American Health Information Community

Confidentiality, Privacy, and Security Workgroup Meeting #11

Friday, June 22, 2007

Disclaimer

The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

>> Judy Sparrow:

Welcome everybody to the 11th meeting of the Confidentiality, Privacy, and Security Workgroup. Just a reminder that we’re operating under the auspices of FACA, the meeting is open to the public, transcripts and materials are available on the ONC Website. And at the conclusion of the meeting, there will be an opportunity for the public to make comments. Also, let me just remind the members to please identify yourselves before you speak. And let's begin with introducing the members who are on the telephone and then we'll go around the room here.

>> Jennifer Macellaro:

On the phone today it looks like we have Marilyn Zigmund-Luke sitting in for Thomas Wilder of America's Health Insurance Plans, Deborah Parris in for Flora Terrell Hamilton for Family and Medical Counseling Service and Martin Prahl from the Social Security Administration. Did I miss anyone on the phone? Okay.

>> Judy Sparrow:

Here in the room we have, beginning on my right, Sue.

>> Susan McAndrew:

This is Susan McAndrew, Office for Civil Rights.

>> Vicky Brennan:

Vicky Brennan, TMA Privacy Office, DOD, sitting in for Sam Jenkins.

>> Elizabeth Holland:

Elizabeth Holland, Centers for Medicare and Medicaid Services. I’m sitting in for Tony Trenkle.

>> Rachel Nosowsky:

Rachel Nosowsky, University of Michigan, working with NCI, caBIG.

>> Christopher Sullivan:

Christopher Sullivan with the Florida Agency for Health Care Administration and the Florida Center for Health Information and Policy Analysis.

>> Jim Hansen:

Jim Hansen, with the information and health exchange entity, Healthe Mid America, in Kansas City.

>> Lory Wood:

Lory Wood with Good Health Network.

>> Cassi Birnbaum:

Cassi Birnbaum, director of health information from Rady Children's Hospital in San Diego, California.

>> Viki Prescott:

Viki Prescott, representing Regenstrief Institute in Indiana.

>> Kirk Nahra:

Kirk Nahra with Wiley Rein here in Washington.

>> Steve Posnack:

Steven Posnack, Office of the National Coordinator.

>> Alison Rein:

Alison Rein with AcademyHealth.

>> Steve Davis:

Steven Davis, Oklahoma Department of Mental Health and Substance Abuse Services.

>> Jill Callahan Dennis:

Jill Dennis, AHIMA.

>> Sylvia Au:

Sylvia Au, Hawaii Department of Health genetics program.

>> David McDaniel:

David McDaniel, Department of Veterans Affairs, Veterans Health Administration.

>> Paul Uhrig:

Paul Uhrig with SureScripts.

>> Deven McGraw:

Deven McGraw, National Partnership for Women and Families.

>> Judy Sparrow:

Great. Thank you all, and let’s turn it over to Kirk Nahra, the chair.

>> Kirk Nahra:

Thank you everybody. Welcome to, I guess, our 11th meeting. I didn't realize we were in our second set of ten. We have a lot to cover today. I think we're going to have a very interesting day. We're focusing our testimony on two specific topics I'll get to a little later when we introduce our panelists. I think we're going to have an interesting and educational day that will help us continue to make some progress on our recommendations.

Let me just start with pointing the Workgroup members to the summary of the May 17th meeting which at least the people in the room have in front of them. I assume, do people have it on the phone? Are there any questions or comments on that summary of the meeting? Obviously, at that meeting we got to a point where we were mostly finished with our recommendations. We had some discussion subsequent to the meeting that led to the recommendations that were presented to the AHIC. But if there are any questions or comments on the summary, please let me know at this point. Anyone on the phone with any questions or comments about the meeting summary? Anyone in the room? Okay. Do we have approval I guess of the meeting summary?

>> Steve Posnack:

If you have any comments you can send them to me via e-mail and we'll handle any clarifications that need to be made or reflected. Otherwise we'll approve it and post it.

>> Kirk Nahra:

All right. Steve, why don't I turn it over to you to give a summary of the AHIC meeting from June.

>> Steve Posnack:

Sure. It looks like we're right on schedule, which is not usually the case. But I guess I have to buy the five minutes until John Loonsk shows up. I'll try to fill that time. As many of you know, if you haven't heard, Dr. Brailer is no longer the vice-chair of the American Health Information Community. We wish him luck with his new ventures and endeavors. There was a lot of talk about the AHIC successor and what that means and what it will look like. The three contractors that were awarded contracts to look into what potential models could be presented to the American Health Information Community, as far as I know there will be a presentation on the 31st of the next evolution of all that work, and then subsequent public comment, et cetera. So stay tuned for that. I'm sure it's going to be pretty interesting.

John Loonsk and John Halamka did an update on the HITSP work to date and the preparation to move everything to the interoperability specifications version two. And in October 2007, HITSP will present privacy and security standards, including standards for roles, access, and audits. That's something probably everyone in the Workgroup will be interested in. Obviously from a standards perspective, it will be a little more technical in nature. And then probably last but not least we went through the whole recommendation session with all of the Workgroups. The Chronic Care Workgroup presented and all their recommendations were accepted. The Electronic Health Records Workgroup’s recommendations were accepted and probably most important, our recommendation was accepted and I don't know if Kirk, you have any feedback you would like to give.

>> Kirk Nahra:

It was a pretty straightforward presentation. We had a couple of questions. The major I guess discussion point was some questions raised about sort of how far our recommendation went in terms of what kind of entities that participate in the networks and the major question that was raised by one of the AHIC members involved the communications networks that transmit information over the networks. And we had a little bit of discussion about that. I think it's still somewhat of an open issue in my mind as to whether -- we didn't really talk about that as a Workgroup. We may at some point later, although we may also just leave it up to HHS to look at that. There's clearly some questions about whether the transmission networks themselves should be sort of in or out. Those questions exist today under HIPAA for phone lines and things like that. I think historically there was an idea that those companies were just transmitters of information and really didn't keep it and really didn’t have any of those issues. The analogy was to the post office. You know, the mail service, you don't have to have a business associate agreement with the post office, because all they do is take it from here to there and they don't keep it. There's some questions about how those networks work in today's environment with different kind of technologies. That was the only substantive discussion and the recommendations were in fact approved at that point. Anything else, Steve, you wanted to add about --

>> Steve Posnack:

No.

>> Kirk Nahra:

Do you want to mention just quickly what happened at the end with the privacy standards?

>> Steve Posnack:

Sure. So Dr. Kolodner mentioned that the Office of the National Coordinator is working on a process to develop a privacy and security framework. It will be presented at subsequent meetings. More information will be made available as that process develops. I think it was just more of a first look and a first glance of what is going on and to let everybody know that we will be getting a lot of people involved in this process. It is going to involve a lot of public comment and public dialogue. So look forward to it. And the role of the CPS Workgroup will be one that will also be part of that process. We haven't quite figured out the whole vetting scheme that we’ll go about and aside from doing a broad-based general public comment on it, what groups we'd like to target as well to get substantive feedback on and a lot of the AHIC Workgroups will also be ones that will be touched to provide comments. So as more information becomes available, I will be able to fill everybody in.

We didn't do such a great job of filling the time until John got here. We can continue on.

>> Kirk Nahra:

Do you think he's on his way? I don't want to delay us at this point.

>> Steve Posnack:

I can send him a message.

>> Kirk Nahra:

Why don't we do this: why don’t we go ahead and move on to the panel and we'll fill John in later. Or have him come in later at this point.

Let me turn to our first panel. We have two panels this morning that are going to address one of the issues that we specifically left open from our set of recommendations that went to the AHIC. As you recall, our recommendation focused on the concept of a level playing field and the idea that all entities that directly participate in health information exchange networks should be meeting the same standard, which at this point we've defined so far, subject to our discussions later today, to be a HIPAA standard. We also have recognized as a Workgroup that there may be some situations where some pieces of HIPAA aren't relevant to particular kind of entities. The example that we've been discussing a lot, and I think it's the easiest one, at least for me, to grasp is the idea that while clearinghouses under HIPAA are covered entities, they don't have all of the same obligations as a doctor or a hospital or a health insurer. For example, since they don't directly deal with patients very often they don't have the obligation to provide a privacy notice to individual patients. They just don't have any dealings with those individual patients. So our first two panels this morning are going to focus on that relevance idea, the question of are there particular kind of entities, categories of entities, for whom particular components of the HIPAA framework don't make any sense? And I think the idea from the Workgroup perspective has been essentially to start with everyone is in for everything, and to carve out particular issues that may not be relevant.

So for the Workgroup members, what we're going to be looking for today is to get a better sense of how some of these entities operate, where there are relevant issues that may not match up with what the rest of the HIPAA standards prescribe, and for us to make some decisions, maybe today but certainly at a later point, as to whether there are particular carve-outs we want to make from our earlier recommendations such that not all of the HIPAA standards would be relevant for all of the entities that participate in the networks.

So with that said, why don't we turn over to our first panel. We have three panelists and then we have a second panel after that with also three panelists. Let me just turn, maybe Viki you can start, just introduce yourself and then go ahead with your presentation.

>> Viki Prescott:

Sure, you can all hear me? Let me just pull this closer. I'm Viki Prescott, I'm representing Regenstrief Institute in Indianapolis, Indiana today. I was their general counsel and business development person there. I recently left, although I’m still doing consulting for them, and left to move to Tampa, Florida which I'm excited about. I'll be dealing with Chris Sullivan a little bit down there. I'm joining Gold Standard company down there, with which many of you are probably familiar, in Tampa. So I'm going to be starting there in a couple weeks. So ONC asked me to speak today to give you a little background on the Indiana Network for Patient Care and to discuss a little bit, answer the questions that were presented, sent to me. So if you want to advance -- they didn't have it in PowerPoint, so it's in PDF. Go ahead and go to the next one. Thank you.

So just to give you a little bit of background on how we operate in Indiana, the legal structure, that is. It's called the Indiana Network for Patient Care, INPC, it's a virtual health information exchange. Which means it was formed in 1996 through a standard contract called the INPC participation agreement. So there's no, technically there's no separate legal entity that is the health information exchange. It's formed through contractual relationships. And it establishes different categories for re-use of the data, the contract does, for treatment, research, public health, and certain health care operations, for example quality metrics. And there's a management committee that helps make some decisions on a day-to-day type of basis. Next slide.

The legal structure for the INPC is that Regenstrief Institute is like the administrator of the network. It's a business associate of the covered entities that provide the data to the INPC for several different purposes. So we act as a business associate for the purposes of de-identifying data for research, transmitting reportable diseases to public health authorities, disclosing different personal health information to providers for use and treatment, and for aggregating data for quality reporting and several other things. But we are viewed as merely the custodian of the covered entity’s data. Next slide, please.

So the INPC participants ensure their -- they use their privacy policies to make sure that the INPC uses of the data are covered. It's actually in our participation agreement. We require them to make sure that their privacy policies are in line with allowing us to do what they say they’re going to let us do. So we do not deal directly with patients at all, because the INPC-covered entities actually want to be the ones to maintain that direct network with the patient, they want to be the ones to interact with the patient. They don't even want us to talk to the patient. So therefore, Regenstrief itself does not have a privacy policy and in our, the participation agreement we also say that any patient request that happens to come to Regenstrief should be referred, and directly, to the covered entity that they are dealing with. And the INPC participants have agreed to consult with Regenstrief if they are contemplating granting a patient request, for instance, for a restriction or for an amendment to ensure that we can technologically actually implement that restriction that they want to do. Next slide.

And just to give you a quick scope of how big INPC is, it's the largest and oldest health information exchange in the nation. The data includes a variety of different things like lab, radiology, transcription, pathology, medication history, and more recently, actual claims data from payers. INPC participants include different hospital systems, large practices that have EMRs, several commercial payers, and there's lots of other entities contributing data to INPC, but because they don't actually get data back from INPC they didn't have to sign a participation agreement. They sign a different agreement that says what they're allowing us to do with the data and those include Indiana Medicaid, RxHub, different private labs, and State and local health departments are also providing data to us to allow us to use it. And the INPC currently covers central Indiana which is 1.6 million people, or 25 percent of our State. We have over 95 data feeds coming in from the various sources and we receive over 5 million messages per month, so it's a pretty big system.

So the questions for today, when ONC asked me to speak today I was given a list of questions, a short list of questions, and when I prepared the written testimony that you have that I submitted, I did not really have the benefit of reviewing the recommendation letter that this Workgroup gave to the AHIC, because I was actually very off-line for a week and a half due to my relocation to Tampa and my computer unfortunately died in the middle of that transit. I'm really a little behind, and I apologize for that. As a result, part of what I wrote attempted to address the impact that I foresee on the fledgling HIE efforts that exist today if government oversight and enforcement through civil and criminal penalties are enforced. Although it seems maybe the horse has left the barn on this issue I would like to maybe make a couple comments in that regard before turning to the other questions.

First, I would like to dispel the belief that business associates can do anything they want with the data. A business associate can only do what specific things the covered entity lets them do on their behalf. The covered entities are very protective of the data. In fact, many communities are having a lot of difficulty getting the covered entities to agree to even share the data for treatment. So the business associate structure is being used in a lot of HIEs today and it's working very well as a legal vehicle. The incentive for the HIE itself to be good stewards of the data is the fear of losing the business associate agreement. That is the data source contract, not just users of the system, but the data source. And if you lose the source of data, you’re obviously going to have the HIE go out of business because they'll have nothing to exchange. I think that's powerful in and of itself. Making the HIE subject to criminal and civil penalties I feel will hamper the efforts in this country. We're already struggling to get participation of people to share their data to start with, and to me the biggest problem is finding the financial sustainability model for HIE, and adding this on and subjecting the HIE efforts currently underway to additional financial risks will only discourage exchange. Investors will also be less interested due to increased financial risk and increased risk of bad publicity if there's a government investigation and they happen to be the ones investing. And subjecting the leaders of HIE, which are already stretched, usually, on their regular jobs, to the risk of criminal prosecution will serve as a deterrent to their involvement. I know there's a lot of people who disagree with some of my views, but I think that's why ONC keeps inviting me to speak. So I'll just keep stirring the pot and you can nail me later. So now let's jump to the questions of today. That is it. You don't have to go any further.

Assuming HIPAA did apply, what provisions would be carved out? I think most HIEs that I know of at least are not set up to deal directly with the patients. Of course, there's some exceptions. But for those who are not dealing directly with the patient, I think there's two types of HIPAA provisions that jump out at me as the ones that should be excluded. One is the privacy notice, which Kirk already mentioned. And also, the provisions dealing with individual rights. The individual right to request access, to request amendments and restrictions and accountings of disclosures. Since the HIE only has a copy of the data from the original data source, it would be more appropriate that the source, the originating source of the data be the one to handle any requests. They're in a better position to answer any questions that the patient has and they already have a trusted relationship with the patient.

Forcing -- in addition, forcing the health information exchange to develop an infrastructure to deal directly with patients and to field requests from potentially millions of patients, we have data on three million patients in Indianapolis, and if they all started calling us, we would most certainly have a problem. So I think that would only add to, another financial burden that cannot be sustained for health information exchanges. So those are a couple of the areas that to me would be carved out for HIEs that do not deal directly with patients. For those health information exchanges that deal directly with patients, for instance, to collect data, then perhaps the privacy notice and individual right provisions would be more relevant.

On the public policy disclosure section of HIPAA, it would actually be nice for that to cover health information exchanges because we wouldn't have to go back to the covered entity each time to get permission and you know, obviously, we have several contracts that we -- several covered entities we receive data from, so it's quite a big task to go back and get approval each time. I don't really know if passing this type of legislation would actually address that, because you still have to deal with the data source giving us permission, what they allow us to do with the data. So that might not really be an extra win if we did this but compliance with the other concepts in HIPAA, like HIPAA security rule, those are already included in our BA agreements. So I don't think that would be an extra burden.

And I just wrote a couple of notes at the end there. Because local and State health departments are becoming more involved in health information exchange, for example as a source of data such as immunizations and newborn screenings, perhaps they should be carved out from having to comply because they're bound by other recommendations. And then the final point on the slide, which is a note that says you might be struggling a bit with defining health information exchange and particularly those who are directly participating, but it sounds like you're really aware of that from working a little bit with the AHIC. I would be happy to share scenarios whenever you get to that point. Thank you very much for inviting me today.

>> Kirk Nahra:

Should we move on to our next panelist? We're going to save questions, by the way, for all three of the panelists.

>> Cassi Birnbaum:

Okay. He's going to bring up my presentation. I'm Cassi Birnbaum, director of health information and privacy officer from Rady Children's Hospital in San Diego. And I'm first going to just tell you a bit about the work we've been doing within our integrated delivery system in San Diego and the information that we've been sharing and some of the challenges and what we've done to mitigate some of the concerns. Then I'm also going to outline for you the work that as a provider representative on CalRHIO what we did there and initiatives underway and based on all the feedback that we’ve received, I can share with you some of the concerns that were raised around these very issues, and some of the conclusions based on the questions that were sent to me that I've reached just, again, from a provider as well as getting the consensus from my fellow Californians.

Just to give you a little bit of background on Rady Children's Hospital, we just changed our name last year, just to confuse everyone. But we received a 60 million dollar gift which was very nice. It didn't go to our electronic health record initiative. Because that's going to cost a lot more than that, unfortunately, about 120 million dollars. But it did go towards building our new building which will cost about 250 million dollars. So essentially seed money. We have to build a whole new hospital in addition to the hospital we have because our older facility, aging facility doesn’t meet the earthquake requirements in San Diego and seismic retrofitting is too expensive. But anyway, our system is comprised of the hospital as well as the specialist and primary care group. And our mission from an information technology, information management standpoint is to enhance the care process by increasing the availability, accuracy, access, timeliness, and amount of information to treat our patients real-time, online, in a secure environment that meets the HIPAA regulations. We didn't want to leave that out. Next slide.

And this describes the name change. But we treat more than 13,000 children a year. And we have a roughly -- actually this is out of date, we now treat about 225,000 outpatient visits and we do about 80 surgeries each week. We also participate in research and we're a trauma center for a three-county area. And -- next slide.

We're the only hospital in our region dedicated to exclusively caring for children. And in addition to caring for children at the hospital itself, we have satellite facilities and urgent cares, again that cover a three-county radius. We also actually lease the in-patient neonatal intensive care units and pediatric units and all the adult providers in town. So we really see ourselves as the Switzerland of health care in our county. And as a result, we have a lot of experience with sharing information and in the electronic era, we're very proud of the fact we have a paperless record, or totally electronic on the back end. We're still working on our front end as far as physician order entry. We're in the design and development and testing of that and clinical decision support and getting all of our information paperless at the point of care. So we're still working with that, but many of our, at the point of registration we’re totally paperless as well. We've made some tremendous strides. Next slide.

And these are just some of the goals and priorities -- and I'll make my presentation available -- there are some of the things we talked about doing on a national basis as well and certainly these are the goals and priorities that are shared by all folks within our State. Okay. Next slide.

And this just shows the patient flow of information and the fact that we are sharing information electronically to fulfill some of the requirements for newborn screening. Viki talked about the immunization registry. We have an immunization registry in San Diego County, and actually, throughout the State. We are working on transmitting that information electronically. And there actually is an opt-out process that’s implemented as part of that exchange. We also share information electronically with our payers. About half of our patients are covered by Medi-Cal, Medicaid for the rest of you outside of California. And they also have California Children Services, CCS, which is Title V funds as well. And because of their need to really get down and dirty with the record and have so much access, we did work out with our electronic record a way to give them access just to that population of patients. So that's really helped with our getting our payments a little bit faster and getting them what they need. Next slide.

This just summarizes what I talked about with our IT integration with NICU units, and pediatric areas, and all the registries that we transmit our data to, as well as all of our billing offices for physicians that are outside of our integrated delivery system but still need that information. Okay. Next slide.

And this is just our goal, common patient access, front-end patient identification is the key and the challenge and linkages between our revenue and patient care cycles. And then these are just some of the benefits which we can skip through of having our information electronic. And some of the return on investment we received as well as some of the patient care successes we've had. Next slide. You can skip over that.

And then some of the key issues that we've had identifying the correct patient across our enterprise, these are the same issues that we're going to experience in a health information exchange. Next slide.

And then also I presented this at the CalRHIO summit meeting in the fall. The fact that we have a very aggressive and proactive monitoring team to ensure that everyone who is accessing the record is doing it appropriately, and that we're adhering to the minimum necessary requirement. And we have a lot of sensitive records and situations that, VIP situations. So we're very proud of our process to establish this. Next slide.

We also have a lot of folks working remotely. So that also has presented challenges. I actually have three staff that live in Virginia but work for Children's full time. I employ people all over the country to help us with our coding and some of our other functions, because we have an electronic record. We don't have to actually live in California. Next slide.

And then moving to the California landscape, these are just some California health care statistics that you probably have seen, with our population and the number of visits that we have, and the system is definitely broken, not just in California, but throughout the country. And I couldn't give a presentation today without showing our governator. This is his IT vision for California. Our vision is 100 percent electronic health data exchange among payers, providers, and consumers and researchers in the next ten years and providing appropriate personal health information to Californians available in a timely and secure fashion and enable affordable, safe, and accessible health care. He's been a major proponent of this and he actually came to San Diego to unveil his IT bill which is very exciting. That was folks from UCSD and we're affiliated with UCSD. So that was great for us. And then these are some of the proposals for the health IT executive order. And many of the same things that we're trying to do on a Federal level, as well. Okay. Next slide.

And then these are the specific initiatives, the e-prescribing, PHR, a pilot EMR, and then also to address ED overcrowding. And this is the nationwide landscape. California is on the map. We can move on.

And I actually participated in the very beginning with CalRHIO as one of many stakeholders representing the provider community. And we did focus groups in all the various regions, and San Diego was included. From those focus groups we were selected to serve on the various workgroups to arrive at recommendations for what we needed to do to advance HIE. Next slide.

And what we identified, over 200 business practice variations and then we condensed them into five categories. There were business practice variations that occurred in implementation, law and liability, rights and responsibilities, technology, levels of knowledge, and the overarching theme is trust. Then we came up with potential solutions as well. Next slide.

Primarily just to form workgroups but I’ll get to some actual solutions later on. Next slide.

This was the structure in order to come up with the solutions we need -- I think there's just one more -- is to appoint a deputy director for health information exchange for the State of California and to look at these specific issues: operational procedures, IT security, legal, guidance and education. And then there's short-term priorities as well to discuss the very things that we talked about with the strategic initiative. Next slide.

Again, as we talked about issues with trust and it was projected that not until 2014 are we going to be able to really nail that down. But hopefully sooner than that. I'm an optimist. Okay, next slide.

And what we identified is there were trust issues among providers to ensure the same level of privacy and security of health information is maintained at all participating facilities. This came out loud and clear. As we looked at all the practice pattern variations, and as I look at practice pattern variations even in my own backyard, there's really a lack of understanding, and when you look at some of the small physician practices as well. And then trust among providers and patients to assure the quality, accuracy, timeliness, and availability and consistency of patient information, and trust that HIE system access is limited only to those with a legitimate purpose and that patients trust that their information will not be breached or used inappropriately. And a solution to address the fact that patients and consumers are uninformed about their medical rights and benefits of HIE, we decided we really needed to convene a task force of medical industry stakeholders, specifically consumer reps, to examine the deficiencies in education requirements and processes in the health care system and provide programs to improve them. So starting with guidance and education are really the key. Next slide.

And consumer privacy and security precautions as an important protection but not a barrier to HIE, which was interesting. They lack a basic understanding of HIPAA and also there's different provider interpretations which makes it very confusing for the consumer, and patients fear a refusal or loss of their health care benefits, loss of employment opportunities, misuse of information for business and financial interests, and providers fear misuse of information for other than treatment purposes. And I feel very strongly, as well as the CalRHIO group, that in order for HIE to improve the quality of health care, consumers and providers must believe that the chain of trust improves quality among the entire spectrum.

So getting down into the specific questions, you know, we're really facing complex and contradictory laws. And California is next to New York as far as having so many State laws that govern how we protect information. In California we had the Confidentiality of Medical Information Act long before HIPAA. So we really felt overregulated prior to that. And it's really been tough for us. And then there's a variety of legal interpretations on any given day. And then that results in business practice and policy variations that govern the use and disclosure of medical information. And it's really most prevalent to some of the variations in rural areas or communities which do not have the opportunity to participate in collaborative sharing regarding health information exchange. As I said before small provider practices are often disconnected from provider networks and do not have the tools or the resources to assure well-developed processes facilitate compliance. And the national providers and payers in California have unique challenges because there's a lot of information exchange across State lines. And I feel that could be mitigated if we did have a uniform privacy security standard. And that would really help to advance the RHIO and HIE efforts. Next slide.

And then how do we address areas not covered or partially covered by HIPAA? And being from the pediatric side, we have many challenges just within our own four walls regarding rights of access by legal guardians. So HIPAA really defers to the States to govern access, which produces a myriad of challenges from State to State. And what happens too, if a notice of privacy practice is signed by the parent or if an opt-out approach is used with the HIE? When the patient turns 18, what happens then? And then also, State laws vary greatly regarding emancipated minors, guardian rights, confidential treatment. Okay. Next slide.

Some possible solutions that we recommended from the CalRHIO group were to create a privacy and security oversight board, develop and use standard business practice documents and health information content. So a business associate agreement with standard privacy and security language that everyone can agree with. Standardization of health record content, standard contract language between vendors and providers. And a notice of privacy practice that is not ten pages long. Authorization consent documents in a standard, easy-to-read, and HIPAA- and State law-compliant format. Okay. Next.

And then regarding covered versus non-covered entities, HIPAA creates this distinction among entities handling the individually identifiable information and it creates the potential for practice and disclosure variations among covered and non-covered entities. And the consensus among the stakeholders is that there's wide variation in practice in disclosing health information and differences with security protections between these entities. Next slide.

