[This Transcript Is Unedited]
National Center for Health Statistics
3322 Toledo Road
Hyattsville , Maryland
DR. COHN: I think we should get started. I want to welcome everyone. I want to call this meeting to order. This is a meeting of the Ad Hoc Work Group on Secondary Uses Of Health Information of the National Committee on Vital and Health Statistics. The National Committee is a statutory public advisory committee to the U.S. Department of Health and Human Services on national health information policy. I am Simon Cohn. I am Associate Executive Director for Health Information Policy for Kaiser Permanente and Chair of the Committee.
I want to welcome committee members, HHS staff and others here in person. I understand we are being recorded, and we will know when we get onto the Internet. I want to remind everyone to speak clearly and into the microphone for recording purposes. As I said, we will let everyone know once the Internet connection is assured.
We do want to thank the National Center for Health Statistics for welcoming us into their space for our meetings. We appreciate their hospitality.
Let's now have introductions around the table and around the room. For those on the National Committee, I would ask, if you have any conflicts of interest related to any of the issues coming before us today, would you please so publicly indicate during your introduction. I want to begin by observing that I have no conflicts of interest.
MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina, member of the committee, and no conflicts.
DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the committee and no conflicts.
MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics, CDC, Executive Secretary to the committee. Welcome to NCHS.
MS. AMATAYAKUL: Margaret Amatayakul, contractor to the work group.
DR. DEERING: Mary Jo Deering, National Cancer Institute, staff to the subcommittee of the NCVHS.
MS. GRANT: Erin Grant, Booz Allen Hamilton, contract support.
MS. ANDERSON: I'm Kristen Martin Anderson from Booz Allen Hamilton, and we are contract support.
MR. MC DONALD: Clem McDonald, National Library of Medicine. I am now a fed so I have been purified. I can't have any conflicts.
MS. DIAMOND: I'm Carol Diamond with the Markle Foundation.
DR. SCANLON: Bill Scanlon from Health Policy R&D, member of the committee, no conflicts.
MR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, staff to the ad hoc work group and liaison to the full committee.
DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the committee, no conflicts.
DR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine, member of the committee, no conflicts.
MS. JACKSON: Betty Jackson, National Center for Health Statistics, committee staff.
(Whereupon, the remainder of the introductions were performed.)
DR. COHN: We will let everyone know as we get the Internet connection.
Agenda Item: Overview of Work Group Task
Before we move into the agenda review, let me make a couple of opening comments. We have been talking about this whole issue of secondary uses of health information, but today marks the first set of hearings for the ad hoc work group. We had a couple of preparatory conference calls. We are very excited about getting started on this activity.
Specifically, we have been asked, we the National Committee as well as this work group, have been asked by HHS and the Office of the National Coordinator to develop an overall conceptual and policy framework that addresses secondary uses of health information, including a taxonomy, describing types of uses and users of health data, definition of terms, as well as guiding principles, the balance, the risk, sensitivity, benefits, obligations and protection of various uses of health data.
We have also perhaps in a more substantive fashion been specifically asked to develop recommendations to HHS on needs for additional policy, guidance, regulation and/or public education related to expanded or proposed uses of health data in the context of the developing Nationwide Health Information Network.
This is a broad discussion. The initial consideration and focus is around the quality issues and how data can be used in the processing and management of data directly associated with quality measurement, reporting and quality improvement.
As you all know, I will be leading the work group. I want to thank Harry Reynolds and Justine Carr for their willingness to be co-chairs. As you know, I will be depending on them significantly, and they will be running much of the meetings over the next couple of days. I also want to thank members of the NCVHS who have agreed to be members of this ad hoc work group around the table. These include Paul Tang, Bill Scanlon, Marc Overhage, who hopefully we will see soon, Mark Rothstein, Kevin Vigilante, who we will expect to see shortly, for being willing to serve on the work group, and then all the other members of the NCVHS, all of whom have volunteered to be reviewers for this process. We do realize that this is going to be a fast-paced activity, and I think we are delighted that everyone from the NCVHS is willing to participate in one fashion or another as we dip into this area and begin to come up with perspectives as well as candidate recommendations, and can being them along.
I also want to take a minute and thank our liaisons as well as our ONC leads, Office of the National Coordinator leads, for their participation. We will be expecting hopefully to see John Loonsk later on today, but also Steve Steindel from the CDC, Mary Jo Deering from NIH, John White from AHRQ who is on the phone with us. I think Mary Beth Farquhar will be joining us later on today, and Debby Jackson from NCHS, Marjorie Greenberg, Kelly Cronin who may be joining us later today, a variety of liaisons, and we appreciate their involvement.
