[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

National Committee on Vital and Health Statistics

Privacy & Confidentiality Subcommittee

February 27, 2003

Hubert Humphrey Building
Room 405-A
200 Independence Avenue, S.W.
Washington, DC 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703) 352-0091

TABLE OF CONTENTS

Welcome and Introduction - Mark Rothstein, J.D.

Discussion


P R O C E E D I N G S [8:10 a.m.]

Agenda Item: Welcome and Introduction - Mr. Rothstein

MR. ROTHSTEIN: So Richard will not be here. Kepa I assume is coming and Stephanie I assume is coming. But assuming that they’re going to be wandering in at some point, let’s call the meeting to order, we only have 50 minutes this morning before the main meeting begins, so very briefly for the record we will introduce ourselves. I’m Mark Rothstein, the chair of the Subcommittee on Privacy and Confidentiality.

DR. COHN: I’m Simon Cohn, a member of the Committee and Subcommittee.

MR. FANNING: I’m John Fanning, privacy advocate of the Department.

MR. HOUSTON: John Houston, I’m a member of the Committee.

MS. GREENBERG: I’m Marjorie Greenberg, NCHS, CDC, executive secretary to the Committee.

DR. FITZMAURICE: Michael Fitzmaurice, senior science advisor for information technology at the Agency for Healthcare Research and Quality.

MS. SQUIRE: I’m Marietta Squire, I’m with CDC, NCHS, and staff to the Subcommittee.

MS. JACKSON: Debbie Jackson, NCHS, staff to the Committee.

MR. RODE: Dan Rode, American Health Information Management Association.

MS. BALDWIN: Shelly Baldwin, Unicorn Medical.

Agenda Item: Discussion - Subcommittee

MR. ROTHSTEIN: Well, welcome everyone, I’m glad you could make it. We have several things to do this morning and let me first distribute to you what I consider to be our main order of business this morning.

MS. GREENBERG: Actually, Mark, you got the folder didn’t you, like a week ago or two weeks ago, and the letter was in that folder.

MR. ROTHSTEIN: Correct.

MS. GREENBERG: Oh, ok, I thought you said you just saw it today.

MR. ROTHSTEIN: No, no, that was my first, and it seemed like a month after it got sent but --

MS. GREENBERG: I think it was not available until later in January but exactly why we couldn’t get a copy of it I’m not sure.

MR. ROTHSTEIN: So this is our opportunity to plan our spring activities and you’ll recall that an agenda item that has been approved by the Subcommittee as well as the Executive Committee was for us to take up the issue of the migration of medical records beyond clinical settings. And we had talked about certainly topic number one, health information in schools, and the second topic I added for possible discussion would be redisclosure of information following HIPAA authorization, and I’ll talk to you about that in just a second. So what we need to do I think initially is to discuss whether we are still in favor of hearings on these topics and then talk a little bit about when and how that might take place and suggestions for speakers and the like.

Let me just introduce the first topic, this was one that I know Richard is very interested in, there’s a great deal of information about children’s health in school records. The level of information is increasing all the time. Children’s health information includes not just who’s been immunized and so forth, but also increasingly diagnostic information with respect to behavioral problems, learning disabilities, etc., etc., etc., and there are very few limitations placed on how those records are stored, used, disclosed, etc., and it’s something that obviously HIPAA does not apply to, FERPA does apply to school records. There’s no private right of action under FERPA so that’s why you don’t see any real lawsuits challenging this.

And one of the things that personally I would like to get a handle on is the extent to which experts in the field think this really is a problem. I mean we can’t sort of make recommendations based on anecdotes and suspicion and clues, and so I just put together a list of some people off the top of my head that I thought would be possible witnesses. And I think clearly we ought to get the Academy involved, the APA, we need someone who is an expert on FERPA school law to tell us what the current legal status is. And then some advocates on behalf of children and privacy as well as someone representing the teachers and school administrators. But there are obviously many other people that could be involved in this if you think that this is in fact something that you want to pursue. So the floor is open.

DR. COHN: Can I talk about hearing three then? The question to me is --

MR. ROTHSTEIN: How about if we do this, Simon? We’ll take up number one to see if we want to do it in the abstract. Number two to see if we want to do it in the abstract, then other topics and then we can prioritize them. Is that fair?

DR. COHN: Ok. Sounds fair.

