American Health Information Community

Confidentiality, Privacy, and Security Workgroup Meeting #12

Thursday, July 26, 2007

Disclaimer

The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

>> Judy Sparrow:

Welcome, everybody, to the 12th meeting of the Confidentiality, Privacy and Security Workgroup. Just a reminder that we're operating under the auspices of the Federal Advisory Committee Act, which means the public is invited to attend. And we will have a period of public comment at the end of the meeting. And a reminder to the Workgroup members to please speak clearly and distinctly and identify yourself before you speak. And please mute your telephones when you're not speaking. Jennifer, why don't we introduce those who are on the telephone and then we'll go around the table here at ONC?

>> Jennifer Macellaro:

Sure. On the phone today we have Peter Basch from MedStar e-Health, Sylvia Au from the Hawaii Department of Health, Don Detmer from AMIA, John Houston from Pittsburgh Medical Center, Tom Wilder from America’s Health Insurance Plans, Flora Hamilton from Family and Medical Counseling Service, and Jill Dennis from AHIMA. Did I miss any Workgroup members on the phone? Okay.

>> Judy Sparrow:

Okay, thank you, Jennifer. Here in the room we have

>> Mazen Yacoub:

Mazen Yacoub, TMA privacy office.

>> David McDaniel:

David McDaniel, Department of Veterans Affairs, Veterans Health Administration.

>> Steve Posnack:

Steven Posnack, ONC.

>> Paul Uhrig:

Paul Uhrig, SureScripts.

>> Kirk Nahra:

Kirk Nahra, Wiley Rein.

>> Deven McGraw:

Deven McGraw, National Partnership for Women and Families.

>> Alison Rein:

Alison Rein, AcademyHealth.

>> Sue McAndrew:

Sue McAndrew, Office for Civil Rights.

>> Judy Sparrow:

Great. Let's turn it over to the chair, Kirk Nahra.

>> Kirk Nahra:

Thank you, everybody. Can I have an extra copy of the agenda? All right. Why don't we start with the approval of the prior meeting summary? Everyone or anyone had a chance to take a look at that? Any questions, comments, corrections, anything else about those meeting minutes? All right. Why don’t we -- we will approve those if people, we’ll give a 24-hour period, if anybody has any comments or questions and can get them to Steve tomorrow if there's any other changes, but other than that, we will assume that these are okay and move on.

Let me turn to what we want to try and cover today. I guess as I look at things, we really have two major topics for our discussion with one potential third if we have time. The first thing we're going to talk about is to continue a discussion that we've started at some of our most recent meetings and which was sort of set up for us to look at based on our last set of recommendations. We've taken to calling this the "differences" issue. Let me just explain what that means to make sure everyone's on the same page with that. We made in our last set of recommendations to the AHIC, the recommendation that essentially all participants in the health information exchange area should be required to meet a standard that was at least equivalent to the HIPAA rules. The idea there was that there should be a level playing field for people who are participating in health information exchanges and we recognize that there were certain players, frankly a large number of players, who were not otherwise within the scope of the HIPAA rules. And we wanted everyone participating to be playing by the same rules. And we preserved the issue for future discussion as to whether, now that we’ve lifted everyone up to the HIPAA standard, whether we wanted to have a situation where there would be, our recommendation would be that the standard should in fact be something higher than that or whether we were comfortable with the standard being at a HIPAA level. So that's essentially what we're calling the differences.

And let me, I guess, add to that in terms of why we're calling it the differences. We are walking a little bit of a line based on the jurisdiction of this group. Obviously we don't have any formal jurisdiction. But, I mean, our task is to look at privacy and security rules for health information exchanges and health information technology, personal health records, electronic medical records, et cetera. We are not asked to evaluate the HIPAA privacy rule as a whole, whether it's a good rule, whether it’s a bad rule, whether things are too hard or easy about it. Obviously the health information exchanges are a portion of what goes on in the health care industry, it may be an increasingly growing proportion, but it's still just a piece of the overall picture. So we are not looking at the overall question of whether the HIPAA rule is a good idea or not. We are looking at the question of whether in this particular environment, the HIPAA rules are appropriate. And therefore what we've tried to do is focus attention on the idea of is there something different about this environment such that the HIPAA rules either don't fit well or don't provide sufficient protection? And so, again, that's a little bit of an artificial line and I understand that, and I know that some of the folks on the Workgroup have had a little bit of trouble with that line. I do, also. And obviously when we get to the point of taking steps to implement our recommendations, one of the questions will be is our recommendation something that can be implemented with sort of that theoretical line in place? But that's right for now not our particular issue.

What I want to focus on is what is it about this environment, the health information exchange environment, that may or may not require additional changes to the HIPAA rules or, excuse me, to HIPAA principles. We'd be talking about creation of a set of rules for this environment. Obviously if we’ve reached the conclusion at the end of the day after our deliberations that we think the HIPAA rules are fine for this environment that becomes a very easy recommendation. We are still left with the question from our earlier recommendation as to how to extend that rule in this context to some of the other entities that aren’t covered entities today. That obviously makes it for the rest of the world the playing field becomes a HIPAA rule, becomes a HIPAA playing field. That's the question that we're looking at. Our group has obviously not made any conclusions on that. We are very much still looking at that question. So that's what I want to try to focus on as the first issue.

The second issue is related. It's coming from a slightly different direction, which is we have had some discussions with the Consumer Empowerment working group about appropriate provisions of privacy notices in the context of personal health records. And the Consumer Empowerment group has made some suggestions. We had a Workgroup with some of the folks from our group working with them, and there are a set of recommendations that are being discussed in connection with PHR privacy notices. What we want to make sure we do today is have a discussion about how those recommendations track with the current provisions of the HIPAA privacy rule for privacy notices. I want to make sure that we understand how the recommendations track. I don't want to back into a recommendation to say, oh, we should have a different kind of privacy notice in this environment, because that's sort of what we're looking for with the differences idea, but we obviously want to look at that issue, maybe it's a question of saying, oh, does the privacy rule requirement for notices in the HIPAA context work well in this context? In that sense it may be exactly the same we’re talking about in the differences panel. We will focus some specific attention on privacy notices.

The last issue which we are not required to get to today but will have some discussion on if there’s time is the issue we had some testimony on at our last public testimony hearing related to what we've called the relevance point. Again, just to refresh people's recollection, one of our recommendations was that all participants in health information exchange networks should meet the relevant HIPAA privacy rule requirements. And we've looked at the question of which requirements are relevant or, I guess more precisely, are there any components that are not relevant for particular entities? The easiest example, at least easiest for me to understand, has been privacy notices. Which is we've looked at groups like RHIOs and said well maybe it doesn't make sense to have RHIOs have to send out privacy notices to all of the individuals whose medical information flows through those RHIOs, because the RHIOs themselves don't have relationships with the individual patients. We haven't made a conclusion on that but that's the sort of conceptual issue. And we had some testimony, which didn't, I think, push us too far down the road. So what I would like to talk about today if we have time or in the future is the question of where next do we go on that relevance issue?

Well with that, let me sort of throw this out as a basis for our discussion today. Steve has circulated to the Workgroup members a chart that sort of broke out the specific components of the privacy rules. The idea behind that chart, and let me make sure that we're all on the same page with this, which is we've tried to -- we had with our first panel in the last public testimony hearing some discussion of why the health information exchange environment may be different. And we had some general discussions at sort of a big picture level. The idea with this chart was to try and get some thinking on a more focused level, which was to talk about some of the principles of the HIPAA privacy rule and get our group thinking about how we would evaluate whether those principles are appropriate. I heard feedback from a couple of folks that this chart is sort of too precise, too detailed, and too focused on specific components of the rule rather than some of the principles of the rule. So I guess what I'd like to propose for our, just sort of guide our discussion today is to take some of the principles of the HIPAA privacy rule, and I'll identify particular ones from this chart, and to have a discussion in our group today focusing really on two ideas. One is, is that an area that people think we should be looking at in terms of differences? And if so, talk a little bit about how we would propose to gather information that would allow us to make recommendations. I think that's going to be one of our real challenges. If we decide, for example, that we want to look at the question of appropriate disclosures under, in health information exchanges without additional consent, then we want to evaluate whether that’s appropriate, how would we learn about that? Who would we bring in to hear about that issue? How would we evaluate whether the current HIPAA rules are appropriate or whether we need something new? Those are the two issues that I'd like to really focus on today. Now, I know that's sort of a long introductory note, but does that at least as a sort of marching plan for today make sense to people?

>> Peter Basch:

Kirk, this is Peter. I have a question before we march into that.

>> Kirk Nahra:

Sure.

>> Peter Basch:

I apologize if this has been settled or if in your introduction in saying that there is a line and we don't have to worry too much about that line now, but we'll talk more about it later. I was curious as to whether or not, fine line aside, if we just had a rough sense of what we all understood by an electronic health information exchange environment and whether we're clear enough on what's in that and what's not in that so that we can begin to talk about differences. Is the assumption that we're talking about, at least what's currently in favor, a federated record locater service model versus a records bank model versus a data repository model? Are we including in the environment of electronic health information exchange point-to-point transfer of information done electronically? Just curious if we could get some guidance as to kind of the broad outline of the environment, because that makes it easier to think about differences, at least for me.

>> Kirk Nahra:

Well let me give you my own reaction to that, which is just my own opinion. Actually let me back up. Let me ask you, if you think point-to-point electronic exchange, what did you mean by that?

>> Peter Basch:

Okay. So that would be, for example, in the let's say disclosure of information now, which is typically done point to point, provider to provider, provider to payer, provider to patient. That is from a host system, a system that owns data, let's say a lab system, to one other individual. Now, it might be, in this case, that a request for information comes in via phone call, via letter, via fax, via a secure message. It may be that's what point to point is, in other words, from one owner system to one recipient system. And that's, at least in my view, how most health information is moved nowadays. It is conceivable with at least some versions of an electronic health information exchange model, particularly if there's a record locater service, that that mode of transmission and the responsibilities of controlling disclosures wouldn't change very much from current model to an electronic health information exchange model. There are other models of health information exchange where the control and access to disclosures might be very different.

>> Kirk Nahra:

Okay. What do people think about that? I guess I'm not sure how to answer that. I mean I think when you talk about some point to point, that's obviously something, that, for the most part, is exactly on point with what HIPAA covers today.

>> Peter Basch:

Right.

>> Kirk Nahra:

Obviously I won't say obviously. Presumably our job would be much, much, much easier if we say this is similar to what HIPAA covers. We really don't need anything new. We could be out of here by 2:30 and adjourn our committee, I suspect, if we took that approach, which I'm not averse to.

[laughter]

>> Peter Basch:

Let's put that up for a vote.

>> Kirk Nahra:

Well, what do people think? How do we propose to answer that? Now is that one, do we have to answer that now? Maybe that's a question. Two is if we do, what, how do we answer that?

>> Alison Rein:

This is Alison. And as I listened to that description, Peter, it made me think that we don't know the answer to that question. And the goal of the effort thus far by HHS has specifically prohibited anyone from specifying not prohibited, but encouraged people not to specify what exactly that model is going to look like. So it adds, perhaps, a little layer of frustration for this group. But I would imagine that we need to at least envision all of the above. And if there are differences in those models, maybe it's our job to start pointing them out. I don't think we can just pick one and limit ourselves to that, because I don’t think that’s -- at least as far as I've understood, that's not something that we're doing.

>> Kirk Nahra:

Right. I would certainly agree with that. Peter, you started out, you gave several examples of these exchange networks and then talked about the point to point. If you had stopped before the point to point, I would have said we need to talk about all those models, which is I think exactly what Alison was saying. I guess the question with the point to point is does that again, if what we're saying is today's environment is in fact very similar to these various models, again, that would be a reason to conclude we don't need to recommend any changes.

>> Peter Basch:

Right. And the reason I asked it that way -- and by the way, for the Workgroup members, I've asked this question of just about anyone I can ask it of the last couple of years about what exactly do we mean? It becomes a very germane question if we talk about expanding privacy rules or in some cases where there is talk about quality bonuses if data is exchanged in a health information exchange environment, very important to know exactly what one means. And I've never gotten an answer other than we're not sure yet and it could be many different things. That's okay, but I just wanted to call out as we talk about differences, if we're talking about electronic version of the current model, which HIPAA covers well, I think the one thing we want to be clear about is that if we are thinking in our mind about a different model and then we elevate the privacy rights under what we are envisioning of a model and we're not clear that we're not wanting to necessarily elevate those privacy rights under the existing model, we might find that providers and owners of data find themselves inadvertently, if our recommendations are actually listened to, switching to an electronic model for ease and kind of following kind of a national movement and finding that they now have to operate under stricter guidelines than they did when they were mailing or faxing. And I don't think that that's necessarily our intention. My goal would be that when we think about electronic health information exchanges that are different from the existing model or different from an electronic version of the existing point-to-point model which HIPAA covers well, that there we have real differences, or could have real differences.

>> Kirk Nahra:

Let me ask the question this way and I'd like to get thoughts from other people, which is, clearly, Peter, at a minimum, what you're saying should be an information point as we think about these issues.

>> Peter Basch:

Sure.

>> Kirk Nahra:

Do the Workgroup members think we need to answer Peter's quasi-rhetorical questions in order to move forward on this issue? Anyone on the phone with an answer to that? Or a view on that?

>> Jill Callahan Dennis:

This is Jill. I would say that as you go through the principles and you examine how they could apply, I think that's the point at which you have to raise some of the different, the many different models that are out there to make sure you're not having an unintended effect, as Peter suggests. But I think it's going to be naturally dealt with as we start working our way through these examples. But I mean it's just good that we've got to keep these different models like a repository versus, you know, just a federated record locater service in mind as we go through and try to apply these principles to sort of the wild woolly west, everything's being developed right now.

>> Kirk Nahra:

And I think the other component, Jill, as I'm listening to what you're saying, I think I agree with what you're saying, is that we may find that at the end of our discussion we say there's so many variables and there's so many interactions and all these are different ways of doing what we do today, that might be a basis to conclude that we don't need a different set of principles. Again, we're not there yet, but that seems to me to be what we're looking to discuss and to evaluate, is there something that is -- HIPAA was clearly intended, or at least has functioned as something that can evolve as the health care industry evolves. It's not a perfect vehicle for that. And there obviously have been developments that don't fit very well. But in general there are lots of things that nobody was thinking about in 1999 when the first drafts of the rule were done that you can say, oh, this is a new issue today. How does it fit? Okay. We can make it fit. So at a most general level, we're looking at is this something that’s just the next evolution and HIPAA fits fine, or is there something that’s so significantly different that the evolution doesn't work? And again, we've dealt with part of that issue already by saying there clearly are players in this environment who need to have rules applied to them. RHIOs didn't have anything to do with health care portability or standard transactions, therefore we understand why they weren't both talked about in the HIPAA law and weren't part of the discussion, because they didn't exist at that time. But we've dealt with that issue. We’ve said yes, we want to bring them up to the same standard that everyone else is playing with. The question is do we need to go beyond that? Is there something that makes this not a good fit, not subject to the otherwise appropriate evolution of HIPAA such that we need new rules? Or do we say no, this is perfectly within the scope of what could be evolved and therefore the rules are fine?

>> John Houston:

This is John Houston. First of all, I think -- two points. One, I think we're going back too far historically. The HIPAA rules really ultimately were finalized in 2001, 2002? And there were CHINs, or at least the thought of a CHIN back in those days. I think some people should have been at least thinking about what was evolving in the industry and the types of dataflows that might exist. But I think we also have to be very mindful of God only knows what this landscape is going to look like in 10 or 15 years. And I don't think we -- we should do things in a way that prevents having to do rework every 5 or 6 or 8 or 10 years. We try to put something in place that has some flexibility. But I do agree with the premise that we don't have any idea what the design is going to be. And it is very difficult to engineer and come up with relevant solutions for privacy and security when you don't understand conceptually how this whole framework's going to work.

>> Peter Basch:

That's very true. I didn't mean to throw actually, I did mean to throw a monkey wrench in this early in the discussion. But the concepts of disclosure and minimum necessary, makes sense when you're talking about a, someone who’s doing disclosing or someone who is evaluating a request to determine what to disclose. If, let's say, we moved off from the current model du jour to a record bank model or some kind of a regional repository which has copies of data and the requestor is determining what is relevant to what they need for either patient care or payment purposes or whatever, then the concept of the data, the original data owner who populated a copy of the information into that record bank at the behest of the patient having any ability to control the disclosure or use or put their arms around what they define as minimum evaporates. So I agree. We don't know what the model's going to look like. And there probably will be many different models before we settle down on one or two that seem to work for most people, but it does call into question, I think, fundamental principles of applicability of HIPAA.

>> Kirk Nahra:

Let me just focus again on what I want to focus our discussion on now. Do we need to answer that question of what this environment is going to look like in order for this discussion to be productive?

>> Peter Basch:

No.

>> Kirk Nahra:

Are there other views?