Some of this comes from the various interpretations between HIPAA, State law, and their intersection, and the business practice variations resulted from different approaches to implement optimal and addressable provisions in HIPAA. So some of the recommendations to mitigate covered versus non-covered entities, so privacy and security protection should be applied to the health care information, not the entities handling the information or data. If this were the case, providers and other covered entities and consumer concerns would be addressed and the risk of improper disclosure would be greatly mitigated. So it should be applied to all and should protect the data, not the -- as it relates to national health information exchange, and the hosting of personal health records, the HIPAA privacy and security regulations should be the floor with additional protections layered.

We also identified data architecture issues. There are no data architecture or data classification systems that can adequately identify and separate health information to ensure that only the minimum necessary information for the purpose of the requests was shared. So if we do use HIPAA as the floor, we still have minimum necessary to deal with. If a disclosure restriction was approved, or in the case of a minor's record who was legally able to consent for treatment, or a condition, how can this information be flagged in a case of a minor who is pregnant? How could other confidential markers, drug and alcohol treatment, be maintained and the overarching concern of providers and consumers is how would my data be protected from identity theft. So proven, transparent, and sound practices need to be applied.

>> Kirk Nahra:

We’re going to have a timing issue.

>> Cassi Birnbaum:

Sure. What kind of information can a provider share? We had consensus around the fact that you know, in an emergency medical situation, where time is of the essence, that we could share information and in this scenario the minimum necessary would not apply. If a notice of privacy practice or an opt-out process is utilized to ensure consumer notification there should be language around emergency treatment exceptions. Other types of exchange for routine care, treatment, pharmacy refills, diagnostic therapeutic testing would require some type of notice of privacy practice or a clear opt-out process. The next, final slide.

And then what type of information are providers comfortable sharing? Disclosure for non-mandated public health inquiries, research, and secondary uses of data would require authorization and stakeholders for mental health and behavioral health were very concerned about the exposure if this information was shared and we do need to make sure that we apply HIPAA privacy protections and make sure access and security controls are appropriately layered to address these stakeholder concerns.

>> Kirk Nahra:

Thank you very much, Cassi. Why don't we move on? Lory?

>> Lory Wood:

As he's bringing up the presentation, I'm Lory Wood with Good Health Network. I'm the chief security and privacy officer. I just took over that new role two months ago. Part of that for the last six years I've been the CIO. So in bringing our company, which is a health care technologies company, we have a secure PHR, and from inception to production I brought it through all the hurdles we had to get through with that, and you know, obviously we had to deal with the security and privacy issues as well. Here we go.

I know we've got a timing issue here. I'm going to go through these quickly. This is just an outline of what the presentation is. If you go to the next one.

Our company was established in 2000. We have a trusted, secure network where patients, providers, and payers can share information. We currently participate in several of the standards organizations, I'm on the HITSP consumer empowerment and the security and privacy technical committees, and several of the other organizations we participate in as well. As I said, we do have a PKI-enabled PHR. Next slide, please.

We have security services associated with our company as well. We do identity-proofing and use digital certificates and authentication. Go ahead and go to the next slide.

We were partners with Gold Standard multimedia that Viki went to work with. We did face-to-face credentialing for over 1,500 physicians. We were using their pharmacology product in doing a pilot of e-prescribing in the State of Florida. So we've got extensive experience in working with providers and doing identity-proofing and utilizing secure networks. Next slide.

We were given your hypothesis and asked to answer some of the questions. So let's go forward. GHN is not a covered entity by definition. We are a PHR provider to consumers. Employers and small physician practices also use our applications. But by definition we're not a covered entity. We voluntarily are compliant with the HIPAA regulations. And we meet or exceed all of the privacy rules. We exceed the security requirements. And as I said, we're active participants at the national level. Next slide.

This is just a brief overview of the requirements with the privacy side and the security side which I'm sure all of you are very aware of. Next slide.

These are the general categories: having appropriate and reasonable safeguards, mapping PHI dataflow, protecting appropriate data, having access control, having third-party agreements in place, accountability, training, and awareness. Next slide.

Taking those categories, what I did was map them to whether they were a security or privacy requirement and then how we have fulfilled each one of those requirements. We are the only PHR right now that also is a health care certification authority using X.509 certificates with the ISO health care extensions. As I said, it's PKI-enabled. We use USB tokens and smart cards for authentication of users and we also use ICE technology for break-the-glass scenarios. This is just showing the security token smart card. You can go on.

Just to set a basis here, for levels of assurance and amount of risk you're willing to take, we, our high-level assurance using two-factor authentication. Next slide.

Currently we're using two-factor authentication and our next generation product will actually be using three-factor with biometrics. Next slide.

As I said earlier, we do identity proofing, we have, this is what we use to the forefront of using our PKI. Using digital certificates allows us to do full role-based access control. We do transparent real-time auditing. Our auditing is color-coded. So at a glance, people can very quickly see what category of user was viewing their data and what portions of their data were being viewed. Next slide.

So, the key here to the questions that were asked, we provide secure collaborative tools for patients and providers. We build a trusted relationship within the community. And that's foundational to the HIE being successful, is the trust factor. I think that's a common thread you'll hear from everyone. We are an enabler of consumer-driven health care. We give complete control to the patient on who is able to see their record and not just who is able to see the record, but what portions of data they can see. So they can restrict it all the way down to the record level. Again, there are transparent audit trails. We allow for secure storage of information, which is a complete trusted network which gives full data integrity. We've allowed for the improvement of quality of health care for the entire community. So -- next slide.

Looking at how this impacts our company, specifically in the PHR industry in general, we consider this movement, if we were to require everyone that is going to participate in a RHIO to have the same requirements, to actually give us a level playing field. We already meet those requirements, so we would like to see the rest of the players, you know, raised to that level as well. It stabilizes the rules of engagement for interoperability when you're exchanging data, the data integrity, the trust factor, all those things incorporated. If we use the standards that are being recommended through the HITSP process, again that enables everyone to be at a level playing field. There were face-to-face meetings in San Diego this week, and the outcome of that, there was lots of discussion about privacy, the HISPC ruling that just came out with RTI and the Governors Association. There's lots of issues that are being addressed from the outcome of those. I think HITSP will come up with constructs that will allow the RHIOs to participate using all of the use cases in a secure environment that incorporates the privacy issues into that. Next slide.

We are committed to following whatever the requirements are that are laid out. And we just appreciate the opportunity to address the panel and look forward to your questions.

>> Kirk Nahra:

Thank you very much. Let me do this at this point. Let me make a brief change in the agenda and interrupt for a second and have John do his presentation. Then my suggestion would be that we go -- do any of the three of you have immediate time issues? What I would like to do after John is go to the next panel and then do questions for the whole package. So John, if you could go ahead please?

>> John Loonsk:

Thank you, and I appreciate your flexibility. I'm John Loonsk with the Office of the National Coordinator. I'm here to update you on the activities in the Nationwide Health Information Network process. If you can go to the first slide.

As I think most of you know, the Office of the National Coordinator has an initiative to advance health information exchange at a national level and to build the Nationwide Health Information Network as a network of networks built out of health information exchanges. Last year we had four prototype architectures that were developed in conjunction with four consortia that included twelve different health markets and health information exchanges as well as technical companies and service -- number of different technical service providers in accomplishing that output of prototype architectures. Right now we have a request for proposals that is open for the next step in the NHIN process, which we're calling trial implementations. So the succession here is prototype architectures, developing concepts and advancing capabilities, trial implementations, which move the target to health information exchanges as the likely contractor offeror that leads this activity. Last year, Systems Integrators led the prototype architecture work. This year we're targeting health information exchanges as the likely lead for this. They too will have to engage a number of different capabilities, but to advance this forward. And that these health information exchanges will begin to comprise the work -- the networks working together to make up this network of networks.

The way we're addressing this is to -- since this is kind of a peer model, a peer model for networks that come together, we don't have a national data store associated with the NHIN, centralized systems at the national level, no national patient identifier. We have to have these health information exchanges that work well together and support each other in a kind of reciprocal arrangement as well. And the way to get to that is to define shared architecture as well as processes and procedures for what those health information exchanges need to do to be part of this network of networks. And what I'm here to talk to you about a little bit today are some of the elements of that shared architecture that is coming forward to advance the next round of the trial implementations. Next slide, please.

So just from a terminology standpoint, we have, in the context of this activity, we have defined a health information exchange according to the definition at the top of the slide. We are expecting that the offeror, the prime offeror on this request for proposals will be a health information exchange. But we also expect that they may need to engage what we have termed a health information service provider, which may be a technical company, an operations company that may support that health information exchange in accomplishing their activities. This is an important consideration in terms of advancing this area of health information exchange at a broad, national level. That we have focused on trust in governance aspects of health information exchanges as necessary components of what they have to bring to the table. They may also do the operations and the technical services themselves. That's a viable model. But they also may indeed sub some of that activity to a company or to another organization that provides those 7 by 24 technical and operation services necessary to meet this highly demanding activity of health information exchange.

We have also the term of an NHIE. And the NHIE strategically, we decided that we would not acronymize that as NHIN HIE or ninny, we --

[laughter]

The NHIEs will be the HIEs that meet the architecture policies and procedures that as they develop to form this network of networks of health information exchanges. We have left the door open to specialty networks and functionally specific networks that may participate in the NHIN as well. For the time being, in this next round of trial implementations we are focused on health information exchanges as the type of network that is coming together to start to pull this network of networks together. Next slide, please.

We have used the products of the first year's work, and I use the term first year's work broadly to include a number of associated processes, as guidance for this next round of activity. So the prototype architectures developed a number of materials, a number of different groups have been working on related activities including this working group, and we have put those specifically into this request for proposals. So there are many ways we can move towards this vision of a Nationwide Health Information Network. One way is through regulation and recommendations and various activities. Another way is through using this contracting process to advance the capabilities. And so we are making that statement with these inclusions that these are part of what we expect the NHIEs to accomplish. And the ways, some of the ways we expect them to accomplish it in moving forward in these trial implementations.

So we have now seven use cases from the American Health Information Community. That helps express the breadth and the types of activities that need to be considered in moving forward. We are going to be asking this next round of trial implementation contractors to implement what we're calling core services in two of the seven use cases and through the process of contract negotiations, we're going to try to get spread across all seven use cases. So we're going to be trying to advance the totality of the work although from a practical standpoint what we're asking of the specific health information exchanges in this first year is to address core services and two of the use cases. Also included in the request for proposals are the use of the HITSP standards and some of the functional requirements and things from the prototype architectures. And specifically I want to point out the fact that the CPS recommendations are included in this as well, and also work from NCVHS on their privacy and confidentiality recommendations.

And specifically for the rest of this brief presentation, I want to point you to these core services that are being advanced as helping to define what an HIE needs to do in this developing environment. In the last couple of weeks, there was, we, we released a report, a summary report on the first year's prototype architecture work. And that summary report includes a description of a good amount of what happened in the first year, and it includes a summary of these -- next slide, please -- core services. And the types of transactions at a technical level that need to occur to make them happen. So these core services are really more operational services than they are technical services. The summary report goes into a fair amount of technical details about how they have to occur. But what we're doing with this is to try to put in place the kinds of capabilities that need to be available from health information exchanges to support the developing processes and considerations for this activity.

So I'm just going to touch on some of these core services and reference them. We'll certainly be happy to talk in greater detail about the specifics as per your desires down the road. But right now, these services are part of what is being expected of the up to 15 HIEs that will participate in this next round of trial implementations. So the core services are broken into data services, user and subject identity management, general management services, and consumer services. And I would like to just touch on these first three and then spend a little more time on the consumer services part, because I think it may relate most directly to some of your work.

So clearly, a good amount of health information exchange is about data delivery and retrieval. In the data services area, there are services that need to be supported to address data delivery, data look-up and retrieval, the subject and data matching capabilities, the data integrity and non-repudiation checking, audit logging and error handling, and data anonymization and de-identification services are some of the things that are articulated at this level. Next slide please.

Under user and subject identity management in this context, when we say a user, we're talking about either providers or consumers who take advantage of health information exchange capabilities directly, i.e., they may log on to a health information exchange in some permutations, or indirectly through an application or an organization that connects up to that health information exchange. So it could be a user via a PHR that is connected. It could be a provider through an EHR that's connected. Subject here is the subject, the identity, being identified in data or information that is being used or exchanged in the context of the activity. So first, in terms of services, there need to be services that support identity-proofing and/or attestation of third party identity-proofing through those connected through an HIE and similarly authentication and/or attestation of third party identification through those connected through an HIE. There are issues around -- there's authentication, identity-proofing, and authentication and authorization capabilities as well. There's subject and user identity arbitration. So these needs -- if two health information exchanges need to exchange data between them, they need to be able to work to make sure that the identity that they're exchanging information about is indeed the identity, the same identity that they're both talking about. And this is part of the challenge and part of the context of not having a national patient identifier, is that these arbitration activities need to occur and the health information exchanges will need to support them. There's management of the credential information. This is mostly about security and access. But it does border into medical credentials in the context as needed to support network roles as appropriate in the context of selected access to information. And I will talk about that in a moment. Next slide, please.

There are some core management services, if you think about how this network of networks needs to come together. Each of the health information exchanges will need to be able to not only perform activities into and among their jurisdictions but also at times be responsive to needs coming from other health information exchanges. So, for example, there may be times where if there's an investigation into an issue with an access or use, that there may need to be a temporary de-authorization of a direct third party user, that those kinds of capabilities need to be in the mix as these move forward to be able to support that. I will also point to emergency access capabilities to support individual and population emergency access needs as being referenced here as well. Next slide please.

So slowing down a little bit, I’d like to just talk about the consumer services that are referenced here and that these consumer services are derivative of some of the good work done in the initial, the prototype architecture activity and point to a number of things that I think border on the discussions here. So first of all, the first consumer service here is that they, a consumer should be able to identify their preferred location for storage of their personal health records. And records plural is used here not to induce multiple records, but to recognize the fact that both when one is moving from one record to another, or with a functionally-specific record there may be circumstances where a consumer has more than one personal health record. The core of this is to be able to say that the consumer should be able to say, and this is in keeping with the use case on, the first year’s Consumer Empowerment use case on registration information, the consumer should be able to say this is my preferred location for my PHR data. And they should be able to communicate that location or those locations to others.

The second service here is about the support of consumer information location requests. So a lot of the context for health information exchanges has been about provider location requests and discussions of how to make sure that providers have that information. And it's absolutely part of the process here, and a part of the functionality that needs to be supported internal to an HIE as well as cross-HIE information location and retrievals as well. So the second service here is supporting a consumer's ability to do that information location request and as appropriate to support the routing of information to the consumer's PHR. There's a lot of technical complexity under these covers, but it's one of the things that, a consumer service that is being advanced here.

The third service here is around management of consumer control, providers of care, and access permissions. What specifically is being advanced here is that a consumer should be able to advance access control information about their personal health record, and access to their personal health records, as well as, in this context about health information exchanges and the ability to exchange consumer access permissions between different applications and between different organizations in this context. So one of the capabilities being advanced here is for the consumer to advance access controls and to have those access controls be exchangeable among the different participants in this activity.

There is also the service to allow the consumer to indicate their choice to not participate in network services, the consumer service to be able to access logging and disclosure information for PHR and HIE data, and the routing of consumer requests for data corrections. So in the circumstance where the consumer's PHR has data that originates in a different context, the health information exchange should play a facilitative role in allowing the consumer to make a request for changes to information they view as incorrect, and to play a role in routing that data correction request to the originator of that, of those data. So, next slide.

I think that's it. These services will be worked on by each of the health information exchanges. The timeframe for this activity is that we anticipate these groups, up to 15 health information exchanges to start up in the fall, probably a September timeframe. There's a timeline for a number of different activities in what we're calling the NHIN cooperative where these will come together and work on some of the even further specification of the data exchanges and service interactions that need to occur to support these activities. And then it will culminate at the end of that first year period of performance with some demonstration of these capabilities as well as some joint testing to ensure that these health information exchanges can indeed provide these kind of services across health information exchanges as well as inside of their own activities. So there's a lot under those covers but since this request for proposals is now on the street, since it references CPS work as well as a lot of other work done in the course of the last year, we wanted to make sure that you were aware of the status of this request for proposals and we would be pleased to present more detailed information as you desire. I'm going away. Thank you for your attention.

>> Kirk Nahra:

All right, do we have questions from anyone in the room on the Workgroup for John at this point? Alison.

>> Alison Rein:

Thank you, that was really useful. I hope this is not too down in the weeds. It strikes me that at least some of the capabilities you described under the consumer services do not have standards that support them. And in fact, one of the jobs of HITSP is to identify all the gaps in standards. So I’m wondering if you can talk about sort of the interrelationship between advancing, but advancing where we know that standards don't exist to do the things we're talking about here.

>> John Loonsk:

Thank you. I’d like to respond to that at two levels. One is sort of the general level of timing and synchronization which is a challenge in many respects, and then the other level specifically with those standards. So clearly, and we've recognized in the past, that with the NHIN we're taking steps to get to eventually a production network and that the steps include multiple iterations starting with prototype architectures, going to trial implementations, et cetera. The prototypes last year did not have the benefit of HITSP standards as they advanced their work, and so we -- it is one of the complexities we have to work through, is the expectations. In other words, the trial implementations can only be expected to work with a certain amount of this material that's available now when they're starting out and although we try to get them to be sensitive to coming material, the material that comes during the course of the year, there's a limited amount that they'll be able to incorporate over -- as they're flying, so to speak.

Specifically with the security standards and the confidentiality standards that you referenced, we believe that all of the service capabilities here that I have alluded to are also now covered in the totality of the seven use cases that are now out there. So there was an effort to correlate these services with the ask that is in the now seven AHIC use cases. So last year, three use cases, some work done, some work on privacy and security being deferred to this year. We now feel that, with the addition of the four new use cases that are now done, there's coverage on that. Will that mean that all the standards are in place for the trial implementations to go forward? No. So part of the expectation of the NHIN cooperative is to also have the Health Information Technology Standards Panel sit at the table and work with them to try to make sure that the processes going forward are compatible with the directions of those standards determinations. And it's going to be a synchronization challenge. But that is part of the stated expectations of the RFP, that indeed HITSP will be there at the table and helping to support it. It may mean that before, after this round of trial implementations, there's additional work to bring together some of the efforts into those standards, but we think that these trial implementations can also help feed HITSP with some of the practical specifications needed to do this work and carry forth their standardization as well. So I think it can work both ways.

>> Kirk Nahra:

Other questions from folks in the room for John. Anyone on the phone? Okay. John, thank you very much.

>> John Loonsk:

Thank you.

>> Kirk Nahra:

Why don't we at this point turn to our next panel following up on the topic of today's session which is to identify particular components of the HIPAA standards that might or might not be relevant to particular entities that will be covered by our earlier recommendations. Jim, maybe we can start off with you and work our way down the group.

>> Jim Hansen:

Good morning. My name is Jim Hansen. I'm CEO of Healthe Mid America. We’re a health information exchange organization, independent, non-profit entity based in Kansas City. If you're not familiar with Kansas City, the metro area is split right down the middle between Kansas and Missouri. So right off the bat we have multi-State regulatory and cultural challenges that we address on a daily basis. We are, what we call our entity is a community health record. It's a longitudinal set of information that is shared both with consumers and providers. They both have views. We're very excited about the next wave of the use cases, the Consumer Empowerment, many of the things that we're working on and providing. We're actually operational and so many of the things we grapple with on a daily basis are being asked in that use case and we are having to work through those issues, so I appreciate the opportunity to share some of our personal experiences out in the trenches.

I wanted to give a little bit of background quickly about Healthe Mid America, just because we’re a little bit different, so I think that’s important for you to understand in the context of HIEs. We have a sustainable business model. We're employer-sponsored. Sponsored means the employers pay the bills. So consumers and the providers access the system for free. Providers -- or employers provide the service as an employee benefit. They look at it as a way for the employee to get engaged in their health care, not only to manage the cost portion, from which both the employer and employee benefit, but also the quality and the productivity piece. It's very much a consumer-focused approach. We have 100,000 covered lives currently contracted with our 24 founding sponsor employers and it ranges from a very large corporation such as Sprint down to 100-employee companies, including four different health systems as well as the State of Kansas, and so we're very excited. We also have the Federal Reserve Bank. So we have a very large constituent in terms of employers. And really their mission is to get this information out to people and help them make it actionable. And having said that, what I would like to do is sort of go through -- and I don't have a PowerPoint, and for those who know me, I'm a longtime health care consultant, I do everything with PowerPoint, but what we wanted to do is hit very specific components here, so we put it into a document, because this really is where the rubber meets the road. So I apologize, it won't facilitate the talk. I'll just hit a couple of these and you can refer to the document at your leisure.

The first piece is the enforceable mechanism. It is, our feeling is that we need something in an organization similar to a JCAHO- or an NCQA-type independent group to validate and certify HIEs, for a number of reasons and we'll get into those later on. But we really believe that's important. We're spending an enormous amount of time and energy having to prove and reprove ourselves to the covered entities that we are getting data from and creating exchange documents with. It would be much better to say that there's an independent group who has done this, done this work once, and you can go to them in terms of what their standards are and their results. It's a very big burden for us. And so I would suggest to this group that you contemplate that type of enforceable mechanism. I think that group can also track statistics in terms of breaches and levels of breaches and those types of metrics and get that in a very consistent third party point for analysis. We think that that would be a way to address many of the pain points we have on a daily basis.

Specific to relevant requirements, I think the biggest piece for us is that there is a consumer and provider view, that the consumer can see their data just as well as the provider. That's a core of what we do. So that's the basis of what you'll hear me share with you this morning.

And again, specifically down to the HIPAA regulatory components. Definitions, section 160.103, we do think that the covered entity should include health information exchanges and/or organizations that provide services for health information exchange as was defined on that slide just a minute ago. Maybe the health information service providers. I think we -- there's a trust issue with folks that do these types of services and we believe that we should be involved in there and the way HIPAA was conceived in terms of clearinghouses, you know, it's different than what an HIE is and I think we need to specifically add that.

164.520, the notice of privacy practices. We do think that it should be mandated that there's posting of the NPPs on Websites. I understand that some folks don't have access to that. But you know from a cost and an information distribution standpoint, it really would be helpful if that would be the direction, the preference that that goes. We have to make allowances for people obviously that don't have Internet access, but we really think that that is important.

Section 164.510, uses and disclosures requiring opportunity for the individual to agree or object. Our thought is that it was not anticipated that we would have the concept of the Internet, and how it would be used to be a network of networks really was not envisioned back then. And so as you become part of a facility directory, our thought is by participating in a health information exchange a patient may be part of this directory and it's not just facility-focused. The directory will be extra facilities. We have to account for that kind of a concept if we are going to do any kind of record-locating service type information. You know, there's questions around, should I? Can I even be listed in there? And if I am, how much of my information is listed and what is not? And of course, how much information will very much drive whether we get successful matches on patient look-ups.

Section 164.528, accounting for the disclosures of protected information. We think there needs to be accounting for both uses and disclosures and they must be available to the patient. One of the key features we have of our system is we have an online report that the consumer can go to at any time and they can see who has accessed their system. It will show them that they’ve accessed it and if there’s been any provider who accessed it it will say who it was, what their role was, we have up to eight different roles that we define for providers and what organization and what time. So they, as we started to roll out this concept last fall in Kansas City we tried to cross a lot of the barriers that we were getting with folks. They said, you know, this is a new concept. You're a new organization, you seem like you’re good people but I don't know if we trust you. We took that as a challenge. Fine, we'll put that report and that access out to the consumer and they can get to it any time they want. So they, in effect, are the ones who will manage that, because they're the only ones who really know if there was a need to know. And so that will be the basis for trust and if anybody is familiar with the credit monitoring processes I think there's a very good analogy for what we're doing here in terms of being able to track and notify people when their records have been accessed.

Section 164.506, uses and disclosures to carry out treatment, payment, and health care operations. You know, the big gigantic hole or opportunity for interpretation in the HIPAA standard, we really believe that there needs to be a consent to participate in the HIE, however, this benefit is for the individual to view their information only. And they have controls regarding this release. So our question is, is this really necessary if the consumer is in the driving, driver's seat and they're providing access where they're saying I allow this sensitive information to be accessed or not, I allow these providers to be accessed or not, or providers at all to have access or not. I think that whole concept needs to be rethought. In our particular situation for sensitive information we've had to take a very conservative approach. We have to block the HIV, STD, mental health, all those components because we don't have guidance now to be able to do that in a way that we're comfortable with. And that's unfortunate. Because there are elements of mild depression and things like that that are very prevalent and we're not able to include that in our records. And aside from that, the Kansas and Missouri statutes on those elements, the sensitive data elements, are, not surprisingly, very different. So even if we had guidance, it's very difficult for us to manage that in a cross-State situation. So we have no choice but to block those without future guidance. So that's a huge part of what we would like to see worked on.

Section 2 on business associates. We absolutely agree with a number of the speakers earlier this morning. We try to comply to be a covered entity as much as we can. We think that that is, it's just, you know, a matter of time before that happens. It actually is a huge barrier. And I think Viki mentioned this morning as a business associate, it's really hard to get the data and cooperation of the covered entities. And I think when the HIPAA statutes and thought processes were put together, I don't think they anticipated the situation where if I'm a provider and I go get billing services and that's a business associate, that's one thing. But if I'm an HIE and I'm asking a payer to access data as an agent on behalf of a consumer, you know, that's, that may be a, you know, that may be a semi-competitive or at least a situation that is not totally controlled by the covered entity as selecting business partners to kind of do my work. So it's a different relationship. And so that caused an enormous amount of legal time, people time, we have 16 agreements with various entities and one of them is going on 14 months now. It's just, it's crazy. We want to be covered entity. But we have to prove and reprove that we're up to, we have gone through multiple audits, system audits, process audits, and it's really energy that we don't have time. We have a million other problems to solve here besides that. So go back to the whole JCAHO-, NCQA-type process. These are real things that are right in our face today.

