American Health Information Community

Confidentiality, Privacy, and Security Workgroup Meeting #10

Thursday, May 17, 2007

Disclaimer

The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

>> Matt McCoy:

Go ahead, Judy.

>> Judy Sparrow:

Thank you, Matt, and good afternoon, everybody. Welcome to the 10th meeting of the Confidentiality, Privacy, and Security Workgroup. Just a reminder, we’re operating under the auspices of FACA, the meeting is being Webcast and there will be an opportunity at the end of the meeting for the public to make comments. If you would all please identify yourselves before you speak, those of you on the telephone, for the purposes of translation, and also speak clearly and distinctly. If you could introduce those on the telephone and then we'll introduce them here in the room.

>> Matt McCoy:

Just two members on the phone right now. Yakoub Mazen from TRICARE Management Activity Military Health System and Tom Wilder from America's Health Insurance Plans.

>> Judy Sparrow:

Okay, and in the room we have -- David

>> David McDaniel:

McDaniel. David McDaniel from the Department of Veterans Affairs, Veterans Health Administration.

>> Steven Posnack:

Steven Posnack, Office of the National Coordinator.

>> Paul Uhrig:

Paul Uhrig, SureScripts.

>> Kirk Nahra:

Kirk Nahra, Wiley Rein.

>> Yuriy Dzambasow:

Yuriy Dzambasow, consultant to ONC.

>> Jill Dennis:

Jill Dennis, AHIMA.

>> Sylvia Au:

Sylvia Au, Hawaii Department of Health.

>> Judy Sparrow:

Thank you, and also one other reminder, please remember to mute your phone lines if you’re not speaking. And with that, I’ll turn it over to Kirk Nahra:

>> Kirk Nahra:

Judy, let me ask you a question first of all, which is, do we have, under FACA, do we have any quorum issues? I mean, do we have to have a quorum?

>> Judy Sparrow:

I think we have a quorum, considering the people here.

>> Kirk Nahra:

Four, five -- I didn’t get -- there weren’t very many on the phone.

>> Judy Sparrow:

Eight, nine, ten. We have ten.

>>

That’s a quorum.

>> Steven Posnack:

Don is supposed to be here as well.

>> Kirk Nahra:

Could we go through? Do you have the attendance list? Let's go down the list.

>> Judy Sparrow:

Sure. Kirk Nahra. Steve --

>> Kirk Nahra:

Oh, Steve is in for Jodi?

>> Judy Sparrow:

-- for Jodi. Sylvia, Jill, Dave McDaniel, Paul Uhrig, Tom Wilder, and I missed one other person on the call.

>> Lorraine Doo:

Lorraine Doo.

>> Judy Sparrow:

Lorraine Doo. Is there anybody else on the call?

>> John Loonsk:

This is John Loonsk, I'm on the phone as well.

>> Judy Sparrow:

Okay. How many is that, Kirk?

>>

Here we go. Here's Don.

>> Judy Sparrow:

Here’s Don. So with that, we have a quorum.

>> Kirk Nahra:

Good afternoon, everybody. We have a lot to cover this afternoon with our group so I'm going to jump right in for the first item of business, which is to approve the prior meeting summaries.

>> Steven Posnack:

It’s only one.

>> Kirk Nahra:

It's just one. I was looking for the second one. We have the April 12th. Are there Workgroup members that had any questions or comments about any parts of the summary? I mean, this is a public document, right, Steve?

>> Steven Posnack:

Yes, as soon as you guys approve it.

>> Kirk Nahra:

I guess the only question we have, should we run it by the panelists and just make sure that they’ve got -- a lot of it is a summary of their --

>> Steven Posnack:

Sure, we can do that.

>> Kirk Nahra:

Why don't we do that just to make sure there is nothing we got wrong for them?

>> Steven Posnack:

Okay.

>> Kirk Nahra:

So if people have any questions or comments, if you could get those to Steve by the end of the week, then we'll be able to finalize this.

Why don't we turn it over to Steve quickly to give a summary of the April AHIC meeting for a few minutes?

>> Steven Posnack:

Sure. So the American Health Information Community met on April 24th. And I guess it's been a tradition of Jodi's to give a quick debrief of what happened at that meeting. I'll just touch on a few points that are relevant to this group.

The NHIN trial implementations are going to be underway shortly. It was announced that there will be funding available for 7 to 10 pilot projects or pilot implementation projects. I guess we expect that the contract will be available in the coming months and then there will be, we'll do some review and the awards will be made later this summer.

The next point on the agenda was that there was some discussion about an AHIC successor. We have some talking points about that and how that will impact our Workgroup and the other AHIC Workgroups. This is something that we see being operational, fully operational in 2009. So we will continue working and continue marching for the remainder of the time that the Secretary is in office, as long as the Secretary chairs the AHIC. So we won't see any change in our work going forward until the 2009 point. And after that, it hasn't been worked out. It's not exactly clear what Workgroups will remain as part of a Federal Advisory Committee for HHS and what will be in the public/private sphere.

And finally just a note for everybody that's been involved, if you didn't get an email about it, the detailed use cases, the next round of use cases have been ushered out, and they deal with consumer access to clinical information, quality, and medication management. So if you haven't gotten an email about those or you're not on one of the listservs that make them available, you can go to www.hhs.gov/healthit/usecases and the office is accepting comments on those by COB Friday, May 25th. And if you go to the next.

>> Kirk Nahra:

Hang on. So for this Workgroup, people are more than welcome to take a look at those. Certainly look at them if you want. There's nothing official for our Workgroup in connection with those use cases. We don't view them as particularly changing what we're going to do. I mean we had obviously when we got started back in August, the use cases were a focal point of our attention, but I think we also came to the conclusion pretty quickly that the issues that we were talking about sort of cut across the different use cases and were broader than some of the use cases. So it was very hard to tailor our work to those specific instances. I think that that continues to be, at least my reaction and I think of the staff. Again, people should feel free to spend whatever time they want to on reading those, but there's no obligation, there's no sort of official connection at this point between that activity and what we're going to be doing over our next few meetings.

And, Steve, you might want to also just quickly mention, you said Jodi usually does that report. Some people on the Workgroup might want to know why she's not here to do that.

>> Steven Posnack:

Okay. That is also one happy announcement. For those of you that didn't know, Jodi was pregnant for a while.

[laughter]

>>

Usually is nine months.

>> Steven Posnack:

If you weren't here in person. And she did give birth on May 4th to a baby boy. And everybody's doing fine. So as she said, she's begun her summer vacation. And we expect her back

>>

Must be her first child.

>> Steven Posnack:

It is. So we expect her back the end of August, beginning of September. And I guess I'll move on.

>> Kirk Nahra:

Any questions or comments? Don?

>> Don Detmer:

Yes, I think the committee should send her congratulations.

>> Steven Posnack:

Sure. We can do that.

>> Kirk Nahra:

Any questions, comments on any of the AHIC issues at this point? That's going to be an interesting issue to follow, sort of what is going to happen to that organization. But as Steve indicated, we're very much peripheral to what that particular focus right now. It shouldn't affect what we're doing, certainly in the short term.

>> Steven Posnack:

Right. They’ll have three contractors coming back in June to discuss business models and sustainability for that group on the outside of the federal sphere.

So the last update which is the next item on the agenda for me to talk about, is the Consumer Empowerment, Confidentiality, Privacy, and Security Workgroups’ subgroup that is talking about the PHR privacy policies. Deven from our Workgroup is a co-chair of that group, and I won't put her on the spot.

>> Deven McGraw:

Thank you.

>> Steven Posnack:

Just to keep everyone up to date. We have been marching along. We've had a couple meetings. We've been working off the prioritized Consumer Empowerment elements of PHR privacy policies that they've discussed at length at a number of their meetings. And we'll be trying to put together a clear, concise list and table of categories of items that should be in a PHR privacy policy, the attributes of those, and definitions of the attributes, so that is clear, with the intention of providing them to CCHIT for work in certification of PHRs. We haven't exactly worked out how that relationship will work out but we plan on starting a dialog with CCHIT to understand their requirements and what they need to make them useful certification criteria. And timing-wise, I think we may have some more data, or at least a draft version of our categories, attributes, and definitions table to give to the Workgroups for their June meetings with the intent of maybe starting to discuss some recommendations coming out of CE or CPS or both as a joint recommendation effort. That's just a heads-up of another parallel track that we may be on.

I'll turn it back over to Kirk.

>> Kirk Nahra:

All right. Any questions for Steve or Deven, if she wants them, on what's going on with that group? Anything you wanted to add, Deven?

>> Deven McGraw:

You did a really good job, Steve. Excellent.

>> Kirk Nahra:

All right. The next item on our agenda is stepping back a little bit to one of the issues we've been dealing with for quite a while now, sort of the next step in that which is the identity proofing and authentication issues. And we're going to have a presentation this afternoon from Yuriy just with some additional research and some additional information. Again, continuing our discussions on that point. Yuriy?

>> Yuriy Dzambasow:

Thank you, Kirk. Good afternoon, everybody. As Kirk mentioned, this is some follow-up research that the Workgroup had asked me to do based on a presentation that I had done back in February on looking at identity proofing practices for PHR providers, namely those providers that were offering additional services beyond traditional medical journal services and interacting with third parties such as care providers or insurers or pharmacies where there was interaction between the consumer and the third party.

And after that presentation on the 20th, I think there were some questions about exactly how much of that identity data, typically credit card information, stuff like that, was actually being verified by the PHR providers. Kirk and some Workgroup members had posed that question. So this presentation is a follow-up to that request. At the end there are some observations and considerations that I made for the Workgroup on perhaps some next steps. Slide 3, please?

In the original research, there were 13 companies out of the 50 that were researched. And the research was just trying to pull some public information that was available that we identified as value-added PHR providers. Those were the providers that were offering beyond traditional medical journal services and also offering third-party access to the PHRs, not just consumer access. I attempted to contact all 13 of those PHR providers, five actually did respond. The companies are there, listed on slide 3. In addition one of those companies forwarded my request to a technology provider, Anakam, and they also responded as well. The next two slides are going to summarize the responses that I did receive from those five providers and the one technology provider. Slide 4, please?

Primetime Medical Software actually clarified that they really weren't a PHR provider. What they offer was a medical history capability that got integrated into PHR/EHR solutions. They also clarified that the installation of those PHR solutions typically required a relationship between whoever, whatever entity was providing that PHR/EHR service, such as a care provider, and the actual patient. What they were advertising was more of a medical history summarization capability that could be added onto that. That was their response. Of note was noting that a relationship actually existed between the care provider and the patient.

>> Kirk Nahra:

Yuriy, can I interrupt? I'm not sure I understand the distinction they're drawing. I mean I thought a PHR was a medical history.

>> Yuriy Dzambasow:

They’re --

>>

Not necessarily.

>> Kirk Nahra:

When they're saying we're not a PHR provider, we are a medical history provider, what's --

>> Yuriy Dzambasow:

They have a piece of technology, a product that integrates into a PHR/EHR environment that can summarize and create a medical history record in a certain format rather than try to do journal management and those sorts of things associated with a PHR. So it's more of an aggregated history capability that can be added into this.

>>

A direct entry, kind of?

>> Yuriy Dzambasow:

Right.

>> Kirk Nahra:

Okay.

>> Steven Posnack:

Maybe more to clarify, this is Steve, it would be more of a module for the EHR?

>>

It wouldn't be standing on its own.

>> Yuriy Dzambasow:

Right. It would not be standing on its own. They are not a provider of their own. It is not a complete, integrated PHR package. It’s a -- thank you, Steve -- it’s a module that would be integrated into this type of service to do a particular function.

>> Kirk Nahra:

And is it integrated into an existing PHR/EHR, which -- is it integrated into both of those? Or integrated just into an EHR?

>> Yuriy Dzambasow:

It could be either/or.

>> Kirk Nahra:

So if I'm an individual I have to buy something else and then I buy this, too?

>> Yuriy Dzambasow:

What I got out of this was a care provider has an EHR service deployed, or an EHR service capability deployed in their environment. They could take this medical history module and add this to their EHR for their caregiver purposes. If they extend the EHR to provide PHR services to their consumer, they could then also have this module support medical history record development for the consumer bases, as well. So the module can serve both purposes.

>>

It's software.

>> Yuriy Dzambasow:

It's software, yeah.

>> Kirk Nahra:

So is a lot of what PHR vendors offer is software.

>>

So how does that differ from how does that change the need for identity proofing of the information that's going into that software?

>> Yuriy Dzambasow:

They're not involved. They're just selling a the provider here would be the caregiver in this example that has an EHR, has extended that EHR to provide PHR services, and they are the ones who identified the patient to have access to that. They bought this additional technology from Primetime that would integrate in. It's a piece of software that integrates in that allows the development of the medical history records from the doctor's office and from the patient's office. So it's just a hunk of software. They are not actually a PHR provider. They have no reason to do identity proofing.

LAXOR responded and said that one of the things that they've integrated into their PHR service is the concept of a personal health information manager. This is a person that actually gets into the process when a patient fills out an online application to enroll for a PHR and to establish a PHR. Once their information is provided and it goes to LAXOR, a personal health information manager receives that, reviews it, contacts that patient, goes through some amount of what LAXOR said non-rigorous identity proofing. So I mean there's no sort of set algorithm that they use. I think they will communicate with the patient. They will verify information, whatever they can, with that patient to get them to establish the account. Likewise if the patient wants to allow their care provider, I think one of the requirements that LAXOR also has is that the patient needs to define a care provider in order to establish the PHR. So they will go off and do some amount of identity checking on that care provider, not to the level of verifying that the license is still valid, but to some degree, to whatever degree their confidence is there that the care provider is a valid care provider and tied to the patient. I think the bottom line here is that they introduced the concept of a person to get involved to establish an account, to establish any third-party access to it, to help the patient define the roles and the privileges associated with that PHR and who's allowed to do what, who can read, who can write, those sorts of things there. And, therefore, institute some sort of relationship management with the patient. Not a whole lot of detail into the exact identity proofing procedures. I can't say that they use this algorithm to vet the information, that my name is really my name. But it's more than just collecting it and using it for credit card purposes.

Epic Systems clarified that their PHR service is an extension of their EHR service which they typically sell to care providers. So they said their typical model would be if wherever the initial point of care is provided by a care provider, the identity proofing would be done at that time on a patient, in an ER environment or perhaps a new patient visiting a doctor's office. And after that is done, if the patient would like to have a PHR set up so that they can go back and view their visit and any follow-ups and interact with medical doctors, an activation code could be mailed to that patient's address that's been verified, and they could then go online and establish a PHR account and use that activation code as a way of authenticating themselves for that establishment there. So they are relying on the fact that a relationship exists typically with care providers that they’ve already sold an EHR service to and then they would sell their PHR services as an extension of that EHR service.

>> Kirk Nahra:

Yuriy, are they any different, then, from Primetime?

>> Yuriy Dzambasow:

Yes, because they actually sell, what I got, an EHR/PHR capability, which is more than just a module that goes in and does a very specific function. They did say that they are aware that knowledge-based authentication technology is being used, but they weren't able to actually identify any of those providers to date. They didn't have that information at hand. The comment was we were at some conferences, we saw some pretty cool demos of people using KBA technology to do authentication. Unfortunately, they weren't able to point me in a direction there.

>>

Does Epic do the mailing of the activation code or is that something totally within the provider's control?

>> Yuriy Dzambasow:

That wasn't clarified there. I got the sense it would be part of the provider’s -- how much of the Epic System helps or supports the providers doing that, I'm not sure. But it sounded like the providers would actually go ahead and mail that out.

Dr. I-Net, which is a free service said, look, we really just don't do much identity proofing because we're a free service. Well, because the burden is as you do more identity proofing, it's more costs and therefore the free service doesn't become free. That was actually a comment that they had, they used to do a more rigorous type of identity proofing process in the past similar to what a bank might do in online banking today. Their feedback from their user community at the time was I don't like it. It's cumbersome. It's too long. The cost is expensive. So they just have gone to a free service. They did say that they can implement what they would call a privately branded solution for customers to say "look, I'd like to be able to do something specific for my environment. I'm willing to pay for it. Here are my requirements that I would like you to meet." They would work outside of their band, outside of their free service offering to implement whatever identity proofing requirements their customer might have.

>> Kirk Nahra:

Their customer is an individual?

>> Yuriy Dzambasow:

Right. Well what's out on the Web is just a free service PHR. It's people like you and me that could go there and set up a PHR as a free service. You don't want to pay for anything. So they don't do any identity proofing in that environment.

>> Kirk Nahra:

But they do the additional services? One of the lines that we've been talking about is a journal, as you described, versus reaching out and grabbing other stuff. Do they reach out and grab other stuff?

>> Yuriy Dzambasow:

It's advertised as the capability as being out there. Once I do it, then I could allow folks to get into that by sharing my account access information. So it's upon me to allow people to get access if I share my account access information or working with Dr. I-Net to set up other account access, ways for people to get in and view my PHR.

>> Kirk Nahra:

We'll need to give consideration as to whether that's a concern for us. If their view is we’re essentially not doing any identity proofing, I could go in and presumably set up an account as Paul. If I do that, what, then, think about what then might happen? If I all of a sudden look like I'm Paul and I can go out and start calling up Paul's doctors and saying "put your stuff in here," sort of piggybacking issue.