>> John Houston:

One of the things I keep struggling with, Kirk, is when I look at HIPAA, I think that the basic concepts are good concepts toward privacy and security. And where I see this struggle with trying to apply it to today's landscape is where we did not think about or didn't know about methods of being able to transmit data or uses of data or the players that would be playing in the sandbox with us. And to the degree that the concepts are there, the struggle, for me, is the applicability to the new groups. And we could define that with what we know about different models today, and it would be obsolete 10 years from now or 5 years from now. I think if we spend more time trying to apply it to what we know, it's only going to create that same problem replicating itself 5 or 10 years from now. I would rather see us put some energy into looking at the concepts and saying yes, these are good, well-grounded concepts, now how do we make those concepts scalable as new things come up? As new things present themselves, how can we look at that new environment and say how do we make this, make these privacy concepts fit that new model?

So, for example, you take the example of the notice of privacy practices. When you have new groups that come on the scene or new environments, you may decide that to varying degrees, those concepts apply. But the actual right to have a notice of what somebody's doing may stand. It may just stand in varying degrees based on the level of risk to the individual or the level of need to be able to present that out. If we look at it from a standpoint where we start drilling into the models that we know today, I think we're just going to do the very same thing that the well-meaning people did with HIPAA when they were coming up with the three covered entities back in 2000 and 2001. I just throw that out there that I think that that would be a better use of our time. We really want to make this scalable long-term.

>> Kirk Nahra:

Other people's thoughts on the question of whether we need to resolve the model question before we move on?

>> Lorraine Doo:

Kirk, this is Lorraine. And just a question for grounding. What is our I guess trying to figure out where our time or how our time should be spent, what are our charges for what this group is supposed to come up with? And does that question, then, fit into that so that we stay on track?

>> Kirk Nahra:

Let me give you my recollection. Our original charge, we had sort of a broad charge and a narrow charge. I don't have those particular documents in front of me, but we're to look at privacy and security principles. There were some specific use cases which we went beyond in one of our first meetings and said that we really didn't want to focus too much attention on those particulars for some of the reasons that David was just saying. It didn't make any sense to say there should be one set of rules if you're talking about this one little use case and a different set of rules somewhere else. So I view our charge at this point as making recommendations, as appropriate, about privacy and security principles for this environment, recognizing, as Peter had said, that what the environment is is a little bit up in the air. But I guess my thought, Lorraine, is that we can sort of self-define it.

Again, it's very easy for us if we wanted to conclude that, boy, we don't really know. There's lots of models. We don't want to tailor this to any particular model and therefore we don't see any reason to have different principles. That's a perfectly valid conclusion. We may make that conclusion at some point. I don't hear us being there yet. I'm not sure but that would be a perfectly appropriate decision to come out of this Workgroup after the appropriate fact gathering and after appropriate discussion, if that's what people think. And again, we could get to that point by saying we have considered all the options and we think these rules are appropriate for all the options, or by getting to the point that says since there are so many options, we can't really determine that there's any reason to have different rules. Those are alternate ways of getting to that same place. But, again, I don't know if that's where the group is going to end up going.

>> Lorraine Doo:

Right. Okay.

>> John Houston:

I heard you say two things that I think are, at least in my mind, distinctly different. And I thought I heard you use them interchangeably. And I'm not sure that I heard you correctly. The concepts, the privacy concepts, the protections, the rights, whatever you want to call them and the rules. And I think the rules that we have with HIPAA today, I think all of us have at one point or another agreed that in this new environment, some of the models that are out there would have a very difficult time if we said go thou and apply HIPAA, they would have a very hard time applying it for the way it is written for the three covered entities that we have today. And so new covered entities would have a difficulty implementing the rules the way they are today. I think they would be able to implement the concepts if you were to scale the requirements to those types of covered entities or those types of organizations and keep the concepts, the privacy rights and responsibility concepts there, but at the same time recognize that applying those may have to be different in the same way that HIPAA accounted for how a clearinghouse applies differently than a health plan versus

>> Kirk Nahra:

Let me stop you right there. I know you said you had two points. But that seems to me to be exactly the kind of discussion we need to have, which is if we look at this and say, you know what? It doesn't make any sense to apply this business associate idea to a RHIO, because are they the business associate or this covered entity, are they both? It doesn’t fit very well. That's a perfect conclusion. That would be a wonderful piece of what we're looking at. Similarly, if we said, you know what? We made our earlier recommendation that personal health record vendors, if they’re participating in these networks, have to follow the same rules. But X, Y, and Z, we don't know how they could possibly do that, that's exactly what I'd like to drill down on. And we could come away we could make a recommendation that says we need something different for several reasons. One of the reasons, which frankly, I guess I'm personally leaning towards a little bit more is that some of the ideas just don't fit very well. The business associate model, who is going to control the actions of a RHIO? Right now HIPAA says a covered entity is supposed to oversee the operations of the business associate. Is that really going to work in a RHIO model where you've got 1,000 or 5,000 or 10,000 covered entities who are all working with the same RHIO? It doesn't quite maybe it doesn't fit that well.

I think that that's exactly the kind of idea we want to look at. We may say the rules don't fit, or we may say, you know what? There's something so different about this environment that my personal information isn't staying with my doctor but it's going to be available to all kinds of other people that I haven't dealt with, maybe we need a different consent model. Those are different sort of ways to get to a recommendation that said we think there are differences here. But that's what I want to drill down on. I want to be able to pick some examples. I want to be able to get people to come in and say here's why it's different. Here's why it's the same. Here's why HIPAA is going to work, here's why HIPAA’s not going to work. So that we can package it together and draw some conclusions on whether it works or not. So your examples are real good ones. We need 20 more like that. Or we need conceptually to think how are we going to go without saying footnote 16 on Page 422 doesn't quite work, we need to have something between all or nothing and every little line.

>> John Houston:

So how do we go back to hearings that would be people that would be impacted by a decision to apply the HIPAA rules to them and have them tell us something other than well we're proactively applying HIPAA already, which was not helpful for me to hear that. What would have been helpful for me to hear if you give me this rule, then I have to follow it, this is what it will do to my business model and it will hamstring me here and here. And this is what would work for me. Again, same concept of that privacy right. That would be helpful to me.

>> Kirk Nahra:

Although to be fair to everybody, we did ask them to say that. Now, I had somewhat the same reaction that I think you did, which is that I sort of didn’t believe all of it. I mean when they say I'm following HIPAA, I thought well you're not giving a privacy notice, so no, you're not. They sort of think they're following HIPAA.

>>

They're following what they want to.

>> Kirk Nahra:

That's a fair point. Or they may think they're doing it all. But we did give them that chance to say that. So we could bring in more people to make that point. Again, we had some testimony that clearly was not well-focused on exactly the questions that had been asked. But I guess maybe as we've tried to define particular issues, we've defined we had that first question. Should other covered entities have to rise to same level playing field? Then we looked at that relevance question. Are all of the if we have a level playing field, maybe not all the rules are the same. And then we're talking about differences. Maybe we can't separate the issues that starkly. I mean, you're raising some points that say, you know what? The HIPAA access rule might not really work very well for a RHIO. We could look at that as a difference or we can look at that as a relevance point. If the RHIOs come in and say, you know what, we want the -- and in fact one of the RHIOs did say this in the testimony. They said we don't want to have to give individual rights to everybody whose records are flowing through us. It should be the obligation of the person who created the record. Well that's a perfectly fair answer. I thought it was a little sort of too quickly said it would cost us too much money, we can't do it. The hospital could say the same thing.

>> Peter Basch:

Well, Kirk

>> Kirk Nahra:

So I think that's something we have to drill down on. Are there pieces that don't fit very well?

>> Peter Basch:

This is Peter. I would say that that's a very good response for somebody who doesn't want to burden a new enterprise with a difficult to follow or maybe an impossible to follow set of privacy rules. I’ve certainly heard that argument before from RHIOs that it's not their problem because they're just serving as a switch in the middle. They're not really disclosing anything, information is flowing through them. And that assumes a particular model and we have heard from people in particular models where in fact that may be the correct answer. All I'm saying is that, as you said, we need to generalize and we need to keep open the idea that depending on the model, tomorrow's RHIO may indeed be an organization that should be responsible for a heightened privacy rule or as the data publishers may have very little to do with disclosure once it goes through there. The fact that we heard testimony to that, I think that may be true for one model or may be that people are trying to avoid being responsible for what they should be responsible for.

>> Kirk Nahra:

Let me just use that one as an example. I heard the RHIO I don't remember if it was more than one. At least one of the RHIOs said that they wouldn't be able to do that feasibly, economically, whatever the word was. The policy debate there is do you say it's the responsibility of the creator of the record to make the individual rights available? Or do you say, you know what? It would be much easier for an individual patient to go to the RHIO who's got all the records rather than to have to track down each of the providers. That's a judgment call. I mean HIPAA today essentially puts the burden for that on the, what I call the creator, you have a covered entity. The covered entity has to reach out to the business associates. But if the patient calls the business associate, the business associate's going to say talk to your insurance company or hospital, whatever. So the question is is there something different about this environment such that we should change that rule, recommend that there be a change in the rule in this environment? Based on nothing more than thinking about this for 30 seconds, I'd say the only difference is it might, in some circumstances, be easier to go to the RHIO. That doesn't strike me as a reason to change the rule. But that's the kind of discussion I think we need to have. And we need to have it on enough issues that we can make a general recommendation and not so many issues that we're here until 2020. So that's going to be, you know, I think our real challenge. And again, I think that the point that Peter started with, you know, is a real fair one, which is we may decide that there simply is so much variation among the different models and that the issues we're talking about each have different implications based on the different models that our conclusion is we can't recommend that there be a higher standard across the board. Again, that's a perfectly valid conclusion for us to draw. 
I don't know if we're going to get there, but that's a logical conclusion, to say some of these models, maybe there's different rules. Some of these models, maybe there's not. And since we don't know, we're not going to recommend a higher set of rules. So we have to figure out to get from where we are today to a point where this group feels comfortable saying higher standards are recommended, saying they’re not recommended, or saying we don’t know.

>>

Don't you have to know what the potential for higher risk to the individual would be in those models in order to determine whether a higher standard is needed? Because if the level of risk to the individual and their privacy is the same as what it would be for the three covered entities that we know today, then you don't really need a higher standard, you just need some applicability of the current standard. But if there's a need for a higher standard, it might be because there's a higher level of risk. Say one of these models because the data is electronically stored and it's electronically stored in large volume and the potential for risk of losing multiple records is greater, that the risk should be greater, then there should be security and privacy standards to be greater, you have to know that to be able to make that

>> Kirk Nahra:

Again, that's a perfect example of what I want to know. For example, there are some quotes from one of the GAO reports. I used this in a presentation the other day that basically said something along the lines of because information in a health information exchange would be available, more information would be available to more people, you need stronger protections. Well that's not an obvious statement to me. And it wasn't clear to me whether they were talking about privacy or security. I'm not at all sure that more volume means more need for privacy or security. Maybe it does. But I want to know why that is. I mean for example, HIPAA, it's clear to me that HIPAA applies to the tiniest hospital in the smallest city in the country in the same way that it applies to HCA or Tenet or whoever the biggest hospital chains are. So in that sense, the rules are the same, small volume and big volume. But that's the kind of question we need to look at.

>>

How many people are in your ZIP Code?

>> Kirk Nahra:

Yes, okay. That's my footnote 16 example. We can't drill down on that, but the question is we need an organized vehicle to evaluate those differences. You're raising the possibilities that one of the differences is volume. I don't know. I'm not sure what volume means in and of itself. I'm not sure I want to learn. I'm not sure whether volume is in fact all that much different. I want to understand whether volume in and of itself leads to the need to have different rules. Again, based on 30 seconds of thinking about this, I'm not convinced that volume in and of itself requires any different rule, if the security rule, for example, is clearly written to be scalable.

>>

Kirk, I would agree with you on that point. I don't think it's volume either. But I do think, as you pointed out before, that the current burden under HIPAA, at least in terms of penalties, is on the discloser, the owner of the data who discloses it, rather than the user of the data. That may be very different in certain types of health information exchange models where the initial disclosure is really a permission to send a duplicate of information to a records bank or a repository, and that from that point on, the discloser of that information cannot reasonably be assumed to be responsible for subsequent disclosures that are made by authorized people to a records bank. And that's a very distinct change from our current model.

>> Kirk Nahra:

So, again, what we're doing here in this discussion today is sort of what I had hoped to have over the last couple weeks where people were going to make suggestions about what topics to look at. That's what we need to do. We need to have an organized basis on which to come up with a list of issues that we are going to look at to evaluate whether we're going to recommend different rules or not.

>> Jill Callahan Dennis:

This is Jill. It seems to me there is a couple ways you can skin this cat. One way to organize the group's work is to look at each known or anticipated model. The other way is the way that was suggested in the grid that Steven sent out, is by looking at the principles and trying to apply the models that we can at least know of or dream of today. I mean, we're going to have to do one or the other, otherwise we won't get anywhere. And I'm not sure I have a preference. But I'm just saying that we have got to kind of move off the dime, from my perspective, and either start looking at these specific models and applying those HIPAA principles or looking at the principles and talking about the models in the context of each of those principles one by one. I just think we need to start focusing in on some of these principles.

>> Kirk Nahra:

Jill, I guess the choice that you laid out was the reason I was asking about whether we need, whether people thought we needed to identify a particular model before we could move on. My suggestion would be to focus more on the principles than on the models. But we always need to have when we're asking questions of the people providing testimony or when we're giving them questions to address, we should essentially have them -- tell us which model you're talking about. Tell us whether the point you're testifying on matters under any of these models. Peter, you can be a designated person to ask that question it's that kind of thing. We've got to keep that in mind as a factor in our consideration. But I think that's going to come up each time. I mean, it may be that a privacy notice, for example, we don't need any additional information to be put in a privacy notice regardless of the model. It may be that we decide oh, we do need different principles. But I guess I would suggest maybe turning to these principles. I don't want to cut off our discussion too quickly. But I guess my suggestion would be let's move to the principles and, again, have a little bit of basis for that, think about what it may be that there are some that people are not as interested in hearing about. There may be that there are some that everyone wants to hear about. Is that okay with the group?

>>

I think as we go through

>>

Yes.

>>

I think that some of them are going to be a really good fit for the environment that we know about. And we won't really want to have a lot of discussion about those because we'll come to consensus pretty quickly that those do fit. I think we're going to migrate to the ones that are going to be problematic in some of the models that we know of today, and those are going to be the ones that we'll have a struggle with. Do they even apply at all? Do they apply but they need to be applied differently? And that's going to create that discussion.

>> Kirk Nahra:

Okay.

>>

If I could just add a question. You know, we have been talking about the principles generally within HIPAA, but there's also this notion of how those principles are applied and enforced. And are we considering that all to be within the domain of the principles themselves, or is that sort of a separate way of tracking on these issues? Because I kept hearing you refer to the principles, and to me, the principles are all fine and good, but if in practice there's actually no mechanism for enforcing them, then that, to me, means they're rendered meaningless.

>> Kirk Nahra:

Okay. Let me give you a sense of how I would answer that question, which is, again, the idea that I think we're trying to work on is to not say HIPAA itself is good or bad, but HIPAA works or doesn't work in this environment. And so, for example, if we were to say there needs to be different enforcement principles in the health information exchange environment because of some difference that makes it different from the rest of HIPAA, that's a perfectly valid basis. If our decision is, you know what? We don't think HIPAA is being enforced today anywhere, therefore we want enforcement, that strikes me as a criticism of HIPAA, not saying there are differences here. So we did have, in our earlier recommendation, the recommendation being that there needed to be enforceable standards at the level of HIPAA for all of these participants. We all recognize that there's going to need to be some further action by someone, HHS, Congress, whatever, to bring a RHIO into being covered directly, to bring a PHR vendor into being covered directly. So I would say the enforcement issue is only on the table if we want to look at something being so different here that the enforcement model today doesn't work, not that they're not doing anything with the enforcement model today. I don't think that's our jurisdiction. But, again, that's my view.

>>

I would just encourage us not to lose the connection between the privacy rights and responsibilities and the principles that get driven out, that they are driven from. Because otherwise we begin to lose the whole concept of trying to find the best privacy and security wrapper around today's new and evolving environment. And I think that if we look at the principles and their applicability, we can't just throw the principle out with the bathwater just because we can't make it fit. We have to look at it and say is there something else that gets back to that privacy right or responsibility that this was derived from in the first place? Because these principles didn't just magically come out of HIPAA for no reason. And so if we can hold to that and remember that we're, the whole purpose of this is to try and ensure privacy rights and responsibilities are appropriate for these different new groups, then we have really done something. So I would say if we look at the principles and say let's look at the principles not only as to whether they're applicable or whether they're doable, but are they also, is there another way that should be being done? If we say that a notice of privacy practices isn't the right thing for a RHIO, is there something that gets to that that would provide that right? Or is that right even protected in other ways that we wouldn't have to apply it to that particular group? But I think as we look at each one of the principles, we need to look at it from that framework.