And then when we get down to the general questions about competitiveness, it really gets to the fact that I think we all need to be covered entities. One of my fears is that with the identity theft issues and some of even the health information shared situations, if we have folks who come in who are undercapitalized and do not put the proper controls in place and have breaches, that's going to hurt all of us. And I think we need to be very careful to protect that. We're in a very sensitive part of this life cycle. And so I think we all have to be at a certain level in order to try to minimize that kind of exposure. And I absolutely support that, want to do that, and I think it makes sense for us to do that as an industry.

Our particular data is held in a data center bunker that only contains very large-scale health care data that is all, obviously, it's all HIPAA audited and controlled and we feel very comfortable about that scenario. If I was a fledgling PHR and I had my data in just an ISP somewhere and it was in a rack, someone could easily take that disk drive with that information and walk out the door, and that would not bode well for the rest of us. So we have to make sure that we have people acting and participating at a level that we all feel is comfortable, and to get back to what everyone said, it's all about trust. The consumer trust and the provider trust and it's whatever we can do to help with the trust piece. One of the other things we do in our system is provider access: the consumers can get online and in real time they can toggle grant and deny access at any time. So if they feel uncomfortable one day when they wake up they can hit deny. The next provider that gets on can't see anything. They get a message; they can hit grant access. In future versions we will be allowing them to grant and deny access based on provider organizations and even down to specific providers. Including and excluding, that's a very complex process because just coming up with a provider directory that is accurate and can be used to do that kind of process is extremely difficult. That's what we're hearing from our consumers. They want to be able to do those types of things.

As was mentioned earlier we're also working to support the break the glass concept where I may say I only want it to go to this clinic and this hospital and this primary physician but I'll check a box that says if I end up in a car crash, end up in an emergency room somewhere, you have the right if I'm in that scenario to go in and access my data even though I have not declared access to you as a specific provider. Those are the types of things we're hearing back from consumers in terms of items that will give them more comfort and more trust. So we're working to work on this really on a daily basis.

And those were our specific pieces there. They're out in the PDF document. And I welcome any kind of, any questions or comments in terms of specifics around that. There's a lot more. Those are the ones we thought were the most appropriate as you had asked us in terms of what are the relevant requirements. I think HIPAA was not -- was put in place at a time where the consumer was not -- they were really thought to have been coddled and protected and they were not really thought to be a primary participant in this process. And the Internet, and the vision, the way it has been rolled out in the last ten years was not really anticipated. And I think all these sections need tweaks in order to reflect that. That would be our recommendation.

>> Kirk Nahra:

Thank you very much. Mr. Sullivan?

>> Christopher Sullivan:

Thank you. And it's a great honor for me to be here presenting to this Workgroup. We've been following your actions carefully. I'm with the Agency for Health Care Administration in the State of Florida and with the Florida Center for Health Information and Policy Analysis. And I'm in the administrative health information technology office. And we were asked to address general questions to make recommendations to the Workgroup on determining which HIPAA requirements are relative for your business model and to provide characteristics and roles in an information exchange environment to identify specific sections of HIPAA that are not, that are not required under your business model. Next slide.

Our business model at the State level is the Florida Health Information Network. And as such, we are floating in the Gulf there somewhere waiting for the next hurricane. And what we are working with is a consortium of health information exchanges across the State. We provide a Florida health information grants program to leverage these HIEs and to help them get started and we try to work in close collaboration with them. My comments are taken from the State level and a lot of our perspective comes from the HISPC project for which we were granted some funds and which proved to be very beneficial to us in really looking at our privacy policies.

The next slide for today's presentation, what I wanted to do was to address three Workgroup questions that were sent along to us about a month ago. That is enforceable mechanisms, relevant requirements, and business associates. Then I’d like to do a summary report on the relevant findings from our HISPC project. And in a funny sense, our approach to HIPAA is pretty much, if it isn’t broke, don't fix it. So that's the perspective we have been taking. And I’d like to very much summarize the three questions in our approach and this is the summary of a lot of people working together. We've had tremendous support from upper management in the agency as well as in particular really visionary leadership from the director of the Florida Center, Lisa Rawlins.

Next slide, in terms of addressing enforceable mechanisms, the question presupposes that the current mechanisms are adequate to protect patient rights and privacy. And we have some questions about the adequacy of those protections especially since it's on a national level. In general the existing enforcement mechanisms should be the foundation for enforcement at the State and national level and these mechanisms should be strengthened. We suggest perhaps establishing or designating a State-level organization to enforce security within the network of each State on behalf of the NHIN. We feel that if we can bring enforcement mechanisms closer to home that that might make enforcement all the more doable and would work for our health information exchanges. Next slide.

In terms of addressing relevant requirements, we found that HIPAA is not problematic in our health information exchanges for information exchange and patient care. So we urge caution in making changes to HIPAA. The findings from the privacy and security project indicate that the most important barriers to health information exchange are confusion about HIPAA requirements and misinterpretation, as well as Federal and State laws that are inconsistent or more stringent than HIPAA. What we find, our problems are not with HIPAA but with the fact that HIPAA conflicts with our State laws. And I'll speak about that a little towards the end.

Now the Florida Health Information Network, as we have conceived it, does not meet the description of a health plan or health care clearinghouse or a health care provider. Hence we are not covered or would not be a covered entity and therefore not legally required to adhere to specifications of HIPAA, in that our role would be to transact information. However, we feel that as a best practice for the secure exchange of protected health information that the Florida Health Information Network and any health information exchange that is connected to the Health Information Network should work under the HIPAA security rule and that should be followed by the administrators of the Health Information Network and other HIEs. We feel that even if they fall under the radar as being defined as covered entities they should still work with HIPAA, work under HIPAA, we feel that’s very important for the HIEs. This is also important because a lot of the RHIOs or regional health information organizations in Florida are developing repositories of data and as such they're the caretakers of protected health information. We feel it's very important for them to come under all of the HIPAA security regulations.

For the third slide, how does your organization assure compliance with security policies? We find that health information exchanges, including paper-based exchanges, require trust relationships. But there needs to be a level playing field regarding the accountability and enforceability to the extent possible. We feel that everyone should be under the HIPAA rule. We feel it should be a level playing field for everybody so we know that there's security for all records. Expanding direct accountability for meeting relevant HIPAA requirements to those entities such as personal health record systems, should be, would be beneficial. So we feel that vendors who provide personal health information systems, perhaps ASP models of electronic medical record systems, should come under HIPAA security requirements. That would be to the benefit of everybody involved.

And then addressing the general questions, is there a minimum set of confidentiality, privacy, and security protections? We feel that HIPAA is an appropriate minimum. That's what we’ve found in the course of a year-long study talking to health care groups across the State. The rationale for these responses comes out of our HISPC project in which we worked with stakeholders around the State. If you don't mind I would like to address some of the problems we did find in the State and how those do conflict with HIPAA. The next slide, please.

Just in general, you're probably aware of the HISPC project. There were 32 States and Puerto Rico that were given a contract to study business practices. Next slide.

Our job was to identify business practices and policies related to electronic health information exchange, to analyze policies and laws that are barriers to HIE, and to identify solutions to the barriers and then develop a plan for implementing the solutions, which we have done. In the course of our work, we worked with 37 health care stakeholders from across Florida. When I say stakeholders -- I would have listed them all but it would have taken several slides -- we did work with large associations, Florida Medical Association, Florida Hospital Association, I could go on. We brought in a dentist, we brought in every medical association, as well as representatives of consumer groups and other stakeholders who had an interest. And we had a very active group of participants in our workshops and I feel that we really dug down and got a lot of information out about barriers to health information exchange. If we could get the next slide.

Our summary conclusion for barriers is that HIPAA is not the problem. Rather it's a misinterpretation of HIPAA policies and regulations. We refer to this as HIPAA folklore. And the folklore runs like this: HIPAA won't let me exchange information, therefore, you can't get any. And that is sort of the barrier. And you stop there and say, well, HIPAA will and here are the conditions. Then they say, well, the Agency for Healthcare won't let us exchange information because of HIPAA and you run a big round. And what we found was that even at the provider level, the understanding of what HIPAA will and will not was not clearly understood and therefore, the general barrier, whether it was an excuse or a true misinterpretation was that we could not exchange data. We also found that there were inconsistent and contradictory laws at the State and Federal level. I would like to address a couple of the contradictory laws at our State level just so you can see the problems that we face in creating health information exchange.

One of the spin-offs of that was the problem of consent. We found that there was mistrust of other health care entities and there were liability concerns. We label this the battle of consent forms. For example, we found that one hospital's consent form was not the same as another hospital's consent form, but the hospital that required consent wanted its form filled out, not the other guy's form. So you find tremendous barriers to deliver consent to trade records. We also found there's a limited use of technology in electronic health information systems. In Florida we're fairly lucky in that we have between 18 and 20 percent adoption rate of electronic medical records. Those are not necessarily interoperable EMRs, but they're EMRs nonetheless. And what we found was that the 80 percent are still faxing, still sending records and who knows where the faxes go? We have recommended, and you'll see at the end, really the use of electronic health information exchange will actually increase the confidentiality, privacy, and security of all health information exchange.

To move on to the HIPAA folklore. As I said, HIPAA requirements are often misunderstood. The misinterpretation was that it prevented any health care information from being exchanged. And this HIPAA folklore rationale was cited by numerous providers. We go to the next slide. I'm running ahead of you here. Consent forms, keep going. Oh, they're coming up one at a time, that's why. All right.

And the HIPAA folklore was the rationale cited by numerous providers and a lot of hospitals for why they could not share health care data with a RHIO. As it turns out there are other reasons why a hospital can't exchange health care information with a RHIO, not HIPAA, but we can go on to that.

The next slide talks about inconsistent -- we're running one piece at a time? You might have to hit it again. I thought they were all one slide up and it's done.

>> Kirk Nahra:

Why don't you go ahead?

>> Christopher Sullivan:

That's fine. During the course of our project, we found that there were at least 45 sections of Florida law that were potentially applicable to HIPAA. In our HISPC report we reported a major barrier, an inconsistency between records disclosure requirements for health records maintained by health care providers and hospitals. I give you the citations for the two chapters. Next slide.

Chapter 456 et cetera in the Florida statutes provides applicable requirements for treatment and payment disclosures by health care practitioners. Pursuant to this chapter a health care provider may release a patient’s records without a patient’s written or oral consent, to another health care provider involved in the care and treatment of the patient. We see that as consistent with HIPAA. However, under 395, separate chapter, separate listing, a patient's hospital records cannot be disclosed to a treating provider without the patient's consent, unless the provider is licensed facility personnel or an attending physician. That means if you were a physician and your patient went to an emergency room in a hospital for which you did not have rights, then that hospital would not send you information on your patient. This is the way the Statute runs.

Now, with this -- now, the inconsistency between these two laws is a barrier to health information exchange. A clear barrier. Especially in emergency situations when consent is unavailable. The most curious fact we found is that a rationale for the inconsistency is unknown. We don't know how they got there, but there they are. We found the patient -- the problem with the hospital consent requirement has several spin-offs. One is the consent form. Hospitals create their own consent forms and then want those consent forms. Hospitals are unwilling to provide their data into a health information exchange because they feel it is inconsistent with Florida statute. And because it’s inconsistent they don't want to take any chances that they're breaking the law. So our RHIOs have had tremendous problems, even with the business associate agreements, getting a feed from the hospital for data exchange, because they feel it's a repository and we're giving information to a provider who is not recognized.

And one of the RHIOs in Tallahassee, one of the ways around it is they worked with -- every doctor, that is, has an arrangement with one emergency department has an arrangement with the other emergency department. All doctors in the RHIO are licensed or regularly working with the facilities. At any rate, what this does is it places a burden on providers, so health care providers must understand multiple laws governing health information exchange, health care providers must determine which laws are applicable in an often un -- ambiguous context of events, and health care providers must rely on the other provider making requests for facts, context and what is determined by applicable law. There's a tremendous trust factor here. It's maintaining trust between facilities, particularly competing facilities, that becomes a challenge.

Our proposed solution, some of our solutions for this statutory barrier is, one, to consolidate statutes related to exchange of information among physicians, hospitals, and other health care entities. Right now they're filed across several chapters. We propose to take all those regulations to one chapter and then rationalize them so they work together not against each other. We also are proposing to adopt uniform standards for consent across the State, so that if you have a consent form in one facility, that consent form will work in all facilities. We are suggesting we facilitate electronic patient consent through the use of authentication mechanism such as an electronic signature or a digital signature, so the patient can consent electronically, and then in an emergency situation that patient's records can be moved to where they can be used to best purposes. And finally, we need to address emergency care when either the patient or a medical surrogate is able to consent. And one of the recommendations we have made for breaking the glass is if two physicians consent it's an emergency situation, we must break the glass, they can do so, but then they have requirements to notify the patient after the fact.

And finally, the solutions, the goals of our HISPC project, which embrace these issues, are, one, to establish uniform privacy policies for e-health. When you have disparate policies, when you have policies that contradict each other, statutes that contradict each other, you have tremendous barriers for health information exchange. By providing a uniform privacy policy and trying to clarify all of the relevant statutes, we find that would be one of the best steps forward for helping health information exchange in Florida. Our second goal is to adopt a technological framework for e-health. That is the Florida Health Information Network. We feel that the current situation is actually fraught with disclosure problems, that there's no policy for faxes where you know that they went to the right person, that if we were able to put protected health information into an electronic environment, especially the audit trails that people have been talking about here, that we would have a much more secure and privacy-ensured environment for trading information on patients. We feel that's the way we should move. Our third goal to raise community awareness. We agree with Mr. Hansen that patients do not have the knowledge they need to manage their own records. And we feel that they should know their rights and they should be educated to be able to take firm control. And we have taken a lot of initiatives in transparency in Florida to provide information to patients so that they can take an active role with their information. Finally, we want to actively participate in the framing of national standards for e-health and work actively with the national health information network. That's our perspective from Florida, and I appreciate the time to talk to you.

>> Kirk Nahra:

Thank you very much. Rachel, why don't you go ahead.

>> Rachel Nosowsky:

Hi, my name is Rachel Nosowsky and I'm here today as a member of the National Cancer Institute data sharing and intellectual capital work space, which I'll tell you about in a moment. And I thank the panel for allowing me to speak to you today about the work of NCI caBIG initiative and the reasons why we think some HIPAA standards should be extended and others should be reconsidered.

CaBIG is the Cancer Biomedical Informatics Grid. I’m sorry -- I would like to acknowledge Ken Buetow and Wendy Patterson from NCI and Marsha Young from Booz Allen Hamilton and a number of other people who I mentioned in our written testimony. I'm going to in the interest of time speak quickly about a large amount of information. There's more detail in our written testimony if there are questions. And normally this is something that several of us spend several hours talking about. So I'll try to make it as clear as possible. The genesis of caBIG was the desire to use personalized medicine to move NCI’s mission of reducing the burden of cancer and coming up with a cure forward. caBIG is a large scale multi-institutional network of scientific collaboration that is necessary to address scientific questions for this purpose. We're starting from the idea in this community that sharing of data is a good thing. It's just a matter of doing it in the right way to protect privacy and other interests.

One of our major challenges in the medical community as a whole and the cancer community specifically is there is a ton of information to harness. We sometimes refer to it as a tsunami, and it's not an inapt reference. The reason is the more we find out the more we learn that every little piece of information is important and it can help guide us into appropriate clinical treatment of individual patients. And one of the things we would like to get across to this panel and to the community more broadly is the idea that research is not a divorced activity from clinical care. There is no such thing as evidence-based medicine without research. In the long run, research will help us find out the best ways to treat individual patients in real time.

One of the challenges that caBIG seeks to address is that there's no consistent way currently of collecting or communicating information. And we are all struggling with this in various ways across the health care community. The idea of interoperable health information as a baseline so that we can exchange information and use it well is critical. So what caBIG is or seeks to be is an interconnected web of data, individuals, and organizations that will define how research is conducted and how clinical care is provided and how patients and research participants interact with the biomedical research enterprise. What we are in the end is an international network of networks, as it's called. At least that's a piece of what we are. So when you look -- and there's a slide in a moment -- but when you look at kind of how we're set up, there are lots of different nodes and an interconnected network and lots of different ways for individual organizations to interact with one another and share information.

I'll tell you a little about the structure of caBIG and how it operates. You can go to the next slide. And Cassi Birnbaum's description sounded a little bit familiar to me, with just kind of maybe a little bit of a different flavor. But caBIG is divided among a number of different workspaces, and three different types of workspaces. The first is domain workspaces and these are areas where communities work on specific problems, specific research interest groups build tools that will help them share data to address challenges they have today. The representation in these workspaces, in each workspace and in the community at large, includes medical professionals, clinical trial professionals, patient advocates, a broad range of people. I'll get to that in a moment. There's also a number of cross-cutting workspaces that support the construction of the basic infrastructure of the caBIG technologies. And these include a vocabularies and common data elements workspace and an architecture workspace. And finally, the last group of workspaces, and the one that DSIC is a part of, are strategic-level workspaces and these are designed to provide a broad framework for the whole enterprise and overlay pretty much everything we’re doing within the caBIG community. The mission of the DSIC workspace is to facilitate data sharing between and among caBIG participants by addressing the legal, regulatory, policy, ethics, proprietary and contractual barriers to data exchange. Our membership, for that reason, given our broad mission, is very diverse. We include biomedical researchers, clinicians, tech transfer experts, intellectual property and regulatory attorneys, policy specialists, patient advocates, bioethicists, and bioinformaticists.

DSIC has identified a number of challenges for the caBIG community to achieve our goals. And while there are tremendous scientific opportunities presented by the ability to combine data, we need a great deal of collaboration and cooperation to make that happen. Our challenge, and one that we're beginning to address, is to really maximize the caBIG infrastructure by providing answers to these various barriers that we've identified. And at a high level the issue is really balancing the need to protect the confidentiality of data and privacy of individuals while at the same time avoiding excessive restrictions that are going to choke advances in science. Some of the challenges you’ve heard and are familiar with, most of them I think, are varying obligations we have under Federal and State and even international privacy and security laws and standards. So the caBIG community includes cancer centers from all across the country, States that have very highly restrictive privacy law, States that have less restrictive privacy laws. Some members of the community are regulated by HIPAA. Others are not regulated by HIPAA. Some members have to deal with European Union directives and other information privacy and security standards. We also are faced with oversight by ethical review boards or institutional review boards that by regulation and by design address local standards, local ethical standards for research. So they tend to have very diverse views about what is appropriate and what is not. And that sometimes creates another layer of sometimes inconsistent standards on data privacy and confidentiality. There are also academic considerations that sometimes stand in the way of sharing data. Including the need to secure grants and publish results in peer-reviewed publications, academics are concerned about sharing results of their studies too quickly, because if they do then they won't get that grant or they won’t be able to publish.
There are researcher, institutional, and sponsor concerns about protecting intellectual property and various funding restrictions often stand in the way of sharing data even if we get over the privacy and confidentiality concerns. There are also safety concerns that are raised by clinicians and practitioners related to premature access to unvalidated information. A lot of data we collect during clinical trials is very raw and very early. And if there is direct access to data, there is a concern that it will be used to make poor decisions. And there are also the challenges with public perceptions about privacy, security, and confidentiality of electronic data.

So -- you can go to the next slide -- to address these concerns we have been working through a kind of three-tiered framework to help us get to the next level. One is a federated architecture that enables local control of research and clinical data. And we will talk about the details of that architecture in a moment. Another is an analytical framework to help encourage participants in the caBIG community to at least analyze their requirements in a standardized way. So to get to the point of HIPAA myths and facts, as we like to call them, we want everyone to look at these requirements and not come up with 12 different answers on what they actually even mean. So that's one of the purposes of this framework. Also to look at ethical requirements. There is lots of guidance that’s coming out from the Office of Human Research Protections on the use of data, and privacy and confidentiality issues, and not all institutions have even grasped kind of where that national standard is going. And then we are developing standards and tools and infrastructure to, and making these broadly available, to kind of minimize individual institutions' needs to kind of reinvent the wheel.

So this is caBIG. Basically what caBIG does is create tools, applications and other tools, to allow the sharing of information, both on a local level and on a national level. So if you think about caBIG, we refer to this kind of infrastructure as the CaGrid, the Cancer Grid. There is the NCI's CaGrid which is kind of the national framework or maybe the kind of American health information network type of model. And then there are mini-networks, maybe like miniRHIOs, that actually, that actually contribute to that model. If you go to the next slide, you can see a different kind of picture of that.

So there are multiple instances of these different grids. And the design is to make all of the data that is housed in these places interoperable so that when we want to exchange the data we can do so easily. What the federated approach does though is it allows each individual, institution, or instance of a grid to make local decisions about whether data is shared and to what extent. And our idea is that we want to maximize the amount of data in an appropriate way that's shared within the local grids or even at the national infrastructure but allow this local control so it allows for, for instance, maintaining local standards. If I'm an institution in California and I have a very different set of requirements than an institution in Michigan but we are engaged together in a clinical trial and we want to share information, we might end up having an agreement kind of outside of the grid to share that information, share really detailed information. But we might also share kind of higher level, more aggregated or more deidentified information in a broader way across the network. So the local control kind of facilitates the maintenance of local standards.

Our analytical framework it's hard to look at on that slide but it is in the material, in the materials. It has, what we basically have done is look at the barriers to data sharing along four different axes. And our idea is to help participants in the caBIG community to look at these barriers in a consistent way and to define when they are going to allow data to be shared over the CaGrid. The four axes kind of go to the barriers that we identified earlier. They address kind of economic or proprietary challenges to data sharing, the data sensitivity challenges, privacy and security requirements, ethical challenges related to the use of participant data from research, and then sponsor or contractual challenges imposed by contracts with research sponsors. And our idea is that where the sensitivity is low, hopefully we can share more data. When the sensitivity gets very high, maybe we need bilateral agreements to really create that extra level of trust and maybe we need higher levels of security to create that extra level of trust. And if we create kind of different levels of trust, we can share different levels of data and make as much available as possible.

Some of the tools we are looking at developing, or are in the process of developing through DSIC include this decision framework, a data sharing checklist and researcher questionnaire to help researchers really help their institutions understand what their needs are going to be, some model provisions for institutional review board applications and data use agreements and material transfer agreements that will help standardize what requirements we impose on data sharing and help educate the community about data sharing, security policies and procedures for CaGrid-wide authentication and authorization, web-based information products for various institutional constituencies, and a real commitment to the process of evolving culture of collaboration by participating in the workspace.

One additional working group that's been created within caBIG to specifically focus on security issues is the security working group. And it considers and recommends security policies and procedures for sharing data via the NCI CAGrid. It is like the other kind of strategic-level or cross-cutting work groups. The policy side of this work group is open, as with all the other workspaces, to everyone who wants to participate. So our idea is that we are going to create a great deal more buy-in. If anyone who is interested within the public, within the research community, among patient advocates, is empowered to participate. There are explicitly workspace representatives from each of the different domains, cross-cutting workspaces, and strategic workspaces. There are also patient advocates who sit on the security working group. And we also have pro tem members who are available on an as-needed basis to address specific challenges as they arise.

To our response to the working hypothesis, we start from a premise that research is an essential component of the health care delivery system. And we agree that minimum standards are necessary to enable us to do what we need to do and that they need to be enforceable. But we recognize, too, that examples are legendary of instances where routine or standard practice was demonstrated to be ineffective or in some cases even unsafe after prospective control trials or large epidemiological studies. And what we want to do in every opportunity we have is to encourage us to think about research as an essential component of the health care delivery system.

With regard to the relevant standards, first off, when we talk about HIPAA as a minimum standard, I think we need to be very careful. HIPAA is a big thing. It is a very, very detailed and complex regulation. And it happens to be one that, as it was drafted, kind of thought about research as an afterthought. And the challenge that HIPAA presents to the research community and more broadly sometimes exists within its very detailed implementation specifications and not at the higher level of do we all agree that privacy is important, do we all agree that there is certain minimum standards for privacy, do we all agree on what some of those minimum standards are? I think that's easy to get to. So I think we embrace HIPAA-like standards at the very least, if not the HIPAA regulation, writ large in all of its detail.

Some of the challenges that HIPAA presents to us in the research community are described here. And these are challenges we think should not be extended to institutions in the research community who are not currently covered by the regulation. One relates to HIPAA's prohibition on what are called blanket authorizations or the prohibition on authorization for unspecified future research. The challenge here is that there was a time before HIPAA where research subjects could say I want to participate in this trial and it's okay to use my data in this trial only, or it is okay to it use my data in any trial related to this condition, or it is okay to use my data in any research. And the challenge with this defining much more specifically than that what the uses of one's information are going to be within the realm of research is we don't always know the question in advance. And there are great examples of major advances in medicine that have been made because we happened to have the data, and then the technology came along where we could really use it well or the knowledge came along where we could use it well. If we had had to define in advance each specific purpose of the collection or use of the information, we never would have gotten there. So while HIPAA allows people to agree, for instance, that their data can be in a registry, it still requires a new agreement once the data is taken out of that registry. So we really recommend that this kind of administrative restriction that's encompassed in HIPAA does not get extended beyond where it already exists.

With respect to business associate agreements, theoretically they don't really apply to research. So a health care provider does not need a business associate agreement with a researcher in order to disclose data to the researcher. What the researcher needs is either an authorization from a patient or a waiver from an institutional review board or there are a couple of other complex ways that researchers can get information. We do agree, of course, that, you know, standard terms of use, various types of trust agreements are important for everybody who works in a space where identifiable information is maintained. But the idea of requiring researchers who participate in one way or another in an electronic health information exchange to sign business associate agreements is something we would hope would not be adopted.

