American Health Information Community

Confidentiality, Privacy, and Security Workgroup Meeting #14

Thursday, October 4, 2007

Disclaimer

The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.

>> Judy Sparrow:

Good afternoon and welcome everybody to the 14th meeting of the Confidentiality, Privacy, and Security Workgroup. Just a reminder, we're operating under the auspices of FACA, which means that the meeting is being Webcast to the public and there will be an opportunity at the completion of the meeting for the public to make comments. Let me remind the Workgroup members to please speak clearly and distinctly, and identify yourselves as you speak. And also, if you're not, when you're not using the phone, those on the phone, please remember to mute your telephone. With that, I think, Jennifer, if you could introduce those members on the phone and then we'll go around the room here.

>> Jennifer Macellaro:

Sure. On the phone today we have Sue McAndrew from the Office for Civil Rights, Sylvia Au from the Hawaii State Department of Health, Elizabeth Holland from CMS, Jill Callahan Dennis from AHIMA, and Zinethia Clemmons from HHS. Did I miss anyone on the phone? Okay.

>> Judy Sparrow:

And here in the room we have --

>> David McDaniel:

David McDaniel from Veterans Health Administration -- Department of Veterans Affairs -- I know where I'm from.

>> Jodi Daniel:

Jodi Daniel, ONC.

>> Leslie Shaffer:

Leslie Shaffer, TRICARE Management Activity.

>> Kirk Nahra:

Kirk Nahra, Wiley Rein.

>> Deven McGraw:

Deven McGraw, National Partnership for Women and Families.

>> Alison Rein:

Alison Rein, Academy Health.

>> Steve Posnack:

Steve Posnack, ONC.

>> Judy Sparrow:

Great. And thank you all. And we have a very packed agenda this afternoon so let me turn it over to the co-chairs, Kirk Nahra and Deven McGraw.

>> Kirk Nahra:

Thank you, Judy. Let me start off by making sure that everyone noticed the plural in Judy's introduction, we now once again have co-chairs. Deven McGraw has, after months of deliberation --

>> Steve Posnack:

Long courtship.

>> Kirk Nahra:

-- long courtship, come on board as a co-chair. Deven is obviously familiar to the group, has been working with us from at least from the start, right?

>> Deven McGraw:

Right.

>> Kirk Nahra:

Welcome.

>> Deven McGraw:

Thank you.

>> Kirk Nahra:

Any words of wisdom before we get started?

>> Deven McGraw:

I don't think so, other than -- no, not -- the subject matter of course is not at all new to me, but I think we've been doing some really good work as a Workgroup and have a good rhythm, and so when Kirk asked me which part of the meeting do you want to run, I said what? So at any rate we'll try to be the least disruptive I think to what we've already got established. I've already been a part of several co-chair meetings, so it feels good. Thank you very much. I got notes from a lot of folks congratulating me, which I appreciate.

>> Kirk Nahra:

You'll find what a big honor it is going forward.

>>

Do you get your own parking spot?

>> Deven McGraw:

No. Not that I know of.

>> Kirk Nahra:

We heard about some of the folks that were perhaps interested in being co-chair and viewed it as a big sort of reward and I kept trying to figure out what I was missing. All right. Moving right along.

Did people have a chance to look at the summary of our September 6th Workgroup meeting? Let me ask if people on the phone had any comments or questions about that summary. Anybody in the room?

>>

Looks fine.

>> Kirk Nahra:

All right. What we will do is give people till the end of tomorrow if they have any questions or comments on this, please get those in to Steve. If we do not get anything additional, we will assume that this is approved for I guess public -- whatever that means. We're signed off on the summary.

>>

I want to say I worked really hard to get in the minutes.

>> Kirk Nahra:

Did you? Good. Did it work? You were successful?

>>

I didn't make it.

>> Kirk Nahra:

You didn't make it at all? Really?

>> Steve Posnack:

I'll keep it in mind next time we're reviewing it.

>>

Anybody else not get in the minutes and want --

>> Kirk Nahra:

There aren't that many other names. It is true. And I view, when Deven and I were talking about this, I view Deven's role today if she doesn't want to run particular parts, is maybe being a brake on my steamroller.

[laughter]

>> Deven McGraw:

If I get in the minutes I'll know if I've done my job.

>> Kirk Nahra:

You should at least be in the minutes already, being introduced.

Why don't we start off today with a not sure if it's a brief or a long update on latest AHIC developments.

>> Jodi Daniel:

And I'm going to turn it over to Steve.

>> Steve Posnack:

It's definitely a brief. The AHIC that happened in September wasn't too long, if everyone remembers. The Population Health and Clinical Care Connections Workgroup made some recommendations and they were fairly comprehensive and it was a good discussion that took place, obviously I think they have a lot of work to do to go forward. The -- Governor Douglas and Governor Bredesen from the State Alliance for e-Health came and presented and discussed with the AHIC a number of their activities. There was again an AHIC successor update. And the recommended requirements for enhancing data quality in electronic health records, three representatives from that team that created the report presented their recommendations to the AHIC, and we will be discussing one of them in one of our scenarios today, that we were asked to look at by the AHIC in terms of its privacy and security elements. And I sent out an e-mail to everybody, I guess yesterday or, probably yesterday, that just asked if in the interim between our -- this meeting and the next, if you identify any other requirements that you feel have a privacy and security spin to them, that you bring them up to us and we'll try and find a way to address them at our next meeting in November.

>> Jodi Daniel:

The one that we -- the one recommendation, Recommendation 8 that we'll be talking about is the one that had gotten some press as raising some privacy concerns. That's why we wanted to have it discussed in this group, but we didn't see anything else that this group would necessarily want to bite into. But that's open still for discussion.

>> Kirk Nahra:

All right. Any other questions or comments on AHIC developments at this point? Alright. Very brief. Now we have these folks joining us?

>> Steve Posnack:

Yeah, 1:30.

>> Kirk Nahra:

What do you suggest doing before then?

>> Steve Posnack:

From the anti-fraud work.

>>

Okay.

>> Kirk Nahra:

But not till then. So do we want to start on one of the other --

>> Steve Posnack:

NCVHS?

>> Jodi Daniel:

Sure, do you want me to mention the --

>> Kirk Nahra:

Sure. We're going to need to move, we're going to probably need to do one of the other scenarios unless we can get them on earlier.

>> Steve Posnack:

I don't know if they're on yet.

>>

Who’s calling in?

>> Steve Posnack:

Reed and Rebecca.

>> Kirk Nahra:

We can get them on earlier?

>> Steve Posnack:

Probably not. I think 1:30 was the earliest he said he could get on.

>> Kirk Nahra:

Okay. Go ahead, Jodi. Why don’t you --

>> Jodi Daniel:

I wanted to give a very brief update to let folks know that this is going on. The NCVHS has been looking at the issue of secondary uses of data, and privacy issues related to secondary uses of data. This was started, they formed a subcommittee to look at this issue and it was supposed to be focused on quality activity. So the quality subgroup, or the Quality Workgroup of AHIC kept struggling with some privacy issues and how information should be, should or should not be appropriately shared for quality activities. And the NCVHS had offered to look at that specifically and come back with some recommendations that would help with the quality use case. The problem that they were having is that quality -- it's hard to define, they were getting into other questions about secondary uses in general, and they somewhat broadened the scope beyond just looking at quality or looking at secondary uses, and -- or things that would help with the quality use case. So I just wanted to let folks know that there is a subgroup of NCVHS that’s working on the issues of secondary uses and privacy. Their approach is slightly different than the approach we're taking so we wanted folks to be aware of it. And they had a meeting this morning and tomorrow morning, I believe, to talk about the recommendations or the report that they're preparing. It's still in draft form, but I think they meet again at 8:30 tomorrow morning so anybody who is interested in listening in on what's going on, I believe that there's a meeting, a public meeting tomorrow morning as well to talk about it. We could also share a draft of the report, it's public now, if folks are interested in getting a copy of this.

>> Kirk Nahra:

If you would like to get a copy of that, why don't you shoot an e-mail to Steve. I mean, what is it -- it's a long document, about 40 pages.

>> Jodi Daniel:

It’s about 40 pages, yeah.

>> Kirk Nahra:

Variety of other attachments. But it has a lot of material.

>> Jodi Daniel:

Is there any other information, Morris, about the --

>>

Probably not -- I can talk more about -- (inaudible)

>> Jodi Daniel:

Are you interested in having more of an update on specifics from the meeting this morning or is that --

>> Kirk Nahra:

Here's I guess -- the NCVHS stuff is going to be relevant to our group for a couple of reasons. And Deven and I are going to be going through that and I mean my initial reaction is that it's sort of so different from the approach we're taking that it's not necessarily something that we want to particularly comment on. I mean, they're doing some different things. The big issue that is going to be relevant to what we're doing is, you know, as our agenda today makes clear, we are really focusing our attention on trying to evaluate whether there are differences, sort of the buzzword we've been using, but differences in this health information exchange environment from the rest of what's covered by the HIPAA rules. So we're spending time on evaluating whether those differences exist, with the baseline idea being if there aren't differences, then we don't -- then we're not saying change because HIPAA isn't a good rule. We're saying there's no reason to have a different rule if the situations are the same. We're still evaluating that, and we have not reached any conclusion on whether we think that there are sufficient differences in the HIE environment to justify having specific rules for this environment, but we're trying to start with that baseline of HIPAA and understand how it applies to various scenarios to evaluate whether we need something additional than HIPAA.

That's not the approach that NCVHS is taking. I mean, they seem to be -- if you just read through the document, it looks like it's a little bit more of a -- this isn't a great word but a wish list, what should be the set of rules in this environment, without fully -- again, this is just an approach they took -- without necessarily using HIPAA as a measuring stick or evaluating whether there's particular reasons to have different rules. So I think that we are unlikely at the end of the day to do extensive comments. We may do no comments. We haven't decided that yet. But their approach is just different, and so -- I mean, I guess that's good in the sense that we're not necessarily duplicating efforts. We're looking at similar topics from a different direction. But that's really sort of where we are and how their efforts will link up with us.

Again, we may end up concluding -- and that's part of our discussion today -- that there are a lot of differences such that we're going to recommend different rules for this specific environment. We just aren’t there yet and we are still very much trying to consider whether that's the case or not.

>> Deven McGraw:

I almost think it's more important rather than thinking about commenting to NCVHS on their report, is to take it as we get to the particular topic areas that are addressed in the paper, and look at how they -- look at how they treated it and figure out whether there's some way to either fold it in if we agree, or -- and if we wanted to comment on it if we were sharply disagreeing, or agreeing, that would be one way to do it. But it's really about health care operations, so in some respects it kind of depends upon our schedule for rolling out the scenarios on the sort of bigger list of things that we need to tackle. If we think we need to move that up in order -- if this is going to get some discussion going where our voice would be noticeably absent, we might want to think about moving that one up in the queue.

>> Kirk Nahra:

Yeah, my sense is this is sort of moving quickly enough that we're probably not going to jump in too much on this.

>> Jodi Daniel:

It's moving quickly and I don't know that one -- having one advisory group making comments back to another advisory group is necessary, and you know, we could get into a debate about different approaches for a long time. So I think Deven, your suggestion makes perfect sense. They will be having a final report. Do you know the timeline?

>>

Yes, if you -- as far as the timeline.

>> Morris Landau:

They said -- this is Morris Landau with ONC. They're going to meet tomorrow at 8:30 and then they’re going to try to distribute it for public comment on October 17th. And that's when they hope to get some more input, additional input, regarding the recommendations and I don't know the exact number but I want to say about 20 -- 15? Fifteen recommendations regarding secondary uses.

I’ll just add this little gloss on it. The basic themes that they were talking about was the commercialization of data, business associate contracts, a real issue between quality and research, the notion of de-identification, whether you can really de-identify information. And those were the major themes, the broad outline what they talked about. I mean, there's a lot more than obviously they discussed in a four-hour meeting, but I just wanted to give you a flavor of what they talked about.

>> Jodi Daniel:

So I guess if folks are interested in seeing the latest draft, shoot an e-mail to Steve and he'll get you a copy of the latest public draft. And I guess if anybody has a strong view that we do something more quickly, they should raise that issue at that time. But it sounds like the approach is we'll just see what they come up with and then incorporate it into our discussion as appropriate.

>> Kirk Nahra:

Right.

>>

Another question. We haven't really talked about only it's come up secondarily, the issue of secondary data.

>> Jodi Daniel:

Right.

>>

I mean, I think it's really useful that this could inform our deliberations in the future but I just wanted to be clear I wasn't missing anything because it's not like we need to go back and retrospectively fit what we've done.

>> Jodi Daniel:

No.

>> Kirk Nahra:

I think that's right and we could certainly -- I think where that will become relevant to us is our approach. I mean, we're going to come up -- and we can put this anywhere on the list -- sort of a scenario, we're talking -- we spent the last meeting and we're doing this meeting on these different scenarios. Maybe we need a scenario involving secondary uses to evaluate how the rules apply to them today, and how they might apply or what might happen in some of the HIE environments. Again, the question in my mind, and it's going to continue to be -- Morris. De-identification, yes, that's an issue, I understand that's an issue. It's an issue under the current rule, there's a way to deal with it. If the answer is, well, it's much harder to de-identify because you can usually figure out a way to re-identify, then actually that's not de-identification under the HIPAA rule. The HIPAA rule says if you know it can be re-identified even though you've removed the identifiers, it's not considered de-identified. That would be a scenario where, yes, at first blush, yes, technology may be making it harder to de-identify, but the rule deals with that and says all right, then if technology will make it harder to de-identify, then it's not de-identified.

So I think we're going to want to take the same set of questions about, you know, how the rule works today, apply it to whatever we describe as the secondary use scenario or maybe multiple scenarios, but again I think the difference with where NCVHS is going, is I don't -- again, I've been through much of that report, I haven't been through every word of it. But they're not really using the current rules as a baseline. They're sort of looking like if we're designing this system, what kind of rules would we want to have for secondary data without really saying well, here's what the rules would be today if you just had that system and you don't do anything new, here's what the rules would be. They haven't really done that, made that connection. All right. Any other questions or comments on the NCVHS issues? And again, this won't be the last we hear of this, obviously.

Let me suggest this for the next few minutes --

>> Steve Posnack:

Maybe you're reading my mind.

>> Kirk Nahra:

Go ahead, Steve.

>> Steve Posnack:

Were you going to suggest going through what may be missing in terms of the privacy rule notes?

>> Kirk Nahra:

Well, here's what I was going to suggest. We have a couple of different scenarios to talk about today. We're going to start today with the fraud-related scenario, mainly because of this issue that has come up from the RTI reports and that has been sort of referred to us by AHIC. We are going to have some folks joining us in a few minutes -- who are they with? They're with RTI or --

>> Jodi Daniel:

No, they actually participated on the model requirements executive team that RTI pulled together. They pulled together a team of experts --

>> Kirk Nahra:

They were part of the RTI project.

>> Jodi Daniel:

They were part of the project, they were members of the team, but they are not RTI employees.

>> Kirk Nahra:

All right. Okay. So they will join us in a few minutes to talk about what their -- sort of the issue that they raised was and why they're raising it and how it comes up.

What I thought we could do just in the few minutes before we bring them on board is maybe turn to just a background on how investigations, audits are dealt with today in the privacy rule. That will sort of provide us with some background to then go into the questions and scenarios that have been developed. And as I was just looking at this in the way into the meeting, I noticed that there's a couple of places in here where the rule is relevant to fraud, but there are two or three other places that I think are -- need to be added, and we'll need to be revising this. I should say that health care fraud investigations were actually a very significant area of assessment analysis when the privacy rule was being developed. Individuals from various government agencies, with the HHS, Inspector General, I think, being sort of in the lead on that, were very concerned about whether the rules would be written in a way that would restrict their ability to get access to information about fraud investigations. And, you know, the rules clearly were written to deal with that concern.

They also were written to deal with concerns about sort of other kinds of law enforcement access to health care-related information. The scenario that I kept hearing about when this was being talked about was there's a bank robbery down the street, and one of the normal things that law enforcement does when the bank guard shoots at the bank robber and thinks he hit him in the leg and the bank robber -- or law enforcement will canvass the local hospitals to see if anyone came in with a bullet wound in the leg, and there was a concern that there would be sort of rummaging through hospital records in connection with investigating something that had nothing to do with the health care system. And so the way the privacy rule has been written is there's sort of an inside the health care system set of rules for things like fraud investigations, and there's an outside the health care set of system for other kinds of law enforcement investigations that aren't really health care-related investigations.

I'm going to propose to put that piece aside. And that's not really the scenarios that have been handed to us, and not particularly the scenarios that are coming up in our analysis. I mean, those scenarios may be relevant in HIE settings. I mean, the ability of, you know, can a local police get into a RHIO and figure out if there are any coded claims from anywhere in the metropolitan area for a bullet wound. That may be a relevant issue, we want to consider that, but that's not today's discussion.

So the pieces that are in our discussion, I mean first of all the -- let's just go through this quickly and I'll try to do this quickly, sort of identify the different places.