>>

One other quick comment that's a little bit unrelated. You were talking about identifying areas where we might want to bring in additional speakers. I appreciate hearing testimony, but my sense is that we will never get somebody who's currently in this space to give us sort of a candid, flexible account of what theoretically should exist because it's impossible for them to separate their own institutional interest from this conceptual principle notion. And I would encourage us to think about inviting testimony from players who are thinking about coming into this space as opposed to people who are actively involved in information exchange, or at least in addition to, because they may bring to bear some more novel thinking about those issues.

>> Kirk Nahra:

Well, let me just, let me follow up on that. What I want to focus our time on today, for the rest of our discussion, is to identify some of the principles and see I don't want to answer the question of whether they're right or wrong for this environment. I want to have us discuss two issues. One is is it a principle that this group would like to gather information on, for purposes of this differences approach? And second, if we're going to do that, that how do we do it? And that maybe goes to your point, Alison, which is, again, we had some testimony last time. Some of it was very much not on point. Some of it was closer to being on point. There wasn't a whole lot I don't think we advanced the ball all that much on the issues that we had in mind. So I think that question of how do we what's the information we need to learn is very much what we should be talking about. I think that some of that I don't expect we'll finish that discussion today. I think that that's a lot of the work that Steve and John and others will be doing over the next couple of weeks, for example, getting ready for our next testimony hearings. And that's a hard thing. Because our experience last time was we weren't great at finding people that could talk about the right things.

All right. Well with that said, let me throw this one out for discussion as a principle to see whether it's an issue that people are interested in hearing about, interested in applying this differences idea to, and then talk about, if so, how we would learn information about it. What I want to do is the concept, the principle, of individual rights. There are a handful of specific individual rights set out in the HIPAA privacy law. I'm going to put notice aside for a second. We're going to talk about that separately. But the HIPAA privacy rule talks about amendment rights, access rights, accounting rights. You could arguably put right to request a restriction and confidential communications in there. Those rights are pretty specific, there's lots of controversy about whether they're good enough or bad enough today. But let's use that as a starting point. I mean, do people, are people interested in learning more information about whether there's something different in this new environment such that we might need different rules on individual rights?

>> Peter Basch:

This is Peter. I would say yes, if only because the prior assumption that patients being able to find out about information and correct or amend information that needed correcting really is approached very differently on and doable in very different ways in a, let’s say a one-owner model of a record versus a, information that's mobilized in any number of models of health information exchange. There a patient might see a copy or a copy seven times removed of information. And being able to make an amendment or correction whose purpose is not just to correct a piece of data but to correct, let's say, new medical errors from being made or potential drug interactions might not be successful unless it touches all of the appropriate places where that data has been. So the simple right to amend or correct without knowing more about where that data came from and where it's been might not be giving patients what the intent was in those rights to amend and correct.

>> Jill Callahan Dennis:

This is Jill, and I agree 100 percent with that. I also think this is where some of the different models have different implications. For example, a repository model, HIE versus others that are not going to retain data, will have very different needs under this section. So it is something that we need to dig in on, in my view.

>> Kirk Nahra:

Other people's thoughts?

>>

I agree.

>>

Ditto. I think another example may be the issue of audits. One thing that I've heard from a number of folks who worked with applying HIPAA is that they keep extensive records and they don't know for what purpose, presumably for eventual access by the consumer. But what they're actually keeping under HIPAA is very different from what a patient may want to see when they look at their audit trail. And so I think the reg requirements for HIPAA

>> Kirk Nahra:

You mean accounting or audit?

>>

Audit under the security rule.

>> Jill Callahan Dennis:

I think she's talking about the difference between an accounting of a disclosure and an audit trail.

>>

Yes.

>> Kirk Nahra:

Let's use that example. I mean an audit trail is, I wouldn't view that as being anything that's an individual right under the HIPAA privacy rule. There are some security rule requirements for you to be able to figure out who got into your data if there was a security breach, for example, but I look at the accounting rule as accounting rule is clearly one of the individual rights. I personally think the accounting rule is a complete waste of time. The rule was basically set up to exclude most things that a consumer would be interested in. And the things that are left, you know, people aren't asking for it, it's not a right that's being used, et cetera. But I would look at that as an issue that it either works or doesn’t work under HIPAA. I'm not at all convinced that there's anything different in this environment such that we should have a different accounting rule for this environment other than saying well it doesn't work very well in this environment.

>>

But if the point, from a consumer perspective, if theoretically the point of the accounting rule is to give people the ability to sort of go back and see who has touched their record. Then there are certainly easier and better ways of doing that that we could facilitate in a health information exchange environment.

>> Kirk Nahra:

And my view is that’s not actually what the accounting rule was designed and set up to do, because they’ve excluded 95 percent of what happens. So, we could put it on the list. I think, again, maybe it's going to be a good example of this perhaps artificial line I'm trying to draw, which is not criticizing HIPAA as HIPAA but looking at it in this context to see what's different.

>>

Sue, can you clarify, sorry to put you on the spot here, but sort of the impetus behind the accounting rule because maybe I had a misunderstanding of what it was intended to achieve.

>> Sue McAndrew:

I think more in terms of this discussion one of the things that comes up repeatedly is whether or not in this environment something more akin to an audit trail is what can be used to fulfill the accounting requirement. And how much information, how much of an audit trail as typically done today on many computer systems would actually satisfy the reporting requirements that would come out in the accounting is one issue. Currently an audit trail would cover much more information and different types of information than we necessarily require an accounting for under the current HIPAA rule. So that, I mean there are tradeoffs. But it clearly has been part of lots of discussions about the potential of electronic health information exchange, through computerized tracking, to facilitate accounting for more information, different kinds of information than the rule currently puts on people, because it’s an additional recordkeeping structure.

>>

To me the context for this is that instead of just having the single institution sort of touching the information in this health information exchange context, you have all of these different entities. And so the desire to know and the desire to edit or account for who's touching is there heightened because you're in a virtual environment. So to me, while it may not exactly sort of slice in the way you've defined in your mind, it's sort of by virtue of the environment it just becomes an example. But I don't know how others see that issue.

>> Jill Callahan Dennis:

I think it's a useful discussion. I think you have to keep in mind the difference of internal uses of data which an audit trail would typically cover, and external disclosures which was, as I read it, the purpose of the accounting provisions in HIPAA.

The other sort of ringer I would throw in here is that although I'm no fan, frankly, of the accounting provisions, I do think it may have some legs as it relates to PHRs, given that that data is generally collected primarily for the benefit of the patient and for the ownership of the patient in terms of a much greater level of control. So that might be a wrinkle that we want to look at as it relates to the utility of having some sort of accounting for disclosures from a PHR.

>> Peter Basch:

Yeah -- this is Peter -- I also think that the line between audit and accounting blurs when we look at some models of health information exchange, particularly as we think of data shifting from system-centric to patient-centric. And what may be a look, even in a record locator service model, of what's available, well, is that a release of data? Is that a disclosure of data? Is that somebody opening up something to look at it and see if they need to use it? How do you even consider that? And certainly that is auditable. It is something that one can look at and in some cases one should be looking at, probably in all cases one should be looking at. But I think the line is blurred. So I think this is a case where what seemed to be clear-cut when HIPAA was written has to be looked at again in many of the health information exchange environments.

>> Don Detmer:

I agree with that. This is Don Detmer. I agree with those comments.

>> Kirk Nahra:

All right. Let me throw this out for moving on. The group does think that individual rights is a topic that we should be looking at to evaluate differences?

>> Don Detmer:

I think so. I'm not sure we'll come up with more. But I don't think it's a bad idea to at least review it.

>> Kirk Nahra:

And Don, let me be clear about that. Putting it up for discussion is not at all a suggestion that we have changes. It’s a question of whether we want to look at the issue to determine whether we think it's appropriate or whether we would recommend changes. So --

>> Don Detmer:

Yeah, I think in light of personalized records and so forth we ought to look at it.

>> Kirk Nahra:

So that's point 1. Point 2 on that topic would be how would we gather useful information to help us in evaluating whether we should recommend a different standard than what is currently under HIPAA? Now I want to open a short discussion on that point now, but I also would like and let's see. Let's put this for a specific follow-up going out to the group. I would like people to have specific recommendations, you know, components of individual rights that they would like to have looked at. What would you like to hear? I mean ideally, who would you like to hear it from? But, I mean, we need to go from here are questions to here are vehicles to get the answers. And I think that's going to be hard, but we’ve got to put some attention to that. I mean I don't the result if we don't put enough work into that question is another hearing where we spend a day not getting information that we're interested in. So that's going to be an important component of trying to do this. And I think anyone's help that we can get on that. Now, let me open for a couple of minutes. Are there particular questions you would like us to ask? Particular the big topic is individual rights. Are there particular pieces we should be looking at under the category of individual rights?

>> Peter Basch:

This is Peter. Just one that I think we need to look at is the example, and here, testimony might be useful of, and there are, because we do have some functional health information exchanges in the country now, we should be able to find some examples of consumers who have attempted to look at, amend, or correct components of their medical information once that information has become widely mobilized and to hear if indeed it is something that some of us are projecting as theoretically more difficult or ended up being not so much of a problem because they were able to trace back to the source and have a correction from the source populate all the recipients of the data that was in error. I mean that's speculation on my part. It would be useful to get some testimony.

>> Don Detmer:

Yeah, I guess my, somewhat [inaudible] and that is to look through some of the consent things and see if in fact they cover issues as we thought they'd cover.

>> Kirk Nahra:

I'm sorry, Don. Say that again. I didn't understand that.

>> Don Detmer:

Sorry. I went back on mute. I'm saying that I think there is some value to look at the current consent kinds of things as a general rule and see whether some of these new issues and uses would cover those as we'd like to see them covered. It wouldn't necessarily be an expansion, it’s just a matter of seeing whether current procedures would fit current environments.

>> Kirk Nahra:

Let me put that aside for a second, Don. I’m going to put that in a different category. I want to focus on the individual rights piece right now. And, again, are there particular questions and again we can define individual rights differently. But right now we're talking about access, amendment, accounting, right to request restriction, confidential communications.

>>

Does this get into granularity of data use, specifying data use, or are we putting that in --

>> Kirk Nahra:

I would put that in the uses and disclosure of information, I think that's the next topic I wanted to turn to.

>>

Okay. I just wanted to figure out

>> Kirk Nahra:

On Steve's chart, it's 522, it's 524, it's 526, it's 528 of the privacy rule are probably the main things, the main currently spelled out individual rights under the HIPAA privacy rule.

>> Sue McAndrew:

I think probably it is the right to request restriction that begins to bleed all of that into when the once they're in the system, does the individual get to say where their data goes and what are the conditions to do that? I think it's legitimate to have that as part of a separate conversation from individual rights.

>> Kirk Nahra:

I would look at it as a use and disclosure issue more than the individual right. Frankly today, again we can quibble about the current privacy rule, but right now you have a right to ask and nobody has to say yes, and most people don’t say yes because there are very dire consequences if you say yes and you screw it up. So it’s a rule that -- the HIPAA privacy rule today I think is a little bit of a, it's a theoretical right that's very actually hard to gain anything from. The question about uses and disclosures and consent, I mean that's frankly going to be the hardest issue and probably the most controversial issue we have. I think that's better to address on the front end than as part of a largely not very strong current individual right. Are there other questions that people would like to look at?

>>

I think one that is pretty fundamental that we ought to, it may not take a great deal of thought, but the whole right of access of individuals to PHI? How far does that extend? If we do, again, have repository models in HIE, there is some potential for convenience to the consumer of one-stop shopping for their medical information. So I think it's something we should at least look at.

>> Kirk Nahra:

All right. Let's take that for a second. That convenience versus sort of who's got the burden question, do we want to address that question, and if so, who do we want to hear from? Do we want to hear from other RHIOs? What do we want to learn from that?

>>

Well, I'd specifically like to know if there are repository models out there that are allowing patients to directly request data from the repository as opposed to five different individual providers across the State.

>>

The other minor provision in HIPAA in that regard is sort of for a reasonable fee. Previously I think the understanding was that reasonable fee accounts for the time and energy and resources required to produce a copy. And in a virtual exchange environment, I don't know if that's as relevant. I mean they still may want to keep the fee. But from a consumer access standpoint, that becomes

>> Kirk Nahra:

All right. So when we get down to a recommendation, the question would be does that provision in HIPAA today that says you can charge a reasonable fee, do we need to write a different rule, or is the answer that what's reasonable may be much less in this context than it would be when you're copying, sitting there with a bunch of paper files. That's a question. I don’t know whether --

>>

I think it's the latter. I think you leave the rule the way it reads and it's already scalable. Why monkey with it?

>> Kirk Nahra:

That's the question. My instinct is probably where you are. But that's the question. I think we'd want to look at whether, whether to do that. I mean, for example, I know there are some State laws that spell out 28 cents a page kind of stuff. There's nothing in HIPAA that really defines what's a reasonable charge.

>>

Cost-based.

>> Kirk Nahra:

Cost-based. Again, right now in theory --

>> Alison Rein:

You get $50; it helps pay for the doc’s EMR system.

>> Kirk Nahra:

But Alison, I think it's a fair question to look at. But again, what I'm hoping to avoid we may not be able to do that is to say I mean, that's true today. If I call up my doctor and I say I want a copy of my record and all the records are stored electronically and it's a question of just sending me an email, the doctor is allowed to charge me 50 dollars or whatever is reasonable. So the question would be is there anything different today that means we need to put more precision on that? I agree there is some imprecision today and there's some opportunities for people to discourage access through economics. I'm not sure those opportunities are I'm not sure. Maybe they are different. Maybe we really need to have a different set of rules here. That's how I want to try to frame the question. I'm sorry to cut you off there.

>> Alison Rein:

No, you didn't. Just along those lines, because the records are now, more records are stored electronically, arguably easier to access, make copies of, send you electronically may suggest something beyond a cost structure that could justify 50 dollars.

>> Kirk Nahra:

This is a general question. I don't know that you would have a sense of this. I understand there's been lots of complaints about people not giving access to information and sort of but have there been cost complaints?

>> Sue McAndrew:

Yes. We get a lot of complaints. A lot of them are based on the fact that some State laws allow you to have a flat fee and then a, plus a page copy. And challenging whether that flat fee, which is generally for administrative type expenses, can be considered part of the reasonable cost. So we get into those kinds of issues whether there's a State law or not.

>> Alison Rein:

I mean I only raise it as being different in this context because presumably part of the impetus behind this is to have a more actively engaged consumer participant in their health care. And so in that context, it then becomes

>> Sue McAndrew:

Clearly in an electronic environment it's very different in terms of trying to figure out what is, what is the cost. When I zip an email or attach a document to an email, what exactly have I done? And how do I figure out what that little nanosecond has cost me?

>>

Maybe your liability insurance and your security

>>

Yeah.

>>

It's totally legitimate.

>> Sue McAndrew:

The other thing is a lot of personal health records and even some systems brought up by providers charge the recipient. It is not necessarily free to the recipient. So does that become the equivalent of a copy machine in this environment? Can we allow people to charge individuals to have a personal health record? Or are we going to demand that that be provided free?

>> Peter Basch:

This is Peter. My take on this, and I do work primarily in an electronic environment, is that the reasonableness of the cost of producing copies of information is a bit backwards in electronic data exchange than in analog using paper because in fact the greatest difficulty with paper is finding the record and having someone pull it apart to make copies of relevant sections. And what a lot of physicians do, because they don't have staff to do that, is they subcontract out to copying companies that set their own fees, and then physician offices typically just get out of that business and let the companies charge patients whatever is allowed under State laws. What I find in the electronic environment is more time is spent looking at what the request is, who the requestor is, and going through easily transmittable information to make sure you're sending the right information, the right patient, the right attachments. And if there is an obligation to comply with a minimum necessary, culling down what can be sent.

The easiest thing to do in an electronic environment is to look at a request quickly or to sort of kind of look at it quickly and to select all and send, and that clearly is not in the best privacy interests of patients. So time is spent on limiting what's sent and making sure that the request is met and the request is met under ethical and privacy standards. There is no real per-unit cost in sending data. There might be monthly fees in terms of secure messaging fees, but there's very little incremental cost in terms of adding a piece of information have. Even our concept of a per-page cost becomes very artificial when we think about transmitting data.

>> Kirk Nahra:

All right. Let's try to wrap this piece up. Are there other particular components of these individual rights issues that people would like to have addressed? And again, we're going to follow this up with a specific set of questions to everybody for additional thoughts. But I just want to ask that question while we're on the phone today. Anything else sort of pop to mind at this point? All right. Be alerted. You will get an email from Steve that says what question -- what are you looking at? What would you like to learn more information about concerning individual rights? And how would you propose to get that information? Because we've got to go from the -- I mean presumably we want to take testimony or gather information. I mean I say presumably because we could just sit and talk about a lot of these issues. That may be an appropriate vehicle for some of these things. It may also be an appropriate vehicle to have research done as distinct from gathering testimony. It may be that that’s a better vehicle. We do, obviously, have resource limitations, although if we had specific research projects it may be easier to get resources. So please do think about those questions. We'll send out, with a week turn-around or something, relatively quick, to try and get some more information on that.

