[This Transcript is Unedited]
Hubert H. Humphrey Building
Room 705A
200 Independence Avenue, SW
Washington, D.C. 20201
Agenda Item: Call to Order, Welcome and Introductions
MR. REYNOLDS: Okay good morning. I would like to welcome everybody to the meeting of the Standards and Security Subcommittee of the National Committee on Vital and Health Statistics. NCVHS is a primary health policy advisory committee of Health and Human services. I would like to remind everyone that this meeting is being recorded and being heard over the Internet. I also ask everyone to please put your cell phones on mute, and for those of you around the table if you put a blackberry or a laptop near the microphone, that’s the clicking we’ll hear, if we could keep an eye on that. Also for members of the committee staff and anybody testifying, please speak into the microphone to allow all involved to hear. I am Harry Reynolds from Blue Cross Blue Shield of North Carolina and co-chair of the subcommittee along with Jeff Blair. I will now ask each member of the committee and staff to introduce themselves as well as those in the audience, and the members to state whether they have any conflicts of interest in today’s hearing. I have no conflicts.
Jeffery?
MR. BLAIR: I am Jeff Blair, Director of Health Informatics at Lovelace Clinic Foundation. I am not aware of any conflicts. Justine?
DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the committee, and no conflicts.
MR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and Quality, liaison to the national committee, staff to the subcommittee on Standards and Security.
DR. COHN: This is Simon Cohn. I am Associate Executive Director for Health Information Policy for Kaiser Permanente, chair of the committee, and member of the subcommittee. No conflicts.
DR. WARREN: Judy Warren, University of Kansas School of Nursing, and member of the subcommittee. No conflicts.
MS. BUENNING: Denise Buenning, Centers for Medicare and Medicaid Services, lead staff to the subcommittee.
(Introductions around the room.)
MR. REYNOLDS: Okay let us just quickly look through the agenda this morning. We are going to be talking about the HIPAA process streamlining letter, and then Nancy Spector and Lynne Gilbertson are giving us the annual DSMO report, and then after the break we’ll go through our e-Prescribing Pilots Report, which is always good for us since we spent so much time in that in the past. It’s good to get a refresher on where that’s going. After lunch, an update on NPI and a discussion of the Contingency Guidance, and then after the break a discussion and update and review of the guidance for the security rigs. So, that would be our full day we have in front of us.
With that, I am going to ask — we’ve gone through
this letter a number of times, had a number of conference calls, and other things discussing it. So, I am going to ask Denise to read through this, a paragraph at a time. Purpose today is to approve this letter, and if anybody has any significant changes, we would work on those and definitely settle this tomorrow. We need to have this letter ready to go on to the executive committee and then on to full committee when we meet in June. We’ll proceed from there. Denise if you would please read the letter.
Agenda Item: Discussion of the HIPAA Process Streamlining Letter
MS. BUENNING: Thank you, Harry. This letter is addressed to the Honorable Michael O. Leavitt, Secretary, U.S. Department of Health and Human Services, Washington DC. Dear Secretary Leavitt, The National Committee on Vital and Health Statistics (NCVHS) is responsible for monitoring the implementation of standard transactions, code sets, and identifiers adopted pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Section 1174 of the act permits the Secretary to make modifications to any established standard after the first year, but not more frequently than every 12 months. It permits the secretary to modify an initial standard at any time during the first year of adoption, if it is determined that the modification is necessary to permit compliance with the standard.
During the past several years, NCVHS has observed, and the industry has testified that the time required to update and receive federal approval of new versions of HIPAA transaction standards may take five or more years. The current process includes the following steps: 1) Development of new versions of health care information system standards by ANSI-accredited standards development organizations (estimated time: 1.5-2.5 years). 2) ANSI certification that a new version was developed in accordance with ANSI consensu-based process (estimated time: 0.75-1 year). 3) Review and approval of updates in open public forums such as NCVHS (estimated time: 0.5-1.5 years). 4) Initiation of process of promulgation through federal government’s Notice of Proposed Rulemaking (NPRM) process, including publication in the Federal Register with a 90-day window for written public comment and publication of a final rule (estimated time: 2.5-7+years).
MR. REYNOLDS: You should stop there for just a second. Does anybody have any questions or concerns or issues with anything so far? Okay, please continue.
MS. BUENNING: The resultant minimum five year timeline is inconsistent with the objective of accelerating the development, review, and adoption of health care information standards to improve health care quality and patient safety, and reduce health care costs. Further, the protracted timeline may result in unanticipated consequences including the development of interim proprietary solutions, which undermine the goal of interoperability.
On September 26, 2006, the NCVHS Subcommittee on Standards and Security hear testimony from Health Level 7, ASC X12N, and NCPDP—the three Standards Development Organization (SDO) members of the HIPAA Designated Standards Maintenance Organizations’ (DSMO) Steering Committee. DSMOs are organizations designated by the HIPAA regulations to coordinate the process of updating HIPAA transaction standards. The DSMO representatives presented a proposal to streamline the HIPAA process for approving new versions of existing transaction standards, while maintaining the essential opportunities for all sectors of the health care delivery system to review and comment on the standards. They observed that, based on the industry experience, the time from SDO approval to implementation is the major delay in the process. Their estimates suggest that from the time a health care organization requests changes to “HIPAA adopted” implementation specification, whether through the DSMO Change Request System or via the SDO’s data maintenance process, the minimum time to implementation is five years. Examples cited included: An NPRM for “claims attachments standards” under HIPAA was drafted in 1998, and finally published in late 2005. An NPRM expected to obtain public comments re: issues in the pharmacy industry for billing of supplies and professional pharmacy services first identified in 2001 had yet to be published.
MR REYNOLDS: Stop right there for a second. Any questions or comments? I have one. In the end of the last paragraph that you read, why have we bolded five years rather than just have it as a…?
MS. BUENNING: That was included in the drafts as we progressed. I think that was intended for emphasis.
MR. REYNOLDS: I do not see any--- I mean we talk about the five years earlier and I am not sure it’s pointed out there. Does anybody on the committee have a problem with that?
DR. CARR: I have a question here. I am just trying to relate. The sentence says “based on industry experience” at the top of page two. “The time from SDO approval to implementation is the major delay in the process”, and I wonder if we can relate that back to which steps we were talking about. Does that mean steps two, three, and four? Or which step?
MR. BLAIR: After the SDO has approved the particular update to a standard, and after it’s been approved by ANSI, and after it has gone through NCVHS reviews. From that point until the time when HHS has accepted it. That’s the area where there could be tremendous variations.
DR. CARR: So that is step four?
MR. BLAIR: That is step four.
DR. CARR: I would just, since we’ve outlined the process on step one—I mean page one—
MR. REYNOLDS: If we take what Jeff said, that is item four. In other words---
DR. CARR: Yes. Right. I am just saying the outline on the front is very helpful in structuring what we’re talking about and it would just be helpful to now redirect back to—here’s where the delay is, it’s called step four on page one.
MS. BUENNING: So Justine are you suggesting then that after the work implementation in that sentence, we put in parenthesis “Step 4”?
DR. CARR: Yes, wherever. Yes, that’s fine.
MR. REYNOLDS: Is everybody okay with referencing which of the four steps this deals with?
DR. WARREN: I guess I have no problems with it. I am just looking at how many times and how many places do we need to say the same thing? I guess my problem is we have laid out the issues where the delay is, and now we’re talking about the implications of that. So I do not see that we need to refer people back to the previous page. I am fine if we want to put a parenthetic to refer them back to page one, step four. It’s only like two paragraphs previous. It is a style issue.
MR. BLAIR: It sounds like not everybody needed it for clarification, but some people did. Maybe it’s slightly redundant for some folks, on the other hand it’s clarifying for others. My inclination would be to accept it for clarification.
MR. REYNOLDS: Any other comment on that? Let’s put it in and then we’ll read it again. We’ll look at it and make sure it does not hinder the flow at all. All right Denise, if you would continue please?
MS. BUENNING: Compounding the problem of the protracted timeline is the lack of predictability surrounding the timing of the process. The lack of predictability has led many health care delivery systems and vendors to develop proprietary solutions which can solve problems in a timely manner, but which undermine interoperability. This dysfunction may not be visible until there is a need to share health care information at a regional or national level.
MR. REYNOLDS: Let us stop there for a second. Mark, one thing—We have a life size picture over here we should put in a chair so that I remember that you’re on the phone. Do you have any comments up until now? If you do, through the rest of the hearing please just speak up that you have a question, and then I will get to you at the appropriate time.
DR. OVERHAGE: Well I am not shy.
MR. REYNOLDS: Okay, thank you.
MS. BUENNING: ON January 25, 2007, in response to the subcommittee feedback, the here SDOs presented the updated proposal to streamline the health care standards development review and approval process, which is enclosed with this letter. The updated proposal retains many existing process but offers a more efficient approach to several key areas where problems exist. The essence of these changes is that they encourage all interested parties in health care (including payers, providers, and vendors) to participate in the development of the standards at the SDO level by announcing SDO meetings in the Federal Register, shortening the time for NCVHS review and approval, and significantly shortening the time for the NPRM process. If accepted, this streamlined process could potentially cut three years or more from the current standards adoption process. Opportunities for input and participation are not eliminated, but the proposal encourages the expansion of the open public participation in the standards development process at the SDO level in a manner that would enable modification of the NPRM process and thereby minimize redundancy. The proposal also helps to make the process more predictable. At the January meeting, the Subcommittee considered this updated proposal and heard reactions to it from healthcare providers, payers, vendors and clearinghouses representing entities covered by HIPAA, and those supporting these entities. None was apposed to the proposal. However, testimony from representatives of the pharmaceutical industry expressed the desire that written testimony to HHS would still be permitted within the new proposal framework.
NCVHS endorses the proposal to streamline the HIPAA transaction process and recommends the HHS consider its adoption. As a precursor to adoption, NCVHS recommends that the proposal be evaluated by HHS legal counsel to determine how it could best be implemented in a manner that is consistent with Administrative Procedures Act. Sincerely, Simon Cohn, Chairman, National committee on Vital and Health Statistics.
MR. REYNOLDS: Anybody have comments? Michael?
MR. FITZMAURICE: A couple of suggestions since this is our final look through. I would, in this paragraph beginning “On January 25, 2007” on page two, I would put in italics the Federal Register since that is a publication, and on the last sentence, I would take out the word “would” so that it reads “However, testimony from representatives of the pharmaceutical industry expressed the desire that written testimony to HHS still be permitted within the new proposal framework.
DR. WARREN: You just put pharmaceutical industry in there. It is much more than just them.
MR. BLAIR: I think went back and it turned out that it was only individuals from the pharmaceutical industry.
DR. COHN: I guess I am just—I guess I do not know what written testimony the HHS means in terms of the process. I heard a wide variety of people wanting to make sure that there was the opportunity for written comment on things going forward. I do not know if that’s what we’re talking about or something different, which I think is very different than written testimony to HHS. That was, I think, really far beyond pharmaceutical industry representatives. So I do not know. Is this the same thing we’re referencing? Or is it something different?
MR. FITZMAURICE: What I remember hearing was that it was comment that they still want to be able to make written comment to what was proposed. So, I think you’re right Simon.
MR. REYNOLDS: Written comment as part of the process rather than saying to HHS?
MS. BUENNING: I thought the issues was taking out the word testimonial and using comment instead. However, testimony from representatives of the pharmaceutical industry express the desire that written comments to HHS still be permitted.
MR. FITZMAURICE: I would put “and others” after pharmaceutical industry.
DR. WARREN: I think we need to look at the rolls that the people from the pharmaceutical industry play because many of them were speaking on behalf of WEDI or DSMO which is more than pharmaceutical.
MS. BUENNING: If you want to broaden the scope then, are you making the recommendation that take out the word pharmaceutical and just say industry representatives?
MR. BLAIR: If we do say industry representatives, I think we should say some industry representatives.
MS. BUENNING: Testimony from some industry representatives.
DR. COHN: My memory was many, actually. Maybe I am mistaken.
MS. GREENSBERG: I guess, you know, go back to the transcripts, and perhaps you did it sounds like. I am sure I’ve heard more than one. I think some would be fine. I think comments would also be preferable. The additional issue I have though is that, written comments could still be permitted, but of course you could always send written comments on anything. I mean, there is no circumstance under which a letter would arrive and be returned to the sender. So, I think that somehow there’s something about that turn of phrase—I think it’s not just that written com—because you can always send written comments. They wanted that as part of the process. There are two issues. With an NPRM, that’s the part that isn’t completely clear to me as to what was being requested. But with an NPRM, written comments do not get individual responses, but a final rule does comment--- It does reflect on the written comment, and so there’s—It’s not that the written comments are received, but they have to be taken into account. You can still go ahead in contrary to the written comments, but you need to comment on them as it were. The question is whether that part of the process is still—People still feel the need for. Now, I realize that that could eliminate or at least reduce the value of the timeliness of the process if you still have to go and get written comments and then you have to review them, you have to comment on them. And maybe the testimony is clear on that and can be straightened out. The idea—The thing that HHS would still be permitted indicates that there is a circumstance that written comments are not permitted, and that just does not make sense to me.
MR. REYNOLDS: Michael?
MR. FITZMAURICE: I think the question might be in order to streamline the process, could the public submit written comments and be obliged if they want to have a say, submit written comments to the SDO process before it gets to the department. And so as far as the department’s consideration, it might consider that the comments have already come in, but they came in to the DSMO that thereby shortening the process. I do not know that that’s legal or not. That’s why if I wanted to have legal review in the office of the secretary as part of our recommendation
MS. GREENBERG: I think people actually send written comments to the department. They didn’t want all of their comments to have to be to SDO. That of course there was the opportunity though to comments to NCVHS. You know it’s like, the opportunities.
MR. FITZMAURICE: We wouldn’t turn anyone down, I do not think.
DR. CARR: With apologies to Judy, again in my concrete structured diagram the sentence approach, I would like to suggest that on the last paragraph on page two, that we do more of a crosswalk to what the interventions are and where they will change the process. So, toward that end, there is a sentence that begins “the essence of these changes is that they encourage”—and here I would add they “encourage earlier participation of all interested parties in healthcare in the development of the standards at the SDO level by announcing SDO meeting in the Federal Register (step 1) and then continuing on to say shortening the time for NCVHS (step 3) and then approval and significantly shortening the time for NPRM process (step 4)”.
MR. REYNOLDS: That’s very good.
DR. CARR: The sentence begins “The essence of these changes is that they encourage earlier participation of all interested parties in health care including payers, providers, and vendors. In the development of the standards at the SDO level by announcing SDO meetings in the Federal Register (Step 1), shortening the time for NCVHS review (Step 3), significantly shortening the time for NPRM process (step 4). I am trying to do the crosswalk. Did I miss something in ANSI? Are we proposing ANSI certification—
MR. FITZMAURICE: Step two remains unchanged, really.
DR. CARR: Yes, that’s the point I am trying to make.
DR. COHN: Well maybe this just goes along with my fresh eye after not looking at this for a little while. I was wondering where the DSMOs fit into the process, only because I thought that they were part of the process here, but I do not see them listed so I just wasn’t sure whether there—but I think they are somewhat different than any of the one, two, three, and four. I do not know if or how we want to recognize that. I guess the other questions I had were, and this is maybe my confusion. Did the three standards of organizations that composed the members of the DSMO present this as an independent proposal or was this something that was being brought forward by the DSMO representing all of the members of the DSMOs? Only because of the way it is written here. Because this sounds like it was just being brought forward by the three standards development organizations. You probably aught to get that clarified, it’s unclear if you read it. The final comment have, and this is just—and I do not know where to put it but we dive deeply very quickly in this letter. I just want to remind everybody that what I think we’re talking about is a predictable and timely process in that that’s really what we’re all striving for. The quoting from the section, I think, was the intent to develop that. Somehow, we almost say it but do not ever say that that’s the intent of what we’re really talking about, so we may want to put a sentence in there. I think that a little of wordsmithing unless somebody disagrees that that’s the intent of this whole letter.
MR. BLAIR: Although I may say it’s a more predictable way. It will never be completely predictable.
MS. GREENSBERG: I just had a suggestion for this last sentence that might kind of give us a little regal room. “However, testimony from some representatives of the health industry expressed the desire that the opportunity to submit written comments to HHS would still be part of the process. Exactly how they would present this process we can leave open for further review. Does that--?
MR. REYNOLDS: I believe that was the intent in what we heard. Lynne?
MS. GILBERTSON: In answer to Simon’s question, these were the three SDOs. This was not a testimony from the DSMO. So that really should be one of the clarifications we submit and the other—from the testimony in the last sentence that is being discussed, from what I recall the testifiers were discussing they want to be able to still submit policy comments to HHS. They recognize that technical comments could be sent in at the SDO processes, but they wanted to be able to submit policy questions related to the NPRM at some point of the process.
MS. GREENSBERG: I would have to say one person’s technical is another person’s policy.
MR. BLAIR: My recollection was, and I am not sure this is correct, but my recollection was that there was encouragement in the discussion that as much as possible technical in policy suggestions be included because a lot of the policy pieces, I guess that blurs, and maybe I wasn’t clear on this, but in terms of business practices that there was an effort to encourage that to be included within the standard’s development process because what I am worried about actually happening. Maybe we can clarify that because I am a little concerned that if we start to carve out a separate roll for comments at the HHS level rather than maintain the encouragement of both technical and policy issues or business practice issues at the SDO level. That is the intent is to encourage the involvement at the SDO level. So, maybe you have a thought on that Lynne or Marjorie or someone else?
MR. REYNOLDS: Let me make a comment before we ask that. So are we saying that we want to put in here that there will be comments available throughout the process or comments after the process?
MR. BLAIR: I think the wording we picked to try to accommodate that was that some representatives indicated that they wanted the ability to create comments but that it would be within the proposed framework that it’s going for which says—throughout the process.
MS. GREENSBERG: I had changed that wording and you are right. You should keep that.
MR. REYNOLDS: Okay so the process is what we’re talking about.
MS. GREENBERG: What I—The way I read this is that you are faithfully reporting that some representatives—industry representatives made a state of this. I do not think you go so far as to endorse it—I mean, to agree with it or to support it.
MR. REYNOLDS: Unless we choose to.
MS. GREENSBERG: And you can, but that way it is framed now is more a reporting of what you heard than saying, and we support this.
MR. BLAIR: It is so ambiguous that it is really hard to know. If their suggestion that they just wanted the ability to provide written comment, I do not think there is any problem with that. The concern was whether they wanted to continue making written comments at the HHS level and if that is done in a manner where it extends the timeframe at the HHS level, if they wait until then rather than try to bring those issues forward, especially business practice issues forward during the SDO process, then it unravels the objective of the streamlining process. So that—I think that they need to have the right to make written comment maybe wherever they wish to, but I think the intent of the streamlining process is we encourage them to do it during the SDO level.
MR. REYNOLDS: Michael?
MR. FITZMAURICE: It is possible that it could be streamlined and get most of the issues, maybe all of the issues settled through this streamline process at the SDO level. It comes up in NCVHS, looks at it, here’s testimony, says they have it pretty well, goes to the secretary, and the secretary says yes it looks like it is pretty final so let me put out a final rule “with comment”. So, you bypass the NPRM part of it if you think that it has widespread public review and comment, but you still provide the opportunity to give comment to the secretary, and since these things do not go into affect for at least six months after they get published as final, maybe longer. There is time to consider those comments and see if there is anything so important that the final rule aught to be changed, so you can put out a final rule “with comment”. Unless the comments are very strong and convincing, the effective date is still the effective date.
MR. REYNOLDS: Which kind of gets to both things that we heard. One, we want to streamline process, but other people still want to have the right to comment. In the current NPRM process, they feel there is more of an open comment period. Is that what, Simon—
DR. COHN: I am actually intrigued by what Michael is talking about. That the proposal from the three SDOs, obviously, had the initial intent of legislative remedy, and obviously we’re trying to figure out what can fit in to current non-regulatory processes. I am embarrassed that I do not know enough about final rule with comment and exactly what that means. It sounds intriguing as one way to help streamline the process. We never dealt with that particular methodology before. Can you describe any of the aspects of that? Is that something that should be represented as a tool?
MR. FITZMAURICE: Well it’s something I would leave to the judgment to the secretary, given our recommendation that we’ve strongly looked at this process and have the lawyers look at it. But the secretary can look at something and say, you know, we’ve received a lot of public input already and I judge that most all the public input that I can imagine has been received, I am going to skip the NPRM and put out a final rule “with comment”. So barring any comments that come in that were not anticipated that are such an importance that there should be changes. The date that is put in the final rule “with comment”.
MS. GILBERTSON: And part of that has to go with the steps that are part of the APA, the procedures act, and if the steps have been met, and they can skip down to the final rule that is perfectly possible as a step. We did not want to tell HHS how to go through, resolve the steps of the APA, but that is one of the options that could be invoked.
MR. REYNOLDS: How does the committee feel about Michael’s approach. Let us not go with the words yet, let us go with the approach. Which is to mention that this process--- We agree with this process and that at the end of this process there will be put out “with comment” allowing others who have shown an interest to make any further comments if necessary. I am not trying to wordsmith it, that’s for sure. I am trying to play off of his comment only to understand whereas a committee, we want to recognize this. If it’s like it is now, it’s part of the process. It just says comments to HHS. There is nowhere is that? Is it at the beginning? Is that the end? Is that the middle? Where is that? Whereas Michael, structure at least, says go through the process as was proposed and if somebody felt that they were not aware, did not get their just due and did not get their comment heard, then when that rule comes out “with comment” they would have the opportunity to do that. Some people were concerned the NPRM going away because all of the public comment goes away.
MR. BLAIR: I felt as if Michael struck a compromise whereby it encourages comments during the SDO level. It still allows comments at the later levels, but the impact of the comments at the last minute is clearly reduced and that’s the intent of what we wanted to achieve.
MR. FITZMAURICE: I would have our wording such that the Secretary is made aware that we are aware of this possible avenue, but it still remains the Secretary’s discretion whether he or she wants to go through NPRM process and then show final rule. So there is still a secretarial judgment and enough evidence has been submitted.
MR. REYNOLDS: And I like that rather than being overly prescriptive. That’s exactly how it will occur. Judy.
DR. WARREN: Do you think that this approach will add anymore time to what has been proposed in proposal?
MR. FITZMAURICE: I think if we propose that all of the comments come into the SDOs and nothing comes into HHS that we see it raises a concern among the testifiers. This is a way of possibly shortening it if the secretary judges that it can be shortened, and yet having people have their say and then weighing that say before the effective date or the compliance date goes into affect.
DR. WARREN: Then I need to ask a question because somehow I am not processing this. If we have comments coming in at the end, how is that different from the NPRM process?
MR. FITZMAURICE: With the NPRM Process you put out your tribalum(?), you get a lot of public comments, you address them, and then you put out a final with no comments. In this case, you’re bypassing the NPRM and putting out final rule with the ability for the public to make comments, and then you judge whether or not the final rule stays final, which it probably would unless there are some comments that were not considered beforehand and you think they were important enough to go back and withdrawal the final rule and reissue one.
DR. CARR: I am just trying to do the math on how much shorter it will be after these recommendations go. If I look again at the four steps, the first step development of the new versions by the SDOs currently takes 1.5 to 2.5 years. So, we are saying seek more input early on, and would we assume that it would still take 1.5 to 2.5 years given that more comments so it would be there? So, that would be one question. Second, ANSI certification looks to be a year and we have not made any recommendations on that. Third is NCVHS is 0.5 to 1.5 years and we’re recommending that that be shorter so maybe 0.5, and then initiation of the process through NPRM and that’s 2.5 to 7 years and we’re making—if we were to suggest final rule instead of NPRM, how long would that take? In other words we’re concerned that it takes five years, but I am trying to make sure that our revised process does not take five years.
Mr. BLAIR: Michael, with your recommendation, how much time would you estimate for that last, the fourth step?
MR. FITZMAURICE: I’ve never made any money in the government by estimating the time it would take to do anything. What I would say is that it provides a pathway to shortening the time, and given the will of the secretary, the will of the agencies that would have to review this final rule and also the will of the OMB, it could take a very short time or longer than a very short time. And I will stand by that.
MR. REYNOLDS: Lynne, did you have a comment?