MR. ROTHSTEIN: So what I’d like to do for the next few minutes is to take your thoughts on whether topic number one is something that we think should be an area of further investigation for the Subcommittee and then ultimately the Committee.

MR. HOUSTON: Is this an issue that, I’ve never heard this frankly as being an issue. How much press is this getting and how much, I mean is there a lot of discussion about this being an issue?

MR. ROTHSTEIN: Well in narrow circles it is.

DR. COHN: I think if you’re a child psychiatrist it probably is an issue.

MR. ROTHSTEIN: It’s too bad Richard isn’t here because he’s a child psychiatrist and he and I have talked about this and there’s a lot more information that’s available such as behavioral information and genetic information about children, children who are genetically predisposed to short stature disorder and who are predisposed to, or have diagnoses of fragile X(?) or dyslexia or a whole range of things, and just to have them stored with the attendance records and the grades in the school secretary’s office is really I think quite different from the kinds of standards that we’re seeing imposed all over the place. So that’s what caused us to put this on our list. Mike?

DR. FITZMAURICE: Does this go beyond the school, is there a fear, or maybe a realization, can employers come back and get access to any of this information? Can life or health insurance companies come back and get access to any of this information? How far does the circle go out?

MR. ROTHSTEIN: Well, that’s a good question. I don’t know of any reports although that certainly would be one of the questions we’d ask about the redisclosure of this information. I know a few years ago there was a major report and a problem associated with schools selling health information to commercial concerns, Genentech(?) was involved in this because Genentech produces the human growth hormone, and they paid schools to identify children who had short stature. And so the information on the children was then funneled to doctors who were hired by Genentech to promote human growth hormone. And that received a great deal of press coverage as you might suspect.

That’s the kind of thing that, schools are under the gun financially and somebody comes to you and says we’ll offer you $10,000 and we’re going to help the children at the same time. If you’re a school administrator somewhere you might think that’s a good deal unless you realize that there’s another side to that issue. So Michael I think you put your finger on a problem and we don’t really know the extent to which this kind of stuff goes on except when it becomes a newspaper scandal of sorts.

MS. GREENBERG: Is there something Medicaid has had any experience or policy on or any issues? I know of young children covered by Medicaid.

MS. HANDRICH: In Medicaid we don’t actually keep medical records, the providers keep the medical records, so the information that we get from our claim system is of course confidential but I never heard a lot of discussion about this school records issue myself, so no, I don’t, but I think that school psychologists and school nurses and the people who actually try to manage the care of children with highly specialized needs in schools would be really interested in this topic, too.

MR. FANNING: I was once accosted at a meeting by someone who was concerned about the efforts of school systems to get some financial benefit on behalf of the children in connection with disability, I don’t know if it’s a subset of Medicaid, subset of a disability program, or some education thing. But there was a certain amount of incentive to find kids disabled and my questioner was concerned about what happened to the information and the like.

MS. HANDRICH: In a lot of states, schools are obtaining Medicaid funding for case management for children with special health care needs. And to the extent schools can identify those children, they can claim Medicaid costs for services they’re otherwise obliged to provide, and provide local property tax relief, so I think that’s a very, very likely scenario.

MR. ROTHSTEIN: And there may be, depending on the state financing system, and correct me if I’m wrong, special ed money that’s allocated through the state through IDEA to local schools if they can identify children regardless of the setting they’re in and so there may be an incentive to generate additional data on the children and their disabilities. John?

MR. HOUSTON: I guess the question, the first question you have to ask is is there some law that already protects them? And it looks like what we’re saying is is that really somebody with that type of legal background needs to weigh in to say that’s a subject that’s covered by state law --

MR. ROTHSTEIN: Well, I can tell you that, I mean I have checked with this, on the legal status. The FERPA law was not designed to deal with health issues, it was designed to deal with school records and particular grades and things of that sort. And it doesn’t have any provisions for treating medical records differently from anything else. And I think it’s the absence of FERPA dealing with that, we may want to hear from the Department of Education people who are responsible for FERPA as well and see whether they think that’s --

MR. HOUSTON: The other part of it, though, too, just like HIPAA, pre-HIPAA, it was a hodge podge of state laws and it could be that maybe many states, few states, no states actually have gone the route of enacting laws to protect school records --

MR. ROTHSTEIN: There are a few states that protect the school records separately, I mean, or I would say concurrently with the federal FERPA, but none that I’ve been able to identify that have special provisions for health information about the children.

