American Health Information Community
Confidentiality, Privacy, and Security Workgroup #19
Thursday, June 26, 2008
Disclaimer
The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.
>> Judy Sparrow:
Good afternoon and welcome, everybody, to the 19th meeting of the Confidentiality, Privacy, and Security Workgroup. Again, just a reminder that this is a Federal Advisory Committee and is being broadcast over the Internet, and there will be an opportunity at the close of the meeting for the public to make comments. Workgroup members on the phone, please remember to mute your lines when you’re not speaking, and please identify yourselves when you do speak.
On the phone today, we have Steven Davis from the Oklahoma Department of Mental Health and Substance Abuse; Jill Callahan Dennis from High Risk Advantage; John Houston, University of Pittsburgh Medical Center; Susan McAndrew from Health and Human Services, Office of Civil Rights; Tom Wilder from America’s Health Insurance Plan. And here in the room, we have...
>> Jodi Daniel:
Jodi Daniel with ONC.
>> Leslie Tweeton:
Leslie Tweeton with NACDS.
>> David McDaniel:
David McDaniel, Department of Veterans Affairs, Veterans Health Administration.
>> Deven McGraw:
Deven McGraw with the Center for Democracy and Technology.
>> Kirk Nahra:
Kirk Nahra, Wiley Rein.
>> Steve Posnack:
Steve Posnack, ONC.
>> Judy Sparrow:
And did we leave anybody off who’s on telephone?
>> Jill Callahan Dennis:
No, but I’m with this is Jill Dennis, and I’m with AHIMA, not Health Risk Advantage.
>> Judy Sparrow:
Oh, okay.
>> :
And we were wondering we were sitting here wondering if you (multiple speakers, laugh).
>> Judy Sparrow:
I’m so sorry. My cheat sheet here is not correct. I’ll make sure that’s changed, Jill.
>> Jill Callahan Dennis:
Thanks.
>> Judy Sparrow:
With that, I’ll turn it over to the Co-chairs, Kirk Nahra and Deven McGraw.
>> Deven McGraw:
Okay, great. Thanks, everyone. The first item on the agenda is approval of the prior meeting summary. This is our prior public meeting, which took place on Thursday, April 17, 2008. Does anyone have any changes to that summary that they want to make at this point? (Pause) Okay. Hearing none, we’ll do our usual, which is to give people a little bit more time to weigh in on this before we finalize it. What do you think?
>> Kirk Nahra:
Tuesday, Wednesday morning?
>> Deven McGraw:
Monday.
>> Kirk Nahra:
Sure.
>> Deven McGraw:
Yeah. Let us know by Monday morning. Otherwise, we’ll consider it final. Thank you.
All right, so we get to move right on to our draft recommendation letter discussion. And thanks to very good input from members, the letter should look very different, although covering the same themes that the draft that we had considered and looked at before in the in gearing up for this public meeting. We as you’ll see, we have a letter that gets really right into the meat, as opposed to going back through our Workgroup history, although that is attached as an appendix and convenient for anyone who doesn’t want to search for the separate recommendations on the Web.
And also, we need to have now sort of recommendations. Again, thanks to some very good input from Workgroup members, there are recommendations really at the end of each section, which we really when we sort of initially started to pull this together, we, you know, had a were working with the factors that hadn’t necessarily sort of crystallized into some recommendations, and now we’ve got those teed up in this, you know, first public draft of this letter again, keeping in mind that this is still a draft in progress, and the purpose of this Workgroup meeting today is to continue to gather feedback on it. It doesn’t represent nor should be construed to represent a final recommendation letter. The purpose of this meeting, again, is to continue to gather feedback as we work this into shape and hopefully do reach a point where we have a final letter. So...
>> Kirk Nahra:
You know, let me just emphasize what Deven just closed with, which is, “This is very much a discussion draft.” We are talking about whether we will move forward to try and turn some of these things into recommendations, but in this particularly for people who are seeing this for the first time in the public setting, again, this is very much how we’re going to talk about these issues, but there’s nothing in this document that you could take away and say, “That’s a recommendation. This is where they’re going. This is the direction.” We’re using it as a basis to have a discussion among our Workgroup today, with the appropriate comment from the public later in the meeting. So that’s what’s I wanted to just get to clarify that that’s what this document represents at this point. There will obviously come a point in the future or there will presumably come a point in the future where we have it more toward the final document, and the Workgroup will be uploading and approving a final set of recommendations, but that is not what the purpose of this is. Today is not a voting day. It’s not a final decision day at all. It’s very much a preliminary discussion.
>> Deven McGraw:
Okay. So having said that, let’s kind of walk through it. I don’t have any intent to read it, since this is a document that has been released to the public, but let’s just jump right in. I’ll say, does anybody have any particular comments on the introduction section? We’re even want to raise issue with the fact that we’ve now moved the sort of background history of our Workgroup to the back.
>> David McDaniel:
(Inaudible) good enough. (Laugh)
>> Deven McGraw:
Okay. David likes that. That’s good.
>> David McDaniel:
Anybody want to read that to the (inaudible)? (Laugh)
>> Deven McGraw:
You know, when you’re reminded of what we’ve done in 19 meetings... okay. (Laugh)
All right, hearing none, we’ll go right into Factor #1: “The ability of a participant in an electronic health information exchange network to access or request health information without knowledge of the source of that information creates new challenges to protecting confidentiality, privacy, and security.” And then there is a draft recommendation that follows the beginning part of that discussion, where the CPS Workgroup recommends that HHS work with other stakeholders to create a set of guidelines for protecting the confidentiality, privacy, and security of information that is collected by or shared through a health information exchange. The private process HHS should consider advising the HIPAA Privacy and Security Rules as appropriate to govern the use and disclosure of personal health information by covered entities participating in health information exchange. Anybody have any comments on that section or the text of that (inaudible)?
>> John Houston:
This is John Houston on the telephone.
>> Deven McGraw:
Yes.
>> John Houston:
Are you concerned about the fact that actually, you said “covered entities participating in an electronic health information exchange,” and it says here on my document it’s just “entities.”
>> Deven McGraw:
Oh, I’m sorry.
>> Kirk Nahra:
Right, right, yeah. We (inaudible). We were just (inaudible) on that yet. So it talked about all entities rather than just covered entities. Now, that was a very we had a discussion on that earlier, because it’s probably correct that it will end up being “covered entities,” assuming that our earlier recommendation, which recommended all these participants become covered entities, is in place. But we didn’t want you know, this letter obviously might be read independently. It might we might not have that earlier recommendation adopted by decisionmakers in the future, so we wanted to make clear that it would be all (inaudible) participating. But if all of our recommendations, once they turn to recommendations, become accepted, this would be sort of a logical follow-through, as you it would, in fact, be covered entities by definition.
>> Deven McGraw:
Yes. Sorry about that. I was reading a prior draft.
>> John Houston:
Do we need, then, to clarify or make sure that somehow we take and tie that together as part of this narrative and recommendation, so that one doesn’t get adopted out of sequence or without the adoption of the
>> :
(Inaudible) assuming that our earlier recommendations to be made
>> Kirk Nahra:
Yeah, although again, John, I’d look at it sort of the we handle it sort of the other way, which is, by taking out the phrase “covered entities” and just substituting “all entities participating,” you don’t need to have the first recommendation adopted. This recommendation can still stand on its own. If you had all of them adopted together
>> John Houston:
That’s no, you raise a good point. That’s a great point. Sorry about that.
>> Kirk Nahra:
And that’s the reason why we did that is, we did we hoped that they would be adopted sequentially as a package, but if they weren’t, this one will stand alone and still say, “Everybody who’s participating needs to have policies governing.”
>> John Houston:
That’s a good point.
>> Deven McGraw:
Any other comments on that section?
>> :
One thing that it occurs to me would be a factor, I think, just as a little nit but it talks about “without prior knowledge of the source that knowledge of the source of that information.” Should it be, like, “prior knowledge” or “independent knowledge” or something like that? Because they might get the knowledge of the source through the network. I think we meant I thought what was meant was “without or independent knowledge of the source of the information without the absent the network.”
>> Kirk Nahra:
Oh, automatically. I mean, that might happen but also might not. So sort of its un it’s not just (inaudible), but it’s not there isn’t automatic knowledge, you know. That’s the concept more than I mean, you could structure a network so that people got knowledge.
>> :
Right.
>> Kirk Nahra:
You could structure you know, before, during, or after, so you got the structure of the network not to have that knowledge (laugh).
>> :
Right, but it seems to me that the new challenges are because somebody accessing the network didn’t have knowledge of the person’s information absent that network. So, you know, am I confusing...?
>> Kirk Nahra:
Well, I’m confused, but (laugh)
>> :
Yeah. So the ability of a (inaudible) electronic health information exchange network to access or request health information without knowledge of the source creates new challenges. And
>> Kirk Nahra:
Without the source having knowledge that it’s being accessed, that is.
>> :
Oh, okay. Well, then, that’s what maybe that just needs it might just be a grammar issue, then. So that’s a source having knowledge of its being accessed.
>> Kirk Nahra:
But today, I’m permit if I’m a provider, I’m permitted to call up another provider and say, “Please send me information for treatment purposes.” The person I call up is obviously going to know that I’ve requested, because that’s the only reason they know about it. In a network setting, the person who has that earlier information might not know that I’ve had asked for it, depending on how the network
>> :
(Inaudible) should probably read “without the source having knowledge.”
>> :
Yes.
>> :
That’s what I’m (inaudible)
>> Steve Posnack:
the interpretation that I would have put on that.
>> :
Right. So that’s why I’m saying (multiple speakers)
>> Steve Posnack:
All right. I just well, all right, so maybe it’s the way but that is the purpose is probably I don’t think that what we were trying to articulate here is that it you know, now, in a paper system, you know who the source is. You call them up, and you get the information. With a network, you can get the information without knowing where the source of the information was previously.
>> :
And that’s what I’m saying is not clear for me.