Section 506 of the privacy rule is in some ways the most critical component of the whole rule. Basically says here are the things that covered entities can do to disclose information for treatment, payment, health care operations. And you know, that's the broadest single piece of the rule, obviously lots of other sections of the rule fill in what those words mean. But obviously a covered entity can disclose information for their own treatment, payment, health care operations purposes. That provision we probably should reference in here. The part that's listed specifically is a section that allows one covered entity to disclose information for the health care operations purposes of another covered entity. Now, it's not clear how often that comes up, you know, that I'm disclosing information solely for someone else's purposes, and there are some restrictions on when that can take place. But essentially one covered entity may disclose to another covered entity for the receiving entity's purposes, where the purpose is health care fraud and abuse detection, or compliance. So that's one of the places where health care fraud is sort of singled out and said, you know, I can disclose for your investigation, I'm permitted to do that. Now, obviously that doesn't make someone do that. It's not mandatory, it's not a requirement, it's a permission.

The other places that are relevant in terms of fraud and abuse disclosures. One would be the health care operations definition itself. Obviously, companies can disclose for health care operations, there is a specific provision of the health care operations definition that says you can disclose when you are conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection, and compliance programs. So that is part of the health care operations activity. I mean, part of the health care operations definition. Again, very specific.

The other place where it comes up is in Section 512 of the privacy rule. The sort of public policy disclosures and there is a specific provision in that section dealing with uses and disclosures for health oversight activities. And this essentially is the inside the health care system set of regulatory reviews, audits, fraud investigations, and whatever.

So I look at -- you know, those two provisions fit together, they clearly permit covered entities to disclose to law enforcement and regulatory agencies when they are involved in a health care investigation. The health care operations piece permits covered entities to do their own investigations to initiate disclosures to engage in their own activities. But again, pretty broad, thorough discussion of fraud and abuse investigations, pretty broad, pretty broad permission to disclose information, use and disclose information, in connection with fraud investigations.

I should say that in that same Section 512, the provision that deals with other kinds of law enforcement purposes is a separate section, headed disclosures for law enforcement purposes. And that's essentially non-health care kinds of investigations. There may be health care information that is involved, but the underlying law enforcement issue is not oversight of the health care system. That would be my bank robbery scenario where the crime has nothing to do with the health care system. It's robbing a bank, but health care information might be relevant to that. Again, there’s just a different set of standards. We can debate whether those standards are appropriate or not. There are certainly people who think that they are too permissive and allow law enforcement too much access to information, but again that's sort of outside of what we wanted to try and discuss today.

That's sort of the basic background. We'll be revising this section in the scenario just to bring in some of those other, some of those other pieces. Do we know if the other folks have joined the call? They have not?

>> Peter Basch:

This is Peter Basch, I'm on the call. I've been on mute for the past 20, 30 minutes.

>> Kirk Nahra:

Okay, thank you.

>> Jodi Daniel:

Do you want to walk through the scenario, or do you want some background?

>> Alison Rein:

I had a general question about something that was raised in all three scenarios.

>> Kirk Nahra:

Sure.

>>

Are they on?

>> Kirk Nahra:

Why don't you go ahead, Alison?

>> Alison Rein:

It has to do with this definition of repository and non-repository model, and based on my -- some of my discussions with people in the sort of non-repository model, explicitly I'm thinking of a record locator service, it is actually not at all ensured this would be available 24/7. So you would actually be able to locate 24/7, but the actual data behind it might not be available, in fact likely would not be available. So I just didn't know if that was something that we should consider as being another possible alternative, or if people have other views that they've heard on that. That's just something that has come up in a lot of sort of technology discussions.

>> Peter Basch:

This is Peter. I think that's exactly right and one of the benefits of repository model in terms of making it less likely that aggregated information can be tapped into is also a weakness and at least until more and more small physician offices and small hospitals can get 24/7 availability to their data, that's probably more likely than not.

>> Kirk Nahra:

Let's play out what the implications of that are, Alison. I certainly agree what you're describing is a real world -- it happens. There's clearly scenarios set up that way. And I guess I'm trying to figure out sort of how much it matters for going forward with this. For example, if we just cut off that definition, cut out the word 24/7, that presumably includes both 24/7 access and ones that aren't. Does that end up mattering in any of the scenarios?

>> Alison Rein:

I think it does in some of the ones that talk about the timeframe within which it's reasonable to expect someone to be able to access records, whether or not that request is made on behalf of an individual or another institution. I mean, I think in all of these -- I mean, I'm not suggesting that it's going to be 60 days, but I just wanted to raise that because I think it's a very real thing right now, that -- I don't know of any record locator service or other models that exist that even get close to 24/7 access. So either we just strike that and broaden our thinking from here on out, or we ask whether or not there's a difference between 24/7 and --

>> Kirk Nahra:

So I would suggest let's drop that from the definition. I don’t think it matters. Similarly, in terms of something like access, where the HIPAA rule today says 30 days and we're going to decide whether the technology is such that that's a difference because it can be done easier. Whether it's 24/7 or 5 days a week, 8 hours a day. The idea would be you could do it faster than 30 days so probably would end up -- I mean instantaneous versus tomorrow or two days from tomorrow. But let's just -- I don't think there's any particular -- now, do we think that that 24/7 issue exists with repository models as well? I mean, are those always open, or is that -- I don't have a sense of that one way or another.

>> Rebecca Busch:

Hi. Becky is on the phone.

>> Kirk Nahra:

And actually let me back up. On the non-repository piece, Alison you were mentioning, is it the, the records themselves that continue to be held by individual providers? Those aren't available 24/7, right? But is the locator system available?

>> Alison Rein:

Theoretically, yes.

>> Kirk Nahra:

Okay.

>> Alison Rein:

They could tell you whether or not somebody has records located at a particular institution.

>> Kirk Nahra:

I might not be able to get it until the next day.

>> Alison Rein:

Very likely wouldn't.

>> Kirk Nahra:

So the difference there would be that part of the system is probably available 24/7 and part of it is not.

>> Alison Rein:

The ability to say, Alison Rein has records in the following places, is something that you could do. That gets you nothing about the actual data behind it.

>> Peter Basch:

This is Peter. I have a question for Alison. I may have brought this up two calls ago. So the workflow for somebody going through the record locator service, assuming that was up 24/7, would be to identify components of what they want and then make individual requests of the data owners for the particular information, right?

>> Alison Rein:

Right, and there's no guarantee that they have to honor that request.

>> Peter Basch:

No, understand that. But in other words the request might be electronic, it might be a telephone call. You know, there's unfortunately too few models of any of these services to really know what the real state of the (inaudible) is right now. But in your experience has it been where it's used, it's been followed by a phone call? And the implication of that is if it's not a hospital with 24/7 staff in a medical records room, we would know for a fact that the request would not be entertained except during some narrowly defined business hours.

>> Kirk Nahra:

Let's do this for the time being. Let's just cut that 24/7 from the non-repository model.

>> Peter Basch:

Okay.

>> Kirk Nahra:

Let’s keep that -- and again that doesn't mean it's not 24/7. It just means we're not defining it to only be that.

>> Peter Basch:

Right.

>> Kirk Nahra:

And then let's keep that timing idea in mind as we walk through the scenarios. As I said, it's not clear to me that it necessarily changes our analysis of the scenarios. But if there's a situation where it does, we have got to be conscious of that.

>> Peter Basch:

That's fair.

>> Kirk Nahra:

Do we want to turn -- we have two guests with us today that are going to sort of set the stage for the fraud discussion. And Steve or Jodi, do you want to introduce them?

>> Jodi Daniel:

We have Reed Gelzer and Rebecca Busch on the line. They were both part of the model requirements executive team that RTI had pulled together to identify requirements, recommended requirements, for electronic health records that could be used to ensure data quality, as well as prevent or detect potential fraud. And both Reed and Becky presented at the AHIC meeting where they presented the recommendations that this group came up with and they both generously volunteered to join us so that if there are any questions about the recommendations or the process, or what was intended by the recommendations and the like, that they could provide that expertise and knowledge. And, Reed or Becky, is there anything you want to add before we jump into this?

>> Reed Gelzer:

This is Reed, just welcome the opportunity. There's been a lot of question in particular about item 8, and so any questions that have arisen, we're happy to clarify or to take back for amendment to the report. We do have an opportunity from time to time to feed back to the original report group concerns, since there is follow-up to this report intended.

>> Kirk Nahra:

All right, maybe what you guys could do is sort of walk us through what this requirement is, and what was driving it.

>> Rebecca Busch:

This is Becky. The role with the auditor, I think the first part was first acknowledging that the role currently exists, and is active, and that you have all kinds of audits that are occurring in the marketplace, and that from the provider side, the employer side, the payer side, and even the vendor side. So one of the attributes was one, recognizing it as a user. Two, accommodating it, you've got all kinds of audit-type roles that are being recognized in other industries. And three, to make sure that the process for disclosure and purpose of the audit is also intact.

That kind of leads into one of the final commentaries that I know I made that day, is that in any e-health system, at any point in time you always want to be able to identify who did what, where, why, and how. And since one of the attributes of verifying reimbursement or doing any kind of fraud detection, what have you, is there's usually some type of auditor investigator role. I think it's just as simple as incorporating that into the process. And if the policy guidelines, you know, into the future ever had the notion of -- there was some discussion, for example, that the payer should directly access the medical records so they can verify reimbursement. And I think that was modified. So in that sense it's almost like you'd want to parallel having the audit role used because a lot of times information is taken and it is used for more than its intended purpose. Does that make sense? It's -- I don't know, a little bit of a global response and it might be easier if you had like specific questions that I could answer.

>> Kirk Nahra:

This is Kirk. Let me describe what -- I don't know how much you heard of the discussion. We had a discussion a few minutes before and I'm not sure if you guys were on about sort of how the privacy rule currently deals with fraud investigations and audits. And I guess what I've been struggling with is trying to get a handle on how these recommendations connect up to what the rules say. I mean, it is certainly correct that all kinds of audits and investigations go on today. It is clear today that there is often difficulty in getting access to information. I mean, if I'm a health insurer -- and I'll use that as an example just because that's the side I'm more familiar with -- but a health insurer is doing an investigation of a local hospital, for example, I'm allowed to use any information that I have in my own systems, paper, electronic, whatever it is, to conduct that fraud investigation. I can look at -- if I'm concerned about how the hospital treated Steve, I can look at Steve's records. If I want to compare Kirk and Jodi's records to Steve's records in order to do that investigation, I'm allowed to do that, with information that I already have.

>> Rebecca Busch:

Okay.

>> Kirk Nahra:

I am permitted to go to the hospital and say, I need to see your records on Steve. The hospital is clearly permitted to disclose those to me, whether that would be for the hospital's own payment purposes, whether it would be pursuant to the Section 506 provision that we read that allows them to disclose for my purposes. They clearly are permitted to disclose it. Sometimes there are contracts that contractually make them disclose it. Lots of times the provider doesn't want to disclose it and there's nothing in the HIPAA rule that makes them. Today, if I call up, if I'm a health insurer, let's just say I'm a Blue Cross Blue Shield plan, for example, and I call up the hospital and say I think you're committing fraud on my patients and so I need to see Aetna or Cigna's patients in order to do my investigation, it's not at all clear that the hospital can disclose that. It wouldn't fit that 506 section. It's a little harder, and frankly, the hospitals just don't disclose that. You know, there might be some situation where they would, but for the most part they don't have to and so they're not going to.

So that's how it plays out today. If you look at things like the security rule, well, yes, if I'm an investigator for a health insurer and I'm doing stuff in the health insurer's computer system, the security rule should be able -- the security rule tells the health insurer that I can only get access to certain things, or they need to have a policy that only gives me access to certain things. They need to have audit trails in their system, et cetera, so that they know that if I'm only to look at, you know, Steve's records and I looked at somebody else's, they should be able to track that, or are supposed to have systems to prevent that. What I've struggled with in reading these recommendations is trying to match the recommendations up to what the rules are today.

>> Rebecca Busch:

Okay, well, let me give you two scenarios. I could probably hit every angle but since you brought up the insurance side. Like, for example, if you go in, if an insurer goes in and obtains health information, either in the course of an investigation or let's say just to verify services to see if they match up with what is presented, like on the UB-92 or the HCFA-1500. What I don't clearly see addressed in the marketplace is if that information leaves let's say the adjudication cycle, and goes into underwriting to re-evaluate benefits of an insured. Or it leaves the adjudication cycle and then that information, not necessarily on an individual scale, but on an aggregate scale, is -- it goes back and is used for data analytics to renegotiate a provider contract. Okay? So there's other -- that's just like two examples. So there's other uses of data intelligence that may be used in scenarios where financial interests can be intertwined.

In another example, actually I was dealing with a consumer this morning where there's a false diagnosis code that's on a claim, and so I was able to help her write the appropriate letter under HIPAA to have the provider correct what he wrote, but really there's no provision for a consumer to go to a carrier or an employer or anyone else who happens to now house that ICD9 code that is going to affect her basically for the rest of her life, whether she applies for disability, future services, what have you. It doesn’t -- there's not a clean consumer right to correct incorrect information throughout the whole health care continuum. So that would be from like that perspective.

>> Reed Gelzer:

And from a somewhat different perspective, the particular points that drove the discussion for requirement 8, I think that as close as you're going to get to a mapping to existing laws, et cetera, is the last sentence of the header item 8 itself. We did not attempt to map specific functions to specific laws or requirements. We simply stated that the functionality had to support the applicable framework, if you will.

The larger question, from the point of view of our charge, was to recommend broad requirements and in the marketplace currently, such basic functions are not necessarily available as the auditor as a specific user type with appropriate business rules assigned to that user type. What is actually happening in the field now, as you probably are aware, is that if an auditor is given access to an electronic health record system, they're usually given administrator rights or clinician rights which has very few, if any, parameters to place outer bounds on what they can look at. And so technically speaking, in order to place bounds, you clearly have to have a user type to attach that to. So these requirements were really thinking of these systems at a much higher level than the kind of granularity of specific requirements.

The other thing I would note is that the state of the market is such that in some cases if a payer, for example, wanted to have an inquiry on all of John Smith's encounters from June 1st to September 30th, 2007, in some systems that would require a unique database inquiry report to be written at time and materials costs for each and every one of those individual encounters. So the state of the functionality in the marketplace is extremely basic and in some cases for an auditor's need only exists as a -- at the level of a database expert writing discrete and individual reports. So with that in mind, you know, hopefully that will help explain why these are in, not even within shouting distance of the kind of direct mapping to specific legal requirements that you point to.

>> Kirk Nahra:

Let me just ask a couple of questions and then we'll maybe turn to the scenario. When you talk about the marketplace, you mean the marketplace for EHR systems?

>> Reed Gelzer:

Yes. Remember that our charge was to recommend requirements for EHR functions.

>> Kirk Nahra:

But -- so -- but when you talk about the marketplace, you're talking about vendors that sell EHR systems haven't written auditors into them?

>> Reed Gelzer:

Correct.

>> Kirk Nahra:

Okay. Now --

>> Reed Gelzer:

As you can imagine, that's not a high demand item for most clinicians.

>> Kirk Nahra:

That actually goes to my next question, which is what you're describing when you say auditors come in and they're given administrator rights, sounds like internal auditors, an auditor for the hospital, for example.

>> Reed Gelzer:

Not necessarily.

>> Kirk Nahra:

I would be astonished --

>> Reed Gelzer:

Please be astonished.

>> Kirk Nahra:

Let me finish my question. I mean, I've worked with fraud investigators all over the country. I have never seen an insurance company fraud investigator who is given free rein to wander into a hospital's computer system. Never, ever.

>> Rebecca Busch:

You know what, I have. It's not --

>> Kirk Nahra:

What hospital is doing that?

>> Reed Gelzer:

Sorry, be astonished.

>> Rebecca Busch:

I don't think, in the context of hi, auditor, come in and have free rein, I have never seen it presented in that light. But when you sit someone down at a computer and say oh, here's the password, go in, I'm not sure I've seen the appropriate expertise to even realize that they're in essence giving the person administrator rights. I don't think anyone --

>> Kirk Nahra:

But that's a different point. That's a failure of the hospital's current security system and a failure of their current security program, not a weakness in the rules or a weakness -- I mean, that's just dumb.

>> Rebecca Busch:

Well, but you know what, though -- I have to be careful how I say this. I have not come across an e-health system that I have been overly impressed with how it's built. So I'm not sure that the market is providing or selling products that should have maybe the level of sophistication that the banking industry has today. We’re kind of like 20 years behind with some of our offerings.

>> Jodi Daniel:

Are you suggesting that because doctors wouldn't necessarily be demanding an auditor function in their EHR, that if in fact an auditor comes in and wants to access records for a fraud investigation, that they're giving them the ability to look at everything because they don't have the -- the software doesn't allow them to restrict it by -- for the auditor?

>> Rebecca Busch:

I think -- I can address the question that you're asking, but I think -- I'm trying to find the exact language right now in the report. I think you may be over-reading what was put in this particular report with that question. I think because a lot of information is reviewed and -- for a whole host of reasons out there, that the purpose -- Reed, what page is it on in our report, do you know?

>> Reed Gelzer:

I'm just looking at it in the Adobe version. It’s on page 48 of 115.

>> Rebecca Busch:

Okay, good, I'm almost there. There it is. If you look at the definition, the system shall have the capacity to allow authorized entities read-only access to the EHR according to agreed upon uses and only as a part of identified audit, subject to appropriate authentication, authorization, and access control functionality. And then there's a few other things. Require auditor to be a supported class user, limit to pertinent functions, for view only. So it's really more addressing -- don't look at it as an auditor for like an SIU unit of a carrier. It's audit in terms of behavior of people actually reviewing the information.

