American Health Information Community
Confidentiality, Privacy and Security Workgroup Meeting # 15
Thursday, November 8, 2007
Disclaimer
The views expressed in written conference materials or publications and by speakers and moderators at HHS-sponsored conferences do not necessarily reflect the official policies of HHS; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.
>> Chris Weaver:
Okay, Judy, we’re ready to go.
>> Judy Sparrow:
Great. Thank you, Chris. And good afternoon. Welcome, everybody, to the 15th meeting of the Confidentiality, Privacy and Security Workgroup. This is a federal advisory committee, and we are being Webcast over the Internet, and a transcript will be made available on our Web site at a later time. Just a reminder to the Workgroup members to please speak clearly and distinctly and identify yourselves for the transcriber. And when you’re not using the telephone, please mute your phone.
Let me just introduce those members that are on the telephone, and then we’ll go around the room here, members at ONC. On the phone, we have John Houston from the University of Pittsburgh, Sue McAndrew from Health and Human Services Office of Civil Rights, and Elizabeth Holland from CMS. And here in the room, we have…
>> David McDaniel:
David McDaniel, Department of Veterans Affairs, Veterans Health Administration.
>> Alison Rein:
Alison Rein, Academy Health.
>> Paul Uhrig:
Paul Uhrig, SureScripts.
>> Kirk Nahra:
Kirk Nahra, Wiley Rein.
>> Jodi Daniel:
Jodi Daniel, ONC.
>> Steve Posnack:
Steve Posnack, ONC.
>> Dan Rode:
Dan Rode, AHIMA.
>> Judy Sparrow:
And did I miss anybody on the telephone?
>> Tom Wilder:
Yes. This is Tom Wilder with America’s Health Insurance Plans.
>> Mike Pagels:
Mike Pagels, CMS.
>> Judy Sparrow:
I’m sorry. I didn’t hear the name.
>> Mike Pagels:
Mike Pagels at CMS.
>> Judy Sparrow:
Okay. All right. I think with that, we have a rather jam-packed agenda. I’ll turn it over to our Co-chair, Kirk Nahra.
>> Kirk Nahra:
Thanks, Judy. We’re going to go ahead and get started. Deven should be joining us shortly. She was at a meeting on Capitol Hill, I know, earlier today.
People have draft minutes of our October 4 meeting. As we have done for both these meetings, I’d like to see if people have comments but then leave it open for another day or so before we close them off. Any comments from anyone about the minutes? Anybody in the room? (Pause) Anybody on the phone? (Pause) All right, well, if you have any comments in the next say, by the end of the day tomorrow, let Steve know. Otherwise, we will finalize these.
The bulk of our meeting today is going to involve hearing from five witnesses who are representatives of different health information exchanges around the country. They will all be appearing on the phone, so there aren’t any people in the room with us today. They’ll be on the phone. We will hear from them on some of the issues involving their particular models and their particular activities.
The goal of this session is to get us again, one is just informational. We talk a lot in our discussions about what can be done, what is being done. And obviously, these witnesses are not intended to be a survey of what’s going on, but five individual examples that hopefully, that composite of information will be helpful as we think about these issues going forward.
Is there any particular order or just the order of the names that are listed? Okay.
Why don’t we start off with Amy Zimmerman? And what I’d like people to do is just give a two-sentence introduction of themselves and then go into their comments that are responding to the information that Steve’s put out in terms of topics we’d like you to cover. Amy, could you go ahead are you on the line, Amy?
>> Amy Zimmerman:
I am on the line.
>> Kirk Nahra:
Okay. Could you go ahead, and why don’t you start us off today? Thank you.
>> Amy Zimmerman:
Sure. Well, thank you for the opportunity to talk with you today, and I’m sorry I can’t be there in person. My name is Amy Zimmerman, and I work at the Department of Health in Rhode Island. And the Department of Health actually received a contract from AHRQ to try to start to help the health information exchange efforts get going in the state, in collaboration with the Rhode Island Quality Institute, a nonprofit collaborative. And I’m overseeing that effort.
So what I wanted to do today and I don’t know; do you have the slides in front of you?
>> Kirk Nahra:
Yes.
>> Amy Zimmerman:
Okay, great. Good. So next slide, please. I’ll try to remember to say that. But I’ll just go get started, because it may be out of synch with mine.
What I wanted to do today was try to organize the questions that you had posed to us and put them in order. So by the end of the presentation, hopefully, I’ve answered all of them, but I’m not going to sort of go question and answer. I’m going to give you an overview of our health information exchange efforts; a little bit about the privacy and security safeguards that we’re developing and how we’ve been approaching that through legislation, regulation, and policy; a sense of the policies and procedures that are under development now for health information exchange; and some of the challenges that relate to this particular area, and there are many of them. Next slide, please.
So just a little bit about the governance. As I said, we started this project as a public-private partnership, the Quality Institute and other community partners at the health department to be the applicants, and receive and we successfully received AHRQ funding in 2004. We’re one of the five or one of the six state and regional demonstration projects under that funding category. And the Quality Institute, which is a nonprofit collaborative, really does provide the governance. They’re a collaborative including providers, insurers, consumers, academics, business community, and they were already in existence as a nonprofit organization whose mission it is to improve safety, value, and quality of health care in the state.
It was never it was always our intent as a state agency to transition the health information exchange, once up and running, out and to be administered through community efforts. And in fact, two summers ago, a budget article passed that actually would allow the state to kick in state funds proportionate to the number of covered lives that the state sort of is responsible for through health insurance, both through Medicaid and through state employees, contingent upon the other insurers in the state kicking in their fair share and contingent upon the state actually designating, through an open bid process, a RHIO.
So we and this is just a little aside, but we’ve just been through a process where we have actually issued an RFP, and we received one applicant from the Rhode Island Quality Institute, and actually yesterday, they were notified that the state will be designating them as the state RHIO and will be starting some contract negotiations. There won’t be any money flowing initially, because it’s contingent on them now to get the other sources of funding from the insurers before the state dollars can go in.
Next slide, please. The next slide really just is a very high-level I’m not going to spend time on this. It just goes to show the committee structure that we’ve put in place. All these committees, for the most part, are being operated with volunteer members, and the ones that are in blue over the gray those are the committees that are most directly related with the health information exchange.
Next slide, please. A little bit about our initial scope and who’s participating in this initial first phase of the HIE. You know, it is tightly scoped initially. Our plan is to exchange laboratory and medication history data for clinical care purposes and evaluation, initially, as part of Phase 1. We have four initial data-sharing partners, three in the laboratory area: our largest integrated delivery network system, Lifespan; Eastside Clinical Labs, which is a large, proprietary, privately owned laboratory chain that has a large market share in Rhode Island; and our Department of Health laboratory. And then we’re working with SureScripts to make medication history available through our HIE. And we have five others that we can add in the pilot first phase, who we haven’t determined who they’ll be yet.
So those are the individuals that will be contributing the organizations contributing laboratory and medication history data. And then we’ll have five pilot user sites. Those are locations, not individual providers. And then we just received a Medicaid transformation grant, and that’s going to allow us to expand the user base and contributing entities. So we will likely be bringing in long-term care facilities and ER departments as users.
Our future scope, though we have a much broader vision. It’s really we have the option through our current contract with our vendor who our technical vendor, who is EDF to add more data types, more entities submitting data, and more data users. We will be focusing on radiology, reports, allergies, diagnosis, and also linking more with some of our Medicaid data and social support information coming from the Medicaid system. Our long-term future scope is also includes interfacing in a bidirectional way with electronic medical records; to include some decision support functionality; and, importantly, to create a Web-based patient portal to the HIE, which would allow individuals online to view their own clinical data, view who’s accessed their data, and, you know, potentially amend or notate their own record. And lastly, also, a vision long-term to create aggregate data repository to be able to use the information for public health evaluation and research purposes. Next slide, please.
Our architecture is actually a hybrid model, in the sense that some data will be sent from the health care entity and re-stored and in a repository at the HIE data center. That’s how we’re going to be working with the laboratory data and some of the other data sources. But we also have some data that will be more pulled from in a federated model such as being able to access medication history data through SureScripts. And also, our Department of Health already has an integrated child health information system that has a lot of immunization history, lead screening data, and other information already in a data warehouse. And again, that more most likely will be pulling that when a user requests to see it, as opposed to sending it and restaging it and storing it at an HIE in a vault.
Next slide, please. So that just covers a little bit of background in terms of the overview of the sort of scope and architecture of the way we’re approaching developing our health information exchange. It does not include e-prescribing capability through the HIE. We do not intend it to be a laboratory results delivery system. It really is an ability to be able to pull up or eventually download into an EMR an integrated, aggregated view of a patient’s health information from various sources.
As a result of almost 3 years of discussion since we started to work on this around privacy, security, and confidentiality, we’ve had multiple committees and went through a very long process to come up with what we referred to as our authorization or consent policy. And I’ll come back to that in a minute. As a result of that, a whole lot other issues surfaced, and the concept and what seemed to be acceptable to the community was really to develop safeguards and to propose that and get that in some draft legislation.
So what I have on this slide, really, is a list of the areas that draft legislation that will be introduced by the Quality Institute as a you know, getting some sponsors in our legislative session starting in January, we spent the summer drafting legislation as a community to assure that the proper safeguards could be put in place.
And what you have in front of you is just a list of some of the areas. I will cover some of these in more detail than others in just a minute. The others that aren’t bulleted down here, but I probably should have put them on was safeguards around the use of data, and there’s some discussion about creating a or in the draft legislation. There is it specifies creating an HIE policy advisory commission. And also, there’s some safeguards around immunity and safe harbors for providers.
It’s important to note that the legislation that was drafted and is going to be introduced is really meant to specifically apply to the state’s health information exchange that we’re building and not to the electronic exchange of all health information. And there are reasons for that, because some of you’ll see in a minute as I talk about it some of what we’re discussing really is more stricter than HIPAA, and for individual organizations sharing within their organization or between on a point-to-point basis, it could be problematic from the provider perspective.
So let me get a little bit more into that. The authorization policy, which we really is our sort of consent approach the health information exchange will be voluntary to participate in, both for patients and for providers. And let me just mention that where you see the “L” in parentheses after a bullet, that means that that concept is actually stated in legislation. And where you will see a “P,” it means we didn’t get explicit in legislation, but it’s intended to go into policy or regulation. So the legislation, if it passes, would require a regulatory agency to write regulation. And again, this was a large discussion in our community about what was appropriate for legislation, regulation, and policy and how do we safeguard using those different opportunities. It will be
>> Kirk Nahra:
Amy? Amy, this is Kirk Nahra. Can I just interrupt one second? When you say “legislation,” you mean proposed legislation.
>> Amy Zimmerman:
Proposed legislation, yeah.
>> Kirk Nahra:
So you’re not operating right now with any none of this is currently in legislation.
>> Amy Zimmerman:
Correct, and I’m sorry. Thank you for clarifying that. Yes. It’s all draft to be introduced this session, so we don’t know what will happen with it.
The sentiment of our community is that we should actively enroll individuals and that they would be opting in. This is based on a number of different factors, but we also have a state mental health law that was interpreted with a lot of variety in our state. And basically the ruling of the the outcome of a lot of discussion around that was that data could not leave its originating source without the consent of the individual.
So we needed to get an enrollment process in place, and we will need to get an enrollment process in place, so we can actively even just enter demographic data for patients in the HIE. It will take us longer to build the HIE, because we will need to develop and market, to some extent, this enrollment process as our opt-in.
What the enrollment means is that a patient’s data can now flow to or through the HIE. It doesn’t mean it’ll be viewed yet, and I’ll come back to that on the next slide when I talk about disclosure.
The other important point on this is that it would make all data available to the HIE. So we are not approaching the HIE by saying a patient can say, “I don’t want certain data in, but I want other data in.” You can’t pick and choose. If you agree to enroll in the health information exchange, all your data can be made available. And you can withdraw your enrollment status at any time. Next slide, please.
From a disclosure point of view, there’s a second level of authorization or consent, and that is that patients will, again, need to be able to authorize who can see their data. So there’s really two levels here. There are emergency and public health exceptions to that, so that we will have “break-the-glass” rules and allow data to be used for public health purposes that are required under law, such as disease reporting. We’re also going to be developing role-based access definitions and permissions. And again, patient authorization at the disclosure level as well as at the enrollment level you a patient could change that and have the ability to withdraw at any time that they want a certain provider to see their data or not.
And when I say “provider,” we still need to work out whether we mean at what level. Are we talking about a practice setting? Are we talking about an ER? Are we talking about an inpatient unit? So we do have a lot more work to really drill down to say, “Well, what do we mean? What is that grouping of when a patient authorizes someone to view? You know, at what level of the facility or the individual is that?” Next slide, please.
The legislation and our approach also addresses patient rights. And in the draft legislation, you know, we have language in there that gives access to individuals to be able to see their own health information in the HIE and also requires them to get access to see all disclosures who view, basically, their records. So there will be audit trails of who’s viewed their data and also an ability, as I said before, to amend their record, but not directly to the HIE: through the provider participant. We thought it was very important, and the discussions to date have been that a patient just can’t sort of, you know, get in touch with HIE staff and say, “Change this.” The data came from a particular source. That source needs to be able to know about that and send that to the HIE. Again, policies we don’t ha I mean, the procedures we don’t have worked out, but that’s the general thinking to date.
And lastly, one other bullet that I didn’t put down here, which is referred to in the proposed legislation, is that patients would be notified in the event of a breach. And that would be legislatively stipulated that that would have to happen. Next slide, please.
So that’s just a little bit in terms of the high level of safeguards. With regard to data agreements, now, this isn’t necessarily spelled out in the draft legislation, but the way we’re approaching and thinking about data agreements is sort of thinking of it from the perspective of needing three agreements: A patient authorization form and the thinking to date, although we haven’t fully vetted this yet, is that that could include participation as well as disclosure. So there’s been some discussion about certainly, every patient would need to enroll and indicate that they want to opt in and participate in the HIE, and on that same process, however that process is it may not be online to start with; it’s likely going to be some sort of paper process initially would be able to identify who initially they want to be able to view their data or be able to potentially check off and say, “I want all my providers to see my data.” Then there’s a data-sharing agreement, which would be in place with the entities that would be sending data to the HIE. It would sort of include the BAA components and, you know, stipulate, from a RHIO HIE perspective, whatever those terms and conditions are. And then a user agreement so that the provider or facility accessing data would also have to sign something. Again, addressing the fact that they would adhere to the confidentiality policies and procedures and appropriate uses of data. Next slide, please.
So the policies and procedures that are under development that we’re trying to get our different workgroups to address right now, I’ve listed out here. And just to give you sort of a smattering of them, they include provider enrollment and authentication; matching around providers; consumer enrollment you know, how are we going to get these individuals to enroll patient authentication, when we go to enroll patients how are we going to determine, you know, that an individual is who they say they are; break-the-glass policies and procedures how will individuals be able to terminate their participation? What happens if organizations, data-sharing partners, or even user facilities violate their agreements? What are the processes and procedures around that? How do we handle complaint and grievances when somebody believes perhaps their data’s been breached or someone had access that shouldn’t have? handling of breaches, including notification to those individuals that may be affected; and also, you know, how the provider would amend the records, both if a patient notifies them and/or if they identify errors in that. Next slide.
So just to highlight some of the challenges that we have or are facing, the enrollment process is a very big challenge to think about how we’re going to get this rolled out and get a what are those actual process that we’ll put in place. You know, clearly, we believe that individuals hearing about this through their providers will be the most effective method, and we’ve learned that from our discussions with Massachusetts and others. But again, how do we physically get the data into the HIE without putting a burden on the providers is a challenge.
The other thing is the other big challenge, because where we’ve gone with our authorization model about the facility can’t send data to the HIE to be re-stored there or even, you know, made viewable until they know that the individual has consented. So this is a challenge technically, because we need to set up a system where, if a hospital is sending laboratory data on Amy Zimmerman, they know that Amy Zimmerman has is participating in the HIE. And we’ve made the decision based on the discussions in the community. Our data-sharing partners and hospitals and health care organizations don’t feel that they have the capability to sort of store the consent in their own systems. There’s a lot of changes that would be required to their own system.
The other thing I should say is, we’re not allowing patients to say, “Hospital A, I’m going to consent for their data to go in, but not Hospital B.” So the consent isn’t going to be captured every time they go to a facility, but the facility behind the scenes electronically has to know, “Can I send Amy’s data or not?” I hope I made that clear, but I’ll let you clarify in a minute, because this is the last slide.
The challenge with all of that is that, you know, we went down a road of developing policy, and we’re trying to make sure that we don’t develop policies that are inconsistent with technology. We certainly want the policy to drive where we go technically, but we need to make sure that, from an affordability and a feasibility point of view, we don’t establish policies that we can’t afford to implement technically.
And then we had a lot of and I think we still do challenges around educating the public about the pros and cons of legislation versus regulation versus policy. But we had a wonderful sort of fast-tracked process over the summer where, in 4 months, we got this legislation drafted. Now, that’s because we had a good 18 months to 2 years prior that of community conversations, specifically on the authorization policy and consent, that sort of allowed us to bring people to a state of readiness where people were able to sort of negotiate and understand the tradeoffs that they were making and what needed to go in some draft legislation and the tradeoffs between “Once you put something into law, it’s harder to change” versus regulation versus policy.
And then lastly, what we need to do as we move forward is to really understand, you know, what are absolutes, you know, once I don’t need to tell, you know, this Group that when you put something into a legislative process, the way it comes out is not usually the way it goes in, and there’s a lot of control that’s lost in there. So try to have an understanding of what are those understand what are the must-haves and what are the negotiable points is an area that we’ll be working towards.
So with that, I’m going to close. And I don’t know if you want to take questions now or at the end. But hopefully, I’ve addressed most of the questions that were sent out to us in an understandable manner.
>> Kirk Nahra:
All right, let’s do this. We do have several people on the panel, so I’d like to spend a little bit of time with some questions for Amy just so we don’t lose track of things, and then we’ll also try to save some time at the end of the Group.
So Amy, let me try to summarize a couple of things. The intention of this Group is to be I mean, originally, it’s a limited kind of information. It’s laboratory and medication history?
>> Amy Zimmerman:
Yes.
>> Kirk Nahra:
Okay.
>> Amy Zimmerman:
Yeah, but we’ll be rapidly expanding that. I mean, that’s just the first two data types we’re starting with. We will rapidly expand that. In fact, in our Medicaid transformation grant that we just received, there are there’s the expectation that we’ll expand beyond that.
>> Kirk Nahra:
Okay. And is that an expansion to include essentially everything? Or is that the radiology, prescription, etc.?
>> Amy Zimmerman:
It’s that particular grant calls for radiology reports and then some of Medicaid connecting to a Medicaid system that will sort of be a Medicaid HIE on social supports and case management type of data.