>> :
Well, I think the sentence should address both of those issues, because both of those issues are part of what
>> :
Yeah. It I think that’s right. I think there
>> Steve Posnack:
So without knowing who the source is and what the source (inaudible)
>> :
or knowing that it’s been requested.
>> :
Those are both significant challenges.
>> Deven McGraw:
Yeah, because my recollection from earlier iterations was that it was about the patient not knowing. But I agree that although it’s interesting. I don’t know that any net you know
>> Kirk Nahra:
Well, the physician doesn’t know today necessarily, either.
>> Deven McGraw:
Well, except that we’ve gone through this before. In a paper-based system, you don’t know what providers have seen necessarily and aren’t going to tell you.
>> :
Right.
>> Deven McGraw:
So that’s the benefit of the exchange. And the difference in an exchange is that if I type in information that pulls up your record, whether it’s your name or an identifier or whatever, that’s you don’t have to ask me what cardiologist I saw. Ideally, that information’s already been (inaudible).
>> :
So I think there’s yeah, and I think there’s two issues. So there’s the issue of the doctor who’s seeking information in today’s world. Would it necessarily know to call the other doctor that has information? Because they would have no knowledge of the source of that other information.
>> Deven McGraw:
Not necessarily, right?
>> :
Not necessarily. And (inaudible) go to a network and get that. And then Kirk’s point is the opposite is, the doctor who has the information about you about the patient may have that their information queried by the new doctor without knowing that it’s been queried.
>> Deven McGraw:
Oh, yeah.
>> :
So I think it I think
>> Kirk Nahra:
(Inaudible) I mean, the doctor may not know where the query doctor may not know, but then we also say the patient may not know, because the patient today is presumably the source of that. Maybe we’ve got to deal with all three of those.
>> Deven McGraw:
I only see two.
>> :
Yeah, I’m not sure of the
>> Kirk Nahra:
There’s “old doctor not knowing,” there’s “new doctor not knowing where it came from,” and there’s “patient not knowing.”
>> Deven McGraw:
Okay. So I’m querying on #2, you’re talking about if they pull up if new doctor pulls up information on me from the network, that doctor’s not going to know the source of that information? I don’t get the sense that that’s how that networks are being
>> Kirk Nahra:
I thought that that was what you started with.
>> :
No, I was saying that the doctor would not know that there was information out there or know who to ask. Today, patient comes to me, and I either either a patient tells me, “Oh, I just saw this other doctor,” and I can call him; or the patient tells me nothing, and I just operate on whatever information I have. I don’t know who to call to get more information. But in a network environment, I could even if the patient doesn’t tell me that they saw this other doctor, I can look up on the network where there might be records about that patient and find information, despite the fact that the patient hasn’t told me that there’s information out there.
>> Kirk Nahra:
The patient doesn’t know that I’m asking for that information.
>> Deven McGraw:
Yeah. Right. Nor does the cardiologist that I saw, who put the inf but presumably, they assume that someone will access that data. (Multiple speakers)
>> David McDaniel:
(Inaudible) know that the data exists, because they don’t know the relationship that they had with the doctor. For example, you go inpatient if you see five different doctors, you don’t even know who those doctors are, because Medicare has picked up the cost. You don’t ever get a bill from them. You don’t even know that you’ve necessarily seen that person
>> Deven McGraw:
Right.
>> David McDaniel:
while you’ve been in your inpatient stay. And they may be going and putting information in about you that they wouldn’t even know to give to their doctor. But that information is going to be there about them.
>> :
Right. Well, although that’s true in a paper-based record, too.
>> David McDaniel:
Right.
>> Deven McGraw:
So I think what we’ve got is two things need to be reflected here, one being that the patient doesn’t realize that the doctor can get that a provider that they see can get information about them from other providers without necessarily asking them, telling them, etc. The other scenario is that the physician or hospital or provider that put information into the network won’t necessarily know that that information has been accessed by another provider. I think those are the two not-know situations, because to me, the third possibility that got thrown out, which is that when you, as a provider, query the network, you have information in front of you but don’t know the source.
>> :
Yeah. No, that’s not what I was trying to say, it’s the same part of the patient not knowing that the provider can get the information that the provider now has access to information that they wouldn’t have had in a paper-based system, because they wouldn’t know how to get it. They wouldn’t know the source of information about you. They wouldn’t know who to call to get the information. Now, they don’t know have to call. They could just
>> Deven McGraw:
I’m not sure that rises raises additional confidentiality, privacy, and security
>> :
It’s just that they’ve it’s the same issue, I think, as the patient issue. It’s just the
>> Kirk Nahra:
Yeah, and one of the questions in my mind is, today pick a city where there’s one hospital where there’s one big hospital. The doctor’s allowed to call up that hospital and say, “Have you ever treated Deven McGraw? I need the information.” Even if the patient doesn’t tell them, they could very easily have a situation today where the patient doesn’t know. It’s just that the most efficient way to get that information is from the patient, but, you know because I ought to get that information from the patient. There may be various situations where you don’t get that information from the patient. So one of the questions is that we’ve been talking about this in the context of differences. So one of the questions is, “Is the fact that you now have a clear, obvious alternative source necessarily a difference that requires new rules?” We can have a discussion about that. It’s I don’t think it’s it’s not factually correct to say that the patient today is the only source of that information.
>> :
Right.
>> Kirk Nahra:
The patient may be the best and most efficient source. As David was just saying, there may be lots of situations, particularly in a hospital setting, where the patient is not even a good source of that information.
>> :
I think something you said is might be a good way of saying it, Kirk, which was that the provider now has a new source of information, so it’s not just calling up other providers and figuring out either because they
>> Kirk Nahra:
They have more efficiency. They could call all the providers today. You could call every doctor in town if you wanted to do that, just that you wouldn’t do that because that’s not efficient we’re making this making it more efficient to do that if you have a network. But it’s really an efficiency rather than a po you know, it’s just that it’s impractical, but it’s permitted today.
>> Deven McGraw:
Right. Anybody else have any comments on this?
>> :
So doesn’t that create an additional challenge for privacy and security and availability and so much already?
>> Kirk Nahra:
That’s a quest I mean, that’s the question: Does the fact that this information is I mean (multiple speakers)
>> :
If I can just look at it in a system and I don’t have to make the decision that I’m going to call over three or four hospital systems to find it out, then that changes the dynamic, because the likelihood of the the information being available is much greater than if you didn’t have
>> Kirk Nahra:
I absolutely agree that it changes the dynamic. The question is whether changing the dynamic means you need new rules or not. And that’s the question we’ve been struggling with, or that’s one of the main questions we’ve been struggling with. And it’s a question that, frankly, we sort of punt on in this. We’re trying to identify the components of that issue. Yeah, what we’re doing in this first factor, I think, is trying to advance the ball by getting by pulling out some of the issues that we’ve been dealing with, even though we don’t really have answers to those questions. Rather than just turning it over as a blank slate, we’re trying to turn it over with well, the fact that this information is now more efficiently available is one of the things you’ve got to factor in. We don’t have an answer to the question of whether that requires new rules or not. I agree it changes the dynamic. You know, one of the things I want to understand is, efficiency does not, in my mind, necessarily change the privacy rules. It’s not an automatic. It just is a little different. Maybe what it does is, it changes the security rules and not the pro you know, I can see a variety of ways to play that out, and we haven’t, as a Group, answered what those rules would be.
>> :
Which then meets the recommendation that they should just consider revising or clarifying (inaudible) the Privacy and Security Rules. And this is the fact that they just consider in making that decision.
>> Steve Posnack:
So process-wise, it should be this is Steve I brought this up to the Co-chairs before the meeting. A couple of the comments that we got out of the factors, in terms of the recommendations and the factors, were that they were somewhat redundant in some places throughout the letter. And we had discussed whether or not they had reached the end of their utility in terms of being there as a factor. I can see us turning this whole conversation into a paragraph or topic sentence for the section. We had as we walked through, we had to consider whether we want to keep the factors or not. So...
>> :
Okay.
>> Steve Posnack:
Just to key that up for folks’ consideration.
>> Deven McGraw:
Any other thoughts on recommendations factor 1 and the text that precedes Recommendation #1, and Recommendation #1? (Pause) Okay. Moving on. So the Recommendation #2, which had text preceding it to lead up to it: “CPS Workgroup recommends that the guidelines developed by HHS pursuant to Recommendation 1 and then any revisions to the HIPAA Privacy and Security Rules address the potential uses and disclosure of personal health information outside an episode of care and by an entity that has no current or prior relationship with the individual, including for research purposes.” And obviously, that recommendation is keyed off of the discussion that precedes it that raises those particular concerns. Any thoughts there?
>> Susan McAndrew:
This is Sue McAndrew. In terms of phrasing this as an episode of care, what kind of boundaries are you drawing vis-à-vis the broader definition of a treatment purpose?
>> Deven McGraw:
We haven’t, Sue. We and nor have we defined “episode of care.” Let me find the part of the text where we talk about it.
>> Susan McAndrew:
I was just wondering if you intended to do something different than what the universe currently does with respect to treatment conversations.
>> Thomas Wilder:
This is Tom Wilder. Is the question when we say “outside of the episode of care,” are we talking about my physician, you know, treats me for a whole bunch of different things, but they look at my record outside you know, outside of any incidence around my last physical? Or are you talking about both, other than my provider, people that had no, you know, treatment of me whatsoever looking at my record?
>> Deven McGraw:
Well, I think as this has evolved, I think it is not I mean, I think it is both about your provider and maybe potentially other providers. And I think the concern was, again, the easier availability of this information and an ability for providers to query it means that and when I say “outside an episode of care,” it would be outside of needing to access it to treat you.
>> :
So, Sue, are you suggesting that if we’re are you suggesting that if we’re needing are we needing treatment? And if so, should we use the term “treatment” so that it’s clear to (inaudible)
>> Kirk Nahra:
If not, it would be something narrower or broader than (inaudible).