And of course, staff support, I have mentioned a number of the staff already, but without their work -- I just want to acknowledge them for a moment. This is another summer activity for the NCVHS, and without their involvement, leadership, support, we would not be able to have this hearing. We would not be able to move into the next set of hearings, which will be in early August and our final deliberations, scheduled for later August. So we want to thank them all for that work.
I also want to thank our lead consultant on the project, Margaret A, for joining us in her work, as well as Erin Grant and Kristin Martin Anderson, both from Booz Allen Hamilton. Thank you for your help in terms of all of this.
I will stop for a minute. I think I have probably forgotten someone in terms of people we ought to be thanking. I knew I had forgotten somebody. Cynthia, thank you very much.
In all we plan on somewhere between six and eight days of public hearings. I think we started out with the initial view that it would be now and at the end of July, early August. I think we are beginning to realize that probably we will need additional hearings later on in August, and coupling that with additional time for public discussion of draft recommendations and framework, with the idea that we will have an advance draft or maybe a final draft by the end of September to bring forward. As always, given our history, this would be a very open and inclusive process, and it is intended to be as we move forward.
Let me speak broadly of the agenda, both today and I think we will also see this playing out in August. The agenda is a combination. It is meant to allow us to go both from broad framework conversations, and we will sort those out momentarily, but also getting down into the specifics relating to the issues around quality, quality reporting, measurement and quality improvement, with the idea that we will be working on both at once, using the specifics of the quality issues to help around us as we talk about the high level framework issues, but also talking about the broad level framework issues to make sure that we are not missing anything as we delve into the quality issues.
So we are going to be maintaining this tension in our conversations in talking about both at once, occasionally disentangling them, but once again, the idea is to use this balance to help make sure that we are comprehensive as well as thoughtful in our deliberations.
As always, we ask all members to come to the hearings with open minds and to listen to the multiple different perspectives we will be hearing. The issues and questions that will come before us are high level conceptual issues, and some that we have been wrestling with certainly as long as I have been on the NCVHS, issues of privacy and the balance of privacy among others. That is going to be an important one.
But I think the other part of our discussion has to be around practical guidance and recommendations, tools, technologies, other things that we can recommend to the Secretary and HHS that may help minimize any issues or risks we identify.
So I would suggest to you that we are thinking about things in two different levels, broad level conceptual, but let's also be practical and come up with specific recommendations that are actionable by HHS. This is I think in keeping with who we are and given our history of doing this for the Secretary, broad level concepts, but also giving very specific recommendations that allow the Secretary and HHS to move forward in a way that is actually going to make a difference.
So I would have you all think as well as talk about this today and in succeeding days. As nice as it is to talk at the broad conceptual level, we need to tie it down to what exactly are we going to be recommending as next step items, and coming out of this whole conversation, not today but certainly by mid-August with specific things that are doable that HHS can do to help deal with some of the issues that we identify.
I should also comment on the agenda review. One of the ways we are setting up the conversation is to make sure that each day there is time for work group discussion on the issues. We recognize that if we wait until the end of the two and a half days to begin to get ideas and thoughts from the committee, we will have forgotten some of the good ideas in all of this. So we are setting this up so that today and in subsequent days there will be periods of time just for work group conversation and discussion. We are thankful that Margaret A. is here to put some of that together and keep track of that for us, as well as hopefully providing valuable input.
With that, let's talk very quickly about the agenda. Then I will turn it over to Harry to run the sessions today.
This morning we are going to be starting out with some overall framework conversation. We are really thankful to have Clem McDonald, who is not only one of our favorite people, but also is a former member of the National Committee. We do miss you, Clem. Even though he has been sanitized in the federal government, we don't believe that for one minute. We think he will bring some interesting perspectives to all of this. We are also very thankful to have Carol Diamond from Markle talking about some of the Markle perspectives in this whole area. Once again, we are trying to get ourselves to hear a variety of views at this high level framework conversation as we begin to drill down into the quality issues.
