regarding that is that we actually have no State funding whatsoever for this.
>> Deven McGraw:
None.
>> Mark Overhage:
No, none.
>> Deven McGraw:
Okay.
>> Mark Overhage:
The public health department helped fund some interface building for hospitals when they were implementing the syndromic surveillance system. And of course, we’ve been participating with Dr. Loonsk and his office and others in the some of the nationwide demonstrate that the State does not fund this at all.
>> Deven McGraw:
So what’s the funding model?
>> Mark Overhage:
It is a as I described, it’s a lot of people. It’s a patchwork quilt. We deliver through the a variety of services on top of this infrastructure, including things like results delivery for the labs. We take that result, and we deliver it to the physician, much like UHIN describes. And there’s a fee to the sending source for that. It’s, you know, $0.17 a result whatever it is. There’s a sliding scale based on volume. Or we do quality improvement driven off of this. Or we do, you know, things like that, including public health. And we view the public health work as something that is a marginal cost and a tremendous benefit to the community, and not something that we think public health should necessarily fund. I mean, it’s great if they can contribute, but it’s not you know, not critical.
>> Deven McGraw:
Right.
>> Mark Overhage:
Jill?
>> Jill Callahan Dennis:
Hi, this is Jill Dennis. I have a question, actually, for both of you, in terms of how you’re handling the patient authorization end of it. And I thought I heard Dr. Sundwall say that you’re doing that two-way exchange with patient approval. I’m wondering how that works and to what extent your State mandatory reporting statutes cover that. And really, same question for Mark: You know, is that covered under your mandatory reporting statutes, or do you do something above and beyond that?
>> David Sundwall:
We’re in the process you know, this is a new authority we have to do the clinical health information exchange. So we are in the process of developing that consent form for patient exchange. I must clarify, however: That doesn’t apply to we don’t need patient consent to do reporting of reportable disease data.
>> Deven McGraw:
Right.
>> David Sundwall:
That we will will happen as it has, and we just hope it’ll be easier by being embedded in the with this as part of the exchange here. But as far as exchange of clinical I mean patient-specific lab or hospital discharge summary or what have you, that, I think, will be subject to this new form that’s being developed.
>> Mark Overhage:
And similarly, in our State, laboratory reporting for reportable diseases is mandated in identifiable form by State law. And so that’s pretty straightforward. For syndromic surveillance, the information is deidentified before being aggregated for syndromic surveillance.
>> David Sundwall:
That’s right.
>> Deven McGraw:
Okay. Thank you.
>> John Loonsk:
Yeah, Mark, it’s John again. Do you mean “HIPAA-deidentified” or the removal of direct identifiers?
>> Mark Overhage:
Thank you, John, for clarifying that. It is removal of direct identifiers. Obviously, for public health purposes, there’s a lot of HIPAA identifiers that would be needed, although we have developed an approach that allows us to handle a variety of those things, like geographic deidentification, while still being able to do cluster recognition and things like that. So we keep picking away at getting fewer and fewer of those identifiers carrying forward.
>> John Loonsk:
Thank you.
>> Kirk Nahra:
Are there other questions for our presenters?
>> Alison Rein:
I this is Alison. I sort of have a question about you know, if each of you could hypothesize, thinking about, you know, “what’s next” type of opportunities so say, for example, with diabetes or asthma, being able to take clinical information from a health information exchange and identifying, you know, particular regions in a city that have really bad pollution issues that triggers asthma, etc., etc. I mean, are you thinking along those lines? Or are you sort of up to capacity with the status quo? Or are you already doing those types of activities?
>> David Sundwall:
Well, what you’re talking about is really kind of chronic disease management, which has been a focus of real interest at the CDC and continues to be something we’re trying to figure out how to do better. But those are obviously really, really important health matters. To the extent we can do kind of population health surveillance and focus on the areas where there’s a higher prevalence of those things, we’ll all be better off. But I quite honestly, we’re up to our ears in implementation of this new clinical record exchange. And then, I think, those kind of opportunities will lend them will present themselves, once we get it up and running.