>> Kirk Nahra:
But can I take that as saying that there is not a current intention to have essentially, you know, all electronic medical records through here?
>> Amy Zimmerman:
No. I mean, our long-term intent is not to include things like subjective notes, but certainly to add more critical core data elements that are important, whether it be diagnosis, problem list, allergies those kinds of things.
>> Kirk Nahra:
Okay.
>> Amy Zimmerman:
We don’t have it fully defined yet, but I wouldn’t say it’s a complete, full electronic medical record with every note that goes along with a visit and every visit. But it will be sort of a CCR type most critical information that providers need to know when they’re treating a patient.
>> Kirk Nahra:
Okay. And do I understand that the idea is that this will be an exchange among providers, without any particular input from patients? I mean, it’s not intended to integrate with personal health records. I mean, you have an amendment piece, but it’s not it’s essentially sharing within the provider groups?
>> Amy Zimmerman:
Yes, but in our future scope, we do want to well, you know, people use “personal health record” in different ways, so let me clarify a little bit. We do intend to want to have a patient portal so that patients can access and see the data that’s in the health information exchange, you know, be able to view that and potentially be able to contribute to that. That part is, you know, again, a future scope.
>> Kirk Nahra:
Okay.
>> Amy Zimmerman:
Or to be able to pull out of it and put it into a personal health record if they have another one. But we see it more as sort of a patient portal to the HIE.
>> Kirk Nahra:
Right. Okay. And in terms of this legislation I mean, what do you get to a point where you guys stop until there’s legislation, or what’s the I mean, how does the legislation affect your moving forward? Or more concisely, presumably, it’s going to take awhile.
>> Amy Zimmerman:
Right. Excellent. We the approaches and the policies that we’ve put in place around authorization adhere to the most stringent state laws and go beyond current federal laws like HIPAA so that we can continue to develop and move the HIE along with our policies irregardless of what happens to the legislation. So it’s not going to cause us to stop or stand still, although it is desirable from the community’s perspective at large to actually put these safeguards in legislation. And in fact, there you know, we’ve had the ongoing debate, as many places had, about “Be careful about putting too much in law, because later on, when we get the trust of the community, when we see how things operate, we may want to move from, you know, a stringent opt-in to some other model. And it would be easier to do that if those kinds of policies are in regulation, or only in policy, and not in law.” So this doesn’t stop us from moving ahead, because again, we’re approaching it from a fairly stringent policy perspective.
>> Kirk Nahra:
Okay, so conversely, why is the legislation necessary?
>> Amy Zimmerman:
Because, you know, policy could change at any point in time. And there’s nothing to say that you know, 3 years from now, the RHIO could decide they want to sell this data, you know, to a pharmaceutical company. And so, to some extent, the legislation provides the overarching safeguard at a certain at a certain level.
>> Kirk Nahra:
I’m sorry. Maybe I misunderstood something you said earlier. You said that you had designed the consent authorization to comply with the existing law? Is that what I understood?
>> Amy Zimmerman:
Yeah, we designed it to comply with some interpretation of state mental health law.
>> Kirk Nahra:
Okay, but limited to that, okay.
>> Amy Zimmerman:
Yeah.
>> Kirk Nahra:
I mean, presumably, selling the data would be inconsistent with HIPAA anyway, so I guess that raises a question of “What is the HIPAA status of your organization?” Is it a BAA to all the providers? Business associate?
>> Amy Zimmerman:
Well, we’re I’m at the Department of Health, so is your question relative to the HIE?
>> Kirk Nahra:
Yes, I’m sorry, the HIE.
>> Amy Zimmerman:
We’re actually having those discussions now. I mean, our sense is and again, it’s a little tricky, because we’re the health department that’s starting this up that has the contract with the vendor, and we’ll get this going, but then we’ll transition it to the RHIO at some point in time. Our sense is, right now, that the Health Department will have BAAs with the data submitting partners, and then eventually that will shift and the Health Department will be a data-sharing partner, because our laboratory data will be going in, and we’ll have to have a BAA with the RHIO, who will have the BAA with the other data-sharing partners. But we may you know, there may be other data there may be other iterations that get put into that agreement that go beyond the current BAA requirements. Does that make sense?
>> Kirk Nahra:
Yeah. Other questions? We’ll have some time later, but just anything that’s on people’s minds right now in the room? Alison?
>> Alison Rein:
I actually had a couple of questions, so cut me off if this is going too long. One is on I think it’s on page 3 of your slide, so maybe it’s the third slide, the overview of your future scope. You’re talking about viewing their own clinical information and who’s accessed their data. And I was just wondering, at what level of granularity is that at the entity level that you’re still trying to parse out, or are you talking, you know, a specific piece of data?
>> Amy Zimmerman:
You mean on seeing their own clinical data?
>> Alison Rein:
Correct.
>> Amy Zimmerman:
We really get a future scope, and we haven’t gone to that level of detail about what data they can see and at what point and has a physician had to sign off on it first or not. So we really haven’t had those detailed discussions yet.
>> Alison Rein:
Okay.
>> Amy Zimmerman:
The general sense is that they could see, you know, their medication history and laboratory results and some, you know, reports and things like that.
>> Alison Rein:
Okay. Other question I had was, on that same slide, you talk about the creation of a clinical data repository, and I was just wondering: You mentioned public health, evaluation, and research as being the three areas where you would deem that appropriate. Do you have a committee looking at what constitutes those three things?
>> Amy Zimmerman:
We do not yet. And in fact, I mean, I think one of the through the whether the legislation passes or not, there’s a general sense that we should have a HIE policy advisory committee. And I should have said earlier, that’s specific to looking at the uses of the data. So in order to get this project off the you know, to start get it going, and in order to get community buy-in, initially we’ve had to really limit the scope of the uses of data to treatment purposes. And, you know, there’s been a lot so we’ve had to put those other potential uses on hold for now, and so, you know, we’ve had lots of discussion about them, but we haven’t formalized that yet, other than to say, “If the legislation passes, it will be legislatively mandated.” And if not, I think that the Quality Institute, as the state’s designated RHIO, still wants to move ahead and have put together a policy advisory commission on uses of data.
>> Alison Rein:
Okay, thanks.
>> Amy Zimmerman:
And those are the issues that they would be addressing.
>> Alison Rein:
I have one more quick question, if that’s okay with the Chair.
>> Kirk Nahra:
Okay, go ahead, Alison.
>> Alison Rein:
Okay. On a later slide, Disclosure Policy, you talk about the patient needs to authorize who can view their data, but you also said that, you know, once patients decide to participate in HIE, it’s all in or all out. Is there any level of granularity, when you talk about who? So, you know, you could say Oncologist X is allowed to see my records related to my oncology treatment? Or do they get to see everything in the system?
>> Amy Zimmerman:
The way it’s planned now is, they would be able to see everything in the system. There’s no filtering of data.
>> Alison Rein:
Okay.
>> Amy Zimmerman:
And you know, it’s an all-or-nothing type of approach that has been heavily debated, and that is why people felt so strongly that in order to allow a complete record to be viewed and to minimize patient risk of providers not having access to good information to treat the patient, they would rather the patient controlled who could see the data or choose not to be in the HIE than to sort of have some data in and some data out.
>> Alison Rein:
Okay. Thank you.
>> Kirk Nahra:
I guess, just in the interest of trying to get everyone in, let’s do this. If people could make notes about particular questions they have for Amy, we will definitely save some time to come back to this. And frankly, those of you who are looking at the agenda, I want to make sure we have plenty of time with the speakers. So if our discussion today ends up being cut short, that’s fine. I mean, I want to make sure we’ve got these people are good enough to come and participate on this call, and I want to make sure we can get as much with them as we can. So make notes about your questions that you have for Amy, and then we’ll move on. But if we could turn now to is Greg on the call?
>> Greg Farnum:
I’m here.
>> Kirk Nahra:
Greg, if you go ahead, could just give us a brief introduction of yourself and then go ahead and into your materials.
>> Greg Farnum:
Sure. And also Ann Cramer, counsel for VITL, is on the phone with me. So my name is Greg Farnum. I’m the President of Vermont Information Technology Leaders, also known as VITL. And we’re in the state of Vermont in Montpelier. We’ve been operational as a RHIO since July of 2005, and we’re similar we’re like a similar organization to the Quality Institute or the RHIO organization forming in Rhode Island: a private, nonprofit organization. We have a 22-member board of directors with stakeholders from payer organizations, quality organizations, hospitals. We have providers, consumers, state government on our board.
And today, I’m going to dive right into talking about our presc our pharmacy claims medication history project. And we are building a comprehensive exchange, but my focus today will be on talking about the medication history data service. I’m going to go through the first couple of slides that answer Question 1, and then I’m going to turn it over to Ann, who’s going to talk more about our contracting pieces, then I’ll wrap it up.
So I am addressing Question 1: The what types of data do we exchange? We are currently live and operational, have been since April, exchanging medication history data at two community hospital emergency departments: one in Rutland, VT; another in St. Johnsbury, VT. We process about 4,500 transactions a month, and they are the paid pharmacy claims data from consolidated from PDMs through RxHub. Our vendor, GE Healthcare, works collaboratively with RxHub to consolidate and deliver the data back to the emergency department emergency departments at the two community hospitals I mentioned. The insurers that are involved in Vermont include Blue Cross Blue Shield in Vermont, MVP Health Care in Vermont, Medicaid, all pulling their data all are providing their data to RxHub.
Now to the next slide. The way the exchange I am okay, the way the exchange works, the workflow, is that the patient presents at the ED. We have educational materials available to the patient to inform them about what they’re signing up for. We get go through a two-level consent process, where we ask the triage nurse asks the patient if they’re willing to participate and have their data queried from the network. And then again, as part of this opt-in model, during registration, the registration clerk asks the patient to actually sign a document saying that they do consent to having the information requested from the network.
GE Healthcare is our prime contractor, and they build all of our interfaces to the site. The transaction format history is fired off from the ADT or the registration system of the hospital. And through a coordinated transaction between RxHub and GE, the information is queried, and we leverage the master patient index of RxHub to consolidate the data and send it back through GE the arrows are a little tricky here, but through GE back to the hospitals, at the point of care. And then the provider uses the information, obviously, for 12 months’ worth of historical data on medication history, and we’re having great success with this project.
So I’m going to turn it over now, and I know we’re on Question 2, and Ann’s going to take over and talk a bit about contracts and agreements that have made this thing actually happen.
>> Ann Cramer:
Thanks, Greg. This is Ann Cramer. I’m legal counsel that’s outside of VITL, and I was brought in to early on in the process to help the organization both form as well as to kind of put together the web of relationships and work with the Confidentiality or the Privacy Advisory Group to VITL to both address patient consent as well as policies and procedures.
In accomplishing the startup for this level of exchange, one large piece of it, of course, was the contracting with GE, which serves as VITL’s business associate. The other set or web of contracts is with the actual sites and the insurers. And the insurers needed to be satisfied as to how the information was going to be used, what procedures were in place, what the level of patient consent was going to be, since we would be accessing all drug-related information, whether it had to do with a mental health treatment or with regard to perhaps treatment that was subject to 42 CFR, part 2. So we developed a consent that was satisfactory to everyone, and that consent requirement is in all of the documents. VITL serves as both the business associate for the insurer, in having permission to get information released and then acts as the business associate for the hospital in delivering that information to them, and having access to at least a certain level in order to be able to do an evaluation of how well this pilot is working.
On page 5, we are responding to the questions regarding public interaction. VITL has a toll-free, dedicated consumer health line set up so that if patients have queries we’ve also developed patient education materials that are on the Web site. We at this point, individuals can request an accounting of medication history disclosures from VITL. When VITL receives the request, they make their query through their business associate, GE Healthcare, to find out whether information was accessed and where it was sent. If there is confirmation the information was accessed, then the privacy officer at that hospital is notified and is given the information with regard to the disclosure and follows up with the patient.
So VITL itself and I’m on Slide 6 does not provide information directly to patients, but works through the privacy officers. Likewise, since it is not holding any of this information, it does not have any mechanism for individuals to change or amend information. So in that regard, they need to work through either their the hospital or make queries to the insurer that’s covering them.
We do as Greg has described, we’ve got an opt-in model, so that when a patient arrives in the emergency room, they are both orally and then by written consent having the program reviewed with them and getting their consent to proceed to access this data. At this point, our understanding is, the opt-in rate is about 90 percent. If somebody does not opt in, data’s not accessed, with the exception that we do have an implied consent in operation, where it’s an emergency case and the patient’s unconscious and there is not an appropriate representative with them. If the patient consents the way this information is delivered to the hospital, the hospital then makes it part of their medical record, however, they keep that, whether it be paper or electronic, and so that the actual there is no actual living document that is part of VITL’s operations at this point.
We have developed a privacy policy that was put in place before the first hospital went live. That is available on VITL’s Web site. And as we continue to work with hospitals and signing on new hospitals, there’s an ongoing review at the hospitals to make sure that they have the appropriate compliant policies in place.
I think this brings you me back to you, Greg, on Slide 9.
>> Greg Farnum:
Okay, thanks. And so I’m on to the last question, about what happens in the case of a security breach. Per our contracts with GE Healthcare and the sites, if there is a security breach at GE, GE then no is required to notify VITL. VITL plays a role of notifying the hospitals that are affected, and the event is evaluated to see if we need to do additional if additional steps need to be taken to notify individuals. So that’s sort of the short version of this. There is, I should mention, a video of how this whole thing works on our Web site. That’s vitl.net. And I’d be glad to take any questions.
>> Kirk Nahra:
All right. Let me just ask a couple. Then we’ll open it up for a little bit. I see what you’ve done on the security breach side, and that makes sense. I guess the question I have is, is there any other place in the system other than I mean, you’ve dealt with GE, but is there any other place in the system where you would have a relevant security breach?
>> Greg Farnum:
Can you give me an example?
>> Kirk Nahra:
I’m trying to think of it. You say the only information that could be improperly accessed is stuff is what GE has. There’s VITL doesn’t have anything. You wouldn’t consider a hospital breach involving that data to be a breach. I mean, is there no data anywhere else, other than held by GE? I mean, that leaves GE uncovered, but
>> Greg Farnum:
Yes, at this point for medication history, the data, you know, the transaction starts from the ADT system I was talking about, where it’s through GE to RxHub. And the only, you know, point that we would as the only point we’d have vulnerability for security breach is either RxHub or GE Healthcare.
>> Kirk Nahra:
So is there I mean, just using the RxHub example, is there a provision for how they get involved in a security breach, what they have to disclose?
>> Greg Farnum:
If you know, that BAA agreement’s handled through an agreement between GE and RxHub. I’m not privy to the policy in that. But I know our contracts are totally are harmonized, so I would guess they would pass that contractual requirement on through to their contractor.
>> Kirk Nahra:
Right. Okay. And then you said there’s a master contract signed with GE. That’s VITL is the other partner to that?
>> Ann Cramer:
Right, that’s VI yeah, because GE is VITL’s business associate.
>> Kirk Nahra:
Is VITL a HIPAA-covered entity?
>> Ann Cramer:
No, it is not a covered entity.
>> Kirk Nahra:
So...
>> Ann Cramer:
So VITL serves as a business associate, then, to the insurers. In essence, this is a sub-business associate agreement.
>> Kirk Nahra:
So the covered entities I mean, for HIPAA purposes, the covered entities who are controlling this ultimately are the insurers?
>> Ann Cramer:
Well, you have the insurers and the hospitals.
>> Ann Zimmerman:
And so you have the BAA agreement with the insurers and hospitals, and then you GE is your subcontractor of your of that agreement.
>> Ann Cramer:
Right.
>> Kirk Nahra:
All right, other questions in the room?
>> Deven McGraw:
Yeah, I have a question.
>> Kirk Nahra:
Go ahead.
>> Deven McGraw:
So this is right now confined to medication history. Are there plans to expand this, or are you really just focused at this point on getting more providers participating in it?
>> Greg Farnum:
No, we are developing a comprehensive HIE as well.
>> Ann Cramer:
One of the challenges that we have in our funding sources from the state of Vermont is that we’ve got buckets to do different things. And so we’ve got one bucket of funding to get this project up and going, and then there’s another set of projects that’s more global that will follow.
>> Deven McGraw:
So where is that in the pipeline, in terms of scoping that out? Can you make any predictions at all?
>> Greg Farnum:
Sure, yeah. We have you know, we’re scheduling a launch of a chronic disease information service, first part of next year.
>> Kirk Nahra:
All right, other questions in the room? Jill?
>> Jill Callahan Dennis:
Yes, if my understanding is that the opting in and consent process to participate is a one-time process, and then you’re in? Or are patients being queried at every transaction?
>> Ann Cramer:
They would be queried at every transaction, because this is because, you know, it’s a you’re getting information for one occasion. When they come back to the ER a week later, they would have to give consent again for a second query.
>> Jill Callahan Dennis:
Okay, so that would resolve the problem if your scope changes in terms of the types of data in the system. The consent can evolve as time passes to cover new types of data.
>> Ann Cramer:
Right. Right.
>> Jill Callahan Dennis:
Okay.
>> Kirk Nahra:
All right, other questions in typing in the room? Alison?
>> Alison Rein:
I had a question about sort of there’s a provision of information back to the patient in the event that there’s a breach. You explained that it goes through VITL, and then they ask the individual institutions’ privacy officers there to contact people. But I envision that if you’re trying to scale this beyond two institutions, at a certain point, that really becomes challenging for the patient in particular if they’re having to deal with 100, 150, 200 potentially different privacy officers. (Multiple speakers)
>> Ann Cramer:
You might be surprised at how small Vermont is. We have a total of 14 nonprofit regular hospitals, so that are geographically distributed such that, although you might have a patient has gone to one or two hospitals, not likely to have gone to five or six.
>> Alison Rein:
But you don’t envision this, then, going beyond hospitals?
>> Ann Cramer:
This you know, this type of project is different than how we would be working on the chronic disease model, as far as where the feedback will come from. And frankly, we’re in the process of thinking through, in the next level of exchange, where and how some of those issues will be dealt with.
>> Alison Rein:
Okay, so these issues de facto wouldn’t necessarily apply when you expand your scope.
>> Ann Cramer:
Correct.
>> Kirk Nahra:
Let me just Alison, let me just add up on that. I mean, do I assume the idea there is to send have the hospital that the patient’s actually have been dealing with be the one that contacts the patient, right?
>> Ann Cramer:
Yeah, if it’s where the relationship is, and there may be other issues also related to the hospital record that VITL would not be aware of.
>> Kirk Nahra:
So, I mean, the impact right now would be if a patient happened to have been at multiple hospitals, you might get multiple reports of one security breach, but that would essentially be dependent on somebody having been to the emergency room in multiple hospitals.
>> Ann Cramer:
Right.