>> Yuriy Dzambasow:

I think the flip side question there would be how much would a caregiver actually would a caregiver ever even want to go into that kind of environment knowing the rules that apply to them. Are they willing to --

>> Paul Uhrig:

When you say go in, are they going in to look what's in there or input data?

>> Yuriy Dzambasow:

It's not clear from Dr. I-Net. This was a conversation that I had with them that was just sort of all over the map. As specific as you tried to be with some questions, it was "well --."

>>

They're enjoying being unregulated.

>> Yuriy Dzambasow:

Yeah.

Cerner Corporation, slide 6, please? Their current solution that they have right now, Cerner clarified for their PHRs it requires a relationship with some type of health care entity, such as a provider or insurer. That is the consumer market that they sell their product to. What was interesting is they would hope that in the future, and I'm not sure if this is something where they're seeing their product evolve to that wouldn't require them to sell just to a particular health care entity market. They would like to see some sort of independent health databank be established that would be responsible for doing this rigorous identity proofing and then pass the results of that process to health care entities that would be, that would need that information to establish PHR accounts for patients. So it's some other third party out there whose job in life is to verify that Yuriy is Yuriy and he lives at this address and all this information and then pass that on as an attestation to a health care entity that's offering a PHR service. That's a comment that they had made as to where they'd like to see the market go to. Currently they require a health care entity to be part of the process and a relationship be established with a patient.

The last response was from a technology provider, Anakam. They do provide a knowledge-based authentication technology solution. This is the technology that leverages database information that's based on some identity data you provide and then develops personalized questions for you to answer where the intent is that you would be the one likely to know the answers. They can leverage public databases, like the credit bureaus and the DMVs. They can also extend that into private databases, such as pharmacy databases, doctor databases, insurer databases, where you could really, then, personalize the questions beyond just do you live at this address or have you lived at this address? It’s, what were your last three prescriptions filled? At your last doctor visit you were checked out for, more personalized there. They did acknowledge that they're working with a government agency right now where a prior relationship does exist with the patients. They're also working with a commercial entity where no prior relationship exists. The commercial entity with no prior relationship, it sounds like they're just in the contract talks of getting that executed. It doesn't sound like much is going on there in terms of a real working solution.

Some observations from getting these responses, to me it seems like this market of a PHR provider offering additional services beyond journal management with no prior relationship to a consumer is really in an infant stage. It's a very small market and it appears to be truly emerging right now and trying to get settled.

>> Kirk Nahra:

Yuriy, let me ask you that -- when you say truly emerging, do you think it's coming, or it’s just really small right now?

>> Yuriy Dzambasow:

It's probably more correct when you say it's small.

>> Kirk Nahra:

Do you have any sense, just listening you described some of those. I've always struggled a little bit with whether there really was a market there. Do you have any particular sense that the issue for us is do we need to care about that segment of the market.

>> Yuriy Dzambasow:

That's one of the considerations as we move forward. I think of what I've seen as sort of a consumer sitting back and maybe watching TV a little bit and listening to commercials, all the stuff I've seen so far is coming from insurers and care providers and hospitals, people that have relationships with patients. I'm not really seeing stuff come out of the blue. From a consumer perspective, it says there's this market of these kind of PHR providers. Those that are, are really just journal management providers such as WebMD where you can set up a PHR account.

>> Lorraine Doo:

Well WebMD -- this is Lorraine -- WebMD also has the employer and the plan account. So they're doing both. But the CapMeds and the Angel soft and the MedicAlert, all of those standalones that are not taking data yet from anywhere else, those are proliferating. What we don't know is what their use is in terms of uptake.

>> Yuriy Dzambasow:

Right. With the WebMD, with the employer relationship and the plan relationship, what I meant was yeah, they are leveraging where a relationship exists, but they're not just allowing John Doe to come in and set something up without a prior relationship and then offer all these tangential services.

>> Lorraine Doo:

Right.

>> Yuriy Dzambasow:

Those who responded see value in having a relationship in place, which I think, which is very consistent with the recommendations made in the January AHIC meeting by this Workgroup.

The notion of using knowledge-based authentication doesn't appear to be as widespread as like it is in the financial industry. My perception is that KBA technology would be most useful if it were tied into private databases where the personalized questions could be more detailed. However, that sort of drives you back down the path of a relationship exists. So you have a relationship with a pharmacy or a care provider or an insurer and there's information about you, and then we can really develop some personalized questions on identity proofing that are perhaps more better [laughter] more better are better than just using public information.

I think the fact that one PHR provider posed the notion of a health databank is just interesting to note. Whether or not an entity like that will exist in the future, I don't know. But I just thought it was worth noting that somebody out there thought having this entity to validate identities and pass that information on is worthy of noting.

>>

And they called that a health databank?

>> Yuriy Dzambasow:

That was just what they called it. That is not my term.

>>

Got it.

>> Yuriy Dzambasow:

So I think based on that and to summarize, move into slide 8 is and perhaps, Kirk, I think more appropriate, maybe not an emerging marketplace for these type of PHR providers, but truly a small marketplace right now. And given that, I think the Workgroup could take one of two approaches: sort of sit back and watch, and if it does evolve and emerge, then you would be in a position to perhaps make some recommendations. The other option is because it's small, you might have some influence. And you could look at developing some high level recommendations. Maybe not spend a whole lot of time on detail. But if we believe that the marketplace would evolve into these kinds of providers, now would be an opportunity to kind of shape it. The question is, is this truly an emerging one or not?

And then the second one I think for consideration is because some industries use knowledge-based authentication technology, is this something that we should consider, the Workgroup should consider, in the health care environment. And if you do, look at two facets of it, just using public databases or extending that into private databases, as well.

>> Kirk Nahra:

Okay. Questions or comments from anyone in the room? Why don't we start with people in the room? For Yuriy? How about anybody on the phone of the Workgroup?

>>

No.

>> Kirk Nahra:

Okay. All right. I think that we'll get together with the office here and come back with some suggestions on sort of our next steps about this. I mean I think we may be at a point where we're sort of hitting the end of the road on this. I do, I guess, personally get the sense that to the extent that we had early on some concerns about stifling the marketplace if we were going to make some of these suggestions, I guess I have somewhat less concern about that since it seems like that's not where things are today and not at all clear that they're going in a place where our recommendations would have a negative effect on any of those providers or any significant group of those providers. So any other questions or comments?

>>

But I still feel that there's value to even though the market is small and may remain small, there's still value to at least setting the bar for if they use a method of identity proofing, I mean the principle is valid. And I think you can go there in terms a recommendation without specifying technical detail, which clearly they're not ready, the technology is not out there, really, at least widespread in this group to do it. But that could potentially stimulate the interest in developing techniques to do it. So I think there's some value to be gained.

>> Kirk Nahra:

I don't disagree with that. I was thinking about that, I guess. My comments came up in the context of two things. One is our idea identity proofing path, but also the next issue that we will turn to, which is the working hypothesis stuff, where the PHR vendors offering the services that Yuriy’s describing will be affected by our working hypothesis and may have some standards imposed on them. I guess I take away from that that to the extent somebody could say "I'm a free service and I don't want to have to comply with any rules," I'm a little less concerned about that because I'm not sure we design around I'm not sure we carve out an exemption for people that aren't a big part of the market and don't seem to be a growing part and aren't really doing the kinds of things we're concerned about.

So I was looking at it from both of those perspectives. I think the identity proofing, yeah, we've defined in the working hypothesis PHR vendors who are essentially participating in the health information exchange environment. So these people with the extra services, we've got to continue to think about that. I mean I assume the people that are not doing these other services and are just journal entries or journal collections, I don't know if we want to say they have to do identity proofing. We could certainly say that, but that's again sort of getting further away from the core of what we're looking at. And I would not want to say we think it's a bad idea for them to do something, I'm just not sure if we want to get into that or not if they're not touching the information exchange piece. Don?

>> Don Detmer:

If you didn't want to go that far you could say at least state on your website what your policy is or isn't so that there is transparency at least. This is what we do or don't do. That is another approach. It will not compel that much. But at least sort of gives somebody a sense of what's going to go on.

>>

I agree. But it doesn't do much for the consumer.

>> Don Detmer:

I'm not advocating. I'm just talking about options.

>>

Yeah. No I see where you're coming from. But the harm is the same to the consumer whether it's medical journaling that they've put in there and the company then uses it in an inappropriate way, the harm's still done.

>> Don Detmer:

It's the user beware versus I will protect you.

>> Kirk Nahra:

That's a fair point. We may be mixing a little bit of apples and oranges. When we've been talking about identity proofing, the risk was I say I'm Paul when I'm not. The risk in I guess your last example is I'm me, I'm really me and I'm the right person but they're holding my data and they screw it up. Not because of these extra services they're having, with the extra services we get into all the things we're concerned about. But they're a hosting service that's just the journal and somebody breaches that and steals the information. That may be where Don’s point comes in, I'm not at all sure that we don't want those people to have privacy and security practices. I'm not sure if identity proofing is the one that I’m worried about as much there.

>>

I see what you're saying.

>>

I think the threshold for the identity proofing would be whether or not there's interconnectivity with somebody else, because that's where you hand off the risk of proliferating information and identity and all those different things. That could be the threshold point. I think we do need to make a

>> Kirk Nahra:

That's how we've been looking at it. That's why Yuriy is talking about these additional services are that extra step that you're talking about and our working hypothesis was intended to be that extra step. The working hypothesis was not intended to cover a journal company.

>>

Yeah, I see that.

>> Mazen Yacoub:

I have a question.

>> Kirk Nahra:

Go ahead.

>> Mazen Yacoub:

Yeah, this is Mazen with Tricare. Have we gotten away from wanting to make a recommendation about non-present identity proofing?

>> Kirk Nahra:

You mean not in person?

>> Mazen Yacoub:

Correct.

>> Kirk Nahra:

Well, it hasn't been what we've been talking about lately. It doesn't mean we're not addressing it. Is there a comment you want to make about that?

>> Mazen Yacoub:

No, no. I just wanted to ask that question, just a quick question. I think some of the things here touch on that but clearly it’s not so much the focus of it. I wondered if that was still part of the agenda.

>> Kirk Nahra:

Let me back up a second. This is going back a couple meetings, but I think that's one reason why we were focusing on these interconnecting PHRs. And the idea was again, the recommendations we made basically said we like in-person identity proofing. There may be situations where there are other ways to do that. We were concerned for these journal companies that if we were to say you have to do in person that was going to be a real problem for these journal companies. So we sort of put them aside and said well we're not going to talk about in person for just the journal companies. It's when they start making connections to other entities that we worry more about identity proofing. We haven't at this point made a recommendation I'd have to go back to the notes. I don't remember whether we said anything specific about alternatives to in-person other than we were going to look at them.

>> Mazen Yacoub:

Yes.

>> Kirk Nahra:

I don't think we made any recommendations on non-in-person identity.

>> Mazen Yacoub:

I was just asking whether that was on the list.

>> Kirk Nahra:

Let me ask that as a question. I don't recall we made any recommendations other than to say we were aware that we needed to look at that and we were going to do that.

>> Steven Posnack:

I would -- this is Steve -- I would say for everyone to remember, and they can correct me if I'm wrong, we outlined the additional two options in that first recommendation that were if you had a relationship you could base that on. And then the other one you could do non-in-person but leveraging that relationship. We have allocated other options from our recommendations from January that

>> Kirk Nahra:

It's the non-relationship people we haven't got to. We haven't come up with a, we haven't made a recommendation for non-relationship situations of anything other than in person yet. We said we are going to look whether there's something that might work in that scenario.

>> Steven Posnack:

Correct. I guess I would offer up for the workgroup in terms of a suggestion either more work for Yuriy or for us to consider as a recommendation David's point of the interconnectivity part. I don't think that we've drawn a line in the sand in the recommendations that we made in January based on the interconnectivity part. And we could make a higher level, more overarching recommendation that says that you're going to be interconnected, we would want you to go about some identity proofing process and leave it general like that so it doesn't contradict any of the recommendations we made in January, but also covers, now, the rest of the non-prior relationship world where we set a standard at least to say you needed identity proofing. We're not going to tell you how to do it.

>> Kirk Nahra:

I don't want to get too far down this road because I at least don't recall all the details of that earlier recommendation. But I recall being very uncomfortable with exactly that approach because I didn't want to leave up in the air what they were going to do. Now, we may want to leave up in the air what they're going to do if they're not connected because we may decide that we don't really care about that. But I guess my view, subject to this additional work, was if it's going to be connected, I haven't heard anything in a non-relationship setting that makes me comfortable enough other than in person. And so we were going to look at whether there were not in person options that were available for these PHRs that were integrated where there was no prior relationship. And that's why one of the vehicles we had talked about, which we really haven't done anything with, was in-person from other sources, not just in-person by the provider, but they could go to a notary public or whatever. We haven't really gone down that road.

I guess the other piece that I'm hearing, and maybe this is where we connect back up with what Yuriy was saying, it doesn't seem to me that the marketplace for integrated but no prior relationship really exists very much now. And so we may be spinning our wheels on something that doesn't matter. That's somewhat of the take-away I hear now, which is there really aren't many businesses who are offering this integrated set of services, or interconnected set of services, who aren't doing that in a way that is based on some prior relationship. Is that a fair conclusion from what you were saying?

>>

Well there may not be now, but I think there will be. There are products in the pipeline.

>> Kirk Nahra:

Although that’s sort of what Yuriy is saying, he's not clear there are going to be those.

>>

Well based on interviews with the five companies that called him back? I just don't think it's a good

>>

It's not a significant sample. And we're still dealing with a population where there's only limited adoption. And if what we're going for is more widespread adoption, then maybe creating something where there is an added level of assurance would promote that more widespread use and adoption.

>> Kirk Nahra:

But again, here's where I think we are today. And I want to make sure we don't go forward with this until we've checked back the earlier recommendations. I think where we are today is we've said in-person or use a relationship. And we said we're going to look and see whether there's any alternatives to in-person. I haven't heard what those are yet. And I haven't heard in the course of Yuriy's work or otherwise any particular substitutes to in-person in a situation where there is not an existing relationship that I feel comfortable saying okay, that's good enough. So right now, if somebody started a product tomorrow that is an integrated PHR solution that you can walk into the supermarket and buy, we're saying our recommendation right now is in-person authentication, I mean in-person identity proofing, excuse me. So we can continue to explore whether there are alternatives that would be sufficient. I guess what I'm hearing, given all the other things we have to do is that market isn't much today. We're not learning much about what that market's going to look like. And, therefore, I'm not sure we should spend a lot of time coming up with an alternative to in-person. Again, in-person is a high standard, I think we've all decided. We're looking at whether there's lesser standard. I haven't heard about it yet. I’m not sure I want to spend a lot of time looking for a less good alternative that we can get comfortable with.

Now if Yuriy came back and said no, this is where the market's going, if you're not going to deal with this, you will have a huge problem, that's a different situation. But I hear lots of people saying there's things in the pipeline. And it may be happening. When those people come out, maybe they come and testify on what they do instead.

>> Yuriy Dzambasow:

I think the other -- this is Yuriy -- I think the other perspective that we don't know is if these products were to come out on the marketplace, how would the caregiver community react to that? Will doctors want to sign up with these types of PHR providers? Or are they more content to run their own offering through their environment or through a hospital or leverage an insurer community? That's a part that potentially we could use.

>> Kirk Nahra:

The other piece and Mazen you had said this in terms of acceptance and widespread use. I don't know if this is a consumer empowerment issue or not, but are we going to get more widespread use because these products are cheaper or because they provide better privacy and security? And I don't know the answer to that. I took from your question that we need good privacy and security in order to get consumer acceptance. And I don't have any particular reason to disagree with that. But there are probably plenty of people who would trade off some of that for a cheaper product.

>>

So if we abandon looking for or looking at the possibility of other solutions other than in-person authentication, are we not stifling this market by saying we're putting a standard that is our most comfortable standard, but we haven't really evaluated what other standards are out there that would be less expensive for you to implement, not be as rigorous, but still be acceptable from a privacy and security perspective?

>> Kirk Nahra:

Couple things. One is I don't view it as stifling. Two is I'm not sure it's our job to figure out what those people might want to do in the future. I'd rather, basically, put a placeholder on that and say we've done what we can do right now. We haven't at this point come to any conclusions that there are acceptable alternatives other than in person. But if there's a point when there's suggestions out right now no one's coming to us and saying here's our good alternative, the only thing I've heard is this knowledge-based. Which, again, if you're the grocery store selling it off the shelf to somebody you never heard of before, it's not clear to us, I don't really have a good sense of how the knowledge-based

>>

In my mind, the knowledge-based thing only works if you have a prior relationship or some relationship with somebody to get the kind of information that you need to be able to ask those intelligent questions.

>> Paul Uhrig:

I mean I've actually gone through the questions. I have to admit, you know, and it's one sample, so hardly a statistical sample. But I had no prior relationship with the company. I just did it with a test. I can't think of anybody who could have answered those questions, except for me. Maybe my ex-wife. But that's about it.

>> Kirk Nahra:

Who is somebody we'd be worried about.