MS. GILBERTSON: In the proposal that we submitted to the committee, we had the current timeframe and a proposed timeframe and the savings could be yours because NPRMs take a very, very long time to see the light of day usually. So, your in a factor of years. The other thing to point out is that step one and step two happen concurrently. When the SDO is bringing forth standards, they’re going through their ANSI processes at that same time.
MR. REYNOLDS: To me, as I sit and listen, it appears that we obviously have heard the process and we understand we agree with the process. We have this issue about comment. So, we have a number of options. First, we can just accept the process and just note that we heard testimony on the other end and let that be. Or second, we can endorse the fact that there need to be comments throughout, and then finally we get into a situation where we endorse the process but still leave it in the end, entirely an open capability for people to submit comments using the philosophy that Michael had.
So, the committee, I think, has to decide between those three structures, not the words yet, between those three structures as to what message we want to send forward or what we are actually concurring -- either referencing or concurring. That’s what it sounds like to me.
Dr. COHN: I guess I am listening to you, maybe thinking about it in a slightly perpendicular fashion, which at this hour of the morning is a good way to be thinking. Another question is also level of specificity. Are we being specific about x in terms of the nature of the comment period and x maybe be the proposal of the standards organizations or from Michael or from someone else, or are we staying on a little higher level where we are based on our testimony will we be encouraging the Secretary to investigate ways to both streamline the process as well as ensuring maximal input from the industry as things move forward?
I am not making the statement here, it’s more I am just bringing up the question or at least another way to think about this.
MR. REYNOLDS: That’s a great question. Okay, comments from the committee? I see some of you sitting back. You cannot sit back yet. Judy?
DR. WARREN: Back to the style issue that I raised previously. I think with some of the changes, we do need to put in parenthesis what step we’re referring to because then you can get lost pretty easily, especially in the paragraph of January 25th.
MR. REYNOLDS: Okay let us deal with—I put a couple structures on the table. Simon I thought I would ask an even better question which is level that we want to discuss. We need to do that because what I would recommend is if we can settle on that what message we are trying to craft. Then I would like to maybe have it taken offline, Denise, and we could start working with some wording and maybe bring it back before we adjourn today and see what everybody thinks about that message as long as we understand the message we’re trying to get to in the end here and the level. Work it, bring it back, and discuss it and then discuss it tomorrow if we have to so we can get this thing adjudicated.
I am not saying that in a way to be too forceful, but we’ve dealt with this letter now. I think we’ve got one subject that we’re struggling with. Again, time and distance is making us look at this. I think what we’re looking at is a good thing. I think the way we’re thinking about it is a good thing. I would like some feelings.
MR. BLAIR: I just didn’t know whether we gave you an answer to your question of do we want to report accurately—
MR. REYNOLDS: No. That was not my question. We do want to report accurately.
MR. BLAIR: Let me finish the sentence. Do we want to report accurately what the industry requested in terms of opportunities to comment or do we want to endorse their request and if I might indicate that I think it’s sort of half way in between. I think we want to recognize that that request is a reasonable request if it’s done in a reasonable way. Sometimes, we have had situations where certain sectors of the industry have waited until the last minute, and I think that part of the streamlining process is to recognize they have a right to do this at any time. I think that somehow we want to balance with whatever we could do to encourage that if they make comments, they do it early in the process rather than the last minute.
DR. CARR: I just want to make sure I understand the combination of your question and Simon’s. So Simon is saying, are we structuring at a micro or a macro level, and your question is are we summarizing what we heard or endorsing what we heard.
MR. REYNOLDS: That is correct.
DR. CARR: I mean, I think that this—It is important that we endorse either that we—I think that we should make a recommendation and we should—this is a complex area. We’ve assimilated a lot of exceptional thought process about it, and I think we should go ahead and endorse what we believe to be good. I think that being macro might prolong this process of our thinking. I am sort of inclined to be very specific, prescriptive, and backed up from what we heard and from whom we’ve heard.
MR. REYNOLDS: And what might that sound like?
DR. CARR: That here is the steps, here is the way we can shorten them and that includes Michael’s idea about the—instead of an NPRM process, the final rule with the comments. I think the responsibility for us is to say, the process right now can go up to 7.5 years. On average, it is 5 years. We’re going to take a half of a year out of here, and a one year out of here, and our goal is that it would just be no more than a three year process or less.
MR. FITZMAURICE: I just want to say I agree with Jeff that this is America and people have the right to make comments at any time. I would hope that the weight of public expectation is about this new process and the resulting oversight and the visibility of NCVHS is looking at this. I would encourage those segments of the industry who would be reluctant to come in and accept at the last moment. I hope it would encourage them to participate fully and up front with issues that they have so that it is a good process. It might be a little embarrassing to come in at the very end and say, well you know this needs more study. Well, everything we do in life needs more study, but we have to take action before we all die.
MR. REYNOLDS: So plan off of Justine’s comment?
MR. FITZMAURICE: I support what Justine said and I support what Jeff said as a humble staff member of the committee.
MR. BLAIR: I might even have a suggestion for some additional wording to that last sentence where we can make the statement accurately that some members of the industry requested that they be permitted to make comments at any time in the process, and if we have that statement, we can also make a statement that the NCF believes that this right should be protected, however the new process should do everything possible to encourage comments during the SDO level.
MR. REYNOLDS: Who is NCF?
MR. BLAIR: NCVHS. Did I not say that?
MR. REYNOLDS: You said NCF.
MR. BLAIR: I am getting too old.
MR. REYNOLDS: No that’s fine. We were making sure we heard testimony from them before we put it in—That wasn’t ringing a bell.
DR. COHN: I am obviously seeing here wordsmithing and some people have noted that my handwriting is—there’s a reason I have gotten an electronic— I am not sure whether we need to decide today if this may be a preparatory to a final conversation tomorrow. I am trying to find the right level of about how to move this thing forward because I think we’re all—I mean, I guess I am coming back to timely, predictable, streamline—I think we’re all in favor of it. We obviously can spend tremendous amounts of time being in the details or we let the department deal with the details. So, I am sort of wondering whether something around the idea of endorsing the spirit and intent of the proposal and asking the department to investigate how the proposal can be integrated into the HIPAA update process which is really what we’re talking about to ensure predictable and timely process while at the same time maximizing opportunities for public industry comment.
MR. REYNOLDS: You want to say maximizing?
DR. COHN: That’s what I said—I am just trying to figure out the right level of things are.
MR. REYNOLDS: Let me tell you why I like maximize. We adjudicate these situations one at a time, but we hear a lot of testimony. If you look further down our agenda when we’re going to be talking about NPI, and we heard testimony about people having trouble even communicating what their own people in their own industry and trying to get to everyone and trying to talk to everyone and trying to communicate to everyone. I cannot let that go in my head that if we do not allow using your term maximum comment, agree to a process, but allow comments along the way, we still have not grouped up as an entire group to communicate well to the whole sector. We have people that are here with us a lot and some of us do this in our day job and other things going on, but there is a whole industry out there that we are all struggling and we’ve heard testimony over and over again to communicate to. So, in streamlining the process, we still need to encourage those doors because if you look at the things we’re going to judicet later today, there are people waiting till the last minute. There are people looking at the last minute. It’s not because they’re necessarily not involved. It’s because the ability to communicate these complex changes, these complex situations that we’re dealing with is a struggle—we spend their days at that, let alone those that are going to affected by it in their day to day lives and do not have the resource, the time, or really the conduit right now to get that information. I cannot let the other testimony we hear on these other subjects go. So, I think what you said gets to that and the word maximum allows—to make sure that the secretary hears that we do feel that communication is still a real big part of this in every way that communication can be gotten. Through the process or whatever we can do is a good thing. I like your wording, but I wanted you to understand why that I do because this other stuff that is going on that we are going to be dealing with today and every other time and any other assignments we get. The industry does not communicate with itself well enough yet to just make only one way happen and then you know that’s all.
MR. FITZMAURICE: I like what Simon said and I would offer a sentence that might find its way in there somewhere. The sentence would be: with sufficient input from the public to the SDOs through this proposed streamline process. The secretary could consider issuing a final rule with comment rather than an NPRM. Just provide information that we know that there is an avenue and secretary would like you to consider it.
MR. REYNOLDS: Mark, do you have anything to say?
DR. OVERHAGE: I like the direction of trying to set up the goals and how we can get there. I think that really helps people understand what we’re trying to accomplish and helps lay out the plans. I think that’s the right direction.
MR. REYNOLDS: Okay, let us—
DR. COHN: I guess the question is, Michael explain to me what that additional comment gets us.
MR. FITZMAURICE: You mean the for or with comment? What that additional comment gets us?
DR. COHN: Yes, I am just trying to think in my own mind of—
MR. FITZMAURICE: All right first of all it get us compliance with the administrative procedures act. Secondly, it gives the public the right to comment even after the last moment. If the comment is witty enough, the secretary can make another judgment about the final rule. Thirdly, if there is sufficient public input to the SDOs, that’s where all these changes can take place and the SDO can give the technical solution to the public’s problems. So we want to encourage them to come into the SDOs as quickly and as often as we can. That’s what I think it gives us.
DR. COHN: I am not against the concept, I am just sort of wondering whether it’s more along the lines of as part of this evaluation, the administration should also explore the applicability of the use of what you’re describing.
MR. REYNOLDS: I think if we added that, your comment to your previous sentence then I think we might have it. I am a little bit where you’re coming from. Michael, yours might sound a little too prescriptive. I think Simon’s most recent comment opens the door and shows that we are aware of it and mentions it but does not necessarily recommend it.
MR. BLAIR: Simon, I am fine with the sentence that you suggested except there was one piece that was left out of the sentence, and whether it’s addressed either in Michael’s suggestion or some other way, and that is, the piece that was left out of it was encouraging comment during the SDO level. As long as we have that phrase in there, either in another sentence afterward or within the sentence, then I would feel perfectly comfortable with what you were suggesting.
MS. TRUDEL: I am trying to find a little bit of middle ground in terms of specificity, and it might be rather than specifying with final comment, just that the secretary should investigate all appropriate options under the administrative procedure act to streamline the time involved in the regulatory part of the process. In some cases, if there really is something controversial, a final would comment actually adds time because you get all your comments at the time. Then you have to start over again with an NPRM. So, there are times when that is not a good option.
DR. COHN: I think Jeff’s comment is clearly something we would want to emphasize to the secretary also in terms of it. I think we sort of say it here or at the end about whatever we’re doing, I think the intent—somebody should find all ways to ensure that the industry is providing input in as early a time into the process as possible. I think that’s an important philosophical piece that we probably want to emphasize.
MR. REYNOLDS: By not commenting, I had assumed that he agreed. That had been part of our discussion all along. I think it’s a good logical addition and I assumed that it would be included.
All right, let’s do this. I would like to recommend that we maybe have Denise and maybe Karen and we’ll work on a few sentences and later this afternoon we’ll bring them back and talk about this part again because we didn’t hear any major discussion on the rest of it. Justine, you made a comment on January 25th. So, if you have any comments—let’s come back this afternoon before we adjourn, we’ll talk about these sentences, we’ll know what we need to do and then we can move forward tomorrow. Thank you for the discussion. I think it’s exactly what we needed to do. Lynne, did you have any other comments? Thank you for joining us for clarification. With that, we’ll move on to our next agenda.
Agenda Item: DSMO Annual Report Presentation
MR. REYNOLDS: As part of our responsibilities we need to hear the annual DSMO report. Is Nancy Spector still here? Okay. Lynne you were listed here too. She’s back.
DR. COHN: I guess I should just make a comment since Nancy is presenting. I am not sure whether I am a member of NUCC at this point or not. I am on the distribution list. I thought I had left about a year and a half ago, but I just wanted—as a public comment, I have been a member of the NUCC. I just wanted everyone know. I guess I am a non-active member then.
MR. REYNOLDS: Simon, your pronouncement does not worry us that you would have any conflicts. With the level you appear to be involved, I think we’re safe. But we are glad we straightened that out.
Okay, Nancy, you have the floor.
MS. SPECTOR: Good morning, I am Nancy Spector, Director of Electronic Medical Systems at the American Medical Association, and chair of the National Uniform Claim Committee. I served as the 2006 chair of the DSMO Steering committee and I would like to thank the subcommittee for inviting me here today to present the DSMOs 2006 Annual Report. Their report has been provided to you so I will focus on the DSMO activities that are outlined in it. The DSMO Steering Committee continued its routine work since the previous report dated February 2006. Due to the timing of the annual reports, the reporting periods have varied in length. This report covers the 15-month period of monthly batches from October 2006 through December 2006. On Tale 1 on page 2 of the report is an overview of the change requests in each monthly batch. A total of 27 requests were submitted. Ten requests were withdrawn by the submitter prior to DSMO review. Three requests were withdrawn by the administrator, and for clarification the administrator is the website administrator and requests are withdrawn by the administrator when they are identified as a test or erroneous request.
Table 2 on page 3 of the report is an overview of the change request by each report period. During the current report period, 26 requests were submitted, which is an average of 1.8 requests per month. A total number of requests completed through the DSMO process was 14, for a monthly average of 0.9. There were no appeals handled during the report period.
The monthly average, as you can see, of change requests, both received and completed, has decreased significantly since the first DSMO annual report. The decline in requests has two potential causes. First, the current HIPAA standards have been in place since August 17th of 2000, so one could assume that the necessary immediate changes needed for the standard have been addressed within the seven-year period.
The second potential cause of the decrease in DSMO change request is the shift in requests being submitted directly to the standards development organizations. The SDOs are tracking changes made based on DSMO change requests and producing a summary of all changes made to an implementation guide, which is included in the final work product. As newer versions of HIPAA adopted implementation guides are brought forward, the DSMOs are paying specific attention to those changes in the guides that did not go through the DSMO approval process.
Table 3 on page 4 of the report provides more specific detail on the disposition of the completed change requests. Two of the change requests resulted in “maintenance”, which is category C. The Maintenance category indicates that the change requests do not impact the implementation of the transaction and require no further DSMO action. Fine change requests resulted in “no change” (category D). The No Change category means that the request is already accommodated in the implementation guide or a future version or further investigation may be needed prior to approving the request. The remaining seven change requests were recommendations for the adoption of new or modified HIPAA standards which is category I. The actual change request for this report period are in the Appendix, which begins on page 7, and along with additional information on the definitions for each category and a sample change request.
For other activities that took place in 2006, the DSMO began reviewing change requests for upgrading to the next version of the HIPAA adopted standards. In April 2006, I presented testimony to the subcommittee on the forecasted timetable for the DSMO to bring forward X12’s 005010 versions of the currently adopted HIPAA 004010 standards. The testimony outlined the anticipated dates for when X12 would be submitting a change request for each of the transactions. It was noted that the dates presented were subject to change based on X12’s finalization of the 005010 Technical Report 3s, formerly known as the implementation guides. The testimony also gave an update on the previously submitted change requests to adopt version 004050 of the Payment of a Health Care Claim or 835. At that time, X12 was considering withdrawing that request and submitting a change request for adopting version 005010, which was later done.
Between August and November 2006, X12 submitted change requests for a version upgrade from 004010 to 005010 for the following transactions: Payment of a Health Care Claim (835), Health Care Claim: Institutional (8371), Health Care Claim: Professional (837P), Health Care Claim: Dental (837D), Claim Status Request and Response (276/277), Referrals (278), and Enrollment in a Health Plan (834).
The individual DSMOs completed their reviews of these requests and the DSMO Steering committee completed their review of the responses at their January and March 2007 meetings. All seven change requests were approved by the DSMO.
In addition, the cost/benefit impact analysis for each transaction being completed by WEDI will be forwarded to NCVHS for its review and consideration. The work is currently underway on the surveys and analyses for each of these transactions.
In conjunction with our work on upgrading to the next version of HIPAA adopted standards, the DSMO has continued to work on a modified process through which adopted HIPAA standards can be updated. In December 2005, the SDOs (HL7, NCPDP, and X12) presented testimony to the subcommittee on the SDO perspective of updating to HIPAA standards.
Following the testimony, the SDOs worked together on a proposal for modifying the HIPAA adoption process. The SDOs shared their work with both the DSMO and WEDI during its development and incorporated feedback received. In October 2006, the SDOs presented testimony again to the subcommittee on their proposal titled: Proposal for the Modification of the HIPAA Transaction Implementation Specifications Adoption Process.
In January 2007, representatives from the SDOs presented an overview of the proposal and the subcommittee heard testimony from several organizations on their reaction to it. At this time the proposal is under consideration by the subcommittee as you were discussing this morning.
In addition to its own work on streamlining the modification process, the DSMO followed the activities surrounding H.R. 4157, the Health Information Technology Promotion Act of 2006. The bill included provisions for coordination, planning, and interoperability of health information technology, transaction standards, codes, and information, and promoting the use of using health information technology to better coordinate health care. Section 201 of the bill called for procedures to ensure timely updating of standards that enable electronic changes. The SDOs proposal to modify the HIPAA adoption process and H.R. 4157 were developed with similar time frames and were compatible. The DSMO also continues to await the NPRM from CMS on modifications and emergency processes for he HIPAA adoption process. The NPRM was previously reported as being expected to be released in 2007. As reported in prior annual reports, the DSMO provided input to CMS on these topics in 2004 and 2005.
Looking ahead for 2007, the DSMO will continue to process change requests as submitted. The change requests are anticipated to include the remaining X12 transactions for modifications from 004010 to 005010.
The DSMO will continue to coordinate with WEDI on the cost/benefit impact analyses for each transaction being put forward for modification or adoption. The SDOs will also continue to collaborate with the subcommittee on their work developing a streamline process for the adoption of modified HIPAA standards and the SDOs will be available to present any further clarifying information on it’s proposal to the subcommittee.
When the NPRM on modifications and emergency processes for HIPAA adoptions is released, the DSMO will review and make any necessary changes to its current change review process to meet any new requirements of the final regulation.
Finally, the DSMO will continue its work overall in assisting NCVHS and HHS on any matters related to HIPAA standards.
This report is a summary of the completed activities from 2006 and the ongoing efforts that will be subject of future reports at the NCVHS meetings. The DSMO, as a collaborative organization, continues to demonstrate its ability to merge both the business and technical perspectives of the transaction standards as well as the emergency change and modification processes. The DSMO remains well positioned to assist the NCVHS and HHS in recommending changes to the HIPAA adopted standards or new HIPAA standards not yet adopted.
The DSMO hopes that you have our report to be helpful to you related to the issues that it has covered. We look forward to continuing to work with you, and I would like to thank you again for the opportunity to present here today and I will be happy to answer any of your questions.
MR. Reynolds: Okay, thank you for your comprehensive report. Any comments?
MR. FITZMAURICE: Just maybe three questions of Nancy. The first one would be: how many changes to the original HIPAA Transactions and their implementation guides have been submitted by the DSMOs to NCVHS? The second question would be: how many have resulted in changes to the relevant HIPAA standards, and thirdly, how many are still pending action by the government?
MS. SPECTOR: So first, how many have been submitted—
MR. FITZMAURICE: Are there like one or two or…
MS. SPECTOR: Well, Michael the second piece of the testimony, which is the status, which is this chart. That will probably answer some of the questions of what has been submitted and where they stand.
MR. FITZMAURICE: Oh, it is a separate document?
MS. SPECTOR: Yes. My question was going to be what timeframe are you interested in?
MR. FITZMAURICE: The DSMOs were started in 2000, right? So here we are in 2007. That timeframe. Have we processed very many of them?
MS. SPECTOR: Actually, page 3 of the report does give an overview of all the change requests that have been submitted and by going back to the initial point, going back to the first change request that came in, and so you can see here the fourth row down, lists the total completed DSMO review. So you can see here how many have made it through the DSMO review process. I do not have in front of me or on hand how many have been submitted through NCVHS from that total number.
MR. FITZMAURICE: What is the total number? I do not have the table in front of me. Is it table 3?
MS. SPECTOR: Table 2.
MR. FITZMAURICE: Okay. So I am looking at 143 total submitted. Total completed as DSMO reviews one hundred two---
MS. SPECTOR: One hundred seventeen---
MR. FITZMAURICE: Roughly 250 if I have it all correct have been completed DSMO review. Have those been sent to the government for some kind of consideration?
MS. SPECTOR: In each of the annual reports, there has been a recommendation if there were any particular actions. I am trying to think. A couple of years ago we did bring forth…Hmm… I do not think anything has resulted in an NPRM though.
MR. FITZMAURICE: So my second question was how many of these changes have resulted in changes to the relevant HIPAA standards. The answer would be zero?
MS. SPECTOR: You wouldn’t go back and change the HIPAA standards that were named except through the addenda that was released in X12. That would have been the first year’s worth of fast track changes. Those were incorporated where they could be.
MR. FITZMAURICE: So maybe that 82?
MS. SPECTOR: Actually, if you switch to page 4 of the report, table 3, this shows the disposition of each of the requests in the different report period. Here you can see B is—It breaks up how each of the change requests were categorized. So you can see, just for example, the maintenance is cost items that do not impact the implementation of a transaction and require no further DSMO action. The “no change” category indicates that the guide already meets the needs of the request or it will be accommodated in a future version of the guide. So you can see how various change requests were categorized into those. Then the modifications category is classified as additions or deletions of data elements, internal core value, five segments, loops, and changes in usage. These are all changes that will need to be accommodated in a future version of the standard. So you can see how many of those—how many of the change requests over the time periods have fallen into that category.
MR. FITZMAURICE: So you are saying that some of these changes have resulted in changes to the relevant HIPAA standards.
MS. SPECTOR: They’ve resulted in changes to the guide. So, a future version of the guide—and I do not have all of this off the top of my head, but my understanding is that these changes that were flagged as needed for future versions most likely have been addressed in the versions that have come since 004010, so 005010 which is now coming through the change request process to be the next adopted version would accommodate these change requests.
MR. FITZMAURICE: So what I am getting at is, is there any backlog by the government or is the government still waiting for some things in order to take any action on the HIPAA standards?
MS. SPECTOR: It is my understanding what would be pending would be adopting the 005010 and the new NCPDP versions. That would accommodate all of these change requests that have been made that required a change.
MR. FITZMAURICE: So, I guess to cut to the chase, if they’re imbedded in the 005010, how long has it been since the government had a draft 005010 from the industry and then what is the time then the government has taken so far to review that and to consider coming out with an NPRM?
MS. SPECTOR: The process is that we receive reports from DSMOs to consider new versions of the standards. So, HHS is not received anything, we would be the first ones to my knowledge receiving recommendations.
MR. FITZMAURICE: So the point is there is not this big backlog and the length of time hasn’t started yet for the government.
MS. GILBERTSON: I am sort of — to my view depends on your definition of a backlog. The DSMOs have made recommendations for changes, which have never been acted on.
MR. FITZMAURICE: By NCVHS you’re---
MS. GILBERTSON: And indeed what we’re seeing is that all of these are now being, at least as I understand this, fumbled into the 005010 which of course is a subject for testimony.
MS. SPECTOR: The DSMO change request from a few years ago which was in the recommendation letter dealing with billing of supplies and professional pharmacy services. That’s a backlog item. It has gone all the way through the committee, gone to HHS as a recommendation letter, and there is no NPRM on that. Not a DSMO change request, but another item is the emergency change process, which is still backlog waiting for an NPRM. Past that, if the DSMO change requests that came in were not part of the fast track in the early 2000’s, every other change request that has been processed is in a future guide. Does that make sense?
MR. FITZMAURICE: It seems to make sense, but it is also painting a picture that things take longer in the government. The government may not have all the information it needs to take action. I am just trying to sort that out as to what could be streamlined and who is waiting on what. I am just not sure.
MS. SPECTOR: Right, well in part of what will now start is based on some of the information I am going to be giving you in a moment. That’s when the clock starts ticking, if you want, because there is the actual requests are coming forward now to the committee which would then go to HHS which would then start the APA process. So, that’s when we really do not want to wait five to seven to ten years.
MR. FITZMAURICE: So we really have a chance in front of us to do right and to do fast? Okay, thank you very much.
MR. REYNOLDS: Simon, did you have a comment? Okay let me ask a question before we go on. This chart. We have not covered this chart yet? Oh, well good. I will like to make one comment. Jeff had me covered earlier, but I would like to make one comment. We had planned for tomorrow to open our discussions on 005010. I think we are going to hear now that the process is still underway to get it ready to come to us. Okay? So, Simon, back to your earlier point. We were scheduled tomorrow to begin that, but I think we’ll hear more. I am saying we will not have discussion on 005010 then. That was pulled from the agenda. Lynne?