>> Kirk Nahra:
All right, other questions in the room? We have a couple minutes. Are there questions from people on the phone?
>> Sue McAndrew:
This is Sue McAndrew.
>> Kirk Nahra:
Okay, Sue, go ahead.
>> Sue McAndrew:
I just wanted to ask, in terms of, on Slide 5, the request for an accounting, whether or not the system has actually had such requests.
>> Greg Farnum:
We have not yet had a request for accounting.
>> Kirk Nahra:
Is the idea there that the accounting would be anybody who accessed that data for whatever reason? It’s not intended to be a I mean, HIPAA accounting is only certainly limited kinds of disclosures. This is intended to be anybody who accessed?
>> Ann Cramer:
Well, because this is sort of a more focused stream of portals, I guess, there you know, it’s a little different than where you could have a lot of different people and positions.
>> Kirk Nahra:
Right. Right.
>> Ann Cramer:
So it really is looking at, “Okay, was information accessed by you know, was a request made that went through GE, and was information delivered, and then where did it go? Which institution?”
>> :
But then there’s only two.
>> Sue McAndrew:
Okay, so this really is just particular to this stream of data. It’s not a
>> Ann Cramer:
Right. Right.
>> Sue McAndrew:
It’s not who touches the data once it gets to the hospital or
>> Ann Cramer:
Right, and that’s in part why we have the hospital be the pri you know, the source of response to the patient, so that if there are more questions about what happened to that information at the hospital, the hospital manages that, as opposed to VITL.
>> Sue McAndrew:
And how does the patient know to contact VITL for these kinds of requests, as opposed to the provider?
>> Ann Cramer:
Well, they could contact the provider, and then the provider would contact VITL and get the query going. But if they contact VITL directly as a result of knowledge about the Web site or the educational materials, then we this is our mechanism for responding.
>> Sue McAndrew:
Okay, and in terms of the privacy policy that VITL has, on those referenced on the Web site, given that you really don’t hold any information for any period of time, this is all you only have this information while it’s in transmission. Is that right?
>> Ann Cramer:
Right. You know, arguably, there’s lots of you know, basically, the policy is both describing VITL’s role, but also describing the requirements at the participating hospitals who have contracted to be a part of this organization organization’s network.
>> Sue McAndrew:
So it’s more like the consent...?
>> Ann Cramer:
Well, yeah. It’s talking about the consent. It’s also talking about the representations the hospital makes as far as its own privacy policies, its disciplining its workforce, the you know, its own compliance is so that VITL can build off of its business associate parties to demonstrate that there’s a number of agreements and protections in place.
>> Sue McAndrew:
Okay.
>> Deven McGraw:
Can I ask a follow-up question to that? In talking about the accounting and how you haven’t really received any requests, is part of the process of signing folks up for this, finding out whether they’re opting in or not is that is the fact that they can get an accounting are they made aware of that? Is it on the forum, or is it discussed during the consent process?
>> Greg Farnum:
That’s I believe it’s in the both the educational material, and you know, obviously, they’re given the toll-free number. So I think between the two of those things, that would be you know, again, we’re in a pilot stage for this.
>> :
Right. Right.
>> Greg Farnum:
And we’re anticipating that requests are going to come in. We have been running, you know, for quite a while, but haven’t had any you know, any request for accounting disclosures. But it’s the likely event is, they would call us on our 800 number and start the process that way.
>> Paul Uhrig:
I this is Paul from SureScripts. Just a priority in my own mind, I mean, the context of yours is very different from Rhode Island, obviously. I mean, you’re usually in a situation someone’s presented to an emergency room, and the doctor says, “Can I get your med history?”, and they provide that consent, and it’s that one-time event, right?
>> Ann Cramer:
Right.
>> Kirk Nahra:
All right, why don’t we again, if people could make notes, save their questions for later on. And why don’t we move to our next presenter? Is Mr. Golden on the line?
>> James Golden:
I am.
>> Kirk Nahra:
Why don’t you go ahead, please? Thank you.
>> Jim Golden:
Thank you. I’d like to thank the CPS Workgroup for giving us the opportunity to come and talk with you. My name is Jim Golden. I am with the Minnesota Department of Health, and we are charged with the responsibility of leading our state’s Minnesota eHealth Initiative, including an advisory committee which is helping to organize the state’s collective effort around the implementation of health information technologies. The other thing that might be useful for background is that Minnesota has recently revised its privacy laws in order to ensure the appropriate electronic exchange of information while still trying to respect the patient’s rights to control their own information and protect their data.
What I’d like to do today is just discuss how these laws have impacted the structure and activities of one of our state’s exchanges. Next slide, please.
Basically, what I’ll be talking about today is the Minnesota Health Information Exchange, or MN-HIE. And this is a health information network that is working to connect up Minnesota’s health care organizations. One thing that I should probably give fair warning about is, we are still in development, so we will try to answer the questions that you have posed and answer them as fully as we can, although some of them are not fully worked out from our standpoint. The primary purpose of this is really for treatment and potentially payment. The initial functionality is really going to be around medication history, and we anticipate that MN-HIE will be able to connect providers to the medication histories of approximately 3 million Minnesotans, or about 60 percent of our population.
Next slide, please. The current status of where we are with MN-HIE is, the founding organizations announced their commitment along with Governor Pawlenty in September, and we are currently in the process of incorporating the organization as a nonprofit entity. Even though it was announced in September of 2007, there had been planning activities that began as early as the beginning of 2006. In early 2007, the Group completed a proof-of-concept test that showed that they were able to exchange medication histories. And also, in the 2007 legislative session, we took major we took action to do major revisions to our Minnesota health records act to be able to facilitate the electronic exchange of information through health information exchanges such as this. Next slide, please.
The model for the exchange the information initially will be medication history and hopefully, after that, formulary and eligibility information. The purpose is, at this point, just for treatment and payment. The participants are health care providers and payers. The funding partners of the exchange are some of the state’s largest providers systems and the larges health plans, including the state’s public programs and Medicaid agency. The model that we are using is a federated model. There is no central repository of the health information. The data, the medication histories, will remain at its original source and just be exchanged through transactions. And there will be some type of record locator system, which essentially will allow the identification of the location of a particular patient’s records.
Next slide, please. There will be a data-sharing agreement. That agreement is currently being developed within MN-HIE’s they have two working groups. One is a legal working group, and they also have a second privacy and security working group. They are currently working on developing what the exact data-sharing agreement is going to be.
At this point, I don’t think we’re ready to say that it is a business associate agreement. I think whether it is or not is an open question. But perhaps more importantly, whatever the exact agreement is, it will cover many of the same types of privacy and security issues that would otherwise be in a BAA. And so participants all participants, providers, and payers who might be connected to the system will need to sign some type of an agreement that includes these exact issues.
Next slide, please: Individual participation. During the initial implementation, it’s not anticipated that individuals will be able to access data directly. The exchange is really designed to connect up health care providers with health care payers who have the medication data. This may change in the future, although, at this point, we are still focused on medication history.
The other thing that is important to note is that Minnesota law is substantially more protective of patient privacy than are the HIPAA privacy regulations. In Minnesota, almost all release or disclosure of information does require the patient’s consent, including for treatment. So for any release or disclosure of information, you either need to have the patient’s consent or a law that specifically authorizes the disclosure of information. So for in Minnesota, we have had consent even for the exchange for treatment for a long time. So even within the health information exchange, any movement or exchange of patient data must be done with the patient’s consent.
Likewise, one of the changes that we made in the last legislative session i relates to a record locator service. Because many of our statutes were written prior to the idea of electronic exchange, it was a little unclear to understand how to best apply our consent requirements to this type of a concept. So what we did in the law was, we said that, well, Minnesota law allows a record locator to be constructed without the patient’s consent, where what’s being constructed is some way of uniquely identifying the patient and then simply a pointer to the health care payer or provider that is holding their health record. However, that record locator cannot be accessed without the patient’s consent. And this would be the patient’s consent at any provider that wants to access it. So providing consent for one provider does not provide consent for all providers to access the record locator.
Additionally, as I said, any information that would be exchanged also is required to have the patient’s consent. And if patients want to restrict some or all of their providers from accessing their information, they can simply do so by either withholding their consent or otherwise limiting their consent as to what information they might be consenting to be exchanged or released.
Next slide, please. The other thing is that all of the patient’s contact with the health information exchange would be through the participating health care providers who are actually treating the patient. As I said, the health information exchange does not maintain the patient’s records, so therefore, any access to their health information would continue to be through their the patient’s individual health care providers, who are maintaining that information as part of their health record. Any amendments to that information would be much as it is today. It would just go through the individual providers who are creating that information and who are treating the patients.
One of the other aspects about this is that, under Minnesota’s law, there is a consent required. However, we recognize that by far the easiest place to actually obtain the consent is at the treating provider. So the treating provider has the ability to obtain the patient’s consent for the disclosing provider to disclose the information and then communicate or represent to that disclosing provider that they have obtained the patient’s consent. When that type of a consent is used under Minnesota law, the law also requires a number of audit logs to be maintained related to that communication of obtaining the patient’s consent. And so, with these audit logs, a provider would be able to supply a patient the details of any information that the provider would have exchanged through this type of a health information exchange.
Next slide, please. The MN-HIE is not a covered entity and, as such, does not have a notice of privacy practices. It does not store or collect or otherwise use a patient’s health information. No information may be exchanged through it without the patient’s consent.
Another aspect where patients are informed of some of their rights would be, under Minnesota law, when a provider is requesting a patient’s consent to access a record locator service, they are required to provide the patient an opt-out mechanism that would allow the patient to totally opt out of a health information exchange’s record locator service. So that would notify them not only that it would be there, but also of their right to opt out of that.
Another thing that we are working on in Minnesota is developing a standard patient consent form. We anticipate having that in January of next year. That will hopefully help to facilitate the process not only for MN-HIE but for other exchanges that might occur as well.
And then finally, organizations that might be participating in MN-HIE would certainly want to make sure that their organization’s notice of privacy practices would be appropriate for their participation in this entity. Next slide, please.
With regard to security breach notification, that is an area where the exact policies are currently under development. And so, at this point, I’m not sure I have a lot to be able to add to that. However, the likelihood of a risk I’m sorry the likelihood of a data breach is minimized, because, for the most part, MN-HIE does not maintain a patient’s health information. Any breach that would occur would be at the provider or health plan’s original data location, and that breach would be addressed and covered under those organizations’ existing policies with regard to notifying patients. And how we would notify other participants within the health information exchange with regard to any security breach that occurred, either through or as a result of the ability to access information through the health information exchange, is still being addressed but undoubtedly will be included in the data-sharing agreement.
That’s all I have. Be more than happy to take your questions.
>> Deven McGraw:
Yeah, I have a question for you. I think I’m confused about something here. You were pretty clear, I thought, about the stringency of the consent requirements in the state, and that each time you were to access the record locator service, you needed to get a patient’s consent for that. At least, that’s what I understood you to say. So then I don’t understand what the opt-out provision is supposed to capture or cover.
>> Greg Farnum:
Well, there are two things. It’s not each it’s not each time you access a record locator you need a consent. Each provider needs to obtain a patient’s consent in order to access it. That is actually a consent that doesn’t expire but may be revoked.
>> Deven McGraw:
Okay.
>> Greg Farnum:
The other thing about the opt-out is, because, under Minnesota law, there’s the capacity to essentially load a record locator or to create a master patient index, there were consumers there are consumers who believe that just even creating that is a problem, because it creates a footprint of where they may have received health services. And as a result, they would prefer to even be opted out of that, even though they may choose to not give their consent to even be to let anyone see it.
>> Deven McGraw:
Got it. That makes sense.
>> Kirk Nahra:
All right, any other questions from people in the room? Don?
>> Don Detmer:
Yeah. Very interesting. How do you plan to deal with unique identification?
>> Greg Farnum:
Of the individuals?
>> Don Detmer:
Yes, please.
>> Greg Farnum:
Essentially, there are a number of data elements that could be used: first name, last name, date of birth, gender, address, a variety of IDs that could be there, including the member ID.
>> Don Detmer:
So that’s still under consideration, basically.
>> Greg Farnum:
It’s under consideration, although we have had pretty good success with matching uniquely with those types of data elements.
>> Don Detmer:
Thanks.
>> Kirk Nahra:
Questions from anyone on the phone? (Pause) All right, well, why don’t, again, we make notes about other questions? Why don’t we at this point turn to Jac Davies?
>> Jac Davies:
Yes.
>> Kirk Nahra:
Go ahead, please. Thank you.
>> Jac Davies:
Okay. Thank you very much, and thanks to the Workgroup for the opportunity to testify this afternoon. My name is Jac Davies, and I’m with Inland Northwest Health Services or INHS, where I’m the Director of Program Development. I’m going to talk about the health information exchange services that we provide here in the Inland Northwest and also talk about some of the key confidentiality, privacy, and security practices that we’ve implemented to protect our patients’ information. Next slide, please.
I’d like to start out just by emphasizing that we are not, in fact, a health information exchange, at least not as people typically define them and as in comparison to the groups that have been talking earlier this afternoon. However, we do provide health information exchange services, and I’ll talk a little bit more about that distinction.
Our focus is shared services, leveraging a common infrastructure and resources to support a wide variety of organizations and programs. We’re a not-for-profit. We’re owned by competing hospital systems in Spokane, WA, which is on the very eastern edge of Washington State, so we provide services to health care organizations and residents across quite a large geographic range much of Washington, Oregon, and Montana and have also recently expanded our services to Southern California.
One of our service lines is called Information Resource Management, which is the group that operates the information systems for 38 primarily independent hospitals across the region that I just described. Instead of managing those 38 different systems, we have in fact implemented a common integrated hospital information system across all of those facilities. And that’s operated out from a centralized location. This standardized approach to hospital systems has really created a foundational system that gives us a support for a variety of programs and activities that promote patient safety and facilitate better patient care.
Our Information Resource Management Group also provides an electronic medical records service for physician offices, and it conducts health information exchange. So I’ll go into some more detail on that in a moment. Briefly, the rest of what we do in the shared services area is operate a large regional videoconferencing network, an inpatient rehabilitation hospital, we run the region’s air emergency medical service, we run an extensive health education and health promotion program, and finally we operate a regional fundraising program to collect money for children’s medical services.
Again, the common denominator across all of these programs is the shared services model. All the participating organizations have agreed to share resources so that the services can be delivered as effectively and efficiently as possible. Next slide, please.
Now, more specifically on health information exchange, a very significant number of organizations in our region are participating, and all participants are detailed on this slide. And you can see it’s really hospitals, physician offices, physician clinics, clinical laboratories, imaging centers, and amongst those clinics are the safety net providers in our area.
The mechanisms for sharing data differ. Some of the organizations, including all of the hospitals, have direct access as part of that their access to the integrated hospital information system. Others, such as the laboratories and imaging centers, route the data electronically into our shared system, and then it becomes available for the other organizations to access. All of the physicians and the clinics have the ability view the data through a variety of mechanisms, including a Web-based viewer, and they can also get it in the hospitals wirelessly via handheld devices like PDAs. So they use that information when they’re doing their rounds. A number of our clinics of the clinics that are utilizing this system also actually receive the data electronically via HL7 messaging. Those are ones that have already implemented an electronic medical record system, and they have the data dumped directly into the patient’s medical records. The data are used strictly for clinical care, and the data exchange and the data viewing is all related to specific episodes of patient care.
Access is role-based, so a nurse in a hospital can only see the data for the patients that he or she is assigned to care for. One physician cannot see the data for another physician’s patients unless that second physician grants permission. So the data is available for appropriate patient care. Next slide, please.
At the foundation of this system is really a common electronic medical record system that’s operating in the participating hospitals with a standardized approach to viewing the data, to the definitions in the data, and so forth. The data is largely inpatient data, but also includes some outpatient and some ambulatory care information, including data that comes into the system from the laboratories and the imaging centers that I mentioned.
The records are unified by a single master patient index, which allows tracking across organizations and time. And I heard the question for the prior speaker about identif patient identification. We use a process similar to what he described, taking elements from that are known about a patient, taking different data elements, and combining them to create an identifier that is unique to that patient. That’s an enterprise master patient index. Each facility has their own internal record number, but they are linked by the common regional master patient index.
Incoming data that comes from the laboratories or from the imaging centers are mapped to that MPI, so we make sure that the patient information gets into the right file. And there’s also a process involved where individuals can actually view potential matches and can make the right decisions. So there’s a fairly advanced process for making sure that we’ve got the right patient and are assigning the right number.
In addition to enhancing this patient access to patient information, this system really supports other kinds of health information technology initiatives, such as computerized physician order entry, that’s up and running in several of the hospitals on our system. Next slide, please.
This picture gives us a high-level view and gives a sense of the complexity of the kind of infrastructure that has been established here in the region. At its center is a series of databases that have been linked to form really a virtual clinical data repository. It’s Amy earlier used said that their system is developing a mixed architecture, and that’s certainly the case here as well. We have a group of different data sources, and we have mechanisms for moving the data and matching the patients between those data sources. These data sources include the laboratory and hospital information from within the hospitals that are on our network, as well as other hospital information systems, such as the pharmacy data from within the laboratory, and so on.
We also have, as I mentioned earlier, a centralized service for providing electronic medical record systems to physician offices. That’s the Centricity EMR that’s right in the middle of the central blue bubble. That’s an ASP model where physicians essentially subscribe to a service and can access their patients’ data remotely. The one of the benefits of that is that, again, it gives us a standardized data structure and really supports data exchange between those organizations. The and again, it’s all unified under a master patient index.
So wrapped around the central data sources are a variety of layers that really support security and physical and logical protection for the health information. Data are currently coming into this common infrastructure from external reference laboratories and imaging centers and, to a more limited extent, from physician offices. We really have just begun the bidirectional component from physician office EMRs and are still working to develop that.
Data, as I mentioned earlier, are viewed by a wide variety of organizations and are also exported electronically, either real time via HL7 messaging or in a batch format. And that’s the piece where we particularly get into relationships with public health agencies or potentially researchers, although that’s been pretty minimal so far. And we do that under an array of data-sharing agreements and are very careful about complying with our state privacy laws and with the federal privacy laws, and I’ll get into that more in a moment.
While we are not yet exchanging data with other health information exchange organizations, as implied by that Nationwide Health Information Network symbol at the top, we plan to do so. We have been in discussions with a variety of organizations. We have not yet had a patient care need to exchange data, and so our efforts have been largely regionally focused, but we’re certainly moving in that direction. Next slide.
Now, how does what is the underlying policy structure that supports all of this data exchange? What its real basis is a series of contracts that we have with all of our business partners, the formal contracts that, in part, encompass the services that we are providing to those organizations, but they also capture the all of the elements associated with protecting the data, with data use and limitations on providing access, and so forth. That’s all established as part of our contractual relationship.