>> Alison Rein:
Yeah. I mean, I just sorry, just a quick follow-up: I wonder if the very nature of those underlying data at all have any impact on how you might have to do things differently or exactly the same, depending on that purpose.
>> David Sundwall:
I’m not sure I get the point.
>> Alison Rein:
Well, for, you know, identification of, you know, outbreaks, you might have a different set of data and data flows, etc. than you would for chronic disease management data.
>> David Sundwall:
Exactly. You know, I think that our primary I mean, quite honestly, our initial responsibility is to protect the public, so our traditional disease surveillance will remain high priority. As we do a clinical exchange, we hope to embed health data in that, but that won’t replace, in any way, our disease monitoring.
>> Mark Overhage:
In Indiana, I guess, a couple thoughts to your you know, one is that one of the current activities, which is actually pretty exciting, is, one of our forward-looking mayors, Steve Goldsmith, a number of years ago, started building a fairly sophisticated geographic information base for the community, so power line routes, well fields all those sorts of things. So one of the things we’re about now is linking those intimately into the health information exchange in a way that you can anonymously query the exchange and have sort of proxy variables, if you will, so you can sort of ask questions like, “And so, how far did this patient live from a power line high-tension power line between the ages of 6 and 8 years old?” You can also infer information like family income, based on census block, by linking them geographically. So there’s some pretty exciting things we’re doing there, and really facilitated by the forward-looking folks many years ago that started accumulating this data in a usable format.
And then is, in the other chronic disease management realm, we have a fairly large effort, focused initially on primary care physicians, where we’re running 28 distinct quality measures across the large market area and looking at, as you suggest, a variety of issues in this case, oftentimes more things like access barriers and insurance design barriers to health care screening tests, for example and are pretty excited about the possibility that that offers.
>> David Sundwall:
This is David. I’ve got to excuse myself to get on another call with the NGA, but thank you for including me, and I hope you’ll keep me in the loop.
>> Deven McGraw:
Oh, absolutely, and thank you so much for your time. We know you’re really busy.
>> David Sundwall:
Thanks very much.
>> Deven McGraw:
Anybody have any further questions for Mark? (Pause) Okay, Mark, many thanks to you, too. Seems like we’re calling on you a lot these days (laugh). And we greatly appreciate your making the time.
>> Mark Overhage:
Well, I always learn a lot from the questions and discussion and to learn what our colleagues in Utah are doing in more detail. So thank you very much for the opportunity.
>> Deven McGraw:
Okay.
>> Kirk Nahra:
All right, great. Thank you (inaudible). Why don’t we take a break till I have 3:03. Let’s take a break till 3:15, and we will reconvene at that point.
(Break)
>> Deven McGraw:
Operator, this is Deven McGraw. I’m sure we’d like to resume.
>> Alison Gary:
Okay.
>> Deven McGraw:
Great. You ready? (pause) Are we back on?
>> Alison Gary:
We are.
>> Deven McGraw:
Okay, great. Thank you very much. Okay, back to... maybe where we left off, although we lost John, so he’ll have to...
>> Kirk Nahra:
Why don’t we see if we have any comments?
>> Deven McGraw:
Does anybody have any comments that they want to raise on the presentations first? (Pause, inaudible) Yeah, yeah, go ahead.
>> Kirk Nahra:
Let me just mention, you know, one thing I was thinking about as I was listening to the discussions were, there were a variety of functions that were described which, to me, don’t raise new biosurveillance security issues. Let me just go down the I guess what I thought was four main topic areas. One is, they talk about things like licensing you know, provider licensing issues and things like that you know, not PHI, not patient information at all didn’t, in my mind, raise any issues. There were situations where the public health agency was essentially using the network to disseminate information as a communications channel as a better communications channel again, didn’t seem to be privacy and security issues: There were vehicles this seemed to be a really important part of what they were talking about. It was a the network was a better vehicle for providers to communicate, with the public health agencies, information that they are supposed to and do communicate today. It was just better and faster.