DR. ZUBELDIA: What authority will there be under HIPAA to protect those records?

MR. ROTHSTEIN: None. One of the things I was looking for was sort of a non-HIPAA project for us to get involved in, not that we don’t love HIPAA, but we need to restake our claim as a broader Subcommittee I think.

MS. GREENBERG: As a school nurse who might administer medications, allergy shots, whatever, she is really considered a provider.

MR. ROTHSTEIN: Correct.

MS. GREENBERG: I mean she is some kind of a provider, she may not get reimbursed.

MR. FANNING: That’s the connection. If they get reimbursed and submit the transactions electronically, they’re under HIPAA. But I suspect the vast majority don’t.

MS. GREENBERG: That would not usually be the scenario.

MR. HOUSTON: Not to morph this issue but interestingly enough in a university setting, one of the things that we went through with the University of Pittsburgh was to determine whether their student health services was covered by HIPAA, which it was not because they do not bill for any of their services. Yet you have a large body of student medical information in the college setting that now falls outside of HIPAA, not that there aren’t other laws potentially again applied, but suffice it to say this isn’t necessarily --

MR. ROTHSTEIN: That’s in fact one of the issues that our Subcommittee has looked at in the past in connection with our hearings, student health services, because there’s a possibility that should the student health service also treat faculty and staff and submit claims for that, then half of what they do would be under FERPA and half of what they do would be under HIPAA. And in fact we called on the Secretary to issue guidance specifically to address those questions. Simon?

DR. COHN: Not to talk this one to death but obviously my understanding is is that we’re trying to prioritize these as opposed to argue about them. It’s hard to know since we’re only talking about the first one what the priority is.

MR. ROTHSTEIN: Are we ready to move on?

DR. COHN: Yes, if we don’t move on we’re not going to have a chance to prioritize.

MS. KAMINSKY: Excuse me for having such HIPAA lenses, I can’t help it, but I don’t understand what the Subcommittee would ultimately do with that information given the fact that FERPA is a Department of Education regulation.

MR. ROTHSTEIN: I think it certainly would be reasonable for us to make recommendations that deal with Medicaid policy and it may touch on Medicaid policy. It certainly would be I think within our jurisdiction to recommend through the Secretary to Congress that new legislation needs to be enacted. The Department of Education may well take a position that they’re not responsible for health issues. I mean this is the kind of thing that really can get lost in the cracks.

DR. COHN: I guess a question, knowing that we have scarce staff support, I’m actually looking at her, and you have staff support for this topic?

MR. ROTHSTEIN: Well, let’s do the topics, then we’ll get to the priority.

The second issue involves, there are two aspects to the second issue. One, the idea of the migration of medical records beyond the clinical setting to other entities. So when you talk about employers, you’re really talking about sort of two aspects, either of which we could take up. One is the following. Under the ADA, after a conditional offer of employment in 48 of the 50 states, an employer can make as a condition of employment that an individual sign a complete release releasing all of their medical records in their individual medical files, and they’d go to the employer. Only Minnesota and California restrict those kinds of disclosures to employers, and they restrict to only job related matters. But that’s not the federal law. So the first issue at least in the employment setting is should all of that information in your individual clinician’s medical record just be authorized and go to your employers as a condition of getting a job.

The second issue, and this will tie it to HIPAA, is once you’ve authorized the release of that information, let’s say to a prospective employer, and the employer gets a hold of it. The employer is not a covered entity, and the employer then is free to redisclose that information without any constraints placed on it by HIPAA. And the question is whether we should in some way study sort of the second use, the possible redisclosure of that information and make recommendations about whether HIPAA should stretch out further, or some other law stretch out further. And this would not only apply to employers but it would apply to insurance companies and marketers. So if you sign an authorization authorizing that your medical records go to marketer A, then marketer A can sell your information to B, C, and D and it’s gone.

MR. FANNING: A matter about the law. Does not the ADA require that it be kept confidential, there’s some not terribly specific requirement but isn’t there something of that sort?

MR. ROTHSTEIN: Well, the employment records, the provision of the ADA says that it has to be kept in files that are separate from the general personnel files, and kept as confidential. There are no regs --

MR. FANNING: What does that mean?