>>

Just a question. Could we also, as one of our recommendations, say that we think it’s a scenario requiring further research and it may not be research that circles back to us in the next one to two months but that informs this broader discussion? Because maybe it's a research project that requires more than the time we have allotted.

>> Kirk Nahra:

Yeah, I just think we sort of want to define what that would be. I'm not sure exactly -- I mean put it this way, I guess when we talked about some of the examples with finding a RHIO that does X, Y, and Z, I don't know that I want to bring someone in for 20 minutes of testimony when what we really need is 30 seconds of answer. And so the question would be is there a way to get the 30 seconds of answer through information? You know, Yuriy had done some of that work on the personal health notices records, which again he was sort of stuck with what he could get, but maybe there's some projects like that. But I think if there are, we have to define exactly what those are. And if there’s something that's a much bigger deal, maybe that would lend itself to someone other than us doing that. I'm not sure what the thesis is, what the headline on that is. All right. So that will be one of the topics that we want to try to address in the short term. It's obviously an important one and one I think, particularly given Alison's point about the consumer empowerment side of this, getting consumers involved, it's obviously going to be a very important one.

Let me throw out a next principle. I'm sure that everyone will conclude that we don't even need to talk about this, which is the use and disclosure principles.

>>

Don't go there.

>> Kirk Nahra:

There are a couple of components of this. I mean, we have Section 512 of the privacy rule, which is sort of public policy exceptions. Do people feel that we have any particular reason to revisit those? Now let me be a little bit more clear about this. Those are essentially exceptions to the consent and authorization principles. They are essentially a set of conclusions that say these are reasons that information should be disclosed, essentially whether the patient wants it or not, for public policy purposes. Do we think there's a reason to reevaluate those principles for this environment? Now, these are things like subpoenas, law enforcement inquiries, public health disclosures, fraud and abuse investigations. I mean there's a laundry list of, I don’t know, 15 or so exceptions. Research. We should carve out research. I think research, there will be a question about research. But maybe put that one aside.

>>

Kirk, does biosurveillance fall under public health? Hello?

>> Kirk Nahra:

Speak up.

>>

Sorry. I was just saying I think we may need to learn more about some of these categories, like research and biosurveillance.

>> Kirk Nahra:

Let's put research aside, because I think we will want to, I think that's a different dynamic. I don't have my rule with me. For example, subpoenas. Is there any reason to have a different rule relating to how a body responds to a subpoena because it's in a RHIO environment than directly?

>>

Depends on the health information exchange model.

>> Kirk Nahra:

Why would that matter? What would be the rationale for having a different, a different subpoena rule?

>>

Well, if it was a data repository model or a records bank model, I'm presuming, then, the subpoena would go to

>> Kirk Nahra:

We don't know who the subpoena would go to. The subpoena goes to whoever the lawyer or the courts directs it to. I mean, the current rules say I'll paraphrase the long rule, but the current rules basically say information doesn't get produced pursuant to a subpoena unless there's notice to the patient or there is a specific protective order entered in a court proceeding. Protective order.

>> Sue McAndrew:

A court ordered subpoena goes with compelled by law. It's only if the subpoena, at least an administrative proceeding, comes without a court order do you wind up with these additional protections [inaudible]

>> Kirk Nahra:

So the issue would be do we think we need to look at whether there's something different about this environment such that we're going to produce a different set of rules related to subpoenas.

>>

I think there may be a difference between HIEs and PHRs on this measure. The idea of subpoenaing someone's own personal health record where they’ve sort of voluntarily put in their own data, whatever they choose, I think there may be a difference there. But it's the only subpoena difference that comes to mind for me.

>>

I agree with that. Because if I subscribe to a PHR, just because the PHR happens to be collocated someplace else and I'm not keeping the actual data on my premises, I own the data but I pay them to keep it under lock and key, so I wonder if there's a difference there, too.

>> Sue McAndrew:

But is that a function of the privacy rule or is that a function of normal reach of subpoenas under civil or criminal law, whatever it is you're alluding to?

>>

I don't know.

>> Sue McAndrew:

As it goes whoever they can go to.

>>

They’ll go to.

>> Sue McAndrew:

They'll go to.

>>

And your mistake as an individual is writing it down and sticking it somewhere. That’s horrible, we want to encourage people to do that, and then -- it is what it is. There are a whole lot of other laws that are that we’re not going to fix in this group, or in this process.

>>

You play or don't play. You get your Bennies and you go home.

>> Kirk Nahra:

Today, in today's environment, let's say in my personal record today consists of a file cabinet in my office, I can be subpoenaed in many contexts. Now, I am not going to be a covered entity under any of the scenarios we've carved out for patients. My doctor can be subpoenaed today. My employer can be subpoenaed today. My doctor who doesn't bill electronically and therefore isn't covered by the privacy rule could be subpoenaed today. Anyone that I've talked to can be subpoenaed today.

>>

So really what you're saying is there really is no difference?

>> Kirk Nahra:

That's the question.

>>

I think you're right.

>> Kirk Nahra:

I'm one of 15 votes on that.

>>

I think you're right.

>>

I'm just thinking the difference between your doctor's file cabinet and your own PHR is your own sort of self-incrimination. If that's sort of accessible by subpoena, I think that may have some chilling effect on the utility of PHRs for patients. I don't know. It's just sort of an off the top of my head thought.

>> Kirk Nahra:

Let me ask the question a little differently, which is, we could go line by line through the privacy rule but we've got to prioritize. I guess let me ask it that way. Do we think that these 512 public policy disclosures are high on the list of priorities of issues we should be looking at to determine whether there are differences?

>>

Probably not our highest priority, in my view. But actually I had one issue that came up that wasn't subpoena-related. Do you want to hear that or not?

>> Kirk Nahra:

512, you mean?

>>

Yeah.

>> Kirk Nahra:

Okay.

>>

It was the whole permitted disclosures for abuse and neglect and domestic violence. And the thing that sort of rang an alarm bell for me is going to extend the permission again to repository model HIEs to sort of mine their data and report potential domestic violence and potential abuse and neglect based on the kinds of symptom clustering that were seen and things like that. I would have some concerns about that. But I'm not so sure it's a high priority item because frankly I'm not so sure there's all that many repository models out there. But it is one that rang a bell to me as I went through 12 exceptions to the authorization.

>> Sue McAndrew:

Currently the domestic violence 512 doesn't really go to that kind of oh gosh, let's look for potential stuff and patterns within our patients.

>>

It's not mandatory, but it is permissive.

>> Sue McAndrew:

What that is permitting is that in an individual case of domestic violence, you are permitted and you may actually be required by law, in some places, to report that. We separate that from other kinds of either general public health reporting or even required by law reporting simply in deference to giving the individual a larger role in controlling or knowing about those kinds of reports because it may be critical because of the relationship between the individual and the abuser in many of those situations and they need for their own safety sometimes to know about when that's going to be reported.

>> Kirk Nahra:

For example, the rule again, if you drill down the rule it says to the extent disclosure is required by law. Well if it's required by law, it's required by law. This is just saying you don’t have a conflict with the privacy rule if it's required by law. If the individual agrees to the disclosure, I mean that gives the person permission. There's a couple of -- it's a pretty narrow piece. So again, go back to whether it's priorities or what, but is there something that we -- again, we don't have to conclude that there is or isn’t something different. We have to decide that we think there's enough question that we want to spend the time of this Workgroup to look at that issue. And so the question is whether we talk about 512 generally? I'm happy to go through each one of them. We can say subpoenas, yes or no. We can say abuse, yes or no. But in general, are there reasons that we think that this environment is sufficiently different that we want to put on our list for the short term to look at those issues?

>>

I'm not sure that I -- I don't know that it's a priority issue. But I'm also not 100 percent comfortable just saying it's not something you should deal with. But I'm not even sure that the people around this table know if they're the best people qualified to go through that analytical process. And I would almost say that this is an area where we may want to suggest a legal analysis or additional research in order to inform and to sort of take it off of our plate for the moment. These are issues that I haven't thought about honestly at all. So I'm a little uncomfortable saying absolutely not, they aren't important, or, yes, we should proceed with hearing about why it's different or why it's not different.

>> Kirk Nahra:

Any other thoughts on that point?

All right. Let me do this for the next couple of minutes. I am going to assume, without even asking, that people think that the sort of TPO disclosures, the consent, the authorization, that sort of package of issues is something that we want to look at in this environment. Is there anyone who disagrees with that?

Okay. So the question that we're going to need to focus on is what are the questions and how do we learn about it? Again, if you tie it to the privacy rule, I think we're talking about the uses and disclosures section, the idea of TPO, the idea that TPO disclosures do not require consents. I'm not sure we need to tinker with the authorization idea only because the authorization idea is sort of the harder to make disclosures already, the ones you need particular permission so that conceptually I think the question is are we looking at pushing more uses and disclosures into an authorization kind of environment or pushing them into an environment where some kind of permission from the patient is needed.

I guess what I would like to do is this. We are scheduled to take a break essentially right now. I would like, again, I would like people to think about, both over our break and then we'll send out this as a second piece of our questionnaire. What particular questions related to uses and disclosures would you like to see examined? What would you like to learn about? What would you like to hear about? What would help you make a decision on whether you want to recommend a different approach in this environment than we currently have under the HIPAA rule? So with that, why don't we take a break? I have 2:37 on my watch. Why don't we be back at 2:50? And then we will go a couple minutes on any people's reactions to this and then we will turn to our PHR discussion. All right? Thanks.

>> Steve Posnack:

We’ll be back.

[break]

>> Kirk Nahra:

Welcome back, everybody. We are ready to get started this afternoon again. Let me ask the Workgroup members just quickly whether people had any quick reactions on the use and disclosure points. Again, trying to drill down to particular questions or ways to learn more information. Anyone have any thoughts at this point in time? Anyone on the phone?

>> Sylvia Au:

For the use and -- this is Sylvia -- for the use and disclosure to carry out treatment, payment, and healthcare operations, my question is then can you look through other people's EHRs to get that information, other family members? Get that information for the treatment, payment, or payment for your patient?

>> Kirk Nahra:

So the question would be if I'm being treated, can someone get access to my parents' or children's records?

>> Sylvia Au:

Or uncles, aunts, whatever. Because a lot of times we can't determine maybe what kind of genetic testing you can have or whether you're appropriate for it unless we know the result of a family member that actually has the disorder and has been tested.

>> Kirk Nahra:

Okay. So the question would be is there, again tying into the differences idea, is there anything different about that environment than there is today? I mean, for example, if I'm in the hospital today and it's a hospital that by happenstance has treated my parents, my uncle, my cousin, whatever it is, could they do that today?

>> Sylvia Au:

We get paper consent. We actually have, have to have the relative sign a consent.

>> Kirk Nahra:

But aside from a consent, today that would be a violation of the rule.

>> Sylvia Au:

If you just

>> Kirk Nahra:

Are you saying no to that, Sue? You're saying it wouldn't be a violation? Could the hospital disclose my father's records in treatment of me?

>> Sue McAndrew:

Yes.

>> Kirk Nahra:

Because it's treatment?

>> Sue McAndrew:

Because PHI can be disclosed without the consent of the individual for treatment purposes. And that can include the treatment of the individual. It can be something that's relevant to the treatment of somebody else.

>> Sylvia Au:

I think the government the risk and lawyers for the medical centers and doctors would not agree with that.

>> Sue McAndrew:

Well they didn't write the rule. Now whether or not

>> Sylvia Au:

Or a HIPAA privacy officer.

>> Kirk Nahra:

All right. So there's two relevant questions then. One, I suppose, is what does the current rule say? The second is does the fact that it's probably easier to do that in a health information exchange environment mean we should have a different rule?

>> Sylvia Au:

Yes.

>> Kirk Nahra:

Any other particular -- again, this is not your last chance, although we are going to make you answer this question over the next week or so, mainly because we have to figure out what we're going to do about moving this forward. Steve?

>> Steve Posnack:

I just had a process question because I think and this will help me help you.

[laughter]

Exactly. Kirk's making the motions right now.

[laughter]

The table that we sent out for discussion purposes, basically to get feedback on, it didn't resonate well with everybody. And we need something as a better tool. And I guess my suggestion would be to give people more context, which I think they’re asking for, if we were to provide the particular section of the rule with what we were thinking about doing, plus the questions, would that be more I'm just trying to get out

>> Kirk Nahra:

We can talk about this, but my sense is that we should probably not focus as much on the particular sections of the rule. It's basically what do you want to know about in the context of uses and disclosures of information to help you evaluate whether we need new rules for this environment? And it's particular questions and it's also what would be useful to hear?

I mean, to go back to Sylvia's point, let's say we're going to use that as one of the questions. What would help you -- I mean this is the kind of thing we need to figure out. What would help you come to an opinion on that point? Is it you already have an opinion and we don't really need any information? Or we want -- again, we want a RHIO to talk about what would be possible? Or we want to talk to a doctor about what things they would look for? I'm not sure what -- I mean, I understand the issue. I think it's an important issue. I'm not sure what factual information would help me decide whether I would say we need a different rule or the same rule is good enough.

>> Sue McAndrew:

And in part, again going back to that example, and I don't know if it helps or hurts, but then there are other AHIC Workgroups that are working on that issue. I mean there is the Personalized Healthcare Workgroup that is looking into how to share what they want out of the system in relation to genetic information, genetic testing, and how all of this can advance personalized health care. And they're asking the same kind of questions. Today, can in what kind of scenarios or use cases can this information be shared under HIPAA and if not how do we get rid of the barrier?

>> Kirk Nahra:

I guess I want to use that particular example both for the substance of that example, but also I do think we need to get to that second part. I want a question and I want people to think about how we're going to answer the question. Using that particular example I don't know if we have to talk about it here, but what would help the people in this room and on the phone come to a conclusion on whether we need a different rule? That's how we go from sitting around the table talking about it to having an informed basis on which to make a conclusion. Again, I don't mean to denigrate sitting around the table and having an opinion. I mean some of these issues are opinion issues, there are policy issues we are talking about. And we may just say we don't think it's right to go into my father's records without his permission, or of course that's we could all just have an opinion on that. But unless we're going to do this based on our own opinions, we need a basis to learn more information. And I'm struggling, and I'm going to hazard a guess that Steve has been struggling to figure out what do we do on that? What do we do to address that topic? And I'm assuming we're going to come up 10 other questions where we also need to figure out how we're going to learn about that topic so that we can come to an informed conclusion.

>>

Yeah, but Kirk, I would caution us to think and I'm sure everyone is fully aware of this but just having testimony from mostly people with vested interests is not necessarily going to inform our opinions any more than hearing their perhaps even colored opinions. Ours may be less colored. So for me what would be helpful on that particular issue is getting clarity, getting that very clear line which we talked about we weren't going to do already, do this time, with models of health information exchange, exact bright line definitions of use and disclosure as we think about how mobilized medical information appears in any number of models because, in fact, getting a very clear definition might inform us very quickly that we do need to think about use and disclosure very differently.

>> Kirk Nahra:

All right. Let's do this. We will send out a questionnaire. I mean it will be a couple of questions but in general, that's what we're going to need from you. I'm going to limit it to the two topics we've talked about today, which is individual rights and use and disclosures. Not because we're going to talk about other things but for right now that will be plenty for our next hearing and maybe another hearing after that. So we're going to limit it to those two topics. I want people to think about particular questions, particular aspects of that that you want to learn more about, and where you want to learn more about a question, what would be helpful to you in learning about that?

All right. Let's move on to the next point on our agenda, which is the PHR privacy policy components discussion. I guess I will turn that over to Steve or to Sue. Steve, are you going to do that?

>> Steve Posnack:

I can intro or emcee.

>> Kirk Nahra:

Okay. Why don’t you emcee?

>> Steve Posnack:

So from the last time that we presented we had another meeting of the subgroup of the Consumer Empowerment and CPS Workgroup members. A number of them are here today because they had to be, and I hope they'll be able to chime in as well. And we talked a little bit about the best way to present these. And this intro page, which if everyone hasn't had a chance to read, might be helpful to read. And that basically lays out the expectations of the subgroup and explains the work done to date and some of the challenges that we had in explaining particular issues, as well as the bottom part which, as I'm done emceeing I'll turn it over to Sue, because she's singlehandedly revolutionized the table and having this crosswalk of how HIPAA compares to the privacy policy components that the subgroup has come up with. And as Kirk foreshadowed in the beginning, we'll have to evaluate how all this pans out in relation to our larger differences question. And I think this may also, in parallel, help inform some of the other differences questions that we're grappling with, whether or not they relate to individual rights or use and disclosures. That's the two columns we're working on now.

>> Kirk Nahra:

Let me just add something to that. I haven't been involved in the subgroup particularly, but my sense is that what sort of happened is that there was a lot of discussion about what would be good to have in a privacy notice?

>>

Not just notice. Privacy policy.