>> Deven McGraw:
Right.
>> :
Right.
>> :
Okay.
>> :
“So is this treatment, or is it was there an intent to either make it broader or narrower?”, I think, is the question on the table.
>> Deven McGraw:
I believe the intent was beyond treatment. But, you know, again, this has been evolving in a sort of working draft form for many months and, I think, queued off of some sort of initial concern.
>> :
What do folks think about this?
>> Tom Wilder:
This is Tom again. I you know, I think we just need to define what we mean by “episode of care.” And I guess there is a question to be asked about, you know, my health care provider just looking at my record when they have no kind of treatment reason to do so, even though they are you know, I had an established relationship with them.
>> Steve Posnack:
That was my original understanding of the intent of this. By “episode of care,” I think we probably meant “treatment,” but we just didn’t say it. That makes the most sense to me. I can’t think of
>> Deven McGraw:
Yeah.
>> Steve Posnack:
You know, it was just the fact that, you know, they have a provider has access to the network. They may not be treating you anymore. They may have seen you 6 months ago. There’s absolutely no reason for them to use the network again to
>> Deven McGraw:
Well, I think it’s both no reason and also the squeamishness, I think, that people have about using the network for the health care operations, as opposed to for treatment or for payment. And this dates back to conversations that we had in trying to sort of resolve the consumer choice issue about
>> David McDaniel:
But I could see a situation where, if you went with just “episode of care,” you’d be talking about a particular event, whereas if you’re talking about treatment, I can see say you access the information to treat that patient in an episode of care, but then you want to do coordination of care down the line to be a more thorough provider. It has nothing to do with that episode of care, but it would fit the definition of treatment because of coordination of care. So you’d you wouldn’t tie a provider’s hands to keep them from using that information for a legitimate treatment purpose that was outside of that episode of care that would be appropriate for them to be able to (inaudible).
>> Kirk Nahra:
I think Sue, let me paraphrase your question, but I think what you were saying was, “episode of care” is a different word than “treatment.” Is it the same, is it broader, or is it narrower? And I don’t think we have an answer to that. So I guess my sense and I think this is what Steve said is, we should use the same words. We’re not intending it I mean, if it’s describing situations where “episode of care” would be too narrow, maybe there are situations where it would be too broad, although I’m not sure about that example. But we’re intending to I don’t think we were intending to carve out the situation you described, so we should use “treatment.”
(Inaudible) as Deven said a minute ago I mean, we had a discussion in this Workgroup 3 or 4 months ago about whether the network could be you know, whether we could define the universe of appropriate usage for the network to try to mirror HIPAA, meaning they would have been treatment, payment, and the health care operations categories where covered entities were allowed to exchange for each other’s purposes. We had a lot of discussion about whether that was the right model. Some people, myself included, liked that model, but there were other people who didn’t like that model. I think everybody was comfortable with the idea of treatment. The issues beyond treatment, even in that core category, were subject to some discussion. So we need to talk you know, we had basically, I think the purpose of this recommendation is to say, “What else besides treatment, and who else besides the people participating in the networks that don’t have you know, that don’t deal with treatment?” So that’s sort of the framework, I think, for how we got to where this language is.
>> John Houston:
Okay. This is John Houston. And looking at the actual language, though, in the recommendation, I think one of the things that’s missing here is there’s it’s only implied that, with regards to information gathered outside of episode of care, it’s by a provider that has a treatment relationship with the patient. Do we want to clarify the fact that there still has to be a treatment relationship established prior to getting that information, even outside the episode of care?
>> Kirk Nahra:
Well, how let me just ask you a, I guess, sort of theoretical question I which is, “How would a provider say, ‘I am doing treatment under the HIPAA Privacy Rule,’ without having a relationship with the patient?”
>> John Houston:
You wouldn’t. But that’s just might not that’s what I’m saying is assumed. Some people I mean, I think that we need to be clear that that is one of the assumed criteria here is that, A, you have to be you have to have a treatment relationship prior to the time you can get information, whether it be part of an episode of care or outside of an episode of care, because I think there this is rich for interpretation, I guess, at this point in time.
>> Kirk Nahra:
Yeah, although I guess, John, I just an opinion, and I have a different view, which is, if we’re going to use the whole purpose of using the same word would be to use the word that’s already got a set of principles around it.
>> John Houston:
Which word?
>> Kirk Nahra:
(Inaudible) sorry?
>> John Houston:
Which word is that?
>> Kirk Nahra:
“Treatment.” I mean, I don’t think a prov I mean, if a provider says, “I’m allowed to access information about Deven just because I feel like it,” they would be violating the HIPAA Privacy Rule today. They would not be engaged in treatment activity. And so, I don’t think we have to I mean, my view would be, we don’t have to reinvent that wheel here.
>> Jill Callahan Dennis:
Well, this is Jill. I prefer the word “treatment,” because it actually does have a broader meaning, I think, than a specific episode of care. Let me give you an example of how data gets shared in sort of odd ways that a lot of people aren’t aware of. Let’s say a patient’s been referred to a long-term care facility. Before the long-term care facility ever lays their hands or eyes on that patient, they’re reviewing information to see if this placement is appropriate and if the services that they offer match up to the patient’s needs. Now, in a network in a paper environment, somebody gets the patient to sign (laugh) a sheet of paper, and information gets faxed around. But in a networked environment, you could see, you know, the efficiencies possible of, you know, being able to even though they’re not in the episode of care stage yet, they’re sort of planning for treatment. And the definition of treatment under HIPAA does incor it does anticipate those kinds of planning activities. So I think it’s just a safer bet, given that there’s going to be uses of that information that aren’t, you know, necessarily readily apparent to us now.
>> Deven McGraw:
Okay. There does appear to be a consensus that “treatment” is the better word to use, just in terms of if for no other reason, then that’s certainly a term that has a definition and that we’re all (multiple speakers).
>> John Houston:
Do we believe (multiple speakers)?
>> Kirk Nahra:
Well, let me let’s break up the issues. I think that Jill and John are talking about two different things.
>> John Houston:
But they are they do have some relationship.
>> Kirk Nahra:
I understand that, but let’s separate them out. The first issue is I think we are all on the same page on, but let me be clear is, we should substitute the word “treatment” instead of “episode of care.” Is there anyone who disagrees with that? (Pause) All right. Now, John, to go to your point, the question is, when we substituted “treatment,” do we need some additional explanation of what “treatment” means?
>> John Houston:
Or who’s yes, or and let me give you an example that may I’m just verbally thinking here. What if we I’m sure that once a larger this all forms NHIN forms that you’re going to find health insurers who are doing some type of, you know, health, wellness, chronic care support things like that. We’re going to want to or love to have access to all of this information in order to manage their members.
>> Kirk Nahra:
Although I think, by definition, today, health insurers cannot provide treatment.
>> John Houston:
Well, they can well, if yeah, there are a lot of things that they can do under the Privacy Rule get at information for a variety of purposes that might be related that and I forget what they are at this point, but I remember doing an analysis, and there are s they do have certain rights to get at accessing data under the Privacy Rule that you arguably relate to health management and alternative therapies (inaudible)
>> Kirk Nahra:
John, I was pointing out that they specifically cannot do the word “treatment.”
>> John Houston:
But there are a lot of things that they can do. So, okay, if you’re sick, but it’s and it’s outside, it’s the outside treatment.
>> Kirk Nahra:
Right, so it’s not when we say “treatment,” we don’t include the stuff that insurers can do, because they can’t do treatment.
>> John Houston:
But we’re look at the first word under num under Paren 1, which is “outside.”
>> Kirk Nahra:
Right, they need to address the uses outside of treatment. What we’re saying is, we all think treatment is good. It’s the only thing we can agree on is uniformly good, and therefore everything else has got to be subject to future discussion, including all of the things that insurers do that are close to treatment but that aren’t treatment.
>> John Houston:
Okay.
>> Steve Posnack:
I think we could probably say here “outside of treating an individual” or “outside treating the individual.” It might make it a little more clear.
>> :
Treatment of individuals? (Inaudible)
>> Kirk Nahra:
I still think any time you use a different word, even if it’s a similar word, you raise the question as to whether it’s something different. We could say “outside of treatment” (inaudible). But John, your the issues you were raising are things that insurers today under the HIPAA Privacy Rule can do in some circumstances under the rubric of either payment or health care operations.
>> John Houston:
You’re correct.
>> Kirk Nahra:
Those issues would all be uses, and so they’re outside of treatment. And therefore, they’re exactly the kind of thing we’re saying needs to be looked at.
>> John Houston:
So therefore, we do need to use the word “treatment” here with we use you know, almost capitalizing the word “treatment.”
>> Kirk Nahra:
Right. You know, treatment’s in. Everything else is up for debate.
>> :
And let me ask a question. Is it worth just noting I know we note in here about other I’m wondering maybe we don’t need to note it if it’s worth noting some of these other activities I mentioned research here is it worth noting that there are some treatment-related activities that would not that health plans might be engaged in that are not...
>> :
Well, that could be a really long letter.
>> :
Yeah, I know.
>> Deven McGraw:
The reason why research was specifically noted here was because we’ve had Workgroup discussions not extensive ones about the research rules and decided that it was not the right time to come up with some recommendations pending, you know, the big island effort to look at this thing. And so that’s why research is specifically mentioned, not in an effort to sort of because we weren’t trying to define the field. We were going to try to address the fact that we talked about the specific (inaudible)
>> David McDaniel:
What if we generalized and said something to the effect or other things that are currently provided in the paper world outside of treatment so that (multiple speakers) I know that there’s a battery of things that they really need to be looking at.