MR. ROTHSTEIN: So who knows what that means, there are no cases that I know of, and it’s one of these things where who would know if it were disclosed and that sort of thing. So that’s I think an issue, let me just frame it and then we’ll have discussion, an issue where we could address both the migration aspect as well as the redisclosure aspects that would have a HIPAA component.

DR. ZUBELDIA: The initial disclosure is between the employee and the employer.

MR. ROTHSTEIN: Correct.

DR. ZUBELDIA: So that’s not covered by HIPAA.

MR. ROTHSTEIN: Well, it is because if the information is in the providers’ office, and the provider is a covered entity, the provider won’t release it unless there is a valid authorization under HIPAA. And that gives the provider the right to send it to the employer. Now once it hits the employer HIPAA is out of the picture.

DR. ZUBELDIA: You’re assuming the disclosure between the provider and the employer. I’m talking about disclosure between the employee and the employer. If the employer says you need to bring your medical records, don’t have the provider send them, you need to bring your medical records, or whatever, it’s no longer HIPAA coverage.

MR. ROTHSTEIN: Correct, that’s right. HIPAA would only come into play if a covered entity got into the picture.

DR. FITZMAURICE: So maybe a problem beyond HIPAA.

MR. ROTHSTEIN: Oh, for sure, but there’s a little HIPAA hook if you are sort of, Stephanie asked and need your HIPAA attachment to focus.

MS. KAMINSKY: For whatever it’s worth, I would have to say that having worked as hard as I have in the last year on the privacy rule, I feel that these shortcomings of HIPAA, the way the statute was originally drafted, these holes, these gaps that are inherent to it, in some respects undermine a lot of the incredible effort that is going into walling off the flow of health information in covered entities. I really feel like these holes ultimately, when it goes out the door and a medical information bureau insurance database can get it and it can go all over the world, after all this effort, after all these regulatory provisions, after all the stress and strain, it’s out there.

MR. ROTHSTEIN: And let me add another thing, that according to the rule and the interpretation, etc., there need not be any accounting of disclosures made pursuant to an authorization, because in theory, at least the theory is by signing authorization you know what’s going to be done with it, when that may or may not be the reality for individuals who sign an authorization, maybe you don’t think about it. And then they receive no further notice that it’s gone to ABC Marketing Company, let alone what ABC does with it down the road.

Ok, so this is the second one, and before we prioritize, I’d like to ask Simon to describe a possible joint work with the Security Subcommittee.

DR. COHN: And Stephanie, we haven’t talked about this one, I’m presuming that privacy is as interested in this issue as CMS, OCR, as CMS, but it’s the issue of the enforcement piece of all of this. And knowing that people are beginning to, I guess there’s been somebody now appointed in CMS to start working on an enforcement rule, it seemed to me that their, once again this has not been a long discussion I’ve had either with Karen or with you or anyone, but it seems to make sense that before something hits the street that it might make sense for at least some public hearing to elicit comments on what sort of enforcement issues, what sort of enforcement rule, ought to be coming out.

And so that was, once again I’ve not had extensive discussion, it just seemed sort of an obvious issue, it’s been on the Standards and Security plate for a while. We haven’t done anything about it, but it seemed to make sense to do some joint hearings, but to make any sense they would have to be sooner rather than later, and I don’t know, I just don’t know the CMS timeline on this. But I’m sure there’s going to have to be communication between OCR and CMS in terms of that enforcement rule. So anyway the logic was let’s try to timely put together at least a one day session on that issue with maybe one of these other issues being day two. That was sort of my logic but I’m yet to decide if there’s logic to that.

MR. HOUSTON: I think you could tie that up with what I think is probably part of a bigger pressing issue in my mind is this post April 14th. I think there’s going to be substantial issues related simply to HIPAA, whether it be everything from enforcement to private right of action and whether there’s actually, is actually occurring. I know we all know that there’s not supposed to be but yet under state laws everybody’s theorizing it’s going to occur, that there’s going to be practical issues, once April 14 has come and passed people are going to say oh, my God, in theory what we thought was going to work, it ain’t working. And I think there’s probably a great need to go and sort of get a barometer of what issues have arisen vis-à-vis HIPAA privacy, and everybody’s attempts to comply.