I'm just thinking like the last couple of audits I’ve done, where I can't even access what was billed. They can't even pull it up. There's like no user function to even do any type of retrospective analysis and retrieval of stuff that they've billed for. And it's not so much the vulnerability of sometimes people often think of, you know, false claims on the provider. I'm just thinking in the scenarios I've been in, where I'm looking for embezzlement of their billing agent, that some of these products that have been sold to especially physician clinics and even your larger entities, I can't even -- I don't even understand -- I can't even fathom why they were built the way they were unless it's for the intended purpose of always having to pay for user support to come and figure stuff out.

Here I think maybe there's a couple things happening. One, I think people are over-reading into this too much. And some of the use scenarios that we've talked about, one is just on a pure access level. And two, because sometimes people go in and do a type of review, where it appears that they have a singular purpose, is to make it really clear that all purposes are identified. And part of this is actually just access. Because some of the ones I've seen, I don't know, I could probably go on for another hour where it would take me three hours to print a one-page (inaudible) or when people do an e-dump of a file, it's -- they don't have the capacity so it's just a raw data dump that is sent out in request to responses. So some of the backend functions with e-health records I’ve seen are just horrible for once the patient leaves a facility. They're really targeted at developing systems that help them work day-to-day while the patient is in-house, but the back office functions I've not been impressed with most of the offerings that I've seen.

>> Reed Gelzer:

And I would wholeheartedly agree with Rebecca to take -- to just request that you take care to not over-read the level of detail that was intended here. Again, our assignment was to recommend basic functionalities, and because of the state of current market offerings, there is an enormous variation in the capability of products to, as Rebecca illustrated, to demonstrate any kind of retrospective analysis of documentation. So these are very much intended to be requirements relating to auditing, whether it's internal, external, whether it's a compliance audit or simply a care quality audit, just auditor in the broadest sense. And that the other elements within the RTI report were also intended to work with this requirement in stipulating types of data that needed to be captured in an EHR in order to support the traceability that an audit in turn then displays.

>> Kirk Nahra:

Why don't we do this? I guess I have a personal reaction that says to me that I would not lump together an internal auditor, an insurance company auditor, and an HHS OIG auditor into one category. I think you're going to do all kinds of disservices to the providers if -- you know, I can understand why an internal auditor might in fact deserve unlimited access to systems --

>> Reed Gelzer:

There is nothing in here suggesting that anyone should have unlimited, uncontrolled access.

>> Kirk Nahra:

Well, my point is different. My point is -- but my statement, I'm going to stick by my statement. I could support the idea that an internal auditor might need full and unfettered access to anything in the system. I think it would be astonishing to give an insurance company auditor or an HHS OIG auditor full and complete access. So I would not want one set of standards that applies to, quote, auditors, whether they are inside, outside, or government. I just think that's -- that strikes me as a bad idea.

>> Reed Gelzer:

It strikes us as a bad idea, too, and that's not what the recommendation says. The recommendation is that the system has to be built so that it can support applicable rules, laws, et cetera. And certainly different rules will apply to different users. Our problem is -- was approaching it from a very high level, that the concept of an auditor as any type of supported class of user, does not exist in the market today.

>> Kirk Nahra:

So your recommendation doesn't address whether this access needs to be more than current rules permit, or less than current rules permit, or should stay the same as current rules permit.

>> Rebecca Busch:

It actually has nothing -- this is Becky, if I can jump in again -- it has actually nothing to do with the current rules or the future rules. What it has to do with is the system's capacity. And think of an auditor who is taking information and reconciling it against something else. Usually it's health information with reimbursement. It could be reconciling -- it's when you're reconciling at minimum two sets of data points. And it's having the functional ability to do that. The 12 physician group right now, my goal is to figure out which revenue went to which doc. The system functionally will not let me even do that basic function. That functionality doesn't even exist for a review process. The way it works is that when claims are processed, closed out, it's gone, it's purged, okay? And a lot of systems work like that. Which, again, is shocking, okay? And even on the payer side, if they ever get e-health, you know, standards for any health, it doesn't matter who it is, whether you're an employer, payer, or provider. I've worked on the payer side where it's frustrating because when you get to certain points in the adjudication points, half the data elements are gone because of business decisions, all right? So this is -- just simplify this, this is only talking about the fact that the functionalities should include a provision that it has an audit access function. So if someone needs to go for some designated, agreed upon purpose, okay? That they have the functionality to go back in there and look at or retrieve whatever it is that they're going to retrieve. If you look at it, such access control shall also support the applicable release of information, local audit policy, minimum necessary, and other contractual arrangements, and laws, et cetera. That it's really focusing more on, I don't know, it's like building an office and you have to put in a front door so people can get in and out. I'm trying to think of a mental visual, is that.

And that's -- this is what -- this is how basic this purpose is. And I guess it's easy to over-read into it, because you would assume that this already pretty much exists in the market, and it doesn't.

>> Kirk Nahra:

All right, well, let me throw this out to the Workgroup. What I'm hearing is while we've been directed to address this recommendation, it's really a recommendation that is sort of parallel to what we're doing. It's not -- it's not really -- it's an issue about system capabilities, and it's not -- it doesn't say anything one way or another about the privacy rule. The fact that you have the capability doesn't mean you use it or the rules permit it or they don't permit it. It doesn't say whether everybody gets to do it, nobody gets to do it, only if you have super secret permission, whatever.

>> Alison Rein:

Can I interject a point, though? If the privacy rule is silent on whether or not there's a protocol and different defined types of users, who should have audit access, and if it's silent on what constitutes minimum necessary for auditing purposes, then it is completely relevant.

>> Kirk Nahra:

But Alison -- I mean that's sort of -- I mean, the privacy rule doesn't say anything about any specific person in the world. It doesn't say what a doctor can do, doesn't say --

>> Alison Rein:

That's their point. It’s because it doesn’t exist, nobody has to build -- maybe I'm misinterpreting, but I sort of think that's what the point of the argument is, that nobody is specified, it's not being built into products, it's not being demanded in the marketplace because there's no rule that says that it should be.

>> Kirk Nahra:

Well, okay, there's two different things. The rule says it should. The rule says everybody should have -- for example the security rule, not the privacy rule, talks about role-based access. So the doctor should have a set of access rules, the auditor should have a set of access rules, the nurse should have a set of access rules. That's -- the rule says that today. The minimum necessary rule says all of your uses and disclosures, forget the couple of exceptions to that, any use or disclosure covered by minimum necessary, you need to have a set of minimum necessary standards for that. It doesn't say, the rule doesn't say when you have a fraud investigation, these people get access and this is the minimum necessary standard, it says that you need to say who has access and what the minimum necessary standards are.

>> Rebecca Busch:

And if you go back to the very first part of the sentence, it's talking about the system shall have. And see, one of the issues I have for providers on a compliance standpoint, if you look at all the OIG HHS compliance guidance, in theory some, some of the market players have to have the ability to do internal audits, reviews, and what have you. And if you purchase a system that doesn't have the capacity to let you retrieve the information -- so it's like -- it's like the discussions are almost pulling out individual parts of the sentences here, but if you read it in its entirety, it's saying the system shall have the capacity to allow the authorized entities read-only, whatever. And then it goes on to such access, you know, shall support the applicable whatever. The rest of the sentence. The guidelines and rules. We're not specifying what the rule is.

>>

Right, no, I think -- we're not -- Becky and Reed, we're not being critical about your recommendations. It's more we're trying to reconcile your set of tasks versus our set of tasks, which are not -- I mean, there's definitely some areas of overlap, but it's not to judge what -- necessarily what functionality should or shouldn't be in a system. That's the role that you all played. I think what we need to do is take a look at what they’ve recommended be in a system, figure out where HIPAA is currently with respect to those recommendations, and whether there needs to be any modifications to those rules in order to advance any of those recommendations.

>> David McDaniel:

And haven't we in a way sort of already addressed this in our first recommendation in that the HIPAA standards be a minimum applicable? And if the security rule already has the expectation that you should be able to audit, haven't we already said that? We're essentially agreeing with this recommendation.

>> Kirk Nahra:

Well, I mean, if you go through each of these, I mean the eight, the heading sentence, look at such access controls shall also support the applicable release of information protocols, local audit policies, minimum necessary criteria, and other contractual arrangements. That's I suppose what HIPAA says at some level. It doesn't say anything about contractual arrangements. Require auditor to be a supported class of user. So the privacy rule doesn't say auditor anywhere, it doesn’t say it in the security rule, but all users are supposed to have, you know, access. Limit access to pertinent functions, I mean again that's minimum necessary, that's use and disclosure, whatever you want to call it. Access remains controlled by the facility. Not entirely sure what that means. Same authentication and audit supports would apply, same. Not sure what that means. Remote access may be offered. Again that's a security rule, you allow that, if you've got appropriate security controls you're permitted, you don't have to. Demonstrate the ability to provide a paper copy of such information. I mean, again, I guess HIPAA doesn't say anything one way or the other about having paper copies of anything. So that would be something different than HIPAA. But not -- I don't know if that's a privacy issue at all.

>> David McDaniel:

Talk about the availability of the data and if you don't have electronic availability, you should have some sort of --

>> Kirk Nahra:

I'm not sure -- that's a fair point, David. I'm not sure that means available to other people necessarily, outsiders, necessarily.

>> Rebecca Busch:

Hey, Reed, are you still on the phone?

>> Reed Gelzer:

Yes, I had to step off for a second.

>> Rebecca Busch:

After listening to the requirements I almost wish requirement 8 read review access, putting review in parentheses instead of auditor, and 8.1, require review access ability. Put review to be supported as a function, instead of as a user, that that probably would have made it a cleaner point.

>> Reed Gelzer:

Okay.

>> Rebecca Busch:

I don't know if that can be changed.

>> Reed Gelzer:

It's something we can recommend as the document goes forward.

>> Rebecca Busch:

As it moves forward? Because I think there's too many perceptions of what auditor means. That --

>> Reed Gelzer:

Okay.

>> Rebecca Busch:

I don't know, I mean, we can think about that and I don't know who would even give feedback to. Again, if you took 8.2, limit access to pertinent functions and reviews only to patient records recovered by the designated review. Because that would cover any role, it would be auditor, whether you're dealing with pre-certification. I know that 8.3 -- no, actually remote access offered -- okay, 8.3, derived from discussions because at one point there was debate going back and forth that if we had a true interoperable environment that direct access could just be made by a third party like the payer or whatever into the provider’s direct medical records or the patient or what have you, and that was kind of like a compromise from the group that there should be some level of filtering, that it shouldn't just be an autopilot direct access. That was the history behind 8.3. Does that make more sense to the folks listening online?

>> Kirk Nahra:

I think that's probably consistent with -- I mean, my friends and clients who are fraud investigators would kill to have open access to the provider systems.

>> Rebecca Busch:

There's days that I would, too.

[laughter]

I would, too.

>> Kirk Nahra:

But I don't envision that happening.

>> Rebecca Busch:

No.

>> Kirk Nahra:

My sense, I understand what the recommendations are. We as our Workgroup can talk through the fraud scenario and discuss that in context of our differences. Are there other particular issues we want to talk about in connection with the 8-point set of recommendations that are coming out of this --

>> Rebecca Busch:

Any of the other ones or just 8?

>> Kirk Nahra:

All we’ve seen is 8.

>> Rebecca Busch:

Oh. Okay.

>> Kirk Nahra:

Any other questions or comments for the folks who have joined us today?

>> Jill Callahan Dennis:

Yeah, this is Jill. Reed and Becky, if you’re going to work on still tweaking the language, let me ask you just a couple of questions.

>> Rebecca Busch:

Sure.

>> Jill Callahan Dennis:

In the main sentence after 8 it says the system shall have the capacity to allow authorized entities read-only access. Do you mean authorized by law, or are you talking about some sort of actual authorization, and by whom? I think you mean authorized by law, and I'm just not sure that's clear.

>> Reed Gelzer:

Actually, it was authorized in the broader sense, under the control of the local facility.

>> Jill Callahan Dennis:

But you don't mean necessarily subject to some sort of authorization process that the patient's necessarily involved in?

>> Rebecca Busch:

No, I think we intentionally kept it general; you can have different situations. In other words, there has to be some -- you can't just have an open door.

>> Jill Callahan Dennis:

But I'm saying when you use the word authorized, it raises different meanings for different people, in terms of whether you're talking about an actual patient authorization process or just, you know, permitted by law, or what. So I just think that wording is a little unclear.

>> Reed Gelzer:

We intended authorized in the broadest sense, because as we all know what constitutes authorization is going to change.

>> Jill Callahan Dennis:

I agree with that. I just think that it may be one of the red flags that people react to.

And the other question I had was when you get into the rationale statement. And where I started to have a lot of specific privacy questions was as it relates to the sentence that says reviewing information over an entire episode of care for a single patient allows greater ability to detect fraud. And of course it does. But then you run into all kinds of issues when there's different pay sources involved in that entire episode of care. And I don't work on the pay side of it, and I don't know how coordination of benefits works, but I mean that is one of the main problems from a privacy standpoint is Cigna wants access to Aetna and Aetna wants access to Cigna and you have the facility in the middle. So I'm not sure your group intended to go there, but having that sentence in there kind of forces us to go there.

>> Reed Gelzer:

Again then the follow-on statement then says such access should be subject to appropriate protocols, et cetera.

>> Jill Callahan Dennis:

I know, but it makes it sound like your group is recommending that there should be --

>> Rebecca Busch:

Oh, I know how you're reading this. Entire episode of care might be like -- I didn't write this but --

[multiple speakers]

-- like for example the entire hospital stay.

>> Jill Callahan Dennis:

I meant it much broader than that.

>> Rebecca Busch:

I know you are.

>> Jill Callahan Dennis:

Episode of care actually could go over multiple hospital stays for a particular treatment. I mean, you may come in for an outpatient lung biopsy and then come in a week later for a full-fledged lobectomy, and depending on who you’re talking to, that episode of care would actually be bigger than just the one, you know, the outpatient treatment wouldn't in itself be the episode of care. I just think that when you have definitions like that, people tend to get drawn in to those discussions and I'm not sure that -- after hearing your explanation of this, I don't think that's really what you want to say necessarily.

>> Reed Gelzer:

Okay.

>> Rebecca Busch:

Sometimes I use episode of care meaning like that episode, either that confinement or that visit or that whatever. I can see how you can read that, though.

>> Kirk Nahra:

Put it this way. It seems that whole rationale paragraph raises an issue that I'm not sure you meant to raise.

>> Rebecca Busch:

No.

>> Jill Callahan Dennis:

That's what I'm trying to say.

>> Kirk Nahra:

The whole thing. What Jill is focusing on is part of it. But I mean, I don't know whether -- when you describe the rationale, it sounds like you're suggesting there should be more access to records than some standard that I'm not sure what it is, but you're not really saying that.

>> Rebecca Busch:

No, because --

>> Kirk Nahra:

I would delete your rationale. I don't think your rationale connects to your recommendations.

>> Rebecca Busch:

Reed, do we have the authority to do that?

>> Reed Gelzer:

We can only collect recommendations. The report has been accepted by the ONC, where you are, so we will convey those recommendations with our continuing contact with the report. But keep in mind that all of these are recommendations that have many other processes to go through before they would ever be translated into, say, for example, a functional requirement for certification under CCHIT. This is at the very, very front end of a very long process, but these discussions are extremely helpful just because we did not have universal representation of every possible viewpoint at the table, of course. And so there are nuances that we don't intend, and there's nuances that we thought were fairly straightforward and obvious, but obviously were not.

>> Kirk Nahra:

Okay. All right, any other questions or comments for the folks that are on the phone? Any questions from people on the phone?

>> Reed Gelzer:

The only request that I would make would be that it's very helpful for all of the venues that are working on these issues to keep in mind that at least for a long period of time, we're not going to have the best things we can come up with. And the vendors are having a great deal of trouble figuring out how to get from where they are now to the vision that's 10 to 20 years away. So as we go through these things to keep in mind, like Becky and I mentioned, there are widely deployed systems out there that have for all practical purposes no review functions, no traceability functions at all, is a context that needs to be kept in mind as you're describing the ideal condition.

>> Kirk Nahra:

Sure. Now, one of the things, and this is a general comment for our Workgroup, which is one of the things we should think about as we’re looking at all of these different issues, and this was driven home to me at I think the very first hearing where we had testimony. I remember one of the witnesses when we were talking about I think it was access restrictions and one of the people from the hospitals, I'm paraphrasing but essentially said yeah, we can't possibly put all those access restrictions in, because we wouldn't be able to run the hospital. What I'm hearing as we hear some of these points is the stuff you're describing, making sure that people have appropriate access restrictions, are in fact actually covered by the rule today. The reality may be people aren't doing it.

>>

The functional aspect.

>> Kirk Nahra:

And maybe part of our recommendation is the rule is appropriate, but people really better take this seriously now, because it's now a bigger risk.

>> Reed Gelzer:

Exactly.

>> Kirk Nahra:

It’s something they’re supposed to be doing anyway, maybe they’re just not doing it.

>> Reed Gelzer:

Exactly.

>> Kirk Nahra:

We're having a little bit of a discussion in the room right now as to whether the alarm that's ringing requires us to --

>>

It stopped.

>> Kirk Nahra:

Okay. I guess we won't be abandoning the building.