MS. GILBERTSON: All right, I am Lynne Gilbertson, the DSMO secretary and reporting to you a status of the change requests that have been brought forward that are related to a recommendation for a new or adopted HIPAA standard. So now we have got some real action items to move forward on based on the industry process. These are included in your report from Nancy, the big thick report, except for a couple that we have just finished processing hot off the press. These are changes that the DSMO have gone through their process and recommended that need to be brought to NCVHS, which is what I am doing today, and then the next steps will start.
As I just go through the chart, the change requests that have come forward are the X12 005010 835, which has—
MR. REYNOLDS: Lynne, can I interrupt you? You say they have come through your process. This is the first time they were coming to us?
MS. GILBERTSON: Correct. So if you read row one of the table, change request 1042, this is for the 835 to move from the 004010 A1 to move to the 005010. It’s status, it has been published by the SDO. It has completed the DSMO process. A survey has been created working with WEDI. The survey was executed by WEDI, and we are now the checkmark of the DSMO requests brought to NCVHS. So, this is the formal request to ask for the 835 005010 to be brought through the HIPAA process. Okay?
Where some of the checkmarks do not exist, this is just us trying to keep track of where things are. This survey has been executed by WEDI. The report is not prepared yet. That would be something you would address with WEDI. We were just trying to keep track of what we knew of the major steps to be. We would assume that this survey would be brought forward to NCVHS at a time convenient and a recommendation created by NCVHS to HHS and then according to the process we’re under right now, the NPRM published. So you can see four of those boxes are left open because they have not been executed yet. Does that make sense before I go on through the chart? No. Okay.
MR. REYNOLDS: It does not make sense to me. We are getting a recommendation, we had tried to set up testimony to explain the 005010 to us and talk through it and that was told. I guess I am struggling as the chair a little bit that we couldn’t get the presentation on what 005010 was but we are getting recommendations that say do the 005010 and so I guess our next step is when will the industry be able to come in and talk to us about—in other words, there is a recommendation on the table and these recommendations if you read this long, lengthy wording here, that is pretty detailed.
MS. GILBERTSON: From what I understand, there was a lot of miscommunication about what—The DSMO hadn’t even brought their recommendation forward yet, so the DSMO would not present on the X12 005010 or on the NCPDP standards. There was some kind of miscommunication of what was supposed to be prepared for the committee, what kind of detail and no one wanted to read the 005010 guides so they were not quite sure what it was being requested to prepare. One of the recommendations is that the SDOs and the industry come back for testimony to actually discuss the use of the new guides and their interpretation.
MR. REYNOLDS: The recommendation part of this document?
MS. GILBERTSON: Yes. All right. So as you travel down the rows, these are the different guides that have been requested to come forward. The next change request is for the X12 837 institutional and professional and dental. You can see by the checkmarks, they are in various degrees. All of these are actually in the same mode of having a survey executed by WEDI. The request is being brought forward.
The 276/277 which is the claim status request and
response is change request 1051. The survey has been created, but at this point it has not been executed.
Page two, the 278, which is the request to review, and the response. We brought forward that. A survey has not been created from what I understand, yet.
Number 1054 is the 837 request, which is the benefit enrollment and maintenance.
Number 1055, switching gears, is a request to move the NCPDP 5.1 standard forward to the D.0 and its batch standard to go with it. The update on 1055 under the “Completed DSMO Process” that has now been completed. We just finished last week or the week before. So that has been done and the recommendation is being brought forward to NCVHS.
Number 1057 on page 3 is a new standard brought forward. This is one of our—we get to walk through the new process rather than a modification do existing. I am not so sure we want to be the guinea pig, but we will try it. This is for a Medicaid subrogation standard implantation guide. This also, under the column “Completed DSMO Process” this was completed last month as well, in April. That has a checkmark. I am sorry?
MR. BLAIR: Lynne, did you say that this is a new standard or that it is a new guide for the standard? I just want to make sure I understand.
MS. GILBERTSON: Well, it is a new—It is new to be named under HIPAA.
MR. BLAIR: It is a new transaction? It is a new transaction standard?
MS. GILBERTSON: New to HIPAA, yes.
MR. REYNOLDS: It is version 3.0, so it is not new, but it is new to HIPAA.
MS. GILBERTSON: Correct. I am not hesitating because I do not want to be confusing.
MR. FITZMAURICE: Lynne, is this the transaction between, let us say the Medicaid state payer and a third party that Medicaid is chasing to get paid something that that other third party was supposed to be covering?
MS. GILBERTSON: Yes. That is correct. It is the pay and chaser. The payer of last resort. Yes. Okay. On 1060 005010 guide of the 820 for payroll deducted in other group premium payment.
Number 1062 is the 005010 270/271 for health care eligibility benefit inquiry and response. These last two have just come forwards, so we wanted to give you that as a status. The DSMO will adjudicate 1060 in June and 1062 in July. They are not being brought forward as recommendations at this point because they’re not done yet.
If you turn to page 4, these are the requests from the DSMO. Change requests checked “DSMO requests brought to NCVHS” in those columns are ready to move through NCVHS and HHS to adoption for X12 and NCPDP TR3s or imp guides, whichever they refer to them as. The request is based on the Change Request Recommendation. This request is not based on the release of a survey or as a result of a survey nor industry rollout as these are outside the DSMO role.
We recommend hearings to determine how the industry prepares and recommends adoption of next versions. For example, do they want a bundled rollout approach verses all transactions implemented on the same date?
We recommend if WEDI is still willing to provide survey information and industry perspective to NCVHS as we have discussed in the past.
We request the SDO streamlining process begin immediately, and we request the modification rule be immediately published with outstanding items.
Those are some of our status list of things that we would like to request be completed. That is all. I realize there are lots of things to think about in here, but we wanted to provide you with status so that we could then move forward for the rest of the year.
MR. REYNOLDS: Okay a streamlining the process going forward. One of the reasons we had set up a discussion on 005010 today was to get us up to speed on 005010 because there is one thing about checking a column here that you are bringing it to us, but us being in context as to what it is—in other words, the first hearing, in my opinion we’re going to have after this. If our goal was to streamline a process is to get all of us up to speed on the 845 or number of changes. What is this really doing to what is already going on out there? Then your recommendation which is to talk about how the industry prepares, so once we come up to speed again on 005010, then I think we can start hearing from the industry, how to do it, what to do, and so on is at least key to me because these things are—you just said, a 0.0. Good. To us, we are still back on so if you had a claims transaction, what is this new version going to do to it, and what does that mean to everyone. Then, when you start talking about implementation which is what you recommend here under 2, we would be in a much better position to begin to make recommendations going forward to HHS with or without a survey or with or without anything. So, that’s our goal. I guess since we talked about the SDO process, I would like to make sure that for this committee, especially with the details of these things that we have concurrently with everything else going on, we have a warm-up period to learn the subject again. Although we hear that 005010 is a number that has been out there, but now the reality of 005010 is what we have to at least have a sense of before I think we start out. That will be a good way to keep the process going faster.
MS. GILBERTSON: I would request that not only the 005010 but perhaps—what the committee would like to hear, I mean, you do not want a 50 page change log of what on between NCPDP 5.1 and D.0 or 004010 and 0005010. So what is it that the organizations can provide to the committee that would be helpful at a high enough level and invitation to those organizations to come to a future session.
MR. REYNOLDS: Well minimally an executive level type discussion about what is the difference between a claim in 004010 and a claim in 005010 and what that might effect people or the same thing with—because again there is 845 changes. Are they minimal? Are they—which ones are the biggest? Which ones make the most impact? What might they do to the industry? In other words, help us understand how we can start building a structure and an understanding to recommend to the secretary and others what we need to do with what we have, and then we can take your specific recommendation and say yes. That is what I would like to make sure we do.
MS. Trudel: Would it be possible to use some of our planning time tomorrow to craft a plan for moving forward or how we would want to hear and to look and how we would want these presentations to look and at what level we would need them at, and then staff can after that go back and liaison with the DSMOs and standards script and WEDI and try to pull that information together so that we have a plan and a timeframe.
MR. REYNOLDS: Yes, I would very much like that because we are pretty action oriented committee and Lynne already put the check in our box. So back to Michael’s earlier point. Those checks gave us a backlog, Michael as far as what we have to do, and that is why we try to jump ahead of it, but now we will catch up as quickly as possible.
DR. COHN: Actually Karen stole some of my thunder, which was obviously a plan. I did want to just observe that obviously there is a conversation about the 005010. This is more than the 005010, and if I were Lynne, I might observe that are pharmacist who consider the NCPDP changes to be every bit as important and probably more important than the 005010 so we need to be—I mean, part of the question is all together or somehow self-belonged. We really are looking at a major upgrade sort of throughout the stand of all of the standards at this point. At least that is what is coming forward from the DSMOs. That is correct.
MR. REYNOLDS: I am sorry. I was not excluding that. I was just using one as an example. Thank you.
MS. GILBERTSON: The actual requests for the executive summary of changes from the SDOs can provide that level of detail. The DSMO recognized—I mean, we are only one step in the process of the change request has come forward, we are following the process of the due diligence and then the recommendation, but industry surveys, industry readiness, industry input, even things related to recommendations that came in from HIPAA one of let’s not do this again in the future kind of recommendations need to be looked at and determined what is the industry if the industry can have at least a voice, maybe two or three voices? What is it they want going forward? The SDOs have completed the work, and the membership have made the recommendations to bring the standards forward, but now we need industry involvement.
MR. REYNOLDS: We are more than prepared to—We understand who we need to talk to. We need to learn first. In the future, if there is any uncertainty on items, I would appreciate one of the chairs, co-chairs being contacted if necessary to do that. Jeffery you had a comment?
MR. BLAIR: Lynne you have testified to us frequently. You have prepared packages and educated us many times before and you have been very helpful. You really understand your needs really well, and this seems to be an array of updates and some new standards that I am wondering is there anything that we need to understand in terms of crafting about how we learn about this that is different than the others and the other times where we have gone through this process?
MS. GILBERTSON: One of my favorite expressions is “the wisdom of Solomon and the patience of Job” because the standards are prepared, changes come forward, business needs are beginning to be met because people can see here is how I do it in the new standard, but now we have the implementation questions and how to get a voice or two from the industry from what makes sense to move forward and do you make the same mistakes if they were mistakes in HIPAA 1 as you do in HIPAA 2 because that is the way it is just going to proceed. You cannot make everybody happy. Implementing, if you stagger, rollout some people are not going to be happy. If you throw it all on one date, some people are not going to be happy. That’s the part I am not real sure what the industry, if there is such thing, has a voice as what they want. Everybody wants change and nobody wants to change. So, how do you find that out from testimony as what are things that were actually not done as well as they could have in the first round of HIPAA that we can fix, and what are things that we just have to stop grumbling and move forward kind of action. So that is something that is going to be interesting to sort of tease out of testimony, and it may be by asking direct questions, asking people to submit responses ahead of time that you can look at, definitely working with WEDI and what they are trying to do with outreach to the industry and get these surveys. One of the things we are struggling with too now is you do a survey now in 2007 and one of the questions is: when can we start implementing these transactions?
In the pharmacy industry we have a lot of “changes” because of Medicare part D.
MR. BLAIR: Harry had made the suggestion that we probably need an executive overview and I—let me echo that because there is so many aspects of this. I think we are a little bit overwhelmed by trying to figure out how to put together in order to figure out the most efficient way to receive the proper testimony. I think that Simon and Karen had suggested that we take the plan in meeting to sort this out.
MR. REYNOLDS: We will touch more on this tomorrow. We are running a little bit behind, I would like to thank both of you for what you submitted and we will talk about this again, obviously, tomorrow. We will take a 15-minute break and start back at eleven o’clock. Thank you.
[The meeting has adjourned for a break.]
Agenda Item: e-Prescribing Pilots Report
MR. REYNOLDS: Okay, we have got a group of presenters and we need to move somebody over to the other side of the table. We will go with one person per chair. The subject is our e-Prescribing Pilots Report. Do you want to just go in the order that you are listed on the agenda, or is there some prescribed order? We will leave the five of you to do the prescribed order. How’s that?
DR. WHITE: That sounds perfect. Let me introduce myself to the group. My name is Jon White. We are here today to discuss the MMA mandated electronic prescribing standards pilots projects and evaluation and subsequent report to congress. We have quite a group assembled here to talk to you about that today. What arrived, the past two years have been amazing. We are—today is Mayday, but most appropriate because literally its two years to the day when we got a call from CMS saying, hey so can we talk to you about the pilot projects, and talking turned into doing. It has been a—for what we at AHRQ are used to as far as research and development, a fairly rapid cycle. I think there have been in addition to the subject specific discussion, I think there is a wonderful discussion to be had about some of the pros and cons of he process that happened. So I am looking forward to having a discussion with you about that today.
What you are going to hear from our powatears and our evaluators, I want you to hear knowing that I feel pride tempered with humility. A lot of folks have invested a lot of blood, sweat, tears, and hair follicles into what we have done here. I think that there is a lot of work to be proud of, and I think there is a lot more work yet ahead of us. I am looking forward to a fairly robust discussion of that.
As the group that started a lot of this work, and congress notwithstanding, I really invite your reflections, and I know we only have an hour to discuss this. We will try to do this relatively rapidly, but I am really hoping to get some thoughtful reflections from you all kind of end to end views of this process, and what you think worked well and what you didn’t and what you might recommend for the future. There are so many people to thank today. I am not going to be able to actually get to everybody, but what I would like to do is this: if in some way you are involved with these projects, I would like you to stand here in the room. In essence, there are about five you that did not stand.
MR. REYNOLDS: Some of us are tired.
DR. WHITE: The point is that there are an extraordinary spectrum of individuals, institutions, stake holders that were represented through these processes. I am not going to go painfully into detail about that now, but it just represents a fairly broad swath of work so I want to thank everybody that has been involved with that.
Who you are going to hear today does not represent the entirety of the piloters. There was simply not enough time to do that. In woo of that, we have selected Doug Bell who is going to present to you first. Doug was selected because although all the pilots focused on the standards. We kind of unanimously felt that the RAN project really did the best job of focusing on the standards and is one sample but you will hear more about the group’s discussion of the standards. Next, you will hear from Mike Bordelon and Shelly Grace who are involved with what we kind of refer to as the long-term care project. They were different than everybody else but had some real significant findings related to electronic prescribing and particularly in the long-term care setting, which I think are quite exciting. Representing the entire evaluation team from the national resource center is Chelle Wooley. She is here and is a shining example of what represents many different individuals who are involved with this. Finally, I will take the floor for a brief period of time and give you what I think are some observations related to what I think I have seem come out of the work, and then we would invite your reflections back on that. Before everybody starts, I just want to make it absolutely clear that CMS, although I am standing here talking to you as the prime instigator—no, our absolute partner funder soul mates in this and we are grateful for everybody’s efforts at CMS to make this move forward. There was significant mountain moving to make this happen. I have enjoyed every step of the way. With that, I will turn you over to the very capable Dr. Bell.
DR. BELL: I would like to thank the committee for inviting me here, and Jon, very much. What I wanted to do is just to go through each of the six initial standards that we were charged with evaluating and show you some of the results that I think would provide some depth to what is in the report that you already have from Secretary Leavitt. I think if you look at that report, there is one or two paragraphs of analysis on each standard that is really a great distillation. I have a tremendous amount of information. I would commend the report to you and commend the secretaries and the secretary’s office and Newark for distilling a tremendous amount if information.
With that, I am just going to skate through. I have 20 slides here. I am going to go kind of fast in the interest of time. First, just show you really quickly our coalition, and I can really only speak in detail to our own results. The New Jersey e-Prescribing Action Coalition is a group we put together for purposes of this pilot study that involved Horizon Blue Cross and Blue Shield and Care Mark among health plans and payers. We had the e-Prescribing vendors iScribe in all SCRIPT. We had both RxHub and SureScripts involved and then for the evaluation, ran the consulting firm point-of-care partners and UMDNJ. The physician participants were all participating in a preexisting e-Prescribing program that Horizon Blue Cross Blue Shield had started that actually installed, paid for installation and also paid an honorarium for physicians to use it. They had targeted 1,000 physicians. I just also wanted to mention to our conceptual model, and just to keep in mind thinking about how an information standard, which is a very low level thing can project effects on health care outcomes ultimately, but it is important to think about the steps by which that could happen. The structure of the standard has to some how change the information that is displayed in the encounter. That has to change work process and then it is only that in turn the changes outcomes.
This slide shows each of the six standards and the methods, which we use to evaluate these. I am not going to go through all of these different methods. We tried to tailor the evaluation of each standard for its level of current adoption. I just bolded a few of the things that I want to show you today. For the two standards that are really commonly in use already within our coalition, which is the medication history. I want to focus today on the expert panel results and claims data analysis and results from our web survey of physicians. For the Fill Status notification standard, that was not in use. We conducted focus groups among prescribers to look at how they would use the information that they get through fill status in a way that would be different than what they do—what the currently have available for medication history. I will also show you some extra panel results. For Prior Authorization, we built a working prototype of a Prior Authorization system for Horizon Drugs and I am going to focus especially on this sort of information level results that we have looking at the HL7 claims attachment, which is really the heart of where the clinical information is carried in the proposed Prior Authorization standards. I will look at how that compared with the forms that we had to deal with for Horizon. Then, we will talk about Rx Norm and the lab mapping analysis that we did and then the lab analysis that we did of the structured and codified SIG standard. So those are the six standards.
Diving right in: Medication history—
DR. OVERHAGE: Before you launch too far into it, one thing I hope that you comment on as you go forward is when you have expert panel review, one of the things we find in these standards are that the content turns out to be much more of a barrier than the structure. One of the challenges with expert panel review is that you are sort of looking at a “idealized” case in terms of content. I hope you will be able to comment as you go through on the limitations that you might have encountered in the evaluation in the situations where you had to rely on expert panel.
DR. WHITE: Doug has about five or six minutes left to present. That might be something that we would want him to comment more in the question answer period, but he might not necessarily want to take to much time during his presentation.
DR. BELL: Yes, Mark, I am sorry you do not have my slides actually. I will try to get those to you as soon as possible. The expert panel very much talked about the content, and not just the structure. We thought that the content and the current functioning of the system really is not even just the standard and the content, it is how well the system is linked up and functioning. That was all discussed by members of the panel. I do not have a slide about who is on the panel, but we had thirteen organizations that represented different points in the transactions so point of care vendors, the backend PBMs and the switches are Sub and SureScripts that we are passing information. So, we considered the organization to e the unit of participation on the panel so it wasn’t individual people. So just really quickly, highlighting a few of the issues for medication history that the expert panel brought up. There were technical problems that hindered its—especially that hindered reconciliation of medication history data that the pox are pulling in with the existing prescriptions. The key thing for being able to use medication history is that the downloaded data from the PBM for instance has to be reconciled with the prescriptions that have been generated out of the system. That is a difficult process because many of the fields in the standard are optional. They are often left empty in the medication history. So, things like the prescriber ID, the SIG, the quantity dispense, the pharmacy that dispensed it- we are often left empty, and this added to the challenge. Also, NDC Codes were pure drug identifiers and often the NDC Code could not be mapped to the internal code that the POX used because of the noise and the—you may be familiar with it, it exists in NDC Codes. Also, patient IDs had to be retrieved from the 270-271 eligibility transaction, and that transaction often fails because people just are not in RxHubs master patient index, although that is growing. The net result was that some vendors have given up on trying to reconcile medication history with their internal data, and that means they really drive alerts only from their internal data and they are not using medication history in the way that it could be. All panelists enthusiastically supported Rx Norm as an important improvement on NDC Codes for medication history.
We also conducted a prescriber survey of 411 physicians. In the end the respondents were 139 e-Prescribers and 89 non-E-prescribers who we recruited from the waiting list, but they had not yet turned on e-Prescribing. Just a few results, we asked them to rate the information that they have about medication history, and I am just showing you the percent that agree or strongly agree to the following to the following statements. They said the information I have about medication history enables identifying clinically important drug interactions. E-prescribers did agree to that more. 83% said that medication history helps versus 67%. 68% said it prevents callbacks for safety problems versus 54%. Of course these people, for the non-E-prescribers, the information they have is just whatever is in their chart. So, we wanted to set up a comparison that way. So, there was a statistically significant difference there, but there is no difference in identifying medications from other physicians, which is really what you would expect medication history to really help with. Actually, if you go on to the other finding I have up here, only 37% of the E-prescribers said that they were familiar with how to get out the medication history data in their system. Often, this feature to review the medication history that was downloaded from the PBM was buried to some extent inside the system, and only 37% of people said that they were familiar with how to get that information, and then only 16% of those said that they used it often or very often. Only 39% of those said that the data is complete for most patients. They also didn’t think—Those who did know how to get to it thought it wasn’t complete.
We think what is going on in these other questions is that people see the medication history that they have prescribed and they do not really distinguish that very well with the downloaded medication history. So at least the medication history that they have prescribed, they do see as providing some benefits. So that is the prescriber survey. Three minutes? Okay. I will just really have to go very fast.
We found technical issues with the Formulary and Benefit standard from the expert panel as well. Again, NDC Codes were an issue. Plan identifiers were an issue, and a big issue was the plan level coverage was not the same as group or patient level coverage so for Horizon, they only publish one formulary through formulary benefit standard, but actually there are a hundred or variations on that for different groups within Horizon. Another issue is that the different compliments are used to different extents. The formulary status list is used very widely, and I am showing you the number of downloads per month that are sub-serves. The alternatives list the coverage limitations and what I think is one of the most important is the co-pay list which will give you the most specific information that the physician aught to have is rarely used.
I am going to skip this except for to say that in the prescriber survey, we really didn’t see that they had any perceived effect of the Formulary and Benefit standard. This information was not giving them—they didn’t perceive that it was saving them time or reducing callbacks. When they rated—for among the e-prescribers we asked them, how much does the drug coverage information help you in these different ways? In general, there was a lot of neutrality and some degree of disagreement about whether it helps manage patient’s costs, reduce the need to change prescriptions, reduces calls, saves time, etc.
One other thing, for Formulary and Benefit is we did analyze claims to see whether there appeared to be any shift toward more generic drug use or toward more on formulary versus off formulary drug use, and we have about three million prescription claims from E-prescribers and controls, which are basically all of the non-E-prescribers who are Horizon providers with not the same inclusion criteria. I am not going to go through this in any detail except for to say that we focused in particular on new ace inhibitors starts to look for generic—whether e-Prescribing had influenced generic use. Throughout the period we were looking from 2003 to 2006. There were generic and brand options available in the ace inhibitor category.
We found that if you looked from pre to post activation among high users of the e-Prescribing system, there was a jump in their generic drug use for new ace inhibitors with an odds ratio of 2.3, but that only applied to 20% of prescribers who were in this high use category. For those who are medium users or low users, which we defined as up to 50 electronic prescriptions per month for Horizon patients. There was not a significant jump, although there was a strong overall secular trend toward greater generic use. I guess I am seeing some frowns, but I have very little time left so I will—
MR. REYNOLDS: We are willing to spend a little more time with you. This is a big deal. You have done a lot of great work. If there are things you need, please point them out as we go along, but we would really like to hear from you.
DR. COHN: A real quick question based on your stratification there. We are all trying how 50 users a month is a high user, and a medium user can be categorized as 12 to 50, which seems to me to be a low user. I just wondered.
DR. BELL: It is a fairly low user, but unfortunately we didn’t have, and we are actually trying to still get better data on this. All we had was the absolute count of electronic prescriptions per month. We didn’t have the ideal—at least on a month by month basis of the total number of claims so we are going back to look at that. It has been difficult even in their own analyses Horizon and Caremark to link an E-prescription from the system to a claim, and so they have been hesitant to report out what the percentage is. We have figured out ways of doing that, but basically the people in this group were almost all above 20% it looks like in the greater than 50 group. Almost all but 20% of their prescriptions being written electronically, which is still not a very high number. That means that probably 80% of the physicians were writing south of 30% of their prescriptions anyways through the system. The bottom line is there is a lot of paper prescribing still continuing and some people install the system and never use it at all. There is a pretty good proportion of that within the users that we have.
DR. WARREN: Yes, implicitly the e-Prescribing physicians, a lot of them still used paper even when they were in this trial?
DR. BELL: Correct.