Then I think another component of this has to be what level of compliance actually occurred. Because I’m hearing that depending on the circles you work in that there’s zero compliance to pretty good compliance, everything from the small single physician offices who really aren’t doing anything up to the big providers doing a lot, and I think there’s, as you go from big to small I think there’s probably, you could pretty closely correlate that to people’s attempts to comply. And so I guess my thought is is that we should be trying to figure out whether something needs to be done with the rule, if there are issues, and maybe again, maybe there need to be further modifications to the rule or further guidance or something, some other type of outreach to make HIPAA effective, because that’s the end goal.

MR. ROTHSTEIN: Well, in our hearings, and in the letter, in particular the November letter that we sent to the Secretary, we went into excruciating detail as to all the areas in which we think there are problems, and precisely address that issue. We heard from small providers from around the country and got the zero, five percent figure and all the statements from the rural providers, so we’re on top of that. I think we need to assume that we’re going to have to have some hearings to follow-up to assess the level of implementation, I’m not sure that scheduling them in the spring is necessary. I’m thinking perhaps next winter would be more appropriate because if we have the hearing May 1st, I mean what are we going to find out, you know what I’m saying?

MR. HOUSTON: No, I hear you, I just think there has to be the companion sort of testimony to what occurred before. I read the letter and I agree that there are a lot of issues and I think it behooves this Committee actually to go back and maybe say ok, we thought these were issues, should have gauged whether they were issues, and whether they may be bigger than anybody thought, or what are some of the other practical recommendations.

MR. ROTHSTEIN: Right, and in fact should we have a hearing let’s say a year from now or the end of this calendar year, one of the things that I would ask the witnesses that we find to address is take a look at the letter, we identified these problems, have these been solved from your standpoint, is home health care in better shape than we thought it was going to be, are public health clinics doing ok, etc. And I think we absolutely have to do that, so I agree with you.

DR. COHN: I was going to sort of comment that, first of all I’m observing because I myself have already set three or four things towards the end of the year, it’s going to be a very busy end of the year for this Committee. But having said that, it seems that what John is talking about is going to inevitably come up in any sort of enforcement discussion, and so I’m not sure that we have to handle that specifically, but when you think about it, if you’re coming forward to talk about enforcement you might say geez, we can’t have anything very strict because 80 percent of the providers aren’t in compliance. That’s an extreme example but that might be part of your discussion about all that, or geez, don’t set up enforcement for a year because people are still getting ready or whatever, they need a grace period, which may be once again one of the other suggestions. Just a thought about how all that might come together, even without specifically focusing on that.

MR. ROTHSTEIN: I’m sorry, Jeff, welcome.

MR. BLAIR: Party crasher here I guess. Aside from somebody reporting a privacy violation, when you talk about enforcement, are there any criteria for the privacy regs or the security regs being complied with?

MR. ROTHSTEIN: You mean are there any sort of benchmarks and reporting built into the rule?

MR. BLAIR: I haven’t seen them but I don’t know, so I’m wondering.

MR. ROTHSTEIN: There’s nothing that I know of that’s built into the rule, although in our letter to the Secretary, one of the things that we recommended was ongoing research and evaluation to see how the rule was working and that’s one of the issues that’s not been addressed yet but --

MR. BLAIR: That’s what prompted my question, is to see how the rule is working compared to what criteria. Do we have or should we create a set of criteria to wind up saying if these things have been done, then we consider that compliance is in a good state versus a medium state or a poor state?

DR. ZUBELDIA: Try to establish some metrics that can be used to track compliance.

MR. BLAIR: Or degree of compliance, I don’t know if anybody’s ever going to say it’s black and white, but we might wind up having a good medium or poor, or high risk/low risk or something.

DR. COHN: Sort of how stringing occurred, yes or no.

MS. GREENBERG: Well, obviously there’s a responsibility of the Committee to report annually on the implementation of HIPAA and this is part of it, so I think it’s something the Committee’s going to have to do. Although we’ve heard that enforcement will be for transactions and privacy, and I guess security for everything will be basically complaint driven, so there’s not going to sort of be the HIPAA police going out there assessing. I think the idea of some type of metrics is a good one, it’s sort of like what we were, it’s a different topic but what we were talking about yesterday at the end of the NHII meeting, how do you know that you’re there, or that you’re making progress, in actually implementing the NHII.