In some cases, we do have data-sharing agreements separate from the contracts. And that’s been in situations where we’ve have had public health agencies that are looking to do a special study on some kind of population health issue that is really outside of the standard reportable disease framework for example, looking at the number of children who have come into the ER with head injuries who were not wearing helmets at the time of an accident on bicycles that kind of study.
And then sort of the third category are business associate agreements. And those are really the ones where we have are working with an entity that is not covered under HIPAA but has a business reason for access to our data, such as an external medical transcription service. Next slide.
From the consumer perspective, we really do not get in the way of the relationship between the patient and the provider. They do not work through us to obtain access to their health information. They have to work through their health care providers, just as they do with paper-based records. They also have to work through their health care provider to request changes or make any amendments to their record.
Each provider can grant access to health information that has been collected in that provider’s office but not to any other data in the system. However, where information has been exchanged so that it’s consolidated into one facility’s record, then all of that would be available. So for example, if a patient’s been seeing a specialist and has been hospitalized for a procedure, and all of the information from the hospital is available to go back to the specialist’s office if that specialist has an electronic medical record and as I said, a number of our physicians in town do have that then the hospital data as well as the physician’s data is incorporated into that physician’s office record. In that case, all that is available to the patients through the physician’s office.
We make it easier through INHS for participating hospitals and physicians offices to track who has accessed or viewed a patient’s information. Because of the way we have established our system. But if the patient wants to find out who has accessed the record, they have to go through their health care provider. They don’t come directly to us. If they did come to us for some reason, then we would just refer them back to their provider.
There is an opt-in, opt-out option for patients really, it’s opt-out rather than opt-in where they can refuse to have their records shared, whether their records are electronic or on paper, but they can’t make that distinction. It’s a total opt-out, in which case they’re saying they’re not going to share either paper or electronic records. If they do decide to opt out, then the provider has the option of not delivering care, unless it’s emergency care. Again, that opt-out decision is made at the point of registration at the provider’s office. Next slide, please.
Briefly, on privacy practices, there is a standard notice of practice that’s posted and managed by each provider. And patients are informed, again, at the time of registration. Next slide, please.
From the perspective of security breaches, part of our contractual arrangements with each of our organizations is to require that they have a designated HIPAA privacy officer. And that applies to whether it’s a solo physician practice or a 600-bed hospital. Everybody has to have a privacy officer. And they’re the ones who are required to respond when there’s any kind of if there is a potential security breach.
If INHS learns about a potential breach, then we notify the affected organizations through their HIPAA privacy officers. And we would only notify those organizations that we knew or suspected to be affected. Then it’s responsibility of each of those organizations to take the actions that need to be done, and we do follow up with them on this, but take any actions that need to be done to assure that the breach is taken care of and then to notify their patients if that’s necessary. Next slide, please.
So just briefly summarizing a few key points, health information exchange here at INHS is really just one element of a much larger collaboration. But pragmatically, we very strongly believe that that much larger collaboration and the infrastructure that’s been established makes health information exchange possible. INHS works in the background. We support the providers and the health care organizations. The provider is and really needs to be the key point of contact, and the point of control over patients regarding their health information. We believe that patient-provider relationship is critical and that we want our model for health information access to continue to reinforce that relationship.
As I’ve described, our processes for managing patient access and permissions really mirror the processes that are used for paper-based records. Accesses and permissions are all managed at the point of registration at the provider’s office.
In our current system and I’m using the term “system” sort of globally here a patient’s record consists of both electronic information and paper-based information. And from the standpoint of access or permissions, we don’t make a distinction. And we think that this is an important issue to notice, because certainly, in this community, like everywhere else in the country, we have a continuum of health care providers. Patients seek care with multiple providers, and all of those providers are at different stages of adopting health information technology.
So the reality is, we live in a mixed paper and electronic world. This community happens to be a little further along the spectrum toward electronic than others, but the paper is definitely still there. That’s likely to exist for some time to come. And so we believe that our current system, which allows us to support the patient access and the information rights and management around paper records as well as electronic records is a logical way to go. And it’s going to make it easier to transition to electronic information for both patients and providers. And then one more slide.
And just want to thank you again for this opportunity, and I’ll be happy to take any questions.
>> Kirk Nahra:
Questions for anyone in the room? From anyone in the room?
>> John Houston:
This is John Houston, and I apologize. This isn’t really a question so much as while I’m thinking about it, I think it would be really helpful, is for all these presentations, if it’s possible, to get copies of some of these sample agreements and notices, as well as maybe try to formulate a matrix of all the different things that are in place for these various organizations, you know, whether it be opt-in versus opt-out, and how they handle different things. Because when you start to try to compare them, it’s almost it all sort of blurs together.
>> Kirk Nahra:
All right, okay. Thanks. Questions from folks in the room?
>> Don Detmer:
Yeah I guess I was more as much fascinated as how they didn’t blur together in some respects, really pretty different models. And really fascinating to me that I think it’s been very helpful, and I thank the presenters.
>> Kirk Nahra:
Well, I mean, one thing we’re clearly going to have to think about is yeah, I’m sort of the same reaction as you did, which is, each one of these has its own unique you know, maybe we can find some common elements, but they seem to be more different than they are alike.
You know, not for good or bad, just each one’s got their own set of things. Are there particular questions for this presenter that we want to do at this point? Anyone on the phone with a question?
All right, why don’t we turn to our last presenter? We will hear her presentation, and then we’ll have some time for questions for the group as a whole. Vicki, could you go ahead?
>> Vicki Estrin:
Sure. My name is Vicki Estrin. I’m the Assistant Director for Regional Informatics for the Vanderbilt Center for Better Health and also the Chair of the Midsouth eHealth Alliance Operations Committee, which is the committee that handles all of these policy and security questions. I’d like to thank the committee for asking to hear our story and also thank our funders AHRQ in the state of Tennessee. Without their support, we wouldn’t be able to tell what we’re doing. By next slide.
By way of background, we are a very young exchange compared to, certainly, Jac’s that she just described. And I think the committee has already recognized, in just the brief comments, that if you’ve seen one HIE, you’ve probably seen one HIE. The Midsouth eHealth Alliance is a 501(c)(3) organization that serves citizens in the greater Memphis area. If you look at the slide, there’s an area in red that’s challenging for those of us that are needing glasses these days, but hopefully the red makes it pop. That is a three-county region that services approximately 1.1 million citizens. And of note, and one of the reasons this exchange has gotten such support both from the state and the local community, is that 25 percent of the citizens here are below at or below the poverty line. We have a heavy Medicaid population as well as a heavy uninsured population.
We began as a state-funded project in August of 2004 but were awarded an AHRQ State and Regional Demonstration Contract in September, along with Delaware, Rhode Island, Colorado, Utah, and Indiana. The total funding for us amounts to about $12 million. In addition to that, Vanderbilt’s role in this project is to provide the technology, so under that $12 million, Vanderbilt also provides support for the technology, and the system that you’re about to hear about actually is based on Vanderbilt’s own homegrown system that was developed about 19931994 under the leadership of Dr. Bill Stead.
Our board was founded in February of 2005, and I’ve listed the initial participants. Just of note, it represents all of the major health care providers and health systems who compete furiously and vigorously with one another, with the exception of this project. Christ Community Health Services is a federally qualified clinic, and then we also have Shelby County/Health Loop Clinics, which provide the public health for the at least the Shelby County region. We have UT Medical Group, which is a 400-plus-clinician practice, primarily specialists. And then we have one for-profit health system Tenet from Tenet Health Care, Saint Francis Hospital, and their hospital Saint Francis Bartlett. Next slide.
The participants, when we started this process, actually identified the data elements to be available and agreed to provide clinical and demographic information from all encounters, inpatient and outpatient, and emergency department. This was done in our initial 6-month planning period, and so, as we started the project, we decided we would be clinically focused and would get data as much data as we could about the patient. However, we are in no way, shape, or form, nor is our vision to ever become, a medical record. It is a supporting longitudinal record of clinical events that a patient would experience.
The board identified the first point of access to be the emergency department. However, today we’re now expanding access so that we have a number of users that go beyond the emergency department. We get asked often why we don’t expand access more quickly, and frankly, the reason is concerns around privacy and confidentiality and security, to a lesser extent.
Our first emergency department began using the system on May 23, 2006. Today, we have five hospital emergency departments, with plans to implement the remaining nine emergency departments in the three counties between now and the first quarter of 2008. For example, we have two more emergency departments coming up in the next 4 weeks and one additional one about a week after that.
Hospitalists in three of the health systems, Baptist Memorial and Methodist Health Care and the Med, began using this in the inpatient setting as of September. And then also in September, we gave Christ Community Health Services and their four clinics their clinicians now have access to the system for the purposes of patient care and treatment. We do not allow the system to be used for any other situation, except for the purposes of treatment, and we restrict access to the point of care and the site where the patient has presented. So this is not a system where a physician could go home and log on, for example. We actually hard-code IP addresses into it so that no one can get in from the outside.
Next slide. I have given you some statistics and figures that I won’t read, but this gives you an idea of where we are, where we were one year after going live. We have approximately 350 users, 90 percent of those are clinicians. About 40 to 50 percent of our patients who present to the ED, which in May was the only point of access about 40 to 50 percent of those patients did have a record from a facility other than the facility that they were presenting from. So we know that in this our population, patients do move from one site to another. We have approximately 811,000 patients represented in the system, so about 75 percent of the patients we have some information about them. And then you can see the number of transactions that we receive on a monthly basis.
Our architecture next slide is centralized but separated into logical vaults. A key point is that the publisher of the data retains ownership and is responsible for the quality. We have two levels of access. The first is through a record locator service, which reveals a minimum amount of data information. The second access is to clinical information about specific patients. Access at to the record locator service can be granted to those who would be in support of the patient care delivery, such as a registrar, or in the outpatient setting, some of the other support staff that would be assisting the clinicians. The access to clinical information is, at this time, to clinicians only. And the facilities themselves identify and authorize who is a clinician and who isn’t, although, in our database, we do keep track of those by roll.
Data that are available today next slide includes information, as I said, from the inpatient, outpatient, and ED and also some claims or administrative data. We receive patient identification, demographics, lab results, encounter data that includes date of service, physician and reason for visit. We have some medication history through claims. We’re actually in the process of testing allergies or receive allergy data, but we don’t publish it at this time due to the fact we’re trying to understand with our Clinical Workgroup the best way to present that information. And then we also take dictated reports. We have imaging studies, although we don’t have images. We have cardiac studies, discharge summaries, op notes, ER summaries, history and physicals. We also have diagnostic codes and, again, medication histories.
So a wealth of data that’s presented for the patients. And again, the access points are limited. The amount of data comes in is not. If it’s a if the facility has the ability to send us additional data, then we work with them immediately and begin to populate from that point forward. Next slide.
The Midsouth eHealth Alliance has a number of legal agreements that are in place, and many of them this is going to sound a lot like a repeat of what you’ve already heard. We have a BAA between each of the participants and Vanderbilt, and Vanderbilt, in this case, really serves as a business associate. And in lieu of a vendor, that’s the way to think of about this: the IT solution.
We started here, and that was actually a really good place for us to start. The attorneys in all of the sites were comfortable sending the data to build the system. However, it took a long time for people to think through and chew on the fact that once we shared the data that that opens us up to a whole other set of issues.
We relied heavily on the Connecting for Health on policy framework and the model contract from the Markel Foundation. All the participants at this point must apply to be a member of the exchange. We have a registration application that, once it’s accepted and countersigned, becomes the agreement. That application says here’s that you assert what type of data you’re willing to provide. You also assert that you’re willing to give a patient the right to opt out. And you assert that you will follow all of our policies.
All participation all participants must also sign the participation agreement, which is what most people think of as the data-sharing contract. That agreement is much more broad. It also specifies that you must speak to you must follow all policies and procedures, but it also includes things around indemnification, liability, insurance requirements, etc. So it’s a much more stringent contract it looks much more like what most of us would think of as true contract language.
All participants have a voice/vote, on the operations committee. And so there’s really a three-legged stool for us. It’s the registration agreement, where somebody applies and is accepted; the participation agreement; and then the operations committee. The participation agreement and registration agreement both rely heavily and refer to policies. Those policies are made by the and approved made by the operations committee and approved by the board. And so, regardless of whether you’re on the board or not, all people who put data or use data from the system have a voice and vote on the operations committee. And it’s that committee that sets all of the direction.
You asked about a copy of the agreements, I’ve given you the Web site. All of our documents are publicly available, and I won’t read the Web site to you, but it is there.
Core concept that flows through everything is that data ownership is maintained by the publisher. In our mind, it’s irrelevant where it is stored. The publisher is responsible for the quality. And what is most important for everyone is how that data are used and by whom.
Another core concept that have I haven’t heard today that may exist: Any participant with the appropriate notice can leave with their data. So our exchange is balanced on a complete system of trust in many, many ways, as well as contracts behind it. But the contracts allow our participants to withdraw, take their data. If the data has been exposed or been used, the audit logs would maintain it, and that data would be kept in the system. However, it would be blocked from view and only be in an accounting disclosure or lawsuit would it be revealed. Next slide.
Our approach to privacy-consent notification I broke this down a little bit differently than the way the question was worded, but what you have on the right side of your screen and again, this is available on the Web site is a fact sheet. The fact sheet is our way the Midsouth eHealth Alliance’s way of educating both the people who are using the system and the patients who are participating, if you will, as patients in the system. Participants and when I say “participant,” I’m thinking about a health care organization, a provider, the managed care organization, public health. Participants in the Midsouth eHealth Alliance maintain their relationship with the patient, which I think has been a common theme, as I’ve listened to the other presenters. Participants control how the data will be used, they determine what data will be shared or not shared, and disclose this to all participants.
So let me clarify that. If a site doesn’t want to send us their labs for some reason and we haven’t had this happen, but if it were to happen, that’s okay. They just to have publicly disclose it. And when you log when a user logs onto the screen, they can see which sites send what kind of or publish what data. So it just has to be revealed publicly to all the participants. And then as we bring partici more users on, we incorporate that in the training so they’ll know what to expect or what not to expect.
Participants are responsible for authorizing all users. For us today, what’s important is, we know who our users are, and we have a pretty limited chain of command in terms of who is responsible for identifying that that person actually is who they say they are and they have the role that they said that they have.
Participants are required to notify patients through their notice of privacy practices or an acceptable alternative that their data will be shared. So we, as the Midsouth eHealth Alliance, don’t notify patients. We’re not a cover entity. However, all participants are required, somewhere in the notice of privacy practices, to have language and I didn’t put that in the slide, but I can certainly share it but language that states that the Midsouth eHealth Alliance exists, and that the patient’s information could potentially be shared, and that the patient has the right to opt out, which leads to the next requirement is, they must have a mechanism in place to respond to the patient’s request not to participate in data sharing. I’ve done my best, to at least on my slides, sanitize the word “opt-out,” because I think it gets confusing.
Participants also must coordinate and respond to patient’s request for information about who’s viewed their health care data within the participant setting and through the Midsouth eHealth Alliance. So in other words, saying that if there’s a request for accounting disclosure or just a patient who says you know, maybe not as formal, the participant is responsible for working with the Midsouth eHealth Alliance to prevent to provide the accounting and disclosure.
One of the things that happens is, we have audit logs that are very detailed. But as the Midsouth eHealth Alliance, we don’t know what was appropriate and what wasn’t appropriate. We just know what happened. And so we certainly can provide that in the accounting and disclosures, but if the appropriateness of a look-up is questioned, it is only the participants and it may be plural who can really do the digging to see what was appropriate and what wasn’t. So it has to be a collaborative effort. It is the Midsouth eHealth Alliance’s preference that it be done through a participant. However, if we were to receive the request at Midsouth, we would then look through the audit logs and, per our policy, pull the participants together and work on creating that log. And it would be a participant who would present the information back to the patient. Again, very similar to what you’ve heard already.
While we don’t have a notice of privacy practices, the Midsouth eHealth Alliance does post the fact sheet that you see on its Web site, and this is available not only on our Web site but all of our participants use this in various ways. Some post it. Some give it to patients. Some of the privacy officers use it as part of the education process when a patient requests an opt-out or has questions about opt-out. Or if a registrar because opt-out occurs usually at the point of registration in our process has a question about what an opt-out is, this is a document that the registrar’s been at least exposed to and educated about what its purpose is and can give that to the patient.
Next slide. Patients who receive care from the participants in the Midsouth are notified that their clinical data could be shared with the Midsouth eHealth Alliance. Each organization has a contact person to discuss concerns, and that’s who the patient would go to. The contacts are known to all participants and shared with the patients in the notice of privacy practice and the fact sheet. Patients have a right not to share their data from a specific institution.
We actually struggled with global opt-out, and this was, I think, polic Amy referred to policy-driving technology, but sometimes compromises have to be reached. And in our case, because of the way our matching algorithms work, we’re now at a 99.7 percent assurance of a patient match. But at that time, we weren’t that tight, and there’s still an error of margin of error. So a margin of error. So we said we could guarantee 100 percent of the time that if a site notified us that a patient wished to opt out from that site, we could honor it, no problems and honor it, I mean, from a technology perspective. There is a slight chance that, the way the algorithms work to match patients, somebody could slip through the cracks. And so the decision was made that a patient must opt out at the participant level. They can’t opt out at the Midsouth eHealth Alliance level. If a patient chooses to opt out, they have they’re informed of that, and per the bullet above, if they’ve been they’re at Methodist and now they’re at Baptist, they can be given the Baptist privacy health care or privacy officer’s number.
Patients in our case cannot amend their data through the exchange, but they can, through existing law and policies, work with participants to amend any health care information in their record that they choose. So again, it’s the relationship between the provider and the patient.
Patient data are either accessible or not accessible. It’s all or nothing. We don’t allow episodic or disease-specific opt out. One major exception to that is, we do not share mental health or substance abuse data, and sites are actually not allowed to send it to the exchange. And we monitor and audit for that, and if we see it, then we stop the feed until it’s fixed. Next slide.
We have a number of policies that their title may or may not be indicative of what occurs, but we have the operations committee that reviews these at least annually, and we’ve just gone through our second review of these, and then the first was the writing of them. And then we actually also will amend them as time goes by, based on situations that occur. Next slide.
We were specifically asked to comment about the event of a breach which occurs in our mitigation policy, which I’ve reflected on this slide. But essentially, if a breach occurs and a participant knows about the breach, it’s their obligation and responsibility to move forward with it. However, there is language in here, so if Midsouth eHealth Alliance were aware of a breach, we would work with the participant. However, if the participant did not, to the satisfaction of Midsouth eHealth Alliance, follow you know, notify the patients appropriately, the Midsouth has the right to step in and notify the patients directly. It’s the only place where the Midsouth actually has asserts a right to go straight to the patient, and that would be in the event of a breach.