[laughter]

>> Paul Uhrig:

No, I understand.

>> Kirk Nahra:

I didn't mean her specifically. I don't know the woman.

>>

Just remember, this is a public forum.

>> Paul Uhrig:

But my point is only someone who knows me extremely well could have answered those questions off the cuff right away. Some research would have to be done to understand whether, how good it really is. But I think there is some value to it. That is where the industry is going, and the fact of the matter is I think a lot of these companies do want access. I know they do. They do want access to data sources. And the primary reason why they're not getting it is because of this issue. So in my mind

>> Kirk Nahra:

Let me understand what you're saying. Companies offering what want access to what data?

>> Paul Uhrig:

Companies offering PHRs would like access to data sources, obviously from what I know that's a pharmacy, so that they can connect and be able to download the information just like you can Quicken from your bank. And one of the primary reasons why that's not happening, in my mind, is because of this issue of identification and authentication.

>> Kirk Nahra:

That's a fair point. I guess I go back to the following, which is and we talked about this a little bit back in January or December, whatever it was. If we're talking about costs, it's going to be cheaper to have somebody walk into a notary public and have their ID checked than to buy this knowledge-based access. If the whole point is cost, I'm not sure that knowledge-based what does the A stand for -- authentication is necessarily a cheaper option.

I guess the question for us is do we spend our time on this issue to come up with alternatives for vendors who haven't appeared in our research, so that we can anticipate what might be happening where all we've said right now is in-person is the gold standard. We're not sure if there's an acceptable silver standard yet. Or do we spend a lot of time, a lot of additional time figuring out if there is a perfectly appropriate silver standard for this market that we're not finding. It's a resource question, in my mind.

>>

Well, the other question I would have is I can't remember the wording of the January recommendation, but did it apply to anyone other than who had the potential for an in-person relationship? I can't remember how it was worded. But if it doesn't, then there is a gap there. And wouldn't there at least be, wouldn't it at least be desirable to have a baseline that those other things that wouldn't be subject to that recommendation, if in fact they're not, have a method of identity proofing?

>>

That would be potentially consistent with the recommendations already approved?

>>

Yes.

>> Elizabeth Holland:

This is Elizabeth from CMS. I have like a disconnect question. I understand that we want in person. We're saying we’re wanting in-person proofing, but I'm not exactly understanding why. The consumer is going to go to a PHR vendor, conceivably online, and buy a PHR. That PHR is conceivably empty until the consumer puts things in it. And why do they care if it really is that consumer or not if it's just going to be used by that consumer?

>>

That was my earlier point is that there is that trigger point that we do care because then it becomes interconnected with other systems and other data may be being pulled into it or it may be pushed out to other data. All of a sudden that's identity

>>

That's if they want to share their data. Just because they have a PHR, that shouldn't inherently mean that it's going to be shared.

The point that I have is what CMS has to think about is how we're going to offer PHRs, we're going to approve so many PHR vendors to handle PHRs for Medicare beneficiaries. But we need to know that the Medicare beneficiary has really gone to that PHR vendor and signed up, and we need to make sure that we're matching the right data, that we will send the data into the PHR. And we don't have a personal relationship, like an inperson relationship with a beneficiary. We can only go on knowledge base.

>> Kirk Nahra:

But you have a relationship with that beneficiary. So you're not at that category that we're talking about right now.

>> Elizabeth Holland:

But we don't have a relationship with the PHR vendor that we're sending the information to.

>> Kirk Nahra:

I'm not sure you don't have a relationship. You haven't met them in person or you don't have a contract?

>> Elizabeth Holland:

No, the beneficiary has gone independently to the PHR vendor, and then either the beneficiary will come to us or the vendor will come to us and say we want this beneficiary's information. And how do we make sure that they have the permissions to get that information?

>> Paul Uhrig:

Which is my scenario.

>> Kirk Nahra:

I've lost something.

>> Steven Posnack:

The onus is on the PHR vendor at that point to do the identity proofing or else if they wanted to make the requests for data to CMS or SureScripts or whoever else, those entities, SureScripts, CMS, don't know that the PHR vendor knows that you know who you are, Kirk. You could be Paul and then that PHR vendor would go and grab Paul's data and give it to you.

>> Kirk Nahra:

Right. And we're saying right now we think that should be inperson until we come up with a better alternative. And we haven't at this point come up with a better alternative.

>>

If I'm a vendor and I'm selling this service or in the event of the free service, as long as I have just that one back and forth relationship between me and the subject of the information, then we wouldn't ask them to identity proof. At the trigger point in which the information was going to be integrated with someone else, if they weren't identity proofed to begin with, we'd have to have them go back and identity proof because they've now crossed a different threshold.

>> Kirk Nahra:

Correct, and right now.

>>

If it's a one-way cycle. Or a two-way.

>>

Right.

>>

My Yahoo health care site.

>>

But you can't do it in person if you're in Maryland and your beneficiary is in Hawaii. Unless you have an office in Hawaii that they can walk into.

>> Kirk Nahra:

One of the things we put aside was this idea of trusted third-party in-person authentication. Maybe that's a viable option.

>> Don Detmer:

That's the idea between the single trusted bank concept. Actually you have a trusted site somewhere that can, in fact, do all that. I'm not advocating it. I'm just saying that's why

>> Kirk Nahra:

I'm not sure it's the same thing or not, Don. But I guess the point is people buying this stuff are somewhere. They may not be where the vendor is, but they're somewhere. So if I'm buying something from a software vendor in Hawaii, I can still walk into whoever we decide, if it's a notary public, if it's my local bank, if it's somewhere, I can go there and they can authenticate me and then that's good enough for the PHR vendor. We can look at whether that's a viable approach. We've had discussions about that. That one, again, that one seems to me to be perhaps a little bit more viable than some of the other pieces we've talked about. We've had some concern about sort of who's willing to rely on that and are the, is the notary public willing to stand behind that in-person authentication. So that's a viable thing for us to look at. I think it's a hard thing to look at. I mean the question, for example, and, Paul, I think you had raised this in one of the earlier meetings, what if the notary I work in a law firm where the notary publics go through all this stuff all the time. Sometimes it's very thorough and sometimes it's not. They're not taking on any particular liability to a SureScripts or some other hospital that they've never heard of. So we can look at that as an option. We can send Yuriy out on that. We can have hearings. We can do all of that stuff. Do we want to do that? Again, what that's saying is you don't have to walk into my store to buy my product. You have to walk into someone's store to buy my products.

>>

Well, my hearing a comment, though, is if our government and CMS is going to do this, we better look at it. Because that's not what you call a corner drugstore. That's a big operation.

>> Kirk Nahra:

Let's talk about, let's go back to the CMS example for a second. So CMS right now is exploring this option without having any particular sense of how the PHR vendor is going to do this? I mean is that a fair statement?

>> Elizabeth Holland:

Well, I don't think it's in any of our present thinking that we're going to require the PHR vendor to do in-person proofing. They sign people up generally over the Web. And people are going to come on the Web and say okay, I want WebMD PHR. Here is my credit card information. This is where I live. Blah, blah, blah. And they'll sign up for a PHR. Then WebMD, or the beneficiary, will come knocking on CMS's door and say hey, I've got this WebMD PHR, can you send my Medicare claims there? And we’re going to say, okay, who are you? Do we have records on you? What do we have on you? And we’re going to ship off their data to the PHR. And then we'll give them like daily feeds updating the data.

>> Kirk Nahra:

And so you're going to be entirely dependent on this PHR vendor who has no requirements?

>> Elizabeth Holland:

Well, we're going to put some amount of I mean, we're very interested in what the CCHIT is doing for EHRs, but without that for PHRs, we may have to come up with our own functional requirements, and they will have some privacy and security aspects to them, that PHRs will have to be in place in order to be Medicare-approved so that we will send data to them.

>>

Identity proofing. We're kind of back to where we began.

>> Elizabeth Holland:

But I think a lot of the PHRs don't do in-person identity proofing. They just sign up people over the Web.

>> Kirk Nahra:

And our view as of now is that's not good enough integrated. Again, where we are as a Workgroup right now is we have not seen an acceptable alternative yet to in-person identity proofing for an integrated PHR. And what I hear you saying, I think, is that CMS is moving towards a model where they're going to have some other undefined method. We're not the law. We're just making recommendations to someone else who is going to make recommendations. But if CMS came to us and said here's what we're doing, what do you think of it, I think based upon our prior discussions, we would say we don't think that's a very good idea at this proofing.

>> Elizabeth Holland:

We're going to be piloting probably starting later this year because our specs were out for sources sought already. They went out last month. So we will have something in pilot phase up soon.

>>

When do you expect to have any data back on what happens?

>> Elizabeth Holland:

I think it's at least a one-year pilot.

>>

Thank you.

>>

Elizabeth, are you talking about the registration summary?

>> Elizabeth Holland:

No. That's just for managed care. We're talking about a fee for service pilot. So it's in addition to whatever we learn through the managed care. And that's going to start soliciting, the managed care part is going to start soliciting people I think like June 3rd or 4th.

>>

June 3rd.

>> Elizabeth Holland:

Uh-huh.

>>

So are you going to make those disclosures to noncovered entities under HIPAA pursuant to a business associate agreement? A business associate relationship? Or will it be pursuant to an authorization? I think maybe you could somehow tie some of this to the authority to make the disclosures might be able to tie them to in-person authentication expectations or something. I guess I'm not even getting how you'd make those disclosures legally under HIPAA to a noncovered entity that's without one of those pieces in place.

>> Elizabeth Holland:

Well we're the disclosure we're making is we're giving the data to the beneficiary. We're doing what the beneficiary wants us to do. And they're telling us they want us to move their data to XYZ PHR. And the beneficiary has a right to their data.

>> Kirk Nahra:

But the issue is you don't know really if it's the beneficiary or not.

>> Elizabeth Holland:

Right. And that's the part we have to work out with the PHR, figuring out how we're going to make sure that the beneficiary is the beneficiary. The way we do it now, through our MyMedicare, we ask certain questions and we say okay, you can view it. This is going to require a higher level of assurance because we're going to be actually moving it somewhere.

>>

Well you do one thing on the Medicare obviously, anybody that's in if you're talking about at least your over-65 population, there are offices all over the country, and they do all kinds of authentication to decide you get benefits. And that's certainly at least

>>

That’s Social Security.

>>

You have mom and pop shops everywhere that do that, at least. That could be a function that you could take on through that mechanism because you've got them everywhere.

>> Kirk Nahra:

Let me try to close this up. I want to make sure -- we're scheduled to be finished a few minutes ago on this topic. Let me work back with the staff on making some suggestions on what to do next. I think that we have, our major question is whether we are going to, A, put more time into identity proofing at all? If so, are we going to look at alternatives to in-person identity proofing? Are we going to look at third-party, sort of trusted source ways to do in-person identity proofing? Or are we going to do something else?

And that first question is very much a real question. Are we going to do more on identity proofing at this time? Obviously we'd be happy to have CMS's input on that. I don't know, just from what you're describing, we're not in a position to move quickly enough to probably make any difference on your pilot. And I'm here, based on the two minutes we've heard about this, this Workgroup, if asked today, would say we think you need to do some more on identity proofing in that environment. So, all right.

>>

At a minimum, looking at trusted third-party source versus in-person.

>> Kirk Nahra:

All right. So if people have other thoughts on that or suggestions on what we should be covering, if you could again get those to Steve in the next couple of days and we will try to move from there. All right. Any last I almost hesitate to do this -- but any last questions or comments on that point?

>> Lorraine Doo:

Kirk, this is Lorraine. I'll send them to Steve. How's that?

>> Kirk Nahra:

Great, thank you. All right. Let's move -- thank you, Yuriy, for that -- let's move on to the major topic of our discussion today, which is our working hypothesis. For those of you who are on the Web, that material has been distributed. Obviously you've had them in other contexts, as well. Those of you in the room, there is a single page right before this chart. So it's towards the back of the materials that you have in the room right before the chart.

Let me just lay out what I would like to try and accomplish today. We had some discussion of the working hypothesis at our last meeting, which was the hearing that was held in the other building where we had testimony from RHIOs and some of the PHR vendors. At that point we had a pretty good consensus on large segments of both the working hypothesis and the subhypotheses. We had asked for comments, follow-ups, et cetera, from people. And we got a variety of comments, some of them, frankly, surprising to me, some of them less surprising. Some of them in directions I hadn't anticipated. So let me at least lay out what my view is of what we're trying to accomplish with this.

This working hypothesis itself was an approach that we had suggested a couple of months back to try and essentially move the ball a little quicker down the field, just to play out a sports metaphor. Rather than have an open-ended let's talk about a topic without knowing where we're going, we had tried to formulate essentially an idea to try and take potshots at. An idea that I had some support for, that I think the staff had some support for. It doesn't mean that it was not subject to discussion. But sort of where we thought the group was going to go on this. And we called it a working hypothesis as a means of stimulating discussion, focusing attention, but giving us something to shoot at. Giving us something that people could have opinions about and we could try to refine.

The idea was that over the course of our hearings, the working hypothesis would move from question up for discussion to recommendation. Once we got to a point where everyone agreed with the topic, it was then not a discussion point, it was the view of the Workgroup. So the idea was to move from a working hypothesis and get to a point where we had a strong enough consensus that we were going to turn it into a recommendation. I am optimistic that we are getting close to that on this main hypothesis and at least some of the subhypotheses. There were a number of folks on the Workgroup who at least seemed from their comments to not see a connection between the working hypothesis and the step of recommendations. I'm happy to have discussion about that, but again our intention, my intention, at least, was that it was a working hypothesis until we got to a point where we agreed on it and then it was essentially going to be a recommendation.

So my goal today, recognizing that we have lots to talk about and that people have views on all these points, is to try and get as far down this working hypothesis as we can to decide either we are at a consensus point on some or all of these, or we're not. And if we're not, what do we need to know in order to get there? If the answer is we don't like subhypothesis 1 because we need to understand what the following kinds of organizations think about this topic, then we'll take that to our next hearing and say, all right, let’s go get people to testify on those points. So the goal today is to figure out whether we have consensus on these working hypothesis points, to refine it in any ways that we can during the time we have, to begin to turn those into recommendations, and to see if there are areas where we need further factual development through testimony or otherwise. So let me just stop with that. Is that at least, as an approach for the day, something that people understand, makes sense to them? Do you have concerns or objections? Now is the time also. Anyone in the room? I'll take silence as uniform agreement with every word I said. Anyone on the phone?

>>

No.

>> Kirk Nahra:

All right. Well, so that is our goal for the afternoon, for the time that we have scheduled for this discussion, which is roughly the next hour, hour and a half or so.

Let's start with the working hypothesis itself, the sort of head hypothesis. Let me just read it for everyone. I know people have it and it's been distributed. But let's just be clear. "All persons and entities excluding consumers that participate in an electronic health information exchange network at a local, state, regional or nationwide level, through which individually identifiable information is stored, compiled, transmitted, or accessed, should be required to meet privacy and security criteria at least equivalent to any relevant HIPAA requirements."

What we've been calling this in shorthand is the level playing field idea, which is everyone who is going to participate in health information exchange activities should follow, should be meeting a standard that is at least equivalent to HIPAA. A couple of things come out of that. At least equivalent to HIPAA is a baseline. We're talking about a level playing field. One of the next steps of this Workgroup clearly is going to be should the level playing field be something higher than HIPAA? That's not our topic for today. That will be one of our next topics. And unless we have lots of disagreement today, that will be one of the key areas of testimony in our June hearing is should we have, should we lift the rules of the playing field up for everybody? But again the principle that we're talking about today is the level playing field across the people that are going to be participating.

We took, we added the language about excluding consumers. We didn't want to have John Smith who is transmitting his own PHR information have to follow those rules, we're okay with that. We wanted to have a broad definition of what we're talking about, the idea of health information exchange. Again, not the freestanding PHR vendor who has got a journal entry that I can write down the notes of my medical visits. It's when that data starts going in and out of that document and connecting up with the networks that starts to be the issue.

We came up with stored, compiled, transmitted, or accessed. Again, as a description of the activities that involve participation in these networks. There was some discussion at our last hearing as to whether that list was comprehensive enough. I don't think, Steve, we got any suggestions from people on other activities that needed to be included. So let me throw this open for discussion. We got, again, when we had this discussion at our last hearing, people seemed to be pretty close to a point where we were getting down to the last points on this. Are there comments, questions, reactions to the baseline working hypothesis? Not the subs yet, but the core working hypothesis? Let's start on the phone first time. Going once? All right. In the room. Questions, comments? Don?

>> Don Detmer:

I think you want commas, I'm hardly a copyeditor, around excluding consumers. Because otherwise it sounds like all persons and entities [inaudible] consumers that participate in a.

>> Kirk Nahra:

Fair point. You want that set off.

>> Don Detmer:

Yeah.

>> Kirk Nahra:

That's correct.

>> Don Detmer:

Like if they exclude consumers.

>> Kirk Nahra:

All entities that exclude consumers. I agree, that's a fair point.

>>

This is a little bit of a nit. Adding to stored, compiled, transmitted, or accessed, maybe adding the word modified. Because I could see someone having a program similar to the one that Yuriy was telling us about where you take information in and you may kind of juggle it around and then make it available in another form. And that group could be excluded from this.