DR. WARREN: You do not know what percentage or why they chose to E-prescribe and why they chose to do paper?
DR. BELL: We have some survey results on that actually. It’s a great segue because we did ask them. I think they did significantly over-reported if you look at the actual data versus what they said in the survey, but here is what they said in the survey. We asked, to what extent do you use the prescribing system? We gave them three options. These are the two participating vendors. They said—so iScribe users, 48% said I use the system to write all of my prescriptions except for schedule 2 which they cannot. 40% said I use the system to write some prescription, and 12% said I no longer use the system. For AllScripts it was actually a little bit shifted toward some use. The AllScripts group was quite a bit smaller. When we asked in followup, does your staff use—because we found the pattern in our site visits that the physicians sometimes the physicians stopped using it but the staff would still use the system to transmit prescriptions, which of course circumvent some of the alerting. Nobody admitted to having their staff use the system. Some of the nonusers did. We asked them why do they continue using paper prescriptions and here were the ratings they gave to each of these possible reasons. This is just the percentage. Patients not being in the PDA, cannot use the PDA because of technical problems, I get too busy were the top reasons. Pharmacies do not reliably receive and process the prescriptions, system interfered with my established office work flow- there was some agreement to that, the system takes too much of my time, the system takes too much of my staff’s time was actually less of a deal. We had more questions than that, but these are probably the key ones. That is all I was going to say about formulary benefit medication history.
On Fill Status, our expert panel brought up several issues. I guess this is just a technical issue that I put up here. The script reference number is really important to being able to reconcile again the data that you would pull in. This is data on a specific prescription that comes back. There aught to be a script reference number so you can reference that data back to the original prescription. Sometimes it is an optional field. For the few that had tried this, that was an issue that it comes back missing sometimes. The bigger issue was that there was no marketplace demand. People said things that even if a physician wants it, who is going to pay for it? The burden of handling a patient opt-in or opt-out could be significant. It seemed like that would be an important thing for patients to say, no I do not want data to come back on whether the medication is filled or not, but one panelist said the process of setting up and maintaining the opt-in and opt-out indicator would be significant. Numerous interfacing systems would need to change. Another panelist did say that something could be designed for it, and I think that having a patient opt-in or opt-out of this is probably something on which we should do more research. Another issue thought that the panelists raised is that if you have this opt-in or opt-out, you may not be able to rely on getting either a dispensed message or a not dispensed message. As you may know, the Fill Status has each of those options so the idea would be that after a certain amount of time is elapsed when you sent a prescription, you would get back a not dispensed message if it had never been filled. One panelist said if patients are opting in or opting out, then if the physician does not get a fill response, what does that physician know? Well maybe the patient opted out. They cannot really determine that it was filled, and they cannot determine wasn’t filled. There are some logistical and logical problems with Fill Status.
Now in the focus groups we did with providers, these were all AllScripts users and we presented storyboard prototypes that showed them what could be done with Fill Status that they couldn’t do with medication history in terms of adherence alerting. So basically alerting when a patient hasn’t picked something up or there may be an adherence problem. The providers had some significant concerns. Basically, these alerts imply the need for some kind of telephone followup because you would be getting them back in real time after some amount of time it elapsed, and this implied that there would be some new and probably unpaid work for physicians and staff in doing what these adherence problems as they crop up. They were also concerned—some of them were concerned about medical legal liability that could occur for nonadherence. So, if the patient had a heart attack and they were not taking their medications there would potentially be evidence in the chart or evidence that a transaction had been sent back telling the doctor that there had been nonadherence and they would be in trouble. There were possible mitigating factors that could make Fill Status work better. If the prescriber could control which medications are alerted and how long we need to elapse, that was something that might help if it could be a small subset of really important medications. If those alerts could be delivered during an actual followup visit then there would be a mechanism where a telephone call wouldn’t actually be required. That might be more acceptable. Of course, if you do wait for a followup visit medication history might be able to substitute for Fill Status transactions because the medication history is typically downloaded right before a patient’s scheduled visit, so you might be able to do some of the same information with that other transaction. That’s what we had on Fill Status.
Jus to move right along, Prior Authorization. In our surveys and site visits, we found a strong demand for electronic Prior Authorization and the processed improvements that could potentially come. 91% of surveys of physician surveys agreed or strongly agreed that the PA process is frustrating for them and for their patients. People said things like I hate Prior Authorization because of the time they take. Interesting that they also admitted readily that they stretched the truth in order to get Prior Authorization. They said things would basically have to say what the insurance people want to hear, and another person said I frequently lie, yell, or scream to get the drugs authorized. But when we looked at the data elements that had sort of been prescribed in the HL7 PA attachment and compared that with the data that we needed to collect to accomplish Prior Authorization for Horizon, there was very little correspondence. I will not go into any detail on that, but even most of the drugs, I believe only 2 out of the 7 drugs that HL7 had worked out PA data elements for had required Horizon Prior Authorization and Horizon of course required Prior Authorization for many drugs that the HL7 had not anticipated, so there is very little overlap even at that level. Then even when you looked within those drugs or the data elements, there was not a lot of correspondence. One of the points I wanted to make though was that Horizon and Caremark were very interested in the wording of the PA questions and that really, to my mind, means the wording of how you collect questions from a physician anyway influences the meaning of the data, but HL7’s approach was that they were not prescribing the wording of the questions, that they were collecting these sort of abstract data elements and it was up to the vendors to decide how they wanted to word questions to collect those data elements, so that was a mismatch right there. There are also some issues with ICD9 codes being inadequate. We did develop a working prototype module both within AllScripts and iScribe and we did role that out. There were eight to ten weeks for physicians to use it and there was very little use, which we had talked more about. We have very little evidence from actual use.
Moving on to Rx Norm. We did a lab study where First DataBank, Medisven, and us each independently took a large sample of prescriptions and new prescriptions and renewals and try to map them to Rx Norm SCDs. There should be one SCD for each drug concept, one Symantec clinical drug. That is the idea of Rx Norm really is to have one unique identifier for each clinical drug concept that you would prescribe. So here is how it turns out. We look for how many prescriptions will have no match. Basically, we exclude device prescriptions because that is explicitly outside the scope of Rx Norm. We had 9,700 non-device new prescriptions and 10,000 non-device renewal requests, and out of those only 1.5% of the news and 0.5% of the renewal requests had no matching SCD that any of the three independent matches could find, basically. Most actually had an SCD found by three out of three matching attempts. 91-97% basically had three out of three matches found. So Rx Norm was relatively complete although not absolutely complete. If you looked at what was missing from Rx Norm, 93% of the drug concepts that we are missing from Rx Norm were multivitamins, bowel preps, or drugs packaged in a drug delivery device. I will just mention that this drug delivery device thing is being include now in Rx Norm. We also looked at mismatches because it is important to have agreement of course if independent companies were to use Rx Norm and we found basically a mismatch rate around 5%. Around 5% of the time, when you took the same prescription two different companies got two different SCDs basically. We try to drill them. What are the root causes of that? Basically 20% of the time, there were two SCDs in Rx Norm. There were actually synonyms. It should have been eliminated essentially because the idea in Rx Norm is that one concept identifier. 20% of the time, those had already been identified, and at least one of the vendors was using an outdated version of Rx Norm. There were another 30% where the synonymy had not yet been recognized when we went over it with the National Library of Medicine. They flagged those right away and they are putting in place a process for people to identify synonymy and bring it to their attention. Then the rest of them were just outright errors in the mapping from the NDC Code to the SCD where basically erroneous NDC Codes are still floating around out there from previous versions. If you look at the NDC Codes that different sources have and that the FDA has. They do not always match up. There are errors out there. Rx Norm cannot really do anything about that. That is what I have on Rx Norm.
Finally, structuring codified SIG. We took a sample of 43 SIGs that we selected from 10,000 SIGs that we had. We selected these purposefully to try to represent the breadth of what we need to be represented in the SIGS. SIGS have this notion of repeats. So, out of the 42, only 15 had no repeats, and the repeats make it much more complicated. So we drilled in on the SIGs that didn’t have a repeat. A repeat would be if you have a prescription, say for Zithromax that you say two pills today and then one pill a day—That gets represented in a SIG standard is two separate repeats of the whole sequence. We just drilled in on those that did not have more than one repeat. There was very poor agreement among those 15. These are the 13 segments of the SIG standard. Out of—We had 3 reviewers for each one, so if all 3 agreed on a particular prescription’s SIG, the count is here. If 2 out of the 3 agreed it is here, and of none of the three agreed if they all three were different it is here. Basically, for this repeating SIG is not applicable, so I left that blank. For the dose segment, out of the 15 SIGs, only 3 of those SIGs were represented in the same way by all 3 reviewers. Ten had only 2 reviewers in agreement and two of those SIGS had no reviewers in agreement. You can kind of just look down at the rest of these segments and see how little agreement there was within each segment in the way that these 3 reviewers—these 3 reviewers were all people who had been involved, at least to some extent, in the standard development although some more than others. One of the reviewers we considered to be our gold standard reviewer and the other two were not the gold standard. There was still very little agreement within any of these segments on how it should be used. For the other 27, if you just looked at how many repeats people use, there wasn’t even very much agreement on that. It was from one to six iterations and it did very widely. That is all I will say about SIG.
Just in conclusion very quickly, for medication history and for formulary benefit, the standards are technically adequate. There are a lot of fields and ways to use it that work, but in general they are falling short of their promise because of the implementation primarily. For Fill Status there are significant concerns raised, not so much with the technical side, but with the value. It may have promise for focused uses for specific adherence programs for instance. For Prior Authorization, more research is really needed on how to represent the data that one needs to make a PA decision. For Rx Norm, here is a strong need to have Rx Norm available, and it seems to hold significant promise and there seems to be a path forward for NOM to complete it really and get that last 1.5% done. For SIG, we found that it was difficult to use consistently and our suggestion that somehow the standard be simplified. So that is it.
DR. WHITE: I am going to suggest two things. One, that we hold questions till the end. Two, I want to ask Harry for a time check. It is eleven forty-five.
MR. REYNOLDS: You have thirty minutes.
DR. WHITE: Thirty minutes. So we have two presentations remaining and then questions for the group. I just want to observe, by the way, that synonymy is illegal in most states except for New Jersey and Los Angeles. With that, we will turn to our colleagues from the Long-Term Care project.
MR. BORDELON: As Shelley is bringing this up, a little quick introduction for both of us. My name is Mike Bordelon. I was the original principal investigator for this project. I left Achieve Health Care, which is the company that we were doing the project through in October, but stayed involved with the project and Shelley took over as the principal investigator. I think we are officially co-pi’s or I am the co-pi and she is the pi or something like that, but basically we collaborated together to get the project done. I know we are short on time, but I want to do a quick note on just all the people that made this happen. CMS, NCVHS, Evaluation contractors, the additional money we got from the ASCP Foundation to study Prior Authorization. That was a huge biz for the project. NCPDP and their continual drive and excellence around getting these standards getting moved through the whole process.
A quick review of what happened last year. It was a real whirlwind for us. You have to remember we started with nothing. There was no infrastructure in place. There had never been a standard space to e-Prescribing implementation in Long-Term Care before. We first of all had to figure out what the heck these e-Prescribing standards were all about and then put together a study with providers and pharmacies and vendors and everybody to get all this built and studied in a pretty short period of time. I think the project was pretty successful in validating the e-Prescribing standards with how well they work in the LTC setting. Some of them are similar to Dr. Bell’s analysis worked well. Some of them still have opportunities for improvement. We personally believe that long-term care is a very important area of study for e-Prescribing as a huge opportunity for savings in the health care industry by applying Long-Term standards and the ability to study this in Long-Term Care last year is a great way for us to be able to show the impact that this is going to have.
One other little comment here, we didn’t study all of the standards. Last year, it was mostly time and financial constraints. We did study scripts, Formulary Benefits, the Telecom Standard, Fill Status, Electronic Prior Authorization, but we did not study medication history, Rx Norm or codified SIG. The things that we did study, they were full implementations in the real world environment with real users using them. We didn’t do any laboratory tests. I think that was real testament to the bullheadedness of the team to push the development work all the way out into the field, get it implemented so that we could really study it in a live environment.
MS. GRACE: And one note I want to make, because of the time constraints, we have actually provided you with a little bit more lengthy presentation that contains some information, and what we put together is just a truncated version because of time. The slides do not exactly match what you have on your paper.
MR. BORDELON: An important note about this project is that we, even before we implemented we knew that some of the standards were not going to survive through Long-Term Care, specifically SCRIPT 8.1 needed some work. At the time, I was the task group leader for the Long-Term Care e-Prescribing group at NCPDP and we pushed four new derfs through the process and those are all in varying stages of the NCPDP process. Some are already to ballot and I think are getting voted on this month. Some may take as long as out in August. By the end of the summer, all four of the standards should be certified and in version 10.1 and we should be in a position where we can say with 10.1 that all of the standards are adequate for supporting the Long-Term Care e-Prescribing.
This is a slide I presented last year. This is kind of a famous slide now. This is some work that was done at NCPDP, and it does show the complexity of what we are faced into in Long-Term Care. But it also implies there is also huge opportunity. One of the hardest things that we are faced into is the three TEARS of communications. The physician working through the nursing home, then communicating and coordinating to the pharmacy. That is a lot harder then just a direct from physician to pharmacy interaction that you see in the ambulatory space. It also is a—when you leverage electronic capabilities, you can get much more streamline workflow and communication and reduce a lot of errors. We actually have an order of magnitude more opportunity for problems. That was the before picture, and this is what we actually implemented. As I said earlier, we went all the way. Everything we implemented went out in the field and got tested by real users and by real pharmacists, nurses—now important note is that we didn’t have that big of a doctor adoption, but we did have every script in the two facilities that we studied went through the electronic prescribing process. It was either done by the nurses and agent, or by the nurse practitioners in the facility. The Nurse Practitioners were doing true e-Prescribing. We used Rx Hub as our switch. We connected back to Blue Cross Blue Shield in Minnesota for the Formulary and Benefits but also to get Prior Authorization. We implemented an unsolicited authorization model and all of this fed right into the Long-Term Care Pharmacy System without any duplicate entry. These were not faxes coming over and being retyped in. They came into cues and the pharmacist processed some, and it will all stay electronic. We also implemented an electronic—it really demonstrated an electronic refill process. 80% of the scripts that are filled in Long-Term Care are from refills of ongoing orders. We felt it was important to demonstrate that technology could be used to facilitate that process in addition to the new cancel and change scripts that go through the e-Prescribing process.
MS. GRACE: What we wanted to touch on briefly is really what were the impacts of Electronic Prescribing. Again, as Mike pointed out, we did this in an actual live facility with real residents. What we found is that in the facilities that we tested, many nursing homes use some from of physician’s orders. In many situations you will find that they are inputting some from of medical records so they know what to dispense to the residents. We found that because they were already used to inputting this type of information that it was not as disruptive as we thought. However, there was a significant benefit because in the past, they had never been presented with formulary or benefit information. They also were not presented with patient safety information. We found that being able to present that information up front, it did allow them to change and make critical decisions much earlier in the prescribing process. One of the things that we have found is that integration with the clinical system was critical. The adoption is very dependant upon a facility being able to use this in their workflow. In this case it was fully integrated. When you start trying to impose a system that has to have data in two places, you have reduced a lot of the proposed benefits to the facility. That was one real critical finding. Because in the past, even though many facilities used physician’s orders and med orders, they end up printing out the prescription and faxing it to the pharmacy, and that is where you get that what we call the spaghetti slide because there is so much re-work that has to be done with the order getting to the pharmacy and not understanding it. All those issues. So, by being able to present the information up front and electronically transmitted, they did find that there was quite a significant reduction in the re-work that had to happen with those orders once they arrived.
Prescriber adoption is critical. Again, as Mike
pointed out, the advantage we have in Long-Term Care is that we do have the nurses and agent model. However, the advantage of Formulary and Patient Safety is much higher if you are actually presenting it to the prescriber. One of the things that we keep touching on, we have been doing a number of subsequent pilots is trying to get the prescribers to actually participate because we are finding once they use the system, and they see the benefits, the adoption rate goes up. It is getting over that hurdle of getting them to do that.
On the pharmacy side, the efficiencies were that not only did the med information came over but the resident demographic information came over as well. So, there was significant amount of information that came directly into the pharmacy system. The pharmacists do not have to re-key all that information and a lot of the Formulary and Benefit information is there as well. For new orders, straight forward orders, discontinued orders, and readmissions that was very beneficial to the pharmacy because we were able to communicate if a resident was discontinuing orders. We could also communicate that they were planning to be readmitted so they might put them on hold, but not discontinue them completely. One point I want to make is Fill Status is something that may not seem as advantageous in the ambulatory market, but in Long-Term Care it is critical because often when a prescription gets to the pharmacy, the actual dispense is different. Right now, the only way to get that back in the resident record is manually to re-enter it. By using Fill Status for us, we were able to populate the resident record with the change which the facility found very beneficial. SO again, one of the key difference between the ambulatory market and the Long-Term Care market.
Some of the challenges we found, as Dr. Bell alluded to, because we didn’t test the codified SIG when you find combination orders which represent multiple orders in a facility, but one order to the pharmacy because they can only bill one time. We had to find work arounds. We are working on some options for that right now, and some subsequent releases. It is still one of the challenging pieces in the marketplace.
Transcription accuracy. Again, when you are using the nurses and agents, no matter how that prescription is communicating to that nurse, when you are using a prescriber, it is different, but with a nurse, you have to make sure that the workflow has the check and balance system, so that what was put into the system was what the prescriber meant. So, we have put some of those checks and balances in by making sure that if it is non-prescriber that there is an authorization step that has to happen to make sure that that med was exactly what the prescriber intended.
Timely transmission on admission orders, this is more of a workflow issue. In the facilities, when residents are admitted often there is a large group that are admitted at the end of the day. Hospitals tend to check residents out and they will all come in somewhere around the end of the day. They are so busy getting the residents in that often times getting the med orders in the system are not necessarily the first priority. So, working with the facilities to help them understand how they can adjust workflow is a really critical piece. So the pharmacy didn’t get those orders at too late in the end of their day. One of the critical findings here is that there do need to be workflow changes and we need to work with facility and pharmacy to make those changes.
I think that, just some real key points here. The nurses and agent, as we said, it does work technically. However, the more we can push prescriber adoption, the more safety that you are going to introduce into the system and the more benefit you are going to get.
Leadership is absolutely critical both in a
facility and pharmacy side. People do not like to change. We all know that. The more we have leadership from the top that said, yes, we are committed to this. We want to do this, the more the adoption was successful.
Formulary and benefit standards worked very well in this setting and we did prove, with some modifications, that these standards do work in Long-Term Care.
Prior Authorization is really critical if we are
going to get to an electronic health record because it is still one of the biggest challenges because so many of the meds in Long-Term Care require prior-op. Yet, there is a small set of data that most of the payers want. It is just that we have to get them to agree on what that set is and how do we transmit it in a way that makes it simpler.
What we see with prior-op is that the payers consensus and participation is the greatest challenge in that there is going to be a significant amount of leadership required from all sectors in order to move this forward. If we are going to get to an EHR, it is something we are going to need to do.
Closing thoughts, I will give you a couple and then Mike will do the same. The biggest challenge right now is making sure that we move forward on these standards. As we speak, there are many non-standard projects that underway in Long-Term Care because people are trying very hard to streamline this process.
MR. BORDELON: I think there is almost a myth in some ways that the industry is not able to make investments in this kind of really high tech type of capabilities, and LTC is making these investments. The big providers—if you go out in the field and talk to the big providers and the big pharmacies, they are all working on e-Mar systems, on electronic prescribing, all of these things. What we all need to really be conscious about—there was a lot of discussion about the timeframe it takes to get all of these things approved. In the intercom, the risk is that people are out there building proprietary solutions. There is going to be a reinvestment by the industry. Those investments are happening right now. We can get them aligned. It is going to save a lot of money and heartache over the long term.
MS. GRACE: Thanks, Mike. I agree. One of the other challenges with this very proprietary movement is both of the facilities and pharmacies get very confused about all of the competing solutions that are out there. So, the challenges are then they do nothing because they are afraid to adopt anything because they do not know whether it will be standard or not. If they are investing in technology that will not move forward, so you will not see adoption of this, and then you will not see the EHR come to fruition in the timeframe we would like. You also will not see some of the safety advantages if we can not get these standards in place.
Just a couple of other quick points. The advantage we have in Long-Term Care is that you have a much small group of vendors, both on the facility side and on the pharmacy side. As Mike pointed out, in this bullet point, there is basically five key Long-Term Care pharmacy software providers. By having those five agree to this standard, you have over 95% of the market. That is huge. It is significantly different than the ambulatory market. The same is really true on the front end. You have got, probably ten critical players in this market place, and there is a lot of consolidation. So again, just adoption of basic standards can really impact a lot of this market.
The last point I will make, and I will turn it again over to Mike, is that these standards really move us a long way towards the electronic health record and Long-Term Care. So, we cannot emphasize enough how important we think they are.
MR. BORDELON: I feel like we are getting on a soap box a little bit, but we have an opportunity so we are going to take it. E-Prescribing is a big part of EHR. Long-Term Care is not in the CCHIT Certification Realm yet, but it needs to move there quickly. It is just as important as any of the other sectors. Any prescribing, I think, should be a key part of that whole certification process. Again, as I mentioned earlier, time legislation is going to keep these nonproprietary solutions from evolving. Prior Authorization needs to continue to be an important focus for us here. That has a much opportunity to save money as a lot of the other things and save lives. We need to keep focus there.
Back to what Shelley was saying, because there are so few vendors here, some modest investment by the government whether that is the reimbursement or pay for performance or some process will really help accelerate what really should be a relatively modest investment for the return to Medicare and to the industry in general. I think that, in my opinion, there should be a sense of urgency about driving to that and helping accelerate some of these things as soon as possible.
MS. WOOLEY: I want to thank you for inviting me to participate today. I have had over a decade of involvement in health information exchange, electronic health information exchange, it was really a privilege to be part of this team, working with CMS and the opportunity to visit and observe what was going on with each of the pilots. I don’t consider myself an evaluator. I consider myself more of a reporter. The opportunity to see what was happening at thee individual pilot sites first hand and then to be able to compare and contrast across the five different pilot sites.
What I’m going to focus is not the standards part, which is what I focused on in the reporting, nut of the, what we call the other outcomes.
Each of five grantees participating e-Prescribing Pilots were all expected to test the six standard, initial standards as you have heard summarized, and Doug you did a great job at that. They were giving vast flexibility and latitude in testing what we call the other outcomes of e-Prescribing. Those are things such as the Prescriber Uptake, Satisfaction, Workflow Changes, Impacts on Callbacks between the Physicians, the pharmacies, and the PBMs. The use of e-Prescribing functions including Medication History, Change in Fill Status, Use of Unformulary or Generic Medications, and the Impact on Medication Errors.
The grantees had mostly completed their reporting of the standards part of their evaluation, of their pilot tests. However, at the time of the writing of our intern report, many of the grantees were still compiling and analyzing the results of their other outcomes. The other outcome results and the understanding the impact e-Prescribing has on areas outside of the standards themselves are really critical and truly focusing on a culture of acceptance and adoption by all stakeholders in this process. Like the lessons learned from other demonstrations of Electronic Health Information Exchange in order to have a sustainable environment for exchanging health information, putting the right information in thee hands of the right individuals at the right time. It is dependant on both the technological architecture and the adherence to the use of common standards as well as the policies, the business rules, and the culture of trust and collaboration between all of the different stake holders that need to drive those technological design decisions.
Nearly achieving success in the agreement of which standards to use for e-Prescribing is not going to necessarily move the information where it needs to be. That is, enables better care for patients, improved efficiency for the physician and the pharmacy. Without addressing the challenges that face the various stakeholders in the process in terms of workflow changes, additional requisite investments, establishment of trust and collaboration among the various players, we have only solved half of the equation. I want to talk about just two of the outcomes that impact physician adoption and long-term sustainability of e-Prescribing.