After our first break, we will talk more about these high level key opportunities and challenges with Lynn Etheredge, and then Janet Marchibroda will be talking for E-Health Initiative. We are going to be taking a late lunch, around 12:45. Even though the agenda says we are taking an hour and 45-minute lunch break, in reality it will be an hour and 15 minutes. We will come back at two o'clock for the first of will be a variety of conversations. Then this afternoon we move into the issues about clarity of current law, relative uses of health data. We are pleased to have Sue McAndrew from the Office for Civil Rights as well as Bill Braithwaite, who is now a private citizen, but was instrumental in the development of the HIPAA privacy law, and we are hoping some conversations around how HIPAA privacy thought about a lot of these issues, recognizing that many of these things were if not explicitly contemplated by HIPAA, at least there were some implicit views of how all of this should work as perceived in current legislation and regulation.
Finally, we end up the day with a conversation from the health information security and privacy collaboration, just to see the state of issues plugging into all of this, and then once again some conversation.
So anyway, that is going to be our plan for the day, plenty of conversation and hopefully plenty of time for interaction.
With that, I will stop. Harry, do you have any opening comments?
MR. REYNOLDS: No, you are right on time. It is 9:29, and we are ready to go. With that, as Simon mentioned, our first panel is Clem McDonald and Carol Diamond. So we will just go in order as it is listed on here. Clem, why don't you start us off?
Agenda Item: Key Opportunities and Challenges in Framing uses of Health Data
MR. MC DONALD: I appreciate the chance to return to my old home. I am fearing that NCVHS has been dispossessed, because the last time they were out at NIH and this time in Hyattsville, and what happened to the Humphrey Building, did you lose it.
Twenty minutes, is that the scheduled time? I better not discourse. Don't take me a being a representative of NLM. This is not sanctioned position necessarily. It is my thoughts and experience. I am going to cover a lot of subjects, some of which will reflect what I said at AMIA, and I will try to answer the questions at the end.
Some of the questions were, what are the sources of clinical data that are used for secondary purposes. There are lots of them, labs, medication orders, radiology reports, dictation, EKGs, lots more. The neat thing about it is, there is a lot of electronic data that is sitting there for the taking, and Carol and I have similar views on some of this, that it is a shame that we aren't using it more and better.
Administrative data, which I think is unfairly maligned from the researchers' point of view. They go, it is no good. Well, nothing is any good, depending on what you use it for. Oxygen is bad for you in too much quantities, and water if you drown in it is not so good. So I think it is a shell. It is very predictive under many circumstances, so it is good.
Tumor registries. There are 25 million records roughly in the U.S. around the country, cardiology database, ACC, ATS. Each of those databases, one is the bypass surgery, the other is catheterizations, has got two or three million records. In some states I think it is 70 or 80 percent of all the cases now going forward. Federal ESRD database, all the end stage renal disease has been meticulously recorded and measured for at least the last four or five years; I'm not sure how long it goes.
Outpatient medications. Pharmacy benefit managers have them all, just about all. Pathology, paraffin blocks, there is genetic data sitting around. That is good, not bad. I will come to that later.
Medicaid procedures and diagnosis, Medicare we all know about. Medicare is really getting to be like a medical record. It is not just administrative, with the drug data included and some of the additional stuff on the new Medicare patient being collected.
Social Security death tapes. It is not a lot of facts, but it is very important in predicting things. Death is the numero uno outcome. There are lots of special federal collection instruments. Oasis, disability, Medicare deducted exam, et cetera.
The uses. You are asking about secondary uses. Public health, this group probably doesn't need to hear more about that, but there are lots of good public health uses of this, collective quality and cost control, performance improvement, statistical feedback. Prospective feedback to clinicians to be sure they get the things done on the patients where we know what needs to be done.
Personal health records, lots of opportunities there. Commercial uses. I bring that up because it is the scary part of all this. In my thinking about what I saw about things, I say very strongly we should do X, Y and Z, but everything is set for selling the data, we get into tricky spaces there, bad, maybe dark side-ish, and fearsome to the population of patients. There is marketing, market access, feedback to physicians statistically. There is valid commercial uses, but I think we should cage them in some ways.
Research uses, epidemiology in general, early discovery of drug toxicities, Vioxx is the poster child that likely would have been detected with a sufficient database much earlier than it was. Cost benefit and variation; Windberg's work. Someday in the next ten years we are going to have to figure out what is really worth it of all the stuff we do at the trillions of dollars a year. It isn't all worth it. We know that now really, but we spend profligately. These databases would be a major help to that. The inverse of that is the value of new diagnostic and treatment technology. We could just follow some of this stuff and see how well it is doing. The coded stints that kill you earlier or save you longer, those kinds of issues can come out of that.