Next slide. I think it’s I’m moving more into summary, but I think it’s important to note that we didn’t get to this approach easily or quickly. What you have there is a graphic that shows how long it took us to get the model contracts, and also, between March and May, we were working on policy. The other things that were happening in that time period is, all of the organizations had to change their own internal policies in terms of how they would notify patients, change their workflow around registration, etc. So it was not a quick and easy thing to do.
Our approach was based, again, on the Connecting for Health model contract language. The time spent, however, discussing and debating these issues was invaluable part of the process. So I think that in retrospect, all of the folks who were involved would say it made them much smarter and much more aware of what needs to be done, when you think about a health information exchange.
The other key to that is, when we were in the midst of this dialogue, if somebody heard about it, they were invited to the table to discuss. So we did not exclude. You didn’t have to be a participant to participate in the information. You just had to be willing to have healthy con be engaged in healthy conflict, which we had a lot of. The process created what I think is a priceless asset for us, and that’s trust. Next slide.
How we continue to navigate these is, again, we have the operations committee, one voice or a voice/vote, and the Midsouth eHealth Alliance also has a voice and vote, and that would be, “I actually represent the Midsouth eHealth Alliance.” The committee has become the forum for discussing all of the landscape, and they advise and educate the board and others in the Midsouth and in the Memphis region. So they expand past the participants. They review and recommend all policy changes. They review requests for different uses of the data. They review applications for participation and respond to specific agenda items, again, usually related to policy.
The we’re also involved in the expansion of scope. So when we started this, we were very tight. Purposes of treatment only, emergency department. We’ve expanded the access points a bit, and that’s been a good thing. But then there’s also been expansion of how else could we use it. And probably the use of the data is the most controversial. We’re right now talking about and working on changing the policies that I’ve just talked about to encompass public health reporting, which would include reportable diseases as well as deidentified, anonymized data for epidemiology studies at the state level and CDC level. And then another use separate from public health reporting is moving into the case management realm.
So we’ve been work those are work-in-progress discussions. We’ve actually been looking at the policies to say what would need to be changed. And probably the most significant thing about both of those is that each of the organizations is having to go back through and look at how they’re notifying and discussing or sharing with the patient how their information will be shared. It is very limited in the current language to just for the purposes of treatment. So we’re actually revising that notice of privacy practice language to be much more broad. We’re also revising the fact sheet to let the patient know that their data will be shared for the purposes of treatment, public health, and potential and case management. However, they can still opt out for the purposes of treatment, and probably for the purposes of case management. They can’t opt out of public health. So the languaging of that is still a work in progress, but that’s where we are today. Next slide.
We don’t pretend we know what the future is. We’re doing our best to continue to educate ourselves on what’s happening. For us, our experience has been that consensus at the local level is very important and actually much more expedient than waiting for consensus at a national level to be achieved. As we’ve said, if you’ve seen one HIE, you’ve seen possibly one. We don’t believe the decisions we’ve made today are permanent. However, we have the infrastructure in place to respond to changes in the future.
So that’s our approach is that we don’t think what I’ve told you today will stand and will be the same a year from now 2 years from now, but we do think we have the process and the approach to make the changes. And you can see the Midsouth eHealth Web site. That’s their home you’ve got displayed. And with that...
>> Kirk Nahra:
Thank you very much, Vicki. Let me ask one question, which applies to a number of the groups, but let me just focus on it with you. You talked about the treatment purpose.
>> Vicki Estrin:
Right.
>> Kirk Nahra:
And I think what you’re focusing on is, you could a provider could access information for treatment purposes. Is that right?
>> Vicki Estrin:
Yes.
>> Kirk Nahra:
Now, so they access information. They take information you know, pull it back to their hospital, for example.
>> Vicki Estrin:
Okay.
>> Kirk Nahra:
Is the idea that they can only continue to use it for treatment purposes?
>> Vicki Estrin:
Yes.
>> Kirk Nahra:
So does that require the hospital to essentially keep that data segregated from everything else?
>> Vicki Estrin:
What most of them do and we have a mixed bag, so a lot of our organizations may have electronic medical records, but they still the paper chart is still alive and well. And so they put it in the correspondence of correspondence part of the chart. And so if the patient is referred to another specialist and that correspondence is relevant to that referral, it goes, again, for the purposes of treatment and care, with that patient.
So it’s not it’s so in the paper world, it’s pretty easy. They’ve all come down to “We put it in our paper chart.” In their own charts, again, they would not be able to give this data to somebody for purposes of research and any other secondary use other than the purposes of treatment.
>> Kirk Nahra:
So let me push you a little bit around that. I can understand, I suppose, and accept the disclosure piece. But if I’m in a hospital and I’ve got information about, you know, my patient that came from another source, let’s say that I I alter my treatment regimen because of that, and I need to justify that to the insurance company to get paid. Am I not allowed to do that?
>> Vicki Estrin:
It would probably be a gray area to have that come up, but what you would do is go to the operations committee and say and we have a mechanism to do this quickly, so it’s not like you’re in La-La Land forever.
>> Kirk Nahra:
All right. Well, how about something that’s completely internal? They want to do a you know, they want to do a financial study of where they’re you know, which departments in the hospital are making money or not making money. They have to just carve that information out? They’re ’cause that’s not a treatment purpose.
>> Vicki Estrin:
I’m sorry; what? I couldn’t hear the other question.
>> Kirk Nahra:
Well, the other example was peer review. I mean, I guess what I’m struggling with is the idea that I mean, I understand that you can only check for treatment purposes. You can’t, you know
>> Vicki Estrin:
Once it’s all under so your question really is broader. Once it falls once this information’s been used internally in an organization, what are their rights in terms of their use of it?
>> Kirk Nahra:
Correct.
>> Vicki Estrin:
Okay, let me respond a little bit differently. Once it falls into those that data, those data are they tell us what they’re going to do with it.
>> Kirk Nahra:
They don’t know. I mean, presumably they brought it in
>> Vicki Estrin:
Well, no, they
>> Kirk Nahra:
for treatment purposes.
>> Vicki Estrin:
They basically give us some examples. They say, you know, it could be used in peer review. If it’s going to be used for billing, then it would actually have to come back to us. And that’s not in policy, that’s just what we’ve basically come to the agreement on. Probably should be in policy, now that I’m talking. But
>> Kirk Nahra:
But peer review isn’t treatment, is it?
>> Vicki Estrin:
But peer but once it’s in their medical record, it becomes part of their own medical record policies. So it can be used. Again, it’s the secondary use outside of that organization that we’re most concerned about.
>> Kirk Nahra:
Okay, all right, but I’ll I’m trying to explore this, and I get the sense that I mean, I know it’s an issue for other groups as well, but you said they bring it into their electronic medical record, which is what I would expect normally
>> Vicki Estrin:
If they do. A lot of them don’t. They it’s we’re not interoperable, so this is a separate system.
>> Kirk Nahra:
Okay, okay, that’s a fair point, although presumably the idea is ultimately to be interoperable.
>> Vicki Estrin:
Sorry. I mean, you have to we’ve only got one system one health system that’s even close to this. So you’re I mean, it’s very hypothetical. And we’ve been asked a couple of questions about using that use of that data. And again, so I can give you sort of the decisionmaking that we’ve the decisions we’ve come to about certain specific instances.
However, in only one case could there potentially be and there, actually, because they’re in the middle of their own rollout of their EMR, they don’t want to muddy the water with the Midsouth eHealth Alliance coming into it. So we actually don’t have that situation right now. We are not a mission-critical system or a system that sits over to the side. And so typically, you will see us referred to either in their dictated notes with the paper chart, then they’ll print it off and put it in the correspondence part of the chart. And if it is used in the course of the treatment, they certainly can go back and ask for it for the purposes of peer review, as they would in their paper chart. And Jac made the point: We’re kind of in these two worlds here. So the paper rules in the hospital, pretty much.
>> Kirk Nahra:
Okay, well, let me ask try to step back from the examples and make a general statement and see if you agree with this, which is, the idea here is that the information that’s obtained through your entity is subject to specific rules, and the idea is that that data is not integrated with the rest of the information that the hospital has about it about that patient.
>> Vicki Estrin:
That is how it is today. Ultimately, we wish it to be integrated, but that’s not where we are.
>> Kirk Nahra:
But integrated in two ways. There’s integrated mechanically. Then there’s integrated meaning it would be subject to the rules that are relevant for all the rest of their data.
>> Vicki Estrin:
Right.
>> Kirk Nahra:
Which presumably are HIPAA rules.
>> Vicki Estrin:
Right.
>> Kirk Nahra:
The idea that I think you’re describing is you know, whether it’s integrated into the record or not, it’s not the purposes are not turned into HIPAA purposes. They’re kept the idea is to keep this as treatment only or whatever else you say is permitted, but it’s not just lumped with everything else.
>> Amy Zimmerman:
This is Amy. Can you hear me?
>> Kirk Nahra:
Yup.
>> Amy Zimmerman:
This was this general point has been you’re hitting on an excellent point, and it was sort of hotly debated as we were going through and drafting our proposed legislation. And we’ve sort of put this under secondary disclosure. And where we’ve come out, who knows where you know, whether it will get passed and changed again, but where we’ve come out is that the confidential health information obtained by the provider, you know, sort of from HIE could be further disclosed by the provider, with or without the authorization of the patient, to the same extent that the information could be disclosed pursuant to state and federal existing law.
So the issues that the providers had were exactly what you’re saying. If we put this into our medical record because we relied on it for decisionmaking, we can’t keep you know, just from a feasibility, practical point of view, we can’t keep it separate and then, when we go to send our records someplace else, have to start extracting it. That’s just too challenging. So we sort of have this carve-out, so to speak, under you know, under a phrase in our proposed legislation around secondary disclosure.
I don’t know if that helps thinking this through it all.
>> Kirk Nahra:
No, no, I mean, that’s just that’s a different I think that’s a different approach than what Vicki was describing.
>> Amy Zimmerman:
It is. I’m just sort of giving a counterpoint by saying that it’s a very legitimate concern that was debated heavily among our community as we were putting together the draft legislation here in Rhode Island.
>> Kirk Nahra:
Yeah, and that’s I mean, look, I am not there is not a right or wrong on this. We, I think, at this point, particularly today we are trying to understand, you know, using five examples, which isn’t the waterfront, but it’s, you know, a piece of the waterfront, what’s going on out there, what decisions have been made, what’s on the horizon. I mean, frankly, one of the other conclusions I get is that most of you describe organizations that are getting up and going, but your actual up-and-going right now is relatively limited. And so, you know, it’s just a lot of just still building this stuff.
So we’re again, we’re trying to understand it. It’s just that restriction on treatment. I was trying to understand the front end and then how it carried over to the back end, because one of the issues that we’re struggling with as a Workgroup is, you know, whether imposing some different kind of rules for this information (a) is necessary, and (b) if it is necessary, does that create its own set of problems by just creating a different set of rules for certain kinds of information? And I’m hearing that some of the groups have dealt with this in certain ways, and some of those issues have been thought through, and some of them that just haven’t arisen yet. So again, it’s a wide variety of efforts at this point.
Let me open to the folks in the room starting with the folks in the room questions for either a particular presenter, or to the Group as a whole. Questions for anyone? Alison?
>> Alison Rein:
I had a clarification for the last speaker on this notion of case management.
>> Vicki Estrin:
Yes.
>> Alison Rein:
I was wondering if you had if your Group had sort of begun to sort of define what would constitute case management, by what types of entities, et cetera.
>> Vicki Estrin:
Yes. (Laugh) And we’re not finished yet, so I can we’ve talked about case management both in the hospital setting, the ambulatory safety net clinic setting, and then also the payer setting: insurance companies. So we’ve looked at because each of them would argue case management and have a definition for it. So we’ve not come to a conclusion, but we’re looking at it and trying to understand exactly and by probably the only prediction I could make is that we will start very restrictive and then, as we begin to learn and understand, move past that. But it takes it’s a whole new world to look at. It sounds very simple, but it’s not.
>> Alison Rein:
Right. Well, no, I can appreciate that it’s not. And it sort of ties into this last part of the conversation, because, you know, regardless of what your current policy is, if, by chance, an institution did, you know, integrate the information into their medical record and then submit that as the claim, then inadvertently, you’ve given that
>> Vicki Estrin:
Right.
>> Alison Rein:
case management opportunity to this third party.
>> Vicki Estrin:
And that’s what we’ve and that’s actually what started the whole conversation
>> Alison Rein:
Okay.
>> Vicki Estrin:
was the identification of exactly that situation. And so we’re still struggling with it, and working through it. I can’t say we have an answer. I can just tell you that it’s literally front and center on our agenda right now.
>> Alison Rein:
Do you guys have a timeline for that, or is that not something you’re
>> Vicki Estrin:
Oh, our timeline hopefully it will be resolved in the next our board hopes it will be resolved in the next probably by January. February.
>> Alison Rein:
Thank you.
>> Kirk Nahra:
Other questions from folks in the room?
>> Deven McGraw:
Yeah, I have one. This is Deven McGraw. For a couple of you gave a sense of how the opt-in or opt-out policies that you’ve put in place have worked in your particular communities, but not all of you did. So I’m curious, for those of you who didn’t include information on your slide, about how that has ended up working out and whether it’s an exact percentage. I’m curious, really, about how this gets operationalized. Are people tending to opt in, or are they tending to opt out? I’m kind of curious if that’s at all been assessed. I’d be interested in hearing from those of you who didn’t.
And then the other thing that I’m really curious about is how the question of opt-in or opt-out came up in the first place, because it seems like all of the systems we’re talking to, both this conversation today as well as some others that we’ve looked at in different context, are definitely taking up the question. It’s not completely clear to us that it’s a question that’s necessitated by a legal requirement. So I’m just I’m interested to see how it comes up.
>> Vicki Estrin:
I can start. This is Vicki from the we have our opt-out experience in the urban environment is less than 2 percent, but it goes between 1 and 2 percent on a monthly basis. We’ve not had any patients ask to opt in, although our policies allow for an opt-back-in. In the suburban environment, it’s less than 1 percent. And we would have predicted that. We’re not surprised by it. Anecdotal comments from patients are much more suspicious, more conversations, lots more questions in the urban environment. In the suburban environment, we get more things like, “Oh, good, I’m glad you remembered, because I forgot.”
So there definitely is a demographic play in that. We are also we don’t collect information, and we don’t ask a patient to specify why they opted out, so we don’t have that information. And, you know, so the good news for us is that we do know people are at least some are understanding what their rights are, and we would be more worried if we had zero opt-outs. But all of our health systems have had some percentage of patients choose not to share their data with the Midsouth.
And for us, the issue is not a legal issue. It’s a you make a great observation, because when we started this and we were restricting it for the purposes of treatment only, it didn’t necessarily, to all of our committee members, seem like a relevant conversation. However, as we started talking about it and I’ll quote most of our members when I say they felt like it was an ethical decision. So they handled it from that perspective, not a legal perspective.
>> Amy Zimmerman:
This is Amy in Rhode Island. And we don’t have any data to give, because we haven’t started enrolling consumers yet, but addressing where and how it came up, you know, I think we positioned early on that we saw the benefits of health information exchange and health information exchange system for the purposes of direct patient care, as well as for the purposes for broader quality improvement purposes. And I think that, for good or for ill, that did beg the question of how would the data be used.
But in addition to that, although there’s no legal basis to be asking the question, I agree with Vicki, it’s an ethical one, because there’s a di when individuals think about all their information being available or viewable in an integrated sort of manner, whatever that may be and however that means, and in an electronic format, the angst goes up. Whether it’s real or valid or legitimate, it goes up. It’s different than knowing that I’ve got, you know, medical information on paper in 12 different places. And I think that it’s that it’s as much perception and fear as anything else that has caused the conversation to come up in a variety of settings, and the concern and a growing knowledge that, you know, whether you know it or not, your data is used for a lot of other things.
It’s sort of juxtap you know, on the one hand, patients expect and are surprised when they hear their physicians don’t have the data when they need it. On the other hand, they’re very concerned about where it’s going to go and what’s going to happen to it and will it fall in the wrong hands. Can it be used for purposes that will harm them? Because it’s easier to get, and the perception is, it’s easier to get in an integrated manner. Is it going to affect my employment, my mortgage insurance, my life insurance? Because there’s only one place, even in you know, even in a legal case. And we’ve actually stipulated in the legislation, if it were to pass as is, that the HIE is not the primary source of data and should not be subpoenaed for that purpose.
So again, a lot about perception and just the sense that, in an electronic world and in an area where data is could be gotten more easily all at one time, there are greater concerns than otherwise. That’s our experience.
>> Kirk Nahra:
Well, does that let me just follow up on that a little bit, which is, do your to the extent that and I realize that you haven’t started rolling yet, but I mean, to the extent that the figures are 98, 99 percent, is that a I mean, how realistic do we think that is? Is that just a discussion item that people once it’s discussed, they aren’t worried about it?
>> Amy Zimmerman:
I think well, I think, again I mean, I think, with sound justification, those numbers are all the numbers that have been experienced in Massachusetts through the EMass health collaborative and others, so I think that, explained in the proper setting by providers, individuals you know, we keep hearing over and over again, heard today from some of my, you know, colleagues that, you know, individuals trust their providers. If this is endorsed by their providers, you know, if they know about it and they’re aware and they have the right to choose, it goes a longer way than them feeling like someone is pulling a fast one on them and they didn’t know about it.
So we’re hopeful that we can achieve that same kind of opt-in rate, and we’re certainly going to work very hard to do that, but we also believe there’s in order to build the trust Vicki was talking about, there needs to be some transparency, and that if we tried to do this in another way and actually, we did. We’ve done a couple of turns on where we started. We started on all data goes to the HIE, and you only get to see it you know, the patient gets to control at the viewing level, and that didn’t fly. So we actually tried, in our case, to start in a different place and, over many months, had to back off on those approaches and move to more patient-controlled type of approaches.
>> Kirk Nahra:
Other questions from people in the room? Questions for Workgroup members on the telephone?
>> Tom Wilder:
Yeah, this is Tom Wilder with America’s Health Insurance Plans, and I’ve got a couple of questions if I could. The first one is for Jim Golden, and I noticed you when you talked about your data-sharing agreement, you said that it may or may not be a HIPAA business associate agreement. And I guess that kind of surprised me, because I had assumed it was. But I was curious as to what your thinking was on that.
>> Jim Golden:
Well, I think that there are some that think that it will be. I think that it’s still being discussed. I think there’s a question of whether or not any data is actually being shared from the covered entity to the HIE. I think it depends a little bit on the exact structure of the record locator. I think if the record locator obviously contains patient identifying information that links them with the facility, it’s much more likely that it would be.