And fourth, there were a variety of situations where the public health agencies were health care providers. They were providing different treatment services to particular patients. And I listened to that series of things and say those four categories, which again, I don’t wasn’t 100 percent of what they were describing, but it was a large amount of what they were describing are things that I don’t view as being any different. It became the network was made it easier and made it maybe more efficient, but really didn’t raise a variety of new kinds of issues. And where I was going with that was, I could see I don’t know if it’s a factor or in some vehicle-based you know, we spent a lot of time talking about whether public health agencies should have access to the networks. I could see basically saying that for those kinds of functions don’t really see the need for any new privacy and security rules. If, however, the public health agencies are going to be given access to reach into the network for other purposes of their own making, we would then need to have a or we need to flag that as an issue that would need additional discussion at that time, rather than spending our time trying to figure out what it is they might want to do, speculate, deal with things that again, these guys really weren’t talking about doing much just flag what’s not new and r identify what could be new, but leave it as an issue for development if we get to a point where that new opportunity develops.
>> :
I did hear one thing that I think might be different, and but I agree 99 percent with what you just said. And it was, to the extent that there it depends on how their mandatory reporting statutes are written. (Inaudible) how they’re written is, when there’s a lab result that triggers a certain duty to report, that report becomes available, as opposed to the approach that I think I heard, where they’re actually mining 100 percent of the reports to identify those that might trigger the responsibility. Do you see this the difference that I’m pointing out? And it may not be problematic, depending on how the mandatory reporting statute is written, but it is a little bit of a different collection method, a broader collection method than is typical today. So I think that is that could be one difference in that scenario, in how they’re handling the ability to mine the reports for those kinds of results.
>> Alison Rein:
Yes. This is Alison. I guess that example, combined with the fact that, in my mind, a lot of the utility is of these exercises is yet to be explored, which was sort of the reason I asked my question about chronic disease management, etc. And I’m you know, I’m a huge proponent of this, so I’m not trying to sort of say we should, you know, hold this up or stifle their ability to move forward with this, but I would almost rather have our recommendation be more general in the sense that we say, you know, more you know, something to the effect of “More is needed to explore all the ways in which these entities would engage in a health information exchange, but it’s the belief of this group that that’s a worthwhile endeavor” something like that.
>> Deven McGraw:
Yeah. I mean, I think that’s what Kirk was getting at.
>> Alison Rein:
Right, but I just don’t but I don’t want to say, “The stuff they do now is okay, and we’ll only talk about the stuff they do later... later on.” I mean, I guess I’m just not ready to say that, because I agree that the stuff they do now is okay and they have license to do it, but to me, it sets up an artificial distinction between the utility of what they do now and the utility of what they could do in the future. Does that make sense?
>> Kirk Nahra:
Well, what I said, Alison, was not a statement that everything they do now is fine. It’s “Here were four things they do now which all seem to be okay” those things.
>> Alison Rein:
Right, and I guess I just don’t want to stop (laugh) I don’t want to stop there by disaggregating the things they do now versus the things they could do in the future. I’d rather have a bigger picture recommendation. Maybe I misunderstood what you said.
>> Kirk Nahra:
Let me try to say it again, because I don’t...
>> Alison Rein:
I think I understood. You’re saying that what they do now didn’t raise any red flags, and it seems very akin to what they’re allowed to do now in a different setting. And that’s fine, and I agree with that. But I don’t necessarily want to make that language part of the recommendation, because I don’t like the notion of teasing out this “now versus then” issue. I don’t know if I’m expressing that well at all, but I’d rather be general.
>> Kirk Nahra:
Well, do other people have I mean, again, I don’t mean for this discu it was just a reaction to that last session. Do other people have reactions?
>> John Houston:
This is John Houston.
>> Deven McGraw:
John.
>> John Houston:
Hey. I guess, sort of towards what’s been said I didn’t find anything really insightful here. I mean, I guess what I heard was a lot of what I know public health is doing, and I agree that this is seems to be more of a just a more convenient vehicle in which to do things that they’re already entitled to do. I know, where I’m from I mean, a lot of these types of things just is just sound like rather than the hospital having to make a report, this would make it a better way for a the public health authorities to be able to perform their duties without having to wait for hospitals to you know, to respond or to provide reports.