>> Kirk Nahra:
Again, I mean, I guess I’m leaning toward maybe we need to break this up into a couple pieces. But the first piece is, people who are within HIPAA today have the ability to use and exchange use and disclose information for treatment payment health care operations purposes covered entities. They can one covered entity can ask another covered entity to give them information for treatment, payment, and some health care operations not all health care operations. So the first question we debated was whether that rule, which, in HIPAA, says I can ask another covered entity to give me information for my treatment payment health care oper and some health care operations purposes, whether we want to translate that to the electronic environment. There were definitely people on this Workgroup who said we didn’t want to just make that translation, because we were uncomfortable with some of the things on that list other than treatment. We were uncomfortable with some of the payment issues. We were uncomfortable with some of the health care operations pieces, even recognizing that there were only a couple of health care operations pieces. So we couldn’t we didn’t reach a conclusion on that. So we’re identifying that issue, which is a between-covered-entities issue, full stop.
The second point, which is currently in this recommendation, is somewhat different, and maybe enough different that it justifies putting in a different recommendation, which is, we also look at the question of whether there were additional potential values from this network for other public purposes that involve people who weren’t covered entities. Research entities and public health were the two main ones that came up. And we had a lot of discussion about whether we would say it’s okay to use these networks for research and public health purposes. We did not reach a conclusion on whether it was okay to use these networks for research and public health purposes or, probably to say it a little more fairly, what conditions would be imposed in connection with research and public health purposes. But that’s a very that’s a different kind of analysis.
I mean, I would personally, I would love to see the HIPAA rule on TP and (inaudible) just translated, because I don’t personally see the differences that go to those points. I have a lot of questions about the research and public health fees. From my mind, that’s a very different situation than we have today. It’s a question where we’re going to balance the potential positives of the networks with some other kinds of issues, and we haven’t drawn a conclusion where that balance is.
So maybe what we need to do is, we need to break those two points out and identify them I mean, it can be an A and a B, if we want to do that. But they really are different issues. One is what the covered entities, the core health care participants, can do. The other is what other kinds of people can do with the information.
>> Deven McGraw:
I guess that makes sense.
>> John Houston:
I see no objection to that. Are we going to talk about the second one, though?
>> Kirk Nahra:
The second one being the research?
>> John Houston:
Yes.
>> Kirk Nahra:
Well, again, what we’ve said on here I mean, again, my understanding of where this Group was when we talked about those issues before was, we didn’t reach any particular conclusion. We thought, on research, that a lot of other people were looking at research, and so we weren’t going to spend a lot of time on research. We had the public health people come in and sort of talk about what they were doing, and our conclusion was sort of that nothing that they were doing today really was all that different or controversial or things that were worth spending a lot of time on, so we sort of punted on that whole issue.
>> John Houston:
So can I ask a question? And maybe it’ll avoid further discussion, but is OHRP part of HHS?
>> Deven McGraw:
Yes.
>> John Houston:
Okay.
>> Kirk Nahra:
What? I’m sorry. What does that stand for?
>> Deven McGraw:
Office of Human Resources Protection.
>> Kirk Nahra:
Oh, okay. Uh-huh.
>> John Houston:
Because if it is, then I think, you know I think OHRP needs to be involved in a research discussion. But obviously, if they’re part of HHS, it’s part of a broader recommendation.
>> Kirk Nahra:
Well, and again but our discussion is essentially that we’re not going to deal with this.
>> Deven McGraw:
Well, no, but (inaudible) we need to mention OHRP being involved, but if we’ve got HHS at large did I am I paraphrasing you right, John? We don’t need a path away from C.
>> John Houston:
That is correct.
>> Deven McGraw:
Okay. So what I Kirk, that sounds like a good idea. And when we do there is a recommendation on or there’s some text, at least, on public health. I’m trying to remember if we actually did have a recommendation on it. So it’s more towards the back of the letter. So certainly, if we’re going to sort of bifurcate this discussion and recommendation into two parts, we would obviously move that up. And I think when we get to the public health piece, you know, we can discuss what we’ve said there in some more detail. Does that make sense? (Pause) Okay.
Moving on to Recommendation 3, what happens after Recommendation 2 is, the letter goes into a discussion about whether the HIPAA minimum necessary rules are at all helpful in addressing some of the questions that are actually raised above in Recommendation 2. And there, you know, is a recognition that if our previous recommendation were adopted, minimum necessary would apply. And there’s kind of a series of bulleted considerations about, you know, if what additional con what does that get you at the end of the day, essentially? (Inaudible)
>> Kirk Nahra:
Let me just jump in for 1 second which is Deven is pointing out that the Recommendation 3 sort of goes back to the points raised in Recommendation 2. We don’t really have much in Recommendation 2 (laugh) that sort of explains the recommendation. I think we’ve got to that we’re going to separate those out, but I’d like to have we need drafts of language to sort of explain what we’re talking about in Recommendation 2. I mean, the stuff under that is more of a lead-in to Recommendation 3 than it is an explanation of Recommendation 2.
>> Deven McGraw:
Well, and you although that’s the way the letter is structured overall.
>> Kirk Nahra:
(Inaudible) we have it up before that, you mean?
>> Deven McGraw:
Well, we may not.
>> Kirk Nahra:
Okay. (Inaudible)
>> Deven McGraw:
I mean, we should not, especially now that we’re breaking it into two, so...
>> Kirk Nahra:
Yeah, okay. Well, it may just be an organizational issue, but we need to make sure that’s covered.
>> Deven McGraw:
Right. We do have I mean, it is true. You raised a point. The way that this is structured now, the text that leads to the recommendation is in front of the recommendation, versus putting the recommendation up front and then having this text explained why we got there. So that is my preference, because I think if you read these recommendations cold, you don’t without the context, you’re likely to
>> Kirk Nahra:
(Inaudible) conclusion more than a...
>> Deven McGraw:
Right.
>> Kirk Nahra:
That’s fair. Okay.
>> Deven McGraw:
So but I’m you know, I’m hap if folks feel differently, we can put that back on the table. So and the way that it became more obvious to me was, in some that this was a good model with in some previous iterations that Kirk and I were looking at prior to this meeting, he had put some summary records the summar all the recommendations up in the front as a nice summary of, you know, sort of what our sort of conclusions were, at least our conclusions that are advice to the next body that’s going to take this up, and really out of read out of context in that way, you know, you could if people didn’t read the whole letter, we would have been in a little trouble. (Multiple speakers)
>> :
Well, let me ask you a question, because eventually, if this were to go through, it would be presented to the AHIC. And usually, if we will present the recommendations, we get to be there and explain it.
>> :
(Inaudible) Absolutely.
>> :
I just wanted to make that point that they may be pulled out from the letter so that they could be presented.
>> Kirk Nahra:
I guess just to go back to my point, I think we need to add some discussions. In the precursor to Recommendation 2, all that this talks about right now is the sort of positive side, meaning that why we talked about treatment and why we said treatment is good. It doesn’t raise the back end, which is, today, this would be payment and some health care operations as well. We haven’t suggested that for because of these issue you know, so that piece just gets lost in that explanation. The “why it isn’t broader” piece gets lost.
>> Deven McGraw:
Right.
>> Kirk Nahra:
And okay.
>> Deven McGraw:
All right. So there’s a lot of discussion about what you know, application of minimum necessary by an electronic health exchange network dome questions that get teed up. And then the recommendation itself, Recommendation #3: “CPS Workgroup recommends that the guidelines developed by HHS pursuant to Recommendation 1 and any revisions to the rules address the concept of minimum necessary for uses and disclosures of personal health information within the context of electronic health information exchange networks.” For example examples of how it works in an electronic health inform how it works or how it would work in an ex electronic health information exchange environment. But... okay?
>> Kirk Nahra:
Well, again, what not having thoughts at this point doesn’t mean that this is the end of the
>> Deven McGraw:
That’s right.
>> Kirk Nahra:
discussion. It’s just, “Okay, we’re trying to look to move this along to future drafts.” So, you know, if people have other comments at later points, feel free to send them in. But as far as discussion, we’ll move on to the next one.
>> Deven McGraw:
Okay. So with respect to the text that follows after Factor 2 and before Recommendation #4, I think just refreshing my memory. Actually, they’re 4 and 5 together are responses to the text above. I think this was where all right, these recommend I’m just refreshing my memory turning into a really long letter. Number 4 was about “As part of this effort to create a set of guidelines, again for protecting the confidentiality, privacy, and security of information collected by or shared through an electronic health information exchange network pursuant to Recommendation 1, the Workgroup recommends that HHS also work with stakeholders to consider the appropriate uses and disclosures by and from the network itself, which is the notion that we’re not just talking about what the participants in the network can do with information in the network, but also the network now has access presumably and may even be storing information under certain models. What can the network do? And then Recommendation 5, again, is HHS is con work doing its work on these guidelines and considering whether there need to be revisions to the rules also to consider that work with stakeholders to ensure the security of personal health information within an electronic health information exchange network from unauthorized access, both internally and externally.
Any thoughts on any of those? (Pause) Again, the text that precedes this really does deal with both the access of it both what the network can do and also, again, the sort of dangers of people hacking in.
>> Jodi Daniel:
Would it be I’m wondering if we should move I’m looking at this, just how it’s set up if we should move Recommendation 4 up into this other language specifically dealing with security. It’s right above 5. I’m seeing if that makes sense.
>> Deven McGraw:
Okay. I’m sorry Jodi. Can you say again?
>> Jodi Daniel:
I was just wondering if we have this recommendation pulled together, if there is a break between these two points these two discussion points, and if the Recommendation 4 should be moved up to... between the two paragraphs
>> Deven McGraw:
Oh, okay.
>> Jodi Daniel:
so that it more immediately follows the discussion.
>> Deven McGraw:
I see.
>> :
The paragraphs are short enough to where it’s I mean, it’s okay with me.
>> Jodi Daniel:
Okay. Either way.
>> :
But I mean, I see your point, but I think if you were reading it, you’d just realize that we’re making (inaudible) recommendations off of it.