>> Kirk Nahra:

Well, presumably they would have to store or access, wouldn't they? I'm not sure I object to modified. I'm not sure someone could modify without storing or accessing or compiling. Well does anyone object to adding modified? Again silence --

>> Deven McGraw:

I think this is the only problem. This is Deven McGraw. I think the only problem we have with adding to the verbs is that we'll just keep adding to the verbs. Is it modified? Is it utilized? Is it sent somewhere? But I see your point. But I'm also like, I always feel comfortable that we kind of, you have to have the information. And once you have it, the different activities that you do with it are sort of subsumed within this description.

>> Kirk Nahra:

Let me ask this question. Is there anyone who was going to suggest an additional verb beyond modified?

[laughter]

>> Deven McGraw:

That’s true. If that's the only one that it takes, I'm fine with that.

>> Kirk Nahra:

Put away the principle and get to the practical.

>> Yuriy Dzambasow:

Kirk, this is Yuriy. In a related industry activity, in the mortgage industry, one of the things that they came up with was disposed. Because one of the concerns is when you actually get rid of computer equipment and stuff like that, that there could be information on there. If you throw it away in the trash can, you're worried about how that information is actually disposed of properly.

>>

I like disposed better than modified.

>> Kirk Nahra:

Again, just to play it out. You can't dispose if you didn't store it. You have to have stored it in order to dispose of it.

>>

You could modify without storing it. I'm not a SAS programmer but I know that you could modify it.

>> Kirk Nahra:

Without accessing it? Access is here, too. That's the thing. You have to access in order to you have to either access or store in order to modify.

>>

We had used the term process in a similar event.

>> Kirk Nahra:

If the answer is no one has a suggestion, no one is going to suggest an addition other than modified, does anyone have a problem with adding modified? All right. So let's add modified after transmitted.

All right. Any other questions or comments about the working hypothesis itself?

>>

Are we sure in all instances where consumers are involved in this that there would be no requirement for them to follow HIPAA requirements?

>>

That would be no different than them being the authorization authority under HIPAA in all cases. I mean they are the controller of their information. If they want to put it in, in an unsecured manner, and do something unsecured with it, it's their data to do that with. It’s their loss.

>> Kirk Nahra:

That's exactly right. The HIPAA standards are designed to create protections for individuals and their information. I mean, one of the points that we're going to get to in the subhypothesis is it's here in the idea of relevance. I mean if you go down the HIPAA checklist, most of the HIPAA checklist would not be relevant to the consumer privacy notice. I don't have to tell myself what I do with the data. I don't have to give myself access to the information. I'm not sure which direction you look at, there will be very little of those things. Again, use and disclosure limitations. If I want to put it in the newspaper, I'm allowed to put it in the newspaper. Here's the issue. I can't put Paul's information in the newspaper, but the system has to be set up so that I can't get Paul's information. So all I'm going to get is my information. I'm allowed to do it, frankly whatever I want with it.

>>

On the rights and responsibilities side of the fence.

>>

Let's say you're putting in personal health information, you're doing a family history. You're not putting your information. You're putting in your cousin's information. And some of these entities are looking at the Surgeon General's Family History project and trying to incorporate that into personal health records and electronic health records.

>> Kirk Nahra:

So the concern would be I put in information about my mother or my child that is wrong or inaccurate or malicious or whatever it is.

>>

That's correct. Your cousin doesn't want Huntington's disease about them in your personal health record, right?

>> Kirk Nahra:

I guess one of the issues there. That's a very good point. I'm not sure saying HIPAA applies would restrict that in any way. That's certainly going to be treatment, payment, health care operations activity. It's certainly going to be it's in connection with all the things that are appropriate.

>>

Well HIPAA wouldn't reach this situation, anyway. Because they're non-covered. An individual putting information on a blog about somebody else.

>> Kirk Nahra:

I think that's a direct point. We're talking about making them essentially covered. Again, they're not going to be HIPAA-covered entities. But we're talking about extending rules to people today who don’t have to follow them. I guess it strikes me that

>>

I mean there's more and more information you can enter. Like I might not be able to take X drug because my brother was tested and his genetic information says that he cannot tolerate X drug. Right? So if someone wants to put that in their personal health record to alert their health care provider, they're putting information in about genetic testing of relatives.

>> Kirk Nahra:

I guess my sense is that that's a very good point. It's a real issue. It's a different issue. Meaning that I don't think that taking out excluding consumers so I guess the question is it seems to me that's sort of adjacent to what we're talking about. Maybe we put it on the list of things we want to talk about. I'm not sure how to deal with it, but I don't think we deal with it by modifying the working hypothesis. I don't think the principle of, I don’t think the idea of level playing field fits the consumers, people you're talking about. I guess that's my thought. It's a real good issue. I hadn’t thought about that.

>>

I guess I don't want to exclude all situations where consumers might be putting information in. As long as we address it somewhere else that’s fine.

>>

Nothing today prohibits someone from telling the doctor my cousin has X disease and it goes into their medical record.

>> Kirk Nahra:

Correct. Goes into their medical record. Let me ask one other question, which is, do we have any reason to think that if I put something in about my mother or my brother or my child.

>>

Family history.

>> Kirk Nahra:

Well, I understand that which we've been gathering forever. I understand that my mother, brother, and child may have their own privacy interests. I understand that part. Let me put that aside for a second. Is there a risk in this integrated environment that the doctor is going to go into my record and grab something out about my brother and move it to my brother's record? Is that going to happen?

>>

That's what we're looking at right now and we're looking at all the electronic health records. Where is genetic information put? And if you're all in the same health care system, why couldn't somebody use the family data in order to treat that patient? Because if you have a high risk of colon cancer in your family, the doctor would want that information to do colonoscopies sooner. There is a question on, if the same health care provider were seeing your whole family, that even causes more ethical considerations, but if they're a different health care provider --

>> Kirk Nahra:

So we have two kind of issues there. We have, is that a use we want to permit, which is sort of a secondary use question, do we want to permit my family's medical records to be used for my treatment? I think we call that secondary use, although maybe that's not the right phrase.

The second is sort of the reverse of that, which is if I'm the one putting that in and I write down that my brother has some disease, I might not be right about that. Is there going to be a problem on that? But that's a risk. If we permit the information to be used, how do we control the accuracy of it? But it seems to me the first issue is are we going to permit, develop a system that permits that to happen in the first place? Again, that strikes me as an important issue. We're going to expand our issues rather than contract them. But an important issue that's not this issue, may or may not end up being our issue.

>> Deven McGraw:

Right. And actually, I have to ask Joy -- this is Deven again. I have to ask Joy Pritts, who is over at Georgetown who I call on HIPAA issues. I don't think Sue is here today. But I think under the treatment exception for consent of HIPAA, it includes getting access to one person's information in order to treat another. And it's specifically designed to capture family history circumstances. So it's a bigger issue and doesn't having HIPAA apply doesn't even get at that particular question because it's permissible already, a different set of circumstances. From what I understand, (inaudible).

>> Kirk Nahra:

Although again I think that’s sort of affirmative -- there's a permission element in there.

>>

I think you have to get informed consent. That's what we do right now to get someone else's records for treatment --

>>

I don't want to spend much more time doing that, but it came up in the context of looking at this recent IRS ruling allowing for hospital donations of equipment to physicians and it's essentially looking at to what extent could a hospital that donated equipment access records of a patient that wasn't treated? And apparently you can do that if it's to treat another person, and you don't necessarily need to get the consent of the person whose records you're accessing. But let's just table that because it's taking us way offbase.

>> Kirk Nahra:

I'm not sure I agree with it, either.

>> Deven McGraw:

Suffice it to say there are some bigger issues.

>> Kirk Nahra:

Who is taking notes of today? You're getting these lists of future topics? Okay. Don?

>> Don Detmer:

This is a media topic. When we were actually going through the pre-HIPAA, at one time we considered sending all medical records to Europe and then re-importing them to the U.S. Because European law said that once data meets a privacy standard, it meets it globally. Essentially, in other words, if we've had it in our borders, from now on it's covered by our privacy considerations. This is not true of when X-rays are being read in India overnight in the U.S. and we've got every other jurisdiction here. Local, state, regional, nationwide. But in an era of the Internet, at least we need to discuss whether we're concerned of this internationally.

>> Kirk Nahra:

So the question would be if the health information exchange network was an international network.

>> Don Detmer:

Or if the data is outside.

>> Kirk Nahra:

This language let me ask you this, Don. You're clearly raising an important issue. It's only an issue in this topic if we're talking about an international network. I don't think this issue says I mean if I'm in India

>> Don Detmer:

Individually identifiable data is transmitted.

>> Kirk Nahra:

Right, if I'm in India, I'm a company in India --

>> Don Detmer:

I'm talking about if I'm company here sending it to India. Once I send it to India, do I give a hoot about it? Now it's in India.

>> Kirk Nahra:

We're going to have let me anticipate an issue we will have in a little bit when we get to subhypothesis 3. I think one of the issues we definitely need to have some discussion on is how far downstream we intend this hypothesis to go. I mean I envisioned when we start talking about this that this hypothesis was going to go to people who were accessing this information, getting into the networks themselves. Not necessarily I could go into it, I have to follow these rules, but then when I come out, I might send it to all kinds of people in my normal business, perfectly appropriate things, who themselves will never touch the network. I don't think we're saying all those people on my periphery also have to follow subhypothesis 1. But that's a question.

So the India, if I'm transmitting to a company in India to do whatever it is they're going to do, let's say I'm a hospital today. I have to follow HIPAA in sending it to India, meaning business associate contracts, all that kind of stuff. I don't know that that would change at all. It's only if the Indian company is going to get into the network directly that I think --

>> Don Detmer:

I'm asking a different question. We're saying if we think privacy and security criteria, basic, a lot of people say it's too low a floor. But if we're saying, if you're sending it as a packet, you can't open the packet, that's one thing. But if you're actually opening that envelope and you're looking at the data, wouldn't we, if we're trying to protect -- are we protecting data or are we just protecting the U.S.?

>>

I think in today's world if you do that kind of thing offshore, you're essentially accepting that risk that you might not be able to you're doing it for some business associate relationship that you may not be able to enforce because of the laws in that country. Organizations like us, we decided we aren’t going to allow that to happen in our organization. We won't even allow offshoring to happen because we don't think that's a risk that we want to take, to have somebody even in a legal business relationship that we could push information to them and not be able to enforce them doing what they’re supposed

>> Don Detmer:

I guess what I'm asking is group is this is an exhortation, basically. Do we think it's an exhortation around data or where the data happened to be in a national context?

>> Kirk Nahra:

Don, let me make sure I understand it. I think it's neither. I think that all we're talking about here is we're defining the networks. We're not even talking about

>> Don Detmer:

That's not how I read it.

>> Kirk Nahra:

Okay. Well if where you're going is putting, for example, the word "international" after "nationwide."

>> Don Detmer:

I'm not worried about the galaxies.

>> Kirk Nahra:

But here’s my question. That sentence, to go back to wordsmithing, means a network that operates at a local, state, regional, nationwide, or international level. I don't know -- if we are concerned about health information exchange networks that operate on an international level, we should put that word in. I don't think that's your concern, though.

>> Don Detmer:

That's part of my concern.

>> Kirk Nahra:

That’s part of your concern.

>> Don Detmer:

At least saying the protections, then, cover this. In that context. How I read it.

>> Kirk Nahra:

I don't object to adding the word international if we think that's a relevant possibility. I don't think that gets to a large part of the point that you're raising. I think the other point you're raising is a perfectly fair point. That's why I was saying it's different than this.

>> Don Detmer:

Aren't we -- if we put the word international in here, aren't we saying we recommend the prohibition of offshoring? Because you can't enforce that. Unless you're working with countries that have similar privacy laws to ours and are willing to enforce them, places like India, who are just now beginning to think about those kinds of things, they're only thinking about them because we are pushing back and saying wait, we can't do business with you and trust you because we have no way of enforcing these.

>> Kirk Nahra:

Fair question. There's two ways to deal with that. One is by either not including or dealing with that as a hypothesis. Second is subhypothesis 1 says that for a given participant there may be one or more enforceable mechanisms. So are we saying -- we could add international and still have an enforceable mechanism, say, for example, to be sort of a reverse safe harbor program. The EU has a safe harbor program with the Department of Commerce that allows companies in the United States to essentially get a good enough standard. It would be the reverse of it. Again, I guess I don't have any particular sense from what I've heard that there is going to be some, you know, health information network established in Brussels that people all over the world are going to be turning their medical records into. We're having a hard enough time getting this out of Boston. So it's not clear to me that the international environment

>> Don Detmer:

I guess it’s the word participate is the one that actually is my sticking point relative to hearing reading this and hearing what you say and interpreting it as you say it. Participation is a fairly loose and inclusive word.

>> Kirk Nahra:

Okay. One of the questions that, I was going to raise it later in connection with subhypothesis 3 was the idea of sort of direct participation. Again, my view, just a personal view for what it's worth, is I want anyone that's touching this network, not necessarily touching the data ultimately from the network, because there may be lots of people 10 generations downstream who get that, but I want people who touch this network to all follow the same rules.

>> Don Detmer:

I do, too. That’s what I’m saying. So my reaction is if somebody outside is able to touch it, why wouldn't I be worried about their security levels? We don't have the capacity to enforce this. We're making an exhortation here. We're saying this is what we think should be. Right? And I guess my feeling is that if I think the data are worth protecting, I kind of think they're worth protecting wherever my data may go.

>> Kirk Nahra:

That's exactly the distinction I'm trying to draw. I don't think this goes to everywhere the data might go.

>> Don Detmer:

Because somebody participates as it relates to the data.

>> Kirk Nahra:

No. Somebody who participates in the network.

>> Don Detmer:

If I use the data aren't I participating?

>> Kirk Nahra:

No. That’s exactly the distinction I’m trying to draw.

>> Don Detmer:

I think participation is not the right word.

>> Kirk Nahra:

Let me give you two examples. Let's discuss how we want to treat those. This is an example raised in some of the comments that we got from again, I think it comes up directly in subhypothesis 3.

I am a health insurer. And I put data in and out of this. I'm touching this network every single day. We all agree, first of all that company is probably covered by HIPAA, anyway. But we all agree they should have to follow the level playing field rules. Right?

>> Don Detmer:

I think we agree on what we’re trying to say, we’re just --

>> Kirk Nahra:

Let me finish. I want to give an example.

>> Don Detmer:

I already agree with that. I already agree with that.

>> Kirk Nahra:

Let me give you an example so you can tell me whether you're concerned with my second example or not. That one's easy.

Let's say I'm the health insurer and I go in and I get information about 10 patients that have filed coverage lawsuits against me. So I pulled out Paul's medical, all the information about Paul in there as part of defending a lawsuit that Paul filed against my company. Okay? And I the health insurer hire a law firm to defend that lawsuit. And that law firm receives information from me. They may not even know where it came from but it happens to be information that the health insurance company pulled out of this RHIO. Do you want to have this principle extend to that law firm or not?

>> Don Detmer:

Is it a Canadian law firm?

>> Kirk Nahra:

Wherever it is.

>> Don Detmer:

That's what I'm asking you. If it's a Canadian law firm, I would say yeah.

>> Kirk Nahra:

What if it's a Pittsburgh law firm?

>> Don Detmer:

It's already in this because we said it's national.

>> Kirk Nahra:

I don't agree. That's a fundamental point I want to be very clear on. I don't think that law firm participates in the network at all.

>> Don Detmer:

I think participation is being used in a way that you exclude that and it says that to you. Participation to me says if I touch this thing and actually get data out of it

>> Kirk Nahra:

But the law firm isn't touching the network, that's the point. The health insurer is touching the network. Let me stop there.

>> Don Detmer:

I'm looking at it from a clinician side. Not from a law firm. I'm an Indian doctor and I'm getting these data and I'm getting intersecting them at night with the unit over here to get data back and forth through that network, am I participating in that network as you're defining it? I'm not.

>> Kirk Nahra:

Is anyone else having this issue? I want to know whether this is you're raising this in the context of international, but that's, in my mind, very much sort of a sideshow. We're either going to cover all these downstream recipients or we're not. I hadn't intended to have cover all of the downstream recipients. I know that there are some other folks on the call and in this room who had real concerns about trying to cover those downstream recipients. I used a law firm as one example of a downstream recipient.

>>

I don't know if this will help or not, but I think where you're going with that is that Indian physician, say medical tourism or whatever, could potentially have direct access to a U.S. health information exchange or whatever to swap data. And at that point they wouldn't be downstream, Kirk.

>> Kirk Nahra:

Again, they are okay. Let's use that example. I think that person fits this definition because they are participating in a national or regional or whatever network.

>>

I see what you're saying.

>> Kirk Nahra:

Now, we have a question, which is maybe David's question, as to what we can do if that person violates the rules. And maybe we want to say I don't have a problem if we want to discuss the question of whether we're not going to let people from India, or wherever it is, participate in these networks. That's a fair question. But I think the words of this working hypothesis as written directly cover that Indian doctor accessing the network. I don't think it covers somebody who is sent information that I take out of the network when I'm covered. That's the distinction that I'm trying to draw. Now, again, we could decide to cover all those downstream people, the people that I again, if I'm one of these participants, if I take it out and give it to other people, we can try to cover those other people.