Recruitment of patients into studies. It is a shame we have such barriers to that with the databases that exist. These are free human beings who can say no if these things are done right, but we protect them even from the opportunity to be asked, the way I read it.
Longitudinal followup. There is a theory about clinical trials that is really appealing, that historically we spend gazillions of dollars per patient, do modest sized studies that don't product convincing results, whereas the large simple trial says, more or less, randomize the patients. You don't limit them in a whole lot of ways. Get a whole lot of them so you don't have to collect so much data to do adjustments, and see what happens. In the most extreme form you come to the pharmacy and randomize the drugs, and they would wait to see who lives and dies. This is maybe trivializing it, but there are some opportunities to do things like that on a large scale and really understand what we should be doing going forward.
Then the issues. We have a huge shortage of evidence for decision making. Clinicians are faced with zillions of decisions, and the research we have, the evidence we have, really just covers a smidgeon of them. Preventative decisions, some are cardiovascular interventions, some anticoagulation interventions. We have minimum help with special circumstances like aging, comorbidity, how one should change a decision based on those realities, little help with decisions about diagnostic testing, surgery, use of devices, and almost no help regarding cost benefits. Brian Ames and others have written about that. You need so much more data, you need large sample size to get those kinds of estimates. The studies say do or don't do, not how much it is worth.
In some ways we worry about the small stuff. We have this incredible interest and intensity in doing perfectly the five percent of care interventions we think we know how to do, so we make sure we do them the way we think we know how, and 95 percent just float and wander around, and we have no idea whether we even should do them. So somehow there is an imbalance there. These gaps could be filled in with the right population based data.
So the prime directive to me is to pull together the data that would let us take advantage of all the data that exists. This is not just for secondary uses. It would make life easier in primary use as well, if it wasn't such a struggle to get a whole net result, and know that the patient didn't pick up their drugs at the pharmacy, and on and on. So the separation -- it is important to emphasize the secondary uses, but we shouldn't forget it is almost the same kind of work we need to do to use them for both.
This could be used to assess the effect of the services we provide at so much cost to so many with so little benefit. That is my belief.
We have to overcome the usual wall of entropy to pull the data together. I started fiddling with the equation; you might be able to actually measure why it is so hard. That is, there are so many independent bodies and so much movement in each of those bodies. You could maybe convert it into an equation and quantify it. But the equation is really hard.
Regional is what we should be focusing on. I'm not going to argue for that now. Then all the things you could roll into it, the RIO model I believe as being the way that is most practical, but I come from that school.
Many of those who did the standardizing work in overcoming this entropy would get paid back and motivated if they could get easier life out of the other people doing that same standardizing and unifying.
Why is it hard? The same reason that houses and desks become messy if you don't work on them. There is an immense amount of entropy in the process. I couldn't prove that with this formula.
That is not right. Major points of disorder is not the right word. I have a new secretary. I didn't really mean to say that. But we have major things that we have to reorder or get better in order.
There is patient IDs across sources. Life would be a lot better if we had a universal patient ID, but that is not going to happen. We have to be aware that is a problem, knowing this number is the same person somewhere else, so that we can make this whole out of the parts.
We need a standardized data structure to know where to put things in the field and files. The solution is the standard data structures. I want to emphasize this staff data structure. I have been talking with Medicare and others; they don't know how to think about the standardization when they think about a group as being a field in a database, rather than as it is in most clinical systems.
There is an issue with that. They just don't know that there is this handle on the variable that itself goes to a master file and then a place where you have got to standardize things. It is an interesting discussion, and I think I am making progress with them.
The basic issues and problems don't vary with the use. There are some exceptions. When the use requires data elements that are not now available, so they want to declare a use space and they go, you have got all this data, but you might not have all the data you need for that particular application that is not now being collected. Or if it is collected, it is collected irregularly, and not entered into anyone's computer. It is scribbled on little pieces of paper.
We have to realize that that is an additional level of work to collect that and do that. It is not just, get them to do something different; it is, get them to do more work. It may be the right thing to do, it probably is, but we should be conscious that there often is extra work, and someone has to absorb the new data collection costs.
An example of this, office testing systems. When you think about performance measurement, a lot of the instruments are like a thermometer. They stick the blood on it and they read it just like you read a thermometer, and you write it down. There are no electronics in it to get anywhere else. Further, if you do the collection, you can't just get by with putting a number down, you have got to record the test, you have got to record the date and time, you have got to record who did it for the quality assurance stuff, you have got to record the patient ID. So there is a fair amount of labor in that, and we should focus on some of those things because they could be made easier.