>> :
I think the only thing that I am feeling strongly about on this is what Jill’s already spoken to, and that is that they have the whole of the data to mine from, rather than the data that would currently just be reported.
>> Deven McGraw:
Well, and that’s they raised a couple of examples in that regard. One is the application of sort of automatic algorithms that are looking for specific test results, for which my understanding was they already have they’re all reportable, so instead of waiting for the member institutions to send their report, they have something within the so you know, within the network itself that pulls that out and sends it along to them per the reporting statutes. Then there was the syndromic surveillance piece, where they don’t you know, again, all the reportable stuff had “PHI” in it, and that’s consistent with State law. On the syndromic surveillance side, there it’s deidentified data, and John fleshed out, not deidentified by the HIPAA deidentification definition, but without patient identifiers, but not stripped down all the way, to the extent that the HIPAA rules require it to be in order for it to be deidentified. And they have a sort of greater database to go through than they would if they had to ask they had to go institution by institution.
So, is that am I mischaracterizing the two different or did I miss an example that got raised? And so...
>> Jill Callahan Dennis:
No, I don’t think so. And don’t misunderstand. It’s not that I think that’s a bad thing. I think that’s a good thing. I think that’s one of the values of health information exchange. But it is, I think, a different method than...
>> Deven McGraw:
Right. Different than today.
>> Jill Callahan Dennis:
Yeah.
>> :
Not one that I would encourage that we squelch necessarily. It’s just that they different.
>> Deven McGraw:
Okay, pointing out the differences, saying that it concerns you in some way. Okay.
Anybody else? (Pause) All right, well, I think let’s use the remainder of the time that we have for the meeting here to try to we spent a fair amount of time talking about some issues under Factors 1 and Factor 3. I’d like to spend some time talking about Factor 2, if we could, and then, of course, any other factors if we can get to them. Again, we’re going to be turning this into a recommendations letter, and we want to, you know, gather some input on what we already started to draft, in the hopes that the next iteration, which will ideally look more like a letter or start to be shaping itself into that, starts to look more and more like something that will get the consensus of the group. And also hearing from you know, don’t be afraid to speak up if you like what’s on here (laugh), not that we need any praise or anything, but it does help in terms of our own assessment for going to the next step, which is continuing to draft this to sort of get a sense from Group members about where they are on these factors, beyond sort of the concerns that you see that you want to raise.
So reminding that Factor 2 starts off with, again, a pretty broad statement that confidentiality, privacy, and security protection should be established to prevent access for unauthorized purposes access to a network for unauthorized purposes, and to limit the purposes that a network can use information itself. And then we’ve drafted a number of issues to highlight here, acknowledging that networks can rapidly connect to previously segregated information that creates a new target for hackers and increased concerns regarding large-scale breaches. And this may be more applicable to models that are data repositories more than others that are open to some discussion, if you’d like.
To what extent does an expanded use of a network create additional challenges for keeping data deidentified? If you have HIPAA applying to these networks and they can then use this information that the network has access to for treatment payment and their own health care operations, in that scope of uses, (inaudible) broad or these networks themselves versus their participants.
And then we had given an HIE has the potential to benefit a number of activities, such as research and quality reporting. Careful consideration should be given to the rules that may be appropriate for uses of the network by the organization or partnership that governs it. And we’ll go a little bit into the research rules, and noting that you know, again, if our recommendation were to be accepted, that these entities and their participants are covered by HIPAA, then the HIPAA research rules would apply, and potentially also the common rules, depending on how their particular research was funded.
And I know I’m responsible for the bolding of “health care operations” (laugh) in that sentence, because I confess, personally, I’m a little concerned about allowing these networks to access information for you know, for their own health care operations. You know, I’m but I’m also confessing that I haven’t thought it through enough to know what I would do about that. I think part of it is because these entities are quite new, and what kinds of health care operations are they going to have that they’re going to need to access PHI?
>> David McDaniel:
And the participants in them may not want to encourage that anyway, because how do you keep organizations within a network from competing with one another using each other’s information at that point?
