American Health Information Community

Confidentiality, Privacy & Security Workgroup #13

September 6, 2007

Disclaimer

The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

>> Judy Sparrow:

Welcome everybody to the 13th meeting of the Confidentiality, Privacy, and Security Workgroup. This is a Federal Advisory Committee meeting, and that means it is open to the public and the public will have an opportunity at the conclusion of the meeting for comment. Let me remind Workgroup members to please speak clearly and distinctly and to tell us your name before you speak, and also when you're not on the telephone, for those of you on the phone, to please mute your phones. Let's go around the room here and introduce ourselves and then Jennifer, if you could tell us who is on the telephone.

>> Steve Posnack:

Steve Posnack, ONC.

>> Sylvia Au:

Sylvia Au, Hawaii Department of Health.

>> Jill Callahan Dennis:

Jill Dennis, AHIMA.

>> Kirk Nahra:

Kirk Nahra, Wiley Rein.

>> Deven McGraw:

Deven McGraw, National Partnership for Women and Families.

>> Paul Uhrig:

Paul Uhrig, SureScripts.

>> David McDaniel:

David McDaniel, Department of Veteran Affairs, Veterans Health Administration.

>> Mazen Yacoub:

Mazen Yacoub, TRICARE Management Activity.

>> Judy Sparrow:

Great. And Jennifer, who do we have on the phone, please?

>> Jennifer Macellaro:

On the phone today we have Tracy Leeper from the Oklahoma Department of Mental Health and Substance Abuse Services; Tom Wilder from America's Health Insurance Plans; John Houston from the University of Pittsburgh Medical Center; Elizabeth Holland from CMS; Jodi Daniel from ONC; and Flora Hamilton from Family and Medical Counseling Service. Did I miss anyone on the phone? Okay.

>> Judy Sparrow:

Okay, thank you. And we'll turn it over to the chair, Kirk Nahra.

>> Kirk Nahra:

Good afternoon, everybody. Welcome back after our brief summer break. We are going to start off today with just quickly taking a look at the approval of the prior meeting summary. I'm reminded from reading that summary that I need to talk less during the meetings, apparently.

[laughter]

Apparently almost everyone in the room except for myself, and I guess Deven and Sue, were silent. If anyone remembers saying anything, please chime in. But any other questions or comments? I don't know if people have had a chance to take a look at that summary. And any questions or comments on the meeting summary?

All right, we will leave that open for a couple of days if people have a chance to look at it and see anything that they have questions about, please get those in to Steve. If not, we'll move forward with that.

Steve, do you want to give the AHIC update?

>> Steve Posnack:

Sure. This is the usual AHIC update and recap for everyone, of the past AHIC meeting, which was July 31st. This is in no order of importance or rhyme or reason. The first bit of information is to let everybody know that the Personalized Healthcare Workgroup made their set of recommendations in July, and they did include a sentence that encouraged them to work with us, the CPS Workgroup, to consider aspects of genetic slash genomic test results and family history information may raise special concerns about confidentiality, privacy, and security relative to other types of medical data, so I think that will probably roll into our differences conversation pretty well.

Next on the docket is just some information about the AHIC successor. There was a public information meeting on August 17th, so that's ancient history already. And there was a technical assistance meeting, which was held yesterday, about the Notice of Funding Availability, and, also in AHIC successor news, there's the white paper that was published almost a month ago and the comment period on that ends September 10th.

And on to the use cases, the 2008 use case cycle has ramped up. There are six prototype use cases that have been published on the ONC Website for comment. They’re remote monitoring, remote consultation, personalized health care, consultation and transfers of care, public health case reporting, and immunizations and response management. So comments on that are due by September 28th. And everyone is welcome to comment.

And finally, John Loonsk also mentioned at the last AHIC meeting that the 2009 process is being primed and there will probably be a role for Workgroups to play in refreshing priority issues that were I guess circulated and embedded amongst the Workgroups I think prior to our establishment last year, and since we weren't involved with that the first time, we probably will be asked for our input when it’s appropriate, so I'll let everybody know if and when we get asked to add additional information to that use case process.

And that's all I've got for today.

>> Kirk Nahra:

Okay. So let's turn to the major topic of our discussion today, which is to continue our discussion as a Workgroup of what we've taken in shorthand format to calling our differences discussion. As you will recall from our last meeting, we started a discussion of the differences issue, I'll flesh that out in a second. We also had many of you fill out a little bit of a questionnaire on particular areas of potential interest, areas where people thought they could benefit from some additional information, areas where they had some reactions. My view of the material was that it was very useful, very interesting, very helpful for me to get a sense of where people were coming from on some of these points, but at the same time it was, a lot of the comments were sort of not really on point. We got a lot of questions and comments about saying, you know, we should have something more here because HIPAA doesn't work very well, or we can do it differently than HIPAA just because technology has changed. You know, so it was a little different than the idea of what we're trying to focus on at this point, which is what is it about the particular HIE environment that pushes us towards having some different rules than the HIPAA rules that currently exist? So in talking with Steve and John and others, rather than move forward with testimony at this point, we were looking for a way to sort of flesh out our discussion and try to get us focused a little bit more on really the idea of differences.

So what we have come up with as a vehicle for our discussion today, obviously a little bit of an experiment, is that we came up with -- we, Steve did most of the work on this, to give him credit. He's disclaiming credit.

[laughter]

He may decide he doesn't want credit and he's done with us. But we came up with a couple scenarios, and what we wanted to do was use those scenarios for essentially two purposes. One is to discuss how those scenarios would work under the HIPAA rules today, and then to talk about what might be different because of the fact that there's a HIE environment.

We are hoping that this will sharpen our focus in terms of looking at, again, where people's views are, whether there are particular areas where we do in fact want additional testimony. I mean, again, what I guess I'm trying to accomplish here, and I'm struggling with -- I mean, it seems like a relatively clear idea, but I'm not sure that it's anything -- I'm struggling with how to take it from sort of an academic discussion to practical, is we as a Workgroup do not have the ability to say the HIPAA rule isn't a good rule. Or the HIPAA rule doesn't work because it doesn't do X, Y, and Z. We are not here to replace, change, update, strengthen, weaken the HIPAA rule.

Our goal is to recommend, and our charge is to recommend practices related to health information exchanges. And in looking at how those recommendations might play out, my assumption has been that we're not writing on a blank slate and that we shouldn't act as if we're writing on a blank slate. I will say that some of the questionnaire responses, again, it's perfectly appropriate and helpful just to get a sense of where people were, but a number of the responses spoke as if we were talking about a blank slate, and said we should do it this way where the HIPAA rule says no, we'll do it a different way.

And so what I'm really trying to focus on, and again I want to push forward on this and we may come to a point where we decide it's just not going to work. But what I want to try to focus on is to really look at the question of, all right, here's how this would work today under the HIPAA rules. Why isn't that effective? What is it that says we need to have a different set of rules? Now, keep in mind, we are also having this discussion subsequent to our earlier recommendations. So we have dealt with some of these differences already by saying, from our last two recommendations, A, there are other people who are involved in the health information exchange environment who should be made to follow a standard at least up to HIPAA. So we've dealt with that issue. And we've said that we want those people to be covered directly, not just through business associate contracts, so we have dealt with that issue.

So the focus today is really on, all right, let's talk about the environment today as being HIPAA plus our recommendations. How would that apply in the particular scenarios, and is there something about the scenarios that doesn't work or that's different from HIPAA that requires us to have a different set of rules? Now, one thing that I want to add into our discussion, because I think it's very important, and it was certainly drilled home to me by a number of the comments from people in the Workgroup, is when we say the current HIPAA environment, we need to include within the current HIPAA environment more stringent State laws that are already in effect, because that is today's environment. That's what our existing health care privacy structure is. It's HIPAA plus whatever else there is at the State and other relevant Federal laws. So that's the environment today, and so if someone says we need a new set of rules for the health information exchange environment, because the State of Massachusetts requires consent for something, we've already got that as part of the environment. We don't need a set of rules because of the fact that -- and I'm making up the State of Massachusetts, I don't know what their consent laws -- but if some State has a higher consent standard, which HIPAA permits, that's already part of the environment today.

So that's the framework that we're going to try to operate under in terms of our discussion today. And again, I think it's important for people to share their views about weaknesses in the HIPAA structure. That's fine, and I don't want to discourage that. But what I'm trying to shy away from is having a recommendation come out of this Workgroup that says we think there needs to be something different in the health information exchange environment because HIPAA isn't very good on some point. That to me is not, it’s not that it is an inappropriate recommendation but it's not the kind of message I'm trying to work towards and the kind of recommendation that I think we've been charged with. The HIPAA baseline exists today, it is there, it is what we are working with. We can't change that standard. And so that's the baseline that I want to try to work with and really try to drill down, again, whether we have consensus opinions, whether we have open issues where we want to bring in witnesses, talk about best practices, et cetera. But that's what I really want to try to focus on today. Yeah, we may or may not finish it today but we want to try to work through that.

I should say that I know Sue has been involved in some of these discussions, we're certainly going to look to her today as we talk about some of the HIPAA components. Because I also think one of the things that was drilled home to me a little bit in reading some of the questionnaire responses, is that some of the folks on the Workgroup -- I mean, the HIPAA knowledge on our Workgroup is somewhat inconsistent. There are people that know a lot, there are people that know less than that. I don't think anyone's, you know, obviously at a zero level or even a lower level, but we've got various differences and so some people had made some comments that said something that wasn't right about HIPAA, or didn't know that HIPAA dealt with a particular issue. So I hope that we'll be able to, through our discussion of these scenarios, flesh out, again, how HIPAA would work in some of these environments, and that will allow us to figure out whether we need to have different recommendations.

Keep in mind, it is perfectly appropriate for this Workgroup to come out with a recommendation that says now that we've brought in these other entities and now that we've made the rules or at least recommended that the rules be extended to them, we don't see any need for there to be other particular additions to the HIPAA standard. I'm not saying we're there at all, but that would be a potentially appropriate recommendation. Just as it would also be appropriate to say there are four differences that we need to deal with and therefore because of these four differences, we recommend, A, B, C, and D. So that's the discussion we want to have. That's the approach I want to try to push us towards today, and in our meetings up ahead.

With that, let me stop. Are there questions or comments on what we're trying to accomplish today? Including whether that is an appropriate approach. Anyone on the phone have any questions or comments about that?

>>

Kirk, the only comment I would have is that if we are to look at the HIPAA environment today, to include what more stringent things State laws might have out there we may have to consider that what we would like to see is what may be Boston city applies or what the State of California applies. It wouldn't necessarily be a standard across the whole United States, but would be a standard that we would want to see applied to this particular environment that would not be something that HIPAA would tell us that we have to do. But it would be that other standard that is still lying out there. It would just be a standard that we would want to adopt across all areas.

>> Kirk Nahra:

It seems to me there's two points that you're making, or two conclusions I'm going to take from the point you're making. One is that we may want to learn some more about what those more stringent standards are that are out there. That's, from my perspective, a horribly confusing question right now. I mean, I deal with it professionally outside of this health information exchange environment, all the time where we have to look at figuring out what those more stringent State laws are, and that's clearly a very difficult component of understanding health care privacy today, is to try to make sense of all those rules. So that's one piece. And we've heard some of that in some of the testimony that we've had from some of the RHIOs and some of the local organizations have come in and talked about, I think there was a Massachusetts group at one of the testimonies that said all we're doing, we're taking in certain kinds of information, excluding certain pieces because of the State laws, et cetera.

It may also be appropriate to have people talk about, you know, with a goal of having this network at some point be national, potential goal, I should say, it's not clear that we're going towards that, but talking about some of the barriers and some of the impediments that we might have because of those State rules. I'm on record in a variety of settings, personal opinion, of saying, I'd rather have one law, I don't really even care what it says, just give me one law that I can follow so I can understand it. There was -- Steve and I talked this week, I don't know how many of you -- I guess people in Washington may have seen this. There was a very interesting article in the Washington Post this weekend, by one of the columnists, Marc Fisher, following on the reports that came out of the Virginia Tech shooting. And his article basically focused on the idea that it was his conclusion -- and this is from the report -- that the fact that there were so many different laws in play that had inconsistent standards, people basically did less than they would have done, you know, that their morals and personal views would have done otherwise, simply because they didn't understand what the laws were and how they fit together and that that multiplicity of laws by itself created problems. And that's again, maybe I liked the article because it supported my views, but I mean, I see that all the time. And you certainly do see in the HIPAA environment lots of reports about people not disclosing things they're able to do because they're not sure. So we very well may want to bring in somebody that could say, well, here's gonna be the real problem, if we set up a regional RHIO that’s got 12 States and there are a whole bunch of different rules, no one is going to really have the ability, and as a result of that, certain kinds of information are kept out of the databases, and we don't know that. 
For example, some of the scenarios that Steve walked through, some of the points were what if this doesn't include mental health information. There are clearly issues there. So that's something we should talk about.

I guess the other piece, though, that I want to address, and again I'll give you just a personal view on this, the fact that Massachusetts might have a standard that is different and even arguably better than HIPAA, to me is sort of not what I want to look at in the sense that, again, if we're writing a blank slate, we could say what are the options that are out there in the world, let's pick the best option. We're not at that blank slate. We have a baseline HIPAA standard that is the law today. And so the fact that Massachusetts chose to do something better, even if we all around the table agreed that the Massachusetts version was better, it's -- I don't think that that's a reason to say we need something different for health information exchange environment simply because there's another possibility out there.

For example, that's going to come up in the context of whether we call it access or we call it accounting. There may be technological possibilities in a health information exchange environment that allow -- for example, 30 days, Steve's scenarios talk about this. You get 30 days under the HIPAA rules to provide access. That's just out there. And maybe that rule was developed because they were thinking about paper and that was going to take some time. The fact that it's now likely to be possible to do things faster than that in a health information exchange environment, is not in my mind a difference such that we say we're just going to force it faster if it happens to be in this environment than in another environment. I'd say we've got a baseline standard, that decision was made for, again, that's out there, we need to say what -- why do we have to have a different rule here? I suppose it's possible that we could say we have to have a different rule here because we can. But I'm certainly going to need to be convinced before we push towards something like that. So I think the State laws are out there, they're useful. If we have an area, for example, where we agree a difference requires something different, then we'd particularly want to look at what the options are. But I think we really want to look at that why first before we start to look at what's out there.

Again, reactions? I mean, I'm saying too much already, but I want to make sure to -- people have different views or similar views or anything else?

>> Sylvia Au:

Part of our recommendations were whether we recommend that Federal law needs to be added or uniform State laws need to be created.

>> Kirk Nahra:

Well, I mean, I guess I'm not sure how to answer that. It seems to me that one direction we could go in, it's not really the direction we were going in, but one direction we could go in, is to say, all right, in order to understand the current environment, which includes all these State laws, we have to, A, learn a lot more about the State laws, and B, get testimony about what those diversity of laws means for this environment. And if we had people that came in and testified that said it's going to be a mess if we have 50 different State laws and we're trying to develop RHIOs that have all these different standards and no one is going to know what to do and all of the value is going to disappear, we could certainly say, you know what, we really think there should be one standard. That's a perfectly rational approach, and again, all things being equal, I'd probably support that idea. That's sort of parallel to what we've been talking about. Do people think we should be looking at that?

>>

I think one of the considerations should also be, as we get into considering State laws and what kind of barriers, is to recognize the work that's going on under the NGA, and the implementation plans coming out of the RTI contract. Because they, you know, their purpose was to identify which among the State laws were posing these kinds of barriers to electronic exchange, and how, what the State solutions would be to removing those barriers. And so a lot of that work is going on in this other environment.

>> Kirk Nahra:

That's a very important point. Actually, I was at a NGA meeting the other day. I ended up testifying at that, not having anything to do with this organization, through something else I'm involved in. And it was very interesting listening to them. I mean, they, my impression from listening to that group was that they were essentially acting on the blank slate model. They were saying, what should the rules be for health information exchanges, and they were already moving in directions that really didn't have HIPAA as, they weren't thinking about HIPAA at all. They were saying what should we do. And we could do that.

>> Deven McGraw:

Kirk, I'm -- this is Deven McGraw. I'm in favor of the approach because we do have HIPAA as a standard and I think part of what may be holding back some of the movement to health IT is some confusion about how does HIPAA play, where does -- I mean, it's there. I think working our way around it is a good way to start. But I would say that a standard, when we think about do we need more than HIPAA, that when we think about that question, it's not just about do we need more than HIPAA because privacy isn't as well protected? But do we need more than HIPAA in order to more rapidly create a better care scenario, because we can, with a new set of technology. And it goes to your issue of the 30-day piece, where now with technology we might have the ability to do things faster. Your earlier response was, well, we have a baseline standard and that should be enough. It's only enough if the question that we're answering is do we need more in order to be more privacy protective? It's not an answer to the question if the other way, lens through which we're looking at this is how we make care better at the end of the day through the use of health IT.

>> Kirk Nahra:

That's a fair point. I mean, I guess my reaction to that -- and again, this is just purely a personal opinion -- is that I would be concerned about making a recommendation that says if somebody's in this environment, they have to do it better and faster than if they're not in the HIE environment. If somebody just contacts the hospital directly, the hospital gets to take longer and doesn't have to do as much work. But if it happens to be that they're participating in a HIE, they have to do it better and faster just because it might be possible. I would be concerned about that kind of recommendation. Which doesn't mean we don't go there. For example, there were some comments I saw about audit trails, and, you know, patients should be able to review an audit trail of everyone who looked at their records and I say, well, boy, they don't have anywhere near that right in the rest of the system. Maybe they should. Again, we could come out of this and there are certainly lots of people all over the country who say that the HIPAA rules should be replaced and we should have all these other rights. I'm agnostic on that point. That very well may be the right answer. But I guess I'm concerned about setting up disparities just because we can. Again, not that we wouldn't end up doing that, but that's my bias going into this, is I don't want to make it -- I mean, frankly, I could probably give you a good argument that that would discourage some of the participation elements if all of a sudden if it's harder and harder to do things, you have to do it better, faster, more thoroughly just because you're participating in an exchange, that's a potential real problem.