>> Don Detmer:
So in other words, you’re just viewing yourselves as more as a conduit or pass-through, and you’re not actually touching any data or doing anything with it, other than routing it to the right place.
>> Jim Golden:
I think that is one possibil that is yes.
>> Don Detmer:
Okay. Okay. And my second question is for Vicki, and I think you had indicated that there were certain classes of data or information having to do with behavioral health
>> Vicki Estrin:
Yes.
>> Don Detmer:
and substance abuse treatment. And how do you actually figure out what that data is? And I’m I guess my example would be, are there not certain classes of prescription drugs
>> Vicki Estrin:
Yes, and so, for clarification, we don’t expect we do not accept any information from substance abuse and/or mental health/behavioral health clinics or inpatient units. So
>> Don Detmer:
Well
>> Vicki Estrin:
Well, let me finish. Under our Tennessee state law, we are allowed to share the medication list, and it can include those drugs. So it’s in the context of a medication history. It’s not in connection to an encounter. So that is we are, under state law, allowed to do that. We also the analysis of the attorneys that we work with in the Midsouth eHealth Alliance also just recently said if there were an ICD9 diagnosis code that was reflective of perhaps an ED visit, if the patient were not referred to or admitted to a mental health or behavioral health or substance abuse site, actually disclose that ICD9 code. That’s been those are they’re on the edge, they’re on the bubble of that information, but and we don’t disclose any claims that are related to mental health, substance abuse, behavioral health.
>> Don Detmer:
Okay, I that’s helpful. And I guess if I could, I’m going to ask one other question, and I’m just going to
>> Vicki Estrin:
Sure.
>> Don Detmer:
I’d open it up to anybody who wants to respond. I notice, for most folks, the patient consent was really seen as kind of an all-or-nothing proposition. You’re either in the system or out. I’m just curious, just in general, kind of the pros and cons that were discussed in terms of having a more granular level of consent, either on you know, as to specific providers getting or not getting information, or as to specific information not being shared.
>> Amy Zimmerman:
I’ll start that a little bit. It’s Amy, again, in Rhode Island. Again, from the Rhode Island perspective, patients will be able to say they want certain providers to see their data or not. But at the data granularity level, it’s not a technology issue, because actually the technology we’re implementing could do that. It’s a policy issue. And it’s been the sense of the community that and the providers felt strongly about this that it would really not help improve quality and safety for patients if there was missing information and providers were not aware of it, or even if they were aware of it and didn’t know it.
And that also, from although, you know, technically, you could put on fields to block certain data, you know, there is information, whether it’s medications that, you know, may be known as an antidepressant but used for some other purpose, and that a sort of choppy medical record just was not in the best interest of giving high-quality space, cost-effective care. And that drove our decision to say that you can that a patient can choose who can see their data or at a, maybe, practice level or however we define that level but they can control, to some extent, who sees their data. But if they’re going to give that access permission to see their data, they then have the right to see everything about that patient, because otherwise, it’s too difficult to provide them good-quality care.
>> Vicki Estrin:
And this is Vicki. Just to add to that, it’s not technically impossible in terms of ICD9 codes or electronic documentation, but in our case, we take dictated reports. So if there were a particular disease process or something some information that you maybe said, “I don’t want informa I want everything about me except that,” the fact is that any of that information we could scrub it with all kinds of natural language processing things, etc., but again, it’s that margin of error. And so, you know, if in fact you know, it could even be a radiology report, CT scan with contrast. The radiologist may dictate in there specific things, and it would not be inappropriate.
So we’re that was the other piece for us is that we felt like it was impossible to guarantee a patient that level of granularity, and so we said it’s either all or nothing.
>> Amy Zimmerman:
The other thing this is Amy again. Thank you, Vicki. You spurred one more thought. You know, we had a number of individuals on our consumer advisory committee that really, you know, pointed out that sensitive information is different for different people. So it may be, you know, medication for someone who’s got some mental health issues, but to a victim of domestic violence, a broken rib or broken bones may be just as sensitive. And so even a definition how to filter out what and what would be considered sensitive, and trying to think about business rules around that was, again, very challenging for all the reasons I said and that Vicki said.
>> Don Detmer:
Great. That’s thankful. I see back the balance of my time. Thank you.
>> Kirk Nahra:
You have no balance, Don. (Laughter) Jodi?
>> Jodi Daniel:
This is Jodi Daniel. I have a question. A couple of folks have talked about consumers being able to find out who has accessed their data, or you know, it wasn’t clear. Some people talked about accounting disclosures, though it wasn’t clear. Some folks were talking about audit trails. I was just wondering how you know, sort of at what level folks are doing that, any technical issues with providing that kind of level of data to consumers. Just looking for some more insight as to how that works or how you anticipate that working.
>> Vicki Estrin:
I’ll start. This is Vicki in Memphis. We have not been asked. So don’t know how much work we would actually respond to either a patient’s (inaudible) or just appropriateness of lookup access to the audit log and/or accounting full accounting of disclosure through the participant. So that’s how our policies are reviewed.
We’ve talked about it at a high level what it would take, and from the auditing perspective and giving access or publishing the audit log to a patient to see that that’s not we don’t anticipate that to be a significant burden, but it would not be easy. Especially with full accounting of disclosure, we all agree that it will not it can be done. We know how to do it. Do we think it will be easy? No.
>> Jodi Daniel:
Vicki, just to follow up on that, is do you think providing that audit log to consumers have you had any feedback? It sound like there hasn’t been a request yet
>> Vicki Estrin:
Right.
>> Jodi Daniel:
But whether or not the information that is printed on an audit log is understandable and is actually useful to consumers to try and understand the level of the data and the detail and whether or not it’s reflective of what consumers are looking for?
>> Vicki Estrin:
At this point, honestly, no, I don’t think it would be understandable to a consumer. I think if a consumer were to ask for that information, we’d be working on creating the first example of something that would be understandable to the consumer. So we would not hand them our audit logs as they exist today. They are only they are fairly developed and defined for the participant, using the process of matching it to their own audit logs, so that they can check for appropriateness of use. And we would all work very hard to very quickly create the first draft of the consumer version of that.
>> Jim Golden:
This is Jim Golden. You know, we had a lot of discussion on that as we were thinking not so much about MN-HIE, but as we were looking at revising our privacy law. And because, in Minnesota, exchanges generally require consent, at the disclosing provider, if a patient gives consent today in a paper world, the provider would take that consent and put it into the paper file or, you know, otherwise make it electronic and put it into the EHR.
What the law what we were doing with the audit logs was really to say, when the consent is not provided at the disclosing provider, but rather it’s provided at the treating provider and communicated to the disclosing provider, that disclosing provider really needs to document four pieces of information: who requested the health records, who was the patient, what records are requested, and the date of the request. And because there is liability associated because of private right of action in Minnesota, there is most providers would be expected, obviously, to follow the law and maintain those records.
The discussion in general around people requesting it for the most part, not a lot of people are expected to request that kind of information, and that the bulk of those would come when there is a complaint investigation, that someone is concerned that there may have been an inappropriate disclosure. And that would have to be reasonably processed in order to be given to the patient in some kind of meaningful fashion.
>> Deven McGraw:
This is Deven following up on Jodi’s question. I’m wondering Jac, you had some information on your consumer participation slide about access and viewing information being tracked through the INHS system, but only made available to consumers through the health care providers. It sounds like, to me, that information is relevant to this issue, and I’m wondering if you can just make sure we’re clear on how that works in your system.
>> Jac Davies:
Yes, and it’s really an audit-tracking process through the software that we use, particularly the hospital information system, so every access to a patient’s record is recorded: time, the individual who was logged on, who accessed the information, and so on. And then so if a hospital has a request for information on who has accessed a patient’s file, they can pull this information up very quickly out of the information system.
>> Kirk Nahra:
Let me jump in for a second. We are way past time. We were due for a break. I want to see whether if people exist, tell me quickly I’ll do first in the room and then on the phone if you have other questions, so we get a sense of whether we should are there people in the room that have other questions? Are there people on the phone that have other questions for a panelist?
>> :
I have a question for Vicki Estrin, a follow-up on the issue about not reporting or receiving substance abuse and mental health information.
>> Kirk Nahra:
Yes.
>> :
You talked about that you’re starting your implementation with a lot of emergency departments and, in a lot of places, people with mental health and substance use issues are a big percentage of ED presenters. So I’m wondering whether you’re looking at, maybe in the future, something about sharing that information, or if you’re keeping track of how many people you might be missing sharing valuable information by not sharing that.
>> Vicki Estrin:
It’s a tricky question, and I mean, not that you’ve asked, but that we deal with. So the majority if the patient if it’s known, then the patient actually goes we actually have a psychiatric ED with the med. So none of that data actually will ever come to us. That’s never going to come to us, because just that’s the decision we’ve made for right now. And that could change, as well as change about patient consent and such, but for right now, that’s the decision we’ve made. It’s as I said, nothing is we could change everything tomorrow based on different pressure points.
If the emergency department codes the patient, does not admit the patient to a subs or refer the patient to substance abuse or mental health or behavioral health type, we actually can take the ICD9 codes and that particular part of the history.
But so we do take some information, but not all, and we’ve just recently started accepting the ICD9 codes. The med lists, we are working on as a whole. So if it’s in the we haven’t started publishing the medication history that some of the other folks on the that presented have. But that’s but we plan to. That’s how we plan to handle it for right now.
The other piece of this that we’re working on or (inaudible) piece I think is an important piece, is that when those patients present in a behavioral health or substance abuse setting, there’s a medical screening that’s required. And so one of the things that I think is very important is that it’s not you have to provide in order to use. So there is an opportunity to use the Midsouth eHealth Alliance data to really improve the quality of care, at that point of care, by giving them access to the other data that they are missing now. So it’s the reverse of what’s been talked about in most settings, but I think it’s actually an important piece to think about as we move forward.
So it’s not just there’s bidirectional exchange of information, and there’s some information that it may be very difficult for us to obtain, at least in the beginning as we’re trying to work out all the bugs. That doesn’t mean we couldn’t provide access to that information. So that’s that’s a third area, and it’s not high on the priority list, but it is something we’re talking about.
>> :
Thank you.
>> Kirk Nahra:
Are there I’m interested in sort of a verbal show of hands at this point. Are there other people on the phone that have questions that they want to ask?
>> :
No. (Laugh)
>> Kirk Nahra:
Anyone who does have questions at this point?
All right. Why don’t we do this, then? Let me thank all of the panelists. That was a very helpful discussion. I appreciate the conciseness and appropriateness of the comments and really focusing on the questions we asked, which was very much appreciated. Very helpful information. You’re all you’re obviously welcome to stay on. We’re going to have a little break, and then probably 45 minutes or so of discussion. But at this point, it is looks to me like 3:35. Why don’t we take be back here at 3:45? We could start up again. Thank you.
(General thank-you statements)
(Break)
>> Kirk Nahra:
We get the call back?
We are back online, and we’ll spend the next, you know, half an hour, 45 minutes or so getting folks’ reactions, impressions, etc., trying to start thinking about where we go with the information we heard today. Deven, do you want to start?
>> Deven McGraw:
Yeah, we actually could get some of us who hung around in the room during the break started sharing some comments. I think there’s some sort of commonalties which we should talk about. But for the most part, what struck a lot of us was just how different each of these systems is in terms of the scope of what they’re doing, both now and what they anticipate being able to do in the near future, versus aspirationally in the long term. But you know, and so, to the extent that we’re trying to make some recommendations with respect to what does or doesn’t need to happen to HIPAA in an HIE environment, given the wide variety of models that we’ve had today, makes the task probably a bit more challenging. But I think it would be helpful, actually, to talk about whether there were some common elements.
>> :
Well, one common thing at least I thought I was hearing was that and I mean, these are expressive people, and goodness knows whether the general quality of that would help hold across the whole country. At least I was impressed with the stature and quality and savviness of these folks. And it was very apparent to me that they weren’t really waiting, necessarily sometimes some of them had state law that they were dealing with, but they really weren’t I mean, they seemed to be saying, “What makes sense for the people of our region, and what’s the right thing to do?” Not necessarily, you know, “I’m reading HIPAA very carefully to decide should I do this, this, this.” I think they were really trying to say, “We clearly want to meet the laws and rules of the road, but we’re going to do some things that we think are good practice and are good policy with patient care, with public health, and so forth.” I mean, there’s generally a sense that, well, if we don’t legislate something regulate something from Washington, it’s not going to happen. I was really pretty impressed with the sophistication with which they were approaching it. I don’t know if others of you that was one thing at least I took out of it.
>> Tom Wilder:
This is Tom Wilder. I guess my impression was, there was a lot of lot of commonalty, notwithstanding the fact that they had, you know, some different setups and different things they were trying to accomplish. And I was really first of all, I want to compliment the staff on putting together a very good panel, but I thought, you know, all of these groups have put in a lot of thought and time into looking at the you know, balancing the patient’s right to confidentiality with the practical needs of the end users who wanted to get access to the data, based on, you know, in some cases, their kind of state environment with respect to some state laws that they had to follow. And I thought, you know, we could probably draw together some recommendations for the full AHIC on how HIPAA works or might be improved in the environment of these health information exchanges.
>> Deven McGraw:
And, like, for example?
>> Tom Wilder:
Oh, good gosh, you’re going to put me on the spot here.
>> Deven McGraw:
I’m sorry, Tom. (Laugh)
>> Tom Wilder:
No, no, that’s all right. I opened my mouth. I deserved that.
I’m thinking out loud here, which is always a danger, but for example, I think I guess one recommendation is that, you know, we think that all of the you know, we’ve said in the past that all of the components of this health information exchange ought to be covered by HIPAA. I don’t think there’s anything of this discussion that really changes that dynamic. I think we may want to think about how we would classify the exchange itself. Is it a a covered entity or business associate, or is it something something different? I mean, do we want to, for example, suggest that HIPAA explicitly recognize and define what a health information exchange is, in all this process, and look at and define whether, if it is you know, is it a business associate, and therefore this is what has to happen, or do we think it’s a covered entity and, you know, when would that happen or not happen?
>> Kirk Nahra:
Hey, Tom, this is Kirk. Could I just jump in for a second there? I mean, one of the things that did strike me was, a couple of the arrangements were based on a contractual entanglement where the key the key contractual entanglement was a, you know, business associate subcontractor agreement, which highlights one of the issues we’ve dealt with before, which is, these contracting arrangements don’t fit very well. I mean, how do you apply the idea of a covered entity controlling the business associate, when what we’re really talking about is a business associate of all of these covered entities dealing with a downstream subcontractor? And so I took everything that was said today, with that being just one example, as not only not inconsistent with what we’ve said before but dramatically reinforcing our earlier recommendation that says, “We’ve got to get all of these people subject to the same rules.” I mean
>> :
Kirk? I would be willing to say that there were a number of things, and what I took away how they were so different was because they seem to be struggling with some of the same things we’ve been discussing.
>> Kirk Nahra:
If our recommendation was in place, this would have been a lot easier.
>> :
Yeah, right, issues related to who is going to contact the patient in the event of an incident, all these same things. They all dealt with them differently because the solution is so convoluted.
>> Kirk Nahra:
I’m sorry, Tom. Go ahead. You had some other thoughts, I think. Or may or did I save you from Deven? (Laugh)
>> Deven McGraw:
I think you ought to be grateful for the interruption. (Laugh)
>> Tom Wilder:
I think that was a timely interruption. (Laugh)
>> Kirk Nahra:
Now, just for next comments, we do want to encourage discussion, so please ignore Deven’s efforts to put you on the spot. I mean, we don’t want anyone to be discouraged from comments by the fact of having to follow up.
>> Deven McGraw:
I think we’re on to something. I was just, you know, opening the door a little wider. (Laugh)
>> Kirk Nahra:
Other people on the phone? Thoughts? (Pause) No one else is on the phone.
>> John Houston:
Hi, this is John Houston. I’m just listening.
>> Kirk Nahra:
John, you’ve got to have some opinions.
>> John Houston:
Well, I have many opinions. I just, you know, I thought I agree with the premise that there is an enormous amount of thought that’s gone into each one of these, and I am impressed by the maturity of thought, and that’s gone that we see here. But I don’t agree I mean, I you know, I’ve heard people say both that, yeah, there’s a lot of commonalty, and there isn’t as much. I’m sort of in the camp of “There’s not so much commonalty as I would have thought, in some ways.” And I think that, unfortunately, you know, if part of our responsibility is to try to come up with some standard way of thinking about these things I don’t know, maybe that isn’t our responsibility, but I think it probably is at some level what can we glean in terms of commonalty that we can make into recommendations to help further you know, progress this? And I think it’s worthwhile to try to put those on paper.
>> Sue McAndrew:
This is Sue McAndrew. I guess I would second what John was saying. And what I found particularly confounding, I guess, are the very different approaches taken with regard to how much how the opt-out, opt-in works and at with what level of granularity it works in these various systems, as well as the that a lot of these systems seem to be making some entry-level decisions based on the very limited scope of what they’re trying to bring up immediately and just a sense that some of the things that they are deciding to do now, I think, really become will become burdensome or even inoperable if you were trying to take that policy and apply it to a fully blown, integrated EHR system. So a lot of these systems who are describing themselves as some sort of, you know, sidebar notes, even, and not even approaching an integrated EHR and it’s troublesome, I guess, to see how we get from what they’re piloting, to where to the kinds of policies that we are faced with developing.
>> Kirk Nahra:
Yeah, Sue, this is Kirk. Let me just add one point to this, which is, I was struck in the discussion of, you know, secondary uses that one of the solutions that seemed to be being proposed was dropping stuff to paper so you could keep it separate.
>> Sue McAndrew:
Right.
>> Kirk Nahra:
I mean, that just I was floored by that. I understand why they’re talking about that, but
>> Sue McAndrew:
But that doesn’t I mean, that’s not going to be helpful for us.
>> Kirk Nahra:
Yeah. So I agree with that. A couple other thoughts things that your comments brought to mind: It was interesting that almost everybody seemed to talk about mental health and substance abuse information. Everybody seemed to have a consent to get into the to participate at some level, but they also didn’t seem to give you any particular way to consent for mental health and substance abuse. They just said, “We’re not taking it. We don’t want it. It’s too complicated.” So that was an interesting fact.
I also was intrigued that no one mentioned any diseases, diagnosis, anything like that other than substance abuse and mental health information. I mean, you know, that was just interesting, because there obviously are other laws in other states that in some states, I don’t know offhand whether any of the states we were talking about today have them, but didn’t mention those other some of the other situations. And again, I don’t know whether that just didn’t come up, or whatever, but that was also striking. And it’s striking how each one of them had a different you know, is going to have a different set of things that are coming in and not coming in. You know, that was where I really saw the difference. I’m not we can have commonalities in terms of saying there were restrictions on the kinds of information they will take or there were difference you know, different variations in patient consent. But within those categories, there were four or five different approaches to each of those topics. And so that’s where I really saw the differences being much more substantial. You know, they addressed a similar set of topics, but they address them in very different ways.