>> Kirk Nahra:
Well, your but your point, Deven, is the network itself, not the (inaudible).
>> Deven McGraw:
Well, that’s right, although there have been moments when I’ve been thinking about this that, you know, for a covered entities’ own health care operations hospital, physician’s office to what extent do they need to access network data versus the data that they would have within their own facility?
>> Kirk Nahra:
Well, that’s right, but that’s
>> Deven McGraw:
But they could
>> Kirk Nahra:
That’s the access discussion we were having earlier.
>> Deven McGraw:
That’s right. Right. I mean, again, it’s kind of it is linked together.
>> Kirk Nahra:
But I mean, that’s but I think there’s a very those are two very different points. I mean, the and it obviously will depend, to some extent, on the nature of the network. The network may not have anything that it can you know, may not have any data to use for health care operations in certain models. So we don’t you know, if they don’t have any data, we don’t care about that rule, because it’s not a you know, it’s not an issue. We don’t have any data either. If it were a repository for example, one of the models that repository, if it were following HIPAA rules but then used and disclosed information for I mean, it wouldn’t have treatment purposes, because it doesn’t do treatment. It probably doesn’t have payment purposes, but it’s not getting paid for the health care services, or certainly, in many situations, might not have payment purposes. It would have health care operations purposes. So that’s a legitimate question. We need to address that, you know, full stop. We need to address that question, or self that is a question that needs to be addressed.
>> David McDaniel:
And there may be some instances in that where they if you’re going to say they’re a covered entity, some operations they may have to have information, and be able to use it, that they’ve drawn from the network, like providing security backup and testing those backups that have to be able to access that information to do backups. Now you’re telling them they’re a covered entity and have to follow the security rule, they have to test their backups, but yet you’re not giving them the ability to actually use the information that might have come from other (inaudible).
>> Kirk Nahra:
And that’s a good example of a direction that, I guess, I would suggest we not go down, which is not to take I mean, essentially, the way you’d have to do that is, you’d have to take every health care operations purpose and every public disclosure purpose and every provision of the security rule and say, “Let’s have a discussion about whether that one’s in or that one’s out.” I think that’s a bottomless pit that I would just as soon not go down, so...
>> Alison Rein:
Right. This sounds like a great area to make a recommendation that somebody else do that.
>> Deven McGraw:
I’m sorry, Alison. What did you say?
>> Alison Rein:
This sounds like a great opportunity to make a recommendation that somebody else do that.
>> Kirk Nahra:
Oh, that’s what I was (inaudible):
>> David McDaniel:
Throw them in the bottomless pit. (laugh)
>> Alison Rein:
Or to do some of this exploration of the different structures of a health information exchange and the extent to which they should or should not be able to use the data that they do or don’t capture for health care operations. I mean, I think that’s a very legitimate question. So I would I mean, and it’s something we have bumped up against before in different discussions, because health care operations, while it has a definition, may have evolved since that definition. And as new actors come into this space, it may have evolved. So I don’t I mean, I’ve expressed before: I don’t really even know the full spectrum of health care operations at this point. So I don’t know. I don’t know if the Group is comfortable with that sort of recommendation, but if we’re if, at the outset, we said that this letter was to be a recommendation for some future work, this seems like a pretty good candidate.
>> Deven McGraw:
Yeah. I think where Kirk was headed was to make two distinctions. One is the health care operations of the network itself, and then the extent to which the covered entity participants in the network can access information via the network for their own health care operations.
>> Alison Rein:
Sure. And that could be covered within the same recommendation or be two different ones.
>> Deven McGraw:
Right. (Pause) All right. Did anybody else have any thoughts they wanted to add on to Factor 2 here? (Pause) Okay. I think we already had a fair amount of discussion on Factor 3. Factor 4 is the types in determining the types of choices consumers should be able to make with respect to the exchange of their health information through a network. Steps should be taken to incorporate the rights of consumers with the legitimate needs that providers and other entities have to access, use, and disclose health information. And then, as an issue highlight, there is an appropriate role of for consent, but a framework that places the burden on consumers to protect their in health information and therefore absolves others of that responsibility as well is not the right approach. So...