>> Reed Gelzer:

That is exactly the point that we had hoped would be conveyed by this report, is that there are wide ranges of rules out there that are well accepted, and in some cases in law, that are not captured by existing systems.

>> Kirk Nahra:

For the folks on the phone, we are being told we do in fact need to -- we do in fact need to leave the building for a fire drill. I'm not sure how we will re-notify you, but we will let you know when we are back.

You're welcome to stay on.

>>

Kirk, if you could have somebody send a blast e-mail when you're back in the room, that will get us back on.

>> Kirk Nahra:

I'll do that.

>>

Thank you.

>> Reed Gelzer:

Rebecca?

>> Rebecca Busch:

Yeah. Hi. Are you there?

>> Reed Gelzer:

Yes.

>> Jennifer Macellaro:

This is Jennifer, I don't mean to interrupt, but just so everybody knows, we're still being broadcast live on the Internet.

>> Reed Gelzer:

Very good, thank you. Before we start sharing our innermost personal secrets.

>> Jennifer Macellaro:

Exactly.

>> Reed Gelzer:

Appreciate that.

>> Rebecca Busch:

It's interesting how all these different terms and definitions are being interpreted.

>> Reed Gelzer:

Yes, but in a lot of ways don't you think that in some respects this is exactly what we were hoping as an outcome, because a lot of these definitions kind of get blithely thrown out as if everybody agrees on exactly how they should work and that they already exist. I think if nothing else, I'm very heartened that we were able to insert in the conversation that the concept that some of the issues they're debating are really kind of moot.

>> Rebecca Busch:

Yeah. No, no, no. Each one, you know, as you progress or take a step forward. And I don't know --

>> Reed Gelzer:

Well, and the other fact, that unfortunately until people start attending to these issues more, those products out there that have developed robust review functions have no competitive advantage in the marketplace.

>> Rebecca Busch:

No, I mean you have more experience on the vendor side. I just get stuck auditing whatever someone happened to purchase. But I don't understand from, from a business side, personally responding, I don't understand from a business side why they're not being incorporated as a function anyway. They know how the vendors are reacting. We're hearing different -- have you heard of any vendors reacting to this report?

>> Reed Gelzer:

Yes.

>> Rebecca Busch:

And they’re having heart attacks?

>> Reed Gelzer:

Well, it varies immensely because the risk varies immensely. What has -- just again speaking just from my personal observation -- what I have found disheartening -- well, disheartening is too strong of a word. What I've had difficulty understanding is why companies that have robust products are not using this report to illuminate their superiorities.

>> Rebecca Busch:

I think some of them are growing too quickly and too fast.

>> Reed Gelzer:

I think part has to do with the concept that the people buying these systems for the most part are not particularly anxious in making external review easier. And that's a completely fair thing from the point of view of the current marketplace, it's just, I don't know anybody that craves a higher level of accountability.

>> Rebecca Busch:

You know what, though? I think it might be even simpler than that because I don't see a lot of back office function roles involved in the purchase of it.

>> Reed Gelzer:

That is another excellent point.

>> Rebecca Busch:

That's more of what I've seen.

>> Reed Gelzer:

I guess I'm going to congratulate you that you actually have had contact with organizations that when you're looking to do a review, are doing something other than printing out the records and giving you printed copies.

>> Rebecca Busch:

I offer people for free if I've ever audited them, that I will come and sit on their purchasing committee when they go to buy a system. Because of this reason alone, retrieval access is a nightmare.

>> Reed Gelzer:

Excellent. How many people have taken you up on that?

>> Rebecca Busch:

You know what? A lot of them.

>> Reed Gelzer:

Really? That's excellent.

>> Rebecca Busch:

Just because it makes my job a hundred times harder. And their ability to I think (inaudible) themselves or deal with reimbursement issues or quality issues. I mean, it all trickles down.

>> Reed Gelzer:

You've just given me an excellent suggestion that I can recommend to other people I run into that do auditing and who do have audit clients buying these systems. That's a value-add that they can offer that works for both sides of the equation.

>> Rebecca Busch:

Yes. I would think so. Now, they wanted us to be available to answer questions, and they're out doing a fire drill right now.

>> Reed Gelzer:

Apparently there's some sort of event that required them to evacuate the building. I'm thinking we can always just -- there's a moderator still online, yes?

>> Jennifer Macellaro:

Yes.

>> Rebecca Busch:

Do you want to let us know if they would like us to come back if they were able to address other questions? Do you want us to hang on for a little bit?

>> Jennifer Macellaro:

I'm not sure how long they're going to be and I don't personally have contact information for you, but if you wanted to get off the line, I can just have them give you a call back if they needed to when they return.

>> Rebecca Busch:

Do you have e-mail? Do you have access to e-mail?

>> Jennifer Macellaro:

I do.

>> Rebecca Busch:

What's your e-mail?

>> Jennifer Macellaro:

What?

>> Rebecca Busch:

What is your e-mail address?

>> Jennifer Macellaro:

We're being broadcast over the Internet so it would probably be easier to do it -- I mean, if they've got the contact information for you --

>> Rebecca Busch:

Okay.

>> Reed Gelzer:

Yes, they do.

>> Jennifer Macellaro:

That way we could have them contact you when they return.

>> Rebecca Busch:

That's fine.

>> Jennifer Macellaro:

I'm hoping to hear from some of our staff soon about when they're going to be back in the building.

>> Rebecca Busch:

Okay.

>> Reed Gelzer:

How big is the building?

>> Jennifer Macellaro:

It's not that big a building.

>> Rebecca Busch:

Oh, okay.

>> Jennifer Macellaro:

But there is security at the front and they'll have to go through that process.

>> Reed Gelzer:

So they're going to be gone for a while. And I have a 3:00 phone call I have to prepare for anyway.

>> Jennifer Macellaro:

Okay, so I'll tell them, then, to give you, Rebecca, a call if they need you, when they return?

>> Rebecca Busch:

They can call us both.

>> Jennifer Macellaro:

Okay.

>> Rebecca Busch:

The person who originally contacted us has our contact information, right?

>> Jennifer Macellaro:

Right.

>> Rebecca Busch:

And I assume he was part of the meeting?

>> Jennifer Macellaro:

Right.

>> Reed Gelzer:

Very good.

>> Rebecca Busch:

That sounds good. Thank you.

>> Jennifer Macellaro:

Uh-huh.

>> Reed Gelzer:

Bye.

[break in meeting due to fire drill]

>> Chris Weaver:

Hey, it's Chris.

>> Jennifer Macellaro:

Hi, Chris.

>> Chris Weaver:

Just so you know, I got off the phone and they are still out in the parking lot, fire truck just got there. And I told him about the two people that hung up and that we could bring them back in. But not past 3:00 because he had a conference call?

>> Jennifer Macellaro:

Right, but the woman didn't say so.

>> Chris Weaver:

FYI, they're still in the parking lot.

>> Jennifer Macellaro:

Okay.

>>

All right.

>>

They are still out in the street of the we are on hold.

>>

Okay.

>> Jennifer Macellaro:

Hi, this is Jennifer. We've got word they're back into the building, so it should be 5 or 10 more minutes.

>> Judy Sparrow:

Jennifer, are people on line?

>> Jennifer Macellaro:

Many people are on the line. Some people have disconnected. I know that you said you were going to send an e-mail to let people know when you were getting back. I don't know if that has been done yet.

>> Kirk Nahra:

That has gone out.

>> Thomas Wilder:

This is Tom Wilder. I've now been able to join you. Thank you.

>> Kirk Nahra:

Did you miss the fire drill, Tom?

>> Thomas Wilder:

Yeah, apparently so, yes.

>> Kirk Nahra:

Too bad you weren't here with us.

>> Thomas Wilder:

I could have run down here or something.

>> Kirk Nahra:

Sit outside in the sun.

>> Jodi Daniel:

I missed the fire drill, I was in my office and couldn't actually hear it.

>>

When I was in the basement, I heard it go off.

>> Kirk Nahra:

Did it really?

>>

Some guys ran in and shut the door.

>> Kirk Nahra:

Oh, that's how it works.

[laughter]

>> Jodi Daniel:

You do know there was, in fact, a fire in this building in the past few, about a year ago.

[multiple speakers]

>> Kirk Nahra:

Oh, okay. All right. Are they back in? People back on?

>> Judy Sparrow:

Rebecca and Reed, are you on the line?

>> Jennifer Macellaro:

I told them that -- they disconnected, I told them we would call them if they were needed.

>> Judy Sparrow:

Thank you.

>> Kirk Nahra:

But are the rest of the people on, the lines are open?

>> Jennifer Macellaro:

Yes.

>> Kirk Nahra:

Okay. All right. We are going to start back up again. For those on the phone, you missed a wonderful happy hour out -- what street is that, C Street? In the 90-degree heat.

Let me turn it over to Deven for a second to sort of summarize where -- we had some discussions out on the street. But sort of summarize those for purposes of where we're going to go with the rest of the discussion of those, that fraud recommendation.

>> Deven McGraw:

Yeah, we continued to do a little work out there. So what we thought would make sense, and we want to get feedback from the other folks in the room as well as people on the phone, is we heard from Reed and Becky about what, the functions that they recommend be part of an EHR for various auditor purposes. And they didn't really consider the legal requirements, obviously there's a catchall sort of legal requirements piece. Given that we've been asked to respond to AHIC about this recommendation, what we thought would make sense would be for us to essentially say that the recommendations that they make for functionalities of EHRs to support various auditor functions are in fact consistent with the existing HIPAA rule. And -- as far as we can tell, and we don't see any need for modifications at this point. This is our response. Again, it's consistent with our approach and the work that we're doing to look at how HIPAA applies and whether there are gaps that might need to be filled. So that was our suggestion. Did I miss any piece of it?

>> Kirk Nahra:

Unless we wanted to suggest that they delete that rationale.

>> Deven McGraw:

Oh.

>> Kirk Nahra:

Because that seemed to raise privacy issues that they didn't intend to raise.

>> Deven McGraw:

Right, actually, and you just reminded me of another thing. Two other pieces that we might add to our response. One is the one that Kirk just mentioned, and the second is you know, clearly -- well, they think that the EHRs that are being produced now are not meeting those functions, and since those functions are arguably already required by current rule, you know, there may be a role here for better enforcement, better education, et cetera.

>> Kirk Nahra:

Deven wanted to make sure we kept working on the break because she now gets her higher pay raise, being a co-chair.

>> Peter Basch:

This is Peter. If I could add to that, as opposed to, or in addition to the concepts of better education and enforcement, I just think it's also (inaudible) imperative to have those functions because I speak with EHR vendors frequently about competing needs and a lot of them are struggling now in a market where they're just trying to kind of meet the price point of demand and increasing provider needs, increasing CCHIT functionality needs, and if this bubbled up through the AHIC, I think it would be something that would be more likely to be on the table for EHR developers, because I agree with what's been presented, that auditing functioning has been patchwork at best.

>> Kirk Nahra:

That's an interesting point, and I guess this ties in to what the folks were saying earlier. I mean, one of the things that we've had as a little bit of a guiding principle, although it hasn't come up particularly recently, came up a lot when we were looking at identity proofing, was we didn't want to make recommendations that were going to be a problem to developments in the marketplace, were going to be an impediment to the marketplace. It's just an interesting point you make, Peter, that basically they, what -- and I'm paraphrasing you a little bit, I realize, that the EHR vendors are basically saying we can't develop this at a price point that anyone will buy it including these functions.

>> Peter Basch:

Well, they could but right now, if we look seriously at where most EHRs are, they're still fairly primitive and they are struggling to, within their development (inaudible), which are not (inaudible) because the market is still fairly immature and they're still trying to create their business case for providers and provider systems to buy them, to prioritize what needs to happen first. And I can tell you from a personal perspective, that a lot of the quality and safety functionality improvements that people like myself have been arguing for, for years have been put on hold for a while, while companies have struggled to meet 2006, 2007 CCHIT requirements and what was brought up about fairly -- this doesn't sound very polite but I'll say it anyway -- lame audit functions within the EHRs. I bet you most EHR companies are aware of that, and because there has not been intense pressure to develop those functions, that just goes to the bottom of a long list of development needs.

>>

But if you were a HIPAA-informed provider you wouldn't want to purchase something that was going to make you non-compliant with HIPAA to begin with.

>> Peter Basch:

No, of course not. Of course not. But is this something that most providers would be aware of? No. And the EHR vendors would say that they are, and that the audit functioning exists, or the audit role functioning exists, but that it's not particularly advanced. You know, if I were to look at many of the EHRs I've looked at in terms of the audit capabilities, they certainly exist and they certainly do have some control and some read-only control. They're not highly developed. So I think that from the provider perspective and I don't mean to represent vendors here because I don't, but I think from what I've heard from vendors, they wouldn't say they're not HIPAA compliant. They would say that their audit capabilities are, you know, reasonable and meeting the marketplace demand. Clearly they need to be better.

>> Kirk Nahra:

One other thing that brings to mind, and this is going to come up in some of the other elements we're talking about today, and in the Federal Register notice that's going out for questions from the RHIOs, but for example we had some discussion last week, or at our last meeting, excuse me, about access requirements and amendment requirements. And things like was there -- did the RHIOs have the ability to let individual patients come to them and make access requests? And there was some discussion about patient identification and identity proofing and authorizations and things like that. And there seemed to be a sense around the room that that was something that was going to be easy for the RHIOs to handle. But I do wonder, when we're hearing about some of these technological limitations on some of these products, whether that's in fact going to be a much harder challenge and whether some of our assumptions about how advanced the technology is may not in fact be right. I mean, that's something we're going to just need -- it's not directly relevant to any particular issue we're talking about today but I do think we should keep that in mind when we are going through issues and we're saying oh, we can add in this functionality, we can have aspirational goals, perhaps, but we want to keep in mind if we're making recommendations that don't to us necessarily sound that involved, for example, the idea that something should have an audit trail doesn't sound that involved because we know it's something that should exist already. But if the answer is no, it is actually really hard or not feasible or not what people are doing, we've got to be conscious of that, aware of it. Again, I don't know that that means we don't make a recommendation that it doesn't need an audit trail but we have to be aware of the meaning of that.

>> Peter Basch:

And Kirk, my point was not -- I think at least my experience and it's not as extensive as our two presenters, I think, is that most EHRs I've looked at do have audit trails. But do they have an auditor function that is as robust as it should be? That's what I think the distinction is. You know, I shouldn't admit to multi-tasking, but while I was listening I just went into my own system remotely and certainly I can see audit trails for certainly contributors to documents and who has been looking at particular documents. But do we have a role in the system where I can assign somebody as an auditor? No. Do I have a read-only access? Sure. But is it as robust as the two presenters were describing? Absolutely not.

>> Deven McGraw:

So it sounds like part of the recommendation could be -- of course, we can draft this up and then obviously circulate it to the Workgroup members for comment. But that maybe one part of it is a general recommendation, again, that the HIPAA rules in fact are supportive of and arguably require the functionalities to be part of EHRs. And again, that goes to the education and enforcement piece. I mean, I'm not sure how far we can take that recommendation beyond that component. But at a minimum I'm certainly comfortable with going that far.

>> Peter Basch:

Sounds reasonable.

>> Kirk Nahra:

We'll try to write something up and get that circulated.

>> Steve Posnack:

We've got until January at least, though.

>>

That’s the next AHIC meeting?

>> Steve Posnack:

In November, but I think it’s slated--

>> Jodi Daniel:

It's slated to be talked about in January although we can bring it back in November and make sure people are comfortable with the recommendation.

>> Deven McGraw:

Plenty of time for drafting.

>> Steve Posnack:

Right. That's what I was getting at.

>> Deven McGraw:

Okay, good to know.

>> Kirk Nahra:

All right. What we are going to do in the interests of time, given our earlier events of the day, we are not going to talk about the fraud scenario for the time being. It's a pretty -- it's an un-evolved scenario at this point, it’s sort of a sentence, so we’re going to flush that out, and then probably bring that back to the group at some other point.

We have two other scenarios that were distributed with the meeting materials, and the one we're going to spend some time with today, not clear if we'll get to the second one or not, is to focus on the one that deals with accounting of disclosure. And this is I guess a two-page document that was circulated. We've had a lot of discussion about various individual rights. We've also had some discussion of things like audit trails, which are obviously a component of a system’s security, something that companies are today supposed to have in their system so they can figure out who has been looking at certain things, but that idea of an audit trail does not today carry over to any patient right or any consumer right. So we're going to try to spend a few minutes talking about that topic, and then sort of see where that takes us and we'll decide if we have time to move on to our next scenario.

So the scenario again, very straightforward. We're not putting a lot of meat on these today. But Mr. Johnson has contacted several entities to request an accounting of disclosures. We are talking again, we're using our HIE-DC, which is a local health information exchange comprised of 100 providers, 10 hospitals, 3 insurers, and 2 labs, presumably a reasonably small subset of providers in the market, but again just sort of what we're using as our overall framework. We've got this idea of repository model and non-repository model. We'll obviously make the same changes we had talked about earlier in terms of the availability.