With respect to the notice of privacy practices, we do think that health information exchange organizations need to post notices about what their privacy practices are. I scratch my head a little bit. I know that health care clearinghouses are not required to say much of anything to anybody, but that's not a that's not an industry standard. Virtually every organization that has a presence on the Web has some sort of Web privacy statement, some sort of notice about how information is collected, what information is collected, and how or under what circumstances it will be used. That said, HIPAA does impose some requirements with respect to notices again in these implementation specifications that may not make sense. So for instance, the requirement to submit notices in writing, unless someone agrees to receive them electronically, or the requirement to get a written acknowledgment from a patient or some other participant, a consumer participant in the exchange that they received the notice. Maybe that doesn't work. But the idea of having some sort of notice is something that we all agree, from a kind of patients’ rights perspective, is critical. And it actually goes to the idea of education. You know, if we can't tell, how are people going to opt in or opt out or participate in any real way unless they understand how their information is going to be used.

You can skip that slide. That's a picture of all the complex analysis we sometimes try and do.

With regard to enforcement, obviously there are lots of, lots of ways that HIPAA or HIPAA-like standards can be enforced. They can be enforced through statutory or regulatory requirements that impose civil or criminal penalties. They can be enforced against licensed health care providers through licensing sanctions. They can be enforced by contract, by trust agreements of various types. A health information exchange can bar access to people who don't, people or organizations who don't protect privacy. So there are lots of enforcement mechanisms available. Go to the next slide.

We do think it is unnecessary to extend HIPAA from a regulatory perspective further than it's gone because, actually, we think in some ways HIPAA is broke. In some ways it really does interfere with research. These are well-documented in peer-reviewed literature what HIPAA has done to research, and even to the validity of research results. We know of lots of instances, some well-publicized recently, where new information came to light where the information was really already there and it just hadn't been analyzed appropriately or hadn't been used well. And HIPAA makes it harder to do that well. And so the idea is, again, all of us can embrace minimum standards. We are all patients. All of our information is going to be up there too. So all of us can embrace minimum standards for privacy and confidentiality and security. The question is whether HIPAA is those standards, whether we should simply extend the regulation.

If we were to extend the regulation, we would very much encourage that research be recognized as central to the health care delivery system, as a health care operation. And you could condition that. So for instance, you could say that research gets that kind of preferential treatment only if it is reviewed and approved by an institutional review board that's subject to Federal regulation. You could, you know, you can do things to make sure it is done well and that it's not just kind of whoever says they’re doing research gets access to information. But we would hope that people will begin to recognize the centrality of research to the delivery of health care.

So in conclusion, personalized medicine, evidence-based medicine can't exist apart from biomedical research. We can share data broadly among researchers and clinicians while still providing important safeguards to identifiable health information. Thank you.

>> Kirk Nahra:

All right. Thank you very much to the panel. I'd like to open it up to questions from our Workgroup. Why don't we start with folks in the room, and then we will turn to some people on the phone. Are there questions from any of the Workgroup members? Alison?

>> Alison Rein:

I will do my best to articulate, thinking back that far, but going back to Viki's presentation, you suggested that it would be really a challenge for your health information exchange to accommodate the, you know, multiplicity and the complexity of requests, you know, should you fall under the purview of this regulation. But then there was a discussion when Dr. Loonsk spoke about the creation of these entities, like third-party entities that would be able to manage that process for you. And I wondered if you could speak a little bit to that in a relationship. The third party they could manage a lot of the queries to your system if it works, both the regulation I mean that's am I understanding that that was generally what he was describing?

>> Viki Prescott:

I guess the answer is, it is going to well, a few answers. It is going to be adding more complexity. It is going to be adding more costs. Someone is going to pay for that additional responsibility.

The other thing is, you know, we only do what the covered entities say we can do with the data. And, you know, if the patient just comes in directly and wants access, we really have to go back and we would have to evaluate all of our agreements with our current covered entities to figure out, you know, what control they want to still maintain, do we have to call them every time we get a request? I mean, it is not just farming something out and telling people what queries are being done, etcetera.

The other thing is, we do not own the data. It is not our data. It is the covered entity's data. If there is an amendment that's going to be made to that data that the patient wants and we are required to make or whatever, it is going to be the originating data source that's going to send that amendment to us. The way we do it now is, they send it electronically to us as a new HL7 or amended HL7 or whatever. So we have to make sure that we are guarding the data that's being given to us from the covered entity.

So having the patients come directly to us is going to cause a major burden and we'd really have to evaluate the financial sustainability that we currently have, and the whole way we do our operations now, as far as our interactions with the covered entities and I will tell you right now, the hospitals do not want us to be talking directly to the patients. It is their customers, and they don't want us involved.

So I mean, I understand that you can farm out some of these things or some of these quote queries. It is not merely a technological solution that's required.

>> Kirk Nahra:

Let me add it up a second. And it raises, in my mind, a couple of issues that we'll want to put on our list of things to be thinking about.

One of the questions that comes up with business associates in general, they all have to sign an agreement that says we are going to provide individual rights. But 95 percent of the time the business associate doesn't actually have anything new. And so a lot of times the prototype is, if somebody goes to a business associate, you say, well, go talk to the doctor or hospital or health insurer first. So we could decide that that would be a model, would be the response of someone, someone like a RHIO or an entity like that would be, no, go back to the original person and get the data. Now, I could also see why an individual might want to go to the RHIO, because then he doesn't have to go to 10 or 15 different providers. I can understand that issue. That's a question we are going to want to look at. We will want to think about it that way.

Another piece, there might be some things that are unique to the health information exchange network. The accounting rule, for example. There may be disclosures that they make that the doctor/hospital wouldn't have made so they have to be on the accounting list. I'm personally reluctant to recommend expanding anything with the accounting rule because right now I think that's, personally that rule is being very few patients are asking for that. I know large numbers of hospitals and health insurers who haven't run out of fingers on one hand with the number of accounting requests they have gotten in four or five years. So I think those are things we going to want to factor in, is where do we want to put that burden. It may be analogous to the idea of notice which is they are not the people that have the direct relationship with the patient. But again so I think we'll want to keep that on our list of issues to be thinking about that.

>> Viki Prescott:

Maybe one other comment on that, is that the hospital for instance that had the data originally, it is important to go back to them. Because they could have sent it to other people too, not just to the RHIO to get the change made. So the consumer might get confused, thinking I will just go to the RHIO. And the RHIO doesn't have all the data by any means. And we don't know what other places it is being sent so

>> Kirk Nahra:

Other questions?

>>

I think three of the panelists had a model where they had standard business associate agreements for all of the participants in the health information exchange, CalRHIO and Indiana and yours, too, Jim. Is it your sense that that's and if you don't know, that's fine -- but is it your sense that that's pretty universal for health information exchange efforts or are we allowing a lot of contractual variations within a single health information exchange. Do any of you know?

>> Viki Prescott:

At least in Indiana there are certain, there are certain carveouts once in a while that would be on an exhibit. Like if for instance a particular payer for instance couldn't give us certain data because they are covered, they have different constraints on them from the employers or whatever. So there is, there could be carveouts to certain data. There could be certain data that could be used for treatment but not research. It is a lot of the agreements that are out there with the employers. They don't include research because the payer doesn't really care about research. But our RHIO does. So there is different things so, yes, there can be variations. But at least they can, you know, come to agreement on the business associate. It's just they might carve out some of the data and what you can and cannot do with the data so there is some variation.

>>

I would just like to say that it was the consensus among the stakeholders that the BA agreement is something everyone can live with and trust. We are so used to it. I mean, we felt some kind of standard agreement that provides the assurances so that the providers who control the data will feel comfortable releasing it.

>>

I think we are looking at that, too. And our sense is -- and this kind of goes to that framework picture that we didn't get into too much detail about -- is we are going to end up with some sort of standard trust agreement among all the different contributors that everyone will accept. And that's kind of, that's your price of entry. And then there are going to be times when there are challenges or differences or whatever, and that's going to require bilateral negotiation. And because you have a federated architecture, you're going to be able to require that, you know, I will put this data, I will make this data available only if you sign my extra terms, my extra requirements, so that it kind of allows for both the standardization and something apart from that.

>>

That's been our experience, too. You start with a standard, and then people have wanted nuances that might be that I have the right to come in and audit within seven days of an event. You know, there is nuances that are different than just the core. But it would be great if we could get towards something that was a lot more standardized. Because even if we might start with 70 percent the same, that 30 percent is taking months to go back and forth and negotiate, at least is it relates to us.

>>

Again I'm working with entities who, you know, some of them are very much supporting what we are doing. Others it's a I don't know if it is competitive threat or so they are not anxious to enter, some players are not interested to enter in it. So the negotiation process becomes pretty laborious and it's needless. It gets back to, the big issue here, the elephant in the room is who owns the data. I've heard a couple of people say a number of different things. Our perspective is that the hospital owns all of their EMR data, the legal record, all of the intense amount of data they have done to practice medicine. All the approaches they’ve used, that's theirs. The health plan, the fraud detection, the network pricing, that's theirs. You know, labs, same thing. But the consumer has a right to a copy of their data in every one of those places. And so we are an agent on behalf of the consumer, of which the employer is really sort of funding, to say, collect my copy of my data from all these places and put it in one place so that this employee can use it.

That's a big issue. Because it is my data. I'm sharing my data no, you're not. We get a copy of me as a consumer's data. I have the right to all of that. That's what we have got to figure out. We have got to make an understanding in terms of legal and just definitional. What does that exactly mean? Because we spend a lot of time talking about, I will share my data when I want to. No, as a consumer, I have a right to that. And under HIPAA I can go to a provider and get that. A payer should be able to go to any other entity and get that. I think that's a big piece of it. And it should be electronic. Don't send me down to the records room in the hospital for 40 cents a page and go through my file. That becomes a barrier to facilitated cooperation. You know, make it if they are electronic, it should be able to be provided electronically in a reasonable amount of time. And when we don't have processes in place to be able to support that, I think we need to as an industry, otherwise we are going to struggle with these agreements.

You know, getting payer data, we are already lagged by the claims cycle, two or three or four weeks or more. Right? And so, you know, I don't need additional barriers on to that. I need if we want a copy, I need to be able to get it as soon as I can. There is a whole issue around that that really needs to be addressed and have a public discussion around because it is, we just don't have common definitions on who owns the data.

>> Kirk Nahra:

Other questions? Deven, did you have one?

>> Deven McGraw:

I did. I want to address this in particular to Lory, but I also invite the other panelists to answer it, too, because it is a question that seems most acute in the context of a personal health record, but I think it is also applicable in any sort of context where the model is the more consumer control oriented model, where the patient or consumer has the right to say where the data goes and has, really, the higher degree of control over it than is currently premised under HIPAA. In the HIPAA privacy rule there is the exception for consent, for treatment, payment, and then the big sort of overarching bucket of health care operations. When you have a product or a model that is built on consumer control, if we have that privacy regulation apply, are we taking a step backwards because we are sort of imposing on it a legal structure that is in fact less patient-controlled than the model that you're trying to actually promote? So that's one piece of the question.

And then the other piece is, given the sort of HIPAA folklore theme that's been expressed a lot, where people might think that HIPAA is actually more protective than it is, you know, are we if we say that we have PHR vendors, RHIOs be HIPAA compliant, again for that keeping in mind that exception for treatment, payment, and health care operations -- are we giving people sort of a false sense of security? So I would love to get your thoughts on that because I'm struggling with this.

>> Lory Wood:

I guess, I'm somewhat struggling with what the actual question is.

>> Deven McGraw:

Okay. Essentially if we the treatment, payment, and health care operations exception within HIPAA, we are looking at which HIPAA standards we are going to apply to this sort of, to a PHR for example. You have got a high consumer control model there. If we put that HIPAA regulation on you, how does that get reconciled with this consumer control model that you're putting out there?

>> Lory Wood:

What we have been doing in HITSP is significantly talking about that and the privacy issues that patients have. IHE profiles have been, have come to the surface and we have been looking at those so that, in detail, patient authorizations and consents can be very well documented. And that any time any data is received from anyone that is under that umbrella of the HIE, they will then go and check against these rules. If there is not a match for the data to be received and there is still a need to access the data, they can make a request to the patient to get an additional consent or authorization to use the data. But they are not allowed to view it, you know, until those consents are in place. What they are trying to do is work through -- because there are some gaps in the standards right now and what's actually available -- so they're also having discussions between whether it is machine-to-machine or actual authenticated user that's making the request or just organization that's making the request. Patients in our system have the ability at the user level to identify not just a group, not just to say the providers of the RHIO have access to my information, but they can individually identify the providers that have access. Some of the issues that were discussed were the things about the protected information that fall under, you know, STDs, mental health issues, and those types of things. Our system defaults to restricting that data, and the patient then has to actually physically make the choice for it to be shared. So those are some of the mechanisms we have put in place.

>> Deven McGraw:

Yes. You have clearly got a stronger I guess my point being that you have actually got a stronger model than might otherwise be required by the regulations. So what happens if we decide to if that regulation gets imposed on you, suddenly you have got a legal structure that is not quite as far as you have gone. And I guess my question is whether by imposing that legal structure are we, would we be taking a step backwards beyond the strong piece?

>> Kirk Nahra:

One of the premises we had in our hypothesis was that many PHR vendors, for example today, are entirely unregulated. So they may choose to make certain business practices in place, but they don't have to. They can do anything they want. And so, I mean, how it would work today, I think, is if you I mean, if I'm a health plan, for example, and I'm covered by HIPAA but I've got a set of business practices that says, you know what, I'm not going to share for health care operations. I've decided

>> Deven McGraw:

Right.

>> Kirk Nahra:

you're allowed to do that, and that's permitted. I think that would end up being the issue. Companies may this would provide a legal boundary on how far they could go. It wouldn't mandate that they change their business practices. I suppose it might give them some support, but then you have the competitive issues of, well, one PHR vendor is going to disclose it for all these purposes and the other one will only disclose it here. I think that's where I mean, I understand the basis of the question, but that sort of implies that there is a boundary today that we are removing, whereas I think our, at least our earlier discussion was there is not any boundary today, other than what a company chooses to do.

>> Rachel Nosowsky:

For what it's worth, the industry is clearly going in the direction of consumer control, even though the regulation is where it is. I don't think it changes anything to impose it on others. I will tell you that we have a very similar tool in caBIG, and it's described in our written testimony, that tracks the level of consent that a research participant is given with regard to their specimens or data, and not just the level of consent but also whether they have withdrawn the consent. So it allows us to comply with individual research participant requests for various kinds of restrictions. And I think we are going to see more and more of that as well.

>> Kirk Nahra:

Just to follow up again. I think Deven, you have raised a question that has, perhaps some broader implications which is, one of the odd results that at least I saw in some of the HIPAA contexts where there were situations where HIPAA came in and companies said, aha, see, I'm allowed to do X and, therefore, I want more than I used to get. For example I see that a lot with employer health plans where they historically got very little from their health insurer and they all of a sudden said, aha, we're the covered entity so give us everything. I suppose we do need to be thinking about that. Again, not because it changes the rules. I mean, if there is a rule that, a State rule, law for example that says you cannot do it, the HIPAA model wouldn't change that. But if there was an industry standard today that is more restrictive and this, this hypothesis would give people the ability to go beyond that. I mean, again, I don't have a sense of, in the business context, whether all of a sudden all these people are going to say, now we are going to we built this for consumer trust reasons, but we are going to blow it off because we have the possibility. I mean, again, that seems a little counterintuitive on the business side, but it is something we want to keep in mind as a bigger issue certainly.

>>

There is a minimum necessary provision that we all need to think about. And in terms of health care operations, at least in our California analysis, we didn't really think of that as extending to the RHIO or health information exchange because it really rests with the provider. Because I, from a health care operations standpoint, it's for peer review. It is for some of the oversight activities. But I just we all felt uncomfortable with it extending the health care operations as, you're right, it is just such a sticky wicket and it could mean anything. It is such a gray area. And that was not an area that any of us felt comfortable from a health and information exchange. I felt very uncomfortable from a provider perspective with just opening up that can of worms. But the minimum necessary issue is definitely one that, you know, a provider or a RHIO couldn't say that I can use it for, use this information for anything, a payer coming in, I mean, the minimum necessary rule would apply to a payer.

>>

You know, that's also where having transparent audit trails in place that a patient can access, where it specifically states the reason that the information was accessed. So that if they see it was a peer review, they understand the reason it was used for. And that helps clear up a lot of those issues.

>> Kirk Nahra:

Other questions from folks that haven't asked one, I guess. Sylvia.

>> Sylvia Au:

Do any of the systems that you have allow for family members to link their records to each other, and how does the consent process for all that work?

>>

In our system we actually do have family accounts. We also have the ability for you to set up proxies for health care. And typically we have a primary and a secondary family account owner so that either the primary or the secondary can do the consents for underage or those that are incapacitated.

>> Kirk Nahra:

Other questions? Sue?

>> Sue McAndrew:

First I want to apologize to the speakers whose presentations I missed, but I have looked at your written submissions and I think they are very good.

I just wanted to focus the conversation for just a second on another aspect of some of the concerns that have come up in terms of this network and the role of some of these entities as a business associate, other than simply the uniformity of the processes that you may be required to engage in or the limitations on that. And that is the enforcement mechanism of those, of the business associate requirements and whether or not, for the consumer trust component, do we need to subject what now would be a business associate to more direct liability, similar to that which would go to the covered entity itself were they making that, doing that activity directly? I know that there has been, some of the testimony indicated that that kind of direct liability would actually be a brake on the system and the viability of some of these health information networks. But I would just like to hear a little more discussion about how you see that, how you see direct liability being an important element on the accountability of a business associate.

>>

You mean direct liability from a regulatory context as opposed to

>> Sue McAndrew:

However imposed, I guess, would be still an open question but

>>

Because I think, to some degree I think every exchange has some level of trust agreement that’s inherent to the exchange. So the different participants, nonconsumer participants in the exchange are bound by a contract to do X but not Y. And so there is some level of enforced direct accountability through those contractual agreements that they have. And so the question is, you know, what can you set up in terms of if you violated this contractual agreement, what next? And even beyond those contractual agreements, some participants will have direct liability. So one of the examples I gave was through licensure. If I'm a doctor and I abuse my privileges through a health information exchange, my licensing board may well sanction my license directly if they find that that actually happened, because licensing boards take breach of privacy extremely seriously. So I think there are multiple levels, even today, through any of these types of exchanges of direct accountability. There might it might not be that HIPAA directly applies to business associates or to things that are not anything today, because some of these entities that might participate are not even business associates, but there is lots of direct accountability.

>> Viki Prescott:

Since I'm the one who kind of made some of those comments at the beginning, I can go into depth a little bit more fully. I mean, I guess, I look at more government regulation and enforcement as not necessarily spurring more business ventures in general. And I don't know that that's a solution. First of all, I don't know that there is a problem to start out with, except just this concept of making sure we have consumers trusting. I mean, where has there been any evidence that, you know well, I don't want to go there. But anyway, just as far as the direct liability, like she was just saying, the contracts, that's going to hold that is really the crux of a health information exchange organization. Most of the ones I'm aware of, other than the PHRs that have kind of come up more recently, but I want to talk in general about local, community-led, provider-type-led, organizations, most of them are all nonprofit. They operate on a shoestring. They have grants for maybe getting things started today. They have no financial sustainability model. Regenstrief has been around a lot longer, but part of our sustainability model is getting grants to be able to support evaluating the network, improving the network, et cetera, on a long-term basis. Plus we are funded also by some private foundation money, who believes in the cause, who believes it is going to improve health care. That's our goal. We are a medical research institute. We are not in the business to make money. And I don't think most of the RHIOs today that are coming up, aside from the PHR issue, really is in it to do that. They just want to be able to sustain it because they know it is going to improve health care. But people are having problems trying to figure out who is really going to be willing to pay for this. Because the benefits are really across several different stakeholders, and you can't say to one that you're the one who should be paying for the whole thing that's going to benefit all these other people.

And if we layer on this direct liability civil penalties, that's financial, HIE criminal penalties, I don't think I want to be running a RHIO and have that exposure. I mean, we are just layering more on, and there really isn't a problem to be solved by doing this. Why don't you, you know, wait? At least reconsider this. Maybe wait a little bit longer to make sure that things are functioning the way they are, the way they should be. Because like she said, there's a lot of people that are actually doing more than what is required. So I don't want to talk too long but those are some thoughts.

>> Kirk Nahra:

Okay. Let me turn to David. I want to see if people on the phone have questions.

>> David McDaniel:

If you could expand on that just a little bit. Because I guess what I've heard today is that many of you are already complying with HIPAA because it is a good best practice to do and it is a way to increase the trust of all parties involved. I've also heard some of the concerns related to how some of the HIPAA folklore keeps that from happening, and indeed there may not be a problem except in the interpretation of HIPAA. So I guess I would like to hear a little bit more of, if this were extended, as Sue suggested in her question, if this were extended to you as something that you were required to do, not as a business associate but as a covered entity, how indeed would that impact you if you are already able to do that? I'm not really fully understanding how that would be a major impact to you.

>> Viki Prescott:

One point is that a lot of the people talking today were involved with PHR consumers, direct consumer involvement. So they might be complying with the HIPAA privacy issues aspects with notice of privacy policy, request from the patient for access. I mean, their whole business model is based on consent from the patient, period. Whereas, like our business model is not, we don't allow consumers we don't have a business model to interact with consumers. We are providing the data, getting the data from the providers and pushing the data back out to the providers. So it is a little different business model, as far as that goes. And we do comply with the HIPAA security rule part of HIPAA because our BA agreements require us to do that. But as far as the specific interactions with consumers that are part of the HIPAA privacy rule, we are not involved in that. I just wanted to clarify that.

>>

We are a I called it a community health record, but a networked PHR. We're still a nonprofit, independent group. So we're kind of a hybrid between Lory and Viki. But we are, so we are doing the back channel provider-to-provider stuff, and we are also doing out to consumers. So we are doing both. Not one or the other. So we are having to deal with 360 of all of these issues. But we embrace it. We want that because of my previous statement. We are constantly having to go through audits and questions and responses of due diligence that would, if we were at the covered entity level, you know if I'm sitting in their shoes, I would want to do that kind of due diligence as well, given the business associate situation. And if I really didn't want to play in the sandbox, I would use that as a way to lengthen out the amount of time it would take to get to where we had an agreement to produce data, and that we have clearly seen from a number of our folks.

>> Rachel Nosowsky:

I would like to emphasize that when we talk about, what would be the harm if everyone is basically everybody complying with HIPAA, I would like to emphasize that we have got to be very careful about what we are talking about. If we are talking about high-level standards versus some of the detailed specifications, there is a really appreciable difference. So that if all that happened was imposing the regulation as it is currently written on a lot of players in the health care industry who are not currently covered, I think that can stop a lot of progress in a broad array of activities that are legitimate activities that we all want to happen. We have got lots of published evidence about the negative impact of HIPAA on research and on public health. And we, I think we need to think very hard about just superimposing the regulation across the industry rather than maybe rethinking it and superimposing minimum standards that we can all agree are reasonable minimum standards on the information as opposed to on the players.

>> Kirk Nahra:

All right. Let me jump in for a second. I do want to turn to the phone for a second, but let me just take what Rachel said and use that with the group for a second. We drifted a little bit in the testimony today from what was a specific focus of our hearing. So I would like to offer this for your thoughts probably later. But your last point, Rachel, is exactly what we were trying to get at today, which is, we came up with a recommendation that said there should be a minimum standard for all of the people that touch information in these exchange networks, and we started at the HIPAA standard as a baseline. We are going to talk this afternoon about whether that's a good baseline. The subject we were hoping to address this morning, and we got a little bit, but I actually don't think we got anywhere near enough information on this, is what are the differences in your business, category of business, type of business, that says this one doesn't fit for us. The only one that I have really heard that again, is the easy one for me to understand, is a privacy notice. And we heard some variations on that. Some people said let's post them. You know, the issue is not the privacy notice itself, it is the who you have to give it to. It makes sense to me to say that, Viki, your organization, it makes no sense for you to send out electronically, mail, anyway, to every patient whose information goes through. They are not going to have any idea who you are. They couldn't care -- it is not on their radar screen. That makes perfect sense to me. But if there are other pieces of it. We heard a little bit about the individual rights. Rachel, I think you have been talking about, as I understand your concern, it is a little bit on the uses and disclosure. That's what we want to know. We want to know if you say HIPAA applies to all of these people, we don't want this part of HIPAA to apply for us, for this particular reason. That's the information that we are really trying to gather.

So I do encourage all of you, subsequent to the hearing, send us a followup note. It can be something as easy as an email to Steve. That's really what we are trying to understand is are there particular pieces where we should carve out? Our basic baseline standard, which this group has already recommended -- doesn't mean we cannot revisit it -- but our recommendation is that's the baseline recommendation for anyone participating in these networks. We have left open the question of should we remove particular pieces of that baseline for particular categories of entities, and that's where I would like to get some more information on.

I also want to, I guess, caution this is both for people testifying today and others that may be listening which is I heard a little bit in the discussion, Rachel, you had about research, that there are concerns with how HIPAA works generally on research. Our idea and our jurisdiction is not to fix HIPAA. And so to the extent that there are problems that apply to HIPAA today, certainly want to hear that extending these rules to other people will make that worse. But it sounds like the problem there is more a problem of HIPAA overall and less a problem of the extension, recognizing that extension you know, I understand that piece.

So that's what I want to focus on, is if we take this hypothesis and apply it to all the people that are participating in these networks, are there particular pieces that are simply not relevant to your kind of organization? Does it make no sense to say you must send out a privacy notice to all the people when you don't have customers, you don't have patients? So that's really what will we want to try to focus on.

With that said, let me just turn to the phone for a minute. Are there Workgroup members on the phone that had questions at all?