I just want to mention another issue though that we were talking about briefly last night, and that is some kind of joint work between this Subcommittee and the Subcommittee on Standards and Security on implementation of the security rule, because I think there was a good reason why Security was put with the Standards Subcommittee rather than with the Privacy, rather than with this Subcommittee, because first of all, we had some discussion --

DR. COHN: I think you could argue any sort of different ways, it doesn’t fit well anywhere --

MS. GREENBERG: Well, I think partly, and particularly as it evolved, with OCR having responsibility for privacy and CMS having responsibility for the transactions and security, etc., but at the same time I think in tracking then just as how people are beginning to implement the security rules, and it’s important that these two Subcommittees do that together because it was obviously, as Karen told us yesterday, a big effort to try to get the two aligned and they are very related, so I think that would be something that should be done jointly.

DR. DANAHER: Jeff, to your point, and Marjorie to your point in terms of setting up criteria so that people can, organizations can see how well they’re doing or what it is, whether they’re in compliance or not, the professional societies, URAC(?), NCQA, to a lesser extent, and then I believe JACO(?), are moving in those directions, URAC has put in for, NCQA has done it for business associates, URAC has done it for covered entities in the areas of I know in privacy and I think also in security. So I guess, I’m always a big believer in public/private partnerships. Let’s invite them in and let’s kind of have a discussion, the folks from JACO, etc., what they’re using, what they’re going to be doing their audits based upon, let’s have an active discussion with them whether we think it’s stringent enough or overly stringent, etc., and then if we could jointly support their efforts.

MR. ROTHSTEIN: Ok, so we’re going to move now to the priority scores.

DR. COHN: Should we raise our hands?

MR. ROTHSTEIN: We’ll come up with a way of doing it. Let me just review for you the three broad areas. The first one was the health information school records. The second one the disclosure and redisclosure of information to non-covered entities. And the third one is a joint hearing with the Subcommittee on Standards and Security on some combination of these issues implementing the security rule, checking on enforcement, evaluating levels of compliance, etc., etc., etc., as we just discussed. So, Mike?

DR. FITZMAURICE: Could I toss just quickly out a possible fourth one and that is with the advent of homeland security, there are trade-offs between civil liberties and being secure, and that might be some area that you want to address.

MR. ROTHSTEIN: That’s interesting.

DR. FITZMAURICE: Or maybe you don’t want to address it.

MR. ROTHSTEIN: John Fanning and I were talking about that yesterday, I think that’s an excellent topic for the series of 12 hearings --

MR. HOUSTON: Is that more of a security issue though than a privacy issue? Or maybe I’m missing something.

MR. ROTHSTEIN: No, because in security policy there is a role for health information in trying to determine when there has been an incident of bioterrorism, etc., etc. And so there is a health information privacy component clearly to the homeland security aspect. Ok, I’ll take John and Dan and then we’ve got to make a decision.

DR. DANAHER: Just kind of making sure that the agency’s positioned really, did anyone here participate in the Atlanta HIPAA OCR meeting?

MR. ROTHSTEIN: Yes. I was there.

DR. DANAHER: Supposedly Secretary Thompson called in.

MR. ROTHSTEIN: No. Claude Allen.

DR. DANAHER: Claude Allen called in? Because what I had heard was that he had something to the extent that what we’re doing for HIPAA we also need to be doing in the area of bioterrorism. Am I getting that reporter’s story correctly?

MS. KAMINSKY: Actually I didn’t listen to the luncheon conference so I don’t know, I’m sorry. I saw --

MR. ROTHSTEIN: I did. He may have mentioned that in passing, but that certainly was not the emphasis of his talk.

DR. DANAHER: Ok, anyway, my point being is I very much agree with you. I think that when you start thinking about areas such as cyber terrorism, when you start thinking about some of the most egregious things that have happened, the Tricare(?) vendor in Arizona that had the 350,000 medical records off the hard drive stolen, so I guess what I’m getting at is I’m very supportive of your idea because I think that it really does mesh very closely with homeland security issues.

MR. ROTHSTEIN: Sure, and the Defense Department initiative that was put on hold by Congress to use health records and establish its own database, etc., I think those are very important issues. There are a couple people who wanted to talk, Dan?

DAN: I just wanted to make the point since it fits with this Committee and the full Committee. As we’ve begun to work with the infrastructure piece, this is becoming a crucial issue. This Committee well knows the public’s feeling about privacy and some of the backlashes that came over the last seven or eight years, a major concern that an infrastructure that doesn’t have a privacy component, that could allow for government investigation of any database or information transferring is beginning to come up in some of our meetings, so I would urge you to think about that in light of also the efforts for the NHII.