In terms of the baseline, how this rule works today, how this would be handled today, is Mr. Johnson has the ability to make a request of any of the providers or health insurers that he has a relationship with. He has an obligation to essentially make them individually. This rule -- this right is governed by Section 528 of the privacy rule. It is critical to understand that Section 528 of the privacy rule gives individuals the ability to receive an accounting of only certain disclosures and that those disclosures are very much limited. The major limitations being any disclosures for treatment, payment, and health care operations, those are not included on the accounting statement. I don't know that I've seen any statistics, but I would guess that that's somewhere north of 95 percent of all the uses and disclosures that are made, are subject to -- are TPO disclosures and therefore are not included on an accounting statement. There also are not -- you do not include disclosures that are pursuant to an authorization. The idea behind that is obviously I have to -- if I have to authorize you to make a disclosure, I know about that disclosure and so therefore it doesn't need to go on the accounting list. And there are a variety of other sort of less significant exceptions.

So essentially if you try to parse this together, and one of the things that's hard about the accounting rule is it basically says you account for everything except the following things, and so companies struggled for a while, all right, what is left? What is that everything that we have to account for? And if you go through the rule, essentially what I think that means are the Section 512 disclosures for public policy purposes, so that if I make a disclosure in connection with a public health disclosure or there is a disclosure to a law enforcement agency who is investigating a bank robbery, you know, subject to those rules, or there are research disclosures, litigation disclosures, whatever, those are what need to be included on the accounting list.

I think it is fair to say -- if people have different opinions, I would appreciate hearing them -- but I think it is fair to say that the accounting right has been very limited in its use by individuals. I am aware certainly of large health insurers, large hospital systems, who don't run out of fingers on one hand counting the number of accounting requests that they've gotten in four or five years. Some companies had a small trickle of these at the time the privacy rule went into effect. Some people wrote in and said I want an accounting of disclosures and were surprised to find out after two days, the answer was there weren't any disclosures subject to an accounting of disclosures because it takes a while to build up. So right as of today, it is a right that is not very well -- not utilized very extensively. I don't know whether anyone has an opinion on whether that is because people don't understand the right, don't know it exists, think it covers more than it does. Although, think it covers more than it does, I've heard that as an explanation, but I would think that would lead to lots of requests with unsatisfied -- people getting unsatisfied answers, rather than not making requests. If I think I'm going to get all the disclosures, I still make the request and then when it comes back there was only one disclosure I'd be surprised at that. I don't really know what to make of it. I do know that a lot of covered entities put a lot of time and effort into building an accounting of disclosure system. For most companies that has been a lot of work and effort for no particular value. Certainly no value to the companies and essentially no value to patients, just because they're not asking for it, so people are not getting the benefits of that.

>>

Kirk, just as another perspective, those of us who also have to comply with the Privacy Act of 74, do have to account for more disclosures than would be shown in the industry as a whole. And I think when we're looking at EHRs or sharing agreements where we might be sharing information in government agencies with non-government providers, that's going to become a factor for us because we would have to be able to account for disclosures that they wouldn't necessarily have to account for. Just something to throw out.

>> Kirk Nahra:

The other thing to keep in mind about the accounting of disclosures. A couple of facts that people should bear in mind. One is it's not all disclosures, it excludes, in fact, most disclosures. The other piece of it is that it's not an affirmative obligation to disclose anything to individuals. And so for example, you know, every health insurer will 100 times a year disclose certain information to law enforcement agencies in connection with a fraud investigation, for example. That might involve a thousand patients. I mean, I'm making up numbers. But unless one of those thousand happens to be the one making the accounting request, there won't be any connection between the two. If one of the other patients asks for an accounting request and their record didn't happen to be one of the ones that went to the law enforcement agency, they'll still get an answer back saying there were no disclosures. So it is not at all an affirmative disclosure obligation. That has become relevant to health care companies who are dealing with things like State security breach laws that do impose affirmative obligations. Sometimes people are saying, well, I'm going to deal with that by putting it on my accounting of disclosures list. I'm going to put a privacy breach on my accounting of disclosures list and that will take care of things. Well, it certainly doesn't result in notification to an individual unless that individual by pure coincidence happens to write in for an accounting and happens to write in at the right time after the security -- you know, close enough to the security breach happening for it to be useful but before it happens because there wouldn't be any information there. So this right again is, it's set out as a fairly limited right, isn't affirmative.

You know, the other piece that I guess will be relevant as we start talking about the RHIOs, is that in theory business associates are supposed to keep track of disclosures that trigger the accounting rule as well. If I'm a health insurer and I get five accounting requests a year, in theory I'm supposed to have some vehicle for reaching out to my business associates to figure out if there have been disclosures that would trigger an accounting requirement, that's become an enormous practical issue because there's no particular vehicle by which to do that. I mean, the idea that seems to be envisioned in the privacy rule, although this isn't explicit, is that when I get a request, I would now reach out to every one of my 5,000 vendors and say, Jodi has made a request for an accounting, do you have anything triggering Jodi's accounting? And you will get at least 4,999 either no responses at all, or no, I haven’t. So companies are essentially not, in many instances either not doing that or trying to find some other vehicle around that. Again, there's a lot of steps that would be done to have a perfect accounting system. Right now it's a lot of time and effort and resources being put into something that is not today being used.

So that's sort of the HIPAA baseline. Is there anything anybody wants to add about how that rule works today, either what's in the rule or their experiences in practice with the rule?

>> Leslie Shaffer:

I know within the TRICARE Management Activity -- I’m Leslie Shaffer, by the way -- that we do have a system that does that accounting for disclosure, and our MTFs, our medical treatment facilities, actually enter those into the system and so we've got a centrally managed repository so that if anyone can ask, if any beneficiary asks for that accounting of disclosure, we can provide that. It is a challenge, I think that it's a situation where we need more awareness, they don't understand it. So I have to agree with you there. They do not understand it. So we've noticed where sometimes they'll do an accounting for disclosure, and obviously it's treatment, payment, health care operations, which you would never do. But anyway, we at least meet the requirement.

>> Kirk Nahra:

You know, a couple other things with that. I think there are certainly companies and agencies that are going through those steps. You know, I get questions a lot that come -- for example, a company might be in litigation. Let's say that -- I don't know if this happens to TRICARE because of the way government agencies get sued. But if a health insurer gets sued saying, class action lawsuit that involves whether doctors got paid enough for pediatric, you know, regular healthy child visits. So in the course of that litigation, and you're going to produce claims information for, you know, 5 million healthy child visits, the idea that a company should sit down and key in to their system 5 million or 5,000 or whatever entries of healthy child visits that were produced in this litigation pursuant to a protective order, because it's possible that one of those families might make an accounting request later, is a real challenge. And again, it's one -- you know, I think companies are looking for ways around that. There's certainly not -- the system you're describing, Leslie, makes it very easy on the back end when the request comes in. It's more work on the front end to get it ready. A lot of companies will do things like make a note in their system, we had to produce five million healthy child records, if somebody writes in we can figure out if their record happened to be on there, it's more work on the back end but you do it one time instead of five million times. Companies are dealing with this and I don't think for the most part companies aren't following the rules. But if all of a sudden there was an onslaught of accounting requests, companies might find that they're not in fact able to meet those requirements.

>> Leslie Shaffer:

And we also have our managed care support contractors, they may not use the system per se but they have to account for those disclosures so they would be providing that information.

>>

We've actually been putting a lot of pressure on our facilities to keep a list of their business associates that do make disclosures on their behalf that would require an accounting and periodically review those. What we found is that you may have a lot of business associates, but only a very, very small number ever make disclosures on your behalf. And --

>> Kirk Nahra:

But you may not have any idea who those are going to be.

>>

Right, but the facilities are now being asked to keep a record of all their business associates. And then cull that down to the ones that make disclosures on their behalf, based on the services they're providing. And then periodically see, can these people account for disclosures. So in the event that one does come up, we can go to that vendor and get it.

>> Kirk Nahra:

There's a lot of different approaches that one of the hard things about that is somebody that doesn't produce information on your behalf might get sued some day or might have a regulatory investigation or might have something that is not the course of providing a service to you but it still requires production of -- so it's a little hard, I think, to, again, in reality to just guarantee. I mean, you can absolutely play the odds and play the odds particularly where no one is asking, again there's a cost benefit issue there. But it's a very difficult rule right now. Again, if you were to be perfectly set up to do it every time, it's a very difficult rule to comply with, without at this point at least seeing much benefit. Things like access and amendment we talked about last month. I think those are being used far less than we might have expected, but they are being used and there's a real -- nobody is talking about getting four access requests in four years. It might be 400 or 4,000 rather than 40,000 but it's at least something that’s coming in on some kind of a regular basis. I'm aware of health insurers that have had zero in four or five years. And so that's the baseline.

Now, any other reactions, comments? Any other pieces we missed about sort of the state of the play today? Anything from anyone on the phone about that? Okay.

>> Peter Basch:

Kirk, it's Peter. I would agree with your comments.

>> Kirk Nahra:

Peter, let me ask you this. Do you see any different experience on the physician side? I have the least experience in that regard. I assume physicians aren't getting any more of these requests?

>> Peter Basch:

No, I agree completely, and you know, I don't want to speculate either on why we're seeing so few, but I certainly count on -- actually, I would say the numbers I'm aware of is about zero in my health system. I was going to say one hand, but less than one finger. But I agree with your comments about access and amendments. We're seeing some.

>> Kirk Nahra:

Well, the other thing that's interesting, again, if somebody is aware enough of the privacy rule to ask for an accounting requirement, they probably can figure out that they're actually going to -- they're not going to get information they probably care about. Is the parent of a child likely to have any particular -- I mean, someone might, but is there any particular reason why if my child's records for a healthy child visit were one of five million produced in litigation pursuant to a protective order, do I particularly care about that? It's not a case about my child. It's not any publicity. I mean, it's sort -- most of the public policy disclosures really have very little to do with the individual person.

>> Peter Basch:

No, I agree.

>> Kirk Nahra:

There are exceptions to that, maybe a public health -- if somebody’s HIV I don't know, whatever things require public reporting, that obviously is direct to an individual. But most of the things on there, the litigation, and you know, the fraud disclosures typically that the investigation is involving a doctor or hospital, not the -- the patient is just a vehicle. It's not that -- it doesn't really matter whose records it was. That's again I think another part of why that rule -- or that right has been exercised so little.

>> Peter Basch:

Right.

>> Kirk Nahra:

All right. So what we should spend our time on today, and we can do as much or as little as we need on this, is again, the differences question, how this would be different in a HIE environment. One of the obvious answers and I think it’s essentially the same issue that we talked about with access and amendment, was you now have the possibility through a HIE to make 1 accounting request, you know, if you've been to 10 doctors and you have 1 health insurer, you have the ability in theory, we should talk about whether it works, to make 1 accounting request rather than 11 separate accounting requests.

Obviously, we've got a couple of issues to that. One is do we want that to be the question, I mean, the approach? Two is do we actually have any reason to think that the HIE would in fact be able to do that? I mean, would an HIE be able to answer the question of what disclosures one of the hospitals made in connection, for example, with litigation, or a fraud investigation, or public health reporting. I sort of assume that the answer is the HIE would have far less-- whatever ability they would have to provide access, they would have far less ability just because they're not involved in the operations of the hospital, health insurer, or doctor.

>>

We talked about that last meeting, and that because of all those operations influences that might cause disclosures that an HIE wouldn't have any record of, that it almost has to be pushed back to the covered entity to do that. While it would be a great service to be able to go and do one-stop shopping to get that information, you'd have to change the dynamics of what kind of information is given to the HIE in order to do that.

>> Deven McGraw:

Well, and the kind of information that's available through an accounting.

>> Kirk Nahra:

Well, but actually, David, you said one thing that triggered something in my mind. One-stop shopping could be the request, even if it's not the response to the request. For example, could you set up -- you have the ability to say you can make an accounting request through the HIE. The HIE's responsibility is to send it out to the relevant facilities and then they have to deal with it.

>> Jill Callahan Dennis:

But Kirk they're not going to know which the relevant facilities are because they won't have any knowledge of what disclosures have taken place. What they would have to do is send it to every participant in the network and say have you made any trackable disclosures?

>> Kirk Nahra:

Well, there's two -- okay, that's a fair question. Let me break that down a little bit, Jill. It seems to me there's two possibilities there. One is the relevant entities would be -- well, a couple of possibilities -- one is the relevant entities would be whoever the patient says the relevant entities are. Rather than me -- I mean, I know the doctors and hospitals I went to. Here they are, can you send this out to them? That's one vehicle. That would eliminate that particular problem. Second would be the HIE would know what providers I've been to, at least, you know, were the creators of records for me. The third and the broadest would be the possibility that some provider I've never heard of both accessed my records and made a disclosure that would trigger an accounting request. I don't know how often that would happen.

>>

Could be a lab, you don't necessarily know what --

>> Kirk Nahra:

True, but play that out. Would -- I don't know, I mean I don't know how an accounting request goes to a lab today, because I don't know they exist. But I also don't know how likely it is, and there's a question for the group, how likely it is that someone sort of I don't know about would -- I mean, we know some of them have access to records, we know it’s not that many of them, presumably. But would they have any reason to make a disclosure that would trigger an accounting request?

>> Peter Basch:

You wouldn't think so.

>> Kirk Nahra:

That's sort of my initial reaction, Peter. But let's think that through. What are the scenarios by which a provider I've never heard of look at my records, again, putting aside security breach kind of situations? I mean -- but a hospital that I've never been to -- we've got the front end issue of whether that hospital is ever going to see my records anyway. That's a bigger issue.

>>

I'm just thinking out loud here but I'm thinking perhaps a specialized facility that's considering a patient that's been referred to them and then rejects that patient for whatever reason. You know, a skilled nursing facility might take a look at a patient who is being treated in a hospital and run them past their admission criteria and say no, we can't handle that patient.

>> Kirk Nahra:

Let's go with that example. I don't have any idea how often that happens or whether the patient knows about that. But let's put that aside for a second. So they do that, they make their analysis and say sorry, we can't keep them.

>>

You can't even take them.

>> Kirk Nahra:

Is there any reason why that skilled nursing facility would make some subsequent disclosure of information that would trigger an accounting request?

>>

That's where I'm just sort of thinking off the top of my head. And I can't come up with any scenario off the top of my head where they'd be making --

>>

Maybe were compelled by law to disclose criteria for accepting patients.

>>

That would work, yeah.

>> Kirk Nahra:

Let's play that out. A couple of things. First of all, I would think that the normal course of events under HIPAA for that facility would be they probably shouldn't keep that information in the first place. I mean, if they're not -- and frankly, I probably wouldn't want to keep -- if I'm -- so I would be keeping information about somebody that I refused admission to. And I don't know if there's anyone on the phone that would know the answer. Is there any reason that hospital would keep that information, that nursing facility would keep that information?

>>

I wouldn't think so. I think the example that was given is close to a realistic one if we flip it around a little bit, which is when a provider might refer a patient to another specialist and the patient changes their mind and doesn't go. That happens with a fair amount of regularity. Providers who like to get ahead of the curve will send information to a specialist A, you know, assuming that the patient will keep the appointment and then because of either geography or transportation issues, chooses to go elsewhere. And that happens with some regularity and I think as you suggested, Kirk, that the -- in that case providers typically don't keep the records when the patient doesn't keep the appointment.

>> Kirk Nahra:

Let's play that out. Let's assume that for whatever number of situations that referring doctor does keep the information, nursing facility, that may be a better example. They keep it for whatever reason. They keep it. So they'd have to -- there's some number of patients that they get referrals they don't accept. There’s some number that they keep the records for whatever reason. Then you have the question about is there a disclosure? So Alison's scenario is they get sued a month later, all the patients they've referred have been -- that they've rejected admission to have been, I don't know, African-American and there's a discrimination lawsuit. And so those records get caught up into it. Possibility.

>>

But even in that scenario, I'm sort of running through the privacy rule in my head, and you know, your disclosure of that information for your own defense falls under health care operations, so that's not a --

>> Kirk Nahra:

Interesting question. I'm not sure that interpretation is right just because there is a specific provision of the rule for that. I mean, you're raising an ambiguity in the current rule. But I guess the question in our analysis is going to be, that example strikes me as possible but kind of far-fetched. And in the discussion about the HIE, the difference would be -- I mean, I'm sort of supportive of where David started, which is I don't know that the HIE should have any role in this. But if we give them a role and we have those three choices of what the patient identified, what I know, the people I know treated the patient, or everybody in the system, the only way to capture that one would be everybody in the system, and you do that a whole lot of times for the needle in the haystack that might happen once.

>>

I tend to agree with David's point of view on that. The only -- (inaudible) if you have --

>>

We have a new Workgroup member.

>>

Is that a dog?

>>

Yeah.

>>

Not at my house.

[laughter]

>>

But if you hear a cat meowing, that's what it's going to be from.

>>

That's what set the dog off.

>>

Listen, if you've got a repository model HIE that as part of their business model does some sort of, you know, sell-off of the data, and I'm not suggesting there are models out there doing this, I don't know, and I think that's one of the things we're kind of flying blind on. But if somebody were going to use some of the data to make some sort of external disclosures for marketing purposes or whatever, I mean I think if the health information exchange is going to get into the business of making trackable disclosures, then they need to be subject to the rule. But I don't know that any exchanges intend to go into the business of making trackable disclosures.

>> Kirk Nahra:

That's a fair addition. If the exchange itself is making disclosures, again, today -- today they have to respond -- I mean, if I'm a, you know, pharmacy benefit manager for example today and that means that the patient might know those people exist even if they're not who my direct relationship is with, I can go to them and make an accounting request, or I can clearly go to my health insurer and say I want this request to include disclosures made by this vendor of yours. That clearly is part of the rule today. I think the issue here would be do we make the HIE reach out to, you know, again let's say I've been to 5 of these 100 providers, do we make the HIE reach out to the other 95 on the needle in the haystack possibility that A, they got my records for some reason that I don't know about, B, they kept my records for reasons that don't sound very normal, and C, they happened to make a disclosure subject to -- I mean, I'll guarantee you that at least 94 out of 95 times the answer will -- you need all three of those to be yes.