The first is medication history. A key example is related to the utilization of the features and functions enabled by the standards for e-Prescribing and Dr. Bell did talk and show you some examples of the implementation. Overall, the pilot’s findings demonstrated poor adoption of dissfunctionality even though this transaction has been implemented by a vast majority of the e-Prescribing technology vendors over the last several years. The availability of patients’ medication history can enable prescribers and pharmacists to prevent medication errors by checking for duplication of existing drugs or therapeutic class and potential drug-drug interactions. Three of the pilot sites specifically tracked how frequently prescribers access medication history information via the e-Prescribing system and overall data quality as ability and completeness of the standard. There was agreement that medication history data errors are rare, but given the flexibility as Dr. Bell mentioned, in naming important data elements as optional in the data transaction specification, some key information may be missing including prescriber’s identity, the SIG, the quantity dispensed, and the name of the dispensing pharmacy.
Another contributor to the low-adoption rate is that each application uses a different reference to identify this feature in the software. So, physicians weren’t necessarily sure where that information, or how to access the medication history, even though it was available within the application that they were using. But for the physicians who were using e-Prescribing medication history function prior to and during the pilot testing, they found this information useful.
Some of the positive comments from physicians surveyed during the pilot testing related to accessibility of the information, ability to view medications across multiple prescribers, ability to track potential drug abuse and doctor shopping, assistance with medical decision making, and the ability to review a more comprehensive list with their patients. So, they use this as a tool to engage in a more high quality dialogue with their patient around their medication use.
Traditional inpatient CPO systems have shown that when prescribers have a unified view of active prescriptions, there is a decrease in the overall number of prescribed medications. Overall this is considered an improvement in the quality of care as medications become more coordinated and drug-drug interactions are less likely to occur.
This is also an infamous workflow model. The point I want to talk about here is physician workflow. Our hope for e-Prescribing is that it would improve workflow for both prescribers and pharmacists. Widespread adoption of e-Prescribing is going to require that prescribers realize these improvements in workflow or other proceed benefits of e-Prescribing are large enough to counteract any negative impact on workflow. What we found in these pilot evaluation is not only is it important to focus on the physician workflow, most importantly it is also—we need to focus on the pharmacy workflow. It is not enough a physician to be using electronic tools to send prescriptions electronically to the pharmacy if the pharmacies are not ready and up and running to accept those electronically.
Pharmacy workflow was impacted negatively in several pharmacy chains. Despite current thinking, the vast majority of pharmacy chains, stores, and one of the pilot areas did not carry out true e-Prescribing. In this case, the pharmacies had the capability, but in reality reported that they generally printed out the prescriptions they received electronically, subsequently, and then re-entered them into their pharmacy system introducing yet another potential error point. One of the most important findings of the pilots was the high rate of surrogate based e-Prescribing. We talked about that earlier. Engaging surrogates around e-Prescribing appeared to be a remarkably winning strategy for driving practice option. If the surrogate based workflow makes sense for a practice in the beginning of an implementation that it worked for a specific reason intended to persist exhibiting a long-term sustainable change.
Implementation of e-Prescribing does have the potential to dramatically change prescriber and pharmacy workflow also with positive impacts but some negative consequences may occur as well. Additional long-term successful adoption and acceptance of e-Prescribing is going to require a commitment to upfront training and education of all key stake holders. I want to say that the success of adoption of e-Prescribing is going to rely on the commitment or training and education upfront of all the stake holders in the e-Prescribing process.
Striving for a streamline end-to-end interoperable flow of information in real time requires careful coordination, collaboration, and ongoing education amongst these stakeholders. We are at a turning point yet not quite all the way where we need to be. CMS continues to have a critical role to play to make sure that we reach our final destination. The result will be better patient care, improved efficiencies in both prescriber and pharmacy workflow, and the reduced cost of healthcare delivery and healthier Americans. A set of goals I think are worthy of pursuing. Thank you for your time.
DR. WHITE: I am going to talk for about two minutes. You just heard several person years of work. Several thousand pages of results summarized for you in about an hour’s period of time. It does not do justice to everything that has been done. The results already speak for themselves. There are a couple of key points that I want to probably reinforce that have already been made. Some of the standards are deemed technically acceptable. Those standards that were not deemed technically acceptable are still really critical to moving us forward. You’ve heard that, I just wanted to put a bow on it, that those standards must be moved forward if we are to achieve some of the promise that we hope for. I think I would point out that there were some constraints placed on us through the legislation and through some kind of key decisions about how these had to be funded through cooperative agreements which are grants. I think there were some benefits too that have left a lot of good work on the table, and I think had constrained us. I think some of the folks here around the table have suffered because of that. That is not terribly pleasing to me, but I think that as we move forward, we all look at ways to address some of those issues. I think that a really great infrastructure has been built. By that, this is a real neat example of federal industry stakeholder collaboration. While not perfect, they really majorly moved us forward in a way that I had not necessarily seen before. I would love to see that continue. The final think I would like to leave you with is that beneath this intimidating bureaucratic exterior lurks the heart of a clinician and a family doctor, and while I really like standards, I mean, standards are a means to an end and bring a quality of care. I really remain committed to e-Prescribing as a means to move that forward. I think there is a lot of work to address, and I’ll leave it at that.
MR. REYNOLDS: Great job all of you. Jeff you have a question and then if anybody has a necessary question.
MR. BLAIR: I’m just going to be as fast as I can. I am interested in how we accelerate the adoption of Rx Norm. You indicated the pretty good shape, even the mapping had only 1.5 percent that did not map. What are your recommendations for what are our next steps with Rx Norm to accelerate adoption?
DR. BELL: I think the National Library of Medicine is moving ahead with addressing some of the shortcomings that were found, but I think the industry really needs to be alerted to the value. When I talked about doing subsequent studies with people in the industry, there is still a low level of awareness of the value of Rx Norm and I think some more pilot studies of actual implementation would help to demonstrate the benefits. For instance, even just looking at a Formulary and Benefit, the Formulary and Benefits files as they exist today are humongous and potentially using Rx Norm could drastically reduce the size of those files, make them more manageable, and then hopefully enable more detail to be distributed. That would potentially be a lab study that could be done.
MR. BLAIR: Other than a pilots, are there any specific incentives or—it sounded like the impediments in terms of completion of Rx Norm or mapping. That is getting down to a very low level. That is not much of a barrier anymore. I’m just wondering if there is anything you see in terms of overcoming some other impediments. You said education and awareness. Is there an incentive to accelerate that?
DR. BELL: That is a good question. The standards already have fields for Rx Norm so the standards don’t actually have to be changed for Rx Norm to start being used. It just would have to start getting used. There would need to be enough critical mass within the industry. So how that would be incentives, you would think that once the industry saw the advantages that it would just be lower cost for them to use it, that maybe there wouldn’t some additional insensitive or guard rails put up even.
DR. WHITE: I guess what I would say is that, given the pilots found Rx Norm almost but not quite technically acceptable yet. I think that there aught to be a clearer statement of what needs to be done to make it technically acceptable based on what has happened in the pilots and then make that happen and then propose it for adoption.
DR. BELL: I think demonstrating really how it would be used in a live environment is probably necessary.
MR. REYNOLDS: Okay, Judy, you have a comment? Then Michael you have the last question.
DR. WARREN: Based on this, one of the things that I am struck by is when you start looking at the research on EHR failures. You come up with the same three key pieces that were identified in these studies. There are areas that we really don’t know much about and I would love to see more research. What we did prove is the standards were a good start. There are only a couple of places where they seemed to fail. What comes out key for this is no one really looked at the human computer interface because people could not find things within the applications so they did not know how to use them. Two, workflow has got to be considered before you can integrate any kind of electronic information management in clinical care, so we really need to look at, do we just change the current paperwork flow or do we do something that is really innovative and turn it around? Finally, it is the issue of training and commitment. Having personally been involved in training and commitment, trying to get people to those sessions and getting them there, all the stakeholders, you will have other certain categories that only will come kicking and screaming and some of them not even them, that we need to do some research about how to get commitment and training to use these systems, or all the work in developing standards—all of the work in evolving electronic systems, the software innovations that we have made are really not going to get us anywhere until we can handle those three issues. So, I would love to see some grant things coming out of addressing those as kind of a followup to some of this.
MR. REYNOLDS: Michael.
MR. FITZMAURICE: I have some of the same thoughts as Judy had. Two points. One is that for Rx Norm, I would suggest that maybe Rx Norm is being used as a rollup of the NDC Codes and maybe there needs to be an industry developed or maybe in partnership with NLM, classification of Rx Norm to rule up so you can order—show me the list of all beta-blockers, show me the list of all ace-inhibitors. Those might be two suggestions.
My comment is—or my comment question is that we have seen a very good framework, good collaboration, and a lot of good hypothesis that have been developed but not enough sample size or time for collaboration to test those hypotheses. I am talking about things other than just the standards themselves, although the standards themselves need more time. Are there any plans to find this pilot, or new pilot to show the efficiency, the quality of care, the patient safety, and patient outcomes perhaps with federal partners. I’ll address that to Jon but anybody else can answer it. Jon is probably the biggest federal partner. I would also say that this framework and collaboration have come up because a CMS approach to AHRQ and AHRQ contributed gladly of its expertise. Without that partnership right up front, it would not have happened. The two people I see, Jon and Karen here, have been remarkable at making this happen.
DR. WHITE: Briefly, we had some pending funding opportunities and grants. Applications have been received and are going to go through review and may before the end of the fiscal year. We did not specifically ask for follow on work to the e-Prescribing work because we did not know what was going to be said at the time that we wrote the FOAs. There will probably be future opportunities for us to design funding opportunities, but they will come for fiscal year ’08 or later. Hopefully we will get some good work in under what we have currently got. That is as far as I am going to go without committing myself to future funding streams. Anybody else?
MS. TRUDEL: I am just going to grab the chance to thank AHRQ and everybody who participated in the pilots and NRC and say that there really are three things we need to do in the future. One is to push forward with potentially proposed rule for additional standards. Two, is to work on the non-selected standards and see what we can do sure up their shortcomings, and three is to use what we learned in the pilots to start addressing some of the implementation challenges in the part d environment. Some of those things we can do internally to CMS. In other cases we would need to partner and we are looking around to find all sources within HHS to start to address some of those things whether it be working AHRQ, whether it be partnering with a QIOs, etc.
DR. CARR: I just wanted to make a brief observation. First, I want to compliment the fantastic work. It is just tremendously exciting giant step. I think, putting my physician hat on, as we look at electron health records, I think one of the things that is striking is the clinical 15-minute with the patient has now been compressed because physicians have new responsibilities of things they have to do. These things might often be done at the end of the day or work-arounds and sort of multitasking. But now the electronic interaction forces them in the moment so I think that is something that we have to think about. Also, doctors are giving work to nurses, nurses to doctors to pharmacists. Everybody is giving somebody else a new job. All of which is merging into the new environment, but I second what Judy was saying that we have to pay attention to this, because when you hear about what is available, but the resistance. We have got to make that user friendly so the doctor is not losing his opportunity to talk to the patient.
MR. REYNOLDS: Michael, I would like to make one comment. You were asking about adoption. I think there is a lot of other work being done around the country on this and I think that as people are doing it in individual areas, figuring better ways to group up so there is more adoption across a wider spectrum. So if Medicaid is doing something in an area, then everybody else gets involved, or if Medicare is doing it then payers get involved. I know we are seeing that in our state. I think getting a ground swell because the second and third and fourth person in—it is a whole lot cheaper for them to get in than the first person that paid for the technology, the infrastructure, and the implementation, and so those are things I think we need to take advantage of other than just the pilots which you have done a marvelous job. But I think playing off of that is going to make adoption happen a lot faster than just waiting for a particular entity to come up forward with some money and say let us make this go.
MR. FITZMAURICE: That is a good point. Maybe we should talk about that in our planning retreat and bring some of those others in.
MR. REYNOLDS: No question about that.
MS. WOOLEY: I agree with you and I commend CMS for having a strong requirement for physicians who are doing e-Prescribing to follow the standards. My point would be that physicians are not going to do one thing for their Medicare part d patients and do something else for their non-Medicare patients. If we can train, get that commitment, educate physicians—it should not impact workflow. It should not require additional work for the physician or staff. It should actually expedite and create better relationships and better opportunities to interact with their patients for providing high quality care. If done right, it think that there is a win for all the stakeholders.
MR. REYNOLDS: Okay, we are going to break for lunch and be back at 1:30. Prior to that, I think this group would definitely need a round of applause. Thank you for what you did. All right, we will be back at 1:30, and we will try to do the NPI in an hour and fifteen minutes since we are familiar with that subject.
[The meeting has adjourned for lunch.]
MR. REYNOLDS: Okay starting this afternoon, it is an update on NPI and a discussion of the Contingency Guidance and we have Karen Trudel, by popular demand, and Mike Ubl who will be representing WEDI. Karen, I understand you are going first and then Mike if you would go ahead and introduce yourself once you get prepared to make your statement. So, Karen?
Agenda Item: Update on NPI and Discussion of Contingency Guidance
MS. TRUDEL: I do not actually have very much to communicate except to do a brief update of the Contingency Planning guidance that has gone out. We did release the general Contingency Guidance, and it applies to all covered entities and shortly thereafter released Medicare’s Contingency Plan. We had one free audio conference on the Contingency guidance in general where we had over 7,000 locations register in advance. We will be doing, I believe next, another audio conference on the Medicare Contingency Fee For Service plan specifically. We are continuing to reach out to the industry directly, and in partnership with WEDI and others to send out messages, we still do have just a little over 2 million providers enumerated and are continuing to get lots of questions about what the Contingency Guidance and the Medicare Contingency Plan means. We are rolling out information as quickly as we can on our website and have generally heard a lot of positive feedback that HHS did go ahead and provide the ability for Contingency Planning and that really does give the industry a fair amount of time to move ahead and do what they need to do.
MR. FITZMAURICE: I was very favorable when CMS went out with a First Contingency Plan for transactions and code sets, and you had a measure that—we have got 90% compliance, 95% compliance, 99% compliance. We think that everybody should be able to do it now. Here is the end of our Contingency Plan. Do you have a similar kind of metric whereby you can measure how close you think the industry is to meeting the requirements of the National Provider Identifier and being able to use it so that at some point, you say this measure has gotten large enough, I think that we can chop off the legacy IDs and insist just on the NPI.
MS. TRUDEL: CMS never did measure compliance in terms of the transactions and code sets industry wide. We did that for our own Medicare for service line of business and we will continue to do that for NPI, and that will be one of the indicators that we will be looking at periodically as we said in the guidance that we will be assessing that periodically to make a decision. First of all, when to require that claims must have an NPI on them, and then whenever the decision is appropriate to cease the Contingency Plan all together.
MR. REYNOLDS: I thought that the guidance I read pretty much had set a hard stop for Medicare of May of ’08. In other words, it talked about a transition from the old number to the old and new number and then the guidance I was going through said as of May of ’08, it would have to be the NPI.
MS. TRUDEL: The Contingency Guidance in general puts that hard stop of May ’08. It does permit covered entities to cease part or all of their contingency operations at any point earlier than that. One of the things we are most interested in is providers obtaining their NPIs and being able to use them. That will be one of the first things that we will be looking at.
MR. REYNOLDS: If somebody is a Medicare Contractor, they still could go all the way to May of ’08 because that is what the guidance was, right?
MS. TRUDEL: The Medicare contractors, the decision to end the paper service contingency would be made across the board for all Medicare contractors, not on a contractor by contractor basis.
MR. REYNOLDS: Okay, Mike.
MR. UBL: Good afternoon everyone. I represent WEDI and I am going to try to give you some contextual information on kind of what we have been doing and I am going to also kind of give you some information about some surveys and some work that we have done.
You should have a transcript of my testimony. I am going to kind of go through this. I will probably make a couple comments along the way. We can open up for questions at the end.
Chairpersons and members of the subcommittee, I am Mike Ubl. I am the Director of eHealth and IT Strategy with Blue Cross Blue Shield of Minnesota (the largest health plan in Minnesota). I also serve in the WEDI Board of Directors. Also, part of my job at Blue Cross is all about HIPAA. I have been involved with running the HIPAA flipper program office since 2000. I kind of have been living through this journey, if you will, much like most of you I suspect.
At the request of NCVHS, WEDI recently conducted its fourth National Provider ID Readiness Assessment survey so we can report on industry readiness. The survey was conducted between April 2nd and April 13th. I would like to thank you for the opportunity to present testimony on behalf of WEDI concerning the findings from this survey. As a point of reference, WEDI’s four NPI Readiness Assessment surveys were conducted during the following periods. We have actually been very involved in trying to monitor progress in the industry, over the last year in particular. Our first major survey was administered in May of ’06. We followed that up with one in October of ’06, one in January, and then most recently the one now in April.
WEDI provided testimony to NCVHS on this topic back on January 24, 2007. At that time, WEDI provided its assessment of NPI readiness across the industry based upon the results from the second survey, which actually was conducted in October. The information I want to share with you today will focus on the progress made by the industry in just the past three months. So it is going to be looking at the information from the third survey in January to the most recent survey now in April.
Under the Summary of Survey Findings, I am pleased to say that we are starting to see some progress and variety of areas while at the same time the data continues to confirm that many within the industry will not be ready to fully implement the use of NPIs by May 23rd of this year. From a demographic perspective, there were fewer returned surveys in April, about 840 versus 1,100 in January. Most of the decrease actually was centered in the healthcare providers area. We saw some increases in the health plan and clearinghouse respondents. There were 866 provider survey and responses in January as opposed to 560 in April. The number of health plan respondents increased from 156 to 181. The drop in responses from the healthcare providers could be attributed to a shorter timeframe, this was a couple days shorter than the last one so we had a little shorter length of time. One thing we did run into is just overlap a lot with Easter and Spring Break so we ran into a lot of situations where people just weren’t available. I can vouch for that. Even at Blue Cross we had a lot of people out at the particular timeframe. Bad time I guess in some cases. But that is what it is. The mix of participants are similar in each survey. Due to limitations in the survey tool used by WEDI, any given survey responder has the option of skipping individual questions. Hence, the information provided is going to be presented in terms of percentages, reflecting the results of those who responded to an individual survey topic.
The table on the following page provides some perspective on industry progress over the past three months. I want to emphasize that WEDI believes survey participants represent, what I’m going to call the more diligent part of the industry. Those organizations that are probably more focused on NPI, they have a thorough understanding, they have had a game plan in place and they are executing against it, and as a result, I think the information viewed here should be considered more of a more optimistic scenario.
The number of providers in the survey that obtained their NPI improved from 95% to 97% of respondents. One can expect the last couple of steps in reaching 100% to be the most arduous. I think this is a very positive step in that we are really starting to see wrap-up in terms of number of NPIs being issued and providers giving out their IDs. There are certainly going to be stragglers and I think we are at that straggler phase right now.
The number of providers that have shared their NPIs with health plans showed a significant increase from 25% to 49%. Certainly good progress but still far short of where we need to be. It is kind of interesting when you look at 97% of the providers have got their ID number, but only half of them have been passing to trading partner. I think that is a pretty important note at this point.
Provider capability to support NPI transaction processing has jumped considerably. Some examples would be providers able to submit claims with dual-identifiers improved from 25% to 52%. Providers able to submit claims with NPI only improved from 4% to 19%. Providers able to accept a remittance with NPI only jumped 7% to 26%.
On the other hand, health plans have also seen some significant results, I think, in this past three months. Health plans are now able to accept claims of dual-identifiers is up to 75%.
Health plans able to accept claims with NPI only almost tripled from 13% to 34%, and health plans able to send a remittance with NPI only improved from 4% to 21%.
I think the thing, if we look at this survey, when you look at what has happened, we are sort of viewing this thing in terms of individual organization capability. The industry has demonstrated real progress. So, each individual organization, when you look at the work that has got to be done inside, we are seeing progress. They are getting work done. They are getting their NPIs. They are starting to share that information. Health plans are getting cross-walked and tables and so on put together. However, when you look at the actual transaction volume, where you are actually interchanging data, between a provider and a health plan, the volume of claims where you see an NPI is still pretty darn small. So there is work being done internal, much progress being made, but we haven’t shipped them significantly with a significant effort for the next stage of actually starting to move that data back and forth on the transaction.
As you can see here 78% of the health plans reported that 25% or less of their incoming electronic claims contain an NPI. That is pretty large. A number of those is probably less than 5% or 10%. The decrease is an improvement of only 7%, so back in January, 85% of the health plan said 25% had claims with 25% or less with claims of an NPI on it. We are seeing a little bit of a shift. We are starting to see more NPIs and their claims, but not the dramatic increases that we need to start seeing here going forward.
The table itself has a number of different categories, things that we are trying to track on the survey. We could talk about that in detail later. There are other specific attributes that the committee might like to have tracked, we could certainly discuss that and we can incorporate that into future surveys. When we look at all of this though, there are some key outstanding issues that I want to sort of bring to the committee for some discussion. In the past 12 months there has been really a difficult time for the industry with regard to NPI Implementation. I think we can all agree with that. WEDI commends NCVHS for its leadership role in bringing together a wide variety of industry groups and listening to the challenges based by healthcare organizations across the country. It is certainly no small task in what has turned out to be an incredibly complex issue, in our industry. For your efforts, I want to express my appreciation on behalf of WEDI and the organization that it represents. The Contingency guidance announced by CMS back on April 2nd was certainly welcome news. I want to assure you that WEDI and its members do not take the NPI situation lightly. Recent discussion with my colleagues in the industry indicate there is no letup on the work efforts right now. I think we are at a tipping point where things are starting to wrap-up. There is a lot of work happening. Also, people are starting to see where the real problems are. I think that’s important. The information provided today confirms we have a long uphill battle ahead. We will continue with our education and outreach efforts within WEDI. There are several issues I would like to bring to your attention as we prepare for the Contingency Period after May 23rd.
Here are sort of the key items. The first one is NPPES Dissemination. This is certainly an ongoing problem. No surprise to anyone. I understand the final regulatory language is currently under review by OMB. However, lack of access to a central course for NPI information is a significant problem. Providers do not always have a clear understand about, how, and to whom they should share an NPI. Labs and pharmacies face a similar problems without access to NPPES, there is not a way for may labs and pharmacies to generate a payable claim because referring, ordering, and prescribing providers are required on claims going forward.
As a result, I think when we look at the CMS must provide an operational system that supports timely access to NPPES data for industry constituents. Our recommendations are as follows: CMS published the NPPES Dissemination notice as quickly as possible. We also believe the CMS should also establish a thirty day time period for public comment. WEDI is positioned and ready to partner with CMS on this item. With our industry presence, WEDI can quickly convene representatives from across the health industry to review and provide feedback on the proposed process, I think in a very timely fashion. Thirdly, we believe that NPPES should provide a system solution with electronic access to NPI data no later than 120 days after the publication of the NPI Dissemination notice. It might be a little bit of a tight timeline, but I think we need to move quickly on this to try and move things forward. I don’t think this is slowing down healthcare organizations from testing and working with one another. It certainly is a barrier to turn in the switch and getting into a production mode, and people want to make sure they have crosswalks built and complete with all the information they need. That is one big item.
The second one has to do with UPIN numbers. CMS
has announced that UPIN numbers will no longer be issued after May 23, 2007. In addition, access to the UPIN file will be discontinued by June 2007. This creates a serious problem for providers/health plans that currently use the UPIN as a legacy number for claim adjudication and payment. I could speak for Minnesota that we have some large healthcare providers who use UPIN for this purpose. Based on a recent listserv activity, I can safely conclude that Minnesota is not the only sate facing this particular problem.
Therefore, WEDI would recommend that CMS implement
the following: continue issuing UPIN numbers beyond May 23, 2007, constant with the NPI Contingency Guidance announced on April 2nd. Given that this is a number widely utilized by the industry (beyond Medicare), issuance should continue until May 23, 2008. Providers that use UPIN as their legacy number, will not migrate to business operational use of NPIs until sometime after May 23, 2007, will need an ability to acquire UPIN number for new service providers that they add to their staff.
Second, continue to maintain and make available the subscription UPIN database through the Contingency Period and ensure that the UPIN online registry capability continues through the full contingency period also.
Implementation of these steps will prevent the potential for business interruptions during the contingency period, and allow healthcare organizations to focus their resources on a primary goal of NPI compliance by May 23, 2008.
The third issue has to do with variations in the duration of individual Contingency Plans. The CMS contingency guidance states that entities may elect to end their contingency plan priors to May 23, 2008. In principle, this is sound rational thinking. However, entities should exercise discretion in discontinuing the contingency plan unilaterally if it pulls a significant risk to business operations with some if its business ends on those partners during the contingency period. As an industry, we need to adopt a goal of getting through NPI compliance—an NPI contingency period with all entities compliant, while not disrupting business operations. Business continuity should be viewed as a high priority and not just simply NPI compliance during the contingency period.