STEVE: I just realized a minute or two ago that I’m Gail Pollack right now because this is now going out on the internet and I’ve got to report back to her. With regard to health information in school records, obviously of course to Gail’s organization, immunization records are very critical. They’ve been trying to establish a relatively free flow of those types of records to and from the provider to the education systems, and I just want to make sure that that’s a consideration when you do discuss this.

MR. ROTHSTEIN: Ok, thank you Gail. John, last point.

MR. HOUSTON: Just to get back to the comment about the homeland security, published the cyber security, I don’t know what you want to call it, the national strategy for security cyber space, and one of the threats they do talk about, HHS, I don’t know if there’s a tie or whether we should be trying to tie some of the activities NCVHS to some of the priorities in here or whether it’s effective, but I just realized that this was just published --

MR. ROTHSTEIN: I think the stronger tie if we go that route is through CDC, because of all the work that CDC is doing in bioterrorism, and given where our Committee is located and so on, as well as HHS has an --

MR. HOUSTON: But I think the concern of this group was that we need to keep our infrastructure secure so that critical services can be delivered, where the bioterrorism component of it is is obviously we need to go to combative bioterrorism event --

MR. ROTHSTEIN: Well, maybe, security is a little beyond us, it’s more in Simon’s bailiwick, maybe that would be --

DR. COHN: For three minutes at the end we’ll talk about it.

MR. ROTHSTEIN: That might be another related issue.

MR. HOUSTON: I just wanted to bring it up in light of the earlier --

MR. ROTHSTEIN: Ok, can we get some decision now? We’ve got four issues and the slate of nominations is closed, so how about if we do it this way? I’ll just take a show of hands that rates each one as your top priority. So we’ll now vote on which one of the Subcommittee members think of these four should be the top priority. So how many people think school records should be the top priority? [None.] How many people think redisclosure of information, number two, should be the top priority?

MS. GREENBERG: Are just the members voting?

MR. ROTHSTEIN: I think so, but if you want to sort of weigh in under the table that’s fine. Ok, so we’re now on number two, the redisclosure of information. [None.] Number three, the joint hearing with Standards and Security on implementation, the enforcement issue. [Four.] Alright, that’s the winner.

MS. GREENBERG: So that’s enforcement of privacy not having to do with --

DR. COHN: No, everything. That’s why we’re doing that jointly.

MR. ROTHSTEIN: Now we’re going to vote for, and homeland security. So now we’re going to vote for second choice, assuming that we do more than one. And clearly we’ve got to be thinking a year ahead or at least six months ahead. How many people would make as your second priority health information in schools? [None.] How many would make as your second priority redisclosure? [Four.] So that’s got four. And how many homeland security? [None.] Alright so our second priority will be what is currently listed as hearing number two. And we’ll just stop at that for the time being, and with the consent of the Subcommittee Simon and I will sit down with our lead staff and try to figure out the timing, etc.

There’s one other thing I need to announce to you before we adjourn, and that is I spoke with John Lumpkin yesterday. I am due to give a report of the Subcommittee I guess at noon today and I asked him for a few extra minutes to go beyond what we mentioned here, and what our plans are, so that at least I personally could comment on Secretary Thompson’s letter of response to the NCVHS in light of our November 25th letter. We don’t have time as a Subcommittee to vote or really even discuss this here, part of it results from the timing, so what I had planned to do was to give some prepared remarks about as chair of the Subcommittee my response to the Secretary’s letter that reflect only my personal views, then obviously other people can chime in and say well he’s all wrong or I want to second what he said, or I want to partially dissent, or whatever the case may be. But I think it’s important that the Subcommittee go on record in responding to the Secretary’s letter to us given the fact that we spent so much time on these hearings and the letters and went into such detail, I think we would be remiss not to have our comments on the record.

DR. COHN: It depends on what you’re saying, I mean if they are private comments by you as a member of the Committee.

MR. ROTHSTEIN: Correct. These are, I am responding just as a citizen and a member of the Committee.

DR. DANAHER: It sounds like you’re forewarning us --

MR. ROTHSTEIN: Well, you might want to disassociate yourself with what I say, so I’m giving you that opportunity.