>>

Let me give you another scenario that sort of puts a wrinkle in this whole concept of having them be responsible of reaching out, based on information they're getting from the patient as to who they might be getting that information from or who they’ve seen. Say you've got an elderly patient who has recently been cared for by one of their children and this elderly patient is suffering from senility and can't even remember what doctors they've seen, and the accounting would be necessary for the son or daughter to get a better handle on who has seen my parent, and you know, what kind of services have they gotten so far. They're going to this one --

>> Kirk Nahra:

The accounting would be a horrible way to get that information, you'd only get the accidents of some other kind of disclosures.

>> Jodi Daniel:

It seems to me the only place -- one place it might be valuable is the place you had mentioned which is security breaches, if there's a concern that either the HIE directly or that an organization, that a particular organization had a security breach, those are accountable.

>> Kirk Nahra:

I'm not even sure I'd agree with that. But it's a terrible vehicle -- I mean, if you want to tell people about a security breach, the State laws force you to tell people about a security breach.

>>

Not -- very few.

>> Kirk Nahra:

Forty States. That's hardly very few and every company now is treating that -- that's a fact, Alison.

>>

I didn't know it was that high.

>> Kirk Nahra:

It's astonishing to me that -- no company that operates in more than one State right now is saying I'll tell people in these 12 but not in the 2 that -- it's happening more, but -- and that's clearly a potential gap in the HIPAA structure because people weren't really thinking about that when the HIPAA rules were passed. But accounting is a terrible vehicle to do it because it's a complete accident if somebody, you know -- you have to initiate an accounting request, and be the victim of a security breach, and have the timing be such that it's, you know, it works out. I mean, it's a bad vehicle for that.

>>

Can we refer to the baseline question, the last one says does the model of the HIE matter, and I think the answer to that is yes because depending on the model, they may be much better equipped with their infrastructure to not have it be an exercise of looking for a needle in a haystack. They actually may be the entity that's better poised to look throughout their system.

>> Kirk Nahra:

Okay, let's walk through that. What would a model -- what would a model be that -- where that would be the case?

>>

A lot of the State-based models that are emerging.

>> Kirk Nahra:

Play that out. What does that mean?

>>

I don't know exactly how their infrastructure works, but I'm just suggesting that they have -- that a health information exchange at a State level has connections with all of these entities, and they have sort of decided as a State how each one of these entities has to interrelate with the health information exchange. So there isn't sort of the latitude that may exist with some other health information exchanges. So I am not 100 percent sure, but I would imagine that they may actually be able to ping all of their systems or even look, if it's an aggregated data set, and just do a search.

>> Kirk Nahra:

But let's play that out. That's where I was going, which is let's say that system exists and let's say you have a model where I'm the RHIO, and I even know everyone who has gotten information about Jodi. And it may include some hospitals and providers Jodi doesn't know about. So I know all those people. My point about needle in the haystack, that's only the first of the three steps in the needle in the haystack. So you're going to ping all of those people, A, to find out if they in fact got records, we're going to say yes to that. We're going to assume in some systems the answer is they know who got them. But they're going to A, have to have kept them, and B, have to have made a disclosure that would trigger an accounting risk. I think those two are going to be the needle in the haystack. The people that will keep the records are mainly people treating me and I'm going to know about them. The ones that -- the nursing facility, the referring doctor that doesn't end up treating me, I don't think they're going to keep any of those records, so they're not going to have anything to disclose anyway. Let me finish up. They're not going to have those records, and they've got -- even if they still have something, there’s got to be that discrimination lawsuit that produces the disclosure that would trigger an accounting response anyway.

>>

I think what you're assuming, though, is they don't have some sort of formal mechanism for accounting for all disclosures. If you look at an organization like ours, if somebody were using a common system to ours, and the central location was able to ping that, they could tell by virtue of the fact that when we get a disclosure for any purpose, a lawsuit or any other kind of purpose that requires an accounting, we have a release of information software that you log that in to and you can ping that system any time and know

>>

But not all facilities will have that.

>>

Her point is if you could put that functionality in place and everybody shared that, then you would have everybody using a common methodology for accounting disclosures.

>> Kirk Nahra:

Do we have any reason to think there's any system that’s anywhere near that?

>>

Yeah --

>>

I'm not.

>> Kirk Nahra:

I'm talking about an HIE system.

>>

They're similar.

>>

As someone pointed out earlier it's such an emerging field we're not sure but I think there are certain States and maybe other HIEs at a regional or some other level that are trying to get that level of coordination --

>> Kirk Nahra:

Let’s find that out.

>>

I think that’s true. I don’t think that -- it’s certainly true that it’s an emerging field, but I’m not aware of any that have that functionality. And I’m sorry, I don’t know who all the other people speaking are, but the gentleman who said that his system keeps an automated tracking of disclosures, from an institutional perspective, is that something that your organization would feel comfortable pushing up a level to an HIE to have visibility of and to be able to ping at will, or would you still want for political, organizational, administrative reasons those requests to come to you?

>> David McDaniel:

It was David McDaniel from Department of Veterans Affairs.

>>

Apologize, didn't recognize your voice.

>> David McDaniel:

That's okay. Well, first of all, we're probably a bad example because we have other Title 38 regulations that prohibit us from participating in those groups right now and we're working on trying to get some relief on that. But I think we would be, we would be willing to do whatever served our veteran population the best. And if we were participating in a group like that, and I think that we would, you know, we would consider that. I mean, certainly if you could build an infrastructure where you're moving the whole industry closer to a model where we're talking the same language, why not do that? I mean, that’s what the HIPAA transactions and code sets and standard identifiers started this whole discussion on.

>> Kirk Nahra:

But part of that -- so that would mean that you've now disclosed to this HIE the fact that you've conducted 438 fraud investigations involving these patients, that there's been litigation involving these people and public health reporting involving a bunch of your veterans. It's a lot of pretty sensitive information. I mean, the categories --

>> David McDaniel:

Most of that's probably pointable to us anyway.

>>

The point of health information exchange is better access to information and transparency for everyone. So I know that's a big picture off-topic, but I guess when I read these examples, I'm looking at it as it exists now, and as people are envisioning it to be, and the models that I see emerging, it’s a possibility that they would have the capacity to do this.

>> Kirk Nahra:

But okay, let's play that out. What do we do with that? Peter said earlier that the vendors and all the technology people are trying to figure out what to do and they've got -- one of the reasons they haven't put auditing role is that that's not a priority. Here we've got a right that today is being exercised by almost no one. I guess I struggle -- I mean, yeah, we could say we want a system that has all of these things. It's possible, it's -- I would love to hear if there's anyone today who is doing anything like this in a HIE environment, or that's even on their radar screen as a function they're really trying to do. I would be hesitant to make a recommendation that says you should put that high on your priority list, when what it really is doing, it's making more convenient something that people aren't using today.

>> Deven McGraw:

Well, I want to -- I want to go back to the question of why people aren't using it today. Because in some respects the discussions about whether we should impose these requirements on HIEs is way ahead of what to me is a threshold question of this is a meaningless requirement and are people not using it because in fact they don't care about accounting, or are they not using it because the information that they would ever get out of it is not what they want. What they want is who looked at my record for treatment, payment, and health care operations.

>> Kirk Nahra:

Okay, that is an absolutely fair point. We don't -- we can speculate as to why people aren't using it.

>> Deven McGraw:

We probably won’t be able to get that answer but it always went out of the gate as a limited right.

>> Kirk Nahra:

All right, so that's a good way to refocus our discussion, which is the HIPAA rule today created a specific accounting rule. For better or worse it created a specific accounting rule.

>>

And we must comply with that. We have to do it.

>> Kirk Nahra:

But that's the rule today. So the question is, what is there about the HIE environment that would have us push a recommendation for something different? Now, one of them is because we can, or because we might be able to. That's a possibility. Second is that possibility might create convenience. Again, a possibility. We should discuss whether there are other differences that push us towards saying you can, you know, you get more information about who looks at your records in this environment than you do in the rest of the health care environment. What's the, you know, what's the difference between the environments? That's how we're -- that's the sort of focus --

>> Jodi Daniel:

Right, and one potential difference in an HIE environment is that an entity can essentially pull (inaudible) and whether or not it’s a disclosure for which an accounting is required, but an entity can pull data, perhaps without the entity who is holding the data knowing that there's been a specific request. So if a specialist is saying, well, I want to see data on -- this is for treatment purposes, but if a specialist is saying I want to see data on this patient because I'm going to be treating them and I want to know what else is out there, it is possible for that specialist to request from the HIE, where else is this data on this patient, and get access to that information without the specific primary care doctor saying, oh, I do know the specialist? Should I disclose this to the specialist? Because they're all part of the same HIE and they’ve all agreed to the same rules. So the information could potentially flow more easily through a HIE based on rules that are established by the HIE, and so therefore I think it's a difference that's worth discussing as to whether or not that necessitates different rules with respect to who has seen my record. Maybe the accounting --

>>

Because that's for treatment purposes, is that germane to the discussion?

>>

Yes.

>> Jodi Daniel:

I was saying it's not about the accounting right under HIPAA. But it is a question, it goes to number 3 about auditing functionality and about what Deven said as to well maybe it's because the information that you can get from accounting isn't what they want. And the question is, is there something different in an HIE.

>>

I actually think there is because depending upon how the HIE is constituted, if it strictly is a record locator service that gives nothing but a name and some identifier, so one can make an appropriate request to a provider or institution for information, maybe not. But if what's displayed, and what I've seen with some is there's a lot richer detail. Some might even put up, you know -- we have lab information or we have EKGs, and in some case you can drill down one additional level and you can see what you're looking at before you go down deeper. So in that sense there could be a very distinct difference between today's environment and -- a current segment of our environment and your future environment.

>> Deven McGraw:

But I appreciate that, Peter. This is Deven. And I'm actually in my head trying to separate the discussion of whether we impose these requirements or an expanded set of requirements on HIEs, and I want to go back to talking first about whether this rule in an exchange environment is the right rule even for the existing set of covered entities. And I know that the principles that some of the consumer organizations have developed with respect to the building of these systems pretty much all say you should be able to get an accounting of who has looked at your records.

>> Jodi Daniel:

Not a HIPAA accounting?

>> Deven McGraw:

They mean more from -- yeah, it's basically a real accounting. Who looked at your records and touched it or used it or disclosed it, et cetera. And I think that they're in there because people have the perception whether it's right or it's wrong, that in an electronic environment with the computer technology where it is now, that's actually a lot easier to do than it was in a paper world because the systems track users. They track our cookies when we’re on the Internet, they know what we look at on the Web, they know who we are and what we like. And we have a health care system that we hold up to the model that in fact has more permissive accounting -- accounting disclosure possibilities. So we know it's possible. It is something that people have requested. So back to the sort of threshold question about what needs to happen to HIPAA, not just to fill gaps, but to advance the system. If this is a trust-building piece, is it worth exploring a recommendation for something, for a stronger requirement? And I put that out there because we started talking already about well, here's the rule, and do we apply it to HIEs and I know part of our exercise is supposed to be is there more -- do we need or want more than HIPAA?

>>

That's fair.

>>

I think there would be incredible frustration among many stakeholders, probably not just consumer organizations, if we got all of the benefits of a health information exchange for every other entity and that did not afford any additional rights for patients. I mean, that seems, if you're going to talk about greater consumer engagement in their health care, you just throw it all out the window if you only look at the accounting that’s currently provided by HIPAA.

>> Deven McGraw:

And I think it would be helpful, actually to know, and I wouldn't necessarily ask this question to RHIOs, although maybe I would ask it in addition to provider-based systems, internal systems, how are they building them? Are they building them with stronger ability to give patients an accounting? Are they letting patients know that this possibility exists? Because HIPAA, we know is just a baseline. People may be, as a market-driven -- I don't know -- I mean, I can't quite frankly imagine myself ever asking for this, but it certainly is something that I know some of the constituents that we work with and the different organizations feel pretty strongly about.

>>

Some of the discrete providers are building portals, but that doesn't get you to connect to all the other entities that provider has a relationship. That's something I don't think has evolved in the market. But I think that's the vision.

>>

Kirk, you're awfully quiet.

>> Kirk Nahra:

I just figured I’d let people talk for a while.

>>

I had to go on mute so you wouldn't hear my dog barking again.

>>

That was your dog?

>>

I confess it's mine. Sorry.

>>

It sounded like a big dog.

>>

He is, he's a big white fluffy snow dog who hates this warm weather. So he is expressing his unhappiness. I apologize.

>> Steve Posnack:

This is Steve. Maybe I can summarize what I understand. Maybe that will help, in terms of filling the air time here. So we have an accounting rule that isn't particularly useful in terms of the information that people would like to have in it. If we --

>>

And is consequently underutilized.

>> Steve Posnack:

And is underutilized.

>> Kirk Nahra:

Although we're definitely making an assumption. Again, keep in mind, none of the HIPAA individual rights are being used right now.

>>

That's right --

>> Kirk Nahra:

Way less than I think people expected it to be used. It's not as small as accounting but it's pretty low.

>> Deven McGraw:

I don't know if we'll ever get to whether there's a causal relationship between one or the other. Again, it could -- you know, I don't know that it matters.

>> Kirk Nahra:

Well, it matters to the extent we end up making -- it matters if we're basing a decision on what we think people want and they don't actually care about it.

>> Deven McGraw:

I wouldn't -- well --

>> Kirk Nahra:

Or they're not going to use it. It's a right they're not going to use.

>> Steve Posnack:

Pushing me into the conversation. So I guess my question is, we have all of these unconnected covered entities that are obligated to comply with the rule right now. Now we connect them up. In terms of the differences that we've got, the differences that in this environment, in a connected environment, there could be a new obligation to identify when the exchanges are taking place. The pull example is a good difference as an example, you don't know that you're getting -- you don't know that you're disclosing information, because people are pulling it from you, and you don't have any interaction with that.

>> Kirk Nahra:

You, the provider?

>> Steve Posnack:

The people’s systems that are getting the data pulled from them. So we could come up with a recommendation where we would say everyone is interconnected now and the concern or the desire from a consumer perspective is that we would like to know when information is being exchanged, those -- an accounting of that. Because -- I guess -- I don't know if you want to expand the current set in addition to saying this is the new environment, I'm a specialist, I go and pull a bunch of your records, Deven, and now Deven comes to the health information exchange and says I'd like an accounting of disclosures of whatever has taken place in the exchange. So you get an accounting that I went and pulled all your records which it gets to who is viewing your records.

>>

As a consumer of health care, when -- if my providers were in a pull me, push me sort of relationship with my data, I would want a higher level of accountability. I would want them to be able to know -- tell me who is going out and pulling this information. And is it somebody that's legitimately going out and pulling this information. If it's my podiatrist that's pulling it from my GP, that's great, if I know they have a need for it. But if it's somebody doing research on me, I'd kind of like to know that, too.

>> Kirk Nahra:

Isn't there a way to control that, create the rules to do that, rather than an accounting rule? The researcher -- we're either going to allow a researcher to pull that or we're not. The system is either going to permit that or not. But the best way to control that is whether you let the researcher do it or not, not did the --

>> Jodi Daniel:

They do permit it. But the question is not knowing whether it's permitted or not. Assuming that some things will be permitted, the question is should there be an ability for consumers to find that out?

>>

Or providers.

>>

Or providers.

>>

You know, did this person get pinged for some research study based on --

>>

Yeah -- that's a completely different issue.

[multiple speakers]

>> Kirk Nahra:

Probably controlled by the rules -- for example, I mean, Steve, you mentioned a pull system where -- I'm trying to figure out how this works. But a pull system where the hospital that has put records into the HIE wouldn't know that someone else on the other end has pulled their records? Is that a scenario --

>> Steve Posnack:

This is the one that you used the other day where I present myself to the hospital and all you've got is my driver's license, you type in my name. And then 18 records from all different places that I've been comes up and you click them and you hit give me the records. And it just pulls them from, and there's no kind of signoff from the other end that you can have those records.

>>

Because they've already made a global signoff on this level of information for this patient is allowed to go to these X, Y, Z.

>> Kirk Nahra:

If I'm the hospital, am I going to be able to know who those people are? If I wanted to check, could I do that, usually?

>>

Depends, I think, on the agreement they have with the HIE.

>>

I think you would.

>> Kirk Nahra:

Whether an accounting, a modified accounting rule is the way to control that or whether you do it other ways.

>> Jodi Daniel:

There's an issue of control and there's an issue of transparency.

>>

Yeah.

>> Jodi Daniel:

And I think they're two separate issues and I think we should address both, and we're only talking about the transparency.

>> Kirk Nahra:

Again, my dead horse, I've been beating this forever, is today --

>> Jodi Daniel:

We're going to get Kirk's dead horse.

>> Kirk Nahra:

I mean, today there are various doctors, you know, the specialist scenario we just described. Forget HIEs. A doctor, my GP may be able to send my records to a specialist to figure out if I should go there. The patient -- whatever. In the HIPAA world today, which would be that world today, I have no right to know about that, through an accounting request or any other request that I can make. I want to try to focus on we're going -- are we going to give people that right here when they don't have it here? That's the question in my mind. We may all in this room -- I mean, I personally think the accounting rule is a ridiculous rule. You have two options -- I would see no reason to it in its current form. So you either get rid of it or you make it useful.