The other exception is when the data is being sold. I really don't know how to think about that. I think it raises a lot of -- when I was in Indianapolis it raised a lot of terror in my mind, because it changes the whole dynamics in the collective thinking about it. All of a sudden the institutions start thinking, billions of dollars, and it changes everything in not necessarily a good way, I think in a bad way. Plus, it makes everybody suspicious, and maybe rightly so. If you say it is only going to be used for research and public health and those kinds of things, the whole business, the scariness tones down.
This is the flats versus stacks. I want to talk a little about this. Think bingo cards versus playing cards. Has everyone here played bingo? It may be an ancient sport. On the bingo cards are numbers and the information is all attached to one big block, one chunk. You can't shuffle the numbers on a bingo card. But when you get dealt playing cards, you can shuffle them, you can sort them, you can move them around in different ways.
In the flat structure the variables are defined as columns, flat data structure. This is the traditional way for research statistics and administrative, government databases. The stack structure, the variables are more like playing cards. On that card is the patient name, the date and the number and the value, and you can shuffle them around, you can mix them up in different ways.
That is the way all the clinical systems are built. And it has many advantages for flexibility and blending data and merging data. This would be the flat structure, where you have one record. This is one of the cardiology databases, some of the data that is in one of them, and this would be the stack structure. What is a field column in the stack structure now becomes a value in the table. This is maybe long, complicated and subtle and may not be a good thing to talk about today.
But if we think that way we get less confusion. If we clarify those distinctions, there is less confusion and discussions about standards and how to shift data around. I am praying that more of the large administrative things store the data that way, because in the research world they make up these data sets, and they change one element in the question, then they make up a new data set. Lo and behold, after awhile they have 25 data sets, most of which are the same and no one knows how they are different. Whereas, if you formally decide, this is the variable linked to a specific external thing, you can change one of them, and you still know what is all the same.
Now, linking patient identifiers across sources. Different sources randomly pick different identifiers, more or less. That is how it comes out. This is solvable with linkage strategies, at least within restricted scopes of time and space. Shorter periods of time, it is easier because people have moved, smaller geographic areas, it is easier because you have fewer people.
I would just say, don't make it worse. We could make it impossible to do linking if we get even worse on what fields can be moved and shipped around. I don't know if everyone knows which ones I am talking about, but the tighter we get on this, the more impossible we make it. Then if we get to a certain level it actually becomes evil for patient care. That is, you will make mistakes, you will get the wrong data being linked in, and you are going to think the wrong thing. Research can tolerate a little more error because you are making statistical decisions.
Then an action maybe for this committee in terms of HIPAA which I am going to defend -- I don't know if I was defending it if I was on the committee -- was to consider opening the way for one-way hashes. I can't give you the formulaic way to solve them. I don't know enough about all the issues, but the one-way hash more or less is the thing you stuff in the patient's ID and convert it into something and you can't reconvert it.
The advantage is, let's say you have a research database, collecting data at huge expense. The Women's Health Initiative would be a good example. You would like to make it cheaper. You would like to hook into Medicare data to find out the big outcomes. You can do that under IRBs and all the rest, and then you get all the registry data from both sides. You do a lot of work and you link them together, knowing all the facts about the registry data.
Going forward, if you could use hashing techniques, they could both independently do this hash. There would be no need to expose this data going forward. There are issues because you can't do nearness matches and things with hashes.
Now, we pleaded in the HIPAA process, letters came from five universities, arguing to allow hashes. The response was not only no, but damn, no. So it is in the regs that we can't do hashes, partly as a result of the fact that we asked for them. I apologize for that. But we ought to really explore that, because it could be less patient privacy risks with this kind of approach, trying to do the kind of research that would be valuable and less effort to do the linking if you could send around these unidentifiable things and link them back together. But there are issues, and I don't want to trivialize them.
Vanderbilt University has gotten permission to do some kind of a one way hash with a very large thing, doing some additional things. So I think it is doable in a way that everyone would be happy with.