Okay. Any last questions, recognizing I do want to keep moving on our time. Are there any other questions from folks in the room? And again, this is clearly the start of a discussion that's going to be continuing for this Workgroup. We will want to hear, I don't know whether it is more public testimony versus written information, we are going to clearly need to pursue this topic a little bit more. I think both of the topics we are addressing today, I don't have any, any sense that we are going to try to wrap these up. That's just not feasible today for either one of them. So we're clearly going to be looking at these in the future. You will have other opportunities. Anything else pressing for particular folks on this panel? Paul.

>> Paul Uhrig:

One comment. I guess, in the event anybody takes up Kirk’s invitation to call up some examples. I think another piece is sort of defining what that applies to. Everybody talks about HIEs, RHIOs, and it all gets down to the definition. So to the extent people have thoughts or specificity as to what you're talking about, I think that would also be helpful in our deliberations as we think through this issue.

>> Kirk Nahra:

Let me follow up on that. One of the things I don't remember which testimony it was, but one of the witnesses talked about, and maybe it was written testimony simply amending the definition of a clearinghouse in HIPAA to deal with RHIOs and things like that. I always say to my clients when they ask questions about clearinghouses, well, in HIPAA you don't look in the dictionary for what a clearinghouse is. You look at HIPAA. It is a very particular kind of clearinghouse. Maybe that is something that would make sense in that context, just to say look, clearinghouse we are going to move closer to what the dictionary says, which is these information exchanges. If that were to happen, maybe all we do is say, all right, all the things that clearinghouses don't have to do today under HIPAA, a RHIO doesn't have to do. If there is something other than that, I would certainly be interested in hearing about that. If there is some other piece that doesn't fit because of the particular nature of your kind of business, that's really the you know, I don't understand enough about the details of all your businesses, whether it is specific to your business or to categories, to be able to say, aha, that one doesn't fit. This one does fit. So that's really what we'd like to try and get information on. Elizabeth, do you have a question?

>> Elizabeth Holland:

I just wanted people to think in the context of, we're talking about possibly expanding this, expanding possibly the definition of covered entities. But HIPAA is not just privacy and security. It is also electronic transactions and things like that. Would that have other ramifications for your business, if we made additional people covered entities, or some other way we could get people to do the HIPAA standards for privacy and security without making them covered entities?

>> Kirk Nahra:

All right. With that, it is a little before, about 10 of 1:00. We are going to reconvene at 1:30. I would like everyone ready to go at 1:30 with our next panel. Thank you to all the people that came to us to testify today. Appreciate that very much. If you do have any followup information, please send it along to us. We would be happy to hear it. Thank you very much for your participation today.

[lunch break]

>> Kirk Nahra:

We're going to go ahead and get started with our afternoon panel. We view this panel as starting off what is going to be, I expect, a lively discussion of essentially the following issue which is the recommendation that we had submitted to the AHIC last month, I guess earlier this month, related, as you could tell from this morning, to having the level playing field across entities that are participating in health information exchange networks. The discussion this afternoon is going to start a discussion of what that level playing field should be. Essentially, are there differences in today's environment such that the HIPAA rules in this context don't fit well, don't work well, don't deal with things that are just different today? Our goal, as I said earlier today, is not to address whether the HIPAA rule is a good rule or a bad rule, is it working well, is it not working well, does it have gaps, does it not have gaps. We are not looking at the entire universe of what is covered by the HIPAA privacy rule. We are focusing on our particular contours, in the area of these integrated health networks, and, again, our discussion today is to focus on are there differences in this environment, are there reasons why we should have a different rule or different set of standards that would constitute the level playing field, or is the rule in fact appropriate for this context.

And, again, I envision that we'll be discussing this topic in a number of meetings in the future. We tried to gather today on our panel people that have been involved in these issues for a while, that can give us some perspective, can give us a sense and a little bit of a big picture as to how the HIPAA context relates to the context that we're working in today in these integrated health networks. We have essentially an hour scheduled for the testimony today. We have five presenters, I realize that that -- if you're a math expert that that calculates out to 12 minutes, I would have no objection if each of you took up to 15, please try not to go more than that. And we obviously have some time for questions and answers after that. Why don't we start to my immediate left, and we'll go from there.

>> Isaac Kohane:

Good afternoon, Mr. Chairman, members of the committee. Thank you for inviting me. My name is Isaac Kohane, I'm the co-director of the Center of Biomedical Informatics at Harvard Medical School. By training I'm a physician and a computer scientist, and I've been working over the last 10 years on personally-controlled health records, to be distinguished from personal health records. We'll perhaps go more into that. And on the genomics expression, especially the genomics of autism spectrum disorder. So what I'd like to address is a perspective of health care that I think informs quite dramatically of what needs to be the scope of our protections on privacy, and what are the potential mechanisms. And I'll do this in the following way, in the following context.

I think that we're at a point in our history that is very much akin to where we were a century ago. A century ago, 97 years ago Abraham Flexner issued the Flexner Report and in it he said, you know, medical schools don't teach state of the art knowledge like infectious disease and how to control it, they don't require you to see patients, necessarily, they don't require you to have gone to a college and as a result, fully half the medical schools -- and as a result of the report that he pushed out in 1910, Abraham Flexner did, with the support of the Carnegie Foundation, half of the medical schools in the United States closed. And I'm going to contend that we're a century later, at a very, very similar point.

Let me illustrate it to you in the following way. Let's think about cancer genetic screening tests. How often do you think in the simple study that I've listed in my written testimony do practitioners, primary care practitioners order genetic tests for cancer screening? One percent, I saw someone mouth. That is the modal answer of all very smart panels that I've ever presented that anecdote. In the papers that I cite, surprisingly the answer is 30 percent. In the interest of time I won't torture you, asking you what you think is the best predictor, whether it's the education of the physician, whether it's the family history, and so on. It turns out it's the patients asking for tests. Moreover, other studies have shown that you can increase the ordering of these tests by patients by advertising. And most importantly it's shown that physicians both are uncomfortable in interpreting these tests, and can't interpret these tests. So now you have a full recipe for this intermediation of the health care system. No authoritative oversight of the use of resources, and no authoritative interpretation, and significant decision-making, like removal of breasts and ovaries, based on these tests. What bigger failure could there be? Very much akin to what we saw 100 years ago, with the misunderstanding of infection.

Now, what does this have to do with what we're talking about here? Well, it has to do with the fact that there are a number of companies in the genetic space alone that are saying, given the fact that the health care system is silent on this issue, we're going to step in as companies. And their business plans are varied from one stop shop you give us the blood and we'll give you -- and your question, and we'll give you the interpretation, to you give us the data and we'll give you the interpretation, and a whole bunch of variations thereof.

They are performing very much the role that the health care system has abdicated, and increasingly so. Consequently, in this era, where these decisions, merely in the genetic era, not only have important implications for them, the patients, but also for their families. Because if they're correctly told something, something will be perhaps done in the rest of the family, in the screening for kids. And if it's incorrect, some people might make dramatic life decisions based on incorrect perceptions of what are the odds of a good or bad event happening to them in the near or distant future. How can we not impose the same expectations on the entities that are performing this medical care, fundamentally, as we do for the rest of the health care system? And in this Internet-borne age, increasing the expectation of all of us will be that that's going to be more the norm than the exception, and not just for genetics.

And I just heard a very sad story from Rady Hospital today where I heard that they had a great -- they were renamed because of a 60 million dollar gift, but it was going to cost them 120 million dollars to implement the informational health system. That's a lot of health care dollars. And it seems to me that for 120 million dollars you can do a lot of consumer-oriented health IT support. And I bet other large companies like Google are thinking of doing exactly that. Consequently, I would make a bold prediction that not only is this area of user consumer-borne, extra-institutional, health care institutional delivery of health care going to grow, it will become dominant. Because 120 million dollars for a small hospital just for the IT system and each hospital being slightly different, will not scale to the national level. For all those reasons I believe that these other entities taking patient information from other sources or directly generated from the patient, and directly giving back support to the patient, is going to be an area that those of us who care about good practice of medicine will want to see regulated in ways that promotes safety.

I published a paper last year about called the Incidentalome, you've heard of the genome, but the Incidentalome is the ome of all incidental findings. As increasingly we'll have -- this was in JAMA last year. If you look at the thousands of genetic tests that are going to be interpreted, just like the prostate-specific antigen causes a number of prostates from some of the men in the room to eventually be removed incorrectly, there will be thousands of more such unfortunate events. So this does need regulation.

In the interest of time I'll hold my peace on that section of my concern, and proceed to research. Here I'll take a different tack, which is to say that -- well, actually, let me finish my prior remarks, which is I think the recognition of this extra-institutional activity means it's not only regulation that we have to consider, but fundamentally who is going to control the flow of information. And I think it's ultimately going to be the patient. And we have been pushing this with a lot of generous funding from the National Library of Medicine through an actual implementation called Indivo that's open source and freely available. But we think again this will be more often than not the norm. So making the patient the controller for disclosure of information for any purpose, health care delivery and research. I know the researchers among us, including my closest colleagues, worry about that. But in the end, why should patients owe us anything involuntarily? And I think that that infrastructure is going to happen one way or another. We need to have protections for patients in that context. But it may mean a lot of what we're talking about may not be quite as applicable as we had hoped.

So moving on to the next topic, in terms of research I think there are ways that we can be fully compliant with HIPAA, and involve patients in a much more significant way in research. Right now if you and I get involved in one of these genome life scans that you read about every day, where they're measuring 500,000 single nucleotide polymorphisms, 500,000 variants on one chip for 250 dollars, it's really quite remarkable, and they look for heart disease, autism, any of the common diseases that we care about like diabetes. Any result that pertains to you particularly, or to me, will never be reported, to us, because we're entered into a pact of mutual ignorance. We, the patients, have stipulated that we will never try to find out what was particular about us in that study, and we will just profit as part of a class of patients with a disease, perhaps. Likewise, the researcher says give me your data, I will anonymize it, and I promise never to find out who you are. And that's problematic. In my own research in autism research, I found two patients where I was doing, measuring a bunch of genes, and I found two patients who had something that I really needed to tell them about, about a particular risk about a very bad disease, and I couldn't easily without either breaking the law or worrying the entire cohort of patients.

And so we wrote in the magazine Science a few weeks ago an article that suggests how to use the personally-controlled health record in ways that we're actually going to implement in the coming year, a system that allows patients to participate directly with collaborators in research, where they find out their particular results in a way that's actionable without breaching their anonymity. And how is this done? It's done very simply. Fortunately most of you are -- or unfortunately -- as old as I am, so can remember UHF and VHF television, which my students don't remember. And what happens is at a time of the consent of this patient, in what we're calling now the informed cohort, the patient gives you their blood, as they would normally after a detailed consent process, and all the data as usual gets de-identified and stuck into a database. At the same time, all that data, not de-identified, gets shoved into your personally-controlled health record that only you have access to. And there's a little software agent that for the sake of argument we'll call a listener that's there.

So let's say a researcher finds a finding of interest. Good news, here's a drug that might work for your disease. Bad news, we found an unanticipated risk. Under current regulation it will be consented, if the patient was consented for autism and it was a cancer risk, no way I could tell you about it. But here what we do about it is we broadcast on the Internet the following things: if you have the following genetic characteristics and you have the following personal characteristics, we might want to see you. Now, how is this message going to be received? No one is going to be listening on the Internet. What's going to be happening, just like a television, tuned in or out. First of all, the television may be off. You may not want to be getting any broadcasts, the patient can switch off the television. If you switch on the television, that is the listener agent on your personal health record is on, it intercepts your broadcasts. And then it says this broadcast pertains to a channel I care about. I might tune into the autism channel or the cancer channel or heart disease channel, or any other channel. So you don't get worried about things that you don't want to get worried about. So you maintain full patient autonomy. And then, if your television set is on and you're tuned into the right channel and there's a match, and it's a very simple match, nothing sophisticated. Does this bit of DNA match your bit of DNA? Do these characteristics match your characteristics? Then you get a notification that is being carefully crafted by what we're calling the informed consent -- informed cohort oversight board which is basically a bunch of IRB people and communication experts, how to do effective communication without unnecessarily worrying people, to give them that message. So note, we have now full contact with the patient, without knowing who they are. They know who they are. They're receiving the message, and they can decide whether or not to respond to the message, come to Children's Hospital for further investigation, or we have a drug that might be helpful for your disease.

So in this fashion, without changing anything in terms of regulation, but just by creating this personal health record, we're able to create a full loop. And the patient can keep contributing more information to the system in that fashion, in a long-term fashion, and we don't have to restart a new expensive clinical research trial every time we want to go back to those patients. It's a way of maintaining an ongoing relationship. And our hypothesis, unproven, is that by making patients profit directly, and making it transparent to them how the information is being used and when, we will get more, not less, participation in these trials.

And so in closing, I do think as highlighted by the failure of our system ascribed to human genetics, but I believe it's a larger failure illustrated most keenly by that, by genetics. We are, at this important point, just as we were 100 years ago. Now, it may be that, unlike what happened in 1910, we will not respond in a timely fashion, and then there will be a very, very big change in health care system. Not just closing down of medical schools, but actually changing the whole health care delivery system. I know that sounds a little bit overly visionary, but I think none of us would have thought we'd be buying our books on the net 10 years ago. So I just want to extend my appreciation to the committee for having invited me, and I hope my comments are seen as constructive and thought-provoking rather than stirring the pot. Thank you.

>> Kirk Nahra:

Thank you very much.

>> Brad Malin:

Can you put that up? I'm not as good as you at talking without slides. I'm Brad Malin, I'm an assistant professor of biomedical informatics, and an assistant professor of computer science at Vanderbilt University. So what I’m going to talk about today is not so much -- it's not going to be down on HIPAA, more along the lines of how you can actually enhance HIPAA and make the policy process more informed with respect to data sharing for secondary research purposes within information exchanges.

Currently the situation is that the policy is designed for de-identification such that information, once de-identified, it is allowed to be shared for research purposes without informed consent, provided that an initial consent was offered in the first place. The challenge is that you have to make sure that this information is actually de-identified in the first place, which is much harder to do than maybe initially thought. So you can -- next slide.

So just to rehash, and I don't want to beat a dead horse if everybody is familiar with this, HIPAA basically gives us three different ways in which we can find policies for data sharing. The first being safe harbor -- if you can skip to the next slide. Safe harbor, if you're not familiar with it, or if you are, just to review, basically says that you can remove 18 specific identifiers that correspond to an individual, and if you remove those 18 identifiers, mainly which correspond to the name, the street address, ages that are beyond a particular point in somebody's life, if you will remove these features, then you are allowed to share this information unfetteringly. So it's not necessarily even the point that you have to have data use agreements in place even within an information exchange. And this is just something to recognize, because the policy in that respect is a little bit limited. So to skip forward, that's all of them.

So for about maybe five, seven years I've actually been looking into the ways in which if you just took an individual’s piece of DNA and the information associated with it, what exactly does it tell you about this individual in ways that it could lead to their identity, and how hard would it be to actually identify an individual. So there's been a lot of different techniques that I and Latanya Sweeney and several other collaborators have developed over the last couple of years that evaluate certain things such as how could you do genotype, phenotype inference such that you could take an individual's DNA and cross-list it with just a typical discharge database. Next slide.

More recently, we've been looking at what happens when you take DNA and you tie pedigrees to it. This has become more and more common practice within population resources and population-based studies, such that the types of pedigrees that you get are actually quite detailed. Unfortunately, the more detail you have, the more ability you have to go out to public resources, such as genealogy databases, or death indexes, or obituaries, and reconstruct the individual's family. In many cases if you go to genealogy.net, this is actually already done for you. So you don't necessarily have to write a software program, which we did. Skipping forward.

I really wanted to take a second and talk about what it means for data to be identifying. And especially with respect to genomic data, but in a sense this is a generalizable model. I'm just showing you with respect to DNA. In a sense what you've got on the left is you have people who are publishing de-identified DNA information, and then on the right what you have is identified information. Now, the question is, how do you actually relate the two of them? And re-identification requires two things. First, it requires the information to be unique. Okay? If it's not unique, you have no ability to distinguish between people within a population. All right? So as soon as you have uniqueness, you can say okay, I can distinguish between you, but that does not necessarily tell you that the data itself is going to be re-identified. To conduct a re-identification you actually have to figure out what makes it linkable. So for instance, is it the genealogy, is it the public information within birth records or death records or marriage records, how exactly do you perform that linkage? All right, so if you know that these are the two criteria -- turn -- you basically have two ways in which you could protect the information in a more formal way than just doing a policy specification that says remove the identifying information.

First you could say we're going to make the data non-unique, this is just one option. The second option would be you figure out what it is about the linkage model that makes this data linked to identifying information, and you figure out how to thwart that. You have to be cognizant of the fact that a lot of this information is already in the public realm. And since it's in the public realm, you can't just remove that. So you have to be aware of if this stuff is out there, what exactly do I need to do to my information before I'm allowed to publish it. Next slide.

I'm going to skip the second aspect of HIPAA, the second aspect of the HIPAA privacy rule to talk about the statistical standard for a second. This is, this is something that's not used very often in practice, one of the reasons being is that it's a very fuzzy gray space in the way that HIPAA is defined. Basically what you have to do is find a statistician or a scientist who can say yeah, here's a certifiable method for sharing your information. We're currently sitting at a point at which this is not currently done. And I believe that this is something that we can move forward towards, it's just going to require people working in the space and being intelligent about what they do. Let me give you an example of what I mean. Next slide. Sorry.

So back in the late 90s and early 2000s, Latanya Sweeney published her Ph.D. dissertation in which she proposed several different models in which you could do privacy protection. One of them being this model called k-Map. And k-Map said for every piece of record I'm going to give out, I'll guarantee it relates to k people in the population, I'll guarantee it. Now, she didn't say how you could do that. And so that led into another model that was called k-Anonymity, which has received a lot of traction within the computer science community, because it's a really interesting computational problem. But from a policy perspective, k-Anonymity is really simple to implement, just says I make k records exactly the same. If I make them exactly the same, you can't distinguish between those k people. Moving forward, recently we've been playing with another model which we called k-Unlinkability. We don't necessarily have to make the data equivalent to each other, we just go back to that linkage model and we say how do we actually distort that linkage so that we make a piece of information relate to k people. And then prove that. So next slide.

Let me give you another example. There's another type of re-identification problem that exists. It's not just with respect to DNA information, this is a problem that happens in public surveillance, on the Internet. Basically what we've observed, and we've used real data to verify this, is that people go to multiple places and their information gets shared independently by multiple places. And as a result, you end up getting these patterns, which we call trails. Where exactly was this person? All right, and in this type of situation what you see is you've got de-identified information on the right, identified information on the left, but the patterns are exactly the same for the individual, and they're unique. So skipping forward.

How do you actually address trails? One of the ways in which we addressed trails was we figured out what exactly it was within the trail that needed to be suppressed in order to make it linked to multiple people, all right? So we called this the secure trail anonymization protocol. Next slide.

And it works basically as follows: each group is going to take their data, click, they'll encrypt it. Click, they'll send it to some third party, we're not going to define who that is at the present time. That third party is going to, click, tell you what information can't be disclosed to satisfy your model, send it back to you, you will decrypt it. You will then send it into the information exchange. Okay? Final click. All right, one more click. Lots of clicks. Basically, what we're doing is we're giving everybody the ability to satisfy a formal model of protection, and in the process we're not revealing any of the information until it's guaranteed to be protected in the end. We did do some experiments on this, I just wanted to show you that it works in the real world, at least with real data. Basically, we took hospital discharge databases from the State of Illinois during the 1990s, we extracted a bunch of different genetic disorders. And basically what's really interesting about this is with -- so this is for a test of k equals 5, those are the disorders all the way on the left, you can see how many samples there are and how many hospitals are participating. If everybody discloses the information, then the re-identification is actually pretty high for k equals 5. What that means is that you'd be able to link a piece of information to less than k identities. All right. So if you ran our protocol, we could guarantee that none of the data would be re-identified. And yet you could still get for the most part usually on the order of, in this case, three quarters to a little bit more of the dataset, available for research purposes. So next slide.

Just to give you a little bit more in depth of what's going on, you could vary this as however you want to set k. Obviously, if k increases the identifiability of the data would increase. What we're saying is that somebody who really doesn't care how many people the data relates to, if they're willing to accept 30 people as a re-identification, that's what k equals 30 on the left would imply, that 60 percent of 1,150 patients would be re-identified. But if you look at the right, this is if you apply our model, you can see that the number of people that are allowed, their data is allowed to be used for research purposes, decreases at a slower rate than that re-identification rate was increasing. Okay, so next slide.

One of the reasons why I find these types of models really interesting is that it gives you an explicit way to tie the technology directly to your policy. So if somebody has an initial setting, they say, all the administrators come together, and they say k needs to be 40, don't know where the number comes from yet, that may be from an informed community model, but you say k equals 40. If that sets the research, the amount of research data lower than what a researcher needs, they could come back to you and say hey, I need to have a little bit more data, which would give you the ability to reset your system. So that you can give them more information, but at the same time you can quantify how much additional risk you've actually entered into the system. So last slide -- almost last slide.

I also want to be very careful. This is a very specific model, I'm just giving you an example of how these types of formal models can be applied in practice. DNA data unto itself is a unique identifier. It's not necessarily identifying, but it's a unique value for the most part, depending on how many SNPs you have or how many regions of the genome you're taking into consideration. And so if you're not doing anything to the DNA, sometimes you have to be a little bit more careful in terms of the way you're doing disclosure. It's also the fact that it's not just going to be DNA that's shared for research purposes within information exchange. It's going to be tied to clinical information. Because if it wasn't, it would not necessarily be useful for any type of research. It's going to be tied to pharmaco-information, it's going to be tied to clinical information. It may be tied with doctor's notes so you have an indication of what this person was presenting, without having to use very standardized diagnosis codes.

So at Vanderbilt we actually -- we are also doing a project with DNA databases, and we're basically building one large limited dataset, which gives you the ability to have more detail in the information, for researchers, but at the same time you are going to require them to sign some kind of a contractual agreement. So even if there are residual identifiers, residual information, you're basically telling them don't attempt the re-identification.

I just want to be clear, here. You could imagine that every single type of research use in this information exchange could use a limited dataset. This is going to be increasingly a burden, as the amount of research that takes place within this system increases. So one of the things that we're trying to advocate here is that if you can have some type of a formal model of privacy, some type of an indication of where the risks lie, then you can have a limited dataset or a contract that is more appropriate to the situation. It's basically just a matter of understanding where all the problems could potentially occur. Next slide. This isn't important, next slide. Keep going. Keep going. Just click through the slide. All right. All right, good.

Basically what we also did at Vanderbilt is we have an operations oversight board. All right, so it's not just that contract sits in place, it's if somebody wants to do research with this information currently we have it so that they do apply to do research within the space. It's not just that we're going to publish the information that will be made available.

So just in conclusion, so I don't overstep time, here, I basically just wanted to say that the re-identification threat within these systems, it does exist, but the point of this is not to try to scare people, or show that this is the worst possible scenario for sharing information, it's just to inform you that HIPAA doesn't necessarily cover information in the way that people expect it to. And you just have to be cognizant of all the potential threats that exist.

I emphatically believe that formal privacy protection models from a technical perspective can be built, and that this can be tied with policy to have a more formidable type of protection. But I don't believe that either one of them by itself is going to be the way to go. So as my third bullet, my final point, don't go yet, is that this is very much a research phase, and this is very much something that's coming on the horizon. And there are more and more people that are getting involved, but it's still something that's going to take a little bit of time until we say we have all the problems solved. So that's it.

>> Kirk Nahra:

Thank you very much. Joy?

>> Joy Pritts:

Good afternoon. Excuse me. Good afternoon, my name is Joy Pritts, and I'm an associate research professor with Georgetown University's Health Policy Institute. Thank you for inviting me to be here today with your Workgroup. At the Health Policy Institute I focus on research that looks at policy issues, not surprisingly, primarily from a consumer perspective. And my particular area of focus is the consumer's perspective on how their medical information is used, and whether they can access it, and how they can control it.

Today, we're looking at whether these new, new horizons, new environment, new perspective, and whether these new mechanisms can be covered adequately by the HIPAA privacy rule. Our starting point for these discussions I think should really focus a little bit beyond HIPAA. And the first point is that all of these methods of sharing health information should follow the fair information principles that have been established. So before you even get to HIPAA, you need to look at the fair information practices, and when you're looking at that, is this going to work with this type of health information exchange? I'm not going to go through all of these principles in detail, we've probably been through them a lot through many of these meetings. But they include things such as openness; collection limitation; specification for what purpose the information is being used; limitation on the use and disclosure; make sure that the data has quality, is of proper quality; that the individual participates, that is, that they know what is happening with their information, and that they have some degree of control over how it is used; that there be security safeguards for the information; and most appropriate, I think, for the discussion we're having today is that all entities who collect personal data and maintain personal data on individuals should be held accountable.

That's where we are today. And many, many people and many organizations are held accountable now under the HIPAA privacy rule. Many of these new electronic health information exchange models, though, are different, and they raise different issues. And today, what I'm going to speak on is I'm going to focus a little bit on what is generically called a personal health record and see how that really interplays with HIPAA, to show that the HIPAA privacy rule, while it is modeled for a specific group of users, that model does not necessarily transfer to these new developing entities. There are a lot of different definitions of a personal health record, and I'm going to focus on what I would call the stand-alone model. So that it is not tied to a health care provider or a health plan, and that it is a stand-alone model that is being more or less marketed to the individual by a third entity that is not necessarily covered by HIPAA. Most of these personal health records are being marketed to the individual as something that they're going to be able to control. So one of the key issues you look at is how the HIPAA privacy rule is structured, versus how these personal health records are intended to work.

Now, under the personal -- under the HIPAA privacy rule, the entire premise is that the provider and the plan are the entities that primarily control the information. They have traditionally controlled the health information that they hold, the individual is recognized as having an interest in that information. But that's the entire model that HIPAA is premised on. And there are a lot of consequences that arise from that model. In contrast, these personal health records assume that the individual is the person or entity that's in control. And so the model, the premise and the new model, they just don't match.