MS. KAMINSKY: For whatever it’s worth on that same topic as follow-up from yesterday’s discussion, I just wanted to report that we currently have 23 people throughout the country working on privacy and that includes administrative staff and we’re going to be bulking up to 40 total throughout the country.

DR. COHN: May I make a 30 second comment on the subject of security, which I had to have discussed today, but appears not to have been included in the agenda. Basically we are trying to figure out how to handle the issues of security related to the new rule. John has brought this one up, I think, and the question really is is what are the Privacy Subcommittee, how it wants to be involved, what sort of leadership it might want to take, how maybe individual members, and I know John for example, another John, John W., is I think also interested in the issues of security. This I think at the end of the day will be an issue the Executive Subcommittee needs to figure out whether it remains in the Subcommittee on Standards and Security or whether there’s a separate workgroup, or sort of how we need to sort of structure for this.

I need input from everyone that is interested in all of this. I think Mark probably needs input also, because I think we have a fair amount of flexibility in how we handle this moving forward. And the issues are not only how we structure but sort of what needs to be done, and I’m hearing a fair range of different views about how urgent, whether something in the next six months, or whether something over the next year, or what. We don’t have time in the agenda today but I really do want to solicit views from any member who is interested in this area so we can figure out how to structure the activity and what we need to do.

MR. ROTHSTEIN: And without objection from any of the members, we will put this on the agenda for the next meeting of the Subcommittee in June, this is not an issue that’s going to go away.

DR. FITZMAURICE: Is one of the issues whether or not the Privacy Subcommittee would welcome the chance to also have security as part of its mandate? I think that’s one of the options and one of the issues.

DR. COHN: That’s probably one of the issues.

DR. FITZMAURICE: The Committee, the Subcommittee may want to rule it out, be open to it, or actively campaign for it --

MR. ROTHSTEIN: Well, I think that’s one of the options. I think one of the things that maybe we can do in advance of the actual Subcommittee meeting in June is for Simon and I to work together to come up with different options to present to your Subcommittee as well as mine, and one of those would be as you described.

DR. COHN: And given there’s considerable overlap in these Committees it’s not a big issue.

MS. GREENBERG: I assume we will definitely schedule, not a meeting, probably a conference call, of the Executive Subcommittee could certainly be on the agenda for that.

MR. ROTHSTEIN: I think that would certainly be --

DR. COHN: An appropriate topic.

DR. FITZMAURICE: Marjorie, how soon would that happen so that the people around the table who want to give input to Mark and to Simon and do that in advance of the Executive Subcommittee. Are we talking a month?

DR. COHN: I’m sure it’s probably not going to be in the next month.

MS. GREENBERG: No, probably would be in April, I think that’s generally when the Executive Subcommittee has a conference call.

MR. FANNING: Just a few announcements so people can be informed. I just want to tell people that there has been produced with money from us two reports that are meant to add to the literature of privacy and decisions. One is a report on privacy and confidentiality issues in telemedicine. The other is a study of the issue of what information do managed care organizations need when managing mental health and substance abuse services. Now these are, it doesn’t come up with any answers, but it assembles the knowledge that exists about it and so on and both of them can be found on the web-site of the HHS Privacy Committee, which you can reach by going to your own page, the Committee page, and then clicking at the bottom on the HHS Data Council, and that can lead you to the HHS Privacy Committee.

Two other items. The President has signed the E-Government Act of 2002 and there are two things of interest there. One is a requirement that new government data systems be accompanied by a privacy impact assessment, so there’s a command to do a systematic formal study of the privacy impact of doing data collections. The Office of Management and Budget is supposed to issue guidance on that. There is a body of knowledge and experience about privacy impact assessments, particularly in Canada and New Zealand and Australia.

The other feature of that law that is of perhaps some interest is a statistical confidentiality law which provides essential, well not essential but absolute protection for information collected for statistical purposes. And this is useful to agencies other than the shall we say recognized statistical agencies, which have their own protection: Census, the National Center for Health Statistics, the AHRQ, and Don Goldstone in SAMHSA. This would make it possible for an outfit like CMS to make a subset of its organization, say it’s a statistical outfit, and anything flowing into there is protected by this law. It applies not only to information about natural persons but information about businesses.

MR. ROTHSTEIN: Ok, well thank you for that update, and just so we don’t get in trouble with the full Committee, we stand adjourned.

[Whereupon, at 8:55 a.m., the meeting was adjourned.]