>> Kirk Nahra:

What would be good to have in those policies? A little bit starting from a blank slate and what we wanted to try to do today was sort of compare that list to the HIPAA rule. If we sat down and said, you know what? We're going to start to talk about appropriate privacy principles for electronic health information exchanges, we could very easily end up with something very different from HIPAA. If any of us were starting from like seven or eight years ago, we might have come up with something different from HIPAA. But we have HIPAA, and it's out there. I didn't want to back us into a conclusion that said well we're going to recommend a whole bunch of different things in notices and privacy policies without getting to that question of do we really need a different set of rules. So the idea of this crosswalk is to try and look at a little bit of a wish list and compare it. If it turns out there's 47 things that people think would be a great idea here, none of it ever required in HIPAA, we're going to have to assess that. So that's what we wanted to do with the crosswalk. Anything else you want to say?

>> Steve Posnack:

I think others on the subgroup can correct me if I'm wrong, but I think the overall impetus to this, the beginning for this, was to find a way to bring those PHRs that aren't going to be offered by covered entities under some type of privacy policy regime. That was at least one of the issues. And how that compares to HIPAA, if we're going to make this for all PHRs, then that's where the tension lies and where the challenge lies. And that's hopefully where Sue can be our guiding light.

>>

Right. But this particular exercise was about what would be a private policy, policies for a certification standard. It's not sort of setting requirements that would be written into law, but instead would be, ideally, again, part of the certification process.

>> Kirk Nahra:

Well, let me ask -- Steve, one thing you said I want to make sure I understand -- is the idea in coming up with this list that it would be for non-covered entities’ PHRs? Or for all PHRs? Do we know that?

>>

I don't know that we made a distinction.

>> Kirk Nahra:

Steve said that you’re going to have a tension, we're going to have a tension with HIPAA. We will clearly have a tension with HIPAA over covered entity PHRs. We’re going to have a tension with all PHRs to the extent that our recommendation said all PHRs should be brought up to the standards of HIPAA, in any event. But I didn't know what the suggestions were tied to, whether it was just tied to that.

>> Sue McAndrew:

I do think that they began with the concept of many of the vendors -- many of these are -- the concern was the freestanding vendors that were not subject to any law. And what are good, consumer-oriented practices to think about before you go and contract with one of these vendors. And then I think that kind of evolved into a general, far more generalizable set of privacy principles for anyone offering PHRs. But I don't think, at least on the consumer empowerment side, that they ever stopped to focus on tethered PHRs or PHRs in an environment where HIPAA already applies.

>> Kirk Nahra:

Let me ask one other question. Deven, you said something about how this was privacy policies.

>> Deven McGraw:

Sometimes a notice but not all. Presumably all of these are enumerated in the notice. But the focus is not what’s in the notice per se but what of your policies, of course, would have to be included in the notice.

>> Kirk Nahra:

I hadn't understood that distinction. I understood it to be all be tied to the

>> Deven McGraw:

Ideally the notice would have it all.

>> Kirk Nahra:

I mean hospital's privacy policies are 500 pages, their notices hopefully not. Could be.

>> Sue McAndrew:

I think it's one of the evolutionary things where as I recall the effort began with a more narrow focus on notice. And then as the discussion broadened about well, what should be in the notice and what should the notice say? It just evolved into well, what is the policy we want? It happened here. And then categories were added and rearranged and attributes were changed and all of a sudden we weren’t talking just about what you needed to post on your Website so much as the types of behaviors you should engage in and collaterally inform the individual about the activities you were engaging.

>>

You know I think in some respects in terms of where the tension is with HIPAA again our, my understanding, our goal here was not to create a set of rules per se, but instead just create a set of policy principles, best practices that if you're going to get your product certified, which in some instances or at least ideally would be sort of a Good Housekeeping seal of approval or a these are recommended products, that this is what we would want to see in terms of at least among the members of the Workgroup, which again was a combination of people here and then the folks from Consumer Empowerment.

>>

If Consumer Reports were to do an issue on PHRs, what would be sort of like the threshold that they would hold these to? These might be a set of principles that they would comment on.

>> Kirk Nahra:

Do we want to walk through what I'd like to hear certainly at a minimum is are there components on this list that are inconsistent with HIPAA, don't have a counterpart? Would be saying to somebody, you have to do something that on this side you wouldn't have to do? I think in general that's.

>> Sue McAndrew:

I think in general that's what I tried to with the crosswalk and I can highlight. It’s a little troubling. It was more difficult to say what was inconsistent with HIPAA. There were clearly areas where HIPAA just doesn't go there, and so there's no HIPAA equivalent.

>> Kirk Nahra:

But I want to make sure we understand those.

>> Sue McAndrew:

Those are clearly -- there are other areas where HIPAA plays in the same pool but does it slightly differently or not with [inaudible]. And so I can certainly summarize those kinds of distinctions for you, and I will not try to step through all of the actual HIPAA parallels so much as just trying to point out from the components where the differences where at least those two differences.

>> Paul Uhrig:

Let me ask a question. What are we trying to achieve here? An enormous amount of time went into this. As I understood it, this was going to be presented to CCHIT. Are we here to approve this? Inform the discussion? What are we trying to achieve today on this? I'm not necessarily clear on that.

>> Kirk Nahra:

That's a good question. This is something that originated with Consumer Empowerment. I don’t remember what -- there was a specific sort of passover to us for something, but I don't remember what the something was.

>> Steve Posnack:

I don't have the exact recommendations on me.

>> Kirk Nahra:

They wanted -- at one point Consumer Empowerment was sort of kicking it to us to take it over.

>> Sue McAndrew:

Make the privacy recommendations.

>> Kirk Nahra:

I didn't understand at that point the CCHIT connection. Has that evolved?

>> Sue McAndrew:

Again, I don't remember exactly the timing. I think that may have evolved since the kickover, that they have not really given up ownership of this and the privacy components of this, hence the ad hoc little Workgroup to which this got kicked in order to expedite it.

>> Steve Posnack:

If I remember correctly, this recommendation was made in coordination with the more controversial certification recommendation? And the idea was that you could certify, they didn't want to certify on the functionality pieces, but they felt that they could certify on some of these other pieces, like privacy and security.

>>

Well, you didn't want to do one without the other, is my understanding. If you had a bunch of products out there that were getting certified through CCHIT as meeting certain functionality, and therefore being sort of promoted out to the public as being, you know, here are the certified products which you could see a company using as a marketing tool, that we really shouldn't be advancing the functional standards without some sort of policies on the privacy end.

>> Kirk Nahra:

Let me do this. Let me suggest that Sue walk through the crosswalk. And let's hold but not forget Paul's question. Because I think we want at a minimum to talk about if there are areas where there are differences or tensions or things like that, I think we want to talk about that and see whether we have views, given the other discussion that we're talking about differences, again, I don't want to cut off our ability to say we think the HIPAA privacy rule generally works well in this environment, if we ever were to conclude that. I just don't want to be backed into that because we looked at this privacy policy and notice issue first. Again, I don't have sense of whether we're going to get there or not. But that's very much what we're spending our time on over the next few months. But let's see what those issues are and then hold your question about what our conclusion is at the end of today.

>> Paul Uhrig:

I guess I'll speak up because it was my understanding we weren't, to be perfectly blunt, that we weren't going to wordsmith this because there was an enormous amount of time spent on this. Again, people want to wordsmith this.

>> Kirk Nahra:

I don't envision wordsmithing it. I'd like to know, this group has said we need to have these three things on privacy notice and HIPAA says nothing about that. Okay. Well that would be a requirement, that again, whatever status, but something that's different. Do we think that's a good idea? Not is this word the right word.

>> Sue McAndrew:

So with that, the first category is communication between the PHR provider and the user about privacy policies. And it has four attributes. The first of which is privacy contact, making available privacy contact information. They specified three components, the first of which has a HIPAA, a fairly close HIPAA counterpart and that is a specific contact or contact information is easily and promptly accessible to users seeking information about privacy policy. And HIPAA clearly requires, at least in the notice, that you specify how to get in contact with the entities if you've got privacy questions or if you want to make a complaint. So the first bullet is comparable to what HIPAA requires. The second two bullets, however, there really is nothing in HIPAA that speaks to this, and that is timeframes for responding to requests, and that those responses should be made as soon as reasonably possible. The first attribute, the fundamental contact information, is the same as HIPAA. The other two [inaudible] go beyond what HIPAA requires. It is certainly not in conflict. Just not there.

>> Kirk Nahra:

The HIPAA reference is for questions about the policy, not just complaints? It goes to both?

>> Sue McAndrew:

Yes, you have to have a contact. The contact person or office in the notice has to be there so that if you have a question about privacy, you can go there, or if you have a complaint to lodge you can go there.

>> Kirk Nahra:

I remember the complaint piece for the question.

>>

And Sue, what was the reason behind the second two being added as additional requirements?

>> Sue McAndrew:

Um

>> Kirk Nahra:

Were you on the subgroup?

>> Sue McAndrew:

Yes, I'm on all these groups.

[laughter]

>> Kirk Nahra:

So the rationale question could go to anyone on the subgroup.

>> Paul Uhrig:

Was there a response? I think just this is where we had sort of a tension between are we just in a process here of disclosing what is reality or being more direct in saying do something. I think this is one we felt a consensus that there should be a greater obligation to respond in a prompt period of time. There was even a discussion about X days. I think we landed more on a reasonable time period. So this is one of those areas where we had the conclusion there should be an obligation to respond in a reasonable period of time.

>> Kirk Nahra:

Now let me ask this, since it was talked about. Is there a sense, again, to tie it to the differences idea, is there a sense that that need to respond in a reasonable timeframe is something that is particularly unique about a PHR privacy notice as distinct from wouldn’t it be great if doctors and hospitals did the same thing, or is there something specific about PHRs?

>>

Kind of a veiled question.

>> Tom Wilder:

This is Tom Wilder. I don't think we talked about it in other contexts other than PHRs. And again we were just trying to say you ought to give people some understanding of the fact that the questions are going to get answered and here's how long it will take us to get back to you.

>>

In part an artificial difference may be that the job of the PHR is to serve the need of the end user, which is the individual consumer whereas the primary job of these other entities, like the provider, is to serve the needs of all of their consumers.

>>

Which you will actually see reflected in a lot of the judgment calls that get made here.

>>

Part of it is just a relational

>> Kirk Nahra:

That's a potential difference. I mean, I'm going to assume that most of us would probably say, as a general matter, wouldn't it be nice if people actually responded to questions that were asked to them? But that there are some reasons that even if we're not going to say the HIPAA rule is a bad rule, we might recommend something different here.

>>

Right. And again, I think it goes to the heart of what the purpose for which we came together to do this, which was again to set the certification standards, and I guess the collective vision, if not, that might be implied, although not expressly stated, is that certification should connote, again, a Good Housekeeping seal of approval. These are the standards to which we should all be trying to achieve even if the rule doesn't require you necessarily to get there.

>> Kirk Nahra:

Let me ask you a question. I don't have a good handle on exactly what CCHIT does. I had understood that they were sort of a technical standards group. Is that not right? For example, this provision is going to be a paragraph in a privacy notice and presumably has a parallel in the company's internal policies. But it's not going to be part of the record itself, it will not be an automatic trigger that technologically there has to be an answer kicked back, I assume. Is that not what CCHIT really does?

>> Sue McAndrew:

I think in general, yes. I mean most of their business is to go out and look at existing standards and define those in a certain way. I think their challenge as we move more into the privacy area is where to find comparable standards, how to accomplish certification, perhaps in the absence of that kind of technical standard. So are there certification criteria that would be more policy-oriented but more content-oriented than simply having this language should be used?

>> Kirk Nahra:

I just remember a discussion at one of the AHIC meetings that I was at was that there was an objection to something that wasn’t because it was sort of operational.

>>

Right. Well, right now it's focused on functional standards, but CCHIT's role is evolving. And every party that's engaged in this effort, HITSP and CCHIT, are getting pushed to think about it in the context of this policy, or the absence right now, of a real policy framework. But it remains a question to me whether CCHIT is the right body to even send this to as a certification. It may be that it's a consumer coalition organization that ends up being the one that vets these kind of principles. It may be that it's CCHIT, but I think it was a reasonable exercise to pursue regardless of who sort of picks up on it.

>> Sue McAndrew:

The Consumer Empowerment recommendations specify

>> Kirk Nahra:

Is that a question?

[laughter]

>>

There was a dissenting view that CCHIT should not be in the business of certifying personal health records at all.

>> Steve Posnack:

I don't think it was specifically CCHIT. I think it was certification in general.

>>

Right, yes. They should not be subject to certification, in part because it is such a novel and emerging field.

>> Kirk Nahra:

That was AHIC? That was a dissenting opinion?

>>

That was dissenting opinion from the Consumer Empowerment Workgroup.

>> Jill Callahan Dennis:

This is Jill. You won't find me disagreeing with those policy statements because I think they're good, but my understanding of what CCHIT does is define particular software. So I wonder how the administrative standards will fit under some of those contexts, but certainly I don't disagree with the sentiment that's being expressed here. I'm just not sure how it fits in the CCHIT construct.

>>

Would it be helpful to go through the exercise just removing the CCHIT allusion? Because I don't think anybody knows what's going to happen in that regard.

>> Kirk Nahra:

I think it's more I mean, there's nothing in this document that says CCHIT.

>>

No.

>> Kirk Nahra:

I think we should just continue to walk through it. I mean I was looking at, for example, we've had this first point where we've got this timeframes issue. There's not a parallel in HIPAA. It's certainly not something that would be a technical component of a record. It would be purely a company policy. But that's context for me. I don't know that it means we do or don't make a recommendation on that. I want to still get convinced that there's a reason I'm not saying it's a bad idea. I want to be convinced that there's a reason to make a recommendation that will push somebody to do something that, if they're covered by HIPAA, they don't have to do. Again, I'm just still waiting to be convinced. I'm not convinced that we shouldn't do it, but that's the part where and again, that's my view right now on all of these differences issue is I need a good strong reason to say we're going to make a recommendation to require something that is not currently required by the level playing field that we set in our last set of recommendations. We did have a good basis, I thought, and I think the whole Workgroup agreed, to say there are a whole bunch of people that aren't covered by HIPAA that we think should come up to that standard. We had enough information to do that. Everyone was on board with that. I'm not sure we're there yet on these differences issues in particular, and we're further along, obviously, on these privacy policy questions than we are on individual rights and the other things we talked about earlier, but that doesn't mean we jump over that line yet.

>> Sue McAndrew:

Moving on?

>> Kirk Nahra:

Yes, please.

>> Sue McAndrew:

Version management. Again, the first bullet is simply that the policies visibly display the effective date and that is comparable to a HIPAA requirement both in terms of whether you're talking about a notice or a privacy policy.

The second bullet is that historical policies and effective dates of amendments shall be available to the consumer upon request. This is not something that HIPAA currently requires. You do have to maintain these historical copies. They may be relevant in an investigation, but making them available to the consumer is not currently required. The consumer gets what is currently in effect at the time of the request.

Notification of a policy change, I think both of these are not go over what HIPAA currently requires. The first one is that the policy requires users to be notified of when a policy is changed or amended with a clear indication of what the differences are between the new policy and the previously effective policy. And, two, that that shall be done within a reasonable timeframe, such as 30 days prior to when that change becomes effective. The closest thing I could find in HIPAA went to a change in your notice requirement. There a provider needs to have that new notice available for individuals to request it and receive it as of its effective date, but they don't get any prior notice of that. And they don't you had no way of requiring all providers to send out to their customers a change notice. Did require a health plan to have a more steady and known customer base to send out changes in their notice to their beneficiaries, but that is not in advance of the change being made, that's within a reasonable time after the change has been incorporated.

>> Kirk Nahra:

Let me ask a couple of questions here. Is and Deven, this may go to your difference between the notice and the policy.

>> Deven McGraw:

Right.

>> Kirk Nahra:

Is this actually talking about a company's internal privacy policies, or is it really talking about something that would be in the notice?

>>

Something that would be in the notice.

>> Kirk Nahra:

So this should say notice rather than policy because other times we're talking about policies being what the company operates.

>>

I don't know. I don't want to say that. Can we hold that until you get through the end of it?

>> Kirk Nahra:

I'm thinking of all kinds of policy changes.

>>

We're talking about policies that have to do with the information that flows in and out of the PHR, as opposed to privacy policies that don't have to do with the relationship between PHR vendor and the consumer.

>> Kirk Nahra:

I think at a minimum we have to specify that. I can think of all kinds of policies and procedures that get changed all the time that don't have any that the customer doesn't, didn't see the old policy, wouldn't see the new policy, it's not anything that's visible to them. So there wouldn't be any point in telling them.

>>

Right. But I think we could take care of that with a caveat right up front. That this is dealing with caveats that govern the relationships between

>> Kirk Nahra:

That’s fine. I want to understand the terms. One of the other things that's in the current rule is the idea of material. Do we want material? I mean, for example, let's say that the ZIP Code of, some little thing that's in the notice, is it everything that has to any change? Or is it -- the current rule has a materiality element? Do we want to add in a materiality element?