I'm going to give a few examples of this, as to how it would actually work. You really would not want me to go through provision by provision for HIPAA, but what I'm going to do today is just an example of what you could do with almost every section in HIPAA, and see how it really just doesn't match up with these stand-alone personal health record entities.

Under HIPAA, for example, providers and plans can use and disclose health information without patient permission for treatment, payment, health care operations. And health care operations includes as one of its elements suggesting alternative treatments. There are a number of other purposes, I think there are 18 to 20, also under which HIPAA permits currently covered entities to use and share health information. Most of those are for purposes that these entities have always traditionally used this information for. In contrast, you have now this personal health record. Under the personal health record, the way it's being marketed, it’s patient-centric. The patient controls the information. So the selling point of these is that the patient is the one who decides what information is contained in their personal health record. They choose what information goes in. The patient is the one who decides who sees the information. Nobody gets to see the information unless the patient gives their permission. What information that person sees is also controlled by the individual. And the individual also will be -- is seen as having the right to determine some of the circumstances under which their personal health information can be shared, such as you could share my health information with any provider if it's an emergency, which is typically called the break the glass provision.

It doesn't say -- what it doesn't -- what this model doesn't do, is it doesn't normally say, by the way, and providers and health plans can share your health information for all these different reasons, and they don't have to ask you about it. It just -- or that the entity that's holding the information, more importantly, can share that health information in a similar manner. So what -- and particularly of interest here is when you get down to the health care operations purpose, because one of the elements of health care operations is the ability for a covered entity to inform or advise an individual of alternative medical treatment, and facilities where they can obtain treatment. And it holds a very different meaning, I think, than when it's a provider advising you of those different mechanisms, those different treatments. When it becomes an independent third party who is trying to maintain their cash flow, I don't think it takes a great leap of imagination to see pop-up ads appearing on people's personal health records, and legally, without their permission, for that to happen.

So I guess the long and the short of it is that I know that there is a great reluctance to change the existing structure of the HIPAA privacy rules, and I would caution that you cannot simply take the privacy rule and apply -- as it exists, and apply it to many of these developing new models of sharing health information. It doesn't work. It's like trying to put a square peg in a round hole. And it simply does not meet the new models that are developing. Thank you.

>> Kirk Nahra:

Thank you very much. Mary?

>> Mary Grealy:

I'm Mary Grealy, president of the Healthcare Leadership Council, and on behalf of the Healthcare Leadership Council, I really thank you for having us here today to testify on this extremely important topic.

As we move closer to that day -- and I hope we're getting much closer -- in which virtually all health information will be communicated electronically, it's important that we have this discussion regarding the HIPAA privacy rule, and how patients can be assured that their confidentiality will be protected, but I think more importantly, that the information will be used to provide health care of the highest quality. And that's a big component of how can we improve health care. It's a complex issue requiring a balancing of many, many critical interests, and I think you've heard many of them here today. And it requires very thoughtful consideration. I want to thank the working group for taking on what I consider a very, very big challenge.

Let me say just a word about the Healthcare Leadership Council and our interest here. We're a not-for-profit trade association that's comprised of chief executive officers of many of the nation's leading health care companies and organizations, both for profit and not-for-profit, but uniquely representing virtually every sector of health care: hospitals; health plans; medical device manufacturers; large distributors, like McKesson, Cardinal Health Care; retail pharmacies, like CVS; academic health centers, like the Mayo Clinic, Cleveland Clinic. So as you can see very, very diverse group. Many of our members have been the early adopters of health information technology. They not only have a great deal of expertise in dealing with electronic medical records, but they also have a lot of experience and a strong interest in protecting patient privacy.

The Healthcare Leadership Council has also headed up a confidentiality coalition of over 100 members that really has devoted its time and effort both legislatively as well as working with the Administration on developing workable privacy legislation, as well as a workable privacy rule.

There are a few important points that I'd like to make today concerning the existing HIPAA privacy protections, and as well as how our privacy environment needs to be improved as we move towards this national health information network. I think it would be useful just for a moment to revisit how this privacy rule came into being. As I said, the Confidentiality Coalition has been in existence for 10 years, and it's been a lot of work -- time working on it. I think it's not surprising, given the extraordinary complexity of our health care system, that it took about five years to enact the legislation and then go through the regulatory process, to develop the HIPAA privacy rule that we have today. And we dealt both with the Republican administration as well as the Democratic administration in getting that final rule published.

The key word in creating that privacy rule, then, and I think it's even more important today, is the word balance. It was essential to create a rule that would of course protect the sanctity of the patient's medical information, but at the same time, ensuring that necessary information is available for providing quality health care, and for conducting important medical research.

I think by any measure, the HIPAA rule, which does carry very strong civil and criminal penalties for noncompliance, has reached this or achieved this balance. Health care providers and payers and other covered entities, as well as their business associates, have implemented very comprehensive training and compliance plans to adhere to the privacy rule. I think you heard especially from the earlier panels just how complex this HIPAA privacy rule is, and how much work it has taken to achieve that compliance. I would say in many instances we're actually seeing what I would call hyper-compliance. And that may address some of the folklore that Mr. Sullivan was talking about this morning, where we really see people going above and beyond what the requirements of that Federal rule happen to be.

Because we are in the midst of this transition to an electronic health care record, questions are being raised about the privacy and the security of health information in this digital age. But I think it's important to know that that original HIPAA privacy rule was spurred by a concern about the electronic transmission of identifiable patient information. And so in many ways, I think the HIPAA rule already includes ample protections governing the confidentiality of electronically transmitted patient information, in fact, whether it's electronically transmitted or otherwise. We're concerned that because the policymakers and the public may not be fully aware, and it's clear that they're not fully aware, of the current protections that are already in place as part of this HIPAA privacy rule, and as we transition to electronic medical records, that we're going to see what I would term a reactive advocacy in some quarters to really impose additional and perhaps very burdensome, and in many instances, unnecessary privacy regulations. And so I hearken back to how important it is that we really achieve this balance between protection, but also making sure that we can have the necessary flow of that medical information for all the important purposes that are out there.

We're seeing a continuing debate about the issue of patient consent, as well as control of those medical records. This was a matter that was debated at great length as we were developing the current HIPAA privacy rule. Now, some have suggested, and still do, that providers and payers should have to obtain prior consent from patients before they can use their health information for treatment, payment, and health care operations. I hope we don't have to revisit that debate. As I said, I think people are in compliance, and it's working, and we've really struck the right balance. That idea was rejected as part of the HIPAA privacy rule, but it was clear that if we did have that prior authorization, that it really could delay important treatment. And I think in a very practical sense could make it difficult for people to get the health care treatment in a timely fashion that they might need, and particularly for very vulnerable populations.

Well, we all know that health care information technology can have great benefits for patients, both for their safety as well as their quality of care. And that I think that the potential for it really will not be realized if we constrain that exchange of information. Again, by excessive or overly burdensome consent requirements or other barriers that might be imposed as we're taking a look at what we need to do in the privacy area. I think the same reasoning also holds true when we begin to discuss personal health records. We agree, and I think as Joy has pointed out here, that in respect to personal health records, individuals will want to control their distribution. And that does appear to be the way they're working now, that that contractual relationship between those that are providing the personal health records, is that the patient, the individual, really is going to control that disclosure.

We're a little concerned, though, as we transfer some of that information from the personal health record to the true medical record, that the rules will change a little bit, in terms of what should the patient controls be in that particular environment. Physicians, in providing treatment, must be assured that they do have the patient's accurate information, and that they have complete information. So as we transfer from the personal health record, and people are giving these entities permission to do that, that we make sure that we're under that HIPAA umbrella, once it becomes part of that medical record. We think personal health records should be controlled by the individuals, but as I said, once it gets in the medical record we think it should be HIPAA controlled.

There is some question, and I think we've heard a lot of it today, over the regulation of those personal health records. What should it be? Because clearly, the HIPAA privacy rule did not envision these types of entities when that legislation and the rule was being developed. I think we all envisioned, as Joy pointed out, that these records really were going to be housed either with hospitals or physicians, in some instances with the payers. In other words, all those covered entities. Well, today individuals are giving these companies the permission to hold their personal health records, and then those companies are going to send that information to clinicians and to health care providers, once they receive the authorization from the patient. Now, these companies include health plans, in many instances, as well as stand-alone organizations, and often they're divisions of much larger diversified corporations that may not be health care companies. Now, to the extent that these records are held by health plans, then clearly, they're a HIPAA covered entity. But to the extent that they're not, what we've heard today is that these are essentially unregulated entities for purposes of privacy, other than through the contractual agreement between those consumers and the companies that are providing the service. We would support reasonable -- and I emphasize reasonable -- efforts to ensure that personal health records that are held by these organizations, and that are not HIPAA covered entities, be required to meet HIPAA privacy and security rule requirements. Now, maybe it's HIPAA-like, and that's really open for discussion. We think it really should be done in a way that does not stifle this innovation.

What we're seeing now, and I think it's very important and what we would hope to see, as a patient-centered health care system, that patients are getting more active in managing their health care. And these personal health records can really foster that. Perhaps one possible solution to this is to really treat these health information exchanges as health care clearinghouses. Don't have the same strict requirements or all the requirements that other covered entities do, and perhaps this is one thing that should be looked at. But that is some way to sort of bring these entities under the HIPAA statute.

Well, I said at the outset that I wanted to briefly discuss how our privacy environment needs to be improved in the electronic age. Now, while the HIPAA privacy rule is effective in protecting patient confidentiality, it is becoming increasingly clear that as we develop these multi-State health information exchanges, that we really do need the creation of a uniform national privacy standard. This is something that we've sought for a long time, but I think it's increasingly important in this new environment. We all know that while HIPAA establishes a Federal privacy standard, it permits very significant State variations that are found in thousands of statutes, regulations, common law principles, and advisories. And I think Mr. Sullivan really gave you a good example of just what's going on within one State, to say nothing of what happens when you go across State borders. So we do have in essence this patchwork quilt that creates a lot of confusion among those who hold this identifiable health information, and those who seek to establish the information exchanges. We have a morass of rules and regulations that really are going to create even more serious impediments to interoperable sharing, and the sending of health information across State lines. HHS does not provide a comprehensive analysis of these variations. It really has been up to the private sector and individual providers to figure this out on their own, often at great cost. So we really need to work on this, especially in this 50 State environment. Many organizations just don't have access or the resources to really do this analysis.

The Healthcare Leadership Council is not alone in calling for this national uniform standard. The Commission on Systemic Interoperability, charged with developing recommendations on HIT implementation and adoption, recommended to Congress that they authorize the Secretary of Health and Human Services to develop a uniform Federal information privacy standard for the nation. We think that this would really help facilitate broader data exchange interoperability.

Well, so often those of us in the policy arena talk about these privacy issues in very abstract terms, very abstract terms. I've learned very recently that oftentimes it's helpful to come face-to-face in our health care system with these issues on a very personal level. And to get a much more vivid sense of how our health care system is working, but I think more importantly, how can our health care system be improved.

My family currently has a very compelling example in the person of my dad, Joe Grealy and he's given me full information to talk about his medical condition. My 88-year-old father lives in Fort Lauderdale, Florida, and just a few months ago after a brief hospital stay for acute kidney failure he began a regimen of dialysis three times a week. At the same time, he was just finishing receiving radiation therapy five days a week for prostate cancer. I can tell you firsthand that the staff of the hospital, the staff of the oncology center, the dialysis center, and all the different physicians and their staff that my dad has been dealing with, are fully complying with the HIPAA privacy statute and their rules. Oftentimes to the extent that it's been difficult for me and my five brothers and sisters to get the information that we need to really coordinate his care. More importantly, however, I'm experiencing firsthand the absolutely critical need for an electronic health record, so that my dad's oncologist, the radiologist, the dialysis center, the nutritionist, the cardiologist, could have in real-time the information about what are each of them doing, what are each of them prescribing, what are his lab test results, so that they really know what his condition is. An electronic health record would have avoided my dad's recent experience, within the last three weeks, of receiving Procrit for anemia from his oncologist while he was receiving a similar medication, Epogen, at the dialysis center. He didn't realize what he was receiving from either of those providers, because it wasn't clearly communicated to him. But more importantly, it fell to us, his family, to notify those two providers of the potential conflict here. Obviously, with an electronic health record, they would have had that information in real-time, and we wouldn't have had that problem.

So as I said, we often work on policy issues in the abstract. I've had the experience of seeing this firsthand, and it's why I feel so strongly that as we move forward and try to figure out how should we deal with privacy in this electronic health information technology age, that we're not doing things to slow down more rapid deployment of getting this done. So I would just really strongly recommend that we do this balancing act. It's a difficult challenge, a difficult charge, but we have got to move ahead with this as rapidly as we possibly can.

And I think we also have to keep in mind, especially from the provider perspective, they've done a fantastic job of compliance with the HIPAA privacy rules. But in doing so, they have had to divert dollars away from direct patient care in order to do all of the administrative things that are required as part of this. So again, I just hope we don't continue to make it complicated, and as we expand the reach, possibly, of the HIPAA statute, that we do it in a way that will not stifle innovation and will not divert critical resources. So thank you, and I look forward to working with you.

>> Kirk Nahra:

Thank you very much. Bill?

>> Bill Braithwaite:

Thank you, Mr. Chairman, for inviting me to contribute to this conversation. My name is Bill Braithwaite, I'm a retired physician, (inaudible), probably best known as the author of the Administrative Simplification subtitle of HIPAA, and co-author, as a senior advisor at HHS, of many of the regulations, including the privacy and security regulations that we've been talking about. Next slide, please.

What I'd like to do is very quickly point out that 13 years ago the Administrative Simplification subtitle was written, and it included very specific administrative and financial transaction standards requirements to the Secretary. And that the privacy and security aspects of that were directly related to this demand for putting these financial transactions electronically. Next slide.

The people that were being covered by this are explicitly health plans, health care clearing houses, and only those health care providers who conducted the HIPAA-defined standard transactions. Now, Medicare made sure that all providers of greater than 10 FTEs had to report electronically using those standards, so they got wrapped in. And HHS had to make up a concept of business associates, which wasn't even in the original law, because this concept didn't even exist. But the idea of having private information going out to an organization that wasn't controlled by the law or the rules didn't make any sense. So the concept of business associates was developed so that the information would still be protected when its processing was outsourced. Next slide.

Protected health information was defined at the time in such a way that de-identified information is not covered. And Zach was very -- no, it was Bud, who laid out the differences there between de-identified information, and I'm very pleased to see that there is some developments in that area, because that was a very, very difficult scientific and political decision to make about how to define what was covered and what was not. Next slide.

To reiterate with a slightly different verbiage, the HIPAA privacy rule was written keeping these five principles, which originated in the 1973 principles for fair information practice: that the existence and purpose of record keeping systems must be known by the subjects of that database; that they, those subjects, have choice in the sense that the information is only collected with the knowledge and permission of the subject, used only in ways relevant to the purpose for which the data was collected, and disclosed only with permission of the subject or some overriding public law, legal authority; the patients or subjects have access to the information to assure its quality; that reasonable safeguards for confidentiality, integrity, and availability are in place; and that violations result in reasonable penalties and mitigation. These principles are what we would all want for our own personal information. And virtually every other country except ours has adopted these principles and passed laws to protect all individually identifiable information in all walks of life, not just health information. But despite that, these are the principles on which the privacy rule was written.

The security rule, on the other hand, was written with a very general set of process requirements: that each entity that held protected information identify and assess the risks and threats to that information, and take reasonable steps to reduce those risks. And then there's a bunch of slightly more detailed information about what kinds of risks, and what kinds of things you might do to reduce those risks, but it was very open, and very flexible. Next.

These different approaches had -- there's a reason for these two different approaches that we need to keep in mind when we talk about how to extend these principles to new areas. The privacy rule was based on the application of simple, stable principles to the most complex human endeavor in history. Think about that. What we ended up with was an extremely detailed set of regulations, which were intended to be followed because it was perceived, at least, that the change in both the principles and the practice at the level of the privacy practices would be very slow. And perhaps the recent developments that we've been talking about here say that maybe that change isn't as slow as was expected when we first wrote these rules.

The security rule, on the other hand, was based on the idea that general principles applied to a rapidly changing environment was in order. Highly technical threats and potential protections change rapidly. We've all seen the amount of theft on portable devices going up, which, if you did your analysis, would require that the data be encrypted under the HIPAA security rules, if applied properly. We've also seen the identity theft issues, and the ability to tap into people doing remote access, which if you went through the process specified by HIPAA security, would mean you require two-factor authentication for every remote access to protected health information. So the rule is there and can be adapted to those things very quickly, because it was set up to be flexible to respond to these technical and rapidly changing threats.

The preemption was a bit of a problem, politically. And let's not forget that it was in the minds of the people writing these rules to try and make these rules as complete and as consistent across the nation as possible. But there were political reasons for not being able to do that, hence, the ability of a State law to provide more stringent privacy standards. It also exempted the preemption of other Federal laws. So what we ended with is a complex web of regulations, based on other Federal laws and State laws that are more stringent and local laws that are more stringent. So the complexity has a root in the political inability to make a national standard for health information privacy. And let's not forget this as we decide what to do next.

You've heard a little bit about this, the variation that the HISPC study has found in the ability of people out there trying to implement these things due a lot to misunderstandings and differing applications -- next slide -- due to variations related to State privacy laws, which turned out to be scattered all over the place, and when they were found, they hadn't been enforced so nobody even knew they existed, and then they turned out to be conflicting, and they were antiquated because they were based on privacy for a paper-based system. Trust, as several people have already said, turned out to be an extremely important aspect here, because organizations mistrust each other, or say they mistrust each other, for a variety of other purposes. And consumers and patients mistrust other organizations that their doctors don't belong to. And that's pretty well supported by the surveys that have been out there. There's lots of concerns about liability for incidental or inappropriate disclosures. And then the general resistance to change out there in the industry often uses HIPAA as an excuse for not doing anything. Next.

So to summarize from a very personal perspective what the HISPC study is coming up with, I would say that fear, uncertainty, and doubt are impeding health information exchange, and health information technology initiatives, and those things have to be resolved. I think the GAO report that came out earlier this month is also reiterating some of those issues, but the HISPC States are starting to understand the issue, and they are coming up with solutions for practice and policy issues, legal and regulatory solutions, technology and data standards, and education and outreach within their States. Very little so far has come out in those reports that would go across States or nationwide. But you should expect that the final report, which is in revision and clearance now, will recommend multi-State and national level recommendations to deal with some of these problems.

So how do we deal with it? Just a couple of alternatives for you to think about. I've been thinking about this for a couple of decades, so I thought it might be useful to hear from that perspective. It would clearly be useful to have a new comprehensive Federal law, because it would cover all participants equally. But don't forget how difficult it is to get that passed. Since 1973, our Congress has been trying to pass a comprehensive health information privacy law, and every decade they try it and they fail, because they start arguing about States’ rights and abortion rights and minors’ rights and things that get them diverted off passing this sort of law.

However, there are three different approaches to this comprehensive Federal law that I think are worth considering. The first is a nondiscrimination law, particularly with a genetic nondiscrimination law on the books and with some momentum. If we could make it illegal for organizations to discriminate against individuals based on their health status, it would in fact remove the major motivation for people who want to keep their health information secret, making the rest of what is really a privacy issue much easier to handle.

Comprehensive privacy law. I think that's not really possible. But a different approach to comprehensive privacy law might be, which is requiring each State to pass laws that meet certain criteria. This is the approach taken by the EU, their directive on personal data protection, where each of the nations has to pass laws that meet certain criteria. The downside of that, of course, is that States that sign up for such an approach may not send or share individually identifiable information with the States who haven't signed up. That's both a motivation for the States to sign up, and a difficulty for sharing information in the way we would like to do that.

A third approach is the comprehensive health information privacy law, similar to what HIPAA recommended in the first place, even though it wasn't passed. This would apply to any person who handles the individually identifiable health information of another person, no matter who that person is, and would limit State variability to enable electronic health information exchange across the nation. That's a big thing to bite off, it's not something that can be debated overnight, but I think it's something to keep in mind as a potential solution.

A Federal law that modifies HIPAA is a potential approach. But remember that a law that adds new types of organizations that handle individually identifiable health information would require a brand new set of regulations applying those same principles to the new functions. You can't just say a health information exchange is another kind of clearinghouse. And you can't just say okay, they're covered entities, because the rest of the law and the rules are focused on administrative transactions that those guys don't do. Now, maybe that's an excuse to set standards for the clinical exchange transactions, and HIPAA was written to kind of allow that, but it's very slippery, and no Secretary has taken up that gauntlet yet. But maybe a change in the law could put those two things together and make it feasible.

Including requirements for specific clinical information -- I already said that. The transaction standards.

Classifying health information exchange organizations as a new type of clearinghouse would require new regulations with new tweaks to make sure that it meets the business models of health information exchanges, because there's a lot of diverse business models being developed, and they don't look like administrative clearing houses at this point at all. Particularly, record services are, have to be covered entities in the sense that they have direct interaction with patients, but their business models are hugely different from health plans and providers. So again, a new set of regulations would have to be written specifically for that group.

A third approach is a model for State laws. If there was a common model that, based on the HIPAA regulations and the underlying principles, that could enable States to pass very similar laws. This is conceptually based on the successful passage and use of the Uniform Commercial Code, or another example is the notary public law. These are not Federal laws, but they're like Federal laws in the sense that every State has passed a law that is very similar to the model. And if we can keep them tightly coupled to those models, then the differences can be easily identified between the States and dealt with as we have to exchange health information across the borders.

So in conclusion, I think the HIPAA privacy and security rules are based on solid principles, but HIPAA cannot be used alone, in its present form, to adequately cover these new kinds of health information exchanges. The applicability and the regulatory details just don't fit. But HIPAA is a good guide as to how to apply these principles to new environments. We've got a couple of ways that it was done that could be modified and applied to these new environments. But the HIPAA implementation challenges that you've heard about not only in this discussion but in many others should serve to forewarn about the similar kinds of implementation difficulties that these new regulations would undertake and to motivate prevention of those similar difficulties in future legislative and regulatory efforts. Thank you.

>> Kirk Nahra:

Thank you very much to the panel. Why don't we take some time now to open the floor up for the Workgroup to ask questions? Anyone want to start us off? Jill?

>> Jill Callahan Dennis:

Sure. Dr. Braithwaite, I'm intrigued by the Uniform Commercial Code approach, and I'm familiar with the work that was done back in the 80s with the Uniform Health-Care Information Act that the Uniform Law Commissioners put forward. And that was adopted by only two States, two or three. Do you think the climate has changed sufficiently that another stab through that route might be more successful?

>> Bill Braithwaite:

My opinion is that things have changed enough to make them pay attention. Not only has HIPAA gone forth and everybody had to comply with it, at least to some degree, or maybe even hyper-comply with it, I think the States who have been investigating under the HISPC rules about how bad the situation is, about the lack of overlap between the Federal and the State laws and regulations, has made people much more -- the States in particular -- much more aware of what the issues are. And several of the States involved in that project have already proposed that they change all their State laws to be exactly like HIPAA with some modification. So I think the timing is ripe for that kind of approach. Particularly if we could take one of the comprehensive proposals I said and pass something like the EU directive at a Federal level, that kind of forces all the States to pass something, and then try and get them to comply with a set of criteria that makes it feasible for us to do cost-effective electronic health information exchange across State lines.

>>

-- the HISPC meetings, one of the people, when we were talking about the different stringencies of the Federal confidentiality law for substance abuse records, some brave soul made the comment that the States would prefer, would so much more prefer some uniformity, that they would be willing to go more stringent to get it. So with that sort of as a concept, what is your own opinion about how stringent they might go? I mean, what would a compromise, based on your conversations with them, what would they tolerate if you were going to go more stringent, with the payoff of getting uniformity?

>> Bill Braithwaite:

More stringent about what, would be my first question.

>>

Well, protection. Greater protection.

>> Bill Braithwaite:

Because greater protection means something different to everybody.

>>

I would say more control over -- in -- via consent, client consent.

>> Bill Braithwaite:

I have major issues with that concept. Because HIPAA was written originally, and then changed, and then came somewhat back to the original concept, which is that if you show up at a doctor's office, the implicit permission that you are giving by showing up in their office is that they are going to do their job, which implies that they get information from you and about you and use it to help you make clinical decisions. Sticking a consent in front of that means absolutely nothing. It is a false and burdensome and misleading quote-unquote protection. So I think from the consent perspective, HIPAA requires consent in the form of authorization where it's appropriate. But does not require consent where it's implied, where what you're doing is what the patient expects to be done in order for you to do your job, and the consent is absolutely meaningless. So from that perspective I would say I wouldn't personally recommend any change, it's already probably a little bit too far in the fact that people have to get signatures that you saw that notice of privacy protection, which is a useless burden, from my perspective.

On the other hand, there's the concept of sensitive information. Every State -- except a couple -- has this concept that some information is more, is due more protection than others. HIPAA was written with the concept that all health information is sensitive, and ought to be treated that way. And whether you've got a broken leg or HIV, that information ought to be protected as well as possible within the system. Now, people with HIV might feel differently about that, because if they broke their leg they wouldn't care, but the basketball player whose contract is dependent on somebody learning that there's a crack in their leg, you know, they might think that that's much more sensitive than whether or not they have HIV. Maybe a bad example, but you get the idea, that every person has a different idea of what's sensitive to them. So perhaps an approach that said there's some special treatment that we give to information that each patient can label as sensitive, and build that into the technology and the policy and the procedures that we all follow, and then let the patients decide what is sensitive, rather than passing a bunch of disease-specific laws, might be a reasonable approach to that problem.

>>

Okay, so you're saying shift the concept from consent to patients identifying what's sensitive, and creating a technology that allows protection. Okay.