>>

I think we also have to keep in mind that some of the perceived benefits like speed, for example, are things that might not be realistic when you're dealing with other people who aren't in that environment. So, for example, when you have a relationship with a provider who doesn't have an electronic medical record, they're not maintaining information electronically, and you receive information from them, you can't turn something around in 30 days when you have to receive it in the door, scan it, get it into your system. So it may seem like you could do that, if you were doing it in a vacuum within your own organization or when you were working with other organizations that were also in an electronic world. But until we eliminate all the people who aren't in the electronic world, we're still having to interface with those people.

>> Kirk Nahra:

Sure.

>>

We're working on that.

[laughter]

>> Deven McGraw:

I don't want to spend too much time quibbling over the one example. I'm just raising the possibility that the lens through which we're looking at whether HIPAA is enough is not just about whether there are now gaps, but whether in fact there might be some things we would recommend in order to spur the adoption of this technology.

>> Kirk Nahra:

And again, I agree with the point and I think it's a fair point. I mean, I guess I look at us having a couple of -- gaps, so we're talking about, although gaps may be what we already did. We're talking about differences. We're also talking about situations where HIPAA doesn't work very well. It might not be, it might not be a real difference, but for example one of the things that, where I think HIPAA doesn't work very well, we partially dealt with it in our recommendations already, but is the sort of business associate relationship. Which is the idea today under HIPAA is the covered entity basically exercises control over the business associate. The covered entity hires the business associate, has the obligation to have a contract with them, terminates the contract if they do something wrong. You know, there's a covered entity control of business associates. And there's a leader and there's a follower in that relationship. That doesn't fit very well to a RHIO. Now, we've dealt with that to some extent by making the RHIO a covered entity, but when we look at things like, again, let's use the access rule, the HIPAA access rule, we're going to talk about that in one of the scenarios. But if I go to a hospital today and say I want to see what the hospital has about me, the hospital has to check with its business associates to see if its business associates have anything that constitutes a designated record set. It’s not clear how that really fits when you start talking about a RHIO. If the hospital has a business associate relationship with the RHIO, the RHIO has information from 150 other providers or 10 other providers about me, it doesn't fit quite well. We may say, you know what, we've got to play with that relationship in this context. Not because there's something really different but because it just doesn't fit very well. We may very well come up with recommendations on that. 
I think that's very much something I want to talk about and look at, and I hope these scenarios that we'll talk about today will flag some of those issues. But again, that's just the it doesn't fit very well rather than, yeah, but HIPAA, covered entities under HIPAA don't have to do enough to police their business associates. That's a different issue that I want to put aside.

Other questions, comments, opinions, before we delve into the scenarios? This is important stuff. This is sort of what we're going to be doing for a while. Not forever, but the next --

>>

Just seems like it.

>> Kirk Nahra:

Well, it is -- one of the things that I guess I found the more you drill into this, is the more there is to talk about. And you could spend a long time on this. I mean, you know, and we may decide that that's really the most important thing we're going to do as a Workgroup. So anything -- I want to make sure, anyone on the phone have any other thoughts before we delve into the scenarios? All right. Anyone in the room?

>>

Yeah, I just want to make a pitch for the idea of one national standard. Because I think we already know, based on some of the data that came out of RTI, and anecdotal reports that we get through our members that having multiple sets of rules to follow and depending upon where you are, is kind of nonsensical. And it introduces the opportunity for error. By just having -- if it's here, I do this, if it's here, I do that. It's one thing if you're a provider that has a service area right in that State. It’s another thing if you're an HCA or somebody like that, trying to deal with multiple State rules. It's got to already be hurting people. To your point, about making care better. You know, you introduce these complicated decision algorithms and sooner or later information doesn't hit when it should be because somebody is unsure. And Susan, you see that all the time. People who are misinterpreting the rule. When the rules on their face look so -- you know, everything we do to complicate the process just introduces more of an opportunity for error that is sooner or later is going to hurt somebody.

>>

You have that happening on every three corners of every State in the union.

>>

Absolutely.

>>

I would agree. I think in this electronic age, information is going to flow across State lines, and having one single uniform set of requirements would be beneficial, I think, for everybody involved, patients, and providers, and health information exchanges. So you don't spend your time trying to decide whether or not information should or should not go, based on varying laws, you just, you know, this is what the requirements are, this is what I can or can't do.

>>

Right. Well --

>> Kirk Nahra:

Well, I certainly do encourage us to keep our eye on that and keep that in mind. Again, think about the HIPAA standard. I mean, the HIPAA standard is essentially all information is treated the same. It's given, once it's in, it's given the same uniform kinds of protection. And some of the points are dealt with by defining what you can and cannot do with that information. But the HIPAA standard doesn't say you can do 10 things with this piece of information, 12 things with this information, and only two things with this piece of information. Again, the State laws almost uniformly don't deal with it that way. You know, one of the things that I took away from I guess it was the last time we had a testimony hearing, there was a gentleman, I think from the State of Florida, who talked about, you know, how many different laws they had in their State and they were actually making it a project in their State to try and pull those together and even within the State try to make them a little more uniform.

One thing I'll just do this quickly and then we'll move on to the scenarios. But one thing that's an analogy and we could bring somebody in to testify about this if we wanted to, there's a Federal privacy law for the financial services industry, the Gramm-Leach-Bliley Act. And it is very similar to HIPAA in the sense of setting a Federal floor and permitting States to take more stringent, to pass more stringent State laws. There have been a handful of States that following passage of Gramm-Leach-Bliley have passed more stringent State laws. Handful. Two, three, four. Very limited. And what those laws did was they looked at Gramm-Leach-Bliley and said here's what Gramm-Leach-Bliley says, we want to do Gramm-Leach-Bliley plus X.

What we have in the health care industry is something very different. Which is 95, maybe 99 percent of the laws that are relevant, were passed prior to HIPAA, and use different words, and different terms, and different concepts, and aren't even internally consistent. I mean, if you go, Florida as an example. I mean, it is almost impossible to look at the laws in the State of Florida and come up with a Florida State law of health care privacy.

So, you know, one idea -- again this is way beyond anything we've talked about, but would be sort of wipe the slate clean, even pass a new law and say if you want to go do something afterwards, now that you know what the baseline is, fine, but get rid of this history -- for example, the testimony I was asked to give at the NGA, was solely to talk about the words consent and authorization. Which until HIPAA no one had really distinguished, but all of the State laws, most of the State laws say you must give your consent and that requires you to authorize. And so now you got to figure out what does that mean. When you say authorize, and a law was passed in 1972, they obviously didn't mean a HIPAA compliant authorization, but -- so lots of confusion, almost like you wrote one law in French and one law in Spanish and one law in English. It's that kind of -- again, we don't have that in the financial services industry, because there's been a handful of laws passed after. So let's keep that single Federal standard in mind as we move forward. Any other comments from the Workgroup before we move into the scenarios?

All right, why don't we turn to -- and again, these were distributed to the Workgroup sometime earlier this week, last week? Friday. They are, I believe, posted? Okay. There are two scenarios, both of which start with an imaginary District of Columbia health information exchange. Local exchange comprised of 100 providers, 10 hospitals, 3 insurers, and 2 labs. Obviously as we're talking about that example, we're going to keep in mind David's point that while there's a lot more than 100 providers in D.C, we have to keep in mind all the people that aren’t in this network. Let's read these quickly and then we’ll have a discussion, try to walk through this. What I'd like to try to do is talk about each of these scenarios -- there's only two of them right now -- talk about each of these scenarios, how does it work under today's law? I mean, these things are happening today. So how does it work today and then try to explore problems, difficulties, confusion, what else might be needed to flesh that out.

So here's the first example. It's a treatment-related discussion. Mr. Gray attends an office party and falls ill several hours later. With his condition worsening, his wife brings him to the Capital Hospital emergency room, Capital Hospital needs to obtain Mr. Gray's medical history. Baseline. All right, let's talk a little bit about how HIPAA applies in that situation. Now, so I'm in the hospital, Mr. Gray is there, Mrs. Gray is there. My choices are as follows. I think today, practically, I ask them about their medical history. I ask Mr. Gray, I ask Mrs. Gray. They give me whatever information they have. That presumably for the most part does not involve having a key fob with all of his medical records on it, although it could today, in theory, but most people certainly don't have that. Mr. Gray may be able to say, depending how ill he is, I was at the following four doctors in the past few years. The hospital can then say, you know, they can ask permission to contact those hospitals and doctors. They can presumably contact the hospitals and doctors without having any explicit permission from Mr. Gray. I mean, part of Mr. Gray's ability to, quote, consent, is to not say who his doctors and hospitals were. Again, a little hard to see why he wouldn't do that. But we always have the possibility in that scenario that Mr. Gray -- again, you know, maybe not thinking clearly, says oh, I'm going to talk about Dr. Jones and Dr. Smith, but not Dr. Johnson, my psychiatrist. Again, perfectly valid today, allowed to do that, doesn't have to say anything today.

So let's talk about some of the other, again, HIPAA impacts there. We have some discussion in the scenario about privacy rule notes. There's some discussion about minimum necessary here. You know, minimum necessary is relevant, it's presumably not going to be too much of an impediment. It's certainly designed not to be an impediment to getting the information that's needed. Mr. Gray gets to apply minimum necessary by saying whatever he says. If he doesn't want to say something, you can't make him say it. But that's part of the baseline. So the hospital is sort of forced to figure out what his medical history is and goes from there.

Other things we should think about in this treatment piece? Again, just how it would work today. So let's play it out a little bit. The hospital is going to contact four doctors. Three of those doctors are HIPAA covered entities, one of them is in the stone age and still does everything on paper and so technically doesn't have to follow any HIPAA rules. All of those providers are able to provide information. Is that right? Everyone agrees with that? They're all permitted by the HIPAA privacy rule to disclose information to the hospital to treat Mr. Gray. You have things like authentication and verification and making sure that it's really Capital Hospital. And there's a process for that that works. We do know that there have certainly been anecdotal situations, perhaps fewer than many people were concerned about, where the hospital who gets that request or the doctor who gets the request says I don't believe you, I don't want to give it to you, I'm not going to give it to you, I'm not allowed to give it to you. We know that, we know that I'm not allowed to give it to you is not the right answer. We know that I'm not going to give it to you is a permitted answer. We know it's not a useful answer, it's not a helpful answer. We know that there are clearly people who are cautious and would say no just because they don't really know what they're allowed to do. To go to Jill's point, well, I am a psychiatrist, and I don't really know whether I'm able to give that or not, so my confusion may result in me not giving out information. But again, that's all the scenario today. That's all how this would play out today. The hospital is supposed to be able to get this information. If they know who to ask and they know where to ask, they can get a hold of them and the recipient responds. Again, it's not a HIPAA access right where the hospital on the other end or the doctor on the other end is supposed to do it in 30 days. That's not helpful to the guy in the hospital today. 
They need to respond in real-time. Any other pieces people can think about for the sort of current day HIPAA scenario?

Okay, restrictions. Restrictions, there are two kinds of restrictions that are potentially relevant. There's confidential communications which is hard to see how it's really relevant in this situation. That typically has come up in a situation where there's, you know, domestic abuse, for example, and the wife is treated somewhere and is hiding from the husband and doesn't want the bill, doesn’t want something to go to the husband. Hard to see how that's too relevant here but there's a process for that. There's a process for requesting restrictions. That request could be anything the person wants to make of it. The HIPAA rule sets up a scenario where the covered entity has to take the request, does not have to accept it. If it does accept it, it has to make sure it follows it. Again, today, the effect of that rule has been to discourage almost everyone from accepting restrictions. That's -- again, that's part of the scenario. Now, if we were to say, God, that's a bad rule, we'd really like people to have to do restrictions unless there's a good reason not to, that's fine, but that's not the baseline standard. That's not what the rule is today.

Now, if Mr. Gray says again, the analogy would be I want you to contact these three doctors but not the fourth doctor who treated me -- I guess Peter Basch isn’t on the phone today -- but I'm assuming if a doctor knew that there was another doctor who had treated this person, and arguably relevant, and the patient said, but I don't want you to ask him, interesting question about the sort of medical piece of that. Do you ask him anyways? You're allowed to ask him anyways. You don't have to agree to the restriction. I assume the way Mr. Gray would do that is just not tell them about the doctor and rather than tell them and say I would like to request a HIPAA restriction because of my detailed knowledge of the HIPAA rules. But again there's a process to work that out. You know, let's play that out a -- let's take it a couple steps further. Let's say that these doctors do respond and do provide information. Now, the hospital has had to follow HIPAA on what it does with that information that it has. It's clearly allowed to use that information for treatment purposes. That's the primary goal. Is there some reason that the hospital would need to use someone else's records for payment purposes? Maybe. If there is, they're allowed to. I mean, for example they may have to show oh, we did a more invasive surgery because of a history. You know, we didn't just check the blood pressure, we did something more because there was a history. They're allowed to use that information. They're allowed to use it for health care operations. They can't use it to all of a sudden decide -- could they take that information from another health care provider and use it to market something? Oh, you found out that other provider was a, you know, obesity specialist and you've got a great obesity program at your hospital, so I'm going to market it to them. Under HIPAA today, that would presumably be permitted. 
You are allowed to use health care PHI, to quote, market, the rule says it's not marketing, but to promote your own products and services. So, that's something that's permitted today. Clearly it doesn't happen very often in that context, but allowed to happen.

Other pieces that you would think of as being part of that context today? Current HIPAA context. Again, the State law piece is if D.C. happens to have a law that really restricts the disclosure of HIV information, do doctors who are asked a question have to follow that law? Most of those laws presumably would allow disclosure in this context. Maybe the hospital needs, the hospital where Mr. Gray is now needs to get something signed. Maybe. But again that's how they would do it today. Any other pieces that we're missing? All right, this may be easier than we think. Steve?

>> Steve Posnack:

It just might be easier once we go to the differences section.

>> Kirk Nahra:

So we've got that. That's how this works today. Now let's move on to our health information exchange environment. Now we have a hospital that participates in the HIE-DC. Steve has laid out two models, the repository model, where the records are on some central system. And a non-repository model where records are not held by the HIE itself, but are locatable and available. I'm not entirely -- there's pointer systems that involve, you know, require the person on the other end to do something. You know, so we've got a variety of models here. Let's talk about differences, if any, in that scenario.

>>

One of the first things that comes to my mind is the fact that Mr. Gray may have left out the doctor that he didn’t want you to contact and he's not going to have that option in the electronic world because that information is going to be out there, it’s going to be in the environment. He's not going to have any way of saying I don't want you to look at what that doctor has on file, I only want you to look at what these three doctors have on file.

>> Kirk Nahra:

Let's go with that for a second, for our discussion. Now, that implies a couple of things. I'm not sure it's all wrong. Let's just play that through. So the hospital could today, I mean, could in a HIE environment, still say to the patient, who have you been treated by. And in this scenario, presumably the hospital would still do that because some minority, majority, but not all providers, are in that network. So they may or may not ask that question. If they ask that question, who have your doctors been, we're in the same place we were with HIPAA, right? I mean, up to at least that point. The guy either answers or doesn't answer. Then you say, all right, I'm the hospital, I'm going to, I have the ability to arguably double-check that answer. I can go to the HIE, presumably under both models, although I don't know, you know, I can query, you know, maybe not the right technical term but I can essentially plug in Mr. Gray, we have to have some way of making sure it's the right Mr. Gray, but we have to do that otherwise, too. We have to do it for the hospital, the doctor, John Smith, you have to figure out the right John Smith. We're going to query the system and maybe -- I mean, again this goes to system design. It might be that -- I don't know if anyone knows the answer to this. Can you go in today and just plug in Kirk Nahra into any -- pick a RHIO, plug in Kirk Nahra, and it will just pop up whatever is there, with nothing more? You know, I don't know. That's a question. So you can do it. You don't have to know anything about the doctor or -- I mean, you could set up the system however you want. You could set it up to require something more than that. For example, you could clearly set up a RHIO that said having the patient's name is not enough. You have to know the other provider.

>> Paul Uhrig:

Yeah, I think you got some -- I think it gets to the point that Steve made. It depends upon the algorithm and how many negative positives you're going to get. And certainly at least most I know of, you need far more than a name, because there are a lot of John Smiths. You need name, birth date, ZIP code and all the rest.

>>

But presumably one of the advantages of making this a personalized health system through HIT, is that you can query by patient and pull back from the system the --

>>

All the records.

>>

-- the birth-to-death medical history relevant to that individual. Assuming everybody’s connected. That’s not going to be there yet. So it is supposedly, I would think -- having to search for Mr. Gray and pull in all of the records that the system knows about, that are relevant to Mr. Gray, whether it's in a central place or whether they pull it from Dr. XYZ. And that's where you may have some choices in terms of how you build the system, in terms of do you get back from your initial inquiry records on Mr. Gray exist here, here, here, here, here and here. And then if you want them, you can highlight, highlight, highlight, three. I don't need his dental records, I don't need his eye exams, you know, I'm only interested in his primary care.

>>

Right.