>>

His point, though. I think that if you have an Indian doctor accessing it, it's no longer just a national, but it's now an international network.

>> Don Detmer:

One could say regardless of governmental jurisdiction, and then I don't have to worry about it.

>>

You do get into a little bit of a problem. I see where he's going now. We're talking -- we're actually trying to find a physical location for a network that is in fact likely an Internet-based system that doesn't actually reside.

>>

And it's probably going to thrive because it's an Internet-based system. So the people like DoD and the people like Ford Motor Company and people who have employees all over the world are going to be able to access both here at home and other places the information they need to treat those people abroad.

>>

I know what we meant to do here, which is to capture the local RHIOs, the regional health information systems, the state-based systems, and all the different things that are getting created. But if we have international providers interacting and all of this is taking place in the Internet, which doesn't reside, really, anywhere

>> Kirk Nahra:

We're also using the language that everyone is using right now. A RHIO under that approach, this thing is a RHIO. There is no such thing as a RHIO.

>>

I'm not suggesting you use those words. All I'm saying is I'm now seeing what's happening here is that we have a physical definition of this network that doesn't work so well in a non-physical location.

>> Don Detmer:

Whether I should read it that way, that's the way I read it.

>> Steven Posnack:

Can I make a suggestion that may help?

>> Paul Uhrig:

Can I first?

>> Steven Posnack:

Sure, go ahead, Paul. I yield my time to Paul.

>> Paul Uhrig:

How's it treated today? It's happening today. I mean you have X-rays, in your example, going over. Transcription companies send transcriptions to India. So all of this happens today.

>> Kirk Nahra:

It happens today through a business associate agreement that's meaningless.

>> Paul Uhrig:

So it's in today's world. So what is it about the network that makes us have to do a change, is my question? If it's happening today on our business associate agreement, presumably everybody is comfortable with that. Why is that not equal?

>>

Not everybody is comfortable with that. Some of us won't even do it, because it's left to being a risk-based decision. You can decide that I'm comfortable doing a business associate agreement that I may not be able to enforce. And that's the risk I take of maybe having my information show up on the Internet and being held ransom for it until I'm paid money to get it back. Those kinds of things have happened just in the past six months.

>> Paul Uhrig:

I guess I’m asking a fundamental question, I guess you could say, are we opening up HIPAA again? We don't like the way it was drafted five years ago on this issue. We want to change it and use this as an excuse to change it.

>> Kirk Nahra:

We'll get to that when we get to subhypothesis 3. That's the distinction I was trying to draw between the company who is directly touching the network and the downstream business associate who is doing something because the company asked them to. And --

>>

But what if we just got rid of the geographic modifiers? What would we lose?

>> Kirk Nahra:

Just say participate in an electronic health information --

>> Don Detmer:

Don't have it in there then I don't get hooked.

>> Steven Posnack:

Can I make my suggestion now, maybe?

>>

You yielded your time.

>> Steven Posnack:

I take my time back from Paul now.

[laughter]

>>

He has to yield you the balance.

>> Steven Posnack:

Yield me the balance. So I think we've heard before that the participate word has been up for contention. Other members have made comments about it at other meetings. And to get at Kirk's point about people having direct access to the networks themselves, I would like to suggest -- and I hate to wordsmith this as it's been versioned too many times -- but change participate to directly interact and we can either, and we can get rid of the geographic locators. And that gets at Kirk's point of we're concerned about the people that have a primary pulse into the network. You're concerned about the providers that will query the network and the health plans and whoever else might be directly pulling or pushing data in the network. We're not exactly concerned about someone that is going to pull the data and then give it off to someone else who would probably be a business associate. And we don't want this to exactly cover them.

>> Kirk Nahra:

We've got two issues. Let's treat them distinctly. Let's deal with Don's international point. Are people comfortable deleting the geographic references?

>>

Yes.

>>

Yes.

>> Kirk Nahra:

Is there anyone on the phone who’s not comfortable with that?

>> Don Detmer:

Either that or adding the international reference.

>> Kirk Nahra:

The proposal on the table is to delete the geographic reference.

>>

Yes.

>> Kirk Nahra:

Now, Steve's point is a second point.

>> Steven Posnack:

And I think it gets at the subhypothesis 3 question.

>> Kirk Nahra:

It gets at subhypothesis 3. I think it's really a completely different point. That takes out the word "participate" and puts in what, Steve?

>> Steven Posnack:

Directly interacts. And that's a lot of the wording that you all have been using, anyway. Deven has been using interact.

>> Don Detmer:

It works for me.

>> Kirk Nahra:

So are people comfortable with that change? Is there anyone that's not comfortable with that change?

>> Paul Uhrig:

Well.

>> Kirk Nahra:

Go ahead, Paul.

>> Paul Uhrig:

Very literally, because the network is a -- how do you define the network then? People who interact with it and the network itself. If you just read it literally, people who interact with the network sort of excludes the network, so I think it has to be people who interact with it, by interact I assume you mean connected to it, and the network itself.

>>

Wait a minute. I didn't get the distinction.

>> Kirk Nahra:

We want to make sure the network is covered.

>> Paul Uhrig:

Let's say you consider my company to be the network. So if this just reads the people who interact with the network are covered, you haven't covered me.

>>

I see what you're saying.

>> Kirk Nahra:

We've got to cover Paul.

[laughter]

>> Paul Uhrig:

I'm getting beat up today.

>>

Directly connected to an electronic health information network.

>> Kirk Nahra:

Is he directly connected to the network if he is the network?

>>

No, I wouldn't agree with that. I do like connected rather than interact, I have to admit that. But I still think it's people connected to and the network itself.

>> Kirk Nahra:

Why don't we just

>>

I really like participate. And the reason I did was because I thought that it actually alluded to the fact that you might interact with this network, but you may drop this to paper. And the way we've written this, it's almost a security rule position in that we're only talking about EPHI here. But the risk to the consumer could be that it gets put in this electronic system, but then because the person's participating in the electronic system and they're being made to comply with HIPAA, it would also fall to the paper records, as well, and the paper protection of any outputs from that system.

>> Kirk Nahra:

Let me jump in here. It seems to me we have -- Steve's minor change raises two issues, unfortunately. One is whether participate is a better word than interacts. The second is whether the word directly adds something to either interacts or participates. So let's distinguish. Do we think that the addition of the concept of directly helps us? I guess I think it does. Maybe connected also does that. Connects directly to an electronic? How about that?

Frankly, Steve, I'm not sure I like interacts any better than participate. But I think directly is the key. Again, I want to make sure that that fifth tier downstream person who has no idea where the information came from but is just doing their job isn't wrapped in. But I do want whoever's touching the system to be wrapped in.

>>

Or whoever is the system.

>> Kirk Nahra:

Let's deal with, Paul's issue we can deal with separately and I hope less controversially. Especially since he's volunteering. We need a decision on what the word like participate is -- well, let's take directly. Do we like the idea of directly? Anyone not like the idea of directly? I have to phrase these in a way that I can get, the silence could be taken for something.

>>

I think there will be endless discussion about what types of interaction are direct versus indirect. But I'm fine with leaving it for now.

>> Kirk Nahra:

Leaving it in?

>>

Yes.

>> Kirk Nahra:

Put it this way. I think that's a fair point that we will have questions. I think we have less questions if we add directly than if we leave it out.

>>

Right. I mean we're clearly meaning to confine the universe in some way.

>> Kirk Nahra:

We've got directly. Let's talk about what it is they're going to do directly? I've heard participate. I've heard interact. I've heard connect.

>>

I like connect. Because it strikes me that's speaking to the function we're talking about.

>> Kirk Nahra:

What do people think about that? So we've got directly participate and connect.

>>

I just think participate assumes a larger universe of what you would do with the information.

>>

I think directly helps.

>> Kirk Nahra:

Directly helps on any of those.

>>

I was okay with directly participates.

>>

I just don't want us to define it such that this protection recommendation doesn't fall to the paper outputs of this electronic

>>

I'm okay with that.

>> Kirk Nahra:

Let me throw out a proposal and then get yeas and nays. Do we like participate directly, is that acceptable to people? Let me rephrase that. Is there anyone who objects to participate directly? Anyone on the phone? All right. So participates directly.

>>

Directly participates.

>> Kirk Nahra:

Don't want to directly participates. That would be splitting or -- someone with more grammar knowledge than I have will figure that out.

So let's go back to Paul's point. Should we say just after health information exchange network, something like parens, including the network itself?

>> Paul Uhrig:

I think it defines on how you define network itself. Whether it's single or a person.

>> Kirk Nahra:

However it’s defined, we're just going to say including it.

>>

Quite frankly, if we keep it participating in the network, my concern becomes less because I think you are participating in the network.

>>

That's true.

>> Kirk Nahra:

But it's a fair you asked a fair question. So your view, put aside your company. I mean is a RHIO

[laughter]

is a RHIO covered? As a neutrally looking at this, would a RHIO look at this and say if this says participate directly in a network, does the RHIO say aha, I now have to follow this?

>>

[inaudible]

>> Kirk Nahra:

But Paul was saying if we say participate directly, he thinks that was unnecessary. So that's the question. Are we better off saying specifically including the network? Or do we not need to do that?

>>

What if we said that directly participates or provides network services to an electronic health? Then you captured them.

>> Kirk Nahra:

Or participates directly in or is. How about that? That's the shortest amount of letters we can do.

>> Steven Posnack:

In or is.

>> Kirk Nahra:

Is there anyone who objects to that formulation? Have you ever seen a lawyer come up with a four-letter answer?

[laughter]

People are paid by the word there.

>>

This is going to be a national holiday soon.

>> Kirk Nahra:

Let me try to read what we have here to make sure we have it right. Let me make sure we have the current version right.

All persons and entities comma including consumers comma that participate directly in or is an electronic health information exchange network through which individually identifiable electronic health information is stored, compiled, transmitted, modified, or accessed should be required to meet privacy and security criteria at least equivalent to any relevant HIPAA requirements.

Is that at least an accurate description of what we have now?

Now I'm going to do something, I can't imagine I will do this. But I will ask one question. And this goes back to a point that David made a few minutes ago. Does the word individually identifiable electronic health information, is the word electronic there, is it necessary, or does it help at all? I mean, we've already said that it's an electronic health information exchange network.

>> Steven Posnack:

You mean redundant for the activity that's happening?

>> Kirk Nahra:

Yeah.

>>

Or its outputs. I think participate assumes that from my perspective.

>> Kirk Nahra:

Assumes what?

>>

Assumes that what you're talking about is more than just the universe of the electronic record. If you're interacting with it and you're participating in the system itself, that assumes that you're using it. It might assume that you're printing it out. It might assume you're using outputs. To me, I don't think we need to get more granular than that.

>> Kirk Nahra:

You're okay with taking out electronic?

>>

Yeah.

>> Kirk Nahra:

Anyone object to that? All right. So we will take out that word individually identifiable electronic health information just becomes individually identifiable health information. Any other questions or comments on this opening paragraph of the working hypothesis?

>> Steve Davis:

This is Steve Davis on the phone. I just have a question about or is. It sounds like we have a conflict between the nouns and the

>>

Probably are instead of is.

>> Steve Davis:

Could it be or comprise?

>> Kirk Nahra:

All persons or entities? Or are. That's fine. We'll add extra letters. That's going to be a problem. Because an entity is how about this? Each person or entity. I'm serious. You can't have an entity can't be an are network.

>> Steve Davis:

I suggest saying or comprise an electronic health information exchange network.

>> Kirk Nahra:

Instead of is? Or comprise? Entities comprise? I don't know. That's fine. Everyone okay with that?

>>

Yep.

>> Kirk Nahra:

All right. Any other questions or comments on this working hypothesis?

>>

I have a question. It didn't even occur to me until I read it. It doesn't necessarily mean that we have to change anything. But there is a lot of debate. When we say at least equivalent to relevant HIPAA. We put that in there, as you stated at the outset, in case we later might want to recommend some more stringent standards that apply at the federal level.

There are already more stringent standards than HIPAA that are in place at the state and local level. And what I'm a tiny bit worried about, and I'm not suggesting that we need to change this language, but that we might flesh out in some explanatory report type language that follow it, is that we're not suggesting that everyone be brought down to the HIPAA standard such that more comprehensive or stringent state laws wouldn't apply when they already apply.

>>

I think the fact that we're holding them to the minimum HIPAA as the minimum standard. HIPAA already says if there's a greater standard, you must follow it. So even by doing that, we wouldn't be bringing it

>> Kirk Nahra:

Yeah, I don't see any reasonable interpretation of this word that would allow someone to say, aha, I used to have to follow some tougher state law and this says I don't have to.

>>

Well it doesn't say anybody has to do anything.

>> Kirk Nahra:

Let's say that this is passed as a law like that. I don't see how someone could read that and say, aha, I now get out of doing something that I had to do before.

>>

Okay.

>> Kirk Nahra:

Does anyone I mean I guess you had the question because you had a question.

>>

Also, it comes in the context of a bit of a policy debate that was going on a little bit more rigorously last year but it's likely to come up again, which is and is raised a little bit by the RTI barrier study. This notion that if you have state laws that differ, are we creating barriers to health information exchange? Wouldn't it be easier if everyone was following the exact same standard? Whether it's a high standard

>> Kirk Nahra:

Yes.

[laughter]

>>

Whether it's a high standard or a low standard. And I guess I don't want anybody to interpret this to be some sort of beginning statement or about our intention to create one single standard for everybody. And I don't suggest doing that through a language change here.

>> Kirk Nahra:

So here's how we could play that out. We are going to move, whether it's today or quickly thereafter, to turn these into recommendations. The recommendations go into AHIC with I guess the last one went in with a cover letter. It would certainly be very easy to say in that we don't intend in this recommendation to have any impact whatsoever on any more restrictive state laws.

>>

Sounds good to me.

>> Kirk Nahra:

I think we did that one other -- there was something like that in the earlier recommendation, we don't intend it to do that.

All right. Last opportunity. Any other questions or comments about the working hypothesis itself? All right. Now, sold.

Here is my process question. I would like to turn this working hypothesis into a recommendation that will go to the AHIC. Now, as we commented just a second ago, it will go in the context of a letter. We can turn right now to seeing whether anyone has any problems with this particular wording being a recommendation, or we can move through the subhypothesis. Is there any particular preference at this point? Let me throw out a suggestion. My suggestion would be let's spend a couple of minutes talking about how do we get this into a recommendation. I'm not sure that's even a couple of minutes. It may be a very easy discussion. I think some of the subhypothesis we may have some more substantive debate over. Is that okay with people?

>>

So are we going to try to, after the discussions of the subpoints, make those into recommendations as well that would go into the same recommendation? Or will we see if time allows for that?

>> Kirk Nahra:

The goal I think would be ultimately to have four recommendations covering. One with an A, B, and C. But yeah.

All right. Now let me throw this out. I would like to have this be a recommendation from our group again, my expectation when we started this process was once we got to a consensus on the wording, we would end up with a recommendation. I know there was some question about that and it wasn't clear to me from the individuals who raised it whether the question was not really agreeing with the substance of what we were talking about versus being okay with it as a hypothesis, not being okay with it as a recommendation. So my suggestion, again just to start the discussion, is that this working hypothesis now that we agreed on the wording become our recommendation.

>> Thomas Wilder:

This is Tom Wilder. You're only talking about the hypothesis? Or are you lumping in the subs as well?

>> Kirk Nahra:

We will eventually get to the subs and we'll have discussion as whether we even agree to them as a hypothesis. Right now we're just talking about this I mean, Tom, my sense is we have to, before we can evaluate whether any piece of this becomes a recommendation, we have to agree on the piece. I have no idea whether this group is going to agree to 1, 2, or 3 yet. I'm optimistic we get there. But all we’ve done is agree to the working hypothesis itself. I would like to have that hypothesis become part of our next recommendation, whether it's the only part we agree with or whether there's other pieces attached, I don't know yet.

>>

I agree that the working hypothesis we hammered out today is something that I would like to see go forward as a formal recommendation. I'm not sure that there aren’t other pieces that we'd like to include in the recommendation, like the comment about --

>> Kirk Nahra:

1, 2, and 3 are other pieces that we will talk about as well.

>>

Likewise recognizing that this recommendation doesn't include that whole environment of the downstream.

>> Kirk Nahra:

Well, I think the downstream we're going to cover on number 3, I think. Tom, did my comments get to your question?

>> Thomas Wilder:

Yes.

>> Kirk Nahra:

Okay.

>> Steven Posnack:

Can I ask a process question if we're progressing down the recommendation road, and that affects my workload?

>> Kirk Nahra:

We're trying to make it real easy.

>> Steven Posnack:

I don't have too much to write except for the context now. Would it be the Workgroup's desire to because we have, I think, a timing opportunity now to kick out the main working hypothesis to the AHIC on June 12th. Do we need the other subconcepts just as agreement to be part of that? Or is this standalone enough with context like Deven's suggestions and other suggestions that we can write a small one- to two-page letter and say there will be more work from this. This is only the beginning. Do we want to kick them out as we get them, or do we want to hold them all until September, July?