>> Deven McGraw:
Yeah, they are short, although and I neglected I to read Recommenda this is actually a trio of recommendations here that go (inaudible). And the sixth one has to do with HHS conducting research to gather evidence and determine the extent to which the current deidentification algorithm provides satisfactory assurances that a person could not be reidentified it says “could be reidentified”; it should say not be reidentified through the use of public databases and the like. Consider revising the Privacy Rule as appropriate. And I do think I Jodi, I see that Recommendation 5, which deals with security issues; and #6, which deals with deidentification both of which are addressed in the second paragraph, whereas Recommendation 4 is really limited to the one above. So well, let’s experiment with that and see how it looks.
>> :
(Inaudible)
>> Deven McGraw:
Yeah. I think you’re right that you don’t get too lost in this paragraph. (Inaudible) sure, but as we continue to develop this, this paragraph might get longer (laugh). You never know.
>> :
Is this do you think this is well-fleshed out enough to lead to the recommendation? There were a couple of comments earlier on earlier sections that just I think they are.
>> Deven McGraw:
Well, does anybody folks have been a little quiet on this one, maybe because we’ve been talking a lot in the room. Did anybody have any anyone on the phone have thoughts or concerns that they want to chime in on this section? (Pause) Okay. Again, not our last bite at this apple. Okay.
>> :
Make sure the phone line’s open there.
>> Deven McGraw:
(Laugh) Are people are you there? (Laugh)
>> :
Oh, yeah. (Laugh)
>> Deven McGraw:
All right, well, let’s move right on, then. Factor 3 and we have spent some time as we were working through this on this particular issue. This is the one about how we don’t want to have two sets of rules governing the same piece of information. And so Recommendation 7 reads, “The CPS Workgroup recommends that as HHS develops policy guidelines or requirements for protecting health information exchanged in a network environment, network participants should not be required to protect information differently depending upon its source.” Any response thoughts on that? We had a lot of comments about how to word this in a way that made it clear. So I think we’ve improved it, but of course, if folks want to submit some comments, please do so.
All right. The next factor deals with the roles, rights, and responsibilities of consumers with respect to their personal information that is stored and shared within the exchange networks, as well as legitimate needs that providers and other entities have to access, use, and disclose health information.
And there is a shortened amount of text here, and the recommendation that follows and there’s a recommendation and a sub related recommendation: “The Workgroup recommends that policies, guidelines, or requirements developed by HHS with respect to electronic health information exchange networks specifically address the role of consumers and their caregivers, providers, family members, and other authorized individuals. The policies, guidelines, and requirement, should determine whether consumers should be permitted to control the use or disclosure of their personal health information by an electronic health information exchange network.” And then the related recommendation: “The Workgroup recommends that at times where consumers are provided the opportunity to choose whether to share personal health information or not that such a choice be accompanied by appropriate education.” This really is the wording of sort of where we are on the consumer choice question.
>> John Houston:
This is John Houston.
>> Deven McGraw:
Hey, John.
>> John Houston:
Hey. I apologize. I had to step away for a second. But one point I think we need to clarify here is in that last sentence in Recommendation 8. I would advise that we say, “These policies, guidelines, or requirements should determine the degree to which”
>> :
I agree, John. It’s not an all-or-nothing issue.
>> John Houston:
Yeah.
>> :
Okay.
>> John Houston:
And take out “whether and if the consumer should be permitted to control the use or disclosure of their personal health information.”
>> :
Mm-hmm. Okay.
>> Kirk Nahra:
Well, then, also, I mean, just I guess there’s also two points. One is the sort of consumer choice point. The second point is, consumer choice, whatever you decide it should be, isn’t the end of the story. We need to have you can’t put all the burden on the consumer choice piece.
>> Deven McGraw:
Right.
>> Kirk Nahra:
I’m not sure that’s covered by Recommendation 8, which is (inaudible) that’s in the text, but we should probably
>> Deven McGraw:
Yeah. Okay.
>> Kirk Nahra:
Yeah. The idea that consumer choice I don’t think I don’t have the words to say this yet, but Deven, probably the issue we were talking about on the listserv: You can’t place all responsibility for controlling these issues on the patient. You still want to have rules that deal with the other participants. It’s not enough just to talk of to address it as consumer choice issue. You need to address the consumer choice issue, but you need to have the additional component as well. (Inaudible) we talk about that in the text, so it doesn’t
>> Deven McGraw:
It doesn’t get reflected in the recommendation. Okay. That makes sense. Any other thoughts?
>> Jill Callahan Dennis:
Yeah, but you guys are going to kill me. I was just actually, my eye caught on something in Recommendation 6, and I just wanted to check wording with you guys. Can we flip back just for a moment?
>> Deven McGraw:
Of course.
>> Jill Callahan Dennis:
Where we talk about the extent to where the current deidentification algorithm provides satisfactory assurances that a person could be
>> Deven McGraw:
(Inaudible) “could not.”
>> Jill Callahan Dennis:
You mean “could not be.” Okay. All right. I missed that the first time.
>> Deven McGraw:
That’s okay.
>> Jill Callahan Dennis:
All right. Thanks.
>> Deven McGraw:
That would (inaudible) if somebody had not caught that, Jill, that would not have been good, so... (laugh)
>> Steve Posnack:
That’s why they’re draft recommendations. (Laugh)
>> Deven McGraw:
We’re just making sure people are awake. (Laugh) Okay. Moving on to
>> Jill Callahan Dennis:
So we will have something in Recommendation 8 to reflect the fact that consumer choice is not the end of is just part of the equation.
>> Deven McGraw:
Right. I think we need to reflect or make a reference back to the other component is what we recommended, so...
>> Jill Callahan Dennis:
Yes. Okay.
>> Deven McGraw:
Okay, now we get to the second all of the recommendations that we’ve just been through go to electronic health information exchange network. The set of recommendations that are at this end of the letter have to do with personal health records. So the first one follow the first, Recommendation 9, follows from Factor 5, which talks about policymakers considering the roles, rights, and responsibilities of entities that provide PHRs for use by consumers and their caregivers, including HIPAA-covered entities, third-party vendors not subject to the HIPAA Privacy Rule, and health information exchange networks. And the recommendation and draft reads as follows: “The Workgroup recommends that HHS work with other stakeholders to create a set of guidelines, policies, or requirements for safeguarding personal health information within a PHR. These policies, guidelines, or requirements should support the right of consumers to control how information is” or “is used or disclosed from their PHR. As part of this process, HHS should consider revising or clarifying the HIPAA Privacy and Security Rules as appropriate to provide for the privacy and security of PHRs maintained by a covered entity or their business associates.”
>> John Houston:
This is John Houston.
>> Deven McGraw:
Hey, John.
>> John Houston:
I’m not sure I mean, once you get outside of once you’ve limited that PHR space where it’s you know, it’s a free Web site or a vendor-sponsored Web site, what is the I’m not asking a question I don’t know isn’t such things often under the purview of the Federal Trade Commission?
>> Deven McGraw:
Yes.
>> :
Although not always, John. If it’s a 501(c)3 organization that sponsors the PHR and Dossia, for instance, organized as a 5
>> Deven McGraw:
They’re organized as a nonprofit. Their tax-exempt status is yet to be determined.
>> :
Oh, okay. They’re a nonprofit. FTC has some limitations in their jurisdiction, and they don’t apply this is according to the FTC (inaudible), as far as I understand. (Repeating a barely audible other speaker) They don’t seem to have jurisdiction over 50 (c)3, tax-exempt organizations.
>> John Houston:
Right. Okay.
>> Deven McGraw:
I think it’s over tax-exempt organizations and, you know...
>> John Houston:
Mayb because maybe what we need to do here is and I don’t know how far we can make this recommendation, but it might also be appropriate to fashion a recommendation such that FTC, which may decide it has control over at least some of these PHRs you know, for them to work with HHS on establishing, you know, appropriate rules.
>> Deven McGraw:
I would endorse that, John. I know that’s been our position, in part because the organization where I am now does a lot of work on consumer privacy issues with use of the Internet generally. And the Internet-based companies operate on a quite different model than a health care system entity. And so, I know that we’ve certainly been eager to see the Federal Trade Commission, which regulates Internet-based companies in a range of their activities dealing with the consumer (inaudible) involved.
>> John Houston:
Yeah, because my thought is that it may be easier to get FTC to be able to put some type of rules in place than trying to get revision or clarification on the HIPAA Privacy and Security Rules and trying to be very practical about this. You know, again, if you can if HHS can engage the FTC, maybe we get where we need to go faster.
>> Kirk Nahra:
Well, there’s a couple of points in this. I mean, again, we’d talked about the sequential idea earlier. I mean, our earlier recommendation was that entities participating in these networks would be covered by the HIPAA rule. So a PHR vendor who was participating in a network would be covered by the Privacy Rule in that direction. Again, if you go sequentially, someone who did you know, if all I did was gave you a piece of software that’s essentially a file folder, you’re not participating in the network. And so we were out that would be outside of our earlier recommendation.
>> Deven McGraw:
Well, you wouldn’t be participating in a network either if you got the information just directly from a provider.
>> Kirk Nahra:
No, that’s what I’m saying. But I mean, well and that’s different, but it depends how they
>> Deven McGraw:
Define “network.”
>> Kirk Nahra:
how you define “network” and how the providers provide. So there’s a question there. But my prototype would be, you know, the electronic filing cabinet, where all it is is, you put a place to store and organize your own stuff. And whatever you bring in, you can put in. But that’s not that wouldn’t be part of the network. That’s not covered by our recommendation. So there’s clearly a role for the FTC there.