>> Kirk Nahra:

Well, let me ask a question about that. I mean, you certainly could say that our goal is -- not our group's goal, but the system goal, is to have those records be available for that kind of a search. You could just as easily say that our goal is to make that process, once Mr. Gray has identified his four doctors, more efficient and faster. Today I've got to get on the phone and get a hold of somebody and I’ve got to get a hold of somebody that's got permission. You know, you could very clearly design a RHIO that is solely triggered by Mr. Gray identified these four people, I know where to go and I can get them right away. That's not a necessary component of the system. It may or may not be a desirable component of the system, but you could absolutely -- I mean, again, and maybe this is something where, you know, I don't know if this is part of our charge. Do we say that one of the ways that you could protect privacy and security in these systems is to require, you know, not allow those generic searches but only permit -- you know, that's a possibility.

>>

So what we're advancing with here, then, is a discussion of whether or not those systems would have to have standards developed as to what a RHIO standard is going to look like, so that when you create a system, it has to have certain elements and certain capabilities in order for you to restrict or protect the information or delve out the information in a certain fashion.

>> Kirk Nahra:

Well, I guess just to play that out and try to put into our HIPAA context, if you designed a RHIO so that it was a more efficient way of getting the records that Mr. Gray identified, I would say that's no different. That's no different than we have under HIPAA, because you're dependent on Mr. Gray identifying it. If you have a system that lets me query beyond and above what Mr. Gray says, including things that he consciously chose not to tell me, maybe that's a difference. But that's only relevant if the system is set up that way.

>>

But at a minimum you’d have to have some sort of regulatory requirement on setting those systems up to have that capability. However you wanted to do that.

>> Kirk Nahra:

Right, and I guess my point being we need to be careful about making a recommendation that says because you have this ability to do this electronically, you need additional protections, because sometimes you might and sometimes you might not. We've been dancing around -- we've got all these different scenarios and these different, what do you call them, different models, for health information exchange. Maybe we can't generalize. That's clearly going to be an issue.

>> Sylvia Au:

But if you're using it to improve care, the person comes into emergency unconscious and you have their driver's license out of their wallet. You would want to be able to query just their name and other information to get the records.

>> Kirk Nahra:

Put it this way. If your goal is improved care, you want all the information whether the patient wants to give it to you or not. If your goal is to improve care. Again, we could certainly say that -- again, that's a great result if your goal is improved care. Part of our calculus is how far do we go to achieve that goal if the tradeoff is less privacy? And that's, I mean, that's a tough one for me. Let's use Mr. Gray, who is fully conscious, who says you know what, I don't want them to know about my psychiatrist, even though that psychiatrist prescribed me all kinds of drugs that are going to cause a real problem when they don't know about it. Medical care, you want that information. I don't care -- you know, in that context -- again, if I want to treat this guy right, I don't care about whether he doesn't want to tell me or is embarrassed and doesn’t want me to know about that. I want the information.

>> Sue McAndrew:

It seems to me the other -- I think in general, the privacy interest is factored into that. Not by restricting what the individual -- what you can request out of the system or how the system can pull it up. But if Mr. Gray doesn't want his medical records -- mental health records shared, then you have a system where he can block, with the agreement of his mental health treatment person, not to put his records, not to make those records accessible through the network. And then you get into the blocking and the masking.

>>

An opt-in scenario versus an opt-out.

>> Kirk Nahra:

Well, it would be a request for restriction under the current rule.

>> Sue McAndrew:

Under the current rule there would be that kind of request for restrictions. That this, these medical records are not accessible to others for treatment purposes unless I say so.

>>

Sue, let me take that same scenario and take it a little different direction. What if Mr. Gray didn't really mind, and hadn't opted out that, or made that request for restriction with his mental health provider, because with his normal provider he wouldn't mind that normal provider having that information. But now all of a sudden he's shown up in an ER with doctors that he doesn't know and he would like to make that choice, but now he can't make that choice because he didn't make it prior to, and he's in a circumstance where he's there with his wife and a doctor he doesn't know. He doesn't want to share that information with the doctor he doesn't know and now you've created a scenario where he can't do anything to ask for that information to be restricted. You've taken that right away from him.

>> Sue McAndrew:

I haven't taken that right away from him. You know, he -- whether or not -- I mean, today, you know, if, if his mental health practitioner is just part of that practice, they're going to know about it. I don't even know under the current system, other than withholding information, that you put a right of restriction on someone who is going to be requesting information from the (inaudible) restriction is between the information that entity holds on you and the confidentiality --

>>

So I guess what you're saying is the right is really not the right of restriction. It's the right to request a restriction. And if you make that distinction, then you take it back to Mr. Gray might say to this doctor in the ER, I really don't want you to look at what my psychiatrist has in that record. And they would still have the right to request restriction at the time of the ER visit and the provider would still have the right to choose whether to accept that restriction or not.

>> Kirk Nahra:

Let's play it out. So that's how it would currently work today. We've got to recognize, again, maybe this is just context, probably runs against what I said about the HIPAA rule not working. We have to regulate it. Most people don't have any idea that that right exists. And similarly, the rule is really set up, I think, to discourage people from agreeing to that. I mean, I would never -- I basically tell companies I work with, don't say this, but you should never agree to a restriction. There's nothing but downside for someone to agree to a restriction. I do wonder, again, we should think about whether we have any insights from health care providers in this context. I would think that would be, I mean, very questionable medical practice to say oh, you're right, I'm not going to ask for something that's potentially relevant to what I'm going to do because you don't want, you know, because you've asked for a restriction. I would think that, to me, those sort of questions are going to be real issues going down the road. We're going to have a situation with this 100 provider HIE all right, well, they've got to query the network, but what about the 4,000 providers who aren't in the network. Lots of questions that I know the health care provider community is very concerned about, with these partial networks.

>>

It's the same clinical liability of not going out and asking for that information, the same liability that people don't want to accept by accepting restriction request in the first place. I'm not going to not give it to somebody else because if the other person needs it and I didn't give it to them, I withheld it, then what's my liability there, even if it's ethical.

>> Kirk Nahra:

Right, and I would think for the provider who’s doing the treatment now, their concern about something like malpractice has got to be higher than their concern about the possibility of a privacy violation down the road. Frankly, people should, again, if you ever have your emergency situation where someone is unconscious, I'm generally going to say, I'm not making any close calls on privacy rules. I'm going to get the information and do what I can to help this person. And that's, you know, our system should encourage that, clearly. I don't know if it does or not right now. But it certainly should.

>> Sue McAndrew:

In most cases, even where they talk about the masking, they usually are accompanied by a break-the-glass emergency access proviso. So that life-saving, you know, that access is permitted, it's just additional --

>> Kirk Nahra:

Again, let's play it out using our differences idea, which is we have two patients, we have conscious Mr. Gray and unconscious Mr. Black. Do we create different rules because there might be, one 1 of 100 might be Mr. Black? Do we allow the possibility of a different -- HIPAA deals with that again now. I mean, today -- again, it's not efficient. If the hospital has somebody on the emergency room table who is unconscious, it is inefficient and probably not very effective to try and find where those records might be. You know, if there's one doctor in town, presumably they call the one doctor in town. I mean, there's some level at which you try to gather that information. A health information exchange environment makes the efficiency greater. But do you set up, you know, do you allow a system that says we're going to let, as long as you have Kirk Nahra's name, you can look for all his records because we might have that need sometimes when someone is unconscious? Or do you have that be a break-the-glass exception?

Again, I guess what I'm trying to explore is whether this situation in a HIE environment is sufficiently different from how we deal with situations today such that our group is at some point in the future going to make a recommendation that says higher standard than otherwise if you're in an HIE environment. I mean, that's at the end of the day the challenge we have, is is there some reason that is strong enough for us to say different and harder set of rules, recognizing complexity, then. We're adding another level of complexity, just because of this HIE environment.

>> Jodi Daniel:

This is Jodi Daniel. Hi, everybody, I'm back. I think, I'm not going to answer the question you just raised, Kirk, but I do think, it seems to me that there is enough of a difference when you have the conscious patient that shows up in the emergency room, in that there's information that is available under HIE that was not available before. So the risks of privacy violations or, you know, or information getting out that the person wouldn't want to get out, all of a sudden becomes greater than there was in the paper world. So I think it is at least a difference that's worth thinking about, whether or not there should be a different policy. And then again, while it's hard to come up with -- you don't necessarily want to have two different policies if somebody is unconscious versus conscious. There may be a different calculus if somebody's life -- if somebody is in an unconscious, life threatening and there's no indication otherwise that they wouldn't want that information shared and HIPAA does have similar kinds of differences in emergency circumstances. So there is already a precedent for doing that.

>> Kirk Nahra:

Well, again, to play that out. I mean, yes, it's clearly more likely with the unconscious patient, or conscious patient for that matter, that somebody in an HIE environment could locate additional information. Is that good or bad? I mean, that's clearly, on your treatment level, one of the goals of something like this, is the ability to generate more information than you had today.

>> Jodi Daniel:

So from my standpoint, I think if -- since you want to encourage the information to be available for treatment purposes, because it does improve quality of care, you'd want to have a rule that would allow for people to search for information that is available, but then, you know, with the appropriate protections when there is a privacy concern. So you wouldn't want to, if we have the ability to improve quality of care, and have all this information available, to come up with a rule that says any HIE, unless you have the name of the doctor, you can never get access to the information about the patient, you know, even if the patient is unconscious, that would counter the improvements in quality of care that HIE can offer. So, you know, I think we do have to think about, we have to sort of digest all of these different scenarios and think about, you know, what policy would both increase quality of care at least to the majority of cases, or in a larger proportion of cases, and then how do we protect privacy so that people aren't taking other privacy protective measures to make sure that information is never available because they may not want it available some time.

>> Kirk Nahra:

All right.

>>

In my mind some of this goes to the system capabilities that are going to be generated and how that's going to play out. For example, as Jodi was talking, I was thinking in my mind, okay, Mr. Gray comes in and he tells me what doctors I can go and look at in his system and I pull up the system and I put a little check mark by the providers and all the information from those providers come to me. Then Mr. Black comes in, I have no idea who Mr. Black is going to see so I put Mr. Black in, I see all the providers that he’s seen, and I just click all. And it gives me everybody because I now have the right to see Mr. Black's information because I'm making that determination on his behalf because he can't make a determination for me. That gives the patient the right to say, I want to not have you look at that information, I have some control over the information. And at the same time the information is always there in the event that somebody needed that information to make a decision. And you could always say, you know what, Mr. Gray or Mr. Brown or whoever it was, I really want to see what these other providers say and I appreciate your requesting a restriction on that but I really feel like I need to see it.

>>

I don’t need details, but I need to know what meds.

>> Kirk Nahra:

But let's play it out. Again, what I'm trying to focus on, again maybe just I've got this academic line in my mind that doesn't really exist. But I think the scenario you laid out is going to happen daily in an HIE environment. We're going to have that tension all the time. That tension somewhat exists today. We have more information available that can make some of these things better. Does that mean we need different rules? I mean, for example, there were some, there was a GAO report that came out a year or so ago that said because more information can be available in an HIE environment, we need more privacy and security protection. I didn't get that. I mean, I'm not sure why more information means you need more privacy and security. It could mean -- but that's not an automatic -- that's like saying a bigger hospital, you know, it has to be a whole different set of rules if you're a bigger hospital than if you’re a smaller hospital. We have a flexible rule, we’ve got a scalable, we’ve got rules that say -- you know, we've already built that in to some extent, for better or worse, into the current HIPAA security rule.

So in that example, are we going to say because we have the ability to gather information better or faster, that you need a different set of rules? Maybe your medical practice, I mean for example -- again, we need some more medical providers to give us some information. What should a doctor do for practice? Should a doctor say let's say the doctor had a list of 50 doctors that a very sick patient had been to in the last couple years. Should the doctor sit down with the patient and say which of these would you like me to look at? Or does the doctor say, I'm going to look at all of these? Is there any one -- I mean, I'm not sure how that conversation plays out today. But do we want to force a different set of principles in that environment?

>> Sylvia Au:

Your current doctors for the time period. If they went to someone two years ago, one visit, I don't really care.

>> Deven McGraw:

What you just said and what David just said -- this is Deven -- made me think about some things. We have a HIPAA rule that doesn't require consent to access information for treatment purposes. But if that record isn't sitting within the walls of the health care provider I’m seeing at the moment, they’ve got to know where --

>> Kirk Nahra:

Or I don't tell them about it.

>> Deven McGraw:

And I don't tell them. So today and in more of a paper world, you actually have to ask the patient. Who are the doctors, and there probably is a corollary question of can I get in touch with them to get the records? And so there's almost a pseudo-consent built in, even though it's not required. What you have in a potential HIE environment, where suddenly that record could be available just by knowing who that person is, it doesn't really matter anymore whether the patient comes consciously or unconsciously, you can get those records because HIPAA allows it for treatment purposes. So to some extent while there is no HIPAA requirement to get consent to get records that don't belong to that provider for treatment purposes, it sounds like operationally the way that it works on the ground is that there is a consent-type discussion because you have to find out where the records are to get access to them in the first place.

>> Kirk Nahra:

Because the knowledge isn't there otherwise.

>> Deven McGraw:

So to that extent you do have an electronic world that changes things, and I do think people perceive it as being different. If I'm having a conversation with my doctor and I say, yes, doctor, you can get the, you should get the records from my primary care doctor, that's a conversation that I get to have that is suddenly, I'm in an HIE environment and involuntarily in an HIE environment. In other words, all my providers have decided to participate but there's not a sort of opt in, opt-out conversation made available to me, that discussion no longer takes place, and I feel less control over where my records are going and who is using them and for what.

>> Sylvia Au:

To add to that, like right now, when you get a call saying so-and-so is in the emergency room and needs treatment, we understand you saw them, the doctor is filtering information from the medical record, saying oh yeah, I see them for X, Y, Z, and they're on these meds. There is also information on that health information record that says, oh, so-and-so told me that they needed birth control because they're having an affair. Or you know, other personal information that if it's in an electronic form, there's information in there that you might get that absolutely has nothing to do with anything you need for treatment. But more information than filtered through an expert who knows what information you might need to treat the patient.

>>

Which gets to another concern that I have in all of this is how, even when you're sharing information for treatment, you should share the minimum necessary information. And if you're giving out information that's clearly not related to that person's treatment at all, say, for example, I go in and I look at all the providers even the podiatrist that you saw and you're in presenting for something that has nothing to do with or couldn't have anything to do with your podiatry visit, why am I looking at that information?

>> Sue McAndrew:

How do you write a rule for that?

>> Kirk Nahra:

Well, let me go a different direction.

>>

That's precisely why the industry is sort of self-regulating right now.

>> Kirk Nahra:

But no, no, you have a rule for that today. You have a rule today that is both rule and practice. I mean, minimum necessary is a concept that exists. There are carve-outs to minimum necessary. That might be one of them. But a doctor -- again, a doctor is -- well, first of all, that discussion assumes that the person answering the phone call is a professional who knows what they're doing, which a lot of times we know is not the case, it's a records clerk. But in theory they're supposed to do some of that calculus today. In theory I would think from a -- you know, if there's any close call, you want the information to go out in that context, right? I mean, if it's perhaps relevant, I want to disclose it for treatment purposes, not withhold it.

>>

Right.

>> Kirk Nahra:

Is the difference that we're describing the fact that that control isn't there anymore? Or have we just turned the control to the asking person? These are all covered entities here. I mean, in that situation, let's say that I'm the emergency room physician and I can go to that screen and find out that Deven has gone to 15 doctors in the last couple years, do you leave it up to the originator of the record to decide what I should see or do you put the burden on me, which I think it would, again, would probably be under HIPAA to say, you know what, I don't need the podiatry records, I'm not going to look at that. So is there a difference there? Do we need to make that more explicit? Again, I think that is, if I went in today and took information -- if I'm that emergency room physician today, again there are RHIOs that exist today. If I go in today and take information that I know I do not need, have I violated HIPAA today? No, I don't have to -- I don't have any minimum necessary restriction on what I take?

>> Sue McAndrew:

Under HIPAA today, the requester is in control.

>>

Right.

>> Sue McAndrew:

Because the disclosure does not have minimum necessary restrictions when the disclosure is for treatment purposes. In terms of minimum necessary, using it as a think twice before you disclose kind of rule, we wanted to expedite treatment so you don't even have to think twice. Give the requester what he thinks he needs, what he's asked for, just give it to him. At least in terms of, you are not going to be liable under this rule if you just give them, give the treating provider what he thinks he needs and what he has asked for. Whether or not, and I would expect, the practice to be that the doctor does do some filtering.

>> Kirk Nahra:

The disclosing doctor.

>> Sue McAndrew:

The disclosing doctor does do some filtering in what is disclosed. But is not required by the rule because it would take time away from an expedited response to that treatment need.

>> Kirk Nahra:

Okay but let me play it out --

>>

I would ask for three elements.

>> Sue McAndrew:

It is just what he asks for.

>>

What if he only asks for three elements?

>> Sue McAndrew:

He gets what he asked for.

>>

And then the person disclosing disclosed more than that?

>> Kirk Nahra:

But that's a problem today. That's, I mean, it's not necessarily a violation today. No minimum necessary for treatment. They shouldn't do it today. It's a bad practice today. But again, the rule deals with that today. My question, Sue, I guess was the opposite of that. You said the burden is sort of put on the requester.

>>

Right.

>> Kirk Nahra:

I'm saying the same example. If I'm the emergency room physician, I'm the requester, and I can go into the HIE environment and see 20 records there. Is it the burden on me to only pull out the 15 or the 2 or the 5 that are relevant? I think it's a limited burden. It's not a bright line burden. But if there's clearly, you know -- if it's a podiatry -- I'm trying to think of something that's extreme. But if it's podiatry record, I'm in there with a heart attack. The burden is sort of on me not to ask for that information. Do we need a different rule that forces that answer?

>> Sue McAndrew:

Having watched House, you never know what's going to be relevant, so you take it on, you make the best diagnosis.