>>

Right.

>> Kirk Nahra:

I'm indifferent on which of those you do.

>> Deven McGraw:

Okay, good, because I'm not.

[laughter]

>> Kirk Nahra:

But pick whatever. But what I'm struggling with is why you would have one rule in the rest of the health care system and a different rule in this system, and I want to understand why we say have it here when what I think we're really saying is we don't like the original rule.

>>

In part because the old system is a paper-based system and I don't pretend that I know what the drafters of HIPAA were thinking, you guys would probably be much better able to do that but I imagine it's that it would be far too burdensome to expect that for all these different reasons we should have every transaction subject to a person's request at every possible level of the health care system because that's just way too much paper for us to wade through and we’d have to have 50 full-time employees in order to do that, hypothetically.

>>

But the game changes when you go into that electronic environment.

>>

Exactly.

>> Kirk Nahra:

So the reason to do it would be that we can?

>>

It's a different medium, it's far more feasible.

>> Deven McGraw:

It's we can and it also presumes that but for the burden it was desirable.

>>

It’s a far more fluid medium, too. To share that information is easier.

>> Kirk Nahra:

I mean, I'd be curious whether that's in fact the rationale for --

>> Deven McGraw:

Oh, I suspect there's a lot of other things buried in there. I'm not that naive.

>> Steve Posnack:

I think that's what I was trying to get at --

>> Deven McGraw:

Yeah, you did summarize it, you put an extra layer on it, which is to open it up more but only for discrete situations and I'm not ready for that modification yet, but, you know, it may be that in order to get consensus, that's where we end up going. But yeah, I don't like the rule, I'm not in favor of a dual set of circumstances, and I also don't think it's going to be a dual set of circumstances for all -- for very long, which I think is the point I raise every time we talk about why are we going to have different rules for these people and different rules for others. We're moving into an era where we're not going to have that many people -- or that's the desire and I think we should be setting up a system for what it is that, the world that we want --

>> Kirk Nahra:

Yeah. Let's play that out a little bit. I guess I don't view the world today as paper and HIE. I mean, the way that would work out is if we're moving to a system where everything is only through the HIEs. And even if everything is electronic, that assumes, that idea would be that all activity of all the health care organizations is trackable through the HIE. Let's use litigation as an example, which is a huge source of large disclosures that are required to be put on an accounting list. I would be astonished if that normally goes through an HIE. If a hospital is in litigation and has to have material produced to some plaintiff's lawyer pursuant to a protective order, that there would be any realistic scenario, brainstorming on technology, but where the HIE would be involved in that, or would know about it, or would be tracking what the hospital is doing in its malpractice defense litigation. And so I think that part of the two levels is we're going to continue to have a health care system that's not only HIE. Everyone may be part of an HIE, but that doesn't mean the HIE runs the whole health care business. So I mean -- so we're still going to have a HIPAA world and a HIE world. Right now it's mostly a HIPAA world. We may -- that percentage may move so bigger and bigger parts are HIE, but that's never going to take over the whole health care universe.

>>

-- because all of these discrete providers and other parts of the health care system are both part of the HIPAA world and the health information world. So all we're saying is that they have a technology that supports and enables their usual business practices or they don't. And right now, the preponderance of them don't, and one day we hope they will.

>> Kirk Nahra:

Do we have any reason to think those business practices that an HIE environment supports will also control how hospital defends its litigation and produces records in discovery?

>>

They may produce them electronically, I have no idea.

>> Kirk Nahra:

But I'm not sure -- I'm not sure electronically is the right word there because it wouldn't go through the HIE in any way. I mean, electronic exists today without HIE, for most -- I mean, most of these productions are going to be electronic today. No one else knows -- none of the other business partners of that hospital know what the hospital is doing, when it produces records in litigation. It might even be against the HIE. So there's just no reason to make that -- I don't see the connection between the two, and even if all hospitals in the future are part of an HIE, I still don't see why the HIE would have any knowledge under any scenario of what the hospital is doing to defend itself against litigation.

>> Deven McGraw:

Right, I guess you're collapsing the earlier distinction that I made, which was whether we apply a set of accounting rules, whether it's these or some new and improved version that I'm trying to get us to consider, to HIEs. I want to -- I’d really love to take that off the table. Because I'm just talking about what gets applied to current covered entities. Because I think it does get confusing when you talk about whether the HIE is going to be required to produce the accounting. Are they going to know about what got disclosed? Is it just about what they disclose versus what gets disclosed by the covered -- I mean, it raises a different set of issues, but I think you have to answer the threshold question, which I hope we can get to, which is this rule in this environment as applied to covered entities.

>> Kirk Nahra:

Say again the threshold issue.

>> Deven McGraw:

I mean, I would like us to consider, because I don't think you can get to the question of whether the rules should be applied to HIEs or not before you address the question about whether the rule is a good rule for covered -- current covered entities, providers, plans, et cetera, in an electronic environment that is increasingly becoming more interconnected.

>>

We don't get the same number of those requests in our organization that we do for other requests, access requests, but we do get some and we get probably a fair number. And I wonder if it's because we do account for some of those disclosures under the Privacy Act, that normally, under HIPAA, other covered entities wouldn't have apply. And I think that's to your point, maybe it is more attractive to the consumer if they can get information about where you're providing to other health care providers or to health plans or some of the operations areas that you wouldn't otherwise be capturing under HIPAA. We're doing that under the Privacy Act and I wonder if maybe that's why, because it's more attractive. You're getting more information.

>> Kirk Nahra:

Let me go back to your question, Deven, there were two elements to that question. One was as people move to electronic, and two, that electronic environment is increasingly integrated.

>> Deven McGraw:

Right.

>> Kirk Nahra:

There are plenty of people today who are electronic.

>> Deven McGraw:

Right.

>> Kirk Nahra:

And --

>>

Not necessarily for medical record and treatment. That's a huge distinction.

>> Kirk Nahra:

Okay, fine. So I guess what I'm -- I'm just trying to understand about the threshold you're setting up. If we're going to ask is this rule a bad rule for when people go electronic, whenever that's going to be, 100 percent electronic, not -- the integrated is separate step, but if Peter's company is 100 percent electronic, and we're going to discuss whether the accounting rule is a good rule or bad rule for that covered entity company and that setting, we can have that discussion, that's exactly, I think, unless I'm missing something, the discussion that we've been trying not to have, which is, is HIPAA good or bad. Isn't it?

>> Deven McGraw:

I thought part of the discussion we were having is does HIPAA still work in an environment that is different than it was when it was enacted?

>> Kirk Nahra:

It's a little different phrasing.

>> Deven McGraw:

But I don't think it's the same thing. Because the circumstances have changed and are evolving even more still with every year that we engage in these discussions, and efforts on the Hill, for whatever they're worth whether anything’s going to happen to try to push this further, coalitions of stakeholders trying to push this harder, get it done faster, we all need to be electronic, first of all, then we all need to be connected, it's not the world we were living in when it was enacted. So I'm not saying good, bad HIPAA for that particular set of circumstances. I'm saying does HIPAA still work in this new environment? And it's about both whatever gaps there might be but also what you might need to do to facilitate movement in this system.

>> David McDaniel:

So if it's inevitable that we're moving in that direction, do we really have to discuss it from the standpoint of is it working in today's environment with covered entities? If we have the discussion about whether or not it's workable in a future tense electronic environment, aren't we in fact dealing with the current because of the undercurrent pushing us to move in that direction anyway? Rather than having to deal with, to Kirk's point, is HIPAA good, is HIPAA bad, does HIPAA work in what we see in our very near future and does it need to be manifested in a different way so that we get the best benefit in that new world order?

>> Deven McGraw:

It works in an electronic environment fine, because you know, people can still submit these requests theoretically for information that don't actually want or they can not submit those requests. But is it something that we think is positive for where we want to go in the broader sense of a health information exchange, then you can't get there --

>> David McDaniel:

I would argue it might not work given the new complexities of the environment that's just on the horizon. Because of the amount of information flow, the ease of information flow, the accountability factor has to increase. And I think, you know, if we say it does work in electronic environment, in status quo, yes, it does. But the broader picture of what we're trying to reach with this new connectivity, I don't think it does. I don't think it fits.

>> Steve Posnack:

Question. This is Steve again. So I think I'm going to summarize a little of what David just said in that if you make everyone electronic, the rule still works. Right? I don't know if anyone is disagreeing with that.

>> Kirk Nahra:

David had a different view on that.

>> David McDaniel:

I’d like to hear his synopsis.

>> Steve Posnack:

Okay. So if -- I don't know if -- I don't want to put words in your mouth either. Let me just ask this question. If we move everyone to being 100 percent electronic, and we look at the accounting rule, it works as it is. It functions status quo, as it is. It's not --

>> Deven McGraw:

There's no defect in the rule.

>> Steve Posnack:

Right. There’s no defect in the rule. By virtue of the fact of that, there isn't a difference there. We get to a tension here now where we don't believe -- we believe it could be implemented better. And I think I'm hearing Kirk's question is, what Kirk has been articulating is because we can. And I guess my follow-up question to that is going to be why?

>>

The other thing I heard, Steve, was not just because we can, but because there's going to be a necessity for consumer buy-in to these health information exchanges for them to be successful. And that some additional transparency may be warranted in order for people to be willing to opt in or, you know, participate in those exchanges. And that's just the other thread that I heard.

>> Steve Posnack:

Answering my why.

>> David McDaniel:

You picked it right from my brain because that's what I was thinking when I was trying to convey that. Because I really do believe that as we get more capability of having one proprietor go and pull information so that they're ready to treat me, I want, I want the confidence that is there that says I still have some control over that. Because it seems for me as a consumer that it gets real out of control. If all of this exchange of information is happening without me having any control over it, or even being able to know what's happening, it's a scary environment for me. And I may not buy into that environment. And I think that does up the ante from what we've had as our current model.

>> Steve Posnack:

I guess the follow-on question to the scope of how one would like to improve the accounting requirement, and kind of David's point in terms of the bandwidth and the throughput and everything that would need to be tracked electronically, there's the capability to do that, but I guess there's a question of the volume of all that information.

>> Deven McGraw:

Well, I don't know what it would be, and I think David is probably right that as the systems build and the information flows more easily, that it -- you can ask for your accounting and you would end up with a stack of paper. Or they'd extend to you electronically it would blow up your computer. I don't know. I would be interested to know, because this is I think a complicated topic that probably you don't resolve in one meeting, I would be interested to know as we're gathering information from some of these systems being built, whether they're giving consideration to this and building in stronger requirements -- well, I don't want to call them requirements, but a stronger accounting function.

>>

Like audit trail capability I think is what we would want to ask them about.

>>

Yeah.

>>

But you could also, if you had the ability to make a request, even electronically as a consumer, you could specify the parameters, so you could say give me everything in the last six years, although I don't know that anyone would really want to do that.

>>

It will look like your iPhone bill.

>>

Right. But you could also say I'm really just interested in the month of June so it might not be -- maybe by engaging people, you're opening up the possibility that you’re not imposing the level of burden you anticipate.

>> Steve Posnack:

I guess my other scope question is what do people want to see the most? Would it just be treatment? I mean, because right now it doesn’t include TPO, so do we not care about P and O, and we want them to --

[laughter]

>>

O is the big one.

>>

Yeah, you know.

>> Kirk Nahra:

You say O is the big one. I don’t understand. O is the big one because --

>>

A big one.

>> Kirk Nahra:

But I want -- here's the question. Are we talking about within companies, or disclosures?

>> Deven McGraw:

That’s a good question.

>> Kirk Nahra:

Because I mean, within a company, does somebody care that their health insurance claim goes into the person who pays the claim and also goes to a finance person and an underwriting person to figure out their protocols for future --

>>

We're talking about accounting for disclosure, so it would be talking about disclosures.

>> Kirk Nahra:

We're not talking about accounting for disclosures. We're talking about something entirely different. So --

>>

We're talking about an audit trail.

>>

Which is likely uses.

>> Kirk Nahra:

That's a question. If we're talking about uses. Are we talking about uses in a hospital? You want to know, again this is a question. Do we want to know every single person in that hospital that ever saw that record?

>>

Some people do.

>> Kirk Nahra:

What are we going to do about that? If all of a sudden, that's an enormous tracking device, most of which is not part of the HIE. I mean, are we assuming the HIE is going to know everything that's going on -- right. But that's not the integrated environment. My question earlier was --

>> Deven McGraw:

Yes, it is Kirk.

>>

It is, actually. If you're entering information into a database, usually when the person logs in, it has a signature that then recognizes that all of the information entered by that person is somehow flagged in a certain way. So let's say there's four different people in an institution, there's four different flags that appear. If you're --

>> Kirk Nahra:

Where do they appear, at the hospital or in the RHIO?

>>

Depends upon how they're structured. Could appear in both. Certainly appear in the institutional level, and I don't know, you know, enough about the system -- I don't know there are enough systems that are fully based to be able to answer that question. But I would suspect that it's at least a possibility that they would be able to look at that level.

>>

Certainly if it's the author of an entry of a data element that's going to flow through the exchange, you're going to be able to know who it is. But you'll never know who looked up within an institution at the exchange level, I wouldn't think. Just a mere lookup.

>> Kirk Nahra:

I mean, that's my question. If we're going to track uses for purposes of this, whatever we're, accounting-like thing --

>>

And I guess the other thing in reality is if you generate the kind of audit reports that would be generated by that, who is going to be able to monitor them? Except for a request for accounting where you could go back and say these are all the people who touched your record or used your record or disclosed your record or changed it. I mean, that would be great, but that's going to generate whole computer systems full of data, just the audit trails capabilities. A lot of people would not be able to do that because it would just take their systems to their knees.

>>

Right. You know --

>>

That's the struggle.

>>

The question does come up in the accounting of disclosures section. I know that what people are desiring is something that looks more like, you know, this person logged in and looked at my record and I get to know that, whether it was internal, external, whatever. I don't know whether that's possible or reasonable. And I don't know that we could be prepared to be able to sort of set those parameters. I'd like to have a discussion about it.

>> Kirk Nahra:

How do we do that?

>>

Auditing function is a requirement under HIPAA security. That’s for sure. It's a requirement.

>>

And I actually, I would suggest that the requests for audit trails is becoming more common than the requests for the accounting of disclosures. And the context in which it comes up, at least in acute care is typically a patient who senses or has a suspicion there's been an internal lookup by someone who knows them, inappropriately. And very often the hospital will agree to share, to do an audit trail for lookups on that patient. And will either confirm to the patient there was an inappropriate lookup and we're dealing with it, or that we found no evidence of anything inappropriate.

So there is that desire out there, but before we sort of came up with a recommendation that suggested sort of full-fledged audit trail access for any possible reason, I guess I'd want to know what sort of burden might go along with that in terms of technical bandwidth and the things that audit trails require. Because I just don't have a sense of that.

>>

Yeah, I would --

>>

That's definitely a problem for us.

>>

And Jill, that literally could be an FTE, or more going through and looking at them.

>>

Oh, yeah, I could easily see that happening.

>>

Is it possible one day, though, that if consumer has access to a portal to the health information exchange, or can have some vehicle for communicating electronically that they could specify the search parameters and the data would automatically be pulled? Is this -- is this out of the realm of the possibility? So then I wonder what the relative burden is on those institutions to actually -- so one is the institution having to produce a report based on just an e-mail request or a letter request saying I want X, Y, Z information. Another is just a consumer querying the system for recent activity. And I would assume -- I could be totally wrong -- that you may end up getting more of the latter than the former. I'm not sure why I make that assumption. But I think if we are going to hear testimony, I'd want to hear sort about the feasibility.

>>

How do you give that information, you still have to cross the hurdle of giving them access in some way to a system that you know uniquely that's the individual that's asking for that.

>>

That's an authentication question.

>>

Open that whole can of worms back up --

[multiple speakers]

>>

That's got to get solved. I mean, that's a separate conversation, has to get solved. But in my mind at least, from where I sit, that's the vision and that's the goal, so it's not to necessarily always have to interface with Susie in the accounting department. It's that I can go and find out in the month of December who saw my stuff. And just, you know, get that in whatever format. So it's not burdensome. It requires, I think on the back end, a great deal of work, and so that's what I'm interested in knowing sort of where we are on the continuum of getting to that point. I guess I would just want to hear both sorts of testimony. One in terms of somebody actually producing a report, and how close we are to getting to a system that would allow people to do that on the fly --

>> Deven McGraw:

And the VA and other government entities required under the Privacy Act to provide greater disclosure, an audit trail or greater universe of disclosures, what the experience has been, what the burden on the facilities in the system are.

>>

I can tell you the system burden is great. When you turn on audit trails for a system the size of ours, it just --

>> Deven McGraw:

Yeah, I can imagine.

>> Kirk Nahra:

The other thing I'd like to know is -- the other thing I'd like to know is even in this what we can imagine technology world, how much is the HIE still going to know?

>> Deven McGraw:

Right. I would like to know that, too.