Other folks on the phone who have thoughts? (Pause) All right, in the room?
>> Jill Callahan Dennis:
Well, yeah. One thing we were talking about at the break is you know, the on the relevance discussion we’ve been having. All of them, I think, pretty much regardless of their business model, said that the interface with the patient and those decisionmaking processes belong at the provider, as opposed to at the health information exchange level. And I thought that was kind of our gut reaction after a couple of calls ago. But that was confirmed, I think, through these conversations.
>> :
I was going to point out that point as well, although I have a slightly different take, which is that even though that’s the case for the explicit purpose that’s currently being described by these exchanges, if you extrapolate out 5 or 10 years and sort of imagine what you might want that entity to be doing, it might make it far more problematic from a patient perspective, in order to access that information. And if you do look at it as eventually evolving into a fully integrated health information exchange, then you would want to be flexible enough in your thinking to accommodate that.
So I thought it was interesting that everybody you know, certain exchanges more than others were really, really restrictive in what they were tackling right now. And they were only thinking about operationalizing that within their state or just two hospitals.
>> Kirk Nahra:
Just two hospitals or throughout the (inaudible) region.
>> :
Right, and it’s nothing about how this all fits into the NHIN, except for the one presentation from the from Jac in Spokane.
>> Kirk Nahra:
Basically said that it’s on the charts, but we’re not dealing with it. (Laugh)
>> :
Right, yeah, although but they did exchange data between, you know, California and Idaho and Washington, although she referenced that they use state law to make those determinations.
>> Kirk Nahra:
Well, they do (inaudible). Her chart I mean, and when she listed the participating entities, all of them seemed to be in Spokane.
>> :
Oh, okay.
>> Kirk Nahra:
I mean, she did say at one point, “But the ones that are actually doing it now”
>> :
The exchange are all in Spokane. Okay.
>> :
I think they envision themselves ready to move to other
(Multiple speakers until Kirk Nahra’s next line)
>> :
Oh, they don’t have a lot of complexities that the others are dealing with, because they’ve got medical records software in the same software. I don’t know how they did that. That’s a great idea.
>> Kirk Nahra:
The other thing that I mean, this goes back to something else that was said a minute ago. I mean and I think it’s an issue we really have to think about, and I don’t know how to I’m not sure how to deal with it. But I think we’ve all had, in our own minds, this vision of, you know, whether the NHIN is the end goal or not. We’ve all had this vision I mean, we’ve been talking about personal health records. Nobody mentioned anything to do with personal health records today. So we’ve been talking about personal health records, and EHRs, and everybody you know, putting stuff into this big integrated system. And no one on the phone today is 1 percent of the way there. They are you know, they’re doing small geography, small sets of providers, often limited information, often very limited purposes. And, you know, they’re moving along on that. They’re moving along, some faster than others. I you know, obviously they’re giving it lots of thought. It’s important to give it lots of thought. You know, you do get of a sense
I mean, I was very concerned, listening to the Rhode Island presentation, that they’ve put all this thought into it, then they’re going to throw it into a, you know, state legislative hopper, which, you know, we’ve all dealt with state legislatures. I mean, that’s just a mess, you know, just as a generic. I mean, nothing but I mean, the way it comes out who knows what’s going to come out of there.
But I do wonder, at this point I mean, I think we’ve got to think about stepping back a little bit and maybe trying to focus our recommendations, whatever they’re going to be, on something that’s really not happening right now. It’s something that we’re envisioning down the road. But I just you know, the kinds of things that I think are envisioned by the reason we’re sitting around this table is, you know, a nationally integrated, interoperable system no one here is anywhere near no one we’ve heard from. Maybe there’s somebody else out there that’s doing a whole lot more, but I sort of assume not that much. It’s just a whole different world. And I mean, we can think of it so we’re talking about I don’t know whether we’re talking about 10 years or 20 years or 30 years, but we’re not talking about next year. We’re not talking about a couple of years, even.
>> :
I think that was the most unsettling thing for me, in hearing this, was that this is so infantile. You know, where it is on the ground is really very
>> Kirk Nahra:
In its infancy, maybe. (Laughter)
>> :
Although there’s still a lot of risk. Like, I was really concerned. And not to be I mean, it’s not that I don’t trust what they’re doing and trying to achieve, but I can’t believe that the people who are partners in this are not then transacting that information for billing and other purposes.
>> :
How could you not?
>> :
I just don’t believe they’re separating it in their record, unless it’s all paper
>> Kirk Nahra:
And I agree with that, but I also had I mean, and my guess is, you’re going to have a different view on this, but I’m not sure why once they get the information in and there’s been whatever consent up front, why it wouldn’t be yeah, why you need to draw that line at that point. I mean, it’s not I mean, I understand that they can’t sell it to the drug company, but there are lots of other reasons why they can’t sell it to the drug company. There you know, they’d be violating the current laws if they started selling it to the drug companies.
So why do you have a medical file? You could use three-quarters of the medical record for all of these purposes, but this one quarter can’t be used, because you happened to get it in from a different source. We’ve sort of dealt the idea was to try to deal with that with whatever permission you’re going to get on the front end. I’m not sure why you have that back-end problem.
>> Deven McGraw:
In part because of the level of granularity that these people are not allowing in their system. I mean, I think that’s a very real part of it. So it may just mean we can disagree to disagree and have this conversation offline, which is fine. But I think, you know, there’s a lot of information that’s going to be out there that is, you know, in no way necessarily relevant from that individual’s perspective to get back to the payer. And, you know, then if it’s starting to be used for case management, and the payer contracts out to a third part I mean
>> Kirk Nahra:
You know, I mean, that’s a fair point. But I guess that’s where I get to you know, today, when they walk into the doctor’s office, the doctor can do all kinds of things with the information, that if we gave them the right to say, “Check one from column A, check one from column B,” they wouldn’t check column B for a lot of those things, or they’d pick you know. And they don’t get it for the rest of their record, so and if the doctor called up and says, “Hey, could you email this to me, or can you make a paper copy and I can put it in? I can then do everything with it,” that’s, I guess, where I get back to that core idea of the differences, which is but again, I just struggle with I had exactly the same reaction, which is, I can’t imagine that the hospitals I mean, and not in any in not in any
>> Deven McGraw:
Not (inaudible).
>> Kirk Nahra:
Yeah, I don’t know how they could practically do that at the end of the day. I can’t imagine them saying, “You know what? We won’t get paid for what we did here, because we’re not allowed to give the rationale to the insurance company, because the rationale was the treatment they got last month somewhere else.”
>> :
Or the first malpractice claim. (Laugh)
>> Kirk Nahra:
Yeah, whatever it is. I’m not sure I see the reason to distinguish it, but I also can’t see designing a system with that being the premise, particularly where the way they envision enforcing it is dropping everything to paper and sticking it into different files.
>> Deven McGraw:
On the flip side, though, I have a really hard time and maybe it’s because I’m very naive with respect to the technology believing that you can’t, when you send data to another person, flag it in such a way that that information is flagged and retained in somebody else’s system. Again, this could be just complete data ignorance, but this is a technical question that I
>> Kirk Nahra:
I think it’s a and several people said it: It’s all theoretically possible. It’s just not what they’re doing now. And they’re not you know, and it’s not it doesn’t seem to be even within the realm of what they’re really thinking about doing right now, either. You know, they’re not I mean, again, one of the things this goes a little different direction, but I’ve been talking in a number of other contexts to some of the big technology companies that are starting to get involved in this, whether it’s Microsoft or Google or Yahoo, you know, a bunch of those companies who aren’t starting from the health care industry. They’re building whatever it is they’re building, and I won’t pretend to understand I know exactly what it is they’re building, but they’re building all these things from a technology perspective.
Maybe we need a hearing to hear what they’re doing to see sort of how much of this stuff can get matched up. I mean, part of the issue is that, you know, you look at some of these companies, you know Microsoft doesn’t have any concerns about where their next funding level is coming from on the state department of mental health. All these people we talked about today I mean, I think all of them were really driven by state grants and a couple of you know, a couple of partnerships. So they’re trying to move forward on things that are, you know, in its infancy but still getting the stuff started. And just some of those extra technology bells and whistles, even ones that we might think are very important, aren’t what they’re trying to get off the ground.
>> Deven McGraw:
Well, they’re not specified in the CCHIT criteria, I think is part of it. So they’re not being acquired now, they haven’t been acquired, and they likely won’t be acquired. And so the types of criteria become imbedded in the process. But that’s I mean, that’s a different discussion, but I think that’s part of what’s driving it.
>> :
I think that hearing will just highlight even more what seems to be the intention we have, which is a national approach versus a very local approach, because those companies are going to have and I know one in particular at least. The vision was they weren’t going to roll it out unless it was absolutely national in scope.
To me, that seems to be a fundamental intention that we have now. I understand where these things are starting at a very local to your point, you have to crawl before you walk. Ultimately, you do have some exchanges did I say that right? Yeah some exchanges that are national. I mean, pharmacy exchange that’s a national exchange that plugs into some of these local ones. So I’d be concerned about just sort of coming to the conclusion that it’s going to be local, so we don’t have a role in the national health
>> Kirk Nahra:
You know, I mean, even the premise a lot of the examples that you see of why we want this is, you’re on vacation in Florida, and you’re in a car accident, and you’re in you know. None of these things are going to help in that scenario. None of the things we’ve talked about are going to help in that scenario at all.
>> :
The frequency with which those things actually happen relative to the need in the system is you know.
(Multiple overlapping speakers during next two paragraphs)
>> :
Yeah, most care is local, unless you’re a snowbird or someone who travels a lot. But that’s that percentage of the population is pretty small. So there is something some of these local solutions percolate, in creating an environment
>> David McDaniel:
Yeah, although but doesn’t that create a need to let those local things happen, but also build in some sort of mechanism to be able to transfer say I’m in California. I want to take that information that happened to me in California and get it back to that local solution (inaudible) usual care.
>> Kirk Nahra:
Well, even more than that, David. I think your point is right, Deven, that care is local, but we also have a very transient population, so your local move. And so it may not mean that you’re on vacation in a car accident, but that you lived in Detroit last year and now you live in Pittsburgh. There’s a lot of that. I mean, that’s a pretty significant percentage, I think, of our population. So it is that it just it’s interesting that we’re looking you know, the reality right now is, you know, isolated little pockets. Very important, very hard working, moving in the right direction, isolated little pockets, but they’re isolated little pockets nonetheless. And I don’t know how for example, I read I don’t know anything about the Microsoft stuff more than I’ve read in the paper, particularly, but, you know, they’ve been involved with a couple of very aggressive privacy folks and say that they’re whatever they’re developing is, you know I’d be real curious what that looks like. Now maybe it’s because it’s solely on the PHR side, but again, I can’t imagine that they’re developing something that would never link and has no intention of linking up with all the other stuff. Maybe they are, but
>> Deven McGraw:
Well, it would be everybody would push into them, and it would only, you know, get pushed back with the express.
>> Kirk Nahra:
Everybody I’m just providers would push
>> Deven McGraw:
Yes, exactly, or the other entities that we don’t traditionally think of when we talk about health information exchange, such as your gem or your cell phone or, you know, whatever it is. But I mean I think that’s the model that as I understand it.
>> Don Detmer:
And the other the other thing, too, is that, with regards to Microsoft, they’re not burdened by having to deal with the limitations and the vulgarities associated with any of the individual electronic health records systems. I mean, there’s some real limitations in some of these designs and real issues with integration and sharing of information and every and matching patients. So there’s I think a lot of that limitations are sort of being percolated up through these designs that we see.
>> Kirk Nahra:
All right. Well, what do we do with this?
>> Deven McGraw:
Well, some of the my sense is that some of the scenarios that we went that we’ve started going through, we didn’t feel like we could come to closure on, because we didn’t feel like we had information about what was happening with data exchanges. Now we have a little bit better picture based on this somewhat random sampling that, I think, can enable us to go back and look at where those open questions were, and see if we can resolve them, one, and if we can’t, you know, having an articulable reason why not, like “It’s too early to decide this,” “There’s too much variation in the field,” “It needs to percolate for awhile”....
>> :
“It needs to mature.”
>> :
Yeah. And if indeed the direction that the world is going right now is in these small pockets of localized care, and trying to stand these up, is there a need to discuss how standardized guidance might make them more interoperable in the future? Because right now, everybody as you can see from these groups, everybody is out doing their own thing, and it’s not the same. And so it becomes even more important to say, “If you’re going to do this locally, if you’re going to try and incubate this little rascal and get it to go, can’t you do it at least in a similar way so that when it does grow up, it can interact with this one across the country?”
>> Kirk Nahra:
But one of the ideas is that the states serve a lot of times as the state laboratories. And what we have now is states doing their own things or states or locale you know, regions, doing their own things, you know, in their environment, with their population, and you know, I don’t know the methods people were talking about. They already have disparities even within their small group between urban and suburban. You know, Vermont’s got a particular range. They have 14 hospitals. And Rhode Island’s obviously not a big state, you know.
So we’ve got each of their own situations. Maybe it’s better to let a bunch of you know, let 50 individual things percolate a while before you come up and try to figure out what’s working. I means, for example, if it turns out that I don’t know which one was what, the one that was just getting prescription information, basically medication information?
>> Multiple speakers in unison:
Vermont.
>> Kirk Nahra:
Yeah, they find that that’s not making any difference on quality of care, or it’s not you know, that that’s just not enough. All right, then that’s a model you say you know, again, they may find it’s great. They may find a relatively simple thing like that is a huge improvement. I don’t know. I don’t have any idea what the answer to that would be.
>> :
That sounds like an awfully Darwinian way to go about this is to let survival of fittest
>> Kirk Nahra:
I don’t mean survival of fittest. Just figure out what’s working or not. I mean
>> :
It’s also their they all view this as a progression, so it would be hard to evaluate sort of where they are now, because all of them, even the Vermont folks, express that they see it as growing into more really quickly.
>> :
I worry, though, that they are building things into their if I heard them right, I think they’re building things into their agreement and their contracts that are going to limit their ability to grow. And maybe that’s kind of the germ of your idea is that, are there things that could be recommended in terms of not being limiting down the road, whether that’s in their agreements or model design, where they’re not just assuming that it’s always only going to be prescription data, and you know what I mean?
>> :
Well, they said that actually when they were going to this new bigger model, that all of the things they assume for prescriptions wouldn’t necessarily hold, that they just haven’t had those conversations yet. So you know, I don’t know where that leaves us, but I think someone raised the point earlier of wanting to sort of document, you know, the commonalities and the differences, and I think that it could be an interesting exercise to look at the differences and then have some experts come in and talk about which of those differences are really, you know, like showstoppers, in terms of, you know, expanding beyond your state boundaries or growing beyond a certain point.
>> :
I don’t know offhand, you know, (inaudible) are more critical than others or more rate limiting than others.
>> :
You don’t have to expand growing outside of particular boundaries, if there was some sort of overarching mechanism that allowed them to share the information across pockets so that the pockets wouldn’t have to be the same, but the availability of information to move as people move would be able to happen. I mean, you know, maybe we’re asking for something that just isn’t going to happen in 100 years.
>> :
It may be that Microsoft is the solution for being the NHIN, because it’s only at the person level that you can actually exchange all that information. It’s conceivable, you know.
>> Kirk Nahra:
Well, I mean, let’s go with (inaudible). Do we want to have a hearing in January or something where we bring in Microsoft and Google and IBM to learn something now we don’t know?
>> Deven McGraw:
I don’t.
>> Kirk Nahra:
Well, why? Why?
>> Deven McGraw:
Because I think I mean, my sense is that we’re kind of opening way too many doors here without and we have a possibility, I think, of coming to some resolution of some issues that we’ve already got open and on the table as opposed to all of those are PHR models. They’re PHR vendors. They may I mean, that’s the major product they’re putting on the marketplace. I don’t feel like it’s consistent with the direction that we’ve been heading in. And I hate to go off on another one just because it would be interesting to find out, without it fitting into some other frame you know, some sort of bigger framework as to how we’re going to deal with all these issues. I also don’t know to what extent what the testimony would be, you know, more “Aren’t we great?” sales pitch versus, you know, “Oh, look at us.” You know, what are they going to say in a public forum? So
>> Kirk Nahra:
Oh, but I mean, for example, the question the kinds of questions that we asked today of these people you know, “What information are you taking in? What access rights? What do” I mean, they all they have answers to that presumably, or they don’t. So we could get I take your point. That’s not an answer to your point, but I think there is a lot of relevant connections there. I mean, if they’re able to say, “We’ll do consent,” you can say who, you can say what, you can code it 57 different ways with 57 different kinds of access, that means there’s a technology available that’s reasonable. And there you know, I assume there are I don’t know what I don’t know how they make their money comes in on it, whether it’s selling it to people or something. But maybe we should be pushing them together. If the people in Vermont could do all these things and I’m not picking on Vermont. I mean, if one of those people could benefit from this technology and, through that, could get 57 different kinds of options, and they’re not thinking about it now
>> :
I think the problem is then how that relates back, though, to the provider institution. It’s the luxury of being a Microsoft or a Google or any other PHR in this state is that you do not have at this point to deal with them, except to be able to extract and send data with them. And that’s something that they can probably figure out. But it doesn’t require them to, you know, sort of deal with all of their own homegrown systems. And I think that all of the exchanges we heard from, the challenges are with, you know, integrating information from all of these different systems and figuring out the rules for, you know, governing that.
One other thing that I thought was interesting was that there I mean, especially with the Rhode Island example juxtaposed to everyone else and perhaps Tennessee was in this category, too, but I liked how Rhode Island broke out, you know, legislative policy versus regulatory. And they also seemed to have a sort of “buck stops here” structure and a board that made decisions like that. And Tennessee, I think, is the only other entity that sounded like that. Everybody else it was all a very confusing paper trail of business associate agreements, I think. I may just not be remembering correctly.
>> Kirk Nahra:
Well, those are two different points, I think. Well, the decisionmaking structure and the contractual structure are both going on. And, I think that both Rhode Island and Tennessee still had the confusing contractual structure.
>> :
Right, except the content of the contract, I think, was dependent on the input from those organizing entities, I thought. Maybe
>> Kirk Nahra:
I’m not sure.
>> :
No. So anyway, just sort of how they structure maybe there’s some lessons or recommendations that can come out of that.
>> Steve Posnack:
So this is Steve. I have a quick question that builds a little off of Kirk’s point, and this is just more for everyone to think about, probably, more reactive. It sounds to me like we need to focus on what type of recommendations we’d like to make, obviously, and then in what future point in time we’d like them to apply.