>>

Here's the thing. Others from the Workgroup

>> Kirk Nahra:

I don’t mean to put you on --

>>

I'm just trying to remember if we had a discussion about that because I can pretty much map out what would have happened if someone wanted to impose because the HIPAA comparison, we didn't do this because it wasn't our task to create something that either was HIPAA or HIPAA plus. It was sort of almost a fresh look at it and what would be, I keep going back to this sort of ideal standard, for better or for worse. I can tell you that if the term material had come up, we would have batted it around and tried to figure, one, it would have to be defined, what constitutes material and what’s not material, and going back to what the function of a PHR is generally, which is to serve largely the needs of the patient. And the sense that we probably wouldn’t be able to -- what's material to one person may not be material to another. And that basically we wanted people to be notified of the changes that occurred. And that it was their decision about whether to continue the relationship going forward.

>> Sue McAndrew:

Yeah, I think what was in the minds of people is that this again, I think they were thinking of this as a standalone vendor whose sole relationship with the individual is selling them this product. I think a lot of this really was on that model as opposed to I mean, I think they were clearly free to generalize it, but I think at the core, a lot of these go to someone who's doing a PHR system as a commercial product and that this is a business relationship and what the individual needs to know because they're supposed to be in the driver's seat and it's all supposed to be for their benefit, as opposed to a PHR that's kind of a window onto an EHR.

>> Kirk Nahra:

Let me ask another sort of background question. All of these seem to say privacy policy. Does that mean security was not a focus to the discussion?

>>

Security was not a focus.

>> Kirk Nahra:

So whatever I do on my security end doesn't fall into this. I don't have to notify about changes in my security policy, if I’ve got encryption or I don’t have encryption, that's not a component to this?

>>

Not yet.

>> Kirk Nahra:

I guess I do have a sense -- I mean, I understand the uses and the disclosures part. If, for example, the PHR vendor says, you know what? All of a sudden I want to start selling your data to somebody, obviously you want to notify them of that. Although frankly with our earlier recommendation that they would be brought to the same standard, they would be prohibited from doing that. But I want to make sure that we narrow it down. I could see lots of things where I decide that this department is going to handle something instead of that department’s going to handle something. A lot of stuff that the individual wouldn't care about or wouldn't

>>

You’re assuming they wouldn't care about it.

>> Kirk Nahra:

Well, they wouldn’t know about it in the first place, so the change doesn't if I don't know what department is handling something today and we've changed it so that a different department is handling it, what's the point of telling you about the change if you don't know what the status quo was?

>>

Right. But if that's not in the privacy policy to begin with

>> Kirk Nahra:

I think we have to be clear on what we're saying here. If it's having to do with my direct interaction with you, that's fine. Right now I'm just concerned these are very broad, partially because we have the mix between what's in the notice, for example, what department handles something wouldn't be in a notice typically.

>>

They're broad because they are normative principles. They are not regs or specifications. Any principle, almost by definition, is broad.

>> Kirk Nahra:

Yes. But I'm trying to understand what the principle is. If the principle is any time the PHR vendor makes any change in how they do something, they have to notify all their customers, I'm not saying I'd necessarily object to that principle. I just want to understand if that is what this says. I don't think that's what this says. I don't think this is the principle that comes out of this group. I wasn't in the discussion.

>> Paul Uhrig:

I don't think it's the intent that the company decides that employees now need to use different pass codes or passwords that the consumer -- really that's the relationship between PHR and the consumer I think getting to your point, that business relationship, as you can say what the consumer would care about, which is a wrong way of saying it, but that's really what our intent was.

>>

Right. It says the policy, but perhaps I'm leaning more toward the need for a caveat at the top where what we're talking about is the privacy policies that pertain to the relationship between the PHR seller or what was the service provider and the customer, their consumer and the use of the data that's inherent in that relationship that is really the crux of it.

>> Sue McAndrew:

Keeping in mind this whole these are attributes of a category that's about what is the communication? What are the essential components of the communication between that vendor and the user or the consumer?

>>

Right.

>> Sue McAndrew:

It's generally who to contact

>> Kirk Nahra:

That goes back to the idea of the notice. I really wonder whether we're going to be better off describing these as things in a privacy notice rather than privacy policies of the company?

>> Sue McAndrew:

But it's not it may not be that. I mean do we want, do we want PHR vendors to communicate to consumers about changes in their policies? Now, that may be done. You may need a notice to do that. You may have your policies all just posted and whether you conceptualize that posting as a big running notice maybe, or it's a different way of having the individual access policies. Frankly, I joined you in the struggle about are we really talking notice here or are we talking broader? And I keep reverting automatically to a notice context although it's not necessarily

>>

But it’s not really true, although I just went through the entire universe of what we have in here. And to some extent, all of these pieces of the policy we would expect to be communicated in a notice. In some respects, it is about the notice. But that's just a communication vehicle for communication to the consumer or to the patient about what your decisions are, about the way you're going to conduct your relationship with the person that buys your product or accepts your product or however that is defined. So that's why I'm struggling it with just calling it this is what the notice has to say. Because essentially the notice is, this is an amalgamation of decisions. Steve?

[laughter]

>> Steve Posnack:

Paul is backing up. This might help -- I was trying to get Kirk's attention, too -- this may help, this may hurt the conversation. What you're talking about, Deven, is it more of the user agreement between the PHR service provider and the consumer? I know Kirk's making this distinction that if the PHR service provider has other policies that are out there that governs the business relationships and other things like that, that's not really what's part of this. But when you sign up for this service, you should be presented obviously this gets kind of the notice, but there's other situations where in different types of software or anything else that you buy, they don't give you a privacy notice. You sign your EULA or whatever, your End User License Agreement, and that tells you what's in there. Nobody reads it. I don't read it for the most part half the time. It comes down to you just accept it.

>>

I mean, I don't know that there's a real meaningful distinction other than I'm resistant to just calling it a piece of paper.

>> Kirk Nahra:

For example, here's my concern. We've got this discussion talks about notification of changes. I want to make sure we're only requiring notification of changes where they had to tell you something about it in the first place. But it doesn't say that. I don't know if that's worth stating. But conceptually, that's why I look to a notice. The current rule says if you make a change of something that's in the notice, you’ve got to tell people about it. But if you make changes to something that's not part of the notice in the first place, that's not something that would be a notice issue.

>>

Unless it's such a huge change that there would be a reason that a consumer might need to know about it.

>> Kirk Nahra:

Need to know about it is a hard one. I want to know as a consumer, I suppose, if you're changing your encryption model. Do I want to know about that? You don't have any right to that today. Zero right to that today.

>>

But there's a difference between a right and a best practice.

>> Kirk Nahra:

There's no best practice on that today, either. No one would ever think to tell their customers about this.

>>

There’s no best practice for PHRs.

>> Kirk Nahra:

But in any context you would never think to tell you we've gone from this bit encryption to that bit encryption. It just wouldn't happen.

>>

You can actually select when you're in an Outlook environment to what extent you want to protect yourself. There are mechanisms that consumers use to define just these things. And some people who are more risk averse take advantage of them and others

>> Kirk Nahra:

I agree with that. That's why I'm saying we can't look at it as well, if we start to look at it as what a consumer would want to know, we're taking a totally different approach to these. Which is okay. I'm just trying to flag that that's a sea change in what we've been talking about. I don't know the HIPAA privacy notice, I suppose, is some combination of things that someone thought people would want to know about, but it's clearly not everything that they would want to know about it. And there's a bunch of things in that privacy notice where I guarantee you no one wants to know about it.

>>

But the HIPAA relationship is other institutions providing health services, we're talking about a very consumer-oriented business model. And so it's different. And the environment is different. I think it would be helpful to almost I think the crosswalk is really helpful, but if you think about it in terms of a notice form or a policy, it's not static. There is no definition of what a PHR is. I mean I think these are just normative principles of what people engaging in this space want to know. And maybe it requires modification, but is it that you change your notice and post your notice depending upon what's changed? Maybe an e-mail blast goes out. Who knows?

>> Kirk Nahra:

We haven't talked about communication channels. That isn't part of what we were talking about here.

>>

But when it gets to this point of whether it's a notice and what a notice is, is it a piece of paper as Deven was saying or is it different because of the environment? That's the only reason.

>> Kirk Nahra:

I was not maybe I'm being imprecise in my wording. What I mean when I say a notice, is something that is communicated to the individual. We could talk about what the vehicle for that is, whether it's paper, electronic, any of those. I think of privacy policies as internal documents that a company uses to control their operations. Privacy policies, which I see all the time, at least in my experience, are very detailed operational documents, a component of which end up getting moved over to the notice that's communicated to the individuals, but it’s a pretty limited component of that. The HIPAA privacy rules spells out 15 things that need to be in a privacy notice. Again, we can talk about different ways of communicating. I'm just not sure it makes any sense to I mean we could come up with best practices for what should be in, what's communicated to a customer when they buy a PHR, for example, or when they're exploring which PHRs to buy. We could say we think you should tell the customer these 10 things. You should tell them the contact person. You should tell them what you will do with the information. I'm not sure whatever else is on that list. And if you change something about one of those things, you've got to notify. Talk about how you do that. But you've got to tell them that you made the change. I have no problem with any of those things. I want to know if we’re going to put on that list things that today a doctor doesn't have to tell their patient. I want to know if there's things on that list that are different. I'm concerned the way this is written right now at both I'm not even sure what we're saying not just wordsmithing, but conceptually what are we talking about? I think if we start to say what might the consumer want to know? That’s perhaps a whole bunch of different things that today is not communicated to individual customers.

>>

I don't think we went there. For better or worse we didn't go there. And folks on the Workgroup speak up if I'm misstating what we did here. But I think what we did is essentially a combination of two things. One, not just about what should be in the notice, but certain aspects of a privacy policy that we wanted to make sure that the company made decisions about and then communicated through some notice or posting to the consumer slash patient. It's a subset essentially of a universe of other things that a company might on its own choose to put in the privacy policy. But I think when we talk about notifications of privacy change, we're talking about the universe of items that we have enumerated in this document as the items that we want to see in a company's policy. There might be more things that a company might put in its privacy policy, but I don't think we were saying here that if there's a change in those items that we haven't enumerated as being among the subset of items that should be part of the policy and therefore communicated to the consumer. So we could put a caveat, I think, in the front about what we're talking about, in terms of this would likely be a subset of items that a company might put in its 15-page privacy policy. But these are the items that we decided as subgroup members that we wanted to see in there. If the company wanted to put more in, yes. And if they made a change to those other items, I didn't think that we were suggesting here that a consumer would have to be notified.

>>

Well, part of the confusion here, as Sue pointed out, they were probably in this exercise thinking of the discrete PHR vendor, which is very different as an institution than a provider, hospital, or group practice that has a whole other slew, like you say, a 500-page privacy policy document. But we did recognize that there would be multiple types of PHR vendors, because there's that caveat about -- you'll see when we get to it, if we get to it.

[laughter]

The piece about what type of consumer -- what type of information the consumer has control over. And we did envision that there would be situations where there's information that sort of is in the PHR versus information that also exists in a provider's EHR or EMR or whatever is the particular terminology that's being used. And we weren't attempting to say anything about what would be the rights to control that data because that clearly is covered by a different set of

>>

You really just sort of took it out of the context for what the notice requirements for HIPAA would be and put it in the context of this is what we would like to see in the best world that we can --

>>

That's it in a nutshell.

>> Kirk Nahra:

Sue, why don't you continue with this crosswalk?

>> Sue McAndrew:

The last attribute on the communications category is what the options are for the user after being notified in advance of a change in privacy policy. And this gives him an opportunity to either affirmatively accept the change or be allowed to terminate the contract with the PHR service vendor without penalty. Again, these really don't have any -- these requirements have no HIPAA counterpart. Only because there's no advance notice of a change in policy but a contemporaneous notification. And other than that, of course, if you don't like what you see, you can always vote with your feet. Clearly limitations to the ability to exercise that option, being that because this may be in more commercially-based relationships, that you should be able to have those options.

>>

Is it assumed in here that if they decided they didn't agree with the policy changes and they wanted to vote with their feet, that they get to take their records with them? And any copies or any backups would have to be destroyed?

>>

That’s dealt with later.

>>

There are all sorts of technology implications to that.

>>

Later in the document.

>>

Can I ask another question to the subgroup? It's about the affirmatively accept language. I'm wondering about sort of how that's operationalized. So unless a provider, or unless a patient, rather, sort of signs onto this change, would then the PHR be obliged to sort of dump them if they don't affirmatively hear from them? It's sort of that old opt in, opt out kind of thing. So how do you see that working?

>> Kirk Nahra:

Is the choice that you give them you either agree or you leave?

>>

Yes.

>> Kirk Nahra:

So, to your point, it would be you either leave or you've accepted it, essentially.

>>

That's what I'm asking. Because I can see how, you know, so many people don't read their mail. And they're going to end up having their PHR sort of pulled out the rug from under them because they haven't responded to this.

>> Kirk Nahra:

Here's the question, and I don't know what the recommendation is on this. If I don't read my mail or don't like the change, can I say no, don't implement it, but I want to stay your customer?

>>

That's not what I'm asking.

>> Kirk Nahra:

I'm asking that. What is the event of -- I either don't notice that this has been sent to me, or I don't like the proposed change? What are my choices?

>>

Go ahead, Paul.

>> Paul Uhrig:

On the don't like the change, we had a very long discussion about this. It is that you can take your information and go and should not be subject to any termination penalties or fees or anything like that. So that is to answer your question.

>> Kirk Nahra:

That's if I read it and have a viewpoint on it.

>>

Correct.

>> Kirk Nahra:

I can either choose to accept it or if I choose not to accept it, again I can't say keep me on but don't make that change?

>>

You can't be, yes. Exclusion -- everybody would be under the same policy because otherwise it would be a horror to administer. I have to confess I don't remember the affirmatively accept language, which I think is the other --

>> Kirk Nahra:

For people who don't read the notice.

>> Steve Posnack:

Well, if I can elaborate on that one, I think the idea was that if you have a PHR, you're going to be using it, and it would -- this gets to Jill's question about how it's operationalized. A slew of different methods to operationalize that. And the idea, I think, and the intent of the subgroup was that if you're going to be using the PHR and it's your tool, it's your portal, you're going to be interacting with it. And in order to continue to interact with it, you're presented with a login screen, just like when your password expires at work: you need to change your password now or else you can't get in.

>> Kirk Nahra:

There won't be anyone who will ignore their mail. I suppose there are people who just stopped using it.

>> Steve Posnack:

It's not even in your mail. You won't be able to use your PHR unless you affirmatively select I agree or disagree with this policy.

>>

This is one of those instances where the technology actually affords us an opportunity to create something like this because of this sort of log-in.

>> Kirk Nahra:

What about the person who stops using it? They just continue?

>>

They've essentially by default

>> Jill Callahan Dennis:

I think that works up to a point, but I think it conflicts with your 30-day timeframe, the other principle. Because the provider's going to have to make this change. They've got to give you 30 days' notice. But if you haven't logged on in that 30-day timeframe, you've had no opportunity to affirmatively accept the change. So are they going to have to dump your PHR? Or hold up the entire progress of the company in changing the policy because you haven't signed on within 30 days? Do you see what I'm saying?

>> Steve Posnack:

Sorry, Jill. I don't think it’s -- the policy shall include a reasonable timeframe within which the consumer must be notified of changes or amendments before the change becomes effective.

>>

It becomes effective whether you've accepted it or not.

>> Kirk Nahra:

That's why the affirmatively accept comes in.

>> Jill Callahan Dennis:

I'm seeing a conflict.

>> Kirk Nahra:

Essentially what -- I think the way to integrate those is to say you have 30 days to decide to stop doing business with these people otherwise the change is going to go into effect. So it's not affirmatively accept.

>>

Affirmatively accept within a 30-day

>> Steve Posnack:

I don't think it's even that. Your PHR basically goes into some hiatus until you log onto it again. That's what's happening. You've been notified. You've been given 30 days. You've missed your 30-day window. You're still going, now you will log into your PHR on day 31. You have a chance to accept the policy still, or you don't

>>

Or you terminate it.

>> Steve Posnack:

Or you terminate it.

>> Kirk Nahra:

What does the PHR vendor do if the policy changes that we are now going to de-identify your information for research purposes? Do they do that or don't do that for the people who haven't signed on?

>> Steve Posnack:

They just keep them in a separate bucket of inactive, they deactivate their accounts, basically, until they affirmatively accept the policy.

>> Kirk Nahra:

Okay. If that’s what we’re saying we have to be real clear about that. We say that you now, as a PHR vendor, need to have the capability to have a bucket of people that haven’t signed on for a certain period of time.

>>

Yeah, but they’re not governed by a different policy.

>> Kirk Nahra:

I'm not at all sure people will be -- I mean, I don't know the technology, but that's a pretty specific mandate for somebody to have.

>>

Should be pretty easy.

>>

You're absolutely right. It's pretty specific.

>>

We’re prescribing how their technology is going to work.

>>

Yep.

>>

Sort of. Sort of not. It just has to recognize a date function. So you're not actually specifying how it has to work. You're saying, you’re specifying that, you know --

>> Kirk Nahra:

You're specifying that you can't do any of these things with that data.