An aside, this stuff about privacy, this is strictly Clem talking. Even if I am sanitized, I want to say this one thing. I think that we have gotten ridiculous about privacy at the edge. It might be possible, maybe someone might someday, but shoot, they drive a motorcycle without a helmet and they don't worry about that. People shouldn't be so darn selfish. This is going to help us all, at least in the research scope, and it is not useful if 20 percent pull out. We don't know who that 20 percent is. And everybody gets their health care paid for indirectly by the society, and we all get tax benefits on our commercial insurance. So someday, someone should say, hey, let's not be so me, and think about us. With little minuscule tiny risks, someone might think they know who you are, someone in a private office somewhere, but it doesn't seem to balance out against what the good should be from all of this.
There is a wonderful leader of the Genetic Alliance. I am probably quoting this wrong, but they argue more or less that everybody should get their genes up too, because we will all get cured that way faster, at least certainly those people who have genetic diseases. Enough said.
A second aside is, deciding what is right is much tougher for selling the data uses. I would like to carve that out, and say everything I say doesn't apply to that.
We have got to deliver information in a standard data structure. This problem is solved, as far as I'm concerned, for most clinical space. HL-7, NCPP, they are delivering this stuff in billions of messages a day. Empirically I actually was very critical of the messages, because in my job at Regenstrief, I had to review the bad messages and fix them. I thought, we are getting all these terrible messages. Empirically like 98.5 to 99.5 are good, so it is really a small percentage are bad, where you couldn't automatically flow them in. So the syntax is not the problem.
The bad stuff, they just stuff things in the wrong fields, and someone has got to make them do better. You guys could help that. Almost every clinical system has these things. Variables across sources. Variables are invented randomly. We need to have a code. LOINC is one for many of these purposes, and won't go into that too much. The slides are in your hands. I didn't do a handout, but they are on your machine.
What we should do, could do to make this life easier is encourage and incent the producers of data to make good messages. Don't encourage doctors to buy systems that collect bad data. Then they have to spend $15,000 per provider on consultants to make it right. It would be so much cheaper to get the senders and incent them in some way to make good data. Instrument vendors could stick LOINC codes into their instruments and emit them with the variables. They know what the variables are. It would be the easiest place to do it.
There is another set of issues. This was at HL-7, if someone doesn't know it. Medical records. The medical record is like a modular house. It is made up of a bunch of stuff. The message defines the structure of the module. We don't need a separate structure to define the module inside the record and outside the record. In fact, that would be bad. You are not going to get much if it doesn't come from the outside, and you have got to send it out to somebody else. So keep thinking modular, and don't keep finding gaps to invent still more standards, so we have even more to deal with. Just get on with it. Stop looking for the gaps.
We are almost done. We ought to squish CDSC and HL-7 together. There is another split developing in the research side versus the clinical side. I don't know how you do that, but something needs to be done there to get them squished.
Focus on the senders rather than the receivers. I have said this already.
DR. COHN: Clem, what does CDSC stand for?
MR. MC DONALD: CDSC is a fairly large and important and effective organization working primarily through pharma to standardize steps. They have got a lab message standard that is somewhat like HL-7, but it is different. They have got a transmission standard to FDA. NCI is very involved with them. But we are creating this separation -- I worked in an academic medical center for 35 years -- that is goofy. Research works here, but it is the same patients, same data, same labs.
DR. DEERING: It is a very bad acronym. CDISC stands for clinical data interchange standards consortium. In fact, in a few areas they are working very closely with HL-7, especially on modeling in some fundamental areas.
So in the area that they overlap, I think there is a lot of squish.
MR. MC DONALD: Well, it is not enough. I have been in this game a long time, and people always look like they are working together. They have got the head standard, that is another one. It is not really this, it is not really that. It is nobody's fault in some ways. It is just this entropy thing. There are good people on both sides. Enough said on that.
To answer your question regarding facilitating quality data gathering, I mean, gathering data about quality. We need to make it easier to gather the needed data, encourage data exchange. Too much work is required to gather it. Hand-held lab machines, I mentioned about that.
If they build LOINC codes as input they probably need little scanners to scan a barcoded patient ID, because the boxes won't necessarily accommodate a great big interchange engine. HL-7 outbound. If they printed the whole results of the 2D barcode, someone could scan into the medical record. Somebody had to think about this problem. There are tools and pieces around that make it a little bit easier without a lot more expense, I would think.
Current privacy regs. Administrators do over interpret HIPAA. They say HIPAA says no when it doesn't. We can't do that because of HIPAA. Well, you can. Despite my fussing about it at the edge, HIPAA really is useful, and it is well defined. You can figure it out. It is written down. There are a lot of people that know about it. There is a whole legal industry that has built up around it.