>> Kirk Nahra:

Again, that's exactly right. Again, that's sort of what happens today, is there something different because more information is potentially available that says different rules? That's the thing I struggle with. I mean, how is the patient going to know in the House scenario, which of these things are relevant?

>> Sue McAndrew:

Right.

>> Kirk Nahra:

And in fact the one -- the patient is not likely to say, I don't want to tell you about my podiatrist because -- you know, they're likely to say I want to tell you about my HIV treatment, you know, something that probably is likely to be relevant.

>> Sue McAndrew:

I mean, there is a minimum necessary requirement within the institution for their uses of information. But since we allow the entity to write their own rule, with respect to what they think is minimally necessary for treatment, we also tolerate a very broad treatment use.

>> Sylvia Au:

I can tell you in the teaching hospitals, a lot of the med students tend to over-get information for treatment, because they don't want to miss anything.

>> Sue McAndrew:

Oh, sure.

>> Kirk Nahra:

Well, there's nothing necessarily wrong -- again, if your goal -- I mean, from a privacy perspective, potentially a negative, from a treatment perspective, clearly a positive. And probably on balance, again, people could vote differently on this, but presumably we want to err on the side of better treatment, again, unless there's a real problem on the privacy side.

>> Deven McGraw:

I want to posit something. And I'm trying to think of a way to use and maybe strengthen the restrictions requirement but focusing less on separate pieces of information and more on participation in the network in the first place, for any of your records and maybe sort of a provider-by-provider distinction. The folks from Massachusetts raised this because of the presence of psychiatric facilities that everybody knows if you're there, what kind of care you're getting. And partly it's playing off the point I was making earlier. People think right now they have a consent right because they have, they're asked about records from other providers, which they wouldn't be necessarily in the context. Which could make them very nervous about the, you know, really supporting health information exchange in their communities or nationwide. That if they had the right not to participate and whether that's opt-in, because they're asked the question on the front end or opt-out because they're asked it on the backend I don’t think matters as much to me.

But they get through the right of restriction, which I think you have to strengthen it, since right now it doesn't necessarily have to be honored, to say either I'm not comfortable doing this at all, or I'm comfortable doing this but only for these doctors and these hospitals. Now, it does raise issues that there will be information that won't be available, and that's not as effective for health care, but that's a scenario we have now because people don't self-report.

The other thing, but I think that it could actually do a lot to resolve some of the trust issues that have come up in some of the polling data about what makes people so nervous about putting their information online. The other thing I'll bring up, and again this is based on conversations that I've had with folks in Massachusetts, with the models they're building there, is they've done opt-in but they've done it with a lot of education and they've got 98 percent of the people participating. Because when you sit down and explain it to people, they realize that the benefits of having all your information available so that people who are treating you under any set of circumstances have all of the possible relevant information, certainly outweighs whatever risks or embarrassment might be caused by them seeing that you're on birth control because you're having an affair.

>> Kirk Nahra:

Again, I don't disagree as a policy matter with anything you said. I guess what I still struggle with, and again I think what we want to sort of drill down on is, if today we're in a scenario, or in the future we're in a scenario, where the asking doctor is not in an HIE network, they don't have to go through any of those steps. And you know, they don't have to -- again, maybe the, maybe the difference is just that yeah, we don't have a consent rule under HIPAA, but if the person doesn't tell them about it --

>> Deven McGraw:

How do I know to get it?

>> Kirk Nahra:

That's a fair, practical distinction. And it may, again, that is the kind of thing we're trying to drill down. That's a practical distinction. Not a rule distinction but a factual, operational distinction. Perfectly fair one. Like I said, I want to just push as to whether that -- the fact you can now do it better, you can gather information better, for better treatment, means you put in those extra rules.

>> Steve Posnack:

I can piggyback on that and hopefully I don't set this up bad. With respect to the Massachusetts example, that to me seems like a fresh slate look, to get into the health information exchange, I guess the question would be why in the first place is there a difference, and Kirk and I have talked about this before, why in the first place was it determined that there needed to be an opt-in or opt-out? And because you can do it for treatment, and you know, you can set up this network for treatment to be a more efficient mechanism for providers to exchange information presumably without a patient's authorization for the treatment data, you know, this gets to your involuntary participation, I think, quote unquote example that you were referencing Deven. So Massachusetts has decided to do an opt-in. But why did they get to that point? I guess is my question.

>> Deven McGraw:

I think they were concerned the people in their community would resist the efforts to move the providers to a networked online system as opposed to what exists now. And there are a lot of providers that have electronic records in the Commonwealth because there’s some pretty advanced stuff going on out there. But to link them all together so you could be reaching out to Brigham and Women's even though your community hospital at Brockton is what you usually go to. And their fear was that people would resist and push back to the extent that they could through public policy levers or however it is that, you know, --

>> Steve Posnack:

I guess I'm trying to tease out the difference in the current HIPAA environment, you know, for that option.

>> Deven McGraw:

Right. And --

>> Steve Posnack:

Doesn't necessarily need to be exercised.

>> Sylvia Au:

That is a political decision, not a legal --

>> Steve Posnack:

Right, but that's not a decision that -- correct me if I'm wrong.

>>

And there’s the perception of vulnerability. When you get into an electronic environment, and certainly our organization experienced this over the past year, when you get into an electronic environment and all of your information is in one place, it feels as though, if all of my doctors’ information is somehow stolen on a CD, or a disk, it's all now available to whoever stole it. And if it were just a situation where it was just my doctor's office, and not five other doctors' offices that are connected with me, I don't feel as vulnerable. And that vulnerability factor, I think, would drive whether or not you would choose to allow somebody to opt in or out of that, because essentially you would be forcing them to accept that sense of vulnerability.

>> Deven McGraw:

In some respects, it's a recognition that the way things, again, operate now, give people a sense that they have more control again for records outside their own providers than is actually legally permissible. So it's kind of going to the point I made earlier, maybe this is not a loophole or misfit that needs to be corrected but instead an affirmative step to take to advance health IT.

>> Kirk Nahra:

Let's play this out a little bit. And I do want -- I mean, I get the sense that we've got, that we've essentially identified a potential difference. And it seems to me that we want to take that potential difference, and maybe it's a couple of potential differences, and tie it into, all right, how are we going to gather information such that we can make a decision as to what our recommendations are going to be? The mere existence of that difference, or potential difference, doesn't mean we recommend a different standard. It just means, okay, that is a possibility, that's something that makes sense as we might need a different rule, let's figure out if we do need a different rule.

So I'm going to try to summarize this potential difference without any particular confidence that I'm going to do this right. I mean, the idea being that at least in some models, again, some of this could be dealt with by system design that says you can't find it unless the patient tells you about it. Put that aside for a second, although I don't want to lose sight of that. For example, it would be very easy to say because of this difference, we recommend that systems be set up with this way and if you do it that way, the HIPAA rule works fine. That's a possible outcome. Put that aside, with a break-the-glass emergency if you need it. But the fact that this information is more broadly available without the, without the need for a patient to identify where the sources of that information might be, is a difference that might lead to a different kind of consent model than we have under HIPAA. So we would, we would want to understand, you called it the trust factor, Deven. We would want to understand a little bit about how people think about that. Somebody could tell us that that matters, doesn't matter, the vulnerability sense that David was describing, does that really matter to people? I don't know the answer to that. I'm sure -- probably -- but somebody could come in and give us information about that.

Then we've got the question of how would you do it, or what would you, what would respond to that issue? All right, we've got the potential issue. What are we trying to provide? We're trying to give information, we're trying to, I think you said, Deven, in the Massachusetts model, that there was educated opt-in or something like that. I know that when you read the HIPAA rule, you get the sense that every time you go to a doctor you're going to sit down and have this great brilliant discussion of privacy philosophy with your doctor when he gives you the privacy notice and we all know that never happens. So, you know, we should talk about okay, how would you achieve this kind of thing? Would it be better to say -- I mean, again, what I'm hearing a little bit of what they did in Massachusetts, maybe we bring those -- I think they were at one of the earlier hearings, but maybe we bring them back -- is if what we're doing is we're going through an exercise that is designed to build confidence and because it's 98 percent of the people, it really doesn't have any detrimental effect on the system, although I'd want to understand a little bit who that 2 percent is because that may be the people we care a lot about.

>> Deven McGraw:

Right.

>> Kirk Nahra:

Those are things that sound again like they might be useful things to start learning about. Again, if they come in and say yeah, it's a little different, but all it is is it’s faster and you know, we get better information, the doctors are happy, maybe we say okay, well, HIPAA is good enough. So that, is that sort of going in the right direction of what I'm hearing today?

>>

Yeah, I think logistically there's some other things I'd like to know about that. In terms of how they're administering that. Is it an opt-in applicable to all providers? A one-time decision? Is it provider-by-provider? In other words, I opt in with Dr. Jones' stuff, I choose not to with Dr. Black. Is it an opt-in specific to a visit? Okay, so is it provider-by-provider or once --

>> Deven McGraw:

In the model I'm talking about, people probably do it differently --

>>

But I'd like to know.

>> Deven McGraw:

-- just an example. Oh, I would, too.

>>

And shoot, there was another point but it's gone. I'm sure it will pop out in another five minutes or so.

>> Sylvia Au:

But they might have privacy policies that are properly explained and make people feel comfortable that they were stringent enough that their information was not just being looked at by Joe Blow, Dr. Joe Blow for no reason.

>> Kirk Nahra:

But that's not being looked at by Dr. Joe Blow for no reason is covered by HIPAA. We have to keep that in mind. Now, again, there was a lot of commentary when the HIPAA rules came out, particularly the change in the consent model, that said oh, people are going to be reluctant. I don't know if you have any thoughts on this. But I don't get the sense that that has played out that way. That we don't have people who are saying I'm not going to go to the doctor or I'm going to pay cash to make sure that nothing goes to my insurance company, whatever it is. I mean, there may be some of that.

>>

There's a little of that.

>> Kirk Nahra:

But it’s far less than I think there were some who speculated there was going to be.

>>

I got to get this out before I forget again. The other thing that I think we're assuming is that all of the networks that are developing have sort of this rich full-text model of being able to access any data element in the record like the divorce and stuff like that. That's not my understanding of how these models are developing. I don't know about Massachusetts, I don't recall really what their model was, but you have like North Carolina that has just basically an emergency department database and that’s all that’s in there is emergency department visits. So the trust issue I think is affected by kind of the scope of the exchange. And if you're getting into full-text access to this because of a divorce and stuff like that, people are going to have a different level of concern, I would think, than an emergency department database. Yeah, I was treated for a broken ankle, for whatever.

>> Kirk Nahra:

Although presumably our challenge and our charge is to -- I mean, we don't have to come up with one rule necessarily, but we're supposed to have recommendations that deal with present and future, focusing more on the future, and if we need five rules, we need five rules, but you know, it's relevant facts to what people are doing now. But I assume we're going to be thinking about an environment that is more closer to full access to full data, or full data availability.

>>

I think so too. But I think it may have implications for the rules that we would come up in terms of how stringent do you really need to be based on the richness of the --

>> Kirk Nahra:

The other piece that I guess I'm interested in professionally, although I'm not sure who testifies about this, is I mean, it sounds like what is happening in Massachusetts, and I've heard this sort of generally, is you sort of make a one-time front end decision. That's real tough. I mean, I just don't know -- I guess, you can just say yeah, okay, I'm comfortable with it. But the point -- I mean, if you're uncomfortable now, the problem is going to come up later. And if I'm, if I'm comfortable today and I say, yes, but five years from now I have, you know, whatever psychiatric breakdown, or five minutes from now, you know, then it's a whole different environment so do I get to change my mind? That starts to get --

>>

That gets to authorization, which is very problematic. How can you give a knowing consent to something that doesn't exist yet?

>> Kirk Nahra:

And if you always say yes when you’re on the emergency room table with a heart attack, you may not when you’re in for your foot surgery.

>> Sue McAndrew:

I do think part of the Massachusetts system is that you can change that. You can move the toggle to a no at any point in time. It's not a yes and you can't change that.

>> Sylvia Au:

And they pull all your information as soon as you say no?

>> Sue McAndrew:

I don't know what -- I don't know how they store the information, I don't know where that information exists. I don't think that they would pull it back from other people that may have used it. Just not send any more once the no is there. I would also say, I think in Massachusetts this is a small -- it's not statewide.

>> Deven McGraw:

No, it’s not statewide.

>> Sue McAndrew:

They have multiple networks that are coming on line and this is just one of the, this is just the first of the networks, and others I think may even be conceptualizing this opt-in, opt-out differently and they have different --

>> Sylvia Au:

So could you opt-out and then have something like a genetic test and then that's not included in it, and then after you've had it, then opt back in, so --

>> Sue McAndrew:

You know, it seems to me that, you know -- and NCVHS is having similar discussions at the same time in terms of how granular -- one, they have already recommended that individuals have either an opt-in or an opt-out choice of having their information on the network or not.

>> Kirk Nahra:

NCVHS did?

>> Sue McAndrew:

Yes.

>> Kirk Nahra:

That's one size fits all, either all in or all out?

>> Sue McAndrew:

No, but there's, there ought to be a fundamental choice at the outset and I think they're conceptualizing with each provider that you see is that you give that provider, and they did not make the opt-in or opt-out decision. But they said the choice to participate in the network ought to be made at the outset. And now they're moving on from that in terms of saying, and in addition to this basic yes, or at least the ability to say no, I don't want any of this. But even if, once you're in, is to have additional choices in terms of the nature of the information that you would permit to go into the system and be connected to other providers.

>> Kirk Nahra:

So following up on that, another factual piece of information that I'd like to hear about, and again I don't know who tells us this, is we've got goals for this system of improved health care, increased efficiency, lower administrative costs, I'd like to understand a little better how those various choices are going to affect our ability to have improved health care. I mean, I'm going to assume that the health care system, put privacy totally to one side, that if your only goal was improved health care, you'd put all the information in and you'd make everybody put all the information in. And that that would be, that would result in the best health care treatment. So the question is, as you move back away from that and you give some ability to pick and choose, what does that do to our desire to have improved health care? What does that do to our desire to have administrative efficiency?

Now, I have a little bit of a sense that as technology has gotten better, that the administrative efficiency piece is a little bit of a red herring. You can click that off and that doesn't make that much-- we may be able to deal with that part. But I think it's a real issue on the health care side. And it's particularly an issue -- I mean, for example, if my choice, if we're going to give me a choice and my choice is all in or all out, maybe that's easy because if the hospital is looking in a network that has nothing about me, they just have to deal with that. The harder part may be you have some of mine but not all of mine. I'd like to hear somebody tell me what difference that's going to make, if you let me -- again, my concern is that the information that the most sensitive people are most sensitive about is often going to be very relevant information.

>> Sue McAndrew:

I mean, there are, part of the testimony before the NCVHS, particularly in the area of should we or should we not be masking sensitive information, however you want to (inaudible) was -- and if the individual has consent -- or wants that information masked, what do you tell other people about that?

>> Kirk Nahra:

There’s something there, or there's something there and we can't tell you what is it, or there’s something there versus you don't know there’s something there.

>> Sue McAndrew:

Right. And how much do you reveal about what's been masked and I think by and large they're coming to a conclusion that you just tell them that something is masked. There may be then the ability to have the conversation with the individual to say, hmm, I see from your electronic record that you have something masked. Do you want to give me a --

[laughter]

>> Kirk Nahra:

For example, I mean, I've seen this in a slightly different context under HIPAA. I deal with a lot of my clients are health insurers who do fraud investigations. And they do fraud investigations of the provider, they're allowed to go to the provider and say we're doing an investigation, we need this information on the person, and some very savvy providers are saying, I'm not going to give you -- or basically, they say to themselves, I'm going to withhold certain things because I don't think it's minimum necessary. Inevitably it's the stuff the person wants. One of the things I’ve told my clients is get them to tell you you've withheld anything because of that. Knowing that something exists but isn't there is important. Let's put that in a factual category. Relevant information, not sure who's going to tell us about this, but I want to know what difference it's going to make to the health care side of these networks if people pick and choose what goes into them.

>> Paul Uhrig:

But that drives me to the conclusion that we would come to a recommendation that the patient cannot pick and choose.

>> Kirk Nahra:

No, if they come back and say it doesn't matter or we think we can deal with that, or -- I mean, I'm not sure what that is. I just want to know if it's relevant. If the medical community says we'll take anything we can get, and more is -- you know, more than today is better, even if it's not everything, and we can deal with that. We don't think it will have a big difference, maybe that pushes towards giving them the ability to pick and choose. If the medical community comes in and says a half-assed system is going to be a disaster, I'd rather not have the system at all. Okay, I want to know that. I don't think that's what they're going to say that. But they might say that. They might say the people in Massachusetts that are the 2 percent are the most vulnerable population who are the most likely to have health care problems and it’s a real negative, a real negative on the treatment side. I don't know. It may be people that don't like to disclose their bunions.

>>

Or maybe it's okay as long as there's a caveat being able to break the glass.

>> Kirk Nahra:

Or knowing that there's something that's been withheld, or -- so I don't -- that's what I want to learn. I mean, you're right that that's a potential conclusion if potential testimony comes, if testimony comes in a certain way. But I just don't know what the answer is. I don't know the facts behind that.

>> Sylvia Au:

Are there networks that have been around long enough to be able to give us that data on the --

>> Kirk Nahra:

I'm not sure where we get the information from.

>> Sylvia Au:

Because I'm thinking --

>> Kirk Nahra:

Well, we got to figure out what we can learn about that.

>>

Right.

>> Kirk Nahra:

Put it this way. If we have no ability to ascertain what difference it would make if we give people a right to choose, to opt in versus not, you know, I'm not sure we should be in the business of making a recommendation there.