The second part is, we can talk about the FTC on the assumption that our recommendation was not adopted. I mean, that was your second point, John, about you know, might be easier to get. And that’s a fair point, but I think that that is a we should talk about that as a group. I mean, do we want to do we want to make recommendations in this letter that assume our earlier recommendations are not in place or won’t be in place? I mean, do we have to have a that just raises a can of worms. I’m not sure opens a can of worms. I’m not sure it’s a bad idea, but it’s just something we’ve got to think about. I mean, we’ve
>> John Houston:
But it does do I understand your point. At NCVHS I know we’ve been fairly careful about not assuming that it’s going to be easy or timely to modify the Privacy Rule or the Security Rule. And so and you do sort of make if you make an all-or-none strategy, you may find (inaudible) none, and then nothing happens. So
>> Thomas Wilder:
I guess this is Tom Wilder. I mean, I guess I take a little bit different tack. I think our recommendations are properly directed at HHS, since we’re making these up to AHIC and from AHIC to the Secretary. And I’m not saying that FTC doesn’t have a role, but I think it’s really, in a sense, outside our scope. I guess one of the concerns I have and I’m not sure I mean, one of the concerns I have, quite frankly, is have one Federal agency set up one set of rules for PHRs and then another Federal agency set up an entirely different set of rules for PHRs that are done by other entities. And
>> John Houston:
And Tom, to my my point was, I think that’s why we need to use the wording “HHS should work with FTC,” rather than try to call it “FTC” separately.
>> Thomas Wilder:
Right, and or, you know, “FTC and other stakeholders.”
>> John Houston:
(Inaudible) good point.
>> Thomas Wilder:
And the other point I had and again, maybe I’m just that I wanted to raise and maybe I’m just totally misreading this last sentence, where it talks about revising the Privacy Rule. I think it is appropriate for HHS to take a look at the Privacy and Security Rules in the context of PHRs. The way I read the sentence, it sounded to me like we were saying the Privacy and Security Rules don’t currently apply to
>> Deven McGraw:
Covered entities.
>> Thomas Wilder:
a PHR right. And it’s the same issue I raised with some of the earlier recommendations, which you guys did fix. And again, maybe I’m not maybe I’m just overreading this.
>> Deven McGraw:
Yeah. We thought we’d fixed it, but I guess we didn’t.
>> :
You’re saying because it says “to provide”
>> Thomas Wilder:
“To provide for.” So to me, at least and again, I realize maybe I’m overreading this it sounds like, “Well, it doesn’t provide for it now, so they need to make sure it does provide for.”
>> Kirk Nahra:
So, okay, that’s a fair point, Tom. But it was I mean, let me ask this for both you and the others in the room here, which is, is our point here that they should consider whether there is the need for revisions or clarifications for PHRs offered by covered entities, full stop, not saying that they’re not covered, but just whether we need something new for them? Again, it’s considered. It’s not saying they must, just that they should consider whether there needs to be changes for those.
>> Thomas Wilder :
I mean, that’s certainly kind of where I’m coming from. I mean, I personally think the Privacy Rule is sufficient. I realize there’s a great deal of controversy and debate around that. I think it’s entirely appropriate for HHS to say, “Okay, we have these new technologies, these new things, these health information networks, these PHRs. Let’s reexamine the Privacy and Security Rules to see if they’re doing all they should be doing.”
>> Kirk Nahra:
That makes sense. I think we’re on the same page with that. I mean, the issue, I presume, Tom, for a PHR offered by a covered entity, is, if you say “covered by HIPAA today,” that means that the covered entity can use and disclose for all of the GPO purposes. And for example, if Google said, “We’re going to use and disclose all of the information in PHRs for GPO purposes,” that would be way beyond what they’re saying they’re going to use them for, which is they’re saying almost nothing. So it may not be a good fit.
>> Thomas Wilder:
Right.
>> Kirk Nahra:
So that’s the “consider” part, you know.
>> Thomas Wilder:
And you know, I mean, from an AHIC standpoint, we believe that the information in the PHR is under the control of the consumer, and they ought to make that decision. And we did sign onto the Markle Foundation principle, so...
>> Kirk Nahra:
But so I mean but even in that example, which I agree with, I think what it ends up being technically is that AHIC, for example, or Blue Cross Blue Shield Association or whoever, is in fact, choosing to make far fewer uses of disclosures of information than they could as a covered entity, because the idea is consumer control but that means that the HIPAA, at least the Privacy Rule, really isn’t a good fit. It’s not that it doesn’t apply. It’s that it’s probably too generous. It’s almost you know, secur I’m not sure the Security Rule necessarily needs to change at all. But again, you guys in the same way that Google and Microsoft and whoever else is saying, “Consumers control; they tell us what to do; we’re not doing much of anything on our own,” you’re doing the same thing, or your members are doing the same thing, not because that’s what the rule forces them to do, but because that’s how you want to act in regards to your members. But it’s more self-controlled than HIPAA-controlled.
>> :
Need some refresher.
>> Deven McGraw:
Yeah. I mean
>> Kirk Nahra:
(Inaudible) a business choice rather than a requirement rule, because the requirements of the rule would say it’s all vivid information you can use (inaudible).
>> Deven McGraw:
And I think the other thing that this recommendation does is, it really does relate just to the whether the HIPAA rules need to be modified in any way to protect consumers using PHRs. And that’s the PHRs maintained by a covered entity or a business associate of a covered entity. Do we need to, in fact I think we need to add to this letter a bit and talk about the PHRs that are offered by noncovered entities as well. And what I heard was that we ideally want we don’t want to have a duplicative set of standards, but recognizing that the FTC does have a role and could have some valuable input on what the rules would be and should be for Internet-based companies, to the extent that there need to be some unique provisions directed at non-health care entities that are offering these PHRs that we might come up with some wording that, again, makes sure we’re not creating two completely different sets of rules. We have sort of a common set of rules, but acknowledging that there’s value to FTC input on those with respect to noncovered entities, PHRs and as long as, again, they’re working together, and we’re not
>> Kirk Nahra:
I think, yeah, the FTC discussion is interesting. I think I mean, there’s a couple of places where the FTC is relevant. I mean, one is on the sort of enforcement side, which is, if any PHR vendor I’m now maybe Google, but it could be anybody in that marketplace in fact, has a privacy notice that it uses, the FTC, assuming they’re not a 501(c)3 I don’t know about that in particular, but (inaudible) for most other companies, the FTC can say, “You did something that wasn’t consistent with your privacy notice. We have to r we can go after you.” And they can clearly do that today. And in that sense, they’re a potential gap filler on enforcement today.
Second issue is whether the FTC will develop general principles for how those companies should, in fact, act in this environment. And they haven’t done much on that. I mean, they’ve got their fair information principles, but they don’t particularly tell I mean, again, this is a slightly overbroad statement, but not that much overbroad statement: They don’t really tell companies how to run their business, for the most part. They say, “You’ve got to do what you say you’re doing in the privacy context.” So it’s not clear to me that the FTC ultimately would, in fact, be a useful source of information on what those standards should be. Similarly and maybe this Tom referenced the Markle stuff that just came out. I mean, I’m not at all sure that what we aren’t looking for is some general standard for PHRs, whether it’s covered entities or not covered entities.
I mean, I agree that we don’t want to have we may have two different standards now, because we’ve got two different regulatory structures for them. But assuming that the idea of a PHR is that this is a customer you know, the consumer-driven side of this, I’m not sure that, at the end of the day, if we’re going to make recommendations, we’re going to say one set of rules for all those people regardless of who the offering entity is. But again, I’m not sure that’s the kind of thing I’d have to go back through some of the FTC stuff, but they really struggled to do that in the Internet environment, other than just, you know, topics for privacy notices. But even that you know, that’s really the fair information practices. I mean, it’s really not much more than that. They just haven’t been I don’t want to say they haven’t been good at it. I don’t think it’s been part of their agenda to come up with I mean, they don’t really say what needs to be in a privacy notice, even for you know, even for the (inaudible). They want us to have one. They never they can’t really require you to even have one, but...
>> Deven McGraw:
But if you have one, you have (multiple speakers).
>> Kirk Nahra:
(Inaudible) Exactly. But if you it’s not at all clear to me that if you wrote a privacy notice that says, “We can do whatever the hell we want with your information” that that’s not okay. I mean, that’s not I mean, they have done some things on security that are a little more interesting than that, and they sort of they basically created an obligation to have reasonable and appropriate security one could say sort of out of the air. I mean, that applies to any company in any industry right now that has personal information about consumers or employees. But they’ve never really done that on the privacy side. They’ve never said, “You have to have a privacy notice.” They’ve never said, “You have to have these following things.” They’ve never said, “You have to, you know, tell them tell customers this, that, or the other thing.”
>> Deven McGraw:
Well, one of you know, one of the places where the FTC is starting to get a little more active is in the targeted behavioral advertising, which is going to be qu potentially quite relevant, because with the PHRs being free, there you know, the revenue base to support them, you know, depending on who you talk to, could come from advertising and how people’s searches using you know, jumping off of their PHR platform might get tracked.
>> :
But they’re working you’re right. They’re working on that, and they have some principles or draft principles for behavioral advertising, but you see there’s something new here, or
>> Deven McGraw:
It’s not something that I would I say that we have to necessarily reference, but I guess I’m still in some way, would like to think about whether we would mention them at all in the letter. Maybe (multiple speakers) I get Tom’s point that from a jurisdictional standpoint, our job is to make recommendations to AHIC, which then adopt them or not for HHS.
>> :
What about one suggestion, just based on what I’m hearing, is perhaps including some language in the text, leading up to explaining the issue of jurisdiction and the issue of not having two different agencies regulate. And maybe it doesn’t come to a recommendation, but just saying that this is something that the group discussed and, you know, that should be or maybe just on the fact
>> Kirk Nahra:
Well, I guess I just Tom, would you have a concern if we said something like “including consultation with the Federal Trade Commission as appropriate”?
>> John Houston:
You said “Tom” or “John”?
>> Kirk Nahra:
I’m sorry whoever was raising that before. I think it was Tom, but maybe not. Well, would anyone have a concern if we said something like that?
>> :
No.
>> :
No.
>> Kirk Nahra:
I mean, I’m not at all sure at the end of the day, given HHS’s limited jurisdiction, that the FTC doesn’t become a better place to represent to regulate a broader range of people in this PHR marketplace. You know, that didn’t if today if we said somebody has to make a rule today that covers the most people in this marketplace, that’s the FTC more than HHS, I think.