>> Kirk Nahra:

My view would be that if we get no further today, we should hold it. We should not have that be a freestanding independent with no other pieces. What do people think about that?

>>

Why?

>> Kirk Nahra:

Because I think the other pieces are really important.

>>

Oh, I agree. I guess on the other hand we've criticized about not moving, this is something -- by the way, I would like to see a cover letter. I'm not sure I caught or totally agree with some of that discussion. But I think there is some merit to getting this out and having something out, and a clear business saying this is not the end of it.

>> Kirk Nahra:

Let's hold Steve's question until the end of the day today. It may become moot if we make more progress on the other pieces.

All right. Is there anyone in the room or on the phone who objects to the working hypothesis itself being turned into a recommendation? All right. We now have a consensus on moving this working hypothesis to becoming a recommendation. I think that is a very important step. There are obviously lots of issues in terms of what it means, and Don was talking about exhortation. It doesn't result in anything directly. But I think conceptually this is a very important issue for this discussion.

>> Thomas Wilder:

Kirk, this is Tom Wilder. I did have one, I guess maybe question.

[laughter]

I'm okay with the hypothesis being a recommendation. The anal retentive attorney in me wonders if when we mention the HIPAA requirements, that we actually embed a specific cite to the security and privacy rules. I think everybody knows what we're talking about.

>> Kirk Nahra:

That's fine. I think we'll include again, we can figure out whether that's part of the context or whatever. But that's fine. Just make a note of that, Steve.

All right. Why don't we do this? We were not scheduled to take a break for another 10 minutes. Why don't we break now? It is 3:04. Let's be back ready to go at 3:15?

>> Steven Posnack:

We'll put people on mute.

[break]

>> Kirk Nahra:

All right. We are back on the phone ready to get started. We are going to turn I see no reason not to just go 1, 2, 3.

Let's start with subhypothesis 1. Let me read this for everybody in case anyone doesn't have it. For a given participant, there may be one or more appropriate, quote, enforceable, close quote, mechanisms to ensure privacy and security requirements are met.

What that has been intended to deal with is this goes back to maybe Don's exhortation point, which is our first our working hypothesis is not self-executing in any respect. It's going to require someone to do something somehow. We didn't want to bind sort of the decision-makers down the road as to what the mechanism would be. We didn't want to say this had to be a new law versus it had to be a regulation or versus it had to be something else. We originally had some examples in here which came out because some of them, I thought, were not appropriate. Others were too sort of prescriptive without being very helpful. So this is, I think, in some ways, a very general position. We are going to get when you get to number 3, we're going to deal with what I view as the biggest component of this. And I don't think we have to deal with it in number one, but I want people to think about these together, which is the suggestion that we're working on is that for the people who fit the working hypothesis, again, these are the direct participants. These are not the downstream entities. We don't think a contract, or we're discussing the idea that a contract is not going to be good enough. We want to have the standards applied directly to each of these participants. We're not saying necessarily that it's a law versus it's a regulation versus it's a condition of participation. But that's the idea. So are there any particular comments on subhypothesis 1?

>> Steven Posnack:

Based on the changes that we made to the main hypothesis, do we need to work that wording around the given participant part? Do we need to add --

>> Kirk Nahra:

We still say participate directly. Do you mean covered by the working hypothesis?

>> Steven Posnack:

Does the participant in here include the networks themselves? Now that we've included that --

>>

I think since we've done all that work to try to clarify that in the main working hypothesis, we need to tie these to it.

>> Kirk Nahra:

For any person or entity covered by the working hypothesis.

>>

Yeah, something to tie them back.

>> Kirk Nahra:

Why don’t we say that? That’s clear and explicit.

>>

Do we mean there may be one or there should be one?

>>

Or there will be one.

>> Kirk Nahra:

I don't want to say should. If, for example -- when you look down the road and see what the options are. Obviously passing a law is one possibility. If they pass a law, you don't need something other than the law. You just need the law, right?

>>

But if there's nothing

>> Kirk Nahra:

I'm sorry I'm missing your point. But if there's nothing, what's the purpose of the statement? I see what you're saying. You're working at it from the other direction.

>>

There should be a should. At least one.

>>

I thought that's what we were saying. But it says may. Just an observation.

>>

May is they may choose not to do it at all. No regulation, no nothing.

>> Kirk Nahra:

That's not what it's intended. Let's figure out how to deal with that.

>> Steven Posnack:

This is a changing to a recommendation language thing. I think what the hypothesis was saying before is that we don't know what the mechanism may be. There may be one or more that you can choose. So fortunately now I think if you put in the should or those musts or coulds, then that's pushing it towards the recommendation language, which is fine, which is the direction that we're going in.

>> Kirk Nahra:

Let's get there now.

>> Steven Posnack:

That's what I'm saying.

>> Kirk Nahra:

Again, the point is it's not necessarily one size fits all.

>>

Right.

>>

But there ought to be a size out there I think is what we're saying.

>>

And I think you're giving yourself the flexibility by saying one or more.

>>

Should be one or more.

>> Kirk Nahra:

Do people read this as having a possibility that someone might conclude there's zero?

>>

It may, yes.

>>

I think it's useful if it stays may. What point are we making? We're just sort of observing there might be ways of getting there. We ought to say there ought to be a way, could be any number of ways, but there ought to be at least a way for the people that we are covering here.

>>

I think it should be should or must because otherwise may tells me that they may not choose to do it.

>>

What are we talking about? What is an enforceable mechanism?

>> Kirk Nahra:

We have specifically not said what those are because we don't

>>

Could you just give an example so we have an idea?

>>

Are we talking policies and procedures? Are you talking about laws and regulations? What are you talking about?

>> Kirk Nahra:

My personal view is there needs to be a law or regulation.

>>

So why don't we say that, I guess?

>> Kirk Nahra:

Let me back up a little bit more I don't personally need subhypothesis 1.

>>

Well, I think it adds something in that it says it's not enough to just have the principles, that there ought to be a way of enforcing adherence to the principle.

>>

I do, too.

>> Kirk Nahra:

That's a fair point. That's true. There are a couple of different points being made here. One is that when we talk about should be required in the working hypothesis, we want those to be enforceable. So the enforceability is one point. I do think that's important.

The second point, which I guess I feel less important is one or more means of having it. So I don't know that we're going to have situations where hospital X has to follow a law and a regulation. That would be two enforceable, that would be more than one enforceable means. It may be that a hospital doesn't need anything new because they're covered by HIPAA, but the PHR vendor needs a law. So what do we want to do about this?

>>

Can I ask you another question?

>> Kirk Nahra:

Yes, sir.

>>

Is one of the things that we're trying to say in this is the concept that you mentioned earlier that we have discussed before that entities today who would not be covered entities, we would consider should be covered entities and have the law directly apply to them? Is that one of the concepts?

>>

That's hypothesis 3.

>> Kirk Nahra:

Conceptually, yes, I do agree with that. Again, they're not becoming HIPAA-covered entities because HIPAA covers a lot of things other than participation in these networks. But they should be treated to the standards of a covered entity for this purpose. And subhypothesis 3 says a contract isn't good enough.

>>

So 3 is what gets to that point?

>> Kirk Nahra:

That's my idea. I think that's where that comes in. I want to say that essentially 1 and 3 connect up in the sense that the enforceable mechanisms that are available should not include contracts. Again, that's my view and that's where these subhypotheses are going. We haven't agreed to that yet.

>>

It's almost like we're saying HIPAA really needs to be amended but we don't want to say so explicitly.

>> Kirk Nahra:

I guess I'm not sure that's right.

>>

Or create a new law, that's true.

>> Kirk Nahra:

You could have a new law. Maybe 10 years from now when this program in 2014, I guess, it's going to be HHS runs the world. And in order to participate, you have to agree to the regulation. That's another option. That could happen. Is it? I don't have any idea. I don't think we need to go into that piece.

I mean I guess here's the question. Do we need number 1? I mean the enforceability point is important. Maybe we can just wrap that into 3. I'm not sure this one or more piece frankly -- Steve do you remember

>> Steven Posnack:

Originally we had examples like certification in there.

>> Kirk Nahra:

I didn't like certification.

>>

3 I don't think will cover everything you want to reach here. 3 relates to people who are doing business associate functions.

>> Kirk Nahra:

Fair point.

>>

You can get rid of it by just adding the word enforceable up to our now recommendation.

>> Kirk Nahra:

Fair point.

>>

Should be required and enforceable.

>> Kirk Nahra:

Let me go back. Hang on. Before we go there, let me go back to my question. Subhypothesis 1 makes the enforceable point. I think we all agree with that. Is there any other point in subhypothesis 1 that we want to make sure we keep?

>>

Does enforceable assume that there's going to be regulation or law?

>>

No.

>> Kirk Nahra:

When you read these all together, it might mean it might imply other options, but then we remove the contract option in number 3. So the question is is there something that's regulation or law or something else that's quote enforceable that's not a contract? And I'm not sure about that answer. Does anyone have a thought on what that might a condition of participation might be not a regulation or law but would be enforceable. You get kicked out if you don't

>>

Is the industry regulated?

>> Kirk Nahra:

I don't want that. I took out the idea of certification because I don't think that's good enough.

>>

Instead of using the term enforceable, is industry regulated any better?

>> Kirk Nahra:

No. Because that implies self that implies that people do it themselves.

>> Thomas Wilder:

Yeah. This is Tom Wilder. Let me maybe take another stab at this concept. How I see it as a clear statement that says in order for this recommendation to be effective, there must be some means to enforce its provisions. And then I would put in a parenthetical, e.g. comma law or regulation comma contract provision comma certification requirement, et cetera. I strongly believe it is not up to us to decide what that enforcement mechanism should be because I think it really varies with the circumstance. That's why I've had such a problem with number 3 is I think in some cases having a law or regulation is exactly what you don't need. And I'd be glad to argue that point. But I don't think it's up to us I think we need to make the point that you need to have a way to enforce this. Although there's a part of me that agrees. I'm not sure we even need to say it. I don't think we need to pick and choose as to which mechanism is the best way to enforce.

>> Kirk Nahra:

I don't think we've ever suggested saying the best way.

>> Thomas Wilder:

Well, but you said yourself that you don't think certification should be on the list.

>> Kirk Nahra:

I've been very careful with what I've said, Tom. I don't think we've said what is the best way. I have said, just personal, and we can decide on, some things that I think are not acceptable. My view, which again we can talk about, is I don't think certification is appropriate. And as we get to number 3, I don't think contract alone, again, bearing in mind we still want to talk about that directly point. And I don't know, Tom, that directly point is designed to deal with some of the issues you raised. I don't know whether it deals with all of the issues you raised or not. You raised the law firm example. So I'm not sure about that yet. But I personally don't think a certification is good enough.

>>

So if we were to go back to the earlier suggestion of just taking the word enforceable and interjecting it into our working hypothesis, required to meet enforceability privacy and security criteria at least equivalent to any relevant HIPAA requirements, we're actually tying it right there in the sentence to our expectations that HIPAA would be at least a minimum standard. Then we could eliminate hypothesis 1.

>> Kirk Nahra:

Couple points to that. I agree with that. I think the point you raised and that Tom is raising as to what is enforceable is still an issue but it's an issue in hypothesis 1, as well.

What I'm not sure about is whether there's another point in subhypothesis 1 that we feel is important. There's this idea of one or more that at some point in our discussions was important to people. I've lost why that's important. I don't today think we need that one or more idea to be explicit and spelled out. So I'm not really sure what it means. What are people's thoughts on that? Don?

>> Don Detmer:

Well this isn't quite to that. I'm teetering on whether this could also be covered in the cover letter or whether this is so salient it needs to be a special kind of explanation point. I mean, again, I'm just teetering on it. I could go either way.

>> Kirk Nahra:

I think we want to keep the idea of enforceable.

>>

I think so, too.

>> Kirk Nahra:

We can decide

>>

I would favor some additional verbiage after mechanism. Whether we say certification or not, I don't know about that. But I think policies, procedures, regulations, to say something. Mechanism is just sort of a spring can be a mechanism.

>> Kirk Nahra:

David's suggestion, which I like, is take the word enforceable, put it in the working hypothesis, and get rid of 1.

>>

That's fine.

>> Kirk Nahra:

What do people think about that?

>>

Because what it does is ties it back to our expectation of a minimum standard of the HIPAA privacy and security rules. So at a minimum we come up with an enforceable standard that meets that floor. Then if nothing else comes of it, we at least have that much of it tied to it.

>> Kirk Nahra:

All right. Is there anyone who objects? Steve?

>> Steven Posnack:

Doing that, I have to just bring up a point because I've been working on versions of this throughout the whole time we've been working on it. And we did have enforceable there. And we moved it out and had it explicitly in subhypothesis 1. John Houston, who is not on the call, had a point about having it say enforceable. And he wanted it to say enforced. If you want to move it back to the working hypothesis then I can't represent his position very well, but he wanted it to say enforced. Because if they're enforceable, it didn't connote to him that they were enforced.

>> Kirk Nahra:

I remember that discussion from John. I don't think I mean I think that's a completely different issue that's outside of our --

>>

Does everyone else agree?

>> Kirk Nahra:

Does anyone else think that we need the idea -- that our position here is that unless there's an aggressive law enforcement effort to do this, we don't want to put the words there? That's sort of what John's point is. I think it's an implicit although it may have been ahead of his recent problems with his company. They had some stories in the news, for better or for worse.

>>

Can you read the statement again?

>> Kirk Nahra:

The point is that he thought the word should be enforced standards rather than enforceable. He wanted some idea of I think it's an implicit.

>>

Oh, actionable.

>> Kirk Nahra:

An implicit criticism of how HIPAA has been enforced. HIPAA is clearly enforceable. He was, well that's not good enough. I want it to be actually enforced. I don't think that's our place to deal with that. So my suggestion -- Steve, did you have anything else?

>> Steven Posnack:

That's it.

>>

So how would this read?

>> Kirk Nahra:

-- is that we go back to the recommendation and add the word enforceable before privacy and security criteria and that we then delete subhypothesis 1.

>> Thomas Wilder:

This is Tom again. I guess I'm okay with that as long as people are not assuming that we are saying the HIPAA rule needs to be amended and HHS should be the enforcement authority for all this.

>> Kirk Nahra:

I don't think any part of our discussion on any of these hypotheses have said any of those points.

>> Thomas Wilder:

I don't think we have, either.

>> Kirk Nahra:

Are there any concerns with that suggestion? That is, moving the idea of enforceable to the first recommendation and deleting subhypothesis 1? All right. So that is easy. We've now amended the recommendation. We've eliminated subhypothesis 1.

Let's move on to subhypothesis 2. I'll read it again. For a given participant's role and characteristics, certain privacy and security requirements may be more relevant than others. Example, similar to the treatment of health care clearinghouses under HIPAA, it may not be appropriate for health information exchange to provide privacy notices.

This subhypothesis is designed to essentially expand on the word relevant in the recommendation. The idea is we may decide, again may, because we may say everything applies, but we're essentially leaving ourselves an opening. And it's going to be the subject of part of our June hearing for different companies who play different roles in health information exchange networks to come in and say we don't think we should, for example, a RHIO should not need to provide a privacy notice to everybody whose records happen to pass through the RHIO because the RHIO doesn't have any individual relationship with the patients. That is the idea behind subhypothesis 2. I view it a little bit as a placeholder because I think we're going to, down the road, come to a point where we say this is what's relevant, this is what's not relevant, or everything's relevant. But this is essentially a recognition that it may not be 100 percent of HIPAA. There may be carveouts for particular kinds of entities.

>>

Yeah, I don't think 2 is needed because I think it's already covered when you say relevant. I mean one possible alternative is to say relevant and applicable. But I'm not sure we need 2. I think we need to, as you say, discuss what that may mean in the context of various players but I don't think we need the hypothesis.

>> Kirk Nahra:

Let me piggyback on what Tom is saying. Maybe this is going back to the discussion on subhypothesis 1. When this came up, it was designed to be a placeholder in connection with the word relevant. Maybe we go back to our idea of a cover letter and just say -- when we make this recommendation, we add a paragraph that says we recognize that there may be certain portions of the HIPAA regulatory scheme that aren't directly applicable to certain kinds of institutions. We're cognizant of that issue. We're working through it. We're evaluating whether there are carveouts that should be made. That will be the subject of our next hearing. Maybe we do that and eliminate subhypothesis 2.

>> Lorraine Doo:

Kirk and Steve, you're there, right?

>> Kirk Nahra:

Yes.

>> Lorraine Doo:

Because isn't this issue part of what's been coming up in the merged Consumer Empowerment and Confidentiality Workgroup specific to privacy notices and who needs to do them and what they need to have?

>> Kirk Nahra:

It's similar but not really on point, Lorraine. I mean that group is a little more looking at what should be in a notice, what kinds of things are covered by the notice.

>> Lorraine Doo:

By definition it means who has to send them. Because if not I thought that was part of our discussion last week.