>> Sylvia Au:

The recommendation could be that research needs to be done in that area.

>> Kirk Nahra:

For example, I would be very uncomfortable, even if we agree these are all significant differences, I would be very uncomfortable with the recommendation that says we're going to give people the ability to opt in to this system if we have, if we don't know that that won't destroy the system. So I want to do what we can. Again, we may conclude that there is nobody that has the right information and that's exactly what we want to look for. Again, I want to figure out what we can learn about the impact from the medical side, and again maybe -- I think we should probably think about the cost side, although my sense is the technology is going to take care of the cost side, although they thought that with HIPAA standard transactions, too and it didn't work out that way. So let's try -- let's figure out what kind of information we can gather to learn about -- again, whether you say it's opt-in -- I mean, again it seems to me opt-in versus opt-out is going to be a big difference. If everyone is in unless you say no. Massachusetts sounds like it was 98 in an opt-in, and I know -- I'm not being precise. You're not a guarantor of their information. That's your sense.

>> Deven McGraw:

My understanding is that they used a pure opt-in model and they asked people, not the other way around. But there certainly are -- it's a big discussion going on in a lot of different RHIOs.

>> Paul Uhrig:

And there are States that are leaning in the opposite direction.

>>

Right.

>> Kirk Nahra:

So let's at a minimum make sure we hear from both of those models.

>>

Yeah.

>> Kirk Nahra:

And let's see what else -- I mean, I'd like to know a couple things. I'd like to know what their success is. I’d like to know what the impact is, and again, Sylvia, your point is probably right, maybe there's not enough history to have health care results, but let's figure out -- 98 percent is an interesting number. I'd also be a little bit intrigued what the two percent is.

>>

Right.

>> Kirk Nahra:

If that fits any particular pattern.

>>

ACEP might be a good source for -- American College of Emergency Physicians might be a good source for sort of the provider sort of receiving the information on that end. You know, that sort of dimension as opposed to just looking at it from the HIE perspective. Look at it from the consumer or the data perspective. I don't know if they've done any work on this but it might be something -- they have a pretty active policy group. Might be a source of information for us.

>>

I'd also be curious to see how accountability plays into this in terms of being able to capture who accessed what information, not just who modified a record, but maybe even who accessed a record. And maybe that's an example of factors that promote trust when you're dealing with an opt-in, opt-out decision. Or maybe it's a separate issue by itself, but I feel like on the tail end, especially if you're talking about breaking the glass, who broke the glass, when and why, and does the ability to capture that information make a difference, maybe it's not so much the restrictions that might have to be changed or reinforced, but how you track it, how you track it in practice.

>> Kirk Nahra:

Sure and that's a good breaking point. That's part of our next scenario, some of the individual rights side of this and how that’s played out. We are scheduled to do a break, let me just -- let's try to wrap this up a little bit. I think this has been a very helpful discussion. Amazingly enough, served to do exactly what we're trying to do. First time that's worked in a while. So --

>> Steve Posnack:

I feel a little lost, but if you're okay.

>> Kirk Nahra:

I don't think we answered -- I think what we did today was we made some progress with that scenario towards identifying some things that are potential differences that may lead to a recommendation of some difference. You know, of something other than HIPAA. And our challenge is going to be to go from this discussion where we all have opinions, to figuring out where we can get useful information to again add some facts to our opinions. And that's not an easy task. But I think that's -- at least we've got topics now to identify, try to identify some witnesses on. I don't think this is the end of this discussion, obviously, but are there other points that people want to make now? Are there particular topics that you want to -- again, what we're trying to do is look towards our next couple of meetings and think about what kinds of information we're going to be bringing into this group. Are there other points -- anyone on the phone want to make any points about this? Anyone else in the room?

>> Deven McGraw:

The choice of the doctor not to disclose the information.

>> Kirk Nahra:

Meaning what, if I'm a hospital and I contact you and say I need to get the records when you treated Paul?

>> Deven McGraw:

Right. And I say no, because clearly I can.

>> Kirk Nahra:

Well, you can say no because HIPAA doesn't force you to do much of anything.

>> Deven McGraw:

Right.

>> Kirk Nahra:

HIPAA permits you to disclose in that context, presumably encourages you to disclose, but you haven't violated any HIPAA rules by not disclosing.

>> Steve Posnack:

That was one of the differences I was highlighting with the health information exchange, you can query and depending how that is set up, that interaction doesn't happen anymore.

>> Deven McGraw:

Right.

>> Kirk Nahra:

Again, now, that's clearly an interaction that has led to some kinds of complaints, although the complaints have more typically been -- there have been far fewer complaints than many people predicted about providers not agreeing to disclose when another provider requests. Where we are seeing lots of complaints is providers not disclosing to other people, you know, you about your grandmother kind of stuff. Now, I'm not at all sure those complaints are valid. I mean, if it's harder -- if a hospital doesn't want to give me a lot of information about my grandmother who is there, or my mother or my child or my divorced spouse or my 24-year-old son with a drug problem, part of the rule is that they're sort of discouraged from doing that. So that's another piece of it is the sort of outward disclosure from the provider side. But yeah, again, that's current rule today. Does creating an HIE system where the burden is on the person who wants the information not -- again, part of the problem we have now is that there's no incentive from a privacy perspective of the doctor to disclose today.

>> Deven McGraw:

Right.

>> Kirk Nahra:

All they can do is screw it up. Disclose something they're not supposed to disclose. They can't violate the rule by saying no. If we cut that choice out, is that a better choice, is that a better system? That's something that’s worth thinking about.

>> Sylvia Au:

Back to the filtering part again. If you come into the emergency room with a broken leg and you call Dr. So-and-so who knows your Huntington's disease status, they're not going to tell you the Huntington's disease status because you have a broken leg.

>> Kirk Nahra:

And that's a fair example. But the reverse fair example is that's relevant and I don't want to disclose it because I don't see any upside to me but the person on this end needs to know, so do you flip the system so that it's their problem? We have the opportunity to do that in an HIE environment we don't today. If I don't have the information and it's solely held by the doctor, I can't get it unless the doctor gives it to me. HIE environment, maybe I can get it without the need to get the doctor involved. That might be good. That's good in some situations. You could say yes, it removes a filter, although it maybe imposes a filter on the doctor. It also removes the nervous uncomfortable resistant lazy response.

>> Steve Posnack:

I just have a differences question. It will either be shot down or you'll embrace it. With respect to the restrictions, you know, while I was going through this and the logic involved in that, I guess the question in my mind was, is that analogous to the opt-in or opt-out question?

>>

Yes.

>> Paul Uhrig:

Steve, I'm sorry, is what in that?

>> Steve Posnack:

Restrictions. Because the way I was envisioning it was that if you go to a particular provider, you can ask them now if they'll restrict this information. You can ask them to restrict your whole record. Which is essentially if you port that over to electronic health information exchanges, don't put it on the network.

>>

Yes.

>> Steve Posnack:

So that I wanted to try to flush out and see if we could tease as a conversation piece. It may not be giving opt-in and opt-out. It may be what's different about restrictions.

>> Kirk Nahra:

That's a fair point, David. The current scenario has two ways for somebody to keep their information out of that -- out of sharing. One is not to tell them about it in the first place. The other is to tell them about it with the request for restriction which may or may not be granted. So our comparison is that scenario versus what happens in the HIE, is it good enough? And again, we may absolutely conclude that the restriction, again, restrictions I think in practicality today under HIPAA play a very small role. Maybe what we're describing is a system where the restrictions request plays a bigger role. Now, again, part of my hesitation with that I mean this is counter to a lot of what I've been saying otherwise, is I don't think the HIPAA rule really permits that restriction to be that effective because you don't have to do anything. You don't even have to think about it. You can just blindly say no every time. So maybe what we require, maybe what our recommendation is is we're not going to have basic opt-in and opt-out. We're going to put everything in restrictions, but in order to make that work it needs to be a stronger restrictions rule. Again, could be a perfectly viable realistic recommendation. I guess one other thing to throw out in that regard, and I say this as sort of a background point, which is we could go in with a set of recommendations that blow up the HIPAA rule. Or we could go -- my presumption would be I'd rather make fewer, smaller changes, than blow it up.

>>

Right.

>> Kirk Nahra:

So the fewer -- changing the overall consent model is a big change. Putting the restrictions requirement that says if they ask, you really need to grant it unless there's a good reason not to, is a little tweak.

>> Sue McAndrew:

It's not a little tweak from a practical matter. You wouldn't believe the nature of the restrictions that you literally cannot do.

>> Kirk Nahra:

Well, then, you don’t do it. That's a good reason not to -- or maybe put it in this context or you say, if it's a request related to X, Y, and Z. Again if I go in and have a restriction that says I don't want my information ever shared with a vendor for any purpose, that's not -- that can't happen. But if I say, I don't want this put into the health information exchange network, again, so we've got to tinker with it. That's a smaller change to the overall health care privacy environment than changing the consents model. Now, that may -- again, that would be my view, I would rather have a small change than a big change. But maybe other people might disagree with that.

>> Paul Uhrig:

We're talking about restrictions, I would like to sort of know, is there data in the world I live in, providers typically do agree to restrictions, because it's relatively easy and they don't want a patient to walk somewhere else for care. I don't know if there's any data as to why providers do or don't agree, the number of times, and the why.

>> Sue McAndrew:

I don't know about the number of times. But I mean, in our association, our common experience is that it very often gets down to how do you wall off information from a particular person. That's the scenario probably 75 percent of the time. I don't want Joe Blow who works in the ICU to see my information. Well, that's fine if you're a pediatrics patient that's not in the ICU. If you're in the ICU, there's no practical way that you could guarantee that that wouldn't happen. Is it a physical impossibility? No, there's ways you could do it. But honestly, from a practical standpoint there's no way you could guarantee it. There's staffing issues, there are all kinds of things that would (inaudible) your ability to do that reliably, and the last thing you want to do is promise something you can't deliver.

>> Paul Uhrig:

Right. And then I guess my question is, does that change as we move into a more electronic world? Does it change where if I say I don't want Joe to see it, and practically the only way Joe could see it, is he enters his password and name, that's probably easier to block than in a paper world.

>> Sue McAndrew:

In some scenarios it would be easier to block. But again, you have other dimensions like who is on duty, who is scheduled to care for the patient, that kind of thing.

>>

Some systems wouldn't -- they're role-based systems and so if that person has that role, you're going to have to revamp the whole system to be able to be person-based rather than role-based, which is going to revamp almost all the existing systems.

>> Deven McGraw:

I think it goes to the question that we have already asked, that we wanted information on, in terms of making decisions about the granularity of what you can restrict.

>> Sue McAndrew:

Yeah.

>> Deven McGraw:

If you are considering taking this existing restriction --

>> Sue McAndrew:

Yeah. I mean, if we were anticipating --

>> Deven McGraw:

-- but subject to a certain set of parameters --

>> Sue McAndrew:

For example, as it relates to participation in the network. That would be a restriction request that I think would be fairly administratively simple to do. But if you blow up restrictions altogether and say you've got to accommodate them, whatever they are --

>> Kirk Nahra:

Maybe what you do -- okay, you're raising a fair point, maybe I was too -- we could certainly say if the request for restriction goes to participation you got to deal with it.

>> Sue McAndrew:

Right.

>> Kirk Nahra:

That would be a minor tweak rather than a -- again, I would always prefer a smaller change than a bigger change, unless there's a real good reason for a bigger change. That way you could accommodate our goal without -- again, in this context -- I mean, for example, I don't think we ever want to get in a position that says a HIPAA rule for every purpose, 95 percent of which has nothing to do with health information exchanges, needs to be changed to accommodate HIEs. I think we want to avoid that. So that would be an example. We don't want to blow up the whole rule, we want to make a change in this context perhaps.

>> Steve Posnack:

The other two points I wanted to get that will help people continue to think when we get to the next scenario. I think for the most part we've been talking about multiple records in multiple places and the one point we were trying to make in the repository model was if the repository combines all the records, and you’ve got one big comprehensive conglomerate of a record, how do you deal with that? And then, if you lay our recommendation from June over the top of that, this health information exchange now would be infused with the responsibilities that it didn't, you know, have in this other world, or would have currently, and they would have to provide for restrictions or other types of individual rights and et cetera. Just other considerations as you think about the next scenario, those types of differences that we were trying to get out.

>>

Yeah, and what I don't know about those repository models is whether they're deferring decision making on those portions of that big file again to the original provider or whether they've got a central staff who makes those and I don't know the answer to that. But it's relevant.

>> Steve Posnack:

And there are questions about that and the staff of the health information exchange when we get to the access scenario.

>> Kirk Nahra:

All right. Anything else on that scenario? You know, please if you have thoughts following today's meeting on witnesses, tweaks to the topics, you know, pieces to that, that's very important for us to gather. We're going to -- again, this has been very useful in terms of trying to flesh out where these potential differences might be and how we might deal with them.

It is essentially 3:00, 3:02. Let's take -- I guess let's be back here at 3:15 ready to go. Thanks, everybody.

[break]

>> Judy Sparrow:

Jennifer?

>> Jennifer Macellaro:

Hi, Judy.

>> Judy Sparrow:

Hi, we're ready to resume.

>> Jennifer Macellaro:

Okay, great.

>> Judy Sparrow:

Thank you.

>> Kirk Nahra:

Welcome back, everybody. We're going to spend the rest of our time this afternoon talking about the second scenario in our materials. It is a variation of sorts on the first model. The major idea is to focus on the sort of individual rights pieces of this equation. The scenario, let me just read it quickly to you. Excuse me.

>> Steve Posnack:

I was going with color names, too.

>> Kirk Nahra:

I did notice that. I didn't focus on that one, you just said Mr. Gray, but as soon as we got to Mr. Red, or Ms. Red and Mrs. Violet. Mrs. Red has just recovered from her second heart attack. She has decided to move from D.C. to live with her daughter Ms. Violet in New York and wants to get a copy of her medical records to bring to her new doctor. So that is the scenario.

And I do think, Steve, that the Ms. Violet was just extraneous. Gratuitous.

[laughter]

>> Steve Posnack:

It was just to make a one point, in case we --

>> Kirk Nahra:

With the lead pipe --

>> Steve Posnack:

For anyone who has seen Reservoir Dogs.

>>

Reservoir Dogs?

>> Steve Posnack:

They name the criminals colored -- you know, not -- different colors.

>> Kirk Nahra:

Got it. I was thinking of Clue.

>>

Me, too.

>> Kirk Nahra:

I played Clue last week. All right, moving right along. Here's an example, we're going to talk about the access right. We can also talk, I suppose, about the accounting right. I don’t know, have people had a chance to read through this? I don't know that it's worth -- the HIPAA piece is relatively straightforward. She has the right to ask for the records in her designated record set. Providers are required to respond to her, required to provide information with very few exceptions. This is an area, just to follow up on our State law discussion, where there is some enormous confusion with State laws. There are many State laws that grant access rights but impose on providers stricter obligations not to disclose information in certain circumstances. You know, they have an ability to sort of exercise more judgment than they have under HIPAA. That's created a lot of confusion in some scenarios because that's presumably for the patient's interest but not for the patient's interest in privacy necessarily. So there's even a debate as to whether those rules are more stringent or less stringent. But putting that aside. So that's sort of the -- again, relatively straightforward. You got to make sure that you have some sense that this is in fact Mrs. Red. You can't just give this out to a stranger. So you have verification and those kinds of issues. And then essentially you provide the designated record set absent very limited exceptions. Is that sort of a fair, short description of the HIPAA piece of that?

>>

And you can make a photocopy fee, and a postage fee if you're sending them by mail.

>> Deven McGraw:

What is a designated record set?

>> Kirk Nahra:

Well, that's a real good question and it's a question that I want to flag when we get to the HIE environment in particular. I'll just throw this out for people to think about, which is if the HIE holds a copy of what a bunch of individual providers have, is a designated record set?

>>

Yes.

>> Kirk Nahra:

Why? HIE is not doing anything with it. The HIE is not making any decisions with it.

>> Sue McAndrew:

Some provider is.

>> Kirk Nahra:

Why is it the providers -- it's a fair question, because today if I'm a, today if I am a business associate and I have a copy of the doctor's record, I do not have a designated record set. Same information, but I don't have the designated record set because I'm not doing anything with it. So it wasn't as obvious to me reading the scenarios that the HIE information was ever a designated record set under HIPAA.

>> Sue McAndrew:

Possibly. At least with the central repository.

>> Kirk Nahra:

Either model. If it's a pointer, they don't have anything.

>> Sue McAndrew:

Right. But there's a designated record set at the provider, the provider’s EHR.

>> Kirk Nahra:

Always the provider’s copy. Designated record set is essentially -- let me see if I can do this quickly. I mean, it's essentially the records about an individual that are used to make decisions about the individual.

>> Sue McAndrew:

I mean, that's -- it is the medical record. Arguably. I mean --

>>

Right.

>> Sue McAndrew:

We don't define that, but it is whatever one would conceive of as the medical record. In a plan situation it's the billing record. And then the catchall. Any other record, system of records that is used to make decisions about individuals. So it doesn't include all PHI that's that may be littered throughout the institution, but just those that are collected and actually used to make decisions about an individual.

>> Kirk Nahra:

So, you know, any particular HIPAA issues that people see, any other pieces we want to -- again, it's pretty straightforward. You make the request, you have to follow the covered entity's process for that, they’re supposed to tell you the process in your privacy notice, in their privacy notice, you know, say it has to be in writing to this address, you got to make it in writing to that address. Again, pretty straightforward. There are obviously other --

>> Steve Posnack:

Do you want me to step through, because -- I could step through the different types -- because this one had multiple iterations.