>> Thomas Wilder:
Actually, I this is Tom again. Actually, I think we have, with some tweaking, said what we want to say in Recommendation 9. So the first sentence says, “The CPS Workgroup recommends that HHS work with other stakeholders” and you could in you know, say something like “including the Federal Trade Commission” “to create a set of guidelines, policies, and requirements for safeguarding personal health information within a PHR.” And these policies, guidelines and requirements, you know, should support the right of consumers to control how the information and then, as part of this process, HHS should consider and this is where I might tweak a little bit more is this you know, something like “HHS should consider whether the HIPAA and Privacy and Security Rules should be revised.”
>> :
And what about the “clarify” part? Because I think that
>> Thomas Wilder:
Should yeah, should consider whether the HIPAA Privacy and Security Rules should be revised or clarified, you know...
>> :
That’s fine.
>> John Houston:
Well, that I think the only I would agree with that part, but back to your first part, I to me, I always think of stakeholders as being nongovernmental agencies.
>> Thomas Wilder:
Oh. See, I guess I’m not sure I’d I would
>> Kirk Nahra:
Well, we could avoid that by just identifying them specifically.
>> John Houston:
Or we can say “governmental agencies and other stakeholders, such other governmental agencies such as A as FTC and other stakeholders.”
>> Kirk Nahra:
We’ll play with those words. That’s an easy one.
>> John Houston:
Okay.
>> Deven McGraw:
Then I’m going to suggest that it not just become “privacy and security of PHRs maintained by a covered entity or their business associates.” It would be “PHRs.”
>> :
Period.
>> :
Right.
>> :
Yeah.
>> :
Well, but when it this is the end part of the process, and only focusing on the Privacy and Security Rules. That’s why
>> Kirk Nahra:
Right. So the first (inaudible) covers everything. And then the second part is
>> Deven McGraw:
Okay, okay. I see.
>> :
And if you know, we could pull that out as a sub if that makes it
>> Deven McGraw:
Probably should, only (multiple speakers, laugh).
>> Kirk Nahra:
(Inaudible) Let me make one other nit while I’m noticing this and while I’m thinking about it. We use two phrases in here which, I think, are used interchangeably, but they’re not the same, and we should just be careful about this, which is, we use the word “personal health information” sometimes, and we use “protected health information” sometimes. And I think we probably want to use “personal health information” so that it’s not the HIPAA-defined term, which wouldn’t the HIPAA-defined term is narrow enough in scope, in terms of covered entities, that we’ve you know, so we probably want to use “personal health information” generally.
>> :
Where is it? (Inaudible)
>> Kirk Nahra:
It’s right above 9. Currently, health care provider may use again, that’s arguably, you could say that’s correct, because it’s sort of a description of the HIPAA rule, but it’s not the cap I just want to be careful about that. And again, my suggestion is that we use the non-HIPAA phrase, “personal health information.” That’s not an obvious answer. I mean, if people have a different view on that, we could (multiple speakers).
>> David McDaniel:
Given our discussion just a moment ago about the noncovered PHR providers, we would want to be able to use the broader term. (Multiple speakers)
>> Kirk Nahra:
I agree with that. That’s exactly my view, but...
>> :
Okay.
>> Jill Callahan Dennis:
I think that’s true, but I think you got to be careful when you go through. You can’t do a universal substitution, because if you look at the sentence where we are referring to HIPAA I mean, several points throughout here, where it talks about you know, a health care provider may use or disclose protected health information. So you’ll just have to you can’t just blanket-substitute, because at some point, we’re referring specifically to the HIPAA rule.
>> Kirk Nahra:
I think we should probably if nothing else, let’s capitalize it. When we say “protected health information” and we intend to mean something specific to HIPAA, let’s capitalize it so it looks like it’s a defined term using the HIPAA Privacy Rule.
>> Deven McGraw:
Which maybe we should do that with the word “treatment” as well, where we mean (multiple speakers) if not recommendation.
>> David McDaniel:
But I think Jill’s point, though you can’t just document (multiple speakers), because some of them are specifically talking about protected health information, as defined by HIPAA. Others are
>> Steve Posnack:
But they (inaudible) then, for example, Jill would
>> :
Which sentence?
>> Steve Posnack:
That’s the one that Kirk just recommended changing to “personal health information,” but I’m hearing change it back to “protected health information” and capitalize it. We would also capitalize “treatment,” “payment,” and “health care operations” in this sentence as well, then.
>> Kirk Nahra:
I guess I’m here’s the reason I’m mentioning this. I feel I mean, I’m indifferent, although (inaudible) treatment. My concern is that we’ve got two similar, very close, almost identical phrases that we don’t use to mean the same thing. If we were saying “treatment” and “completement” and we meant you know, we meant something different, we’d ask to identify them, but we’re only using one word. So I’m not worried about that. It’s what that is is essentially the episode-of-care-versus-treatment debate. We wanted to go with the defined term. We mean something different when we say “personal health information,” so I think we want to make it clear that it’s not just a typo or sloppy. We’re only using “treatment” here. We’re not using other any other word for treatment. But I’m less I’m indifferent on that. I think it’s important where there’s two close phrases that are being used intentionally to mean different things.
>> Deven McGraw:
Right. So let’s go we can go through
>> :
I’ll give it (inaudible).
>> Deven McGraw:
Okay. (Multiple speakers) All right. So, I mean, if somebody raised something I want to follow up on a comment that was made or a suggestion about looking at the Markle common framework that we just released to see if we wanted to make a recommendation about that being some sort of baseline. Is that is there an interest in going down that roa Jodi’s making a face.
>> Jodi Daniel:
(Laugh) I haven’t looked at it yet.
>> Kirk Nahra:
I haven’t looked at it enough, and I think that’s a big deal. I mean, it’s a big project if we’re going to...
>> Jodi Daniel:
Well, that was sort of my face (laugh). I have no comment at all on the framework itself, but...
>> Deven McGraw:
Admittedly, we might get (inaudible).
>> Kirk Nahra:
Well, (inaudible) if nothing else, I had my assistant print out the stuff and I don’t know, 200 pages, or something. So, I mean, that’s a lot to go through and
>> Deven McGraw:
Two years in the making. Yeah, so, at any rate... Well, all right. We’ll sit out there.
Okay. The next recommendation this has to do with some points that have been raised by a number of researchers about research information in PHRs. And I haven’t read through some of these articles, but I think the concern is that if the PHR movement really kicks off and is a vehicle for connecting providing better-connected and coordinated health care that, in fact, we may end up with a richer database of information in people’s PHRs than we would have by doing research on, you know, EHR networks.
So Recommendation 10 is about that issue and says that the Workgroup recommends that policies, guidelines, or requirements developed by HHS with respect to PHRs specifically address the conduct of research activities using personal health information contained in we say “personal health records” here. I think we can abbreviate it to “PHRs” (inaudible) health care. Now, it’s a pretty broadly I mean, I sort of brought up the sort of futuristic in lead-up to this recommendation, I brought up a futuristic scenario where we’d all have PHRs, but we wouldn’t have interconnected EHRs or but this is a pretty broad recommendation, which just goes to asking the asking HHS to look at research on PHRs as it develops these guidelines, so...
>> Susan McAndrew:
This is Sue McAndrew. Are you thinking that this is really something someone had brought up the Office of Research Subjects Protection
>> Deven McGraw:
Right.
>> Susan McAndrew:
the research privacy requirements for the common rule. Are you really looking at it from their perspective?
>> Deven McGraw:
Well, I mean, I would want I would think they would need to be involved, but this gets back, I think, to, you know, the other context where we used HHS, where research was involved and didn’t specify the Human Subject Office. Again, it also kind of follows from the recommendation that precedes it that sort of tasked HHS to work with other again, work with other stakeholders. Maybe when we talk about the other government agencies, that would you know, it would include the maybe we would specifically mention the Research Office. But you all have research rules in HIPAA 2, don’t you?
>> Susan McAndrew:
Yes (laugh). But I’m not sure how again, I guess I’m just thinking that, in most cases, many of these kinds of PHRs systems are not going to be really subject to those kinds of rules.
>> Kirk Nahra:
Google would not be able to say, “I’ll follow the HIPAA Privacy Rule on research,” because it just doesn’t it’s a disconnect.
>> Susan McAndrew:
Right.
>> Deven McGraw:
It wouldn’t be required to (inaudible).
>> Kirk Nahra:
It wouldn’t be required, and they I’m not even really sure they could.
>> Deven McGraw:
Or the common rule, either, more than likely, depending on the...
>> Susan McAndrew:
And I guess the other thing I mean, if the general concept of the personal health record is consumer control, I mean, doesn’t that override these kinds of issues?
>> Kirk Nahra:
I mean, I think 10 is going to be I mean, 10 is going to be an interesting one, and maybe it’s maybe there’s so many issues that we don’t even make it. But I mean, for example, it almost seems like HHS is I’m not sure what HHS could possibly say on that. I mean, they say, “We’re going to come up with rules for how people we don’t have any control over deal with information in their relationship with people we also don’t have any con you know, they’re customers we don’t have any control over.”
I mean, the big the issue here and this is a piece of it is, you know, we’re building these networks for a variety of reasons. And we’re building, you know, EMR networks, and we’re building these personal health rec you know, we’re building all these networks, and there’s this great opportunity this great potential opportunity to do something with all this information. And we’ve had you know, one of our big picture issues has been, “Are we going to take that full benefit? Are we going to take part of that benefit? Or are we going to take none of that benefit none of that potential benefit?” And I mean, on the one hand, I presume it would be lovely to say, “Let’s all get a benefit out of the data that’s available for research purposes, as long as we have appropriate privacy and security protections.” And what we’re debating is what those should be.