So what a good question I asked, look at all this -- so Joy was next, and then I'll turn it back over to Kirk.

>> Joy Pritts:

Well, I wanted to -- I'm going to go back to Ms. Dennis's question, first, I'm also on the HISPC team. I would say that it would be difficult to get all the States to agree on one model. I mean, obviously they didn't in the 1980s, when they, they first came up with the model law. Have things changed? Yes, I do. But my perspective on hearing what the States were saying is that at a core level, the States are fairly committed to some principles. There are States at one end of the continuum who are very committed to sharing health information very freely with -- and that includes sensitive health information -- very freely without any patient consent or authorization. So they had strong, stronger laws before HIPAA, and actually I would say reduced the protections or reduced the requirements for consent, or authorization, in their laws, to the HIPAA level after it was promulgated. On the other end of the continuum you have some States who require patient consent or authorization for everything. They -- I can tell you from being at these meetings, these two, they will never meet if they have any choice in the matter.

The vast majority of the States, though, are in the middle, and they have, they require patient permission to share health information, certain types of health information. And where it gets really messy is how you go about doing that. And that's where I think most of the States are willing to get together and say, you know, your authorization form is only good for 14, for a year, ours is good for two years. Can we have -- you know, can we all reach an agreement on this? Or in certain States they even have requirements like the point, the size of font that has to be used, they have different requirements. So I think that from the sense that I got from a lot of these meetings is they're really willing to shave around the edges, but I don't think you're ever going to get just one. The model law approach actually kind of accommodates that. Because often what they do when they draft these types of model laws is they give them, you know, a little menu of choices. You can choose one or two or three, and if everybody has a limited choice that might make people happy. If they were going to go that route, I would highly suggest that somebody actually look at what the States are already doing to kind of try to limit, put those, you know, what they're doing in buckets, to see how similar things are. Because I'd be willing to bet you're not going to find 50 of them. For the core concepts there's many fewer, and a lot of it can be, I think a lot of it can be subject to agreement.

>> Isaac Kohane:

So first of all, very glad to hear Bill articulate in a very useful way how different types of information will be sensitive for different patients. And I think it reflects a reality that there will be no one-size-fits-all set of protections. And in fact, that is why I am a big advocate, not to say of patient consent, but patient control. The patient knows, at any given time, and actually can change over their lifetime, what is sensitive and what is not.

And first of all, what I do disagree with Bill, is the doctor is entitled to, and is expecting, all the information that the patient is willing to give him. Because speaking as, unfortunately, a very part-time pediatric endocrinologist at this point, I have patients with diabetes who will come to me sometimes with a paper notebook of all their blood glucoses, and the blood glucoses look beautiful. I look carefully, these are kids, and it's all in the same handwriting, with the same pen, and I know they just filled it out before they saw me. Why did they do that? To make me feel good about them. That's a relatively innocuous example. But do they have the right of autonomy? Who am I to tell them what they can or cannot tell me? I am only supposed to, nor should I do anything more, than make the best possible decision I have given what the patient is comfortable telling me. And I think that going anything beyond that is being paternalistic in a way that oversteps the current relationship.

I also want to say that because of that, when I look back on what Mary Grealy is saying, and I'll put aside the fact that too many of my colleagues are now spending much more time with computers than with their patients because of electronic health systems, that the biggest problem is actually not within the health, these health care institutions that are spending 120 million dollars on the health care system. It's going across them. And there's very little evidence that while we're spending all that money that there's still a will to share. Forget the privacy concerns. And that's why again I think that the faster we get to the patient control of how the information flows, it will not be very limiting. It will enable the person who goes from one health institution to the competing one across the street to get the electronic dump into their personally-controlled health record.

And I'd like to pose to you, so we make sure we're thinking about not something that's happening in 10 years, that's happening today, that when a person goes into another State with a different set of regulations, how can we get back the full data squeeze from this other State in a way that's not hobbled by particularities of the States?

>> Kirk Nahra:

Other questions from our group? Paul?

>> Paul Uhrig:

This really goes I think to de-identified information. I'm probably starting at a very basic level, here, and I have two questions. I mean, in any eight-hour period I hear people say don't talk about de-identified information because it doesn't exist. I hear people argue the exact opposite just as passionately. And the people in the middle who say it can be de-identified but, you know, it takes technology, intellect, intent, to then, you know, re-identify it. I'm just trying to have one -- can you level-set us to where you think reality is in those three positions?

Then my second question is, is this an initiative that's always existed? Mindful of our charge, is this an issue that's always existed or -- I'm struggling with how the advent of RHIOs has really impacted this. Or would this be an issue even if we weren't dealing with RHIOs and health information exchanges as we understand it.

>> Brad Malin:

I'll take the second question first, because that one is a lot easier. The answer first -- because there's actually two sub-questions in that one. One is that the situation is changing in that -- it's changed from probably even a decade ago -- in that the amount of information that's now in electronic form and is now available, publicly available, has definitely made the identifiability of information go through the roof.

That said, the second aspect is what is different with the RHIO. I think it's the fact that it's going to end up making systems or forcing systems to be more interoperable. So you're going to have information flows. And it's not just going to be information flows within, intra-organization, it's going to be across organizations. In that respect, you're subject to a completely different environment and it becomes umpteenth more complex because it's not just regulations like Vanderbilt like we have, you know, like 20 hospitals, and different medical groups that are associated with us. It's going to be, you know, that 20 plus everybody else that's in middle Tennessee, everybody that's in western Tennessee, everybody that's in eastern Tennessee, and God knows where all the patients are actually going or being referred to. So in that respect, the situation does change. Because each of those groups has different ways in which they regulate the control of their information.

One of the things I didn't talk about today was that there was a study that was done back in the late 1990s that showed that when there were concerns with respect to privacy, not even so much just de-identification, but when researchers wanted to share things like pedigrees, a decent number of them were actually changing the information before putting it online or passing it along. And so they didn't believe that the de-identification was even sufficient, that at the same time they didn't know exactly what they should do, so they thought that one of the best things they could do would be to change the data around a little bit. This is absolutely something that should be unacceptable, especially when they didn't tell anybody that things like this would occur. So if you don't have any type of a technology that exists to protect information, or to guide people along in the way it should be done, you're going to be in a state of affairs where maybe the information has lost any of its useful value, and the health information exchange is just someplace where you can throw anything into it, which I would be sincerely worried about.

So as to your first question regarding re-identification and how hard it is, it's very much context-dependent, and the type of information that we're talking about. I will be the first one to readily admit that the re-identification of DNA data unto itself takes some work. I will readily admit that. Except I do believe that it's going to continually get easier. And if anybody was paying attention to the news earlier in the week, we saw the agreement between, I believe it was ancestry.com, with a private organization that said they were going to take all genetic tests that people were associated with, with ancestry, and they would be posting it online. So it wasn't just going to be that I would have to be a researcher, that would go to a hospital and say, hey, can I see somebody who had a CAG repeat mutation with Huntington’s disease, it would be I'm going to look on ancestry.com and I'm going to see okay, what's associated with this family?

So it's going to be very much content dependent, it's going to depend on the type of data that's available. And until we characterize the different types of information that are available and the risk that's associated with it, I don't think we're going to -- I can't give you a "this is how easy it is." But I do think it's going to continually get easier.

But just one last thing. It's not going to be that it's the scientist or the researcher who is going to be out hell-bent on a malevolent purpose. It's going to be the scientist who shares that information with somebody else, or somebody who just gains access. The ones I worry about most are the ones where they say we created a public repository, so anybody who wants to tap into the exchange and use this for research purposes, where research is, even in HIPAA, is very fuzzy, I think it's going to be a condition where it's going to be unregulated, so to speak.

>> Bill Braithwaite:

I just wanted to add that the word de-identified was made up when the regulation was written to distinguish it from anonymous. De-identified was intended not to be anonymous, as a warning to people that in fact it was not anonymous, but it was a temporary, practical way of getting almost anonymized data out there for good purposes. Given the fact that as things progress, better techniques for anonymizing will come forward, and better techniques for detecting identification in a de-identified data set will come forward, and at some point when those curves cross, the regulation will have to be changed. But that was the expectation.

>>

Just if you could give me a sense of where you think, if we were to try to go down the path of creating the next generation of HIPAA, if you will, how would you go about making that scaleable to account for the emerging technologies, the other kinds of potential covered entities, the ways that data might be used tomorrow that is not being used today? I mean, I'm thinking about my parents' generation, who I'm not sure would even want to take control of their own information, because they wouldn't know what to do with it, nor would they have a computer to use it on. My generation, who remembers the first television on the block, and then there's the we generation coming along behind us that is going to take for granted the fact that their information should be their own, and how they have some sense of responsibility toward that. How do you put privacy regulation around that that is scaleable, and willing to go along with the flow of society in this environment?

>>

Can I say one thing, first? So I actually think that coming from that younger generation, there's been a lot -- recently, there's been some interesting socio studies that have shown that people who are currently in their teens, their 20s, are not very concerned with the privacy of their information. And so they don't even recognize that there's a privacy concern until there's an actual violation that occurs. And so one of the things that I would strongly recommend, which has not been done very well, is having a public awareness campaign to try to even educate the public, whether through media, or through education via the HHS. There's something that's amiss, even with -- security? People get it. Secure transmission over an unsecured channel, not a problem. Privacy? That guy who posts information online about what his mother was doing 10 minutes ago does not realize how that's going to impact her in a year, or even himself. And I think that even before we have some type of regulations set in place, I actually think they need to be complemented by some type of public awareness campaign.

>> Mary Grealy:

But I think that public awareness campaign should be the other side. I mean, I couldn't agree with you more, the whole Facebook generation, I think we're all appalled at what they're willing to put up there, but I think also what we have found -- and it's because I do a lot of work with Congress, as part of the health information technology legislation that was being considered the last couple of years, and will be up again this year, and because you have so much turnover in Congressional staff, you would have thought that the HIPAA privacy rule did not exist. I mean, they just weren't aware of it, you know. And this is a body that's working on that legislation and developing those rules. And it's quite clear to me that the general public I think their knowledge is around I have to sign this notice form, and what a hassle that is. So we need to do a better job of educating people about what is out there, and then also how you should be treating and sharing your information. I think education and outreach has got to go hand-in-hand with whatever we're doing. It should be happening currently, but certainly as we move forward in developing health information technology and the more rapid exchange of that information.

>> Isaac Kohane:

So I think you raised -- you may be underestimating your parents, but you raised an issue that's fairly broad, which is of course there's a number of disadvantaged communities who, because of problem with literacy or access, may actually have a problem with any of this part of the system. Although I have to say parenthetically that in our first, in the '90s, explorations of direct to patient communications over the Internet at Children’s Hospital in Boston, we tried to encourage everybody to use it, and the nurse came up to one of my colleagues, Ken Mandl, and said should we involve this woman, she's from a homeless shelter? He said this is a full formal trial, do it. It turns out this woman actually had access to the Web in the homeless shelter and was actually communicating with the emergency room afterwards. So we shouldn't underestimate people.

Nonetheless, I think there are issues of equity. And at the same time you don't want yourself -- for example your parents, you don't want, even though your parents are willing to share, if, A, they share their DNA they're going to tell a whole bunch of things about you that you may not want people to know.

So I think that education is a big part of it. And some system of proxies and guardianship for people who need it or want it. And that has to be put in place. If we disenfranchise the poorly literate or health illiterate, or people who are technologically disadvantaged, it's going to be obviously a showstopper. So I think that's less a regulatory issue as, I think, so much as an implementation issue.

>> Joy Pritts:

I'm going to turn back a little bit on a bigger picture, I think, to your question about HIPAA, too, and I'm going to look at it not from just the regulation perspective, but more from the statutory perspective. Because that's really where the change would need to be made, because the narrowness of HIPAA really is based on what the HIPAA, HIPAA, the statute, says. It only covers the small area of all the entities that can hold health care -- health information.

One of the problems that I think has been made very clear in the last few years is that it doesn't work very well to regulate by entity. Because the entities are changing quicker than the regulation possibly can. They have dealt with this in other countries, as Bill brought up, which is that there is a national, there's an overarching national law which sets some very broad-based standards which the HIPAA privacy rule, and most of the FTC privacy regs and all of those, are pretty much based on. The advantage of having at least a high-level statutory requirement to adhere to fair information principles, is that when you have new entities springing up, at least you have this general framework in which you're going to work.

>> Kirk Nahra:

I just want to add one other thing that goes to David's question, something for the Workgroup to think about as we go forward. We've been talking about the HIPAA rules, and I'm going to put aside the standard transactions rule because I think that doesn't have much relevance to the stuff we're talking about. But if you're talking about privacy and security, it may be that most of the issues we're going to spend our time on are really privacy rules and not security rules. It may be that the security rule is very easy to translate. I guess it was Bill was talking about -- it's adaptive, you could argue it's not a good rule because it isn't tight enough, but in general it's a very flexible rule, it's very adaptable, you've got -- you know, can apply it to all kinds of different entities. We may find that there's really no need to go beyond HIPAA as a security rule premise, but that the real difficulty is on the privacy side. And in making, making the privacy rule fit, stronger, weaker, just fit in general. So maybe just conceptually that's something we want to think about as we're going forward.

>>

I want to mention as Bill mentioned earlier that when the privacy rule was being written, it was being written for a specific purpose, and that was to address the privacy and security around organizations that were doing electronic transactions. So it was sort of built around that premise that they were going to be doing those. Then we have had these other organizations that crop up that are using what we would consider to be protected health information that is indeed not protected health information, it just happens to be individually identifiable health information. But because the HIPAA rules don't reach it, it's out there, it's available to be misused, and we don't have the protections around it.

>> Kirk Nahra:

Well, the other side of one of the things we did talk about in some of our earlier meetings were as simple as the under-10-FTE doctor who doesn't bill electronically today. I mean, I don't know that anyone would take a -- if they were looking at this from a purely privacy perspective, say that makes any sense. So we have some entities that are sort of easy extensions, other entities that are, you know, much less obvious and maybe much more -- I mean, again, I would be very surprised if we come out with our recommendation on relevance, for example, and say that a doctor who doesn't bill electronically, you know, doesn't have to send a privacy notice out. We're going to say no -- my guess is we're going to say all of these, all of the HIPAA principles are relevant for a doctor in this context, you know, without any carve-outs. That was something to think about going forward. Yes, Elizabeth.

>> Elizabeth Holland:

I just want to comment on your statement about security being flexible, and therefore, we might not have to consider it. The problem I think we need to consider with security is that the implementation specifications, a lot of them are addressable, and some are required. And I'm not sure that it's appropriate for all of them to remain addressable in some of the HIE contexts. Like encryption, for example, of the transmission. Is that something that we believe should really --

>> Kirk Nahra:

That's a very good, that's a very good point. And I guess let me, let me expand on that a little bit. Our group today has looked at two different issues. One is this difference issue, the other is the level playing field. Your point, very well taken, goes to that level playing field. Maybe everybody needs to step -- maybe we need to impose a higher level. I think there aren't going to be all that many in the HIPAA security rule, but you're right, that I was probably going too far in saying it's nothing. I think it's more the more difficult ones, and the more complexity. It may be on the difference, the relevance piece that we talked about this morning a little bit, again, it may be that those are ones well, no, we want everybody to follow all those security rule principles. We're not going to carve any of those out, even though we may carve out privacy notice and we may carve out individual rights.

>> Brad Malin:

May I make one more comment?

>> Kirk Nahra:

Sure.

>> Brad Malin:

We've had very similar discussions along these lines at Vanderbilt as we tried to grow our electronic medical record system to providers who are not a core component of the Vanderbilt Medical Group. And one of the things that has come up with respect to the security rule is that it is very much associated with the auditing policies that are associated with the security rule. Because you can require -- this is something that you can tell everybody who is in the information exchange auditing is something that's necessary, you have to have access logging set in place, and then it becomes a question of who is actually given access to these auditing logs and what they're allowed to do with them, and then who is allowed to have the ability for reprimanding, or policing, with respect to this information. And as soon as you start talking about organizations with differing policies, the ability to implement the security rule with respect to auditing becomes a very hairy situation. So I wouldn't say that it's -- I do, I agree with you in that the privacy rule is something that's very much semantic-oriented and requires further investigation, but I wouldn't say the security rule is completely clear-cut.

>> Kirk Nahra:

That's a fair point and supplements what Elizabeth said. It does seem to me that one other piece of our discussion -- and again, just for us to keep in mind, we didn't touch on it too much today -- you know, we've talked about whether the situation in health information exchange is different such that a tougher standard is needed. Again, open issue, our Workgroup is very much still looking at that question. One of the other aspects of that is whether HIPAA just isn't a good fit in this environment. And I've thought about that a lot in the context of, for example, some of the points that you're making. When you've got a RHIO, today under HIPAA with a RHIO, the RHIO is a business associate of, you know, 500 providers in a State or a region. Who is responsible for doing all those things? Who is responsible for policing security -- you know, it's not a good match. The model of a business associate -- and again, we talked about this in some of the other contexts -- the model of a business associate is I'm a hospital, I hire you to do X for me, and I can police you in that. But, you know, none of us are really hiring the RHIO to do anything, or we're all hiring -- so I think there are some fit issues there. Again, that may be a different vehicle for us to come up with some recommendations that say we're not necessarily saying we need more than HIPAA, we just may need different than HIPAA in some of these contexts. That's another avenue that's available to us. And I don't know, again, you know, I don't know that we'll get there either. Today is very much the start of what I expect to be, unfortunately, a long and difficult discussion for us. I don't know that there's any particularly easy answers on this. But just something to keep in mind.

Let me ask one other question of the panelists and I'd be interested in views from any of you on this. One of the things -- I mean, I've looked at this idea of sort of simplicity in a number of different fields, and we've seen lots of reports about confusion over HIPAA, it was called HIPAA folklore this morning, and there was another term, I think Rachel used a different term this, you know, confusion over HIPAA. We heard from some of the RHIOs in earlier testimony about how hard it was to figure out the State laws. We heard the Florida gentleman this morning talking about how difficult, you know, in his State. Yeah, we also come back to this idea of preemption, and we heard about the politics, and how that just wasn't going to work. I mean, how important is simplicity to this whole system?

The other piece that I wanted to mention was this sort of consumer understanding. And I don't know how a consumer who lives in, you know, lives in Maryland and works in Virginia, and has a health plan through DC could possibly figure out what all their rights are. I just wonder, again purely a personal view, I've always been of the view essentially in broad strokes, just give me a law. I don't -- I'm not even sure I care what it says, give me one thing that I can figure out what it is. I mean, how important is getting to a single standard going to be in this environment, to deal with consumer empowerment and confusion and need to get it across? Or can we continue to live with 50 or 100 or 500 different rules? Anyone want to, anyone want to touch that?

>> Mary Grealy:

Well, it's interesting, as I was listening to the discussion, I was -- the word that was coming to mind is how can we simplify it, if you really want it to work. And I think that a big part of it is, how do you, one, assure -- three things. One, you know, let people know what their rights are. Assure them, you know, why is it good for us, health care providers, researchers, health -- why is it good for these entities to have your information? How is it going to improve your health, how is it going to improve the health of future generations? So, and again, that's sort of part of that education thing.

But also, how are we going to protect that information? And I think we could simplify it as to, one, why we want it, how we're going to use it, how we're going to protect it, and of course penalties if you do the wrong thing. But you know, we can continue to go along with this myriad, this patchwork quilt, and I think a lot of it depends on someone is going to come in, if someone decides to do very aggressive enforcement, I think a lot of people would be in big trouble. You know they're out of compliance, you know that people aren't undertaking million dollar studies to figure out just how they should be complying. And I think a lot of them are just sort of getting by, and it's because we haven't had people doing aggressive punitive enforcement. It's been much more about education.

But I think it's just such a tremendous waste of resources to have all this complexity. And that the more we can do to simplify it, it just makes it more workable. But make sure it's something that people are comfortable with, they feel their information is being protected, and I think security does play a big role in that.

>> Joy Pritts:

Well, what I'm about to toss on the table I'm sure will just be shot down in flames, but if you want -- okay, if you want simplicity, the way they've accomplished that in some other countries is they just basically put it in the hands of the consumer and say you decide what you want to share, what you don't want to share. I don't think that that necessarily works in our system, but it makes it very easy.

>> Kirk Nahra:

I'm not really sure that's what the other countries, what the other countries do is a little different, they say --

>> Joy Pritts:

Is opt-out.

>> Kirk Nahra:

Well, it's not really even opt-out, they basically say your information is protected wherever it goes, whoever has got it. It's a little different. It imposes burdens on sort of everybody who has got that information.

>> Joy Pritts:

Right, it does that, and that makes things a little bit -- a lot easier, I'll say, because one of the things we figured out, we've heard in this HISPC project, is that when you have some entities that are covered, and some that aren't, they don't want -- the ones that are covered don't want to share their health information with those that aren't because of liability concerns. So that makes it easy. But within the health care context, for example, both in the UK and in Canada, and I think this is probably true in all of the European Union countries, there is a presumption that the information is shared, but the patients -- they don't have these laws that say you can't share HIV information, you can't share mental health information, you can't share this. They just say to the patients, you have your -- the assumption is your information is going to be shared. If you don't want it to be shared, then you can opt out. And technologically, that is a little easier to implement than the detailed requirements that we have now. So I mean, one of the issues that we've had all along is, frankly, the reason we're not able to get to a unified law is because there's a huge fight between whether the uniform law is going to be down here, or here. And we've never been able to get to that. So when they did HIPAA, we were able to agree to this much. And the rest of it, where there is all this contention about, they punted back to the States. I don't know how you're ever going to solve that. Especially in the issues like, you know, when a minor gets health care, who has the right to get that information? I don't know how you get around those.

>> Kirk Nahra:

I know a couple of you were involved in HISPC. Has there been any analysis of -- you said punted back to the States, which is an interesting term. Because my impression is that most of the laws that are causing confusion at the State level actually predated HIPAA. I mean, is there -- has there actually been much since HIPAA at the State level? I’m aware of a handful of things but --

>> Joy Pritts:

I have looked in detail at the access provisions, and how they have changed since HIPAA. I would say about 30 percent of them have changed.

>> Kirk Nahra:

That many? Okay.

>> Joy Pritts:

And most of them have changed, not necessarily in major ways, but they've changed in ways where States didn't have anything before, now they have something that's kind of similar to HIPAA, so that they can enforce HIPAA, you know, kind of enforce HIPAA locally. So in that area, there's been quite, I think, you know, more change than I was expecting to see. But not -- I haven't looked at the disclosure.

>> Kirk Nahra:

I mean, for example, there haven't been a lot of new State laws to my knowledge that go in and say, you know what, we want to make sure that cancer information is given, you know, is a new sensitive condition, or we want to have, you know, for all the health information that's out there, we're going to actually make something more stringent than HIPAA.

>> Joy Pritts:

No. What you have seen more likely, have seen more of the, well, now we have HIPAA in place, we're going to lower that. I can tell you a handful of States that I know that have actually done that.

>> Mary Grealy:

Well, I think the reason it was so politically contentious trying to get that preemption was because States that were going to do the parental notification, or non-notification, that was already on the books, so that's sort of what led to that political battle and debate.

>> Kirk Nahra:

Those couple little issues you mentioned before seemed to drive --

>> Mary Grealy:

I think it's interesting when you're talking about sensitive information, you know, there's a special provision for mental health notes, and I suppose there are some accommodations that could be made on what those sensitive areas are. But you're right, it's ever-evolving. What may be considered sensitive today, there may be something different tomorrow. And I think the key is how do you get something, you know, that's sort of a living document. That can evolve.

>>

If you were to have at least a national identification of levels of sensitivity or classification of types of data, I know we struggle with that in our organization about what's real SSN data versus data that's a scrambled SSN or no SSN. And it's considered, you know, more protected because of the implications of identity theft and whatnot. If there were some sort of standard that set that playing field, would it be easier to try and get the States to come to a closer common way of looking at privacy?

>> Kirk Nahra:

I was going to ask something very similar which is you mentioned you had the two extremes and your large middle. Let me add on to that, go to -- for Mary and Joy. Would your folks -- my understanding from your testimony was that generally you like the HIPAA standard. You like preemption and you like the current HIPAA standard. Would you be willing to take a higher HIPAA standard with preemption and do you think as David was saying, the States would be more likely to accept it if some of the State laws were incorporated into --

>> Mary Grealy:

We were willing, as part of the legislative process, the last couple of years on health information technology, we thought that getting a national uniform standard was so important that we were willing to take the risk of having the Secretary of HHS examine what are those variations. Now, with the caveat that when you make your recommendation as to what the standard should be, that it is something that is workable, that it's a common sense approach, and that you also include the concept of efficiency. Because you will have vendors that will tell you I can build in, you know, a gazillion protections, but it's going to be an unaffordable system, so we thought that was important. So yes, I think people would be willing to come up to a higher standard but you're right, there will be a huge debate as to what that standard would be.

>> Joy Pritts:

And I think from a State perspective they would not be happy with preemption, in any event. I mean, they may be happy with more uniform standards, but they still want to be able to have their laws, because this is an area that the States have regulated for a very long time. And there are mechanisms, in other laws, where there is Federal regulation, where the States still are able to enforce, but they do so in a more uniform fashion.

>> Kirk Nahra:

Although it's interesting, you read a lot today about, you know, criticism of HIPAA enforcement, but I'm astonished how many of those more stringent State laws that have been around for 40 years have never had any, you know, never been enforced by -- it's interesting, it's sort of a theoretical we really care a lot about these protections but we're not --

>> Joy Pritts:

Well some of it never -- I'll tell you one thing just from the phone calls that I get, because I have a Website that has State guides to how people can access their own health information. After I started posting these, I started getting phone calls. Now, if I get one phone call a day I'm happy, because I usually get four or five phone calls a day, every day of the week when I'm there, with people having trouble just getting access to their medical records. So the fact that they haven't been enforced doesn't mean that the issue hasn't existed. And the other thing is they do, a lot of people do try to resolve these things through the medical board, and other possible ways of solving these things, without bringing a lawsuit. And that's how you would find out about it. But a lawsuit is the result, you know, the last resort for most people. It's expensive.