So leave it alone. That would be my strongest suggestion. I think we cannot make progress faster by major changes to HIPAA. So don't start over. There are just a couple of little things, but maybe if you open the box you are going to blow it all up. You don't need anything tighter for security.
I keep coming back to selling the data. One tweak to consider is the one-way hash; I mentioned that already. You could do this updating once you got to figure out who they were, and you could make a lot of research problems easier, I think. Use this where protections may be low.
When it is sold, things get complicated. I am assuming it can only be de-identified when it is sold, but I don't know about that. Even then, with complex data sets, we get this complicated balancing act. De-identified is not anonymized. Everybody accepts de-identified, the way the rules work. We have got to be pretty cautious about complex data sets, even when it is de-identified.
At NIH, for example, the DB gap, they are not going to give that out and put it public, even though it is de-identified, because who knows -- we are really young in this area. On the other hand, you don't want to declare that it is really identified data and have all the things you have to do with that. So there is an interesting balance.
But I do think we have to be cautious, researchers and users have to be cautious about de-identified data. It is very complex in its nature.
Special cases. For research we should make it easier. I said this already. There are great opportunities to help each other and our children by withholding our data. You get some fantasized risk in some cases. There are some risks. The risk is, the insurance company might find out. But people should read what they sign when they set up for life insurance. They tell them, you can get all my data, so nothing we do in privacy protection will help stop that. You have already given it away when you buy the insurance.
Employer business is another set of issues. There should be some laws there. We should not require consent for de-identified or limited data sets. If anybody is thinking about that, we might as well forget about secondary uses, it becomes so impossibly complex. As I said, all of health care is paid by a part of society, and we should be more generous about our data. As I said, we are just being greedy buggers by forbidding its use.
RIOs I think are the sine qua non for most secondary uses. I can't conceive of another structure of RIOs or some variant of RIOs to get all the data put in one place.
I don't think we should do a national database. First, it is too hard, secondly you don't need it, and thirdly there will be political eruptions about that.
Question six, collect for other uses. Yes. This is my experience when I was at Regenstrief. Mark can tell you better. Public health. We used it for research, for de-identified research across all the institutions, but we were not allowed to compare sources. There are other parties who have interests in the data than just the patient. One has to be cautious about what we might be doing to them and how they would cause eruptions if one did things to them. There are doctors, there are hospitals, there are lots of issues where you might invade their business interests which wouldn't be fair or right when they are giving you the data voluntarily.
We could do identified data research with probably IRBs from all of them, if they wanted to insist on that, or you really need only one. There is a magnificent performance project. Mark just got in; he probably can talk about that, involving payors, hospitals and office practices, where they all share the data in a limited way to achieve the goals of this. It is brilliant.
Uses of data for research, de-identified, you scrub the text and you remove the forbidden fields. Don't make it public. Only qualified researchers can look at this complex data set. Limited data sets are available that need a little more work, and I mentioned IRB. I think that is really all.
That is all I've got.
MR. REYNOLDS: Clem, thank you. We will move on. Carol, go ahead and present, and then we will open it for questions afterwards.
MR. DIAMOND: Thank you for inviting me. It is a pleasure to be here with you.
I am Carol Diamond. I am with the Markle Foundation. I am going to touch on some of the things that Clem raised, but also try to make some comments that I think you were looking for in the agenda in terms of context and framing for these issues. I think it is very critical to getting this right.
I have probably three key points to make, but I'm sure I'll stick in a few more. The first is, I think we have to reset our definitions and assumptions about health data. I want to try to encourage articulating a new set of working principles. I want to encourage the development of an information policy framework that broadly addresses both what the public wants and hopes for out of health care and also what they are concerned about.
Just a little bit of background on Markle and Connecting for Health. As many of you know, Connecting for Health was established in 2002. We have testified before this committee many times in the past, although it has been too long for me.
Our simple goal is to accelerate health information sharing environments that improve quality and cost effectiveness of care and bring together public, private and not-for-profit groups. Everything that we have published and worked on to date is available on our website.
We have had three historical areas of focus, technology and standards, policies for information use and the role of the consumer. We never uncouple these three in our work, because we think they are part of a piece, and they are all necessary.
For the last several years, at least for the early years of Connecting for Health, we developed a view of what information sharing looked like. In the road map that we wrote in 2004, we described it as a decentralized open standards based information network or network of networks, was the term we used. We proposed a common framework of both privacy and technology attributes that would accept and encourage local innovation while achieving interoperability and portability.