>>

That's a business practice, not a function. There's a big distinction between those two issues.

>>

My recollection was, we did, we batted this around a lot. And there was a sense from particularly the more technologically savvy in the Workgroup, which I would not count myself as one of them, that this was real easy to do from an operational standpoint. Click. You're in or --

>>

You're in limbo.

>>

-- maybe limbo or you're out.

>> Kirk Nahra:

Well, I suggest that if that's the view, we need to make that clearer in here. All right. Sue, do you want to continue?

>> Steve Posnack:

We're going to make it through today whether we like it or not.

>> Sue McAndrew:

The next category is the accessibility and readability of the policy. And this has its own little attribute, a solitary attribute. Currently there is a HIPAA requirement with regard to the notice, that if you have a Website that you use for content communications, that your notice is posted there. So I assume the first bullet to be largely currently consistent with HIPAA. And that the policy in HIPAA is that you can provide the consumer with the notice either electronically or in a hard copy form. Again, policy here being notice. And that the notice be written in plain language. The other part of that, the language requirement, is not in HIPAA. And the need for the notice to be, or other important documents to be, in other languages is really driven more by civil rights laws than by HIPAA. We do not address that as part of HIPAA.

>> Kirk Nahra:

I'm sorry. Does HIPAA require the notice to be written in plain language, right?

>>

Yes.

>> Kirk Nahra:

So maybe that goes back to the policy. I assume that the group doesn't care all that much about what a company's internal policies, how they're written. You care about whether the customer can read what it gets, right?

>>

Yes.

>> Kirk Nahra:

So that should be one where it's privacy notice -- what's sent to the consumer -- and then it's consistent with it.

>>

Yes.

>> Kirk Nahra:

Does the -- oh, I see [inaudible]

>> Sue McAndrew:

Okay. Terminated accounts, change in company status, discontinuing service we raised earlier. Treatment of PHI within terminated accounts. The components are how the PHR handles personal health information once the user terminates their contract. Ceasing any further use or disclosure following termination, whether identifiable or not, and addressing how long that information is to be maintained after the account has been terminated. Provided, also, that there is a reasonable amount of time for the user to download data to another service. Most of these do not have a HIPAA equivalent, mostly because HIPAA is speaking to the underlying medical records or information in the billing system, as opposed to what information would be under the control of the individual in a PHR environment. So there, clearly, the uses and disclosures can continue under HIPAA and the protection continues for so long as you maintain the record, or so long as you maintain your relationship with the individual. And we don't have record retention requirements. We allow other law and policy to govern how long you keep records. Individual rights to the record is an access issue. And the other thing that is different about this, these sets of policies, that is clearly different and may come close to a conflict with HIPAA, is that they want to govern the information, whether identifiable or not. And clearly HIPAA stops at the point of identifiability.

>> Kirk Nahra:

What was the justification for that?

>>

Again

>> Kirk Nahra:

The aggregate piece, not the individually identifiable.

>>

Oh.

>> Kirk Nahra:

Well, maybe is aggregate there used to mean the same as de-identified?

>>

Keeping in mind this is a viewpoint that this is geared for the patient product and the notion being that we -- there is a justifiable stronger level of control, whether it's an individual piece of data or an aggregated piece of data, again, talking only about the data that's in the PHR, not the data that rests in the EHR, that we didn't have to make that distinction. That there was a desire to create, again, a stronger level of control that you will see quite clearly when we get into use and disclosure.

>> Kirk Nahra:

I am wondering the why. Is there a concern that people -- I mean, HIPAA sets up, it basically says right or wrong, that people have no privacy interest in de-identified data. I mean, we can -- I’m not certain that’s at all right.

>> Sue McAndrew:

In general, it stems from the idea that this information is there for the consumer. And so, if you no longer have that relationship with the consumer, we're not going to make a distinction about it is still okay then for you to go and de-identify that information or to aggregate, to include that former customer's information in some de-identified research data that you give out or sell or use in some other way.

>> Steve Posnack:

Take them out of the denominator.

>>

Sure. Once you pool that information, once they leave your business, you have no more business with their business.

>> Kirk Nahra:

Meaning it is not their business.

>>

It is their business.

>> Kirk Nahra:

Even if you made it not their business. That is the HIPAA rule.

>>

What we are maintaining, in the PHR it is always your business.

>> Kirk Nahra:

We don't say when I go to the doctor and I say, you know what? I am not coming back to you anymore, we don't say you can't put it in, you can’t use it to treat other patients, you can’t --

>>

We don't, but that is the doctor's record.

>> Kirk Nahra:

Let me ask one other question, which is, shall cease any further use or disclosure of the consumer data. Now, we talked a few minutes earlier about the subpoena stuff, things like that. I get nervous, I represent defendants on that side where they say we will never do X and sometimes they have to do X. Do we need to at least carve out required by law?

>>

Well, it depends on whether they’ve already destroyed it.

>> Kirk Nahra:

If they don't have it, they can't be forced to produce it. For example, if nothing else, there is a time-period lag here. I would be nervous saying no use, period, even though law enforcement shows up with a search warrant the next day.

>> Paul Uhrig:

And we discussed this. And we weren't trying to trump the subpoena law and everything else.

>> Kirk Nahra:

I think that is too absolute of a statement. I can understand saying you can't include it in the marketing pitch you do next month.

>>

Except as provided by law, whatever.

>> Kirk Nahra:

Well, required by law would be the minimum I would want to see. The question, is there anything beyond that? And I don't know that there is. Permitted by law would be too broad. Required by law is the narrowest. I wouldn't want anything less narrow than required by law. The question is whether there’s anything else, and I don't know if there is anything else. That may be enough. You don't want the company to choose to say I can make money off this, I can sell it, I can do whatever. I mean are there

>>

I just don't know enough about FTC or other oversights for these kinds of things as to what rights they would have to, going in and investigating it or how they kept the promises, whether the data would be needed for any investigatory --

>> Kirk Nahra:

I think we should consider whether that is required by law. That would be one where I’m not forced to give it to you, but I need to defend myself or I need to -- would there be any affirmative reasons? Let's say I pulled it out, going back to abuse context. Is there anything affirmative in there that we want to say, geez, we really want these people to reach out to a public health authority or someone else.

>> Sue McAndrew:

I think that's more of

>>

You want the PHR company to be able to reach out?

>> Kirk Nahra:

I am just asking

>>

I just wanted to clarify --

>>

For example, let’s say that what I put in my PHR -- well, let's say what I put in my PHR is I have this contagious disease and I am going around, giving it to everyone. And I then pull it out. We have that stuff in the HIPAA rules. The question is, are we so certain that we don't need it in this context? If the answer is yes, that is fine. We made provisions for that in the rest of the health care context. We have given the doctor the ability to say you have come in with this problem, and even though I’m here to treat you, I’m going to be able to report this to other people. Do we want to say that the PHR people can’t, cannot do that?

>>

To some extent I think this is going to be governed by the market as opposed to governed by whatever we say. Because I can't imagine any company would want to be exposed to, you know, the potential ridicule associated with knowledge that they divulged that information, whether or not it was lawful to act in that regard, just what sort of chilling effect that may have on the market share as a PHR vendor. Just speculating. It sounds like a Law and Order episode.

>> Sue McAndrew:

Also, we have uses and disclosures later on. In terms of what happens. Focus on what happens after it is terminated.

>>

Yeah. What happens if they’re deceased?

>>

Not terminated.

>>

I don’t know if you all talked about that.

>> Paul Uhrig:

About what?

>>

Dead people.

>>

Consumers.

>>

They won’t affirmatively accept their privacy policy.

>>

They’re at least in limbo, if not terminated.

>>

Purgatory.

>>

Does it get at if the PHR vendor has both consumer and say corporate clients, if they have a product that crosses over?

>>

Again, this is about the relationship between the PHR and the patient, that we are trying to confine the policy to.

>> Kirk Nahra:

Is your question whether, I know some employers are offering these, are there any employers that are offering these where the employer has any role in this? I don't know that there are, but is it all just a service to the individual? Anything that the employer

>>

Most of them go to great pains to say that

>> Kirk Nahra:

We have nothing to do with it.

>>

You know.

>> Kirk Nahra:

We’ve cut a good deal for you to buy this or we’ve made it available for free.

>>

Right.

>> Paul Uhrig:

Under the assumption that it will help manage the costs.

>>

I’m sorry, you guys are drifting off. Is the assumption that PHRs are offered just for the sole good of the consumer? Is that what the question was? And that employers

>> Kirk Nahra:

That is the question, essentially.

>>

I don't think we can assume that. We can hope that, but I don't think that we can assume that.

>>

I am not sure payers are operating under that assumption either.

>>

Of course they’re not. That’s why they’re tremendously interested in this field.

>>

Payers as insurers would be covered separately. We are not targeting payers as insurers offering that. Employers offering this are a little --

>>

We are not saying it doesn't apply to them. We didn't carve out, we didn’t say standalone PHRs only. And keep in mind, again, we did not do these as recommendations for changes to HIPAA, which would be a set of rules that would apply to everything. We set it up as certification standards. Again, we were looking for ideal, which is why we have crafted these very much in the interest of the individual patient slash consumer.

>> Steve Posnack:

Time to revisit the recommendations real quick, maybe, for context?

>>

What recommendations?

>> Steve Posnack:

The recommendations that spurred this initiative altogether. This is a better time than any?

>>

Sure, go ahead.

>> Steve Posnack:

The first one that came out in January, and there were two, and the certification one had to go back and was presented in March. The one that asked us to work together was recommendation 2.1 from January, in that it said the AHIC CPS Workgroup, in collaboration with the Consumer Empowerment Workgroup, should develop principles and identify best practices for privacy policies for consumers' PHR data that are interoperable, i.e., protections that follow the consumer in his or her data moves -- that follow the consumer as his or her data moves or is shared. These recommendations should apply to all individuals and entities, including covered and uncovered entities under HIPAA.

>> Kirk Nahra:

That is the Consumer Empowerment recommendation?

>> Steve Posnack:

Correct. The certification one that got rephrased with the dissenting presentation afterwards was HHS should support CCHIT and/or other certifying entities in identifying a pathway and timeline for voluntary certification of PHRs after adequate industry experience has been achieved in the market. Such certification should include specifications for PHR privacy and security, interoperability between PHRs and personal health data sources including EHRs, consistent with HITSP identified standards and PHR portability. The certification criteria development process should take into account the best practices for security and privacy policies to be identified by the Consumer Empowerment Workgroup and the CPS Workgroup and other relevant groups. And I think they were silent on the functionality piece, which is what we had discussed before. The intent was to enable or provide CCHIT with criteria that they could use for privacy and security and interoperability. Not functionality. Although it is fuzzy between how much interoperability and functionality differ.

>>

Steve, could you read the very first sentence of the charge regarding the PHR?

>> Steve Posnack:

The certification one or the --

>>

No, the first one you read.

>> Steve Posnack:

The AHIC CPS Workgroup, in collaboration with the Consumer Empowerment Workgroup, should develop principles and identify best practices for privacy policies for consumers’ PHR data that are interoperable.

>>

Ah. That’s what I thought you said. They didn't say PHR, they said PHR data that is interoperable, right?

>> Steve Posnack:

That is what it says here, correct.

>>

Okay. Because to me, that broadens their ask. They are not really asking for privacy policies, per se, around a defined application, which keeps us from asking again, so what exactly is a PHR. But they are functionally defining it as PHR data. Which I think is a slightly different charge.

>>

Yeah. The other thing that I took from that is that it doesn't relate to just standalone PHR models. It is much broader than that.

>>

Sure, it could be patient portal. One could even interpret that to mean historical data that patients provide to the clinic as personal health data.

>> Steve Posnack:

I mean the end part of that recommendation articulates that it should basically apply to everybody. Do you want me to read it again?

>>

I'm fine with it, unless anyone else does.

>> Steve Posnack:

Sorry for taking us off the track.

>> Kirk Nahra:

Why don't we do this? Sue, why don't you work through the rest of this and let’s just go through and identify the differences.

>> Sue McAndrew:

Okay. The next, the second component about terminated accounts goes to what happens, the policy needed to address what happens with information held by the PHR service provider when it, as a business, changes hands or goes out of business. There again, this is not a -- what the HIPAA privacy rule currently covers is the permission within health care operations to share the information as necessary with the sale, acquisition, or merger of the business. But it doesn't require that this policy be provided expressly to the public. And also the information should go to the person acquiring the vendor, and they are silent, other than safeguarding the disposal of the information if you are no longer in business, on what to do basically if you cease operations. So this is, there really is no, it doesn't specifically tell you what you are supposed to do in these circumstances. It simply says whatever you decide to do you need to notify the public about it.

The next category really doesn't have any HIPAA equivalent that I could find, and that is the collection of data on the user, and tracking the uses and activities of a particular -- cookie phenomenon in the computer world. So really, HIPAA has no equivalent to notifying the public about the use and purpose of the data points collected by the provider about the consumer, unless this is being translated into some sort of demographic information that you would take as far as family history that you would put into your applications for health benefits. It didn’t seem to be directed to that kind of demographic information. And this is a unique policy peculiar to the computerized business world model.

The next category is the actual use and disclosure policy with regard to the data that is the content within the PHR, and this says the policy shall state that the information, regardless of source, within the PHR, is under the sole control of the consumer, and that any uses and disclosures, again whether the information being disclosed is identifiable or not, shall be done with authorization and that any uses and disclosures must be disclosed to the individual. Clearly, there is a notice equivalent for the disclosure to the individual about uses and disclosures of information. HIPAA talks a lot about uses. There is nothing in HIPAA that would really prevent you from giving the individual sole control. But that, clearly, is not something that HIPAA requires you to do. So this clearly is a policy that could be done within the scope of HIPAA for a PHR set of data, but is not a policy that would be assumed through HIPAA, permitted uses and disclosures over into the PHR context.

The availability of an audit trail, we touched on briefly before. This would be a privacy component that would require that the user has access to information on when and by whom the data was accessed within the PHR. It is described here as an audit trail, may be more equivalent somewhat to an accounting requirement under HIPAA. Although clearly the HIPAA requirement right now only goes to specific types of disclosures, not uses. And much -- particularly if you are assuming that the disclosures are by the individual, most of those would also not be subject to a HIPAA accounting now. The individual already knows about those disclosures because they authorized them. I would just note, it's not that this couldn't be done under HIPAA, even under the HIPAA accounting rules, provided the information that they had access to pursuant to this audit trail met the data points we require in an accounting for disclosures, we don't prohibit them from accounting for uses, we just don't require them to do so.

>> Kirk Nahra:

It would be very dramatically different.

>> Sue McAndrew:

Yes.

>> Kirk Nahra:

But could you comply with both.

>> Sue McAndrew:

You could comply with both. I think in general in all of this, you can comply with both. It's just how much over and above --

>> Kirk Nahra:

We are looking at -- I am presuming, when we talk about differences generally, we are not ever going to recommend a lower standard or protection. It would be inconsistent.

>> Sue McAndrew:

Right.

>> Kirk Nahra:

We are only talking about whether we will recommend higher standards.

>> Sue McAndrew:

The next category is the definition of key terms. Most of these terms have somewhat of a HIPAA counterpart, but those are regulatory definitions, they are not definitions that we require the consumer be notified of through the privacy policy. I guess the only one that is not really defined is de-identified personal health information. That is a whole series of regulatory standards for getting to de-identified information. So it is way beyond a definition.

Adherence to published guidance and codes, this is saying that they have to tell you about what they are subject to, and if they are subject to HIPAA that they are in compliance with HIPAA, and that recourse is available if their privacy policies have been violated. We do require the entities have their own internal complaint process. And that that be part of the notice so the individual consumer can complain directly to the covered entity. They also have the right to complain to us. I am not sure how this would work out for the uncovered entities subject to this other set of business practices.

>> Kirk Nahra:

Can I ask you a question, and this reflects my lack of knowledge about some of the technology. When we talked at an earlier point about PHRs we talked about the pull and pushing of data, and that we had standalone PHRs which neither pulled nor pushed. We had PHRs that pulled, and by that I understood it to mean could sort of go out to providers and bring stuff in to the PHR. Are there any that do push? Is that a model that exists? Stuff that goes into provider records, it gets sent out from the PHR somewhere else?

>>

I think so.

>>

Sure. There is a question of whether providers will accept the data. But there are a lot of models now for patient-entered data for symptoms, for vital signs, weights, blood pressure readings, blood sugar readings that can be pushed as structured into provider electronic health records.

>> Kirk Nahra:

How does that model fit with the idea, which is laid out in these policies, which is that the consumer controls everything?

>>

Prior authorization for that to happen.

>>

I'm sorry, I didn't hear that comment.

>>

I would think through prior authorization that they agree, you know, for a provider, if they have a relationship with provider X, that is monitoring their diabetes, that that home-entered data is acceptable then to doctor X, either if he decides to go look at it or if it gets, he gets alerts that new information is in there to look at.

>> Kirk Nahra:

Okay, let me push on the definition of push: push means it is available to a provider, or it's sent to a provider.

>>

It could be both.