>> Alison Rein:
I agree with that, but I just want to make sure that we’re not suggesting that providers and health information exchanges, for that matter, have some sort of obligation to second-guess a properly executed authorization form.
>> Deven McGraw:
That’s certainly not the intent.
>> Alison Rein:
Okay.
>> Deven McGraw:
Okay. (Laugh)
>> John Houston:
This is John Houston. I know we’re not wordsmithing, but I find the interest the use of the word “incorporate” versus a word like “balance” I’m wondering why we decide that word was chosen. And was there an actual a reason why that word was chosen over something like “balance”?
>> Deven McGraw:
You are so right, John. It was chosen instead of “balance,” but I’m (laugh) not sure it’s the exact right word that it was actually specific to my request. From the consumer standpoint, I don’t I understand that, you know, sort of absolute privacy on one end is impossible, because we do still need to have this information move. On the other hand, I don’t like the word “balance,” because it too often ends up where you have a scale where the benefits versus risks get weighed, and the consumer piece of it doesn’t get appropriately incorporated or addressed. It’s my preference that we not use the word balance, because that tends to suggest that consumers have to give something up. And it’s my view that you can put the right p appropriate privacy and security protections in place that acknowledge the consumers’ needs for privacy but also allow the information to be used
>> John Houston:
And should we say something like, you know, “Steps should be taken to incorporate rights of consumers when determining what the legitimate needs of providers and other entities have with regards to access, use, and disclosure of health information”? And I know that’s maybe wordsmithing, but I just
>> Deven McGraw:
Wordsmithing is fine, John. That sounds good to me. And probably, the word “with” was in there because the word “balance” used to be in there, and so I argued for it to be taken out, so... anybody else have any thoughts on that point? (Pause)
And the you know, the issue in particular about the you know, making a specific comment that a framework that places the burden on consumers to protect their information and thereby absolves others is not the right approach is another one that I know I deliberately added, in part because I do think that the debate about privacy and security too often gets focused on just as a matter of consent or non-consent. And as I think we all real if we didn’t know it already, we certainly realized it in our attempts to even address the issue of choice that you have to know what you’re consenting to in the first place for that to even be one bit meaningful.
So you know, I think that as we get to the drafting stage, we’ll probably have to put some more frames around this particular factor. There’s some you know, definitely some more rhetoric and explanation that is due, but I wanted to make sure that we at least highlighted that.
>> Alison Rein:
This is Alison. I actually have a question for Factors 4, 5, and 6. I mean, it sounds like the structure for the document could conceivably be that you, you know, name the factor; you have some elaboration as to why it’s important; and then there’s a specific recommendation as to how, potentially, at least part of it could be addressed through future work. So do you plan on I mean, should we be trying to identify those discrete examples of future work for all of these? Or is it okay to just have those for some?
>> Deven McGraw:
I think if there are some that occur to you for the others I mean, we didn’t leave Factors 5 and 6 deliberately naked. It’s just that it didn’t occur to any of us who were in the early drafting stages of these, but that’s one of the reasons why we hope that all of will you give it more thought, partly because, I know for me, Factors 5 and 6 were so broadly stated
>> Kirk Nahra:
We got tired. (Laugh)
>> Deven McGraw:
I don’t think we ran out of gas. To me, they were so broadly stated that some of the issues that I would have raised under 5 and 6, I had already raised in either 1 or 2 or perhaps even 3. So but I can’t say that that would be true for everyone, of course, so...
>> Alison Rein:
Well, it begs the question, then: Do we need to leave them in as factors, or do we fold them into some sort of general language that’s either a preamble or part of these other discussions?
>> Deven McGraw:
I mean, my gut reaction is that they’re not I mean, they were listed as factors because we thought, at least at the drafting stage, that they were as important as the ones that had come before. But having said that, I suspect that as we continue to massage this and draft on that that there will be some wordsmithing that will need to be done, and we may change our minds as the letter gets more fully fleshed out. But that would you know, just because they don’t have issues underneath them didn’t make them didn’t at least, it didn’t occur us to that they were any less important as the other ones.