>> Kirk Nahra:

But that's also just an example. And it is an example that is a comparison of something that exists today in the HIPAA privacy rule. So we're not saying anything in this subhypothesis. Again, my suggestion is we're going to get rid of this. But this subhypothesis doesn't say anything about the future state other than we're going to look at whether there are variations. HIPAA today, the HIPAA rules don't make clearinghouses send out privacy notices even though they're covered entities because the people writing this rule recognized that it made no sense for clearinghouses to send out to people because they didn't have individual customers. So that's the only relevance of that example.

>> Deven McGraw:

This is Deven. Consistent with Lorraine's point, I hate this example. I agree that the clearinghouses aren't covered, but the term health information exchange has a lot of different potential applications. And I wouldn't want a statement in here that suggested that we didn't think that an HIE would have to provide a privacy notice. So I'm almost on board with getting rid of this subhypothesis because we may not be able to come up with an example that we all agree on as something that would merit --

>> Kirk Nahra:

If we rewrote, this is a little different point. This is whether we put this in a comment letter or not. But if we said it may not be appropriate for health information exchanges to send privacy notices to everyone whose records pass through the network.

>>

That's better said.

>> Kirk Nahra:

We have a question about whether you have a privacy notice and whether you post it. If John Smith happens to have his records going through a network and a privacy notice shows up at his house from the Massachusetts RHIO, he's going to say what the heck is that? That was the idea of that example, not that they wouldn't have privacy policies.

>>

So I guess as I look at this, I kind of see I mean I would like to get rid of it, too. But at the same time, when I look at the sentence in our working hypothesis, it refers to a relevant HIPAA requirement. I could make the case that I'm not a clearinghouse, I'm not a health care provider, and I'm not a health plan so none of this is relevant to me. And while we've said at least equivalent to any relevant HIPAA requirements, I think we need to say what that means. That we expect HIPAA to apply to those organizations in this instance. Because I could say that it's not relevant to me because I'm not a covered entity. We don't explain that out. We could lose that.

>> Kirk Nahra:

That's a fair point. Let's do two things. I want to talk about the idea of getting rid of subhypothesis 2 and turning it into part of the comment letter.

Second, I want to deal with your point, David, which I think is a fair one. Which we could say -- if we were going to do that, we could say something like our baseline is that all of HIPAA's got to apply to all of these people, everyone covered by the working hypothesis. But we may conclude that there are certain pieces that don't have to apply to certain people. So the baseline is everybody's covered for everything. There is the sort of carveout idea. Your point is a fair one. I've had business associates who signed contracts saying we will follow all applicable laws. and their view is well if I'm not covered, nothing's applicable. It's that idea.

[laughter]

So let's deal with those two points separately.

Do we think that we need again, there was a reason that subhypothesis 2 was here in this idea of the subhypothesis that we've been discussing. We all knew that we'd have to look at the question of are there things, it doesn't make sense to say to a RHIO you have to do A, B, and C. We’re not sure what A, B, and C is, A, B, and C may turn out to be nothing. So it was a placeholder, it served a useful purpose. It's the topic of our June hearing. We already have a Federal Register notice out seeking thoughts from the companies as to where this is relevant. Do we need this as a separate hypothesis?

>>

I think we can cover it in a cover letter. I do think we need to have something that addresses making HIPAA relevant.

>> Kirk Nahra:

I agree with that.

>>

But what we have here in the way this is reading today, I think we could put it in the cover letter.

>> Kirk Nahra:

Is there anyone who thinks subhypothesis 2 needs to be maintained as a separate hypothesis? All right. We will do this. We will delete subhypothesis 2 as a separate idea. We will prepare a paragraph for a recommendation letter that essentially makes at least two points. One is the idea that the baseline is everything is applicable through the hypothesis itself. A recognition that there may, stress the may, be carveouts for certain kinds of entities and we are looking at that issue and come back if there are things that we think should not apply to certain entities. But making David’s point that the baseline is that everything is applicable. Anybody have any concerns with that formulation? Okay. We have all those as notes for doing this through the letter? All right.

Moving right along. We may eliminate Don's earlier question or Steve's earlier question.

Let's talk about subhypothesis 3. I know that hypothesis 3 has generated some questions and concerns. The main thing I want to clarify before I open this up for discussion, the idea of subhypothesis 3 is essentially twofold. One is the idea that, and this relates back to the enforceable question, contracts in and of itself we don't think are good enough. We want something that's more than a contractual standard. But we're also talking about people that are participating directly in this network. We are not talking, we are not intending in this recommendation to cover all of the downstream entities that may be sent, may have dealings with, the information. So we are not proposing to dismantle the HIPAA business associates structure. The example I gave earlier of the law firm who receives information that might have been generated by, through a health information exchange, they're still going to be a business associate. They're still going to have a contract. They're still not going to have any further obligations than that. We're only talking about the people that participate directly in the electronic health information exchange network through the activities that we mentioned above. Those people should have again, as this hypothesis is written, those people should have to follow requirements directly, not through a contract. That's the framework of subhypothesis 3.

So we should talk about two things. One is whether, what people think about that idea. Two is whether the words say the right thing. Let me start with the idea.

>>

Just a quick question. Wouldn't they just fall under the working hypothesis as it is? Because it says all persons and entities?

>> Kirk Nahra:

Right. But we've tried to again, what this states is explicitly a contract's not good enough. So I agree they're covered but we said enforceable and we left open what enforceable means. What we're saying here it ain't a contract, again for those people who are covered by the recommendation above. So, questions, comments? I don't want to call on people. I know there are people that have had concerns about this one. Did the clarification that we've made over the course of the day that I think makes pretty clear that those downstream entities are not who we're talking about, does that eliminate the concerns that people had?

>> Thomas Wilder:

I guess I'm still struggling with why a contract provision isn't good enough.

>> Kirk Nahra:

Here's I guess the point, Tom. You may have the that's a perfectly appropriate viewpoint. And we should decide whether other people have that viewpoint. I personally, when we say level playing field, I mean let's use the example of a RHIO. I mean a RHIO, one of the reasons that I think we're having these discussions is that RHIOs, under the HIPAA structure today, are business associates to everybody. And that the business associate contract in that setting provides no real enforceability on the RHIO because nobody can fire them. Nobody can terminate them. Nobody can take action against them. So that there really isn't any particular obligation imposed upon the RHIO. I personally don't think that's a good enough structure. I think that one of the problems we see in this environment, and one of the reasons we're going to have the discussion in June about whether maybe even HIPAA isn't good enough is that the business associate model flips on its head in a RHIO environment. The RHIO runs the show, not the covered entity running the show. So that's why my view is that a contract isn't good enough and it's not a level playing field. If I have the ability to go to jail and all you have is the ability to get the contract terminated, particularly when there's no realistic mechanism to even do that, I don't think that's a level playing field. So that's my view, which I know is shared by some of the Workgroup members, we have to decide if it's shared by enough of the Workgroup members, as to why a contract isn't good enough. Again, for the people who are directly in there, not the downstream people.

>>

I'm sorry. Taking that a step further, directly involved in the network, to me, just trying to figure out how this might play out realistically, these would be entities that would have a contract with the network provider, in a sense. And that could become pretty onerous to a network -- I don't think a network provider would want to do that. I think a network provider would rather have the standards set across and have people responsible and tied in.

>>

Well not only that, then you have these essentially new covered entities by virtue of the fact that we're stretching this over to

>> Kirk Nahra:

New entities covered by whatever rules are going to apply here. They're not becoming HIPAAcovered entities.

>>

Correct. But these new entities that have these expectations are then going to have to manage the business associate relationship, if you had those in place. And honestly, I'm not even sure that covered entities under HIPAA today are doing a really good job of managing their business associate capabilities of accounting for disclosures or reasonable safeguards or technical safeguards around data as it is. I'm inclined to agree with Kirk that if we have an opportunity to make a statement here, let's make a strong statement that we believe that a contract is not strong enough.

>> Kirk Nahra:

I'm glad you're agreeing. I think this provision deals with half of your problem. It doesn’t deal with the fact that RHIOs might still have business associates downstream that they won’t do a good job policing, but again, that’s the level playing field. If they don’t have to do it, then we’re talking about subcontractors and all the other things I think we all -- not we all. I certainly view today that each level downstream the protections decrease, just because the oversight and the people care less and have no relationship and it gets, the further you get away from the covered entity, again, not zero protection because of the business associate contract, but in general, the protection gets weaker. We’re still going to have that issue, but at least starting everybody at the same place.

>>

Right. But I think this does a good job of sort of matching the obligation to the magnitude of the risk and it strikes me as a reasonable approach.

>>

Well the other thing too, is that we said if they’re directly related, you could be a sub of a sub of a sub, and if you’re directly related to the network, you’d still have this apply to you. So I think that’s actually a little bit different than the infrastructure we have today, with the HIPAA business associate relationship. It’s actually stronger.

>>

I guess, Kirk, maybe part of the problem is I’m still not understanding how this work and so let me just give you an example, and maybe you can help me out, again, maybe my opposition is because I’m not, I’m just having a hard time putting the pieces together. Let’s say I’m a dentist, and I’m not a HIPAA-covered entity because I don’t engage in any of the HIPAA electronic health care transactions. But I agree that I’m going to be, I want to be part of this RHIO, and I may want to send some information to a patient through a RHIO or to the hospital through a RHIO. So you’re saying that there should, that my contract with the RHIO that says I’ve got to use the rules, I’ve got to not disclose any of this information, that’s not enough, that there’s got to be something more than that.

>> Kirk Nahra:

Right. I want that doctor, that dentist, to follow the same rules that a covered entity follows, that the RHIO follows, I don’t want them to have any --

>>

Well, they’ve got to follow the rules, it’s just if they don’t follow the rules, the contract lays out what the penalties are.

>> Kirk Nahra:

My view is that that’s not a level playing field. It puts that dentist on a -- I don’t know if it’s a better, I don’t know if the word is better, but that dentist has fewer things to worry about than the people who are covered by these rules. I think that means again, we can look at the HIPAA experience and debate how good a job business associates do. But I think it's fair to say that business associates are not worried maybe no one is worried about OCR or DOJ, but business associates are certainly worried about them less. Their worry is zero.

>>

So you're saying that it's not that a I'll use another example. A doctor who is a covered entity, they've got more of a hammer over them because they've got to worry about a possible civil penalty or a criminal penalty because they're a HIPAAcovered entity?

>> Kirk Nahra:

Yes, I think so.

>>

So you are saying, then, this doctor who is going back to the dentist, that there should be some law that establishes civil and criminal penalties for their relationship with the RHIO?

>> Kirk Nahra:

I don't know whether I like this idea of tying it to a relationship to the RHIO necessarily. It’s that dentist is participating in a health information exchange network --

>>

Right.

>> Kirk Nahra:

-- and we think the playing field should be the same for everybody participating in that. And that the standard should be at least a HIPAA standard.

>>

And we’ve already said that we believe it should be something that should be enforceable.

>>

Well, we have, but again --

>> Kirk Nahra:

Tom's point, if I may paraphrase, Tom, is that you think enforceable can include that contract between the dentist and the RHIO.

>> Thomas Wilder:

Absolutely.

>>

But it doesn't really give the consumer any rights under that arrangement.

>> Kirk Nahra:

I'm not sure how many rights the consumer has now, either. The right to complain.

>>

They have the right to complain. They have the right to, notwithstanding

>>

Changes

>>

Agency might not enforce it. You can then call up your Congressman. There are things that you can do. You have no right if you are you're not even a thirdparty beneficiary, arguably.

>> Kirk Nahra:

I'm not sure you can call your Congressman the same way.

>>

To get the law changed.

>> Kirk Nahra:

Let me ask this. Tom, do you, you had some questions about whether you were understanding what the hypothesis was saying. Do you feel you understand it right?

>> Thomas Wilder:

Yes.

>> Kirk Nahra:

You just don't agree with it.

>> Thomas Wilder:

I just don't agree with it.

>> Kirk Nahra:

Are there other people that share Tom's views on that? Let’s be real clear about that. Are there other people on the phone who would like to see contracts preserved as the means of enforcing these standards?

>>

Not here.

>>

I guess to direct participants.

>> Kirk Nahra:

Yeah. Now, Tom, one of the examples you would use in one of the e-mails you sent us mentioned that law firm example. Are you comfortable with that part, that we're not reaching those people?

>> Thomas Wilder:

Yes.

>> Kirk Nahra:

So your concern is still some of these direct participants, you think that a contract with the RHIO is good enough?

>> Thomas Wilder:

Yes.

>> Kirk Nahra:

Now we're in a place now, let me ask for a last time, is there anyone here that shares that view at this point? All right. Now we had in one of our earliest discussions the idea of consensus and various things like that. We haven't had to use that very often. We had a debate. We made clear that consensus didn't mean majority plus one. It didn't mean 51 percent. Are we comfortable as a group that everyone minus one is sufficient to make a recommendation move forward? Is there anyone who objects to that?

>>

I'd like to hear from the minus one.

[laughter]

>>

I think probably that has to be noted. I guess that's what we did on Consumer Empowerment.

>> Kirk Nahra:

There's two things. We can note, well, Tom, this will be your call, and we'll obviously make sure that -- there's obviously people that are not on the call today. We'll make sure there’s no one else. You have three options available to you, it seems to me. One is that this doesn't say we don't say anything about this. Two is we note your objection in the recommendation. Three is you can write a dissenting view.

>> Thomas Wilder:

I'm comfortable if you just note my objection.

>> Kirk Nahra:

Why don't we write, we’ll write the recommendation letter, we will note that. You're welcome to do a dissenting view if you decide you want to do one. And we should talk when the recommendation letter comes through, maybe there will be some other if your views change, certainly let us know. All right, Steve, did you have something?

>> Steven Posnack:

I was just going to say, Tom, I think I can work with you on a paragraph that we can put at the end in the context of the recommendation.

>> Thomas Wilder:

Sure.

>> Paul Uhrig:

Because I absolutely agree with content. But what I’m beginning to struggle with, if somebody would ask me what does it mean to directly participate? I'm not sure I now have a good answer for that. And it seems like a lot is now hinging on that definition. So as much as I hate to revisit the recommendation, can someone help me with what that means?

>> Kirk Nahra:

They're going in and getting stuff. They’re putting it in directly, they’re taking it out directly.

>> Paul Uhrig:

But it gets into, again, what is the network? Because we now say it's a network of networks.

>> Kirk Nahra:

Tom's dentist was directly participating. He was putting stuff in, taking stuff out. His contractor, who does his books now let me give two options. If he hires someone to come in and do his books and he's going through all the stuff that the dentist is putting through the network to get all the claims data, that person is not directly participating. If the dentist says I want you to do my books and I need you to go into the network and get all the claims information yourself so that you can figure it out, then I think they're directly participating. I just don't know why anyone would that doesn't strike me as what people do.

>>

But you're setting a minimum standard like HIPAA, then you will have that business associate provision for those instances where they're not directly, but they will still have that binding contract. It’s just going to be further down the line.

>> Kirk Nahra:

I suppose, Tom, in your example, we hope that the RHIO I mean, I don't think the dentist is a business associate to the RHIO. So we hope that the RHIO does a good enough job in its contract that it imposes obligations on the dentist to do all those things with his vendors. But we don't really know in that situation, because that contract is not subject to any laws right now. So that would be a potential weakness in the contract theory is the RHIO doesn't even have they could write a contract that says don't be a bad boy. Now, again, we hope they wouldn't. But those contracts are just business dealings. They are not, at this point, regulatory dealings. Does that help you at all, Paul?

I mean again my sense of participate directly, we talked about that word connect. They're touching the system. They're putting data in, they're taking data out.

>> Paul Uhrig:

My point is the system in my mind is not a welldefined thing. It's a RHIO. There are some people that think in a couple years there will be no RHIO, it will be something else. So this needs to be broad enough so that it can be adapted to different situations and not sort of this the network. Because the network could end up being many, many different things.

>> Kirk Nahra:

Let me propose two ways to deal with your point. One is we try to wordsmith is. Two is we address that in the cover letter. We say essentially as these networks evolve, we may need to do some more work on defining participation in particular contexts. Are there any examples that you can think of today, situations today, where we would have confusion about that? I don't know the answer to that. I don't know enough about the details. Maybe we can

>> Paul Uhrig:

If our whole conversation has been premised on that it has to be part of a RHIO, then, yes, I think there's lots of people who touch the system but don't have a direct connection to a RHIO.

>> Kirk Nahra:

What is an example?

>> Paul Uhrig:

I hate to use me again, but if a PHR wants to connect to the pharmacy health information exchange, does that fall within your definition? It is not a RHIO. We're not a RHIO.

>> Kirk Nahra:

You're an electronic health information exchange network. That's how the recommendation works. What do you think about trying to deal with that in a -- we're defining all these things obviously in a moving environment. Does it make sense to at least raise and identify that issue? I'm just worried that we discussed a variety of other options for that word participate. We ended up with participate. I'm happy to revisit that. I'm just not sure any of the other ones are good enough to anticipate all the future, all the possible ways that these things might look in the future. And I don't want this to become a means of preventing us from having this happen.

>>

I also think that we have sort of migrated to a more narrow scope in the discussion to RHIOs and that's not what the recommendation is.

>>

Exactly.

>> Kirk Nahra:

That's an example but it's not

>>

That's not what we're recommending. It's much broader than that. We just happen to have migrated down to that.