I think Kirk’s already, you know, stated the fact that we can’t come out with recommendations and have them apply for tomorrow. Maybe it’s next year. I’m trying to tease out what future point in time where we’d like to visualize, even if we’re looking towards this larger integrated everything, and what ends up being the NHIN, this abstract concept, or if we’re going to try to be a little bit more focused at a nearer-term, 2- or 3-year-type aspect and extrapolate where we think they may be or where we think others may be further down the road.
>> Kirk Nahra:
I guess I would say it a little different. I mean, I think we have to keep that we have to keep that time frame idea in mind with each of our recommendations. There are clearly recom I mean, for example, the recommendation we already made: Everyone should be covered. You know, I think that’s a current rec you know, that’s relevant whether it’s baby steps or bigger steps. If we were going to say something that mainly had relevance for a completely integrated national model where everyone was on the same system, we’d have to recognize that’s not where we are today.
So, you know so I just think we have to keep that I don’t know that we have to say we’re only making a recommendation for now or 3 years or 10 years, but we’ve got to keep that, you know, where things are today and where they’re realistically going to go in mind, with the future recommendations that we’re doing. I mean, for example, we could very easily say that I mean, you know, I’m thinking I’m throwing this out as an example; I’m not in any way suggesting it now we could very easily say that there should be no formulation of national standards for at least the next 5 years to let these things grow. That’s a recommendation today that, you know okay, we’re you know, we disband and come back in 5 years. I could see something like that that you know, I don’t know if that’s a good idea or not, but that would be a rec you know, could we make a recommendation that also says, today, “We want these five things to be issues that everyone decides or you need to have an answer on these five issues”? That’s also something we could do today without where I get most nervous at this point is saying, “The answer today needs to be X,” because I don’t think we have a basis, or I haven’t heard much of anything where I would feel very comfortable, you know, saying, “It’s got to be updated, it’s got to be data, it’s got to be everyone, it’s got to be” you know. I just I would struggle with that.
>> :
I guess that’s what I was asking with the first part of my question, which is the type and where we could provide some type of guidance-like recommendation from our vantage point here, you know, as an AHIC workgroup, to provide that out for everyone else. Their jobs to think about. (Laugh)
>> :
Well, I mean, I think to Jill’s point earlier, though, I think there might be things if we really dug deep, there might be things that we could say at a real high level, not proscriptive kinds of things, but more the kinds of things that would keep people from wasting energy going down a path that would lock us in. And I think that that’s doable.
>> Kirk Nahra:
I agree with you. The other thing and I don’t know if there’s a way to do this, but I came away from today’s testimony thinking that our earlier recommendation was even more important and that right now, it’s an actual stumbling block of sorts. People are having to spend a lot of time and effort thinking about some of these organizational structure issues, because people have different status under the current law.
Now, I don’t know again, we can’t pass that as a law, but I don’t know whether saying, “Look, this is real. You know, not only do we think it’s a good idea, but it needs to be taken care of” I could see that being again, I’m not sure what that means. It’s a little extra emphasis to what we’ve already said. But it’s I came away thinking that it’s too bad that people have to spend a lot of time on those some of those issues, because they’re in different you know. And we had the one group I don’t remember which one it was that didn’t even know if it was I mean, I don’t know how they could justify it not being a business (inaudible).
>> :
No, I think they were advised by their attorneys not to label it as such.
(Multiple speakers)
>> Kirk Nahra:
But that’s just interesting. And you know, I just assume they’re not you know, they’ve got a limited amount of money for lawyers. Don’t have them spend time on that. Have them spend time on stuff that’s actually going to advance the ball.
>> :
But I think even if it did kind of verify in our minds the worthiness, the validity of our initial recommendation, even when you presented that recommendation, the immediate question afterwards from some of the members of AHIC: “Well, which HIPAA requirements?” And that’s what we’re that and, you know, the relevant HIPAA requirements that are supposed to apply, because we got a lot of testimony today about how none of them are providing privacy notices, because they’ve all decided it’s better done by their providers. They’re not, you know, keeping audit, you know, or they are, but the relationship to the patient remains with the provider. So it just it almost the questions that we have teed up for ourselves push that initial recommendations are in fact
>> Kirk Nahra:
Well, the relevance yeah, I don’t have any problem pursuing the relevance issue, although and I think we can make a recommendation on that. I don’t have a sense that that advances the ball very much, but we can certainly we can go forward on that, close that loop. I have no problem with that at all.
I mean, I think we’ve all I think we all had the sense, when we were making that decision earlier on, that the RHIO the traditional RHIO, if there is such thing, is very much essentially a middleman. The patients would have no direct interaction with them, and that there wasn’t a real incentive to having privacy laws. I’m okay with that. Maybe we I’m not sure that we really if you make a list of the 37 requirements of HIPAA and I’m making up that number, you know, but whatever the number is, I’m not sure we’ve really gone down the list and say, “Yes, yes, no, no.” Privacy notice maybe is no, although presumably it’s no unless you have addressed relationships with them.
>> :
That would be I mean, that would be Rhode Island. If they’re proposing to have a patient portal, they’ve got a direct relationship at that point now.
>> :
Well, it depends on
>> Kirk Nahra:
Well, I don’t mind that I mean, the question is
>> :
It’s with their health information exchange.
>> Kirk Nahra:
I heard what they said a little differently. Most of the companies seemed to have a notice. I don’t doesn’t mean they’re sending it out to people the same way. And a lot of it seems to a couple of them seemed to be, “Our notice is basically telling you how little we’re doing.” I mean, the portal I mean, the reason for that is, essentially, they could say, “You guys are (inaudible) to us, but not our information, and we’re not doing anything with it.” That’s a perfectly appropriate notice to give. It’s mainly a comfort. I mean, that’s part of the trust and comfort issue. So I think that so if we want to push down that relevance front, I think we’ve got to really focus on that and get a list of the requirements and see what we want in and want out. I’m not sure we’re there yet.
>> :
Well, part of it might be, too, that, as we’re looking at that relevance discussion, going down through that list, we may find that something may not be relevant to them directly, but it might be relative to them indirectly, and that they would have to be able to empower the existing covered entity to be able to do that thing. So whether it be providing information to them or pushing, you know, some sort of capability to that covered entity so that the covered entity could meet that need and wouldn’t necessarily have to be directly applicable to them. So for example, it might be accounting for disclosures. Maybe they don’t have to account for disclosures, but they have to make sure that the covered entities that they serve can account for disclosures.
>> Kirk Nahra:
Yeah, although I suppose in the context of saying, “You, the RHIO, are now a covered entity,” we would say essentially, “The obligation to comply with the accounting requirement is not one that is imposed directly on you, the RHIO, but today the hospital does have it, or whoever has it.”
>> :
Right.
>> Kirk Nahra:
But the little it’s not just a question of saying, “Accounting’s not on the list.” We’d have to figure out how to word that. Well, again, I don’t have any problem with it if you want to move down that line. I just think you ought to
>> :
No, I wasn’t actually suggesting a detour.
>> Kirk Nahra:
It’s not a detour. It is a list we carved out or an issue we carved out for ourselves.
>> Deven McGraw:
We carved an issue out, and then we carved you know, if there were things beyond HIPAA that needed to be done, and the whole raison d’etre for this hearing was came out of our discussions about what is different about this new environment that might require either a modification of some sort of policy guidance, if we decided to go in that direction and I feel like we need to assess where those open questions were with some of the scenarios that we had already laid on the table that gave rise to these questions and see if we can’t come up with some
>> Kirk Nahra:
Again, I’m fine with that. I’m not sure I heard information today that tells me that there are things that are different such that we would make specific recommendations. So
>> :
Well, there I think one issue that came up for me, in listening to all of them, was that they had some of them had pretty radically different approaches to getting patient authorization for information flow to occur. And that’s pretty fundamental to the privacy of their system. I mean, some were doing it on a per-transaction basis. Some were doing it on a universal “you’re in, you’re out for all time” kind of basis. (Laugh) And those are radically different approaches. So I mean, is there a best practice there?
>> Kirk Nahra:
Well, that’s something I look to that yes, they are all different approaches. They’re all voluntarily taking different approaches than HIPAA currently requires. Some of them had that approach, like Minnesota seemed to have that approach driven by a I mean, I don’t know the particular law they reference. They seem to say that today you need consent for anything other than treatment in Minnesota. So I mean, that’s a driving force for that. But I don’t know that I can listen to that information today and say our recommendation is anything about saying it has to be more than I mean, everyone seemed to have something that was somewhat more than HIPAA.
>> :
But I wouldn’t agree with that when it came to the authorization, because if you’re talking about
(Multiple overlapping speakers for the next several lines)
>> Kirk Nahra:
I think they were mixing consent and authorization. I don’t think they were
>> :
Well, they were terminology there. But the idea of, you know, I’ve signed this authorization and it’s good for time immemorial really isn’t
>> Kirk Nahra:
I don’t hear them saying that.
>> :
I thought there was one model
>> :
I got that
>> Kirk Nahra:
Well, what I think they said was different. I think they said, “You’re you make a one-time agreement to have your data put into this RHIO. It doesn’t expire, but you can withdraw it.” They all said you could withdraw it. So what happens is, it’s not an automatic expiration. Your data it’s like the Do Not Call List. It doesn’t dump out after 5 years and you have to agree to put it back in. But if you want to take it out, you could take it out, is what I heard. So it’s a little different than and I would say it’s not that’s not less than HIPAA, because it’s a situation that under HIPAA today, you wouldn’t need any consent at all to keep it forever. But I view that a little differently, but I’m not
(Multiple overlapping speakers for the next several lines)
>> :
You have to have an expiration date to opt in.
>> Kirk Nahra:
On the authorization, but I don’t think what we’re talking about is something that requires an authorization. That’s the thing: I don’t view it as an authorization, so that’s why
>> :
You’re seeing it as a consent to participate in the RHIO, not as an authorization.
>> Kirk Nahra:
Right, it’s not something that HIPAA requires an authorization. HIPAA permits it without any HIPAA today would permit it without any permission of any kind.
>> :
Yeah, see, so you just
>> Kirk Nahra:
But again, that’s an example. I’m not sure what conclusion to draw from the fact that there were five different permission scenarios. Let me use that as a potentially vague word. I don’t know what to make about that. I don’t want to pick one of them. I’m not even sure I want to say you have to have one of them.
Now, we can clearly explore that, and I don’t have a problem exploring that. I’m just not sure what I would conclude from hearing today that would lend itself to you know, we could make a recommendation that says every health information exchange needs to develop its own consent and permission scenario, but, I mean, I don’t know how much that I’m not sure what that does. So that’s what I’m struggling with at this point is, yeah, lots of interesting options. I saw valid reasons for all of them to have the options that they were picking up. I listened to some and I thought, “That one’s going to be a problem; that one might work,” you know. I don’t know if they’re going to work or not, and I don’t know what which is better, and I’m not sure what to recommend out of that.
So if we’re going to go down that direction, we’ve got to figure out now, am I alone in that? Did other people come away thinking I know what the answer is? I know what I would recommend as a result of that? Okay, so how do we get there?
>> Deven McGraw:
No, I didn’t come away with certainty, but I did come away feeling as though there was a lot more meat on the table to inform the discussion.
>> Kirk Nahra:
I agree with that. I’m just not sure okay
>> Deven McGraw:
We kept getting stopped by the fact that we didn’t know what was actually going on. Now we have a little better idea. And I think, to some extent, it depends on how specific we think our recommendation needs to be. And that’s a question that’s still open, in my own mind, because I you know, I actually get encouraged when I hear about more of these systems sitting down and making decisions about how they’re going to structure the participation, not of the providers, but how the patients get in, get you know, are not in, how that’s all going to work, because they never had to have those discussions. But they are, anyway. And so does that does that mean if we sit back and just let this happen, it’s all happening just fine?
>> Kirk Nahra:
Well, I yeah, I’m not at all sure I draw that conclusion (laugh), which is, we’re going to get in the way of this more than I mean, the recommendation gets in the way more than anything else.
>> Deven McGraw:
I think it depends on what it looks like.
>> Kirk Nahra:
Yeah. Well, again, so that’s an issue, this sort of permission side. And we can do as a Workgroup, we can do two kinds of things. We can discuss and try to come up to a consensus. We can say we want certain additional kinds of information. I’m not there may be some, I’m not sure what those are. So people should think about that.
The other category that we heard a lot about today was the sort of individual right component. Again, we heard lots of different models, both in terms of what information might be available because several of the people today really didn’t create any new information. It was all it was more locator pieces that it was directing.
I’m not sure what the recommendation is there. They seem to be essentially leaving everything with the providers. Maybe our recommendation is, our rules are fine on that. You know, patients need to be told to get you know, their source is their original provider. Maybe they don’t need any more than that. That’s a potential conclusion. But that’s another category is the individual rights that are afforded to individuals.
>> Sue McAndrew:
Well, and that assumes, too, that they’re not doing anything additional with the information other than sort of recycling it for treatment and perhaps some payment purposes. But if they got into the business of supplying data for (inaudible) study, things like that
>> Kirk Nahra:
Maybe they do.
>> Sue McAndrew:
- exchange, yeah, then you have more to talk about.
>> Kirk Nahra:
Well, but none but I didn’t hear I mean, two points. I didn’t hear any exchange I mean, we talked about public health, I guess. But again, they’re permitted to do that today as business associates. So there’s a question as to whether we heard anything today that has those entities doing anything different than what they’re allowed to do today. In fact, all of them, all of them are doing far less than they’re permitted to do as a business associate today.
But again, I just that’s a category we should think about what the recommendation might be, if there are things we still need you know, same issues that we’re dealing with. Is there some conclusion we want to draw from this? Are there additional pieces of information that we’d want to gather before we can draw that?
So I would be interested in you know, and these can be sort of one-offs, just general comments filtering in to Steve or Deven and me, which is, if you have themes for a recommendation, you have topics, you have directions you want to go, you have conclusions you’ve drawn yourself I mean, I think we’ve got to start trying to make these more concrete, in a sense. I’m struggling with how to do that, personally.
And you know, again, if part of where I go is, if I’m struggling to see how a particular concrete recommendation would advance the ball, we may you know, that leads me, to some extent, to a recommendation of no recommendation or letting it you know, whatever. If you say something about that, we don’t say it’s an open issue forever. But I think we really have to start thinking about those steps and trying and that’s tough.
>> Tom Wilder:
Well, you know, maybe one possible approach is to sketch out what are all of the questions that people have been trying to answer and then, under each question, think about how what are the different approaches we’ve seen through this testimony and what is the law. You know, what does HIPAA say? So one question is, do you need do you need to have the patient’s consent before you do before you access the information? Or what level of patient consent do you need?
And one approach that some people have taken is, they’ve said, you know, “We get their consent up front the first time, and that’s it.” Others have said, “We get their consent specifically for each health care provider.” Another may say, “Well, we, you know, get their consent not only for the provider, but we may have to get their consent based on the kind of information.” And then say, “You know, under HIPAA, you can do this,” and we can decide, “Okay, is HIPAA sufficient? Does it meet the needs? Or is one of these other approaches better?”
>> Kirk Nahra:
I think, Tom, what you’re saying that is Tom, right? Okay. I think what I hear you saying is sort of taking today’s testimony and, you know, imprinting it over the scenarios we’re talking I mean, we what you’re describing some of those scenarios that we talked about in our last meeting. We just we tried to do what HIPAA says and raised the other issues. Part of the goal today was to put some facts on what else is going on. So maybe it is sort of superimposing those you know, we’ve already got, I think, for the scenarios, what HIPAA says. We’re now adding on here’s what people are doing. I could see that. I think we have to try and this was something I think John Houston suggested earlier, too we’ve got to try to take the information today and turn it into a useful document or piece of paper that does categorize these things.
>> Tom Wilder:
So what if we were to recommend some sort of idea clearinghouse, sort of like with electronic transactions, how they pointed people in the direction of Radian, and people started using that as a way to start thinking through some of their issues and coming up with some standards ways of doing it and taking advantage of each others’ school-of-hard-knocks kinds of experiences, and having a place where you could have dialogue but let the dialogue happen with the people who are on the ground trying these things out, and yet maybe come out with some bigger solutions from that. Let the people continue with the ideas, because whoever is starting out there might be the one with the solution that ends up being our national solution. So let’s don’t squelch that, but give them a place to start exchanging that and sharing it with one another.
>> :
Well, isn’t that what that RTI was about was to kind of exchange information on how they are approaching this issue and looking across state lines that way? There is a forum for that. I don’t know if everyone’s hooked into it.
>> Tom Wilder:
Right.
>> Kirk Nahra:
All right, we need to do we need to take a break for public comment. Who is handling that?
>> :
I don’t know who is on the line running the
>> Chris Weaver:
Yeah, sorry. This is Chris. We can do that in a second.
For those of you who are following along on the Web, you’ll see a slide up there now that gives you the instructions on how to ask a question. If you’ve been on the phone all along, all you need to do is press star-1 to ask a question. And if you guys want to make your wrapping-up comments while we’re waiting for that, go ahead.
>> Kirk Nahra:
We’re waiting for a second, so Deven’s going to talk a little bit about our next meeting.
>> Deven McGraw:
No, we have a call scheduled.
>> Kirk Nahra:
So we will be thinking about next steps for our next public meeting will be sometime in January.
>> :
January 24, if I’m not mistaken.
>> Kirk Nahra:
And we will be getting out to people yeah, it is a while. Well, we’ve got a couple of things going on before then.
>> :
Couple holidays in the middle.
>> :
Yeah, we have January 5 or something.
>> Kirk Nahra:
So we will be getting trying to pull some of this together and figure out what we can do between now and then.
>> :
Yeah.
>> Kirk Nahra:
Are there folks on the call I’m sorry I mean, folks on the line for public comment?
>> Chris Weaver:
There’s no one yet.
>> Kirk Nahra:
All right, we’ll give them another minute, but I think at that point any other questions or comments from the group for today? Any questions or comments from anyone on the phone? (Pause) Steve?
>> Steve Posnack:
I guess I just have a logistics question, and people can probably get back to me via email so that when Deven and Kirk and I talk next this week, if there’s an interest in getting more people to come and talk, or if we want January to be primarily for discussion, it’s probably going to largely depend on the amount of work that gets done from now until then. So if you have some ideas of you know, if you need other information, let me know so we can start thinking about because we’ve got a number of months you know, weeks now just to get people in to come and testify. So it’s an advantageous time period to start sending some invites out before the holidays.
>> Kirk Nahra:
All right, any people on the telephone line?
>> Chris Weaver:
We have no one on the line.
>> Kirk Nahra:
Okay. All right, why don’t at this point, why don’t we adjourn for the day? Thank you very much to those of you who were on the phone. Thank you even more to people who are here in person. And we will speak to you all shortly. Thank you very much.
>> :
Thank you.