>> Steve Posnack:
And this is Steve. Maybe the I think the complexity point in Factor 5 is probably what we’re trying to articulate the most, and that may be something that’s threaded throughout the whole, you know, document, if you want to do something like that. It’s a matter of how we want to apply it we want to break it out more yet to be determined.
>> Deven McGraw:
Yeah (laugh), but that doesn’t I mean, Alison, if you want to suggest some issues, all the members should really send us suggestions of issues that we missed. If you want to add a particular factor, it would really be helpful. Otherwise, you’re going to what you’re going to get back is what Steve, Jodi, and Kirk and I can think about in the next iteration, based on the discussions we’ve had today and the presentations we heard. Okay.
>> Kirk Nahra:
Want to just take that all back and (inaudible)?
>> Deven McGraw:
Yeah, I think so I think yeah, the ball is in our court to get you all (inaudible, pause).
>> Steve Posnack:
So I’m trying to ask Deven and Kirk a question and
>> Deven McGraw:
Talking in code. (Laugh)
>> Steve Posnack:
We so we had discussed and this is more for the particular issues underneath the factor. If there’s a specific issue, what we wanted to tee up in conversation here, as not to go down a path for, you know, 45 minutes and get off topic, was to identify the particular issue that you wanted to highlight under a factor and say and take a little bit of an algorithmic approach and say, “Is there a HIPAA corollary? Is there a HIPAA answer to this question to this issue?” and then, you know, tease that out a little bit. We can write that up and get those analogies out there, and then also perform an examination as to if there’s also something new that this issue creates, too, that we should articulate as well underneath that factor. So there are two steps that we want to take also, as we started to flesh this report out.
>> Deven McGraw:
Yeah, but that’s I mean, we have sort of started to do that in some of these areas. I think that’s really partly what we do as drafters.
>> Kirk Nahra:
Yeah. We need to just go we need to take what’s been discussed today and just work on the next go-around (laugh). Judy, I know we’re supposed to give a heads-up about doing the public comment. Why don’t we do that so we can do that in a few minutes?
>> Judy Sparrow:
Okay. All right. Alison, you there?
>> Alison Gary:
Yes, I am.
>> Judy Sparrow:
Why don’t we see if anybody in the public wants to comment?
>> Alison Gary:
Sure. Okay. We have a slide on the screen that tells you how to comment or ask a question, for all those that are online. If you’re ready on the phone, just press star-1 on your phone now to comment. Any wrap-up comments while we’re waiting?
>> Kirk Nahra:
Let’s talk quickly about our next meetings. Next one is scheduled for what, May...
>> Judy Sparrow:
May 27.
>> Kirk Nahra:
May 27. (Multiple speakers, laugh)
>> Deven McGraw:
You know, I think it’s a step like I said, the ball’s in our court, Kirk and Steve and Jodi. We should pick Jodi, right, because she’s not here. We’re about to volunteer
>> Judy Sparrow:
(Inaudible) Jodi’s on the telephone. (Laugh) Jodi’s on the phone.
>> Deven McGraw:
Oh. (Inaudible) At any rate, it’s in our court to get a revised draft. And so it would be really helpful for folks to get us any additional written comment next week. It’s doesn’t it’s not necessarily your last opportunity to do so, but it would be great to get this draft, you know, even to get it even further along than it is today. The more comments we get at the early stage that we can incorporate, I think, the more rapidly this process will go. And to the extent that as we sort of go through the draft, we do identify some issues that we want to explore more fully by I don’t know that it’s taking testimony or making calls doing more research. We want to leave ourselves some time to be able to do that and then report back to the Group. So if I can prevail upon all of you to help us out, great. We’ll have a much better product as a result.
>> Alison Gary:
Judy, we don’t have any public comment.
>> Judy Sparrow:
Okay, thank you very much. Last words?
>> Deven McGraw:
Anybody else have anything to add? (Pause) Okay, great. Thanks, everyone.
>> Kirk Nahra:
All right, yeah, thanks. Take care, everybody.
>> :
Thank you.