>> Kirk Nahra:

So type two was a non-HIE --

>> Steve Posnack:

Right, but electronic.

>> Kirk Nahra:

Okay. Go ahead.

>> Steve Posnack:

So when we get to this differences part, I think the differences are pretty much the same when it's electronic, between the HIE or just an electronic request. So generally if it was a direct electronic request for access to Capital Hospital, Capital Hospital’s similarity to the baseline. Capital Hospital's policy states that all requests for access must be submitted in writing so they can do that electronically. Through some electronic means Miss Red would make the access request, through some other means electronically Capital Hospital would have to verify Miss Red's identity.

>> Kirk Nahra:

And the rest is the same.

>> Steve Posnack:

And then the rest of it is the same. The differences we could possibly hold off until we get to the health information exchange environment scenario. So --

>> Kirk Nahra:

Again, let's be clear. Today under HIPAA, the rules are the same whether it's a paper request or an electronic request. Some of these, you know, some of these distinctions are relevant today in the HIPAA environment. Cost questions in the HIPAA environment, relevant. Electronic environment meaning the hospital's records exist in electronic form, not an HIE, but electronic. You've got timing issues, all these things exist today. Right? Let's hold off seeing how much privacy (inaudible). Keep in mind, though, there are two other sort of related individual rights that we could be talking about here, right to amend. You know, we could expand the scenario out to say Mrs. Red gets the record and says wait a minute, I had a heart attack, but I don't also have HIV, take that off my record. And then we have how that plays out. We also have the accounting request, which triggers a different set of issues. I mean, it's an individual right, I think amendment and access would be treated very similarly under these rules, both tied to designated record sets. The accounting rule would allow her to ask, you know, in certain limited situations, whether other people have seen her records. Let's certainly hold that one to one side. Then --

>> Steve Posnack:

So if we go into type three now, in a repository model, and I may have got this interpretation wrong but I couldn't see a way that the health information exchange, HIE-DC, would be obligated to fulfill an access request unless it was following our equivalence recommendation from June.

>> Kirk Nahra:

Again, that's what --

>> Steve Posnack:

But my question, you wouldn't necessarily go to the business associate, you would --

>> Kirk Nahra:

You can. Today there clearly are situations where you can go to a business associate. For example, where that becomes relatively common would be something like a health insurer for a self-insured health plan, where the employer who is the self-insured health plan doesn't really have anything, the health insurer is the third-party administrator, they have all the data, Blue Cross Blue Shield plan sets it up and the employer wants to agree that you go to the health insurer to get -- even though they're not a covered entity in that situation. So the individual is allowed to go to the business associate, they would only go -- there are certain business associates that are sort of client-facing. I mean, if a hospital hires some financial accounting firm to, you know, do a review of its records to figure out whether it's going to go broke, no individual patient would have ever heard of them and would have no idea that they exist and would have no reason to go to them. All business associate agreements have to say that we'll agree to provide access to information and usually they say if a request comes in to us we'll send it back to the covered entity.

So today if you had a RHIO who was only a business associate and a request came in to the RHIO, the RHIO's obligation to respond to that request for access would be defined by the business associate contract. HIPAA would typically say give it to the covered entity. I mean, HIPAA would typically push it there unless there was something different in the business associate agreement.

>> Steve Posnack:

So in the case where you've got multiple business associate contracts and some have said the RHIO should act on my behalf to, you know, to honor the access request, and others that are part of the RHIO that have said no, we're going to handle it, I guess you see that as a difference.

>> Kirk Nahra:

Well, I'm not sure -- I'm not sure I'd agree with that, only in the sense that let's say I'm a health insurer today and I've got 50 clients. I mean, my goal as a health insurer would be to have all my contracts say the same thing. But the reality is that they don't. Sometimes -- I mean, it's not clear to me -- again, if I'm the health insurer, I have most of the information, it's possible I don't have everything. So in theory that request really needs to go to the covered entity because they're the ones responsible. So I'm not sure that that’s any different today. I mean, the RHIO, I'm going to assume that most RHIOs, and again we could get information on this if we decide it's relevant. I'm assuming that most RHIOs that have business associate contracts have a one-size-fits-all business associate contract, that they do not --

>> Sue McAndrew:

That would be the assumption.

>> Kirk Nahra:

They're not negotiating individual contracts with individual doctors and hospitals. It's just too hard.

>> Sue McAndrew:

Too hard and one would assume that the RHIO would want uniformity.

>> Kirk Nahra:

Uniformity. Absolutely.

>> Sue McAndrew:

Across providers. I mean, that being said, what the repository model does raise, it's a little different, is the fact that what they are holding is some sort of blended record that may contain parts contributed by multiple providers.

>> Kirk Nahra:

That's -- does the repository model mean blended or they have all of them?

>> Sue McAndrew:

It could mean either. They could have independent databases for each provider or they could have a big blended database. If they have a blended database --

>> Kirk Nahra:

Do we know what the norm is? Is there a norm?

>> Sue McAndrew:

I don't think there's enough to have a norm. And I'm not sure that this is really a growing model.

>> Kirk Nahra:

Which, the repository model?

>> Sue McAndrew:

The repository model. I think because of -- it's the same kind of reaction to, you know, the national network resulting in a great big national database. That sends up red flags to most people. And even a big regional model with a big regional database is likely to send up more flags than a network where you, each provider maintains their own records and you just have pointers and pulls.

>>

I mean, the separate records to me was akin to a Web hosting-type thing. You go and register your domain name and get your own space on some company's big data, bit server farm of -- you get your Website and that could be your electronic medical records, electronic health records site for your practice. And that could be part of just one large company's data warehouse that they hold. So the question is, is that a health information exchange at that point?

>> Kirk Nahra:

Well, here's I guess how I look at -- I mean, let's talk about three, maybe three models of this context of HIEs. There's HIEs with a blended record where -- and concept -- I'm not sure practically how that works -- but where all the provider's stuff is shoved into one big record that doesn't exist anywhere else except in this HIE. That's one option, one model. Second model is what I would consider normally the word repository. All the individual are held in one place. They're still individual records but they're all compiled. And the third would be some kind of locator system, where you have information that Dr. Jones has a record but you don't have Dr. Jones' record.

So today, under HIPAA, the idea is you go to the provider. The core idea is you go to the provider. You go to the people you're dealing with. In the future, you've got a right to those records. You can go to an individual doctor to get that doctor's record. You can go to ten individual doctors to get your records held by each of the individual doctors. In theory, you now have the ability to go to the HIE and either in one place get ten individual records or possibly this blended record which is a unique document, because it doesn't exist -- unique package of documents, because it doesn't exist anywhere else.

The question in my mind, I suppose, is we now have that possibility because of the existence of the network. Does that existence of that network and the possibility that you can go to one place mean that we should change the rules to send people to that one place? Or change the rules to force that one place to respond to these requests? So that's conceptually. I mean, we can nitpick the technical details. But that seems to me to be the major issue there, which is, do you now impose the access responsibility on the network rather than today it's on the individual providers.

>>

Aren't you going to have to know which of these models are going to survive, to be able to make those kinds of recommendations?

>> Kirk Nahra:

Well, I mean, my question, I think, is would we do it for any of them? The locator model, it seems to me, the network can't do anything anyway. They don't have the record. So you'd still have to go to each individual provider. They'd have to pull it.

>> Deven McGraw:

They'd have to pull it, but they could. Because they could pull it for any other purpose. That's the purpose for having it.

>> Kirk Nahra:

Fair point. So would we, would we say just because we could have them do it, technologically, we're going to have them do it? That's a question. That's a combination of law, policy, business. We heard at least one, maybe more, of the RHIOs that testified recently saying, I thought in a little bit of a knee-jerk fashion, that that would be a real problem for them. The other thing to keep in mind in this discussion is the relevance idea, remember we had that discussion we were going to impose on RHIOs and others all of the relevant HIPAA requirements? We could very easily say in the same way that because RHIOs don't have any individual relationship with patients, that they don't need to give them a privacy notice, we could very easily say because they don't have any individual relationships with patients, they're not the ones to do access and individual rights either. We could say that. I'm not saying we have to say that at all. There is a consistency of some sort to that idea.

>>

I do see a convenience advantage down the road to patients to be able to do that.

>> Kirk Nahra:

Absolutely.

>>

But my understanding of the marketplace right now with RHIOs is that they’re struggling to survive. And putting the obligation to be able to do, to field those requests and sort through them and make sure they're accurately fulfilled does imply some costs.

>>

And some logistical implications.

>>

Absolutely.

>>

I would say one of the things that comes out of this is you're going to have to deal with requests for amendment.

>>

Right.

>>

Then you're going to have to go back to the provider to get verification that the amendment is even going to be accepted.

>> Kirk Nahra:

Okay, I lumped access and amendment. Maybe I shouldn’t do that, because that's clearly an issue that’s relevant in amendment, not relevant in access. That’s a fair point. Although one of the access issues would be some of those State laws that impose a judgment on the provider, presumably the network can't exercise that judgment.

>> Steve Posnack:

I guess for the cost issue, though, depending upon the State law, they could impose a cost to give that information to you. And it's reasonable.

>>

Although, I will parenthetically add that the cost, the restriction on the cost that you charge the patient for the access doesn't really begin to cover the actual cost of pulling and comparing and all of those things. It's the reasonable cost of copying that you're allowed under the rule.

>> Kirk Nahra:

It's not the administrative --

>>

Not the pulling, comparing, sharing --

>>

Refiling.

>>

Explaining, I mean there's, there are costs there.

>> Kirk Nahra:

Hopefully no refiling here.

>>

That's true.

[laughter]

>> Sylvia Au:

With the RHIO, let's say you're located in Hawaii and the RHIO is located in California --

>> Kirk Nahra:

You’re the patient?

>> Sylvia Au:

Yes. Verification on the patient's end will be costly because they'll have to be -- let's say there's no electronic verification that that's really the patient. You have to go to a notary, maybe, and have them sign a form --

>> Kirk Nahra:

Okay, again, the issue there, it seems to me, is verification is clearly an issue. It's an issue today. Is the issue any particularly different? I mean, for example, in this scenario, Mrs. Red, or whatever her name is, is now in New York instead of Washington. So you have that verification issue that exists today. Is there any difference in the verification issue? Clearly Mrs. Red, I mean there's a question about whether the RHIO -- I mean maybe that's the practical question. The RHIO presumably has current situations to verify providers, but the patients wouldn't normally be accessing the RHIO. So they don't have any idea who these people are.

>> Sue McAndrew:

It seems to me that we've dealt in part with authentication requirements --

>> Kirk Nahra:

Well, we sort of skipped them, actually.

>> Sue McAndrew:

So that, I mean, presumably there will be a way to identify individuals.

>>

If they're logging on to the network to make a request as opposed to just sending an e-mail request.

>> Sue McAndrew:

Right. But if you're taking an e-mail request, same way as if you would today get a written request, they would be -- there would be some --

>>

Additional steps.

>> Sue McAndrew:

Something that you would have in place to recognize that party before you would entertain any --

>> Kirk Nahra:

Here's I think what the issue is with this, is do we -- the difference is the convenience of being able to go to one place to make an access request. Today you can't do that. The question is, does convenience in and of itself justify really changing the system, where today it's provider-centered? You go with your provider, not to the third party. One of the factors that balances that convenience is harder ability to verify, I think because these are people who otherwise don't have any relationship. The individual patients are going to be strangers to the RHIO. Why would they have -- I mean, why would the average patient have any dealing with a RHIO?

>> Sue McAndrew:

The RHIO will be a stranger to an individual.

>> Kirk Nahra:

And vice versa.

>> Sue McAndrew:

Well, no, because that's their business. Their business is to deal with these authenticated individuals’ information.

>> Kirk Nahra:

But aren’t they -- their quote market is the providers for the most part, and the payers, not the patients.

>> Sue McAndrew:

But to me it doesn't matter. You know, they're not really -- whoever is running this network isn't really going to know Dr. X. any more than he's going to know Patient 123. But --

>> Kirk Nahra:

I mean, Dr. X. is going to be dealing with them routinely every day. I mean, if nothing else, it's going to be -- well, particularly if we're talking about some -- our example here of 100 doctors, presumably every one of those 100 doctors is there weekly and if not daily, and often multiple times daily, where the patient is going to make an access request once every five years and most patients will never make an access request.

>> Sue McAndrew:

Yeah, but their knowledge of who the -- it really depends upon how your authentication identification would be for people to have access to that information and if you have a system -- have an individual and you allow that individual to query the system, whether it's through the doctor or directly with the network, then it's simply a matter of whatever your credentialing and authentication rules are with respect to that individual. I mean, that's -- the identity of the individual it seems to me is a technological issue that the system will have the capacity to deal with.

>> Kirk Nahra:

I'd want to have information on that. I guess I don't agree with that.

>> Sue McAndrew:

Hmm. Okay.

>> Kirk Nahra:

We struggled, going back to our earlier discussions, we really struggled with what to do -- we could not come up with a verification, I mean, we were calling it an identity-proofing, other than in-person for people that didn't have a pre-existing relationship. We did not come up with that example. That's what this situation is.

>> Sue McAndrew:

No, no, no. But the people with the information in the system have gone through that in-person identifier. Whether it's by the provider or --

>>

Physicians have it.

>> Deven McGraw:

Not with the RHIO, with their provider.

>> Sue McAndrew:

But the file gets set up, the provider has authenticated Individual One, and however the system uniquely identifies Individual One so that if Individual One comes in through another provider, they know that okay, this is additional information about the same patient, and they can call that up. I mean, the RHIO is just there linking up this information.

>> Kirk Nahra:

Yeah, but when I'm outside that system and I'm saying I'm Deven, how do they know, how does the RHIO know that I'm Deven? I don't think we found that --

>> Deven McGraw:

We didn’t reach authentication but we didn't reach it not because we struggled with it but because we skipped it.

>> Kirk Nahra:

But I'm not sure I agree with that.

>> Deven McGraw:

We had a lot of discussion on identity-proofing, which is the first entry --

>> Kirk Nahra:

We have -- I don't think identity proofing -- maybe we’ve skipped the question of whether -- we skipped the question, I suppose, although we talked about it, who else was going to be able to rely on that identity-proofing, and I think we came to the conclusion, at least making a recommendation on this, that people were going to want to do their own identity-proofing, not rely on somebody else's identity-proofing, which is what would be happening here. We're going to have that difficulty of making sure when Dr. Jones sees you and Dr. Smith sees you, making sure it's the same you. We know that's going to be an issue already, even for providers that are dealing with you face to face. I'm not sure it's -- all I'm saying is I'd want to see some information, testimony from somebody, that says that this is not an issue. Because we're already going to talk about this convenience, does convenience or potential convenience mean we change the rule? If we change the rule and there's this other negative, that's a factor in my mind. I want to know that that piece, again, where someone who is otherwise a stranger to the RHIO, because they've never dealt with the RHIO, if that becomes a non-event because of technology, I'm fine with that conclusion. I just don't want to assume that's the answer because I don't think that's what we heard before.

>> Sue McAndrew:

Okay. Skipping over that again, it seems to me that the two differences I see concern the fact that I don't see that you would ever make it a requirement. You may add the RHIO in as an additional point of contact, to exercise this right. I don't know that you would ever make it a point of contact to the exclusion of any of the providers.

>> Kirk Nahra:

And I haven't heard anyone saying that either. It's whether you use -- whether you give that -- whether you impose an obligation on the RHIO because of the convenience.

>> Sue McAndrew:

And then the question comes either because you can, one provider can now pull all of the information from other providers and/or you have this blended record, as to when a request for access gets made, what is that now going to be about?

>> Kirk Nahra:

Because Dr. Jones could pull, through the RHIO, information through all the other doctors?

>> Sue McAndrew:

Right. When I come to Dr. Jones am I requesting access for my designated record set created by Dr. Jones? Is it my designated record set as it exists throughout the RHIO? Is it this blended record, if that is what they have, even though Dr. Jones only had one piece of it?

>> Kirk Nahra:

So you're raising the possibility that the convenience is not only we allow you to go to the RHIO, but convenience might be that we allow you to go to your doctor and make them get everyone else's records.

>> Sue McAndrew:

Right.

>>

Aren't there implications to this from the standpoint of -- well, a number of things, but one thing that comes to mind is for the three really large government health care providers, having to comply with the Privacy Act of '74, are there going to be data ownership issues that come into play in this whole, you know, who is going to give access to a record that --

>> Kirk Nahra:

Put it this way. My reaction, and this is a reaction not -- I mean we have to think about whether there are facts here -- it would be a terrible say that Dr. Jones, Dr. Jones' access obligation now requires Dr. Jones to get information from every other provider that's out there. I think that would be a terrible result.

>>

Just trying to figure out who is agreed to a restriction.

>> Kirk Nahra:

I think that would be an awful result. I think it's a potentially more viable approach to say I, the patient, can go to the RHIO and through the RHIO get everybody's information. I don't love that answer either but that at least strikes me as something we should be talking about. But I do think the question is, because there is the possibility of convenience, do we change, do we recommend a change to the HIPAA rule simply because, primarily because of that convenience? Or are there other reasons supporting it as well?

>> Sue McAndrew:

And then the other -- just one other -- since right to restrictions was brought up, is that one downside from going to the RHIO, or expecting access from other providers through just one provider on the RHIO, is that if you do have the existence of these opt-outs or masked information on these other systems, the RHIO is not going to have access to that. But your right of access nonetheless would go to those records from that individual.

>> Kirk Nahra:

So you're going to get more information by going to 10 individual providers than you would by going to the RHIO, or by pulling it through one provider?

>> Sue McAndrew:

Depending upon how you have set up your opt-out, right.