>> Kirk Nahra:

Let me ask you, Paul. We could not deal with it at all, we could try to wordsmith it, or we could include it in the cover letter.

>> Paul Uhrig:

I would not want to include in the cover letter that as networks evolve we have to revisit this. That I would not be in favor of, because I'm in favor of trying to get something that will work in the future, not revisit it.

>> Kirk Nahra:

What if it’s more openended? There may become environments where -- we're talking about a theoretical possibility now, I think, rather than something that's current. Unless people have examples that they think are current.

>>

Paul, given the reset of our perspective, that is broader than RHIOs, do you even have a problem?

>> Paul Uhrig:

The lawyer in me is coming out. However this is going to be implemented, someone will ask the question what's the difference between direct and indirect participation? I don't have a very good feel for that. Not good enough to answer it.

>> Kirk Nahra:

Let me explain what I understand that answer to be. The goal of our recommendation is to avoid you could state it positively or negatively. I wanted to avoid covering all those downstream people. All those people who are not, not the one who is getting information from the network. But, again, the traditional business associate model. I don't want to cover those.

So when some people had raised concerns about different pieces of this, we came up with the idea of directly to emphasize that if I'm a fifth tier downstream recipient, I'm not participating directly in the network. We can accept that. I think people will understand that. There may be examples that you're talking about where it's not as clear. And so that's the piece. I'm not sure that's a maybe or an is.

>>

Can we define direct in the cover letter what our intentions are? What we intend direct to mean is, and then define it.

>> Kirk Nahra:

That's fine.

>> Steven Posnack:

Yeah, this is Steve. I was going to offer that up because you're reading my mind. I think the electronic health information exchange network is an abstract enough concept that it encompasses all types of different technologies into the future. Trying to get a concise meaning of what we mean by directly would probably be helpful in the letter. That may help assuage some interpretation concerns.

>>

What he said.

[laughter]

>> Kirk Nahra:

All right. With that said, are we good for this piece of discussion today? We are going to prepare a recommendation letter? Steve, what's your question?

>> Steven Posnack:

I think we agreed in concept. But on 3 we haven't agreed on language.

>> Kirk Nahra:

That's a fair point. Well I guess I have a couple points. One is we want to make sure that subhypothesis 3 tracks the changes we made to the hypothesis. So we’re going to say participate directly and things like that. Are there any other wording questions?

>>

Yeah, I have one. On the third line where it says and not through contractual arrangements. We don't mean to imply that they shouldn't

>> Kirk Nahra:

Not only through.

>>

I was going to say not solely through.

>> Kirk Nahra:

Solely, that’s fine. That's a fair point. Any other comments or questions on what's in subhypothesis 3?

>> Steven Posnack:

This will be -- so the working hypothesis is recommendation 1. This will be 1.1?

>> Kirk Nahra:

A two paragraph recommendation.

>> Steven Posnack:

I’m not going to say make a two paragraph recommendation. I'm saying this is a separate recommendation?

>>

I think it's just a subset.

>> Kirk Nahra:

It's sort of becoming all connected. I'm not sure we have to break it out as a separate idea.

>>

Yeah. Because the paragraph at the bottom of that one.

>> Steven Posnack:

So a two paragraph recommendation.

>> Kirk Nahra:

Or two recommendations, I don't care. We came out with originally these subs were sort of open issues resulting from number 1. If all we have is one of them left, I don't feel that we need to break it out like that.

>>

I think we should talk about whether we're going to indent or not.

[laughter]

>> Kirk Nahra:

And I'm a big fan of right justification.

Putting aside those important issues. Do we have other questions or comments about the wording to number 3? Is there anybody who objects to the wording of number 3? Tom, recognizing that your objection is continuing until you tell us otherwise.

>>

Addition of the word solely?

>> Steven Posnack:

We'll add solely and directly and some other modifications to make it consistent with the main hypothesis.

>> Kirk Nahra:

Right. All right. That is all we have on these points today. I think to go back to the earlier discussion, the June 12th is the AHIC meeting or is when the deadline is? What's the deadline going to be?

>> Judy Sparrow:

Oh, boy, the deadline.

>> Steven Posnack:

It would be a week before, probably.

>> Judy Sparrow:

June 5th.

>> Kirk Nahra:

That will be tight at this point. But we should move to get this done as quickly as we can do it and have it done effectively. I don't want to have an artificial deadline just to race it through. I'm actually not here on the 12th for that meeting. I'm not sure we could present it then anyway.

>>

Aren't we terribly close? I think the hard work is done.

>> Kirk Nahra:

Let's try. But I want to get it right. I suspect we will have discussion on the letter, just given put it this way. I think we should note the points we've raised today in the letter. I don't think we need to add a lot of embellishment to that. It may be a twopage letter. Not a one paragraph, and it's not a tenpage letter.

>> Steven Posnack:

More than two pages, I can say that much.

>> Kirk Nahra:

Or three or four.

>> Steven Posnack:

I'm not talking about the length, the content.

>> Kirk Nahra:

I think mainly what we've done today for the letter is to add points where we know there's additional future work to be done.

>>

Need for clarification.

>> Kirk Nahra:

Or we're going to have to deal with something. I think if we waited to a point where we answered all of those questions, we'd be five years from now. 2009.

>> Paul Uhrig:

I think this letter, we’d all like to review it. Someone asked for it beforehand. I'm expecting we'll all have our editorial comments.

>> Kirk Nahra:

Steve, we have a goal of doing that. That will mainly fall on you. So it's a question of how quickly we can do that.

>>

Participate, or directly participate?

>>

You will directly participate.

>> Judy Sparrow:

Maybe you could have a short business call.

>> Steven Posnack:

Okay, so FACA requirements included, we may need to have approval of the letter at a subsequent meeting.

>>

[inaudible]

>> Steven Posnack:

Well, we had gotten far enough along that it was just a small bit of word changing here and there. We'll have to evaluate what we've got. We could also have a one-hour call if need be. We’ve gotten close.

>> Kirk Nahra:

We'll figure that out. Okay. Let's move on. We don't have a lot of extra time. So let's talk quickly about planning for the next meeting. It seems to me that one of the goals we had today was to evaluate whether there were points in connection with the working hypothesis where we needed additional factual information. I think we are at a point where we do not need that right now. So we are not going to have testimony related specifically to the points that we've just agreed are our recommendations.

The topics that we are going to look at in June include two main ideas at this point. And, Steve, if I'm getting these wrong, correct me, but we're talking about hearing testimony on two topics. One is what we sort of called the relevance idea with the hypothesis, which is what parts of HIPAA might not be applicable to certain kinds of entities? So we're going to bring in some of the different kind of entities to talk about which pieces are relevant and which pieces might not be relevant.

The second topic is going to move onto really our next big picture issue, which is a working hypothesis and recommendation talking about meeting at least HIPAA, we're going to start the discussion of whether there should be something more than HIPAA. And we are going to look at that not in the context of whether HIPAA is good or bad, but look at it in the context of is this electronic health information exchange environment different in such a way that something other than HIPAA is appropriate? So what we are trying to focus on are the differences between the kinds of things applicable to HIPAA and this environment. We are not planning, certainly for this hearing, may come at some future time, although it may not, we are not bringing in people who say HIPAA is a bad rule. That's not the idea of these hearings. This hearing is designed to focus on what's different about this arrangement? Do we need different kinds of standards because HIPAA doesn't fit well? HIPAA doesn't cover the right kinds of things, et cetera? So that is the idea for the June hearing. Do I have that right?

>> Steven Posnack:

You've had enough practice, telling me.

>> Kirk Nahra:

We are currently looking at having two panels on each topic. Steve and others are working on people, and maybe --

>> Steven Posnack:

I would say right now it's this week and next week, in addition to writing our new recommendation letter, is going to be a hot week to get any recommendation from members in terms of, I think we agreed at the last meeting that we wanted to focus on the non-covered entities realm. So we can try and pull a different health information exchange to talk about the relevancy issue. Another PHR provider.

>> Kirk Nahra:

I think non-covered entities for relevancy part. It may not be for the other piece.

>> Steven Posnack:

For the other piece, in terms of the differences, any suggestions of folks you may want to hear from would be great.

>>

Are there people you've already lined up and we're looking to fill gaps or is it wide open?

>> Steven Posnack:

Wide open. We've got some ideas but we haven't

>> Kirk Nahra:

The other thing is we did, there is a Federal Register notice out asking for written testimony on some differences ideas. We may find that we can do a lot of this through written testimony. We may find that some of the people I don't remember what the deadline on it.

>> Steven Posnack:

For anyone listening on the web it's the June 22nd CPS Federal Register notice. I don't remember the exact date it was published. We'll send it out to the listserv.

>> Judy Sparrow:

It did go out to the listserv.

>> Steven Posnack:

It did go out to the listserv. Okay.

>> Kirk Nahra:

My question is when was the due date for comments?

>> Steven Posnack:

June 4th.

>> Kirk Nahra:

Those comments are due early enough that we may look at them and say, hey, here is someone we want to come in and have testify as well. That will be an additional source.

>>

Is the relevance discussion going to include how applicable this might be from a standpoint of HIPAA regulations having been defined specifically for health care organizations and built around their business practices and their business models, and we try to apply some of these standards to non-health care organizations that are fitting themselves into the health care space. It may be almost impossible, because some of the applicable authorities and things that are built into HIPAA may not give them the bandwidth to do their business.

>> Kirk Nahra:

Let me ask you. Let me follow-up on this. That's a perfectly appropriate topic. I guess I'm not sure if that's topic 1 or topic 2. It very well may be topic 2 which is HIPAA isn't really a good fit here. So I guess I'd be interested in who do you got in mind? Who would fit? That kind of thing. But I think conceptually that again, one of I'll give you a little bit of a personal bias. This is purely just my own opinion about just watching these things is that I'm not sure that a lot of the components of health information exchange are really all that different from HIPAA now. We've made decisions on consent versus non-consent and things like that. I'm not sure that it's all that much different. With that said, there are clearly parts of this environment that don't fit very well. The business associate model I don't think fits very well. Individual rights I don't think fits very well, because it's sort of hard to figure out who is responsible for different things and who is policing who and that kind of stuff. You may be raising another piece of why HIPAA doesn't fit very well. And if what we come out with is ten reasons why HIPAA doesn't fit very well, that may lead to a conclusion that we need something other than HIPAA. We'll say presumably higher than HIPAA. We will not go lower than that. But that may be a perfectly good reason to have something different than HIPAA. So that's exactly what we're trying to look at in the course of this next hearing as one of the two topics for the next hearing. We're not going to finish that topic in the next hearing. That may end up being the single most significant issue that this Workgroup is going to deal with is do we recommend meeting HIPAA or do we recommend meeting something above that? Again, that's a very big deal issue. And absolutely open in all directions.

>>

When we're talking about making a recommendation to apply this to organizations that are not covered entities, it may very well be that they couldn't comply with some of the components of HIPAA, not that they wouldn't be applicable. But in their business model, they couldn't

>> Kirk Nahra:

You're raising a very good point that I don't think we it works, but we were seeing these as two completely distinct topics. You're bringing up a point why these are sort of blended topics. That's good and that's useful. But we would certainly be interested I mean if you've got people or categories or something that fit what you were talking about, that would be a perfect type of person to come testify. Again, we can put them on either panel. It may be that we don't draw the lines as darkly as we thought we were going to draw them.

>>

I’m thinking about non-covered entities in both VA and DOD that struggle with this all the time.

>> Kirk Nahra:

For example, Tom's dentist before is a non-covered entity through the accident of not doing electronic billing, I don't have any - that person can do everything that a covered dentist can do. I need something more than that. You're talking about a what that’s a non-covered entity?

>>

Like public health programs that are mandated by state law are not covered entities. But immunization data, newborn screening data, genetic testing data can all be dumped into EHRs for everybody without

>> Kirk Nahra:

Perfect example. That's what we need. We need examples like that so that we can think about all right, we’re not going to get every public health program, can we get somebody to come in and testify who’s a --

>>

You don't want every public health program?

[laughter]

>> Kirk Nahra:

And we don't know whether there are 10 other things that are sort of like that.

>>

Exactly my point.

>> Kirk Nahra:

That's what I mean. We need to know what examples of that specifically. That's better than where we are now. The best one would be to say John Smith at this program in this state. I'm not expecting to get that. So that is the idea for the June hearing, which is going to be a testimony hearing. Again, I recognize that travel and everything, if people are here, that one will be more important to be here in person for. It's not that you can't listen on the phone. It's just that obviously we do have questions and answers. I thought the in-person hearing we had a couple weeks ago was very useful and very effective. Was anyone in the room on the phone for that hearing?

>> Sylvia Au:

I was.

>> Kirk Nahra:

I know we had some problems. We had some technology problems, but other than that

>> Sylvia Au:

Your next meeting starts at 4 a.m. Hawaii time. So that would be my main concern.

>> Kirk Nahra:

Well, that’s why we wanted you here. I guess what I was looking for is how important was it to be here? Did you get the sense you were able to participate and hear things?

>>

I do a lot of meetings through conference calls. It's more difficult when you're having testimony. This kind of meeting like today is much easier doing on the phone.

>> Kirk Nahra:

So again, if people listen, I'm down the street so this is easy for me to say. If you're going to pick and choose, this is one to put on your higher priority list. Obviously people can participate through the phone if they need to. But if you're debating which ones to do, these testimony hearings are important.

All right. So I encourage anybody who's got thoughts on either this sort of what's different idea, what's different about HIPAA in the future or the relevance point, or both, please get them in to Steve as quickly as we can.

What do you want to do with that?

>> Steven Posnack:

Do you want to talk, walk through it a little bit?

>> Kirk Nahra:

Let me just mention this. There is an attachment for people at the end of the package for people in the room. It was distributed to the Workgroup members.

>> Steven Posnack:

It is online, as well.

>> Kirk Nahra:

It's a two-page chart. Not really a title, but up at the top it says for Workgroup consideration and discussion. It's a chart that says HIPAA Privacy Rule, Health Care Provider, Health Plan & Group Health Plan across the top. This was the start of an effort to sort of look at the relevance idea as it's currently set up in the HIPAA rule. The HIPAA rule draws some of the distinctions we're talking about. Despite the fact that there are three categories of covered entities, not all covered entities in all circumstances have to follow all of the rules. So this was an effort to look at some of the situations, even under the HIPAA rule itself, where lines are drawn between categories of covered entities. Again, I think that the health care clearinghouse is the easiest one to get a handle on. The HIPAA rule does not impose privacy notice obligations, again, dissemination of privacy notice obligations on a clearinghouse because they don't have individual customers. That's one that, again, at least in my mind, I can get a handle on that. I can understand why they made that rule. That's a perfectly appropriate distinction.

I encourage people to take a look at this. It's really just a start. Again, just to sort of get you thinking about the kinds of things that we're going to be talking about in our first one or two panels in June. It's the idea of relevance. The word that's in our recommendation where we're saying we want everybody to meet the level playing field, but there may be some rules that just don't make sense for particular entities. To David's point earlier, again, we're talking about following everything with potential carve-outs rather than building the other way up. So everybody's got to follow all of these rules unless we come to some conclusions that there are particular pieces that we are going to carve out. Steve, anything else you want to say about that at this point?

>> Steven Posnack:

I think that's it. I hope we didn't get anything wrong and people are not too angry at us.

>>

Are we going to do one of these for the security rule or just privacy?

>> Kirk Nahra:

These are just examples. We wanted to get people thinking about how this works today so that we can translate it. This is set in stone. This is the HIPAA rule. We are not changing it.

>>

It's the HIPAA privacy rule.

>> Kirk Nahra:

This is the existing HIPAA. We're not amending HIPAA. We just want to be able to think about this as we look at some of the entities that are in the health information

>>

But her point, these are the privacy rule pieces, and security rule pieces need to be applicable, too. Because our recommendations

>> Kirk Nahra:

I agree. This is just examples of how this would look. This is a very preliminary partial analysis. Anything else we need to do on planning for next meeting?

>> Steven Posnack:

Public comment?

>> Kirk Nahra:

Before we get to that. We’ll do public comment in a minute. Anything else on planning for the next meeting? I think we're in good shape on that.

All right. Do we want to set up the public comment quickly? If people have comments, the number is posted on the Web at this point. We will take a couple minutes and then let’s open that up for comment.

Just for people in the Workgroup, the main assignment is give some thought to whether you have suggestions of whether it's people, categories, companies, businesses, whatever, for Steve. We will try to turn the recommendation letter around promptly without we all know how precise a word that is. Ideal would be to try to have something ready for the AHIC. But we'll do that if we can.

Want to open up?

>> Matt McCoy:

Nobody has dialed in yet. Maybe we could give it another 30, 40 seconds?

>> Kirk Nahra:

Okay. Anything else, people in the room want to say before we give our public comment a last minute? How about anybody of our Workgroup on the phone? Any other comments? All right, Matt, any?

>> Matt McCoy:

Nope. Nobody on the phone today.

>> Kirk Nahra:

Do we have any public in the room? I don't think we do. All right. I know people would like to stay until 5:00 when our meeting's ending. Steve's hosting happy hour. Other than that, thank you very much for your participation today and we will speak with you shortly. Thank you.