>> Kirk Nahra:

Because I guess, I mean even recognizing my vast limitations of knowledge on what these HIEs are doing, I just have such trouble imagining any reason why there would be connection up through the HIE for a lot of disclosures with information made, and I continue to think that a lot of the activities of health care providers are not going to involve the medical record that is connected to the HIE. And that we're going to have forever a two-system -- again, doesn't mean not interoperable. It just means that lots of what goes on at health care companies is not the medical record. And again, that's the piece that I'm very much struggling with, is -- I mean, we can talk about the movement from paper to electronic and whether HIPAA envisioned that, and you know, I struggle saying we didn’t envision an electronic environment when the whole security rule is an electronic rule. But I also think that's sort of not the question.

The question is going to be how much of the business of health care, of hospitals and doctors and health insurers and other people that are going to be participating in the networks is going to be controlled, overseen, run through these HIEs. And I understand why these core sort of medical records will, and the goal is to have all of those run through them. I don't have any sense that even in the wildest dreams they're going to be the controllers of the health care system, they're going to run the basic operations of a hospital or a health insurer.

So that's the piece that I'm -- I want to know how much -- I mean, again even the people that have the most grandiose ambitions, what do they envision their HIE doing and knowing about just day-to-day, you know, again, not core medical records, I understand the issues with core medical records, I understand where we're trying to go with those. But the rest of the world, the rest of what goes on in the health care world.

>>

I sort of see there's the potential, and I'm thinking from the consumer standpoint of getting benefit from this environment as well as providers getting the benefit of ready access to information to do treatment. But I don't think anybody is intending for these organizations to run health care. But certainly be a repository or a conduit for the exchange of information, I think there is that possibility. And I think that's going to require some standards in different kinds of business processes, whatever business process you would want that information to float up to that central location, you're going to have to have some standard mechanism or methodology for being able to capture that information. So if there are business processes that you want to share your information on, you're going to have to be speaking the same language for all those business processes for that central repository of data to work. And if right now all we can think of is we really want to do that just for the health record maybe that's the next bite on the apple. But is that where we want to stop? Do we want to stop just in that exchange of information or do we want to have the capability of thinking through all these other business processes where it would be good to exchange information, and start thinking of how do we standardize this so that when we do get to that point we haven't created something obsolete just by focusing on --

>> Kirk Nahra:

Let me use an example and it may be helpful to come up with some other ones. Let's say a hospital is trying to figure out whether to build a new wing and they're trying to figure out whether it should be a pediatric wing or a heart surgery wing or podiatry. And so they hire some consultant to go in and review costs and claims payments for pediatric claims and podiatry claims and heart surgery claims. So that consultant is clearly going to get handed a bunch of -- disseminated to them a bunch of information for purposes of coming up with some financial analysis on what the hospital should do, making a recommendation. Is there any reason to think -- again, broadest ambition, that the HIE is going to know anything about that?

>>

It's possible.

>> Kirk Nahra:

Why?

>>

In a lot of scenarios, the HIE, depending upon the structure of the HIE and the business model that perpetuates the existence of the HIE, you may want to collaborate on which hospital establishes a new wing for serving this type patient, so you have appropriate spread of the services you offer within your health information exchange. So maybe you decide not to do podiatry because that's covered by another institution, and if --

[multiple speakers]

>> Kirk Nahra:

That's a perfect example but that would be a conscious, clear decision to bring that in.

>>

You're talking about fixing health care.

>>

I'm hopeful.

>> Kirk Nahra:

That's a fair example, but it's not my example. But --

>>

Trying to go there.

>> Kirk Nahra:

No, I understand. But I understand if we decide we're going to use the HIE, and stuff is funneled through them, we can figure out, they are going to know a lot of things. I understand that part. What I'm still getting a handle on and maybe this is your reaction, today, maybe in the future hospitals will in fact collaborate in their communities and figure out that I'm going to do heart surgery and you're going to do pediatrics and she’s going to do podiatry because we're all in it for the community, whatever.

>>

Health care.

[laughter]

>> Kirk Nahra:

We can base our activities on that assumption.

>>

You guys are cracking me up.

>> Kirk Nahra:

Again, model today would be I go hire somebody to crunch some numbers. And not only is there no reason to bring the HIE involved, I wouldn't want anybody else to know about any of that. And I think that's a lot of what the business of running a hospital is. And so when we come up with a rule, or an idea that says we want to know who has touched all that information, it's going to not cover that if we go through -- so that's my point about the two different -- I mean, I don't see that ever going away.

>>

But I don't think we're talking about the information that we don't want to share. I think we're talking about the information that we do want to share.

>> Kirk Nahra:

But it's based on information that's from records. And it's probably based at some point on records that have gone through the HIE, right? I mean, that --

>> Deven McGraw:

That would be one possible way to confine it, from the entire universe to the data likely exchanged at least for treatment. Now, this is where I think what we're asking the HIEs and the RHIOs to provide and to give us information on what we might get some help from outside counsel in helping us get a better snapshot of what these RHIOs are actually doing would be helpful. I sat on a panel recently with folks from Regenstrief and from Memphis and they've really limited the amount of information that they're exchanging, just to treatment. In Memphis it's just ED information, not anything else. And in -- both of them have decided psychotherapy notes, they don't want them, they don't want to deal with it. They're sort of crafting, they're starting with sort of some defined sets of information. Now, where they go from there, I don't know. But in terms of -- but I certainly think we should think about because we're talking about a universe of information that's enormous and that probably was at least one of the reasons why the original rule became so narrow, was speculation about the amount of information and the amount of record touches you would have to provide and what kind of burden that might be going forward. I want to know whether that burden gets lessened in an electronic system. It may not. You guys are electronic, you're telling me that in fact it's still an enormous big deal.

>> Kirk Nahra:

May be less, but less doesn't mean it's not still a big deal.

>> Deven McGraw:

Right, exactly. And taking all of this information into consideration, what is -- what is -- if there is a recommendation, we can all collectively agree on, what would that be?

>> Kirk Nahra:

Let me interrupt for a second. We were scheduled about ten minutes ago to turn to planning for the next meeting. I don't know that we really need to do too much of that. Steve and Deven and I have been working on that although -- I'm not sure there's anything to discuss today particularly.

>> Steve Posnack:

I can do a quick update. I've been in contact with a few information exchange contacts, already, and I've gotten some close to confirmation that they would like to come and speak in November. So, looking good.

>> Kirk Nahra:

All right. Judy, in about two minutes why don't we turn to public comment? We need to let --

>> Judy Sparrow:

Jennifer, can you do that in about two minutes?

>> Kirk Nahra:

Let them know it's happening.

>> Judy Sparrow:

She will. She does that.

>> Kirk Nahra:

All right. What do people want to do with this discussion today? I mean -- well, where -- what -- what's our next step? How do we take this from a very involved discussion to a set of questions, a set of issues?

>> Steve Posnack:

I guess there's two questions in my mind. It's obvious that we want to do something, people want to do something with accounting. Like it or not. And there's the scope that it belongs to the traditional covered entities, the people that are -- doesn't matter if they're connected or not. And then there's the scope of what we would require of a health information exchange. And I think those are two possibly separate things. And when you were mentioning about a compromise, Deven, earlier and my earlier comments, it was more about I was focused on the scope of what we could ask a health information exchange to provide as an accounting, in terms of who has exchanged your information via the health information exchange. And they would be able to provide you with that because they would need to keep track of that for you. And we would be able to say we'd like them to do that. And that's something that we can -- that gets to what we can ask them to do, because we want to. Going into the traditional areas, a little bit of a bigger uphill battle.

>>

Yes.

>> Steve Posnack:

So those are the two scope areas that I see us working in.

>>

Let me ask a question of Deven. It sounds like we need to gather more information before we even draft -- start drafting recommendations.

>> Deven McGraw:

Oh, yeah.

>>

I mean, I think that we don't necessarily -- we have the two big picture questions, so if we could craft the presentations --

>> Steve Posnack:

Yeah. Let me ask you this question. In terms of expanding accounting in electronic environments, we could call in AHA, and ask them how hospitals have handled that. Or I mean, I guess my question is you're saying if we make everyone electronic that’s a traditional covered entity, they should be obligated to meet new accounting environments requirements, independent of them being connected to a health information exchange.

>> Kirk Nahra:

That's what I struggle with. I don't know why we're looking at that question.

>>

Why don't you have DOD do it? They already account for a broader number of disclosures because of the Privacy Act. They already do it electronically.

>> Deven McGraw:

Yes, I definitely would like to hear from them. I think, you know, it's the exchange environment that raises the sensitivity level.

>> Kirk Nahra:

Absolutely. So that's my question of why we're looking at if somebody converts electronically and is unconnected, why -- I mean, we can care about that but it seems to me not our issue. That's just what can you do electronically, not what can you do with an integrated environment.

>> Steve Posnack:

Then I guess my question was, whose responsibility is it to keep track of?

>>

But it is if you convert to an electronic environment, and the burden of producing all of these records and papers for a treatment, payment, operation, you know, is theoretically simpler because it's electronic, then why wouldn't you then just make that available on request to a patient who asks? Either electronically or not electronically? I think that's the question in the non-exchange environment.

>> Kirk Nahra:

I don't see why that's our question, I guess. I mean, that's a we should change the HIPAA rule if anybody has electronic information. And again, that's my dead horse, but I'm trying to stay away from here's how we would change the HIPAA rule for the health care system. I think we should focus on the electronic -- the exchange environment and see whether there's enough things different in that environment to justify changing it. If -- I mean, for example, our conclusion might be we see so much ability as information moves electronically to have a completely different paradigm for patient access to information about who saw their records, but we can't divvy it up into exchange versus electronic. We think the whole thing should be changed system-wide for all of this stuff, any time people have electronic information, they should be obligated to provide more information. That would be a perfectly fine recommendation, but that's essentially a recommendation to change the HIPAA rules on this. And I'm okay with that recommendation, that's just not what we've been doing when we have this differences discussion. It may be -- maybe in this situation it may be an inevitable -- I mean, one of the things that I've been thinking about with each one of these issues, is even if we come up with, quote, differences, perfectly legitimate differences where we all agree that there should be -- there's something different, then the question flips back and sort of says, all right, if we're going to do it here, shouldn't we do it for the rest of the system and maybe that means we just say it's all got to be done differently? I'm okay with that, I'm just trying to avoid a discussion that says we're going to make a recommendation for this environment because we don't like the HIPAA rule.

>>

It almost has to be presented as a precursor to the electronic environment in order to facilitate moving in an electronic environment. If I have to do that with electronic information today, then it's not an added burden if I do it in the exchange environment in the future, if it's already a requirement.

>> Steve Posnack:

Maybe I can rephrase the question, then. Do we see down the road people conducting business -- maybe I'll restate it as a statement. There won't be any other way for health care providers, hospitals, insurers to function in a business environment without going through a health information exchange. And through that it would be the -- so you're answering my question, so there's not -- there's still going to be --

>> Deven McGraw:

You said there won't be any way.

>> Kirk Nahra:

There will still be other ways.

>> Deven McGraw:

There's still going to be other things. Right. It was that phrasing of it that --

>> Kirk Nahra:

You set up a straw horse --

>> Steve Posnack:

I'll try to rephrase.

>> Deven McGraw:

We're going to kill it and then Kirk is going to say we're not going to raise it anymore.

>> Steve Posnack:

The question I'm trying to tease out is that do we foresee any way in which most of the business that they're going to be undertaking is going to be going through the health information exchange and that's how disclosures are going to be made? So if you're going to make a disclosure, it's going to be routed through the health information exchange, from one provider to the next, from a provider to an insurer. All of that information was --

>> Kirk Nahra:

That's part of my question about uses versus disclosures. I mean, I suppose I could envision an environment where the main way to transmit information from one entity to another is through the HIEs. I don't have any sense that that's what's going to happen. But I can understand that. I can conceptually see it. If you're building -- you know, it's like making a health care Internet, essentially. I can understand that.

>> Deven McGraw:

We could call it the national health information network.

>>

So --

>> Kirk Nahra:

I could see that. I could see that. What I don't see -- again, somebody could tell me differently. What I don't see is that all of my internal business is going to go through that HIE.

>> Deven McGraw:

Right, and I'm not trying to argue that it will.

>> Kirk Nahra:

So for example are we going to carve out uses? Now, what I hear Alison and Deven saying is a lot of people want to know about those uses. I absolutely agree with that. They probably want it today, they probably want it in the HIPAA environment. Again, and we might say that the HIPAA rule is bad, but that's not been our task. So that's why I said what do we want to do with this? Because I think we have to confine our questions and I would love to confine them to ones more tailored to the exchange environment, like the disclosure piece. I mean, maybe at the end of the day the HIE should be the one responsible for tracking any disclosures that go through it. I'm okay, that's a perfectly rational thing.

>> Deven McGraw:

I'm not at all opposed to that and I think I would much rather hear from some of the systems that are currently being built and how they're handling this issue and if they're doing something different, than I would to hear from trade associations that represent stakeholders. If we get to the point where we're actually coming up with a recommendation that will blow this open, we're going to have to hear from a broad range of people. But I'm okay with limiting it. I think we do have to consider it in that context because this -- we could spend a year arguing over it otherwise. And we have a lot of things that we need to get to. That would be my recommendation.

>> Kirk Nahra:

Can we open up and see if we have any public comment?

>> Judy Sparrow:

Jennifer, anything? It's been up there for a while.

>> Jennifer Macellaro:

I'll let anybody who happens to be listening on the phone but not looking at the Website know that they need to press star-1 if they do want to get into the queue. So far we haven't had anyone call in.

>> Kirk Nahra:

Can you let us know -- Jennifer, could you let us know if somebody does come on, we're going to continue.

>> Jennifer Macellaro:

Sure, go right ahead.

>> Kirk Nahra:

All right, so it seems -- in November we're going to hear from some of these organizations on mainly some other topics, and I guess one of the questions is we want -- we wanted to avoid, particularly since we're trying to hear from a number of different people, giving them 50 things to talk about.

>> Deven McGraw:

Right.

>> Kirk Nahra:

Maybe we end up adding some of these issues to whether it's a different Federal Register notice or whatever. Why don't we -- I mean, my suggestion would be we sort of go on parallel tracks for a while. We go on our November track meeting with the issues we were going to talk about in November. We take the issues we talked about today, put them on a different track to try to develop some questions and topics that we can then have in future, whether it's these meetings or get testimony, whether it’s the same people -- a lot of these things, if we can come up with our topics, I think that we'll get better information written so we can get more of it and perhaps more focused and maybe we can pick and choose people to come and give testimony. I mean, I'm still concerned about our history on testimony is we've had stuff that wasn't necessarily -- you have far less ability to control the testimony. If somebody turns in a written piece of paper that's not on topic, we just put it aside and we don't have to spend time looking at it.

>> Deven McGraw:

Right.

>> Kirk Nahra:

That's my suggestion. Deven, does that make sense?

>> Deven McGraw:

Yes, it does.

>> Kirk Nahra:

I think rather than try to race it in to these people that are already being talked about for November.

>> Steve Posnack:

Leave it as an open opportunity? We’re going to have four hours again in November. Depending upon how many people we get in. Let me ask this question. I think I've got about three people committed for November. I could easily get a couple more. It’s just, you know, it's the larger the group, the more chaos there is.

>> Kirk Nahra:

Can you do this? Can you give us a sense -- I mean, not today, maybe (inaudible) or wherever -- who those people are and what they generally think they're going to talk about, so we have a sense of --

>> Steve Posnack:

Well, the intent is to have them answer the questions that we --

>> Kirk Nahra:

The Federal Register. Those specific ones. Okay. And do they envision talking about all of them, do you know?

>> Steve Posnack:

I'd have to speak to them. I sent them our list so they weren't running away from it.

>> Kirk Nahra:

Yeah. Four hours -- I mean, I guess -- let me throw this out. My sense would be to add 1 or 2 and have 2 panels, you know, 2 hour-and-a-half panels, so try to shoot for 20 minutes a person and some time for questions. There's a bunch of topics in there.

[multiple speakers]

>>

They'll start with about five minutes of intro.

>> Kirk Nahra:

We asked them last time not to do that and they did it anyways. You know, I put myself in their shoes. If I'm brought in to testify on behalf of an organization, I want to tell the people who the organization -- I mean, it's --

>>

Include it in the slides.

[laughter]

>> Steve Posnack:

Here’s the abridged version.

>> Kirk Nahra:

When we have you testify, you'll do a great job and you'll shut out all that and your organization won't get mentioned. No one will know who you are and any of that stuff. Jennifer, did we have anyone join in?

>> Jennifer Macellaro:

We don't have any comments on the phone, no.

>> Kirk Nahra:

Okay. Any -- that's sort of our plan for the next -- we have sort of two parallel tracks we're working on. We will come back at some point to both the security breach scenario which was in your materials for this meeting. We will flesh out a fraud scenario.

>> Deven McGraw:

We'll have the fraud -- the response to recommendation number 8.

>> Kirk Nahra:

Recommendation number 8. If anyone does read the NCVHS report, and have any particular comments, let us know. No one is required to do that. It's not a homework or -- mainly if somebody has an interest and wants to read it. Again, if you want to see the report, I think we said shoot an e-mail to Steve and he can get it out to you. Any comments or questions from anyone on the phone before we conclude?

Any questions or comments from anyone in the room?

>>

I had to get off mute so you wouldn’t hear my dog commenting. None, thanks.

>> Kirk Nahra:

Any comments or questions from anyone in the room? Thank you very much, we will talk to you next month.

>>

Thank you.