WEDI would recommend the following. CMS issue and FAQ or additional guidance that advises caution on unilateral ending of contingency periods. Unilateral ending places undue business continuity burdens on those trading partners who are still dealing with third parties who are not ending contingency periods. So whether from the perspective of accepting 837s or accepting 835s or both, it is advisable that key trading partners collaborate around the timing for discontinuation.
Second, health plans should communicate their contingency plans to their trading partners as quickly as possible. WEDI wants to recognize the action taken by CMS Medicare on this subject. On April 20, 2007, CMS published its NPI Contingency Plan for Medicare Fee For Service. WEDI applauds CMS for its leadership role in communicating its own contingency plan, and encourages health plans to follow this example of CMS. Early communication of contingency plan in a clear and concise manner will insure a smooth transition to NPI compliance.
Third, CMS collaborate with National Provider Outreach Initiative (NPIOI) on creating an NPI Transition Plan that provides guidance to the industry on achieve NPI compliance.
In conclusion, I want to assure NCVHS that the industry is making progress. WEDI intends to continue with its NPI Readiness Assessment surveys every quarter through May 2008. We will monitor and update both CMS and NCVHS on our survey innings as well as escalate important issues as they arise. Thank you fro your time today. WEDI looks forward to working closely with CMS and completing the long journey to NPI industry compliance during the contingency period between May 23, 2007 and May 23, 2008. Thank you.
MR. REYNOLDS: Before I turn it over to Jeff, Jeff wants to start the questioning. One of the things I would like the committee to think about is we appreciate the concise testimony and we have got a good forty-five minutes to discuss this, which is good as we think about it if we need that much. But also, the WEDI letter has some recommendations and one of the things that we stated as we sent our last letter forward to the secretary is that we would continue to hold hearings and forward guidance as we felt necessary. I think it is important as we do this next forty-five minutes of discussion that we figure out whether or not there is anything out of what we heard today that warrants us to put something together because we would want whatever we did to be probably the full committee in June. It sure isn’t going to help in September. It is something that we need to do, so that obviously puts a timeframe in front of us that is aggressive, but I think that this is a subject that we are well enough versed on that doing what we need to do could happen. I would like everybody as you do your questioning, as you think through this, this subject, that we need to promptly today know whether or not we feel there is anything else we need to say further than we have already set forward and that is already in the guidance that has come out on the contingency and so on as a group. I wanted to put that out there so that we make sure that our questions and our discussion gets us to that point so we don’t walk out of here and go whoops, we should have done something. Okay? So with that, Jeff, please start the questioning.
MR. BLAIR: Michael thank you for very helpful information. I would like a little bit of help or guidance knowing that you could help me with a level of confidence that I’ve had with certain of the numbers. The 97% of providers that have IDs, do you feel like that was representative in particular? Were you able to get physicians in small or rural practices to respond to that number, or should we have a little bit of a mental adjustment on that piece.
MR. UBL: We did see a good cross-section of providers from large hospitals systems to small providers from large hospital systems to smaller providers and so on and so forth. My experience with this survey process is that most of the entities that have responded have the normally aggressive players in terms of moving towards NPI Compliance. I think there is a certain segment of the industry that has not moved that quickly. So hence, I think that 95%, 97% is a somewhat optimistic view. It is based upon just the data we got from the respondent from the surveys.
MR. BLAIR: Let me ask the corollary of this is some of the numbers that at least appeared to me a little bit low, with respect to payers, maybe that understates the actual coverage because maybe the larger payers might be ready and some of the smaller ones might—what level of confidence should I have in those numbers?
MR. UBL: I would say that there is probably a higher level of confidence there simply because one, there is not as many health plans as there are providers across the country. We did have 180 plus health plans that responded. I would say that, from a health plan standpoint, it is fairly representative of what the industry looks like.
MR. BLAIR: Thank you.
MR. REYNOLDS: Mike, to help along that line, as far as in a state, what is the highest you have seen as WEDI has looked at it, not necessarily a survey, of the amount of numbers in a particular state, the providers that have gotten their numbers. What has been the highest do you think?
MR. UBL: I don’t have that by state. We are probably at about 75% maybe 80%. We have been tracking it month by month and it keeps going up.
MR. REYNOLDS: And how about percent of claims?
MR. UBL: Less than 20, though it is small.
MR. REYNOLDS: The second number, the percent of claims is pretty well consistent across the country even though other people may not have as many numbers.
MR. UBL: That is what I am seeing from our personal standpoint at Blue Cross and talking to some organizations. We did not go through that statistically in our surveys.
MR. REYNOLDS: Okay. I have a couple more questions. I think, when you talk about the contingency, I couldn’t get a sense where you talk about the timing of the contingencies coming off, and you said that there needs to be prudence and thought. In other words, if CMS pulls it off earlier than someone else, what does that do? If CMS pulls it off later than others do, what does—I couldn’t get a sense whether WEDI was recommending that there should be a—different than the other HIPAA that we did. Should there be a singular date where anybody goes to NPI?
MR. UBL: I think that where we are at in our position on this is that, because everybody is operating on different schedules right now. I really don’t think we are going to see everybody march to the beat of a single drum date-by-date. The emphasis that we want to make here in this contingency planning is that we ask that healthcare organizations pay due diligence in taking a look at the trading partners that they are doing business with and not sort of decree an end to their contingency plan in a way that could potentially disrupt business operations for their training partners. That was really the part—
MR. REYNOLDS: But different from the transactions? Do the providers really have a capability to send some people the NPI and others not? Are the systems out there and the real capabilities that sophisticated. In the past, when we did the transactions you could have two different streams. I’m sending the whole transaction this way or the whole transaction that way. Now you are talking about individual pieces of data.
MR. UBL: That is part of the struggle.
MR. REYNOLDS: That is why I’m asking this question.
MR. UBL: I think it was addressed already in the Fee For Service contingency program when they were identifying primary providers versus secondary providers. That part of the process that needs to be addressed so when organizations are declaring end of the contingency plan, those types of activities need to be kept in mind moving forward. Organizations may end up going to a point of sort of saying by a certain date, I want to say all the primary care providers needs to be NPI. That is fair game. Every organization should be able to sort of declare their contingency plan. I think one of the things we said in here is that the industry needs to follow the lead that CMS has done and get their contingency plan documented and communicated so they know where their trading partners need to be working towards. If that is not going to get done, than shame on us. Those are just basic communications that need to be in place. Then, I think once that is done, trading partners need to sort of work with each other and arrive at a common date, if you will, where they will reach NPI compliance. Obviously, you made May 23, 2008 end of the show. It could happen sooner, but let us make sure we have contingency plans documented and we are communicating with one another without someone unilaterally pulling a plug and in putting people in jeopardy.
MR. REYNOLDS: Any other hands? To both of you, you and Karen, on the UPIN, the recommendation here is that if somebody has not completely implemented their NPI, then they would need to continue to use UPIN to do business. That is what I think this is saying, and I there is a hard stop. I understand where WEDI is coming from, but Karen, I guess any insight you could give us and not speaking only on the subject not necessarily answering for CMS. I was just really trying to understand, because with that twelve months, there is still business that has to be conducted and that is what contingencies are all about.
MS. TRUDEL: I am really not familiar with the UPIN continuation plans.
MR. REYNOLDS: That would seem to me to be one recommendation out of this testimony that we have to give serious consideration to from WEDI’s survey as to whether or not—at least send that forward for serious consideration because if a new doctor—well, whatever occurs, if UPIN has been the mode of doing business, the reason you do contingencies is to sustain the current mode of doing business. Not promote it, sustain it. Two different words. That may be a recommendation that we might consider unless somebody around the table knows a significant issue with that because it sounds like a logical argument. Michael?
MR. FITZMAURICE: I guess I see it as two points. One as if we were to be the Czar or whatever, how are we to know when it is time to end the contingency plan? Secondly, do we end at the same for everybody, large plans, small plans, large providers, small providers or not?
MR. REYNOLDS: Let us drill on the discussion of UPIN. We could be in a situation that when at the latest of May of 2008, UPIN is gone because anybody between now and then aught to be able to get an NPI, aught to be able to get ready. The contingencies are out there so I wouldn’t be at all concerned about setting that as an end date. If you are going to leave UPIN alive, if you don’t put a hard stop on when it is going away then people can say I am staying in contingency forever. I think that may be a consideration. If we were to make a recommendation going forward that we do think about a hard stop. Now back to your point Michael, and the reason I was asking the question earlier. The sophistication of systems, especially as you get to the smaller ones is going to decide whether or not they can do it two different ways. I don’t see the sophistication in some of those office practice management systems that is going to be able to pull that off. If one or the other stops the contingency before that group is ready, it is going to be interesting—
MR. FITZMAURICE: I suppose I am practice and I take in a new doc, and I do it in July, and that new doc can not get a UPIN anymore and my system has to handle the NPI. So, I see push coming to shove, much before from this coming May.
MR. REYNOLDS: No I agree, it happens May 23 of this year. What Mike is saying in the end of June, it goes away completely. If somebody is hired as a new doctor in July 1 and they’re not NPI ready, they got a problem. That is what I think your testimony was saying. It is not good or bad, that is just what I thought the testimony was saying.
MR. FITZMAURICE: I think it is probably a matter of fact at this point. Do we recommend that CMS extend the time period for giving a new UPIN. No, because that is a driving factor in doing all of this. Do they fill it with 99999 and say this our 999 doctor and create their own contingency. The industry will work something out, bit eventually vendors will have to find a way to get NPIs in a system before they get UPINs. They have had some time to do it. This gives them some more time to do it, and in the short term you have some workarounds, and the longer term, you have got to get the NPI in there.
MR. REYNOLDS: We have three sets of recommendations from WEDI. Under the NPPES, we are on record a number of times about that the dissemination notice should be put out as quickly as possible. I’m not sure as a committee that that is a necessary addition to another letter. I think we have said plenty unless—I am throwing that out as a physician. I am not directing anything. There is a whole group around the table. Everybody needs to jump in. I’m trying to look at these three recommendations and say what do we say? What don’t we say? Which do we step away from? Which ones we do not step away from? I am asking a question.
MR. FITZMAURICE: I was going to suggest that it might be very mild as of the state. We noticed that the NPPES is available, but we have every confidence that it will be available shortly.
MR. REYNOLDS: I hope you never get mad at me.
MR. FITZMAURICE: But we told the secretary, so just a recognition of this as of this state, but we are still looking forward to it.
MR. REYNOLDS: Well, the whole reason I threw out what I threw out was to keep this conversation. Jeff, you had a comment.
MR. BLAIR: Yes, and prior to my making my comment, let me ask Michael to clarify slightly—Michael Ubl. Michael, when WEDI made that recommendation and chose the wording that it did, behind that wording was there any assumption in WEDI as to when the NPPES would be ready? I am not trying to lead you yes or no, I am just saying was there any assumption?
DR. UBL: No, we did not pick a—we were not assuming a particular timeframe. I think the emphasis was we needed it ASAP.
MR. BLAIR: Then that gives me latitude with what I would say. Even though we have encouraged that the NPPES be available as soon as possible, I would say that we should still include even though it is a reiteration in our next recommendation letter because I don’t want it to be assumed that we don’t consider it an issue anymore.
MR. REYNOLDS: Judy?
DR. WARREN: Looking at their recommendations, I can not remember our last NPI letter, but did we specify a number of days that the NPPES should be available after the notice? I noticed that WEDI did for 120. We might want to followup on that. I mean six months seems reasonable to me to have it available.
MS. TRUDEL: I think what the previous letters said was that there should be at least a clear six months availabity of data before the contingency plan would end. We didn’t draw a line between the data dissemination notice and the availability. It was between the end of the availability and the end of the contingency period.
MR. REYNOLDS: If we took WEDI’s recommendation that would put it right there pretty quick. That would say you have to do it now. If you are going to leave thirty days for comment and then you are going to leave 120 days for some other things and that is five months. If you are going to have six months available, you have between now and next month to get it out.
DR. UBL: I would agree and I think when we were discussing this within WEDI, I think the one thing we wanted to try and make clear in this particular recommendation is that publishing the policies and procedures is not enough. We have got to get the thing in action. We have to have access to the information, and that is why we recommended a timeframe.
MR. REYNOLDS: So rather being a prescriptive plan off of Karen’s comment. So Karen, your plan comment is if we stayed with our previous recommendation, which was that it be available—the dissemination notice be put out as quickly as possible and that that data be made available for a good six months before the contingency is pulled off. I haven’t heard anything today. I don’t know if anybody else has that would necessarily change that recommendation.
DR. WARREN: I am just trying to clarify the timeline here. I agree with the clarification that we need to keep—to not close down the contingency before we have this up, but I am wondering if we don’t have something new from the dissemination notice, I think that is something new that we should ask or maybe put in a letter to the secretary that might show urgency a little bit more that we really tell this is up and we have had 120 days after the dissemination notice. It almost disconnects a little bit from the contingency plan that this has to be up within a certain timeframe, otherwise it is going to keep drifting until it is available. It could be 300 days before it is available and we still would be then with the contingency plan in place, unless I am reading this wrong.
DR. UBL: I think it is a good point. It recognizes that there is a time lapse between the actual publication of the policy procedures to the time it is executable and people can start using it. We don’t want that to sort of mushroom and just sort of drag on.
DR. WARREN: I think that is where we heard a lot of the testimony was until they had this available they weren’t able to populate and do a lot of their testing until it was available so they don’t know whether or not they can comply with NPI.
MR. REYNOLDS: I sensed WEDI tempering their position on that state. Your comment earlier was that it would not keep people from implementing.
DR. UBL: No, it will not keep people from testing. It will keep people from implementing.
MR. REYNOLDS: No, I wanted to make sure I heard it correct.
MR. FITZMAURICE: Harry, I wonder if I might ask a point of clarification. I noticed in Michael’s testimony that he says that he understand the final regulatory languages is currently under review by the Office of Management and Budget. I wonder if we know that that is true. Are you able to comment Karen on whether you know if that is true or not? I don’t know if that is true.
MS. TRUDEL: It is a federal register notice and it is still being reviewed by OMB.
MR. REYNOLDS: Okay, so I guess the committee feels that that on the first set of recommendations that we should in fact reiterate forward that it needs to be out as soon as possible. It is important. We should be out there the six months like we have before. To do so, this looks like a plausible timeline and maybe the only plausible timeline to have that happen within the contingency plan that has been executed for May of 2008. Is that a fair statement?
MR. BLAIR: Karen, I am supporting totally what Harry has just said, but I am trying to think here. CMS wants to get this out as soon as possible. There are some realities in the way the government works. Would it be constructive or not for us to add to those recommendations anything about whether we feel that there is a need for comment or not comment in the process that goes forward? Can we be helpful by expressing that we feel that this is something that does not need public comment to go forward to release the NPPES?
MR. REYNOLDS: Jeff, for the record, you have finally stumped Karen.
MR. BLAIR: I don’t think we stumped her, I think maybe I asked a question that she doesn’t feel she could answer.
MS. TRUDEL: No, I feel as though you are putting me in a position where I am saying where I need to respond that guidance at the NCVHS might want to give the secretary is not going to be useful, and I don’t want to say that. I think what you are saying though is that the availability of the data—it is not necessarily the process of the data dissemination notice or whether there is or isn’t a comment period is as germane as the fact that it is just a screaming need that the industry has got to actually have this data for a period of time. However the subcommittee feels that they want to— I don’t think there is any reason why that comment couldn’t be made.
MR. REYNOLDS: Another thing is different than I think anything I have seen. This system is already in production. That is different. Everything else we have been talking about get this out so that could be done. This is the first time we have had one where it is there. When somebody calls to get an NPI and they are given an NPI, it is put in that system in production. It is there. It is real. If you want to change your NPI, you go into that same system. Never before, I don’t think any before that I have seen, where we were actually talking about a red going out on something that is in production in use and you have 2 million numbers in it that are active, live, and being done. I think our comment along that line could use that as a bit of a backdrop. In other words, this is done. Thy system is done. It is in production. It has got 2 million numbers in it. Everybody that is implementing would like to have those numbers whether or not they have an extensive comment period is not going to change the 2 million numbers and not going to change the structure of the 2 million numbers that are out there which is what the people are really after. This just seems real different.
MR. BLAIR: Is wording like that going to be helpful?
MS. TRUDEL: I think any wording that is going to inform the decision makers of what the real world needs and requirements are would be very useful.
MR. REYNOLDS: Does the group concur with the way I had positioned—
DR. UBL: Can I have a comment? I would concur that the system is there, that the numbers are in the system and they are what they are so nothing is going to change there. What I think we are talking about is a system function in the setup processes that support accessing and recording on the information and that we haven’t seen. So, that is the part that—
MR. REYNOLDS: --needs to comment. So the numbers are part one. The way to get to them and the rules around getting to them is number two.
It would appear that we need to put some language together. So does the committee concur that recommendation one, we need to put forward a letter at least with recommendation one? Is everybody in concurrence with that? Okay.
All right let us go to UPIN. Second one. Any comments on UPIN whether or not we in fact--?
MR. BLAIR: Right now WEDI’s recommendation to us on UPIN is simply that—well WEDI really didn’t make a recommendation on UPIN. It was a statement, I believe, by CMS that it would be available until June. Is that correct?
MR. REYNOLDS: No, they made a recommendation.
MR. BLAIR: I’m sorry. Could you re-read the WEDI recommendation on UPIN?
DR. UBL: For the recommendation made by WEDI with regard to UPIN include the following, continue issuing UPIN numbers beyond May 23, 2007 and make it consistent with the NPI Contingency Guidance announced on April 2nd. Given that this a number widely utilized by the industry, issuance should continue until May 23, 2008. Providers that use UPIN as their legacy number but will not migrate to business operational use of NPI until some time after May 23, 2007 will need an ability to acquire UPIN numbers or new service providers.
Second, continue to maintain and make available the subscription and database through the full Contingency Period.
Third, insure that the UPIN online registry capability continues through the full contingency period. So in essence, we are asking for it to continue through the whole contingency period rather than over the next 60 days.
MR. REYNOLDS: Allow current business practice through the end of the contingency. Committee support? Jeff?
MR. BLAIR: If the rest of the committee supports it—I guess I am in balance mode again. I think that having access to the UPIN numbers up through the end of May 2008. I think that makes sense. On the other hand whether new UPIN numbers should be issued, I think we can not have to give another year for UPIN numbers to be issued. I think we can have that much shorter.
DR. WARREN: I think the use case for continuing to issue though is the use case of new providers coming into the system and going in to work for places that are not ready to use the NPI yet because it would really be putting new providers at a very disadvantage of getting jobs and employment back to business case again.
MR. BLAIR: I heard her make a statement, but I didn’t hear it as a different proposal.
DR. WARREN: No, I am agreeing with the proposal that WEDI put out and I am giving you a reason why we need to keep issuing UPINs.
MR. BLAIR: All the way for another twelve months?
DR. WARREN: Yes, and it has to do with the new providers coming in to the system during that time.
MR. BLAIR: If the end of the contingency period is May 2008, you would be willing to issue new UPIN numbers even up to a month before the contingency period ends?
MR. REYNOLDS: If the organization that they join is not NPI ready, they will be unable—remember I said regular business as usual. Until that institution that they joined is NPI ready, the only way to do business is possibly on a UPIN.
MR. BLAIR: I probably have a different feeling about it, but I would yield to the majority rule, whatever it is.
MR. FITZMAURICE: I am thinking if their billing service can not handle the NPI after one, two, three, I don’t know how many years that their billing service had a chance to do it—extending it for a year is just going to give them a year without having to do anything and then you come in this time next year and say, well now we know it is really serious. We thought it was serious, but now we know it is really serious and we are thinking about doing something about it. If their own electronic system can not handle the new provider identifier, they can go to a billing service just for those who need the NPI and it gives them a year to say, this is serious. Maybe I will have to change my own vendor system or maybe I have to move to a billing system permanently. I think every billing service would be able to handle the NPI.
MR. REYNOLDS: The contingency as it is set right now runs through May of 2008.
MR. FITZMAURICE: No problem with that. I would just caution that letting people get new UPINs doesn’t change anything until this time next year. There is no driving force then.
MR. REYNOLDS: I know, but the other thing is we allow the contingency for people that didn’t get their NPI. We are talking about business as usual for people that are in UPIN. I am just trying to understand whether we want to become more draconian on people then we have been able to in the past. I don’t care either way. I just want to make sure that as a committee, we agree.
MR. FITZMAURICE: I just don’t see it as being very draconian that they have to go to a billing service for a new provider that has the NPI if they chose not to push their vendor to allow them to have that capability. I think we said something fairly tough in the last letter to the secretary about, this is not going to last forever. We got a little bit tough.
MR. REYNOLDS: So what would be your end date? Are you against using UPINs at all after May of 2007?
MR. FITZMAURICE: I would go with the contingency as it is, that is, you can use UPINs if you have them. You get new providers or you have a need for a new number then go with the NPI. I’m just making this as a suggestion to the committee. I am not trying to exert my will on anybody. I am looking for incentives and driving forces to let people ease into it, and this is pretty easy I think.
Mr. BLAIR: To me it seem. I understand that for those folks that have UPINs and they are in an organizations which haven’t been able to make the transition that we are giving them a contingency period that goes till May 2008 in terms of looking up—still continuing to use a UPIN that they already have. I am okay with that. The piece that I feel uncomfortable with is if somebody is going to need a new provider identifier number. To allow them to do that with a UPIN for 12 months, I don’t feel comfortable with that. I think it is reasonable that maybe after the end of the September, October timeframe if that ends or maybe earlier. I guess July or August I would like to say that ends. We are going to give them a couple of months grace, but if they need a new UPIN, they need to do it then otherwise—I kind of feel like it is an incentive for the transition for those that don’t have an identifier yet.
DR. CARR: If we think that in May 23, 2008 then you won’t be able to do a transaction unless you’re NPI. That will happen. I am not sure why we would put an arbitrary additional incentive in with the possibility that there might be unintended consequences. I would favor making UPIN availability through May 23, 2008.
MR. REYNOLDS: The recommendation as it stands is all it is basically saying is business as usual until whenever anybody takes the contingency off. That is what that recommendation is all about. We are getting focused on a particular number. That is really what this recommendation is. Allowing business as usual until the contingency comes off. Whomever takes it off and whenever they take it off.
DR. WARREN: Another way to look at this is the complexity of enforcing this. If UPIN is going to be available for use, it should be available for use, which means new ones as well as using the system. If it is just using the system and we quit having new applications, now we have added a whole other layer of your bureaucracy to make sure that that recommendation gets enforced and handled, which I am not sure that I want to do. I guess I am always in favor of keeping the cost down as low as possible on some of this stuff.
MS. TRUDEL: I just have a point of clarification. It appears that the recommendation is saying that there are plans and providers out there that use UPIN as a billing number and I know that Medicare, for instance, does not use the UPIN as the billing number. We use it for referring and ordering physicians, and we require a different actual billing number in either the performing or the rendering or the billing physician fields, and those will be replaced by the NPI. In cases of ordering and referring, there is an ability in UPIN to provide what we call a surrogate number, which is basically a fill if the ordering or rendering physician didn’t have a UPIN. I guess I want to clarify that you have found that there are actually people—plans that are using the UPIN as a billing number as opposed to a number to identify ordering or referring and rendering ordering.
DR. UBL: I can safely say that in Minnesota we have some large provider systems at Blue Cross Minnesota deals with where the UPIN is the legacy number that drives the whole blank plain adjudication and payment process.
MR. REYNOLDS: Lynne, did you have a comment?
MS. GILBERTSON: I just wanted to make sure we are aware that the contingency plan can be invoked by the providers and the payers. If the payer is still under contingency plan and wants to see the UPIN and the provider can not obtain a UPIN, the provider is stuck and the other aspect is the UPIN is being used as one of the fields in the crosswalk, and until everyone gets a copy of the file to start looking at it to do the cross walking to their internal systems, not having an UPIN might have a hole in the crosswalk.
MR. REYNOLDS: Reiterating business as usual. So we need to send something forward on that. Everyone agree on that?
Okay, let us go to the last one and then we will take a break.