>> Kirk Nahra:

Sure. All right, we are closing down on our timing for the day. Are there other questions -- actually, let me ask are there any questions from people on the phone? From the Workgroup? All right, other last questions from any -- Jill?

>> Jill Callahan Dennis:

Yeah, I want to get back to Mary's point about doing what's workable for people. And there was a difference of opinion on the panel in terms of the extent of patient control that's desirable. And it's actually one of the things that I worry about, not from so much an equity standpoint, but as a practical operational standpoint. And I'm just wondering, I'm wondering how far you can go without frustrating the purposes of health information exchange to begin with, which is to allow greater access to, for better care. So I'm just wondering if you have any comments on that in terms of where is that threshold, where is that reasonable balance in terms of patient control versus readily accessible data to care providers?

>> Mary Grealy:

Well, it's interesting, we were -- we have a CEO-level task force on patient safety and quality, and this is one of the big issues, health information technology, how can we really encourage the broader implementation? You know, I raised -- here are some of the things that are being discussed, giving patients that, you know, much greater control, being able to withhold information. And I have to tell you, it's just like wait a minute, you know, that -- and one of the people that was most concerned about this is involved in one of the CMS quality demonstration projects with hospitals, where it is so critical. I mean, the way they're improving quality is by having access to information and sharing that information, developing best practices. And their biggest fear is that if we give too much control over patients withholding information, then we're going to wind up, whether it's research data or treatment data or whatever, that it's just not going to be useful data, and in fact, we may wind up doing the wrong thing.

So you know, to me it's a balance of patients having a sense of control, and maybe it's more what are the security systems that we have in place, so that they're assured that that information isn't being shared inappropriately. At a minimum, if we're going to wall off these areas, I think we have to flag the system, and let providers know information is being withheld from you. Because I think unlike other countries, there's a lot more litigation here. You know, if you do the wrong thing.

>> Kirk Nahra:

Joy?

>> Joy Pritts:

Well, there are a few points there. One is that when, when you look at systems where they actually have let patients, generally, it's an opt-out situation, okay, so the information is presumed to flow unless the patient does something. British Columbia has a prescription database that's been operation, an electronic prescription database for the province that's been operational for over a decade, I believe. Their historical opt-out rate is I think two percent, or less. It's much less, actually. It's -- I'm trying to remember, we did the math one time, and it was under one percent. So it's very small. People -- I'm not making light of this -- but individuals want the ability, but don't necessarily exercise it, is I guess what I would say.

>> Kirk Nahra:

-- this is how the individual rights provisions have been --

>> Joy Pritts:

Right.

>> Kirk Nahra:

They're there, people want them, but they're not being used very often.

>> Joy Pritts:

Well, right. But when they want them, they really want them. I mean, the people who want them, want them very badly. But it's more -- and -- they do, I mean. And the ability to control, though, is something that I think is desired on a much broader basis, just because it gives people a sense that they as an individual are being respected, and they have some input into it. But as a technical matter, also, I understand Mary Grealy's concerns about the information being available for quality control and for research, and they've kind of worked that out in some of these systems, where the information flows in a, what we would probably call more of a limited dataset for those functions. And so it's, you know, there are ways you can do this, so the information is still available in some format that may not be fully identifiable, that may make most people happy.

>> Mary Grealy:

But I would strongly underscore the huge difference between opt-in and opt-out. The percentage difference is astronomical. If it's opt-in, you're going to get probably get less than 10 percent of the people that would take that affirmative step. So if that's the path you wind up going down in terms of giving control, I would -- opt-out.

>> Kirk Nahra:

That's what's been demonstrated in the financial services industry, no one opts out, because they don't read the notices. And if you make it opt-in, the only people that would read it would never opt in, so it's a very different system.

>> Brad Malin:

Can I just address that question also? There's one issue that I think, I think it's been said multiple times, now, that if the information is withheld, changed, something that changes the useful, the ability of the system to achieve its goals, you end up in a situation where the exchange is not going to be viable or the system itself is not going to remain viable. And in that extent, it has to be evaluated to what ability an individual should be able to withhold information if it's for things such as clinical care. Because if you end up making the system more dangerous than not having the system, I think, I think that that would be a poor result. At the same time, one thing that I believe would make people happier, though not necessarily give them all the power that they want, is increased transparency within the health care environment, which is the fact that most people have absolutely no idea where their information goes, or what it's used for, even though a lot of people want to know. It may just give them more peace of mind to know that okay, it was accessed 100 times, but you know what, that was all for clinical care-related purposes. As opposed to I have no idea, maybe there's some guy who is looking at my records that's just not supposed to. But people don't know. And sometimes I think that when people claim they want to have more control over their information, they really just want to know what's going on with it.

>> Kirk Nahra:

All right, are there other questions for the panel? I'm sorry.

>>

That's okay, go ahead. 45 minutes, look over this way.

[laughter]

Sorry, Kirk.

>> Kirk Nahra:

[inaudible]

>>

I know, a shrinking violet.

No, I actually wanted to get back to a comment that Bill made awhile ago about consent, so we have this sort of quaint notion of consent with the form that we sign in the office. But we also have these terms in HIPAA that you can drive a truck through, the minimum necessary and the business purposes. So I'm wondering if you could talk a little bit more about your comment about consent, in the context of consenting to a broader health information exchange where we're not just talking about the public good of improving the health care system, and quality, and research, but the business motive of why everybody wants all this data. Because that's why people are freaked out. And you touched on it a little bit with saying well, if we just had some provisions about nondiscrimination, I mean, that could be a very easy solution. But I was wondering if you could maybe give a little more nuance to your comments about consent.

>>

You know he doesn't say no.

>> Bill Braithwaite:

You are so right.

I think consent is a major issue of discussion because I think, as I said, people mean different things by it. When HIPAA talked about consent to treatment, payment, and health care operations, it was intended to be an implied consent that you knew what was going on, and you were given a piece of paper that laid out what was going on when you went to the doctor's office, and that the doctor could not, or the hospital, could not stay in business without doing this. You had to get paid, you had to meet the NCQA requirements to keep your license, and all that sort, all those kinds of things were intended to say the patient has to expect what's going on, has to know what's going on, as part of the notice principle, and then they imply consent to those things when they arrive for treatment.

I don't think, at least in the current level of knowledge and education in the general public, that consent is implied that their information should be shared with some larger scope of information sharing outside of sharing it with another doctor who is going to be treating them. So I think we have to be very careful about what the patient thinks their implied consent is when they're going to an institution for care. I know, from surveys, that they think that when they get referred across the town to another doctor, that that doctor has access to their information. So that somehow it got there. And they don't really care how, whether it's by messenger or fax or by an electronic health information exchange. But if that health information exchange is now doing other things, sharing their information in ways that they can't conceive of and didn't think of when they went to the doctor, then we have to be very careful about how that implied consent rolls over into these larger functions without educating the consumer, making sure that they really do understand what that's about, and being careful about what we do with it, without additional authorizations.

>> Jill Callahan Dennis:

I wanted to ask you that question because I knew I would get such a lovely answer, thank you.

>>

Yes, I just wanted to mention that we've talked almost entirely about HIPAA, but there -- and I noticed on one of your slides you mentioned, had 42 CFR, and I was disappointed you didn't actually talk about it -- but there are other laws that influence our sharing information, health information. And I work in a State system, and I'm concerned about being able to integrate data across systems to be able to evaluate the coordination of services and outcomes of services. And a lot of health care is provided in other entities, like schools, for one, and there's FERPA legislation that interferes with my being able to get that data. Child welfare has their own set of rules about data sharing, and juvenile justice. So I really like this notion of a comprehensive privacy policy that would help make that more uniform across all those entities. And I think we just need to keep in mind that it's not just HIPAA that influences how data gets shared.

>> Kirk Nahra:

I think that's a fair point. I think it also, you know, it -- I also want to keep in mind what our group is sort of able to do. I mean, there's a limit to -- you know, we I think go beyond our scope if we say the entire HIPAA rule needs to be redone for the following 12 reasons. Similarly, we probably go beyond it if we say, you know, we want to create the EU privacy rule in this country, so that all information -- you know, I think we have to keep that stuff in mind and we have to -- for example, schools would be an example. I don't know whether schools would have any reason to be participating in a RHIO. Not, you know, not as a medical facility, but I mean a school as a school? Would that be stuff going in? They may get caught through the back door of our hypothesis without us really thinking about them. So if they're directly accessing the RHIO, we've now, you know, we've made a recommendation that they should have to follow HIPAA rules, you may have issues there because the FERPA rules may be more stringent. We want to keep those things in mind, the 42 CFR as well, for a different way of looking at certain kinds of sensitive data.

>>

-- largest health care provider in the country, and we're currently not participating in any RHIOs because of legislation of our own. We're asking for Congressional relief to work on that. But I think if we don't look at some of those other things that are outliers, we may actually be holding ourselves back from being able to accomplish this.

>> Kirk Nahra:

Okay. All right, other questions from the Workgroup?

All right, well, let me -- I'd like to thank our panel for again the start of a very interesting discussion. We'll be continuing over our work in the future, and, you know, hope you follow what we're doing a little bit, and if you have other things you'd like to add we'd certainly be interested in hearing them. But thank you very much.

We are going to spend just a little bit of time with our Workgroup talking about the subgroup that had been in place working on, with the Consumer Empowerment Workgroup, on some issues related to privacy notices, and some common elements that they're looking for in privacy notices. So let me turn that over to Steve.

>> Steve Posnack:

If I remember correctly, I did give an update at the last meeting, maybe on the 15th, about the progress that the Consumer Empowerment and this Workgroup had done, some of the members from the Consumer Empowerment Workgroup and this Workgroup, in terms of forming a subgroup to work on the Consumer Empowerment Workgroup's recommendation from January about privacy policies for PHRs. And Deven and Paul Uhrig are here, I won't put them on spot straight away, but Deven helped to co-chair that effort along with Ross from the Consumer Empowerment Workgroup, and if they have any information to add in they're more than welcome to chime in. But this got distributed to members and it's also been posted on the Website, because the Consumer Empowerment Workgroup discussed it last week. And we've been asked to perform a particular task that the staff has started to go through here at ONC as well as some of our other friends and family throughout the Federal Government, to add a fourth column, and just do a kind of quick mapping to see how this lines up with HIPAA, and if there are any kind of conflicts. We discussed with Kirk at our co-chair call, at least primarily to identify if there's something below HIPAA that we're recommending in this table of components, or if there's something different. Did I get that right? I want to make sure we define the scope correctly.

>> Kirk Nahra:

Let me jump in. I had seen this document and looked at it very quickly, and I'm not sure exactly how some of these provisions connect up to HIPAA. So you want to look at it, is it the same, is it lower, is it higher? Just before we, you know, wanted to understand that before we get this up for full discussion with the Workgroup. I don't want to recommend something that's more stringent than HIPAA on privacy notices unless we realize that it's more stringent than HIPAA and decide to make a recommendation on that anyway, so --

>> Steve Posnack:

Process-wise, I guess I'll do about a minute on that. The subgroup has met numerous times, we are scheduled to meet on the 27th of June again, I guess to discuss feedback that we've gotten from both of the major Workgroups, the main Workgroups. And I'm sure that saddens all of the subgroup members, because we reached a pretty good consensus on at least this final draft that we wanted to show to both Workgroups. And put simply, this comes from the central privacy policy components that the Consumer Empowerment Workgroup recommended, and had discussed several months ago, and this subgroup had been working through them and identified, by category and attribute, components that should be in a PHR privacy policy, recognizing that there are some entities out there that aren't covered by HIPAA, and they may not have to include a privacy policy for their PHR. So in order to get PHRs to one privacy policy standard, that was kind of the goal and the simplistic idea that at least there would be something out there for these PHRs to communicate to consumers. So I don't know if, Deven or Paul, you'd like to add in any other information.

Aside from the fact that, before I let you do that, the idea, and we discussed with Kirk, you know, if and when the proper time would be to make a recommendation, we discussed the process with the subgroup and, you know, we've been working on this for a few months now at this point, and it's been deferred to us as the Confidentiality, Privacy, and Security Workgroup to issue the recommendation from the Consumer Empowerment Workgroup, with their input and feedback. But it would probably come out of our shop. So the idea would be to have probably a more robust discussion on our July, at our July meeting, about this document. And it would be referred to the AHIC as a recommendation in this form, as a table, and one of the other components that this would be used for would be to send to CCHIT, as a first step to developing criteria for certification of PHRs, and with respect to their privacy components. These wouldn't be translated one-to-one into certification criteria, so that was one of the statements that I was making at the Consumer Empowerment Workgroup. We've had some conversations with Mark Leavitt at CCHIT, and they're going to, you know, if they're so instructed, to form a workgroup for PHRs, which I don't think they have yet. This would be a good first start for them to help evaluate how to develop criteria. So it wouldn't be translated immediately into this is how you need to certify a PHR. Deven or Paul? Yeah, sorry.

>> Deven McGraw:

I think it will be helpful to see how this compares to HIPAA. Even though I think the whole time we were discussing this, we assumed that most, a lot of the entities that were authoring these PHRs were in fact covered by HIPAA, and that was part of the reason why we were going through this exercise of figuring out what should be in a policy. But I also -- so I welcome the opportunity to discuss it in more detail with the Workgroup. And I also think it was a really interesting experience, because it picked up some folks beyond our group, and brought them into a conversation about privacy issues that we have been dealing with for several months now, but that they don't -- it's not their primary topic, although I'm sure it's come up at their Consumer Empowerment Workgroup. And it was just very interesting, and in my view refreshing to -- they were really committed, like everyone around the table, to figuring out something that would create strong policies, and really create an environment that would move these PHRs forward. More so in a way maybe even than what we have now, which is sort of a lack of regulation, and some uncertainty. So that was just -- that's a personal observation, not --

>> Kirk Nahra:

Let me just jump in with a question, and maybe this goes to the point of that column about HIPAA. I mean, I understand the discussion was focused on the idea that PHR vendors are heavily unregulated, but I do want to put that in the context of what we're doing, which is we've made a recommendation that says they should be regulated, meaning our recommendation for them as of now is they should have to do everything that a hospital has to do on a privacy notice, so that a recommendation as to elements that are less than HIPAA would be in some ways inconsistent with our recommendation. Similarly, we started the discussion today that says should we be recommending a standard higher than HIPAA. And I'm somewhat uncomfortable jumping the gun on that specific to privacy notices, if there's components of that that are stronger than HIPAA. So it's just -- it's a tricky dynamic. I mean, again, I don't, I don't know where we're going to come out. I mean, Steve and I had us discussed in the context of do we want a higher standard than HIPAA. You know, we talked about whether to try that working hypothesis approach, which we tried with, you know, our last recommendation, and I think it worked well. The main reason I think it worked well is that when we were writing the first working hypothesis, I pretty much had a sense that everybody on the Workgroup was going to be pretty supportive of that based on things that we've been saying for the last year.

I don't have any sense of where we're going to be on -- you know, do we want to recommend something higher or lower than HIPAA. I didn't want to just put something out there for discussion that half the people would disagree with. So I do want to be a little cautious. If it turns out that there are half a dozen things on that chart that are, in fact would put the PHR vendors in a position of having to do more than a hospital would have to do, or a doctor would have to do now, again, I just want to be careful before we make that step, given that we're looking at that as a real big picture issue as to whether we're going to impose, suggest imposing different obligations.

>> Paul Uhrig:

I think one of the things that was interesting about the discussion, or I thought so, I think we went from one end of the spectrum to an other and ended up in the middle probably a little bit, is whether we're going to be directive in the disclosure, in other words, you know, PHR shall, you know, provide 30 days notice of X. Or just say PHR needs to disclose what its notification policy is. And in some cases I think we were directive and in others we weren't. And as you go through the document, I guess appreciate there was enormous discussion and certainly not unanimity on that issue.

>> Deven McGraw:

And by the way, just so you know, I wasn't always the left flank in that discussion. I was sometimes in the middle.

>> Kirk Nahra:

In that context I wouldn't have guessed you in the left flank much at all, but --

>>

Steve, did you write that down?

>> Steve Posnack:

It's on the record, in the transcript, so. So that's another parallel activity that we'll have aside from the conversations that we had today. I think the people that we had come and testify today gave me some insight in who I need to bring in next time for everybody, and how I can structure my instructions a little bit better so that it will be 10 times more productive than today. Not to say that today wasn't productive, but, you know, it's an iterative process. I think we've learned from each hearing that depending on what topic we've gotten, the second time around is usually a lot better. Just because we've got a flavor of what everybody's perspectives are and what you'd like to hear. So if you have any suggestions of people that you think should come and talk about the relevancy issue, because we didn't really get too far down into the weeds today at the hearing, I would encourage you to send me them as soon as possible. Because next week is probably the golden week to get them before the July 4th week, and then we're kind of in that quasi-period of it's too late already before the next hearing.

>> Kirk Nahra:

Our next hearing isn't scheduled to be a testimony hearing, is it?

>> Steve Posnack:

We could have people come in. It's a four hour meeting.

>> Kirk Nahra:

In addition to people, I guess I would really like to encourage people to think about categories. For example, I hadn't thought about the schools in that, the context of RHIOs. And maybe we -- you know, know maybe that's a relevant piece. I mean, they have -- I'm not sure, just thinking about it for 30 seconds, it may be that some of the HIPAA privacy stuff is directly on point for them, and that some of them -- you know, I don't know about a notice. Should they be giving students a notice about how they use their health care information as distinct from what else -- yeah, so I mean I think that may be an interesting group. But again, I'd be interested in categories. Today was essentially the RHIO, you know, that model. But please give some thought to both people and categories, or those people that are in a category but doing things a little differently, that would be very helpful.

>> Steve Posnack:

Just to structure things, Judy, the operator, because we need to take public comment. I think we're in the next meeting planning phase on the agenda already, so --

>> Judy Sparrow:

Are you ready?

>> Steve Posnack:

Could we get that number flashed?

>> Judy Sparrow:

Yes. Matt, would you put that up, please?

>> Matt McCoy:

Yes, I will, it will be up in just one second, and I will explain how folks can call in. You'll see the number that comes up on the screen, once you're dialed in, press star 1 to alert the operator to the fact that you'd like to make a comment. We may also have some members of the public who have dialed in along the way during this meeting, so if you're already on the phone, same goes for you, just press star 1 to alert the operator that you'd like to make a comment.

>>

If we have questions already on some of the language in here, do you want them in advance, do you want to hold them for July or what do you want?

>> Steve Posnack:

If you have immediate questions it would best be served to send them to me as soon as possible, because we will have that subgroup meeting this coming Wednesday, so I can present them to the subgroup to digest.

And getting back to, you know, pulling in a couple other subject matter experts to participate at our July meeting, any, any filter that I could give would be if anyone you suggest has a specific interaction with the service, and can articulate the privacy and security pieces, that's probably -- you know, if we could get them to walk through it, I mean, almost, in terms of the relevancy part. Instead of providing questions like we did the last time, you know, we could ask them almost to step through, you know, how their business applies the privacy and security requirements.

>> Kirk Nahra:

Why don't we go ahead and do the public comment?

>> Matt McCoy:

Nobody is on the phone right now calling in.

>> Judy Sparrow:

Anybody in the room?

>> Kirk Nahra:

All right, we'll continue that strategy of having these long hearings.

[laughter]

Steve, anything else you wanted to add about planning for the next meeting? Or was that all at this point? I mean, we, we're set, we have a July meeting, and I think we're off until September, is that right?

>> Steve Posnack:

We have -- and I'll send them out -- we have established, we've penciled in days for October and November. And Kirk was available at this point in time to go to them. So we'll send them out to everybody, hopefully it's enough notice in advance. Because Kirk can go, you can go. So I think --

>> Kirk Nahra:

The other thing is that there was a number of written handouts distributed that were testimony from other folks who did not appear in person. Steve, I'd like to ask to make sure staff go through and see -- particularly on the relevance point if there are particular other pieces identified there -- I mean, I'd like to try and -- I don't know if it's a chart or something, but I'd like to try and identify those common categories.

Sarah, did you have a --

>> Sarah Wattenberg:

Yeah, I didn't know where we left this FERPA thing. Was that in the conversation of trying to identify future topics, or -- because --

>> Kirk Nahra:

I guess I look at -- it seems to me there's two aspects of what Steve had raised. One is that when we're looking at, you know, what our eventual recommendation will be on, you know, is HIPAA higher, are we going to suggest a higher standard or not, we not only want to think about what State laws have, but we also want to think about some of the other relevant Federal laws. So that's sort of one thing that I think to keep in the back of our mind. I personally wouldn't put it as, you know, it's not the first, second, or third thing we're going to look at on that topic, but it's something we need to keep in mind.

The piece that I think is more immediate and I don't know if you want to call it a FERPA issue versus the schools is that relevance topic. If schools are being brought into our recommendation because they're going to be directly participating in RHIOs, I at least hadn't thought of them in that category, they weren't on the list -- maybe they made that list we had, we had a long list of sort of entities that may be participating, I just hadn't thought about them. So I think we want to get the schools in more quickly to think about it as a relevance issue. And again, that's sort of FERPA, but it's more of the schools rather than FERPA, I would think.

>> Sarah Wattenberg:

Well, I would just make the general comment that we should spend some time exploring the relationship of FERPA and HIPAA to this vast, vast area of health care that takes place for children. I mean, for children, kids in colleges, a lot of our, you know, lower income kids get a lot of their health care from their schools. And so if we don't -- I mean, FERPA keeps coming up in so many little ways that, you know, if we don't sort of eventually sit down and really think through, you know, how those records are going to be handled, we're going to lose a lot of information about a lot of people, and a lot of people are going to lose the advantages of interoperable health records. So, you know, I don't know if there's anything -- Sue is giving me funny looks -- if there's anything really to -- why would I want to go there? Well, you know, it comes up a lot in mental health and substance abuse records.

>> Kirk Nahra:

It's been in the news recently.

>> Sarah Wattenberg:

Yeah, at Virginia Tech and -- immunizations, I mean it's --

>> Kirk Nahra:

NCVHS has been looking specifically at that interaction, and they -- is it currently?

>> Steve Posnack:

I haven't been able to follow along --

>>

They're about done. They had a recommendation letter but it really is nothing more than getting -- actually, they had, their concerns this round were largely the inadequacies of FERPA in allowing public health sharing, and they also had concerns with the FERPA restrictions on parental notification. More so -- although there was a general concern about confusion, between HIPAA and FERPA, I wouldn't say that the way HIPAA works is if you have -- if FERPA covers the record, HIPAA does not.

>>

Right.

>>

So there are -- to the extent student medical records are FERPA-covered records, HIPAA does not apply to them.

>> Kirk Nahra:

So that will be a significant issue in the RHIO context, which is if information is coming into the RHIOs, is it, is it FERPA, is it HIPAA, is it now plus HIPAA because of our recommendation? I mean, that does seem to be a complication. We should think of. But let's see what NCVHS -- you know, they said they spent some time looking at as well.

>> Matt McCoy:

We actually have somebody called in on the phone for public comment if you'd like to take that now.

>> Kirk Nahra:

Why don't we take that, then we'll see if there's anyone else, then we'll finish up the public comment.

>> Matt McCoy:

Okay, Vicki Hunter, go ahead.

>> Vicki Hohner:

Thank you. Hi, I'm Vicki Hohner with Fox Systems, Incorporated, but I've spent much of my life working in the public sector. And in listening to the last couple meetings, there doesn't seem to be as much consideration of the public sector and the different way that they operate and the fact that they also do things like provide services, pay for services, not just through Medicaid and Medicare, but mental health, substance abuse, you mentioned 42 CFR, and I'm sure a lot of other programs, little ones, big ones, all size, shapes, and forms. How are they going to be factored into this process?

>> Kirk Nahra:

All right, well, we're mainly looking at taking comments rather than answering questions but I mean --

>> Vicki Hohner:

I thought you were taking questions.

>> Kirk Nahra:

No, we're taking comments. We'd be happy to have suggestions as to things we should be covering. And you know, we obviously have a variety of public sector entities that are on our Workgroup. So I think we're at least thinking about that on a regular basis.

>> Vicki Hohner:

I guess my comment then would be I think I've seen some of them on are often at the Federal level, but there are many, many other concerns States and counties already struggle with even beginning to comply with HIPAA because it doesn't speak to the way that they provide services. So even trying to comply with the HIPAA minimum is difficult, if not impossible for some of them. So even using that as a start point, and not having any guidance that has come forth from the Feds, has really stymied a lot of them in getting up to speed in this, and might hinder participation as well as exchanging the information. So I just wanted to make sure that that was recognized.

>> Kirk Nahra:

Okay, great, thank you very much. Was there anyone else on the public comment line?

>> Matt McCoy:

No, that's it.

>> Kirk Nahra:

Okay. All right, why don't we finish that.

Steve, do you have anything else you want to touch on today?

>> Steve Posnack:

If anyone has got any questions or -- from the Workgroup, just send an e-mail.

>> Kirk Nahra:

I think we had a good start today, I was hoping we'd get maybe a little further on the relevance piece than I think we did, but we'll need to try and drill down on that. I think, you know, we're going to have a real challenge in the next few months as to how to, you know, focus on the topic of our second panel. We can, you know, that's something I could see us doing for five years, and we're not going to be around in five years, so we've got to figure out a way to really drill down on that. But it's, as you could tell from the discussion, it was, I mean, it was an interesting discussion. I think to some extent the panelists didn't necessarily answer our questions at all, but it obviously led to a lot of good discussion. We want to try to drill down on that. But that's really going to be a big challenge for us over the next few months ahead. So thank you very much for your participation today, and we will speak to you soon. Thank you very much.