>> Kirk Nahra:

It could be both. How do we deal with the could be both in some of these things, like if the patient says I don't want to do this anymore, I want to terminate, I want to pull out, I control everything.

>>

That is up to them if they are pushing the data.

>> Kirk Nahra:

Could they pull out? What happens if they terminate?

>>

If it’s then incorporated as part of the medical record of that provider, it is considered to be part of the permanent medical record.

>> Kirk Nahra:

Once it is pushed, it is no longer part --

>>

You cannot extract it once it’s become part of the medical records.

>>

Same as simply telling your doctor something.

>>

I guess I'm struggling a little bit with just making sure that -- some of the things in here are about the patient controls everything.

>>

Right. We had a lot of discussion about that. But the sense was, and we tried to be fairly clear about it, and there was a lot of back and forth. When it is the PHR, the patient has sole control. They don't have control of it once it has been pushed out. Or the fact that, you know, if it is pulled in and exists essentially in two places, the EMR and PHR, it doesn't follow the data. It depends on where it is.

>>

But that's then it becomes then the patient's ability to determine what pieces of the information in their PHR get communicated to which providers. And that is where sort of the patient control comes in.

>>

Right. But after the transmission occurs, they can't withdraw it.

>>

Right.

>>

They still have the ultimate decision, though, to make --

>>

Right.

>>

-- as to whether it gets pushed somewhere elsewhere they would lose control over it. They still have, at face value, the ultimate control over it.

>>

The initial control. But then once it is in the hand of providers, if he or she wants to use that for internal quality monitoring that’s then the decision of the provider, as opposed to the patient. I just want to make sure I’m understanding the concept.

>> Kirk Nahra:

Is it worth saying something? I mean, I think that’s the right answer, I’m just wondering whether -- it wasn't obvious.

>>

It wasn't to me either. But I think it needs to be, because it solves a lot of my issues with the questions that I have about what a provider can or can't do given that they are a covered entity but they may also have a PHR.

>>

Then this becomes part of the upfront conversation if you're talking about a care provider institution offering a PHR it becomes part of the discussion at the front end of how we may or may not use your data. What is our latitude as a provider when you share your information with us?

>> Kirk Nahra:

Okay, let me use that. Are the push models, and I know anytime we talk about what is operating now we maybe too tight on that, but are the push models only things operated by a provider? Could a standalone vendor also push it out?

>>

They could. I am not aware of any that are doing it at the moment. There is no reason they couldn't.

>> Kirk Nahra:

Some of the people, it wouldn't be part of the conversation with the PHR vendor, they would not be the ones doing it.

>>

As the broker they may choose to do that. Part of their disclosure may be that when you make this decision to share with your provider, you should be aware of the following.

>> Kirk Nahra:

Although it will be a limit as to how much they can say about what the provider is going to do.

>> Deven McGraw:

What I would direct folks to, and we did try to address that clarification a bit in the introduction that is on top of the chart, so I would ask people to take a look at that in combination with the language in the policy, and then if you think that it's still not clear, I think notwithstanding that we are highly reluctant to wordsmith the whole thing, I think we do want to be clear on that point. It is an important thing, among others.

>> Steve Posnack:

And Deven is specifically referencing the section that has the italicized control of personal health information.

>>

I just read that and I think that does help clear it up.

>> Deven McGraw:

It's on the top. Right on the top of the chart.

>> Kirk Nahra:

I guess one of the other things that I was thinking about, just listening to this, you know, we have, I think, in our earlier discussions and earlier recommendations, recognizing some of the ambiguities that Peter and others raised about the different models and what they look like, we’ve sort of dealt with PHRs and EHRs as all part of the same big picture. And I do wonder, listening to the discussion today and about the consumer control and some of these much more stringent standards, whether that is a mistake, whether we do want to pull out PHRs. I mean we could say PHRs essentially are their own category and we’re not going to try to map them to HIPAA or do all this other stuff or decide whether there should be more stringent control than HIPAA. What we’re going to really worry about on the differences panel is the more integrated environment that is essentially the provider side.

>>

I don't know if I would well, I am not saying --

>> Kirk Nahra:

We are going to end up with a different set of rules if we --

>>

They are not rules. We weren’t trying to create rules.

>> Kirk Nahra:

You have a principle that says that you can't, a principle that says the PHR vendor can do nothing with the data whatsoever other than what the consumer tells it, it may be perfectly appropriate for the model, it’s just a completely different environment than what the rest of the, the other parties in the exchange process are going to have. And I wonder about whether you break that out and say it’s different rather than try to navigate a consistent standard.

>>

To break it out, and I haven’t thought this entirely out, but my initial reaction to that is to break it out is to further silo our discussions about this in the context of the health care system, which is exactly what virtual integration through health information exchange is intended to negate. So I am really reluctant to go down this path of extrication, because the ideal is to fully integrate at some point so that we don't have these artificial, you know, boundaries. I mean I understand for expediency’s sake, for simplification, but I feel like if we go down that road we may not really be adding much value, because there is still going to be such a sticking point as this new sort of paradigm emerges.

>> Kirk Nahra:

And I’m not at all suggesting -- I am raising that because of listening to the discussions today, a lot of things that I have not thought about before. But I guess I struggle how we are going to come up with again, I understand they are not rules. But presumably whatever the rules are going to be are not going to be completely different than these. It would be odd to say here are the rules, but the best practices are completely different.

>>

What is the floor versus what is something that we want to set for certification?

>> Kirk Nahra:

That is a fair distinction. I guess I do struggle with how we're going to come up with an integrated set of principles where part of the paradigm, even aspirational, is so different from the rest of the paradigm. And it’s just a question in my mind as to whether we separate it out. Again, if what we are saying is this is a part that the patient controls fully and absolutely, and the rest of the system, the patient has got to accept, you know, they don't have complete control, I am not sure that integrates or whatever. I am not sure that is an impediment to a fully integrated --

>>

Kirk, how is that different if you had a PHR where the person opted to have their information pushed to an EHR, then they are choosing to let go of control. [inaudible] There is that integration there you can't pull apart I think.

>>

We are kind of putting forth in my mind almost a ridiculous message, which is in this new interoperable world of information sharing which will hopefully protect privacy but also make care far better than it is now, you can have absolute privacy rights in the PHR as long as you keep it totally siloed. I would not tell a patient by the way this is yours, it’s absolutely private, you have 100 percent control over it, and you have to keep it locked in a secure vault that even you can't access. In a sense a PHR is very, very limited, one could argue zero value if you keep it siloed. I mean, the reason we are talking about all of these changes and, I shouldn't use the world rules, but guidelines, is because we are trying to open it up to improve care and communication. I think giving a message of absolute control, absolutely yours, you can do whatever you want, however keep it siloed is the wrong message.

>>

And I don't think, I don't see anyone recommending siloing it in that fashion that you --

>>

No, no, of course not. But if we make kind of part of the opening prologue this is yours to exercise complete control over it and all of the data that flows to and from it is a bit disingenuous in a shared information model which is really what we are encouraging.

>> Kirk Nahra:

We are not going to resolve this today. I think it is something we need to just, we need to keep all of these balls in the air and keep in mind all of the different balls that we have in the air. And I think that there are some tensions there and that doesn't mean we can't work them out. It doesn't mean that we are not going down the right path. It may, also, just be a question of, maybe it is an education question or a notice question which is look, if you control this when it is in your hands and your information, you control it, but once you say it is out, it is subject to all of these other principles. I mean, maybe that’s the part of the message, and part of the message is it is of limited value in a silo and you may want to consider these other benefits are going to come with some other things that go along with it.

>>

And I think that is a great idea, Kirk.

>>

The electronic data world is a tightrope walk of risk versus benefit regardless.

>>

Yep.

>>

And I think that balance of risk-benefit is the whole discussion around this. And the consumer has to begin to learn as they are creating their personal health record, I can create this thing in a vacuum, it’s not going to be good for anybody but me, I’m really going to start getting benefit from it if I accept some of the risk to share it further, and yet that does relinquish some of my privacy rights but it also nets me benefit on better health care that I wouldn’t get otherwise. I think that is going to have to evolve.

>>

So I wouldn’t totally discount the notion that if they just use their PHR to aggregate their information they can derive tremendous value from it even if it never goes back out to their providers.

>>

Right. It would be a different level of utility.

>>

Well, it’s a different type of utility, and there could be tremendous utility in that, particularly for chronic disease management.

>>

I wasn’t suggesting that the benefit was null, it would be lessened.

>>

Can I I'm sorry, Alison. Can I ask, since I did a tremendous amount of talking, I am not the only Workgroup member, nor is Paul, that it would be helpful for the folks in this Workgroup to get a sense of who participated from our Workgroup as well as the other so people get a sense of the diversity of perspectives that came into the creation of the document. Just so they don't think it is all me, it wasn't.

>> Kirk Nahra:

Who from our Workgroup is on it? Paul. Tom? Tom Wilder.

>> Steve Posnack:

John Houston, Sue, Lorraine’s here today and she’s a dual figure as well in terms of Consumer Empowerment and CPS. I think we have most of the people here today versus, you know.

>>

Right. And it was voluntary. I remember when the email went out

>> Steve Posnack:

Right.

>>

-- that you asked for volunteers from the Workgroup. For better or for worse.

>> Kirk Nahra:

We are at 4:35. We will set up the public comment in about five minutes, just so the operator can get that ready. We have on our agenda planning for next meeting, which I don't think we are going to do too much of today. I mean the idea for the next meeting is we have half a day, I think, set aside, rather than a full day.

>> Steve Posnack:

We can change it if need be. Right now it is from 1:00 to 5:00.

>> Kirk Nahra:

And it’s envisioned being a testimony hearing, right? We don't know that.

>> Steve Posnack:

We can make it whatever we want.

>> Kirk Nahra:

I think what we’ll have to decide in the next couple of weeks is whether we make that September meeting a continuation of today's discussion or start to have some testimony on at least the individual rights pieces and the uses and disclosures.

>> Steve Posnack:

I guess sorry, Paul. I guess question-wise, we can keep it 1:00 to 5:00, process-, organization-wise. And if we go with just one topic, would it be more beneficial? How -- we have experienced testimony a few times now and I am trying to refine the process so that it best serves everyone's time. And I think that if we were to find two or three good people, I think we are getting at the point, Kirk articulated the challenge already, sometimes it’s finding needles in multiple haystacks, to try to find the right person to talk about the issue free and openly and has a good span of knowledge in a variety of areas. If we get two or three people that can come in and sit with the Workgroup as kind of subject matter experts for the four hours we have it scheduled for, would that be the best methodology to structure the meeting? Or do you want something else?

>> Kirk Nahra:

My sense is that we need to get people's thoughts from the short follow-up questionnaire that we are going to get on what they’d like to hear and how they’d like to, you know, what information would be useful before we can answer the question. I mean, I don’t have a good, I mean, individual rights, I just don't have a good sense of I sort of know what the issues are, but I don't have a good sense of what facts or information would add to that. I haven’t thought about that enough, and I just don't have a good sense of that. And obviously our quick discussion on that today didn’t -- people have to give some thought to that. If we come up with three or four good ideas at least of people like that, great. If not, I think we probably won’t bring people in. I don't want to bring people in just to have people in.

>> Paul Uhrig:

I agree with all that, but I think getting somewhat to what Steve was saying, but as a matter of process, I think this was attempted the last time. The very defined questions that we have, and somehow to make sure that whoever is presenting is answering those questions.

>> Kirk Nahra:

We thought we had that last time.

>>

Maybe can we ask them just to submit written testimony in which case we can just chuck it if it doesn't answer the question?

>> Kirk Nahra:

Put it this way, that’s part of -- I think that’s a real good point.

>>

Disregard it, not chuck it. This is a matter of public record, of course.

>> Kirk Nahra:

It goes to the idea of research, and frankly you can get 50 people to do written testimony, or you have the possibility of a lot more people.

>>

Page limits.

>> Kirk Nahra:

But I think that is a real question. It's not it is not at all clear to me that I'm not sure what those, even if we had one question we wanted people to answer, it is not clear to me today what that one question would be and that is what I think people are going to need to focus on. And Steve and I, we will meet next week and figure out whether we have those questions or not. But I just don't know that answer yet. Maybe our next meeting is trying to refine where we are on that. I think that it would be great to have a long list of questions that we can look, spread out, put some out for writing, we can put some out for testimony. I think that is one of the things we’ve tried to get a little bit ahead of the curve and we did it for awhile and now we are not ahead of the curve, now we’re back at the curve or something. I think that is a real challenge to make our that last hearing wasn't efficient. It wasn't that productive. It wasn't worthless, but it wasn't a good value for the time that people put into participating. Both the presenters and us, we need to try and do a better job.

>>

Our next homework exercise gets us better at what we really want to ask them and we put it out, maybe we could put it out for written testimony and then take the written testimony of the people who are really getting at some of the things that we think we need to explore, and we could target those people and maybe have them come in for a face-to-face where we can ask them questions and dialogue with them and that may pin it down.

>> Kirk Nahra:

That is a great idea. It goes to timing issues. For example, we couldn't do that and have an early September hearing, which is fine. That would be a, you know

>> Steve Posnack:

A multi-month

>> Kirk Nahra:

That means we have to get the notices out, we have to get the responses in, we have to get through them, and then we’ve got a lot. And that may absolutely be the way to go. That was a little bit of what we tried to do last time, we had a written deadline in advance, it wasn't enough in advance.

>> Steve Posnack:

We did pull a couple people in from responses we got, so we did try to do that.

>> Kirk Nahra:

Which may not be a process --

[laughter]

We thought it was a process --

>> Steve Posnack:

Kirk, John, and I sat down in March and said we needed a three-month process. And I think we, you know, got 80, 85 percent of the way there. But timing-wise it is difficult.

>>

But the dialogue versus presentation I think is a huge point. Because when somebody is giving a presentation, five minutes into it you can't just cut them off and be like stop. That is no longer relevant. But if it is a conversation, you can say that is not really what I meant and redirect.

>>

And you can guide it to what you really need to get out of them. And if you have a sense that they have those goods coming in the door and they can give you that, then --

>> Kirk Nahra:

And our challenge is to figure out what it is that we want them to tell us.

>>

Right.

>> Kirk Nahra:

That is what we need to do and that is our challenge right now on these two big issues. I'm not trying to minimize that, but they are big issues. Let me ask you this. I want to get something out in the next day or two that people have essentially a week to look at. Is it too much to do? I mean, those are two topics, the individual rights and uses and disclosures. They are both big topics. Is it better to send out two and see what we get back? Is it better to pick one? Is that too much work for people? What do we think?

>>

Well, first of all, when you are talking uses and disclosures, are you really talking TP and O, [inaudible]

>>

And minimum necessary. Right?

>> Kirk Nahra:

I wasn't thinking about minimum necessary per se. It’s not about 512, 512, I think, it’s TPO and [inaudible] authorization, sort of that.

>>

I thought that is what you meant.

>>

Even though it is more work at once I’m going to suggest that you do it at the same time because there is so much crossover between the two I think it is hard to --

>> Kirk Nahra:

That is my inclination. But we need to get I would rather get good information on one of them than not good on both. But I think we should try to get if people, put it this way, if people only have views or thoughts on one of them, that is fine. Let's just get what we can. Trying to drill down, what are the questions, if you had the perfect witness who would actually answer our questions, what are the questions that we want? What are the questions that we want answered? Or conversely, what would help you come to a decision point on whether you want to recommend something different? HIPAA is fine and if so, what that would be. That is what we are looking to do is gather information that will help us. Why don't we at this point turn quickly for the public comment period?

>> Judy Sparrow:

Jennifer, you’ve already got that up there?

>> Jennifer Macellaro:

Sure, I just put the slide up a minute ago. There’s a phone number for people who are listening over the Web. And if you are already dialed in you just need to press star 1 to alert the operator that you would like to make a comment. And there is an e-mail address there if anyone would like to write in comments after the meeting. I will check back with you in a minute.

>> Kirk Nahra:

All right, so people in the Workgroup should look for that, you know, I guess realistically probably Monday.

>> Steve Posnack:

Maybe tomorrow.

>> Kirk Nahra:

Either tomorrow or Monday, and we will shoot for

>> Steve Posnack:

Saturday?

>> Kirk Nahra:

It needs to be a short thing. It may not be that hard to do. But Friday or Monday and then we will give you until next Friday or the following Monday to get responses back. And then we will figure out from there. All right, operator, do we have any?

>> Jennifer Macellaro:

There is no one calling in today, no.

>>

Everybody left.

>> Kirk Nahra:

All right, so look out for that. You know, be thinking about some of the other topics that are going to be on our list. Please feel free to just brainstorm if you have thoughts on people who you think will be helpful to this whole discussion. The more the merrier at this point and we can bring stuff in even if what we are doing is we are holding them for a couple of months. Any other questions or comments from anyone on any of the topics that we talked about today? Someone on the phone for that? All right, thank you very much, everybody for today. I think it was a real good discussion of, again, what is clearly going to be the hardest set of topics that we are going to deal with. So thank you very much and we will talk to you all soon.