DR. WARREN: So we are saying we need to re-work their number one, but are number two and three okay the way they are?
MR. REYNOLDS: Why would you think we need to re-work?
DR. WARREN: Because you just said we are looking at language.
MR. REYNOLDS: No, I was just saying we have to produce a letter. More than likely we will use a lot of the working out of here, I’m just saying we need to actually bring forward a letter that has wording in it. I wasn’t necessarily pointing or not pointing. I think that is a great question.
Okay, third one. Again, we are talking about frequently asked questions and then we are talking about health plans communicate their contingency plans, their trading partners and that CMS collaborate with the National Provider Identifier Outreach. I think those are comments more than recommendations that we would expect the secretary to turn around and do something. Those are statements of collaboration and fact. I’m not sure—we could add them to a letter, but I’m not sure they are going to make or break—from our standpoint they are what we would consider a recommendation that the secretary would do something.
DR. WARREN: You see I really like number three on that one. I’m not sure we really spoke—
MR. BLAIR: Could you tell me what they are because I can’t—
DR. WARREN: CMS collaborate with the National Provider Identifier Outreach initiative on creating an NPI transition plan that provides guidance to the industry achieving NPI compliance. The stuff before then really talks about some of the actual work of doing that compliance with FAQs and stuff like that.
MR. REYNOLDS: My question to you is you are doing significant outreach. That was your testimony pretty much. Other than the fact that you would collaborate with this group, does your outreach change and does your outreach already include these kinds of things that they already list here in this recommendation?
MS. TRUDEL: In terms of duration of the contingency plan?
MR. REYNOLDS: No, they have three items under—
MS. TRUDEL: At this point our message has been that each plan determines when its contingency period ends and I think that is consistent with this. I think that is sort of another point of consideration for plans when they make that analysis and make that decision.
MR. REYNOLDS: I just can’t turn this into a recommendation. I can’t sit here and think of how I would turn this into a recommendation to the secretary and the HHS aught to consider. I think it is a prudent discussion about how it should happen and the industry needs to collaborate including CMS because I don’t think this is a CMS issue. This is an issue that if any large health plan pulls a contingency in the state and the others aren’t in that situation, you are going to create the same thing.
DR. UBL: I would concur with both comments. I just want to context I guess in the standpoint of the first two, I think, are more definitive and concrete. You can outline specific things people could do. I think the third one is a little bit more sort of a soft touch type thing. What we wanted to bring forward, because we have heard of organizations arbitrarily establishing sort of the end time of their contingency period. They certainly have every right to do that. What we wanted to bring forward at this point is that rather than just making an arbitrary decision when an organization would end their contingency period to, at a minium, take in the consideration where all your trading partners are at and put emphasis on business continuity during this transition period.
MR. REYNOLDS: I guess where I look at this and I want the rest of the committee—this seems like something that WEDI and CMS could discuss and work on without us writing a letter to the secretary saying, will you have these two groups work together? That is what I am saying. As we forward things we want some action on, that could be a collaboration that could be done tomorrow as a discussion point, not necessarily something that we can come to the secretary and his staff to come down. Anybody disagree with that?
With that, we will start drafting a letter based on the first two sets of recommendations and try to get something out quickly. We may have to have a conference call in advance or the June full committee to have something put together to take to the full committee and we will proceed through there.
It is 2:48, we will be back at 3:05.
(The meeting has adjourned for a short break.)
Agenda Item: Security: Review of guidance/Current remote access and ongoing security issues
MR. REYNOLDS: Okay our wrap-up testimony for today is based on some of the review of the security guidance. We are going to have Lorraine Doo, Sue Miller, Mike Ubl, and Linda Dimitropoulos, and Matthew Scholl. Do you want to go in that order? IS that they way you want go or do you have a prescribed order? Okay, let us just go down the agenda then.
MS. DOO: Thank you very much. I am Lorraine Doo. I assume you all can hear me. I am trying to lean forward like everybody else. I want to say that I am going to be talking about security rule and sort of remind you. I realize that we are between you and probably a double scotch so we will try to be as entertaining as we can be. We are going to bring you back up to speed on what the security rule does. Some statistics on complaints and enforcement and talk a little bit about remote access, and I was very fortunate to have a prop today which is this little flash drive, which frankly saved our lives on the presentation because we were actually able to download it from an email because it had not made it here the other way. This is one of the devices that we will be talking about a little bit later today so you can actually—
MR. REYNOLDS: Our question would be how is that secured?
MS. DOO: And that is a private question. So just to go back to many years ago, the final security rule to make sure that we are all clear, applies to electronic protected health information. So the privacy rule covered all information. Security rule was written very specifically related to electronic protected information that was either stored, created, maintained, or transmitted by the covered entities primarily to protect confidentiality. The right people are seeing the information. The integrity of the information is accurate and availability that the right people can see it when they need to see it.
Covered entities, not that we don’t all know this, the covered entities are health plans, health care clearing houses, and covered health care providers who are those that transmit the transactions electronically that have been adopted under HIPAA. The security rule they have to protect the information against reasonably anticipated threats or hazards to the security or integrity of the information and protect against inappropriate uses or disclosers related to that, and very importantly is to ensure compliance of the workforce through policies and procedures and training, which we will talk a little bit about.
The security rule had—and there is a couple of very key things related to the rule. The first was this concept of scale ability and flexibility based on an organizations size, the complexity, their technical capabilities. As you know, we have a range of covered entities from small providers to huge health systems to health plans. They all have different capabilities and the class of implementing those are pretty significant and we accommodated that by the flexibility issue. Tied to that was the concept of being technology neutral, so we were not prescriptive in the final rule. Some people wanted that. Other people were not as supportive because they felt that the needed to have more guidance on specifically what they needed to do. It is technologically neutral, and that helped drive the whole cost factor.
The way that regulation is organized is based on standards and implementation specifications. The specifications are essentially the guiding principles for how you would comply with a standard. A standard is required, and the implementation specification is either required or addressable. Occurrence of the addressable has been under considerable debate and the first thing to remember is it does not mean optional. It means that the organization has to determine how it applies to their infrastructure, make decisions about what they need to implement or how they need to implement something in order to meet that standard. It didn’t mean not to do it if you didn’t think it applied. It meant to either document what you were doing to at least meet the specification and the standard.
The security rule was made up of several categories: administrative, physical, technical, organizational, and then the policies and procedures. Administrative had to do with things like the risk management, risk mitigation, training, contingency planning, and all of the operational things that you would do. The physical safeguards are obviously things that how you are going to protect your facilities where the data is, where it is set, and how it is stored. The technical safeguards had to do with the technology of it. Things like the secure socket layer for example or encryption. The things that people in the policy world may not be as comfortable talking about, but it is the key driver obviously. Organizational requirements tied in with the privacy rule and it partly addressed the business associate agreements and how you had your downstream partners also required to protect the information. Then obviously coming to what is key, which are the policies, procedures, and documentation. Without documentation, should anything happen, there wouldn’t be any way to protect the organization to say we actually did have all of these things in place. Those documented policies and procedures and the training that accompany them are very, very key to this.
What we advise covered entities and a lot of the guidance papers that we already do have on the website, we talk about risk analysis being the most important driver because that is how you will determine what it is you need to do to meet the required or addressable specifications and standards. It will tell you where your vulnerabilities are so the risk management is really critical because based on that, you will develop your policies and your procedures. Obviously, implement them, train the work force, and then conduct periodic evaluations. It is pretty straightforward or it seems to be straightforward, but every organization is going to be doing this differently.
We assume events have happened and will happen
that affect a company’s ability to comply even if they had made every effort up to a certain point. We have a security enforcement process in place. It is complaint driven. We do not go out during random surprise audits. If we see something happen in the industry, we will file a complaint ourselves. So for example, if we hear that a hospital has lost data, we will actually file a complaint which gives us the authority to then investigate. So, we are not just waiting for the phone to ring. We are being aware of what is going on in the industry. The focus is clearly on helping covered entities achieve compliance and because security is so tightly tied to privacy that typically the complaints come to us, in fact, because it has been a privacy concern that work very closely with the Office for Civil Rights on those complaints that come in. As you will see by the statistics, in fact, most of the complaints that come in are driven through the privacy process. These are current statistics, and I don’t know if you will be surprised by the number in terms of thinking it will be too high or too low. With the total number, so I the past two years of complaints that we have received is 177. Of those, we have closed 102. There are still 75 remaining open.
Let me just talk briefly on this issue of a closed. It means that either the covered entity was found to be compliant in fact and had the documentation and could support what they had done and be able to resolve it, or they submitted a corrective action plan that said we are going to be executing additional training. We have done this policy now. We rectified this situation with an employee. There was a corrective action plan. We monitored it. We checked on it, and we have been able to close that case. So now going back to this issue of the combined privacy and security complaints of the total 177, 99 have been privacy and security combined. That is not just a security issue. As I said, we have 75 cases that are open. Of the 75, 64 are related to privacy and came in through privacy. There are only 11 of the 75 open complaints that have a strict security related issue. So, OCR is leading the charge on the ones that have a privacy security duality, and we work with specially designated people in the regional office in evaluating and resolving those complaints.
Now the complaint reasons that we get. The lion(?) share actually the first and third, which is actually unauthorized access to electronic protected health information and an alligation of insufficient access controls. It might be things like I know someone else looked at my data. I know that my wife looked at my data and she doesn’t have the right to do that. It’s those kinds of things. You didn’t protect me properly enough and somebody else got into your system and was able to see.
Then of course the second item bulleted here is the loss or theft of devices, and that is beginning to have more prominence. People are much more aware of it, and it is unfortunate because of these very public pronouncements of a laptop that has been stolen. I think we have two people in the room that may be related to one of those. That because very scary because it is hundreds of thousands or millions of records that are a risk, even though the person may have just taken a laptop for the laptop purpose. It is a tremendous risk for individuals.
As we heard more and more about these kinds of incidents and they became prominent, we realized that data is going to continue to be at risk in a whole new set of ways as health IT activities and we move forwards with a lot of these initiatives that employees are working outside of the workplace. They are using devices like this flash drive to do work. They are working off site. They are working remotely at homes. The data is much more mobile and therefore at a whole different level of risk. We talked about the flash drives, CDs, PDAs which is not public displays of affection, laptops, smart phones, and all of those other devices. As I said before, these high incident profiles that are starting to come about. The security rule covers all electronic protected information no matter where it is. We still felt that we need to publish additional guidance to the industry to reiterate what is implicit in the security rule very specifically to remote access. We published a document December 28, which I’m sure you all have read. And again, it reiterates the requirements of the security rule, but what we did is provided some recommended strategies that could span the range of small to large entities. We couldn’t give examples for every single type of organization, but we wanted to say sort of from the simplest thing to a much more complex technology that you could implement.
Here are some ideas for each of the categories
that we addressed. When we focused on the risk assessment, are you vulnerable? If you are not doing any remote access, you don’t have a vulnerability but be aware that it may be relevant. Develop and implement the policies and obviously most importantly is train your people on those policies. Don’t develop a policy and keep it in a legal office. It has got to be communicated to the staff and documenting that they understand that. The guidance, as I said, was a set of tables for each of the categories and it listed risks and then it listed mitigations. For example, on the one you all may or may not be able to read this, but this one was on data storage. The risk was a laptop or other portable device is lost or stolen resulting in potential unauthorized use. Then the mitigation strategies went from identifying a type of hardware that you are using in your company. Implement a process from maintaining a record of where it is going and what the movement is required to use the lock-down mechanisms. Use password protected files. Password protect the devices themselves and require that the devices have encryption technologies. There was a gamet of recommendations that were not meant to be exclusive but were—see, whoever you are, if you are using these kinds of devices there is still an opportunity for you to see one, are you already doing it and if not here are some recommendations.
What we are going to do next is actually consider publication of an NPRM that might incorporate this guidance document, even though the security rule is clearly implicitly includes anywhere EPHI is. We know we need to work the NCVHS to pursue publication of a rule. We are working with WEDI. We will continue to work with them on issues related to security so that when there are conferences and educational opportunities and white papers, we will work with WEDI on additional guidance that we may need to be doing.
We are participating in a number of other
national workgroups that are also addressing issues related to privacy and security because of health IT and that includes the confidentiality, privacy, and security workgroup under America’s Health Information Community which is also now looking at requirements for privacy and security. One of the things we don’t want to do is have all of these groups off working on their own coming up with recommendations but rather make sure we are all collaborating to deliver the same kind of message or to support and enhance what each of the organizations is attempting to do. That is the update on the rule in our guidance. I guess we will hold questions until the rest of the gang has spoken. Is that correct?
MR. REYNOLDS: Yes.
MS. DOO: Who is next?
MR. REYNOLDS: Sue or Mike?
MS. MILLER: I am. I am Sue Miller. All I have is written testimony which is on the table.
So Chairpersons and members of he sub-committee, I am Susan A. Miller. I am a founding Co-chair of the WEDI Strategic Implementation Process Security and Privacy Workgroup and I have a national HIPAA and healthcare legal and consulting practice. I work with and for HIPAA providers, clearinghouses, health plans, trade associations, and state and federal agencies.
On behalf of WEDI, thank you for the opportunity to present testimony concerning the HIPAA security rule, including remote access issues and how the industry is dealing with security requirements: what is working, what is not, and why.
My three Security and Privacy Workgroup co-chairs, Leslie Berkeyheiser who is here with us today, David Ginsberg, and Mark Cone, assisted me in preparing me for this testimony. I am going to present general observations about how the industry is dealing with HIPAA security requirements, and then discuss remote access and its issues.
WEDI is in the process of deploying a comprehensive plan to address many topics regarding HIPAA Security Rule and its implications. Our activities are in the planning or early development stages. With this in mind and the fairly limited time to respond to the request for testimony, I want to emphasize that the information WEDI has available is limited to anecdotal information from a small segment of WEDI’s membership. This is an initial step in our process to examine industry status regarding HIPAA security implementation and compliance. We cannot draw specific conclusions or make sustentative recommendations at this time as our work is not complete. A near term activity will include a formal survey to gather more comprehensive data across he entire industry. WEDI intends to approach for collaboration and support on developing a survey tool to address this topic.
At this point, WEDI has collected anecdotal reports that demonstrate misunderstanding the under-implementation of the Security Rule and related compliance issues in the industry.
The Privacy Rule implementation requires tangible steps that tend to be similar across covered entities. For example, every provider with a direct treatment relationship with patients is required to have a Privacy Notice and to make it available. In contrast, the Security Rule implementation is much more flexible. Entities are expected to customize implementation. The Security Rule also includes a compilation of best practices. Under those practices, an entity would perform a comprehensive risk analysis including consideration of what standards apply to its unique organization. The application of addressable implementation specifications is left to be determined based on risk analysis findings and documentation of the approach taken. There is no formal guidance about whether or how to conduct, interpret or apply a risk analysis.
The flexibility built into the security rule provides entities with the ability to tailor security protections to best meet their business and operational needs based on their unique threats. It would be useful, however, if the Centers for Medicare and Medicaid Services (CMS) could provide additional educate and guidance to help some covered entities reach an understand of how best to implement the security rule.
Now some entities might be a code word for the smaller end of the environment in some senses of the word. We have tripped across some basic problems in key areas to focus upon.
Frequently, the co-chairs, meaning the security and privacy co-chairs, observe simple and fixable problems at their client organizations; they observe behaviors that are in conflict with organizational policy. Many of these are in the areas of administrative safeguards. For example: Conversations involving patient care and treatment conducted via speaker phones in offices with doors open. PHI data posted on bulletin boards to enhance training and workforce communication and sometimes we find social security numbers as well. Lack of organizational policies and procedures, workforce members aware, or aware of others using some of the newer portable devices such as jump drives, for media storage; such tools often may not meet an organization’s security controls. Organizations not conducting inventories of remote deices and storage media and technology changes and hardware changes are happening all the time. Passwords posted near computers or passwords shared by multiple workforce members. Paper with PHI on it placed in confidential areas or recycle bins and contents left for days or weeks before shredding. They have two containers. One for regular trash and one for confidential trash, and nobody is picking it up. It is available for people to use. Un-logged, unsupervised open visitor access where PHI is available. Lack of, incomplete, or out of date disaster plan recovery. Lack of formal audit process or program, and lack of regular, periodic, security risk assessments, and security risk analysis with new tools or new focus within an environment.
The industry and CMS should promote ongoing risk analysis, risk management, auditing, and self-monitoring. These are all in the rule, but we find that they are not necessarily happening. Compliance reminders and best practices could be disseminated periodically. We have three areas that we think are important. Organizations should consistently monitor HIPAA policy training of new workforce, and existing workforce members should be provided regular updated or refresher training. Organizations should track the length of time it takes to remove system access for workforce members who leave he organization. Organizations should develop routine reporting mechanisms for alerting senior management about security incidents and effectiveness of sanctions.
The security rule defines a security incident as an attempted or successful unauthorized access or use. When coupled with the requirement of security incident reporting, it creates a perceived or actual need to report potentially thousands of unsuccessful access attempts most organizations face on a daily basis that are prevented by the use of intrusion detection and prevention software. Redefining a security incident to exclude unsuccessful attempts would simplify implementation of these parts of the rule.
WEDI can assist CMS in developing sample forms, checklists, and various metrics so that covered entities can monitor their security compliance.
In the next section of the document we have a table more specifically outlines some of the things that we think might be able to be considered as we go into an area where we might get more guidance or perhaps a new NPRM, and I am not going into those in effort of keeping myself to a certain timeframe here, but I am more than willing to discuss. So I am on page four.
Privacy and Security can overlap within organizations. However, just as HHS separates oversight of these Rules, many covered entity organizations address Privacy and Security in distinct environments. For example, many hospitals assign Privacy to the Privacy Officer or Compliance Officer, while the Security becomes the responsibility of Information Technology. WEDI has consistently suggested that organizations implement one set of policies and procedures to cover all forms of PHI (electronic, paper and spoken information). WEDI would like to investigate how the Security Rule requirements can be correlated to and integrated with the Privacy Rule requirements. Doing so could make both sets of requirement and their procedures more understandable of the staff members doing the work.
Now as to the guidance document. WEDI regards the CMS guidance on safeguarding PHI that is accessed remotely, published in December 2006, as an important resource on the Security Rule and its requirements. The WEDI SNIP Security and Privacy Workgroup has begun drafting a white paper on the CMS Guidance to be released on May 16, 2007 at the WEDI Annual Meeting in Baltimore. We are going to have a breakout session to discuss this white paper and the guidance. We have invited CMS to join our presentation and they have accepted.
Covered entities have reported that they like the list of standards included in the initial security notice of proposed rule making. The Security and Privacy Workgroup has drafted a crosswalk from the Guidance requirements to the Security Rule requirements for the white paper. The Privacy and Security Workgroup supports such tables and information as a way to further educate and help the industry.
There has also been concern expressed from members of the industry about the OIG intention to audit a Georgia hospital regarding HIPAA Security compliance unrelated to an underling complaint or to a fraud and abuse review.
Now, I want to talk a little bit about HISPC. Linda is here. She is going to talk a little bit more about it. I have had the good fortune—perhaps not to be on two of these projects.
The Health Information Security and Privacy Collaborative projects have focused on the variations of state law relating to the HIPAA Security and Privacy Rules and on the efforts to implement electronic health records, reinforcing the importance of basic security to the healthcare industry. Areas covered in the initial HIPAA Security Rule such as standards for access, authorization, authentication and audit trails could be expanded and addressed within the Guidance Document. You are going to hear more about this from Linda. Further clarification and/or assistance in some of these areas to the industry greatly assist overall Health Information Exchange.
WEDI acknowledges that there are still many issues and questions in security that remain to be addressed. WEDI is willing and able to leverage its knowledge, industry expertise and resources to work in partnership with CMS to address the challenges in security.
These are the following WEDI recommendations in this area. WEDI is prepared to assist CMS in getting the word out about the Guidance document. We have the following activities planned to support this outreach: A CMS HIPAA Security Guidance white paper is scheduled for release at May 2007 Annual WEDI meeting in Baltimore. A session scheduled at our May 2007 national conference titled ‘What does the CMS HIPAA Security Guidance for Remote Access Really Say?’ An audio conference series in the late summer this year about the CMS HIPAA Security Guidance document and its recommended implementation is also scheduled. We don’t have a date for that. There will be a security pre-conference to be held at the WEDI November 2007 meetings that are going to be in Orlando, Florida. WEDI is willing to hold a HIPAA Security hearing in order to further assess the industry since on these issues. The WEDI Board will send the HHS Secretary its findings from such hearings. WEDI understands that the guidance will shortly become an NPRM or there may be an NPRM about other security issues. When it is released, WEDI would hold a policy advisory group meeting and the WEDI Board will send the HHS Secretary its findings from the PAG. WEDI is willing to collaborate with CMS in surveying the industry and HIPAA Security implementation and remote access issues. WEDI is willing to assist CMS in developing sample forms, checklists, and various metrics so that covered entities can monitor their compliance. Thank you.
MR. REYNOLDS: Thank you Susan. Matthew?
Agenda Item: Health Information Security & Privacy Collaborative
MR. SCHOLL: My name is Matthew Scholl. I am an Information Security Specialist in the National Institute of Standards and Technology. I have been asked to come and discuss a quick overview of remote access, specifically secure remote access, what it means and what the issues are behind it. I have slides which basically I’m going to use as talking points. I have left no written testimony therefore I will leave no data remnants behind.
I want to start off with just some general definitions. One of the biggest problems in the security world is generally we all start talking the same things using different languages or we are talking different languages about the same things and as such often we find people in violent agreements, so I just want to set the landscape with some things here.
This is kind of what we are talking about as far
as remote access goes. Access by users (or information systems). One thing to note here is that remote access does not necessarily limited to a remote person of the workforce dialing in but as often as not it is machines or others doing this automatically either for synchronizations purposes, scanning purposes, or active polling purposes. This is an external entity connecting to a system security perimeter by a security perimeter. By a security perimeter, what I am talking about generally is a defined, discreet, known architecture that is govenered by a common policies, procedures, work instructions, and configurations from a security setting. So we are talking something outside talking to the perimeter.
This is why we do it. Lorraine said it earlier, the main things we want to focus on are confidentiality, integrity, and availability of this point of data. It is important as we look at security and secure remote access that you follow the data. It is all about the information and the information you are trying to protect.
There are a lot of ways to do it and a lot of people do it in a lot of different ways, and a lot of people do it in a lot of different ways very effectively. That’s okay. Generally, the drivers that will decide the type of remote access to use are the mission in needs of the organization. Basically, what are you trying to do in order to support your mission? Is the access you are trying to do remotely data intensive? Are you passing gigabytes down across the wire? Are you just viewing data? Are you conducting database accesses where you are actually going to conduct operations move, add, updates or changes? Or you are just kind of viewing. Or you are just kind of viewing? Or you are just doing emails back and forth outside the perimeter. Depending on the needs and how those needs support the mission, generally will shape the type of remote access and then the security restraints that need to be applied to that access. Again, the availability of resources—when we say resources generally we think of technology and dollars. This also has to do with people. The heavy side to remote access dollar wise is not the establishment of the technologies but the maintenance of it because of the diffuse set of technologies, which can go on the far end, the end outside the perimeter. Often the support aspects for your remote access can drive costs up. You have to support everything from Apple OS10 to Windows 98. These things can get expensive. Again, it has all been driven by what your tolerance for risk is. What do you need to do to support your mission to get that information to the remote force versus what is the extra risk that is going to be exposed by doing this remotely and what are the benefits versus the trade offs for that mission enhancement versus the exposure to the additional risk?
So with remote access, basically you are talking about three basic things. Your communication capabilities, your networking, and your end points.
Communication capabilities are pretty straight up. However you connect to them on the other end. The physical access connection again will drive some of the technology decisions for the application of the remote access. You’re talking cable, DSL, Satellite, Dial Up, Power Line, Home Wireless. A lot of people think specifically about that physical machine or node connection to that perimeter, but as discussed earlier, there are many other things which now constitute remote access. Wireless phones, cell phones, Blackberries, PDAs, Smart Phones, etc. People at home, working out of a home office, using their 900 to 1200 gigahertz wireless phone are susceptible to what I like to call the baby monitor attack. That is just accidental. If someone actually has bought a commercial, available, and legal scanner, they can dial in and listen all you like. I’m often telling my wife when she is discussing certain things to get off that phone and get on the princess phone depending on my tolerance for risk for what she is discussing with her mother-in-law. This is especially true now considering the mobility of the workforce and the devices that are being used as discussed with Blackberry, Smartphone, PDAs, Mobile memory devices such as the memory stick I have here, which by the way is encrypted. Email, just because you are at home and sending email, many people think that is secure. Email is not necessarily secure because it leaves one node and pops up in another node, but email can be read, retrieved, and actually modified at any point that it is sent in transit. Therefore, decisions need to be made about email and how it is used whether or not encryption or more secure messaging is appropriate or not. Remote access is not just that VPN, but it is all these other things.