I mean, it’s clearly a value here. I mean, you know, if we said to Google, “We’re going to ignore privacy and security,” and whenever somebody wants to do a research program on, you know, heart disease, you could go through all your records and figure out who might be a good subject for research, and we’ll give that to the researchers. That might be a wonderful model for research. Presumably, we’re not going to support that idea from a privacy and security perspective, because that’s not what these PHRs you know, being designed to permit the people. Would we allow a researcher to go to Google and say, “Hey, we want you to reach out to anybody who might have a heart problem to see if they want to participate in this study” or “You have to send it out to everybody that has a Google record, whether they have a heart problem or not, and let them figure” I mean, those are all tricky questions, but I don’t know. Are we going to say, “HHS, figure that out”?
>> Deven McGraw:
I don’t know. I mean, I was thinking a bit. Again, the PHR model is built on consumer control. On the other hand, when we look at the a consent-based model as for EHRs as being not as privacy protective, and yet, on the research question, it just comes down to whether or not people consent or not whether this other protection’s to build around that I guess I had I don’t have a formed opinion on this, but I think it’s I’m trying to figure out whether it’s worth having this in there at all.
>> Steve Posnack:
I think the logic, when we originally came one this example and we were trying to come up with an example to put here, was because we were factoring in our June 12 recommendation from last year and saying, “You’ve got a PHR. It’s now become, you know, a quote-unquote ‘covered entity’ under our recommendations.” If they’re if ignoring the fact that we talked about the control the consumer, in this case, the PHR company or vendor could go through the standard covered entity procedure, getting you know, having IRB approval or privacy board to get that information out of the PHRs.
>> Deven McGraw:
They were treated the same as other covered entities.
>> Steve Posnack:
Right, and that’s what we were articulating in this example. And that may not be the direction that we want to take things in, because we’ve been articulating this consumer control point a little bit harder.
>> Deven McGraw:
Yeah. All right, then I’m going to propose that we take out Recommendation 10.
>> Steve Posnack:
(Multiple speakers) Okay.
>> Deven McGraw:
Is that agreeable?
>> Susan McAndrew:
Yeah.
>> John Houston:
Yeah.
>> Deven McGraw:
Okay. (Multiple speakers, laugh) That’s going to end up being taken up by some other discussion that we agreed to flesh out.
Just a note that we do have some text here, again, because we’ve been talking about PHRs, reminding our readers that under Factor 3 that the recommendation we made pertinent to Factor 3 is relevant here, too, so that if there are different policies that get developed for uses and disclosures of health information by a PHR service provider that when the information is transferred to a health care provider or plan and then stored in the provider or plan’s records that then the HIPAA rules would govern, again, consistent with our shouldn’t have two rules to apply to the same thing. Okay.
This is the last one. This is the public health recommendation that we alluded to earlier. It’s the text talks about how we could get some testimony on what’s currently happening, the current rules that public health has already had and anticipate having in an electronic health information exchange network you know, based on the testimony, what the sort of general current use is and what the public health (inaudible) using networks for in the future and our conclusion that they didn’t seem to raise any new issues at this time but, of course, if there’s activities, would change. HHS would, or should, examine the impact on confidentiality, privacy, and security. And so the recommendation reads that the Workgroup recommends that HHS work with other stakeholders to continue to monitor whether there are any specific issues related to the use or disclosure of personal health information through an electronic health information exchange network for public health and to the extent that we’re taking that earlier recommendation of bifurcating it so there’s a public health and research discussion. We’re likely to move there. Any comments on that? (Pause) Okay.
>> Steve Posnack:
So back to the initial question that I raised, then, to the factors.
>> Deven McGraw:
Oh, right.
>> Steve Posnack:
Because, I mean, Factor 6, whether we like it or not, is a little bit less descriptive than some of the other factors that we have kind of tees up the topic. So we may or may not need that. There may be a couple factors that seem to have a bigger role than others. So...
>> John Houston:
That’s we’ll work with that.
>> Steve Posnack:
All right.
>> Kirk Nahra:
I think I don’t think that the I think the factors have been very useful in our thinking about these issues, and you know, we’ll just figure out if they’re still necessary now.
>> :
You mean if some are and some aren’t, or they might (inaudible).
>> Kirk Nahra:
Or and if it’s 2, we can probably just reword it into the text, too.
>> Steve Posnack:
Okay, cool.
>> Deven McGraw:
All right. Next on the agenda is planning for upcoming meetings.
>> Kirk Nahra:
(Inaudible) Let’s just I mean, what we’re going to do is, we will take the discussion from today, turn this into you know, work on revised versions of this letter. If people on the phone have, you know, other thoughts or comments, please get them in to Steve, you know, in the next couple of days. I would have no objection if people want to raise other topics for inclusion in this letter. We could certainly include other things. Don’t feel you have to do that, but if there’s other topics or there’s other pieces of the topics we’ve covered that you want to address, we’re happy to, you know, try to get those involved and see if we can work them into the letter.
We’ll probably do just with the timing of our next meeting, we’ll probably do some internal drafts, just among Co-chairs and HHS staff, and get those together. You know, I presume the whole Workgroup will see other drafts over the course of the next couple of weeks, and then we’ll have another version presumably before our next public meeting or at our next for our next public meeting. But don’t hesitate to send in comments or suggestions or either on the recommendations that are here or on other potential topics.
We want to do the public (inaudible) before we do the planning, or should we tee that up, or...?
>> Deven McGraw:
Yeah.
>> Judy Sparrow:
Tee it up (inaudible), right?
>> Deven McGraw:
Yeah.
>> Judy Sparrow:
Alison, can you bring in the public, please?
>> Alison Gary:
Sure. For those who are online, you’ll see a slide on how to call in to comment or ask a question. If you’re already on the phone, just press star-1 on your phone now to comment. Any last-minute comments while waiting for the public?
>> :
See, I just back to your suggestion about the factors, I really as I read through this, it’s almost like a good press point to queue up for the discussion. And I would really think that leaving it there might be better than to (inaudible).
>> :
That’s fine.
>> :
It would just sort of make it more readable.
>> Steve Posnack:
Must have utility, have to keep them in. (Laugh)
>> :
Maybe we might we could also play with the number, so we don’t have, like, Factor 6 and Recommendation 11 or something.
>> Deven McGraw:
Oh, right.
>> Steve Posnack:
So we need to just leave them in, italicized, right at the beginning.
>> :
Yeah. That’s a good idea. To pull it out, I’ve got (multiple speakers) “You were looking at Factor 6 and Recommendation 6, and I’d like to know why,” and they could be off, yeah.
>> :
Fair enough.
>> Alison Gary:
We don’t have any comments from the public.
>> Judy Sparrow:
Okay, thanks, Alison.
>> :
The next Workgroup meeting is July 24 (inaudible) July 24, Thursday.
>> Kirk Nahra:
All right, so it’s essentially a month from today. Make sure we’ve got at least one other version out for the Workgroup to look at between now and then, and we’ll have
>>:
Probably mid-July.
>> :
Okay.
>> :
Any other comments?
>> Judy Sparrow:
The next AHIC meeting is July 29.
>> Kirk Nahra:
Is there any update for us on AHIC in general or our Group and when we’re going to play or anything like that? It would certainly be nice to know.
>> Steve Posnack:
Starting your vacation plans? (Laugh)
>> :
I’m going away.
>> Judy Sparrow:
At the moment, there are three scheduled AHIC meetings remaining: the July 29, September 23, and November 18. And that’s, right now, scheduled to be the last AHIC meeting for this AHIC 1.
>> :
And I think the thinking was that we would have, assuming we have a letter that the Workgroup wanted to send up that we would try to get it on the September agenda. We weren’t anticipating the July agenda.
>> Kirk Nahra:
That would be July. (Multiple speakers) But September meeting means it’s quick. (Multiple speakers) That means we have one more (inaudible).
>> :
Yeah.
>> Kirk Nahra:
And then we would be done?
>> Steve Posnack:
Unless there’s any follow-up from the September meeting, I guess, that we would have to (inaudible).
>> :
Yeah, they have come back and asked us to clarify things or revise things or figure out things.
>> Kirk Nahra:
Okay, but should we operate on the assumption that that’s the only task that we’re going to shoot for? I mean, I guess this is important for our planning. We’re going to shoot to have this thing finished by, whatever, September 10 or whatever that deadline is, meaning the Workgroup’s got to sign off on it probably at the August meeting.
>> Steve Posnack:
We have a September meeting before AHIC, don’t we?
>> Judy Sparrow:
You have an August 21 and a September 11.
>> Kirk Nahra:
Okay, so right before that one. All right, so no later than September 11, we’ve got to have the Workgroup sign off on that letter, and then assuming that that is signed off at that point, the only thing we would have remaining on our plate is any follow-up, if any, from the AHIC meeting, and if AHIC accepts what we’ve got at that meeting, then we’re done?
>> :
Well, we can talk with the folks internally who are looking at A2 and trying to figure out transition planning. From everything I’ve heard, any the expectation is that HHS would continue to be working on policy-related issues, including privacy and security issues, which means that I think there are some workers that may roll over to A2. I would anticipate that this would be one of those. And then there’s the question of possibly having a FACA that would deal with policy issues, although if AHIC isn’t here the subgroup of AHIC, there isn’t there would need to be a different process to a different structure. So there may be a new group that forms. There is some legislation that is suggesting new policy and a health IT FACA. And there are also, obviously, other Federal Advisory Committees that exist that this could be tacked onto. But I would anticipate that once there isn’t you know, if AHIC does, in fact, (inaudible) as planned that this Workgroup should not continue, because there wouldn’t be an AHIC, and I don’t believe that there’s a plan for this to carry over to A2. But that’s the news as of now. I don’t have anything sort of finalized. But I’ll give I’ll keep us posted as I hear more.
>> Kirk Nahra:
All right. Anything else for anyone on the phone? (Pause) Anyone else in the room?
>> :
Nope.
>> Kirk Nahra:
All right, thank you very much. Enjoy your afternoon.
>> :
Thanks, all.
(General farewells)