>>

Another concept to throw out here is that a lot of HIPAA was driven off of the whole concept of administrative simplification and if we're putting huge administrative burdens on health care to try and sort through this, just for the convenience, are we not hamstringing the whole industry on something that currently is working?

>> Kirk Nahra:

Okay, let's play it out a little bit. I mean, is the question whether the convenience of going to the RHIO is sufficient to have us recommend a different rule? Or are there other pieces we should be factoring into that question? Then we talk about, all right, we can either have an opinion on that or we can try to gather information as to what that would mean. But what else would go into that question?

>> Deven McGraw:

I have a HIPAA question, actually, which is that if we didn't require the RHIO to make these records available but it was still something that they decided that they wanted to do from a marketing perspective or they saw it as a potentially good business model for themselves, assuming they could charge for that convenience, then a reasonable charge of copying since they're not required -- is there anything in HIPAA that would prevent a sort of voluntary model where if a RHIO saw it as an advantage to offer this service to the patients whose records are stored there or that run through it, that they could do so and that they could charge for that commercial -- for that convenience.

>> Kirk Nahra:

Put the cost aside for a second. I would assume a business associate could choose -- I mean, a business associate contract could push that function to the (inaudible) and if all of the RHIO’s business associate contracts said we'll take care of requests, that could happen.

>> Deven McGraw:

Yeah, but wouldn't they be tied back into the HIPAA reg that they couldn't charge more than the reasonable cost --

>> Kirk Nahra:

Well, but again, part of the issue is there's a -- I mean, Sue, I don't remember if there's all that much definition of what the cost is under HIPAA. Again, State law, a lot of the State law set a specific per-page and that kind of stuff. I don't think there's much in HIPAA what that cost is.

>> Sue McAndrew:

Reasonable cost-based fees for copying expenses only, and postage.

>> Kirk Nahra:

Just copying expenses. So it’s not a question of buying the copier. You can't allocate the buying -- you can't say we're going to charge -- we're going to add 10 dollars to everyone's charge to pay off the cost or that the cost of copying is not just how much the piece of paper but includes maintenance and includes all the --

>> Sue McAndrew:

There is an element of overhead that’s allowed in the copying. But specifically it, you cannot base your cost on retrieval, your retrieval activities, your refiling activities, your compilation activities, that it is simply the -- for instance, if an individual simply wants to see their record, you cannot charge for them to see their record.

>> Kirk Nahra:

Even if it costs you something to gather it and put it together.

>>

It does.

>> Sue McAndrew:

Right. And a lot of people, you’ve got to sit in the room with them, because you don't want them to be tearing out pages and doing damage to the record. So either you've copied the record so that they can sit in the room unescorted or you've given them the real record in which case someone has to be there looking at them. And you can't charge just to have access to the record. You can only charge if they want to get a copy of the record. And then it's just that cost-based fee for copying the record and making it available to the individual.

>> Sylvia Au:

But that's the individual. So if you were going to do that as a business model, why would you present it to the participants, that providers, and say I will take that work away from you and you pay me X number of dollars for every one of your patients that accesses the record through us and that will help -- so you're not passing on the cost to the individual. You're taking money from the provider and subsidizing your work or making money.

>> Kirk Nahra:

The business difficulty there would be not everybody would agree, and if it's half your people, then you got to -- I mean, it -- potentially it could work under HIPAA. There would be some practical issues, I suspect, suspect, it would be difficult for a RHIO to say this is going to be a real money-maker for us.

>> Deven McGraw:

I can't imagine them getting rich on it, but I am persuaded --

>> Kirk Nahra:

Or even justify it.

>> Deven McGraw:

Right. The business model and the fact that a lot of these RHIOs are really struggling is much more persuasive to me for not imposing this requirement on them than anything else, because I -- but I like the convenience factor, so I was trying to figure out a way to --

>> Kirk Nahra:

Although, it's interesting. Sue, I don't know what your experience has been, but all of the individual rights have been less utilized than I think we thought. And at least in my experience, which again tends to be payer-side more than hospital- or doctor-side, even where requests for access come in, they don't really want to see the designated record set. I have a problem with a claim, I want to see what happened here or I want to see this. The number of times where someone would want to say I want everything that's out there, --

>> Sue McAndrew:

I do think, on the provider side, I think it's far more likely --

>> Kirk Nahra:

-- to come in and just see my whole record.

>> Sue McAndrew:

-- this kind of scenario.

>> Kirk Nahra:

But it's moving. It's taking it away, not just to look at it.

>>

Yeah.

>> Kirk Nahra:

Presumably you wouldn't need to do that. Well, I guess you might need to move it from RHIO to RHIO, if here you're moving from D.C. to New York, you need to shift it to the next RHIO.

>> Sue McAndrew:

Presumably in the great world this will all be done electronically anyway and it will be no problem. But actually what conceptually -- I really think we had been looking at the work being done on the personal health record, as the way of providing or achieving access rather than focusing on how it would work in an HIE environment. You know, that the personal health record was, is being designed as the individual window into the EHR and giving them the 24/7 access to their information. And so much of this may, hopefully, become irrelevant if the PHR actually develops along those lines.

>> Kirk Nahra:

The other piece of that, I mean I guess my sense is -- and maybe, I think, Deven, this is consistent with what you were saying, because of the business downsides and some of the economic downsides, this is a real uphill battle for me to think we should impose this obligation on the RHIOs, with one exception, which is a real transfer. And maybe it's exactly this exception. I don't particularly see why the convenience factor is just, I want to just see what's there, I want to just read. But -- but, you can go to the doctor. All I'm saying is shifting the responsibility. I'm not sure the ability to just look at stuff is enough to justify imposing this new burden on the RHIOs. I do think it's fair to say if I'm moving from D.C. to New York that I can go to the RHIO and have them send all my records there.

>> Deven McGraw:

Or populating a personal health record --

>> Kirk Nahra:

Somehow make it easy for me to make it portable.

>>

Right.

>> Kirk Nahra:

But that's a leaving here and going there, not I want to look at it every few months. I could see having that be a particular focus.

>> Paul Uhrig:

I think the PHR is where you get into your business model. The PHR you want to connect with a network, not every individual doctor. So there's where you're getting into -- pushes it towards a network.

>> Kirk Nahra:

So the RHIOs are going to do this because the PHR vendors would be supporting it? The economics would come from the PHR vendors?

>> Paul Uhrig:

Uh-huh.

>> Sylvia Au:

You’re going to run into all those problems, even if you have access to all this data, the people in New York use an entirely different system. Even if the patient had everything on a thumb drive, they go and pop it in in New York, the fields are all different, the sizes of the fields are all different. And --

>>

(inaudible)

>> Sylvia Au:

It doesn't help the patient anyway, even if they have it.

>> Kirk Nahra:

But again, that may be a today, but as Sue said, that's clearly not -- the goal would be -- let's play that out. I mean, is there -- again, there's three ways we can go on this. We can say we don't think there should be any change to these rules at all in this regard. We don't see the differences such that we're going to recommend any rules. We could say million differences, we recommend that there be lots of changes. Or we need to gather more information. I don't hear anyone saying we agree there are lots of differences and we think we should today recommend lots of changes. Am I correct in that? I hear some people saying we don't see the basis for recommending changes and that the HIPAA rules work fine here. Are we --

>> Deven McGraw:

Or that we wouldn't apply this particular rule to the RHIO or health exchange since we've already suggested that they should be under the umbrella.

>> Kirk Nahra:

There may be two pieces. That's an important component of that. So it would -- not only do we not recommend changing the HIPAA rule to push it to this environment, we're going to carve it out under the relevance idea. That's a fair point. The third option would be gather more information. Where are people? Are there people who think we should gather more information, and if so, what would that information be?

>> Deven McGraw:

I think it would be helpful, since we're already talking about bringing in some RHIOs and others to table about the questions raised in the other scenario, to just check in with them about how easy is the push of information? How easy would it be to respond to people's requests to either see or have information transferred? I think, I mean, our assumption is that one is easier than the other, but it would be just interesting to hear it directly from them.

>> Kirk Nahra:

In the context of what we're talking about, if a RHIO thought it was easy, it could clearly set up relationships to do that under the current rule.

>> Jodi Daniel:

It might be helpful to know also what kind of cost they would incur to do this. Because given there are cost limitations on what could be charged if it is part of access, it might be interesting to find out if there's a significant cost for RHIOs to gather all that information and make it available and do the authentication and et cetera.

>> Kirk Nahra:

Okay, let me go back to the two choices we have. The discussion I’ve been hearing before was I guess maybe assuming some of that cost information. And basically saying there's clearly going to be some cost and we didn’t see enough basis to push it to them. If we were going to take testimony, it would be to evaluate whether we are going to be recommending a different than HIPAA rule. Something that would push -- you know, and the only one I've heard, I guess, as a possibility would be a rule that would permit patients to go to the RHIO and get everything from the RHIO. So do people think that's enough of a possible good idea that we want to go get information as to what the impact of that would be? Or are people today saying we don't see the basis for that and let's not go in that direction?

>> Paul Uhrig:

Can I rephrase the question? You said allows the patient participation to go. Are you really saying that forces the RHIO to respond to the request?

>> Kirk Nahra:

Yes.

>> Paul Uhrig:

That's what you're saying.

>> Kirk Nahra:

They can go today. That would put a burden on the RHIO to provide everyone’s information. That’s a fair distinction. What do we think? Do we want to get information about those possibilities because we might recommend that or are we inclined not to recommend that?

>> Sue McAndrew:

I just don't know that there even is a RHIO out there that is doing any sort of release of information. I don't know where we would get the cost information. I think you could perhaps analogize it from hospitals that have EHRs and the cost attendant to release of information in that setting versus paper setting. And there are considerable costs even in an electronic setting to acting on an authorization, making sure it's valid to begin with, matching up identities, looking for the data elements that are requested. Going to the system and supplying only the information that's asked for. So -- but I just don't know where you get that from a RHIO. I don't know that anybody is doing that.

>> Kirk Nahra:

The other thing and again, this is based on my limited experience of these access requests. They’ve tended to be narrower rather than broad. If I go in and basically we ballyhoo this as a convenience, those costs have to be all of a sudden pretty high. It's expensive enough -- if I've been in a hospital and I really want a copy of my whole medical record and they're going to charge me 50 cents a page that's going to start to be a big number. If it's the hospital plus 25 doctors, that's going to be a real big number. I suppose there's a convenience to giving an individual that choice. Do we really think that many individuals would exercise that choice given where people -- I don't know.

>> Deven McGraw:

I mean, I don't think people utilize this right of access now much but I think if the PHR movement really takes off and people have a need to populate a record in an area where in fact there is a RHIO in existence and some valuable data that can be pushed into the PHR or pulled into it in a much easier way coming from the RHIO than the 10 doctors that I've seen in the last four years.

>> Kirk Nahra:

Let me ask another --

>> Sue McAndrew:

I would just say that certainly unlike accounting where we are getting lots of information that -- like five people a year if you're lucky. I think access resonates much -- and is used much more broadly in the population. You know, by no other measure than the number of complaints that we get.

>>

(inaudible)

>> Sue McAndrew:

And it does, it's always been in one of the top five numbers of complaints.

>> Kirk Nahra:

Let me ask you a question about the -- for example, today, obviously the existence of electronic records generally, independent of the RHIOs, makes the ability of a provider to grant access presumably somewhat easier. If a hospital has an electronic health record, I assume it's easier for them to grant access to the record than it is for the paper record.

>>

I'm not sure why you're assuming that.

>> Kirk Nahra:

Then why would we want to make it -- well, --

>>

It's a difference between going to ten providers and going through that exercise as a patient and going to one source.

>> Kirk Nahra:

But if it's not easier for the one provider, why is it not infinitely harder for the RHIO to do it? Why is it harder for the provider, or why is it not easier for the provider when there's an electronic record to make that available?

>> Sue McAndrew:

It would be easier for the provider through a mechanism like a personal health record. But today it seems to me the practicality is what it means is you either have to print out this electronic record and look at it on paper or you have to sit this person down at a terminal.

>>

And teach them how to use your hardware.

>> Kirk Nahra:

Presumably, just a second. I'm assuming that the whole point of this discussion is that somebody is going to send the equivalent of an encrypted file to people if they go to the RHIO. Somebody is going to visit the RHIO, and sit in their office and read stuff?

>> Sylvia Au:

They might have to ask for a paper version because let's say you're moving to Italy.

>>

What if I don't want a paper version?

>> Kirk Nahra:

Wait a minute. Maybe I've got this whole thing wrong. But I thought the whole point of having this stuff electronic was that it could be transmitted electronically.

>> Paul Uhrig:

What if you're my mother?

>> Kirk Nahra:

But then why would you have the RHIO do this? If you're going to impose the RHIO the obligation to print out and mail, and have computer terminals and have people come into their offices, that's now an enormous burden on the RHIOs.

>>

That's what we're saying.

>> Kirk Nahra:

I thought we were there ten minutes ago. Now we're talking about --

>>

Kirk, I hate to bring this up again because I've already been accused of trying to get rid of them but there are those people who aren't electronic and won't be for some time and those people, if somebody asks for a full accounting of a record and they want to see the whole record, we're not only going to have to give them what's in our electronic record today but we’re going to have to pull everything that's paper that we haven't gotten scanned in.

>> Kirk Nahra:

Here's my hypothesis. I thought we were here a few minutes ago and then we weren't. I don't think we should spend our time looking to justify a rule that's going to force RHIOs to respond to all these records. It's expensive, hard, it's not going to be complete anyways. I'm prepared to say we don't go there. Is there anyone who thinks we should gather testimony and gather information to support the idea that we're going to push RHIOs to have to respond to these?

>> Deven McGraw:

No, in fact I think we gather information to bolster the conclusion that we make that it's not worth doing. Because there will be some people that will wonder why we didn't pursue a more convenient course of action for patients.

>> Kirk Nahra:

Do we need more than what we've just laid out? I mean, we just laid out a bunch --

>> Deven McGraw:

We’re already asking these people some questions anyway. Throw in a couple more to the mix --

>> Steve Posnack:

Because they answer when they come anyway.

>>

You know what they're going to say.

>> Kirk Nahra:

Here's why -- what I'd say to that, which is, for better or for worse, we've got limited testimony time, we've had, I think it's fair to say a hard time getting people to focus on even the issues we really need them to talk about, much less adding other stuff. So I don't think it's just a question of adding it into -- I mean, I don't think it's just a question of adding it to somebody's testimony. I think that would distract and detract from what we really need them to talk about. Now, I don't have a problem if we want to get paper or written stuff. I would not want to take our limited in-person testimony time to support an idea that we all agree with. I mean, we could write a paragraph -- I mean, this would sort of be a non-recommendation, so we're not making non-recommendations very often, or a recommendation of no action. But if we wanted to say we looked at the question of whether there should be stronger than HIPAA rules in connection with what is now called a HIPAA access right, and we reached the conclusion that there shouldn't be and that the access right should continue to work with individuals going to their providers directly because we're concerned about cost, because we're concerned about operational difficulties, because we're concerned about completeness, that wouldn't really be -- you couldn't conclude that they have everything anyways that's good enough. I mean, that's -- and we don't need to spend our limited -- my view would be we don't need to spend our limited time on providing additional support for a non-recommendation.

>> Sue McAndrew:

But it seems to me where that comes in is, as you mentioned earlier, at the point of applying the relevance test. If we're making the RHIO a covered entity, we considered the access rights not relevant because --

>> Kirk Nahra:

I think there's two -- you're right. That's perhaps a recommendation rather than a non-recommendation. But there's two pieces of it. One is we're not going to recommend a different HIPAA rule in our differences discussion. Two, we are going to add that to the list of non-relevant, so right now it's privacy notices and access rights. Or handing out privacy notices to everybody and access rights. I think that's a good -- All right, now. We have two options. We can call it a day, which is fine.

[laughter]

We can spend a few minutes going to that amendment point.

Now, I guess let's spend a few minutes on the amendment issue. So the HIPAA rule says that you have the right to request an amendment to information in a designated record set. It's got a little more back and forth than you have with the access right. I mean, the access right, the provider pretty much has to grant it with very limited exceptions. Amendment is there's a process and a lot of times the provider will not agree and there's a mechanism for basically saying we don't agree, et cetera, et cetera. My view would be there's even less reason to push the RHIOs into the amendment business because they don't have any ability to side right or wrong. Only the originator of the record can be the one to agree, disagree, et cetera. Does anyone have a different view on that?

>>

No, I don't see any way it would even be doable.

>> Kirk Nahra:

So we can -- can we add to our half recommendation, half non-recommendation, we're not going to recommend any changes to the amendment right in this situation. We're also going to add on the relevance point, not having amendment be an obligation imposed on the RHIOs?

>> Sue McAndrew:

I would only -- it does seem to me that the RHIO may have, not in terms of making the amendments or not, but the RHIO may have some unique capability of facilitating the tracking of where that wrong -- or where the corrected information needs to go to catch up with records that contained erroneous information.

>> Kirk Nahra:

All right. Let's talk about that for a second. Now, again, how the HIPAA rule would work, as I understand it, is we've just said if I'm the patient I have to go back to my provider and go through my amendment request. Let's say the provider just agrees, yes, that's a mistake, we'll correct that. The provider's obligation under HIPAA today is to communicate that information to any of its -- I think business associates, maybe -- I don't think it has an obligation to communicate with non-business associates -- to communicate that that information has been amended.

>>

Isn't it to make a reasonable effort to anybody you've communicated with?

>> Kirk Nahra:

So if I, in theory if I shared it, if I had provided information to a hospital a month ago, I have an obligation at some level to try to communicate with that hospital.

>> Steve Posnack:

You want me to read it?

>>

Uh-huh.