I am going very fast, I know that. Okay, VPNs, this is the heart and soul that a lot of people think of as remote access. This is Virtual Private Network. I think many people here are familiar with VPN. Basically, it is the establish of kind of a private network but virtually. Hence the phrase Virtual Private Network. What we are doing is through encryption methods establishing a secure tunnel between that endpoint and that secure perimeter. Basically, there are three ways to do it. Gateway-Gateway, Host-Gateway, and Host-Host. I will quickly touch on these three.
On a Gateway-Gateway, what you are doing is you are talking securely in that virtual network privately to the exterior of the perimeter to a gateway device to another perimeter’s gateway device and establishing a secure tunnel for the duration of that transmission. Think of it as a perimeter to perimeter transmission. The information or the data that is transmitted within the perimeter is not necessarily secure. This is most common in enterprise to enterprise communications. These devices are often called VPN Concentrators.
Host-Gateway is when an individual, a laptop, has a VPN application onboard and this host talks to an enterprise at the perimeter. It is the laptop talking to that VPN concentrator, a firewall, at the perimeter of an organization and establishing a secure tunnel.
The last way is Host-Host whereupon two individual hosts, a workstation to workstation, both of which perhaps using application level VPN technology to talk to each other securely. For example, you send a secure digitally signed email to a friend who then has your key to open it and read it, that might be an example of a host-to-host VPN.
There are lots of different ways to do a VPN. From the lowest level all the way up to the highest level of an application level VPN. You are most familiar with this when you go to Amazon and you buy a book and you get the little lock in the side and it has the S and the HTTPS and that makes you feel warm and fuzzy. That is an application level VPN that you are establishing to a gateway at Amazon when you make that secure order, hopefully.
I have encryption there at the bottom. Encryption is generally the method through which these Virtual Private Networks are established. In reality, you are not building a dedicated circuit and locking down your own private tunnel from you to the enterprise. What you are really doing is through a method of encryption, sharing secrets with the sender and the sendee that allows for a virtual private network. Really, these are done through different public, yet very secure methods of encryption. These VPNs as well as the use of encryption beyond VPNs allow for that earlier tenant of confidentiality of data to be shared. It facilitates the availability of data to that remote workforce and it ensures the integrity of the information by protecting it against certain types of attacks such as replay, man in the middle attacks, and it also allows data to be signed or hashed which allows for the integrity of the data on the receiving end to be evaluated so you know that that data is correct, at least from the sender’s point of view.
The issue with remote access not only is the fact that it is not just the tunnel or the VPN anymore, but it is the endpoint. It really comes down to securing the node. You can secure the transmission. You can secure the link between the node and the perimeter. The question is what kind of node are you going to allow to your perimeter? This is a list of things which are generally good things on those endpoint nodes. The level of fidelity you find within the home user or the home office varies depending on who it is. If my brother-in-law who lives on my couch is gambling online at 2:00 AM, the fidelity of the machine that he is using probably should not be used for establishing a VPN to a secure workforce. It all depends again on the level of trust and the tolerance for risk of the enterprise.
Who is using these machines? Are your children using them? What are they doing with them when they do use them? What do they download? How many of you have Skipe, that nice little Internet phone technology at home? Are you aware of what that does to your machines? Is your anti-virus up to date? Do you have anit-spyware onboard. These are all considerations that need to be taken on the node. How many of us have used a hotel kiosk to access a VPN? How many of us have used a wireless point, perhaps off of Starbucks? As was discussed earlier with EPHI being discussed openly—are you surfing it or looking at in a public forum where other people can show their surf? These are all considerations, which need to be done as you look at the security of the node in remote access.
Issues. A lot of these have been discussed. This is a fast evolving technology as this is seen as a large market space for many providers. Again, training, the biggest thing on the other end is the users. You may make the availabity of VPNs, but whether or not they are established correctly is a whole other issue. Awareness, are they using it correctly and where are they using it from? Again, are you doing it in Starbucks or are you doing it at home in your home office? I talked about solution report. Can it be supported? Generally, your endpoints are the weakest link because they are the items of or which you have the least control.
These are future trends. Expanding report as well as expanding usage. I am going to hit on the third bullet really quickly. Increasing usage of two-factor authentication and I want to make sure this is clear. When I talk about two-factor authentication, I don’t mean using a password a second time. That is single factor being used twice. I am talking about a password and then something else being biometric like a fingerprint or a token, like a smartcard. Something you know or something you have or something you are, one or two of those three items for multifactor authentication. Refer the committee to memorandum. OMB’s memorandum MO616 which came out from OMB which was specific guidance to federal agencies on conducting remote access whereas the federal government is now requiring multifactor authentication for all federal agencies who are accessing what they call sensitive information remotely. Multifactor authentication is coming hard and fast as well as the federal initiative for Personal Identifiable Verification known as PIV Cards, which are currently being deployed across the federal US force which is that token based second item which is being deployed. The last bullet also is remote access is being seen not only as being able to expand the mission to a geographically dispersed workforce, but it is also being leveraged for disaster recovery and business continuity planning. When assets and information is consolidated, it is inherently vulnerable to physical threats. As such, remote access is an effective—can be an effective method for mitigating certain threats to businesses and assist in business continuity during disaster situations.
There are a couple references. If you could click on those, it would take you through them, but you can’t. You may find all of these on CSRC.NIST.GOV if you wish to look them up. I spoke very quickly and it was a lot of information and at the end I will entertain any questions that aren’t too hard. Thank you.
MR. REYNOLDS: Okay, thank you. Linda?
MS. DIMITROPOULOS: Good afternoon. I’m very happy to be here today to talk about the privacy and security contract. There are a number of people in the room who are perhaps even more intermittently familiar with the contract than I am. Jeff Blair certainly with the New Mexico group, Sue with Massachusetts and New Jersey, Walter Suarez is around and he is part of our technical advisory panel, and I am sure there are probably others I am omitting. In any case, the goal today is just to provide a very brief overview of the current status of the project along with a few highlights of some of the issues the state teams are working on. Perhaps if we have time, an example from one of the states. We also want to touch on some of the key areas related to security that the teams plan to begin to implement this year.
Current status: the 34 teams have submitted final reports in the past couple of weeks. One is the assessment of Variation and Analysis of Solutions, and the other is a Final Implementation Plan. We are in the process of creating a summary and an analysis of those reports. It is some 10,000 pages of information that needs to be analyzed and summarized. You can forgive me if I am a little scattered. It is a massive undertaking. The final reports are due—the summaries are due to AHRQ and ONC on May 15th. We have a final nationwide summary that is due at the end of June that will include all of the information and then some.
One of the initial tasks, the information here is really from the interm assessments. We are still working through the final reports. One of the purposes of the project was to conduct an assessment of variation of business practices and policies and state laws that create barriers to interoperability, and along with finding many sources of variation that need to be harmonized, we also found that many organizations are just beginning to think about the practices and policies that need to be in place for widespread inter organizational exchange. There is ample opportunity here to bring those organizations together, and while they are making those decisions, moving forward and perhaps reduce variation or eliminate it going forward. Mitigate it. In terms of variation, the HIPAA—the flexibility built in. Variation is a natural outcome. The organizations need to work through and come to some common agreement on some of that. The HIPAA Privacy Rule, we have been talking about quite a bit, and in fact most of the states focused on the HIPAA Privacy Rule, but the Security Rule suffers from the same limitations on applicability as the Privacy Rule. IN addition, I should mention that it only applies to electronic information. It is just the variation and the applicability of it because of the flexibility built in. So it is kind of a double-edge thing going on. The majority of state teams that addressed security as an issue focused primarily on technical and physical security and very little emphasis was placed on administrative security issues. Many of the teams expressed a lack of knowledge and significant concern related to the technologies that are available and the associated administrative processes and liabilities.
Nearly all of the state teams raised issues related to State Privacy Law, but not so much related to State Security Law. About three quarters of the state team was reported that it is a lack of a common method for authenticating individuals that created mistrust between the organizations and reduced a comfort level with other organization standards and policies regarding who may authorize access. Consumers are primarily wary of the system. Providers, liability, it’s from a mixed bag. In terms of cultural issues, a number of states reported that the concern about liability for incidental or inappropriate disclosures causes many of their organizations to take a conservative approach to the development of their practice in policy and a number of the state teams, including Minnesota, reported that their state’s patient consent requirements placed responsibility and liability for the appropriate release of information on the healthcare provider that is releasing the information and no responsibility at all on the healthcare providers that are requesting the information. Minnesota is working on—they have legislation and committee to kind of even out the balance there. Stakeholders are also reporting that they are concerned about policies that govern their rights to access and control of the data. There is a tension between who has what rights and control between the healthcare providers, the hospitals, and the patients.
As we look—We looked through the Enter of Analysis of Solutions Reports we found that the solutions really fall into four major categories. Those that address changes to practice and policy, to facilitate inter organizational operability. As an example, state teams are looking at uniform consent policies. It is one of the highest priority items. This is also the bucket where we have categorized state teams plans to develop comon policies procedures and contracts with business associates and to build trust related to security. The next major category is legal and regulatory changes. There are some proposals to modify state statues. The state teams are proposing changes to state laws. For example, permitting digital signatures. Once again, patient consent for treatment, some say it is proposing to modify state statutes to resolve differences regarding when and how patient consent is obtained and documented. In terms of technology and standards, the third bucket, and again using consent as an example, the state teams are working to describe the mechanisms needed to communicate permissions provided with the consent to access use, collect, or disclose healthcare information which includes consideration such as the variation of state consent laws and also the special protections for sensitive data. The state teams also recognized the need for standard data format that would support segregation of sensitive data. The fourth bucket is education and outreach. Continual education of staff and training, but it is also—is this process is cartelized a lot of discussions among stakeholders in states who haven’t even had these discussions before. They are just beginning. There is a recognition that in order to get by in a concensus that they need to continue that outreach through education of those they need to get by and from so there is a lot of emphasis on education.
Walter Suarez, part of our team, pulled together a table for us to just give a sense of sort of a broad cut of the number of states who are working on any given piece of this puzzle. You will see education is at the top of the list with 25 states proposed plans for education and outreach programs. These tables are ordered by frequency from high to low rather than by topic. You can see we have 24 states working on some aspect of the 4 A’s. We have got 18 state teams working on patient identification issues. On the next slide we have 16 teams working on governance and leadership. Primarily those are states who are really getting started in recognizing that they need a central coordinating body and some leadership within their state. We have 15 teams focusing on legal and regulatory issues at the state level and 14 states that are working through issues related to federal regulations and 12 states are planning to work on issues related to protecting sensitive data. I mention Connecticut because they are working on establishing a uniform statewide electronic process for patient authorization to access and disclose health information which includes mechanisms for determining data content sensitivity when sensitive content are imbedded in textual content are implied by data values.
This slide we have 12 states who are looking at differences between HIPAA privacy rules and state law and trying to make some sense there of what is going on and to some extent develop policies to work through some of that. We have 11 states working on a variety of issues. We have 9 states working on issues related to exchanging Medicaid data, 7 states that are working through issues related to access to data by law enforcement and 4 states that have recommended the creation of an interstate leadership group, which since the recommendation was made in parallel with a launching of the state Health Alliance, I think we have that one resolved.
On this slide we have a quick look across the final implementation plans that were submitted by the states. It shows that the following areas are going to be a focus of at least half of the participating states as we move into implementation. Patient identification is a big one. New Jersey has plans to implement a standard patient identifier using a master patient index. New Jersey is also moving ahead on defining standard set of VHR elements.
Again, the four A’s are going to be the focus of about 70% of the state teams, and a subset of those will tackle issues related to access and management of sensitive data. Stakeholders have identified current inadequacies in existing applications used to manage data including EHRs and data repositories that require them to print out copies of the record and redact the sensitive information manually because they weren’t able to segregate it. That is part of what is sort of driving that focus on sensitive information. Several state teams have also indicated that nonexistent or poor audit problems were a challenge and that is going to be the focus of their work.
I did include an example of an approach that one of the states is using here. It is from Minnesota. They have approached this work in a very systematic way that brings their stakeholder organizations together into workgroups that are developing the policy framework or statewide health information exchange and they have identified two key barriers that they plan to implement. One is the need to clarify when and how patient consent needs to be collected. They have some very strict state laws with their guard to consent. The second is again the 4 A’s as defined in this slide.
Their workgroup charge is to develop a conceptual solution that describes the characteristics and requirements for a solution for each of the 4 A’s. Identify specific policies and procedures and mechanisms or technologies that meet the characteristics or requirements and develop action plans to implement those policies or mechanisms. What is guiding their work is a set of principals. They have developed a set of principals for authorizing and authenticating individuals and setting access controls and auditing in a health information exchange. Their principles need to be agnostic with regard to specific technologies and architectures. Time and variant to avoid obsolescence and scalable to accommodate small and large models. They also have charted workgroups and provided some mechanisms for pulling in information that is being gathered from lessons learned and best practices from others going through this process. Paying attention to what HIE is doing. In some of the states that we work with HIE was a big what? This is an important piece of this. The goal is to share this information broadly across the state teams as they move into implementation so that we don’t have any of them sort of recreating or creating more variation out there. We really like to sort of harmonize that.
They have a set of 19 principles they have developed. There are four including in these slides, but for the sake of time I am not going to read through those. I would just like to go through the moving forward slide and just sort of close out with—this project we have catalyzed a lot of discussions across the country and not just among industry insiders, but across a wide range of stakeholder groups who frankly haven’t talked about this before who are now engaged in lively debate and are slogging their way through this. We are hoping to be able to pair them up and we have got—states are just starting out involved in this. We have got states who are in the middle who are really doing a great job. We have got states who have been doing this for a long time. So by bringing them all together, we have an opportunity to leapfrog the ones that are starting up forward. I think we can make some real progress. There is more information at both of sites. At the AHR site and if you are interested in more on that Minnesota report that I borrowed, then that is located there.
Agenda Item: Wrap up and Adjournment
MR. REYNOLDS: I would like to commend you as a team. A very few times do you have a security presentation that is understandable, concise, focused, and you are a wonderful self-monitoring panel. You actually got done on time, which leaves us almost twenty minutes for questions. That in itself is a brand new event for us.
MR. BLAIR: Let me wait.
MR. FITZMAURICE: I guess I will address one to Matthew and one to Linda. The one to Matthew is quick. You mentioned three factors, something I know I have where I am. Are there other factors, or does that pretty much cover it?
MR. SCHOLL: That pretty much covers it.
MR. FITZMAURICE: Four Linda, I went to the conference where the states were all brought in and they get up and the presented. It was a state run conference and a good partnership between AHRQ and the Office of the National Coordinator. Linda really made that run well. I was amazed by how much of this cross-dialogue had not taken place in the five to ten years since then. It was like opening up a vacuum and letting groups come together with common problems and work toward common solutions. When is your contract over and are there any plans to continue this collaboration with the states, or is that not being pushed HIE?
MS. DIMITROPOULOS: The plan right now is for the work to move forward. We have just extended the states contracts by two months. The Office of the National Coordinator has announced funding to fund a foundational piece of these implementations for about six months. We were able to extend these states contracts right now so they could focus on a piece of what they submitted as a six-month plan. We are now waiting in the paperwork.
MR. FITZMAURICE: The states are to look at the policies, the practices, and the laws that they have within state flow of information. Are those reports due in June from the states?
MS. DIMITROPOULOS: The reports from the states have come in. We are working on creating the summaries which are due to AHRQ in the middle of May and end of June.
MR. REYNOLDS: Lorraine, you started us off. What do you need from us?
MS. DOO: Ideally, if you believe that a modification or additional rule making on security to address issues that are coming up with health IT that this body would consider that and make such a recommendation as it is part of the regulatory process. SO if you deemed it appropriate given what is going on in the industry not just from the enforcement standpoint but from the changes that we need to be more explicit. That is what would be more helpful.
MR. REYNOLDS: Is that the general feeling of the
whole panel?
MS. MILLER: I think the industry needs at least some more guidance as was put out in December. I think you heard us say that there are specific areas of the rule that WEDI would support changing, but that is a policy issue and I am going to defer to Mike on that.
DR. UBL: I’m not here to talk about any policy. I think it is more about what you heard today. There are issues there I think that need to be worked through and policies developed.
MR. BLAIR: I want to chime in behind Harry what it is we can do for you and let me offer a few areas which might be areas so that you can maybe react to it. One of the areas that appeared to not be clear when we went through HIE privacy and security project was whether health information exchange networks were covered entities or not. That is one question. I am going to give you to or three and you can tell me whether any of these are areas that are important to you. Another is whether personal health records are covered entities or not and whether that is an important issue. A third area that maybe you feel NCVHS should focus on in terms of recommendations are centralized or shared authentication for a community-wide consistent, standardized, authentication procedure relative to a health information exchange network. I have given you a few, so you can sort of see where I am priming the pump here because a lot of our privacy and security focus has been on individual institutions, but when you start to go health information exchange networks it raises other issues. That is where I am wondering if you have areas where you feel that NCVHS should focus?
MS. DOO: I’m sure everyone has a comment on that, but I will at least start off. The issue of health information exchanges and PHRs being covered entities is in fact going under pretty significant discussion with our consumer empowerment workgroup and the confidentiality privacy and security workgroup because one could easily off the cuff say, if the tool is offered to buy a covered entity such as a health plan or a provider, therefore as a covered entity that tool is responsible for meeting the requirements of the privacy and security rules. The health information exchanges get more complicated because they are not necessarily run by a covered entity and yet they are operating with covered entities who have obligations. What our workgroups are trying to do is to literally make a matrix of where does the data start? Where is it going? Who has what responsibilities? Then to determine what policies are we going to need to put in place? There is significant debate going on related to that. The Office of Civil Rights is involved and obviously the Office of the National Coordinator as well. Your concerns are well founded and it is not unrecognized.
The issue of centralized and shared authentication, again at this health information exchange level, but this shared credential is something that these groups are trying to sort out and come up with appropriate polices that would cover these very highbred entities. Who owns? What is the source of the data and these entities? Under whose laws do they come? Where is the jurisdiction going to be? It is bad enough that it is federal and state. That is also under debate. If NCVHS wanted to have additional hearings on that kind of topic and have more of the detail, that probably would be of interest to you.
MR. SCHOLL: My survival generally depends on my violent avoidance of policy questions and as such I will avoid question one and two. The federal government in this has done a lot of work in central federated authentication architectures. This is also a space where you see not just the healthcare history but industry as a whole moving very quickly, especially in web technologies and service-oriented architectures. When you look at health exchanges. That system to system, it really smells a lot like a web based service oriented type architecture in which case there is a need for trust federations to be established to allow for that kind of cross-credentialing and access control and authentication. There are a lot of technologically feasible ways to establish that. Decisions need to be made at a policy level in order to enable those technical implementations. The people who have most strides in this area, believe it or not, are DOD. They have done some significant work in service-oriented architectures and trust federations and they might be an appropriate model to look at.
MR. BLAIR: I really echo Harry’s appreciation for everybody’s testimony. There is one individual that I work with and Linda Dimitropoulos has headed that up. It has been tough. She has had a number of parents to be able to be accountable to, and above that, some oversight, it has been extremely difficult. I would like to make a special commendation for the way, after all these difficulties, Linda you have lead this project to a point where it is coming out with a set of recommendations that are implementable that will be useful and I just wanted to compliment you.
MR. REYNOLDS: Michael?
MR. FITZMAURICE: I have another question from our expert from NIST. One of the things you said was email may not be secure. My understanding of rudimentary email is that I type an email to Simon, I am here and he is California. It goes and gets broken packets and they get collected back over where Simon is. Now, could somebody be sitting at St. Louis and put a tap across the middle of it and collect those packets? I know it is easier to do it when I send it or when Simon receives it. Can you do something in the middle?
MR. SCHOLL: Yes.
MR. FITZMAURICE: What is it you can do?
MR. SCHOLL: As those packets travel, there is
generally unless there is unusual circumstances, set or known routes, main routers, major DNSs through which traffic will pass. The packets as they travel are also marked. Even though they are split up, they are marked as far certain things within the data header to identify where they are coming and where they are going. The middle points to where they are being transmitted. As such, it is possible to capture and reconstitute them. It is depending on the threat doing it, but the threats these days are significant and have significant resources and sometimes are operating at nation state level. If they are perhaps passing through another country, they are perhaps being collected, reassembled, and read. Another even more significant and even more real threat is that that email you are sending, are we sure that it is really from you? It is quite simple to spoof your email and send it out whereupon the integrity of the message could be in question. That is an even more direct threat. Without encryption it can perhaps put email in jeopardy.
MR. FITZMAURICE: I hate to go home scared.
MR. REYNOLDS: Again, thank you to all of you. Tomorrow is part of our deliberation. We will discuss this as what our next steps are.
DR. WARREN: It is going to take me a while to process what everyone said, but if while you are thinking about what our committee does, if there are specific things that you would like us to consider, could you send those to us? I guess I didn’t hear any specific stuff today. It was mainly reports of what has happened.
MR. REYNOLDS: Before we adjourn, we are going to put the last couple of sentences of the letter we discussed earlier today. We have redone those. We are going to put them up on the screen. We will take a quick look at those to make sure we are heading the right direction and then by tomorrow we can have another finalized letter and move forward.
DR. OVERHAGE: Mark Overhage has to drop off. I will see you all personally in the morning. Thank you very much.
MR. REYNOLDS: Okay, if everyone will turn your attention to the screen please. Denise, why don’t you put us in context as to where this information is going to go please?
MS. BUENNING: This paragraph would basically replace the last paragraph before the sign off which starts NCVHS endorses the proposal. This is a compilation of comments from a variety of the staff and the subcommittee members that was submitted to me earlier today. I’ll read it.
The NCVHS endorses the spirit and intent of the proposal and asks that the department investigates how the proposal could be integrated into the HIPAA updating process. This would ensure a predictable and timely process, while at the same time maximizing opportunities for public/industry input. The department should investigate all appropriate options under the APA to shorten the time for the regulatory process.
MR. BLAIR: One is I think we should be specific in saying this relates to the HIPAA transaction standards. Is that okay to add that?
DR. COHN: I guess it would be the HIPAA transaction standard updating process.
MR. BLAIR: The second one was that was there some reason why we have chosen not to indicate that we want to encourage comment at that standards development level?
MR. REYNOLDS: By endorsing the proposal—because the proposal includes a significant discussion on input throughout that process from the public and others.
MS. BUENNING: The NCVHS endorses the spirit and intent of the proposal.
MR. BLAIR: I would feel more comfortable saying endorses the public—
MS. BUENNING: Is there a reason to add that in?
DR. COHN: I actually wanted to stay out of the specifics because I think you will be excited. We really want to get into the specifics. I fully endorse the spirit and intent of the proposal which is the streamline, produce, predictable, and timely process. If we want to get into debate every paragraph of the actual proposal. I was going to move up a level. Recognize that the department needs to identify what they can do and what they can’t do.
MR. REYNOLDS: The proposal itself is very specific about what it wants to do and with the APA laid over top of it, the department could come out with an approach. Any other changes to this? You will see the letter in the morning looking very much like this.
MS. BUENNING: There were some additional changes that were submitted by Justine with regarding to the numbering on the first page of the process steps. She had made the recommendation that instead of having step one and step two, that we make one 1A and two 1B and then 2 and 3 follow after that.
MR. REYNOLDS: Are you comfortable with how that flows? Okay, then what we would like to do—we will give everyone a new draft in the morning and adjudicate it then. That will be good.
Simon, to catch you up quickly, we had the NPI testimony while you were gone and the committee did recommend that we will be sending a letter forward and try to get it done for the June full committee on two of the recommendations that are in there. We will go through those with you in length.
Is there any other business for today? If not, we are adjourned.
[Whereupon, at 4:35 p.m., the subcommittee meeting was concluded.]