>> Steve Posnack:

So this is informing others, 164 526 -- I always get lost here -- C 3. The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to little I, persons identified by the individual as having received protected health information about the individual and needing the amendment.

>> Kirk Nahra:

That's persons identified by the individual.

>> Steve Posnack:

And little double I, persons, including business associates, that the covered entity knows have the protected health information that is subject -- that is the subject of the amendment and that may have relied or could foreseeably rely on such information to the detriment of the individual.

>> Kirk Nahra:

So interesting question. Sue, I don't know if you have any experience with this. I don't. But whether that piece other than business associates is happening. I mean, whether there's any general communication of information. For example, to other health care providers, there is?

>>

We do it all the time.

>> Kirk Nahra:

Okay, good. So the question would be -- so all right, let's play that out. So today, without any changes to the rules, the provider would make the amendment, the provider would communicate that to the RHIO, because it's a business associate who has that information. So that would certainly apply to the provider's information. Would the RHIO have any reason to know -- I guess the RHIO might have, might have reason to know if some other provider -- Dr. Smith is the original provider, if some other provider pulled Dr. Smith's information. They presumably have some tracking of that. So the RHIO might have the ability, maybe you impose on the RHIO, although again impose on the RHIO would be business associate more than the rule, to disseminate to anyone that --

>> Sue McAndrew:

Yeah, I mean, I guess the expectation would be that the RHIO would have an audit trail of --

>> Kirk Nahra:

But there's also a difference in my mind between --

>>

They would be less of a position to make -- did they rely on it, is it foreseeable that they would? So it would be more of an automatic business practice.

>> Kirk Nahra:

Sort of after --

>>

You don't know whether they've relied on it or not so you provide it.

>> Kirk Nahra:

It's also sort of after the fact. It's a little bit weird to have -- so again, let's say that my medical record, when I look at it, I see that my medical record says I had a broken leg, and I did not have a broken leg. And I know that a hospital three months earlier had gotten information that included a medical record that said I had a broken leg when I was in for my heart surgery three months ago. So we'd want the RHIO, we'd want someone to reach out to that other hospital and say, by the way, he didn't really have a broken leg. You already acted on that three months ago when he was there in the hospital for a heart attack, you did whatever you were going to do, but he didn't have it.

>>

You put that in the context of patient safety, though, from the standpoint of not a broken leg, but you say that I'm not allergic to tetanus and I am allergic to tetanus. Now if I go into that other provider they're depending on that information that you gave me once before that said this person is not allergic --

>> Kirk Nahra:

Let me push one piece of what you said, and I don't know how this works. So I was in the hospital three months ago, you thought I was not allergic to whatever you said, and I really was. So again, you did whatever you did before. Now I come back to the hospital a year later. Am I going to rely on that old record or am I going to reach out again? Am I going to take the year-old record or go back to the RHIO and get whatever is current?

>> Sue McAndrew:

You'll probably do both.

>> Kirk Nahra:

But I guess my point is wouldn't I pick up the amendment when I need it, which is the year later when you show up?

>> Sue McAndrew:

You know, if it was relevant, and you had an adverse event and the information comes in even unfortunately after the adverse event, I mean, it's going to provide clues that you might be sitting there scratching your head, why did this guy just up and die on me?

>> Kirk Nahra:

All right. So are we going to -- again, so the issue in the context of our discussion would be today there is an obligation on the covered entity to disseminate that amended information to people that it knows had, whatever the standard was, some defined group of people. There is no obligation in the HIPAA rule, I don't think, for the business associate -- I guess the business associate has to communicate to people it's communicated the information to. The question is do we turn that into RHIOs have to figure out all the providers and send it out to them? Or is that how it would already work today anyways? Do we need a new rule for that?

>> Deven McGraw:

Or, is this rule relevant?

>> Kirk Nahra:

Or do we say it's not --

>>

Right.

>> Kirk Nahra:

Again, the relevance would be on them as a covered entity.

>>

Right.

>> Kirk Nahra:

Not on them as business associate.

>>

Right.

>>

Also related to this, what if you get an amendment request and you deny the amendment request and then they have the opportunity to put a letter of disagreement. That's also going to have to go with the record forward, so that's another piece of information that the patient has the right to have included in their record. It's also going to have to be factored in there somewhere related to this whole thing.

>> Sue McAndrew:

I do see that the RHIO could play a helpful role to the provider who has this obligation to share the information, in tracking sort of who else has gotten it that the provider may not know about it. But couldn't we leave the obligation as it is under HIPAA with the provider? And then it would be up to the provider to query the RHIO and use that tracking mechanism to identify those. But I think you avoid tweaking the rule that way. Is it the responsibility stays with the provider to make sure it happens, but they certainly have access to the network in order to query who has gotten that, rather than saying the RHIO now has the responsibility to make sure --

>>

That model would certainly give RHIOs a little more leverage to pull providers in to participate because they could say if you'll participate in this RHIO, we'll help take care of that for you and make sure those things get disseminated.

>> Kirk Nahra:

Which it could do today under the rule.

>>

Which, Sue's point, you’re giving them some place in the game to be a player in facilitating that to happen. But they wouldn't be obligated to do it. The provider would still have that --

>>

It gives the benefit without putting the obligation on them to have an independent duty to do that. Because I do see the value of using that tracking mechanism to identify --

>> Sue McAndrew:

I think it just bears some -- I would certainly agree that it probably would not be a good idea to make the RHIO, as a new covered entity, responsible for picking up the decision on to amend or not amend. I think it bears closer scrutiny whether or not the entire amendment becomes not relevant or whether that one piece should go over to the RHIO as an obligation or it's just something that's negotiated through the business associate-type relationship.

>> Kirk Nahra:

What would be helpful to flesh that out? I mean, that’s really what we’ve got to struggle with. Do we discuss that or try to gather --

>> Steve Posnack:

Is it a process versus policy question? There's policy distinctions that we need to make if you want to require the RHIO to do it and there’s also the process piece. If you use them as a facilitator to disseminate that information, you could -- someone makes the amendment, they have to notify the business associate which would be the RHIO, and the RHIO could then send out a message to all the people linked to that record to say, there's been a correction, you need to go and check. I mean, that's a way to do it. But that's not --

>> Kirk Nahra:

And that's clearly available to a RHIO that wants to do that, to make that as part of the value-add that they provide. We don't have to do anything.

>>

I really believe, though, Kirk, that up to the point of either granting or denying the amendment, you have to leave that responsibility with the health care provider.

>> Kirk Nahra:

I think we've agreed with that. We've decided that.

>>

And at that point, then, you could have a discussion as to what role the RHIO plays.

>> Kirk Nahra:

Again, the issue would be are we going to bring in testimony with the idea of evaluating whether we're going to make the RHIO do something, whereas the status quo is if they can figure out a way that they want to be valuable to their participants to do this, that that's clearly available to them. Are we going to make them do that? Do people want to try to gather information that would be used to support or potentially support a recommendation that's going to make them do it? I struggle with that.

>> Steve Posnack:

It seems like another convenience question.

>> Kirk Nahra:

That's the thing. If a RHIO can do this, and again that's one where they can charge the providers whatever they, that's whatever they can fit in their business model, great, more power to them. Clearly an opportunity to do that today. Do we want to, again, do we want to gather information -- (inaudible)

>>

Aren't we actually encouraging them to be innovative and creative and competitive by not requiring it --

>> Kirk Nahra:

I think requiring it would be bad idea, personally.

>>

Then you're going to get two notices of this, because you got the provider who has the obligation and then you'd have the RHIO that also has the obligation.

>> Kirk Nahra:

I think there will be clearly some RHIO models that won't have, currently won’t have an effective mechanism to do that, and it would require them to create one. Again, my view would be we don't go there. If, again, if someone wants to make that part of the model, more power to them and we don't need to make any changes to do that. But forcing them would be a bad idea and therefore my view would be we not, again, we not put our time into trying to build that case because we don't think it's a good case. What do people think about that? Is there anyone who thinks we should be looking to the question of should we be forcing RHIOs to do that?

>>

At the risk of agreeing with you, Kirk --

>> Kirk Nahra:

It happened once before.

>> Steve Posnack:

You set some precedent.

>> Deven McGraw:

I still think gathering written testimony only to create our record for why we're rejecting because ultimately we've already made a recommendation that we think RHIOs should be covered entities. In some respects this is about the relevance discussion that we aren't, that we're engaging in and so I like the idea of creating a record as to why we're rejecting some of these things that would be conveniences for people. I don't disagree with the outcome at all.

>> Kirk Nahra:

Although the easy part of that discussion I think, Deven, is the earlier part which was it's clearly a bad idea to have the RHIOs be on the front end of the amendment.

>> Deven McGraw:

Right.

>> Kirk Nahra:

And I mean, I didn't hear anyone disagreeing with that piece of it. And so you've already carved out most of the amendment -- I mean, the major part of the amendment right anyways.

>> Paul Uhrig:

I don't know that I have a different view yet, but I'm struggling with it because I view it as more than just convenience. In my own mind, I see it much more as patient safety, you want a correct record out there. So I'm struggling a little bit with the just a convenience argument.

>> Kirk Nahra:

There's an obligation to correct records anyways that exists on the provider today.

>> Paul Uhrig:

No, I understand.

>>

So Paul, does that struggle get any better or worse when you're -- depending upon what kind of RHIO you’re talking about, and what kind of record, whether it's a joint melded record or whether it's a more of a database of records that you're pinging or -- does that change your -- It does for me a little bit, and that’s why I sort of hammered on the agreement with Kirk. I kind of think that there is that opportunity for the RHIO, since it does hold all these records, to help disseminate it to everybody that has had it.

>> Kirk Nahra:

Let’s play that out. The blended record. I don't have any sense of whether that exists or not. But the blended record would have the amendment in it. Right? I mean, that's something that the RHIO would have to do anyway, even as just purely a business associate. They would put it in a blended record. So anyone who looks at that blended record in the future would have that information. It's clearly there.

>>

But haven't we already sort of come to the conclusion that that model is not the real strong model out there?

>> Kirk Nahra:

Yes, that's an example --

>> Deven McGraw:

In all three models the RHIO gets the information right away.

>> Kirk Nahra:

Correct. But the other example is the database, or I don’t know what you call it, but the repository where they now have 10 medical records, and so the crux of the matter seems to be in that model. If they don't have any of the information, they can't disseminate it either. If they have the record, they've got 10 records, or 50, or 100, and they know record 1 has been amended, and they have some ability to know that 3, 11, and 14 pooled information from that record, does the RHIO get forced to send something out to 3, 11 and 14? That's what we're -- I mean, I think that's what we're talking about. The provider today -- again, maybe the provider doesn't know -- maybe provider 1 doesn't know that 3, 11, and 14 got something from the RHIO. Do we presume that there's some way for the provider to tell that? I mean, that's another business model for, the business model that the RHIO can come up is not we’ll send it out, but we'll tell you where you need to send it.

>>

I guess the reason I keep going back to I think this belongs to the provider, is that it’s really, it's an ethical responsibility to make sure that when I've made an error in a record and I've admitted, by granting an amendment request, I have admitted that I've made an error in that record. It's my obligation to make sure that everybody that got that record is, has that new amended version. And to pass that on to somebody else that doesn't have that level of ethical responsibility just makes me a little squeamish.

>> Kirk Nahra:

Sue, do you have any sense just in the experience of how -- again, the amendments that I've seen, a skewed sampling, are mainly disagreements. I mean, it's been, you know -- for example, I'm actually involved right now in an HHS investigation where it was a billing dispute. I mean, the patient thought they got charged too much, and you know, the payer ultimately said, fine, whatever, we're not going to fight you on it, and HHS has turned it into an amendment problem. But it's been disagreements. It's not that oh, we said you had a broken leg and you had a broken arm. It's just disagreements.

>>

Right.

>> Kirk Nahra:

Are there -- I mean, are we seeing amendments that are really -- you know, true out-and-out just mistakes? I mean, it wouldn't come to you either.

>> Sue McAndrew:

It hasn't hit our radar screen big time other than in the initial crafting of the rule, at which point, the biggest characterization of the type of amendment you got, were the people who wanted to have included in their medical records the fact that little green men were putting --

>>

No, I'm not crazy.

>>

There's right, left issues, too, but that's never going to hit a complaint --

>> Kirk Nahra:

That was sort of my point. My point was, if there's really a mistake, they presumably do want to fix it and there wouldn't be any reason to go to HHS about that. The reason to go to HHS is I'm not crazy and they said I am, and they won't change it.

>> Sylvia Au:

Yeah. We get a lot of, we used to get a lot of social comment changes. The mother is (inaudible) or --

>> Kirk Nahra:

I am not.

>>

My child's record says what?

>>

And --

>> Kirk Nahra:

Stuff that shouldn't be in there anyway.

>> Sue McAndrew:

Yes. And some of the thought that was with the new right of access, a lot of the color commentary --

>> Kirk Nahra:

Wouldn't be there in the first place.

>> Sue McAndrew:

-- will be coming out of the records going forward.

>> Kirk Nahra:

Let me try to push this -- let's go back to our question for discussion today, which is we've reached a conclusion that we think the primary, I mean, the responsibility to judge whether an amendment should be made stays with the provider. Now we're talking about the question of disseminating an amendment. Many of which, to be clear, will be disagreements. You know, so a lot of the volume, presumably, will be patient says no little green men and, you know, that kind of stuff. So that's a big part of the amendment right; that whole statement of disagreement piece. There's presumably not --

>> Sue McAndrew:

You don't have to send that out.

>>

It has to go with the record --

>>

In future releases.

>> Kirk Nahra:

But no correction mechanisms? So the only correction measure would be real mistakes.

>>

Yes.

>> Kirk Nahra:

Okay.

>>

We've agreed to a change.

>>

The other wrinkle to this before we get too far, is that we're assuming we're only talking about disseminating to providers that are in our RHIO. What about other people, other business associates or people we've done disclosure to on our own as a health care provider that didn't go through that joint record? Now you're talking about the health care provider is going to have to make sure that those get identified and those get sent forward and then you're going to make the RHIO responsible for getting the ones out -- it gets real convoluted.

>> Kirk Nahra:

My view, just to be clear about it, is we don't do this. We don't impose any covered entity obligations on the RHIO to disseminate these amendments. You keep that obligation with the covered entity provider as well. That would be my view. And we were sort of there a few minutes ago, and now we're back discussing this. So the question would be, do we want to gather information, testimony or oral, to push us towards -- well, Deven's point being maybe we gather that information even if the answer is we're not going to make the recommendation. Let me ask it this way, is anyone still considering we make a recommendation that pushes this obligation to the RHIO? Anyone on the phone supportive of that? All right, so now we're talking, I guess here would be my suggestion, which is we can add it to requests for written testimony, if we want. I would tell people not -- I wouldn't spend any time on it in the oral discussion.

>>

That's fine.

>> Kirk Nahra:

Is that okay with everybody? Okay. My suggestion for today is that we open it up for public comment, planning for next meeting -- can you alert the operator, I guess, that we're going to do public comment in a couple minutes.

>> Judy Sparrow:

Jennifer, in a few minutes.

>> Kirk Nahra:

Is that all you need to do, Judy?

>> Judy Sparrow:

Yeah.

>> Kirk Nahra:

We have an item on here for planning for next meeting. I think that mainly what we have to do is we have to reconvene after this and try to start thinking about our next steps on testimony-related issues we talked about today. I think we have two possibilities, really. We have that testimony piece or we may have another discussion like this with some additional scenarios. And where we go on that may depend a little bit on how easy it is to figure out testimony. We're in a position right now, I think our next hearing, it may be October --

>> Steve Posnack:

4th.

>> Kirk Nahra:

Less than a month away. My assumption is that we're not going to be in a position to find, locate, identify, get people to testify, on these very specific questions by October 4th. So my expectation is that October 4th will be perhaps some other scenarios so we can continue to flesh this discussion out. And that we'll look towards a November hearing with testimony. Does that make sense, Steve?

>> Steve Posnack:

We had talked about having any results from today that guided testimony be for November and any results from the October meeting guide for January. As a way to think ahead for everybody.

>> Kirk Nahra:

All right. Does that make sense for people? All right. Judy, can we turn to public comment?

>> Judy Sparrow:

Jennifer, is anybody on the phone?

>> Jennifer Macellaro:

The slide has been up there for a couple of minutes now and anyone who is already on the phone just needs to press star-1. The number is there for people who have been listening over the Web, and e-mail address as well if anybody wants to write in comments after the meeting and I'll just wait about a minute and check back in with you.

>> Judy Sparrow:

Okay.

>> Kirk Nahra:

All right. Anything else today from the Workgroup before we turn to our public comment and then adjourn?

>>

I mean, I would just, in terms of looking for testimony, encourage some data mining of the NCVHS record from their hearing last year as well as some of the more specific hearings that they held earlier this year.

>> Kirk Nahra:

And just to play up on that, it may be that we can gather some of that testimony and distribute it. Maybe we don't -- if they got good people and got good testimony. There's a difference between the oral and the --

>> Steve Posnack:

They have transcripts of everything, so --

>> Kirk Nahra:

Let's figure that out.

>> Steve Posnack:

A lot of data mining on our end.

>> Kirk Nahra:

It's a hearing, it can't be too much. Do we have any --

>> Judy Sparrow:

Anybody, Jennifer?

>> Jennifer Macellaro:

I don't have anybody on the phone today, no.

>> Judy Sparrow:

Okay. I think that's it.

>> Kirk Nahra:

Anything else before we adjourn for the day? All right, everybody, thank you very much. I think we made a lot of progress today in terms of really trying to focus our discussion on where we needed to go with the differences idea, and hopefully we'll make some more progress next month. Thank you very much.