It is based on a framework of privacy and built on a model of trust, which can't be instilled in the system. It has to be built from a trusting place.
There is this other piece of the information sharing that we are looking for, which is to improve quality and safety in public health. So it is time now for Connecting for Health to start to turn to some of those issues.
We started this work by talking to people on the steering group, and asking them what they thought about the current state of public health research and quality was. I will share with you a couple of those comments, but in general there was a lot of concern that there wasn't a cohesive approach to how we handled public health data. When we started to talk to some of the people who actually hold clinical data, what they tried to impress upon us was that there are so many people now asking for that data in so many different ways -- a new quality initiative, a new P4P, a new public health requirement, a new reporting requirement, research being done at the institutions. In fact, it was coined the 800-knot problem, that there is no 800-pound gorilla anymore, but there are 800 knots, because every day somebody is asking for another slice or another cut for some purpose.
In our initial approach, we tried to think a lot about what that meant and how to improve it, and I will share with you how we evolved from there. But I do want to also say that for the steering group there is a shared vision, and we were able to solicit that. These were some of their comments. Again, our steering group is made up of some of the people in this room, and also a broad slice of public and private health care leaders.
Research should be a normative part of health care. Every intervention with a patient is a chance to learn something. The data must be incorporated with decision support and remeasurement, not an episodic hiccup of the data dump.
I have been saying this for 20 years, folks, where is the data feedback loop? The only way to improve the process is to extract the information from that process and send it back to the person.
What we got from these interviews was that clinical care is over here, and quality and public health and research is over there. There is a huge wall between the information that is used in the clinical setting and the information that is gathered for these other things, and a recognition that that gap is very detrimental to providing high quality care. It has been written about for two decades. I don't have to tell this committee about IOM reports or RAND studies or other people who have looked at these issues, and have pointed out not just that there are holes in the evidence base, but where we do have an evidence base we don't apply it all of the time.
The lost in translation term, this is from the 2003 New England Journal piece, but there are many pieces and people who have written about the mixed opportunity we have in taking information about lots of people and applying it to the point of care to make a better decision for that person.
Instead of trying to tackle the issue of the 800 knots, once we realized that we were probably trying to ameliorate a situation that wasn't ideal anyway, and just making it easier to send data to multiple sources wasn't really the objective, although we thought that for a short period of time, we tried to set out at least a shared vision of what it is we are trying to achieve with health data.
So we wrote these little vignettes that are meant to imply some idealized future state, as a way to say this is what we are shooting for, and as a way to shape our thinking toward that.
One of the vignettes which I am just going to share pieces of with you is about a physician in a small four-doctor internal medicine practice. He is seeing a patient who is coming to find out about whether or not she might be a candidate for switching to a new oral hypoglycemic. It has only been on the market about 18 months.
We tried to show an infrastructure that would be available to the physician that would allow him to look at not just what are the studies on this drug, but how is this patient's glucose control historically trended against patients like them, with the same characteristics, with the same risk factors, with the same attributes.
We tried to also suggest that for a learning opportunity at the point of care, the network might also help this physician look at themselves and their ability to achieve glycemic control against other physicians with similar patients.
This is a very different model from the static and somewhat historical and retrospective model we have today for quality for public health and for research, where we try to look at data historically, and then provide maybe sometimes, not always, some feedback back to the clinician about their care a year ago for a population of patients with a particular condition.
The upshot of this vignette is also that even for areas like public health, there are opportunities to think about the use of information from the decision maker's point of view. That is where information has the most value.
In this case, the patient also had an upper respiratory infection and although the literature told the physician that there was a particular antibiotic that was good for this bug, there was some community data available to the physician to suggest that there might be an alternative antibiotic that might be more suitable.
This kind of a system, where you are always finding and learning about what is working and what is best for patients, I think is really the goal of all of the uses of health information. We sometimes forget, and particularly in the last decade or so, that the purpose of research in public health and quality is not data collection or reporting. It is actually having an impact on someone at the point of care, on making a better decision than they would have otherwise. That is the point of it all. If it can't be used by someone who is in a decision making place at a point of time, then it doesn't achieve its full value.
We did similar vignettes for the consumer and for the policy makers, and these are all available and can be shared. I don't want to take the time to go into them. So I am going to suggest three points here about trying to reset the paradigm.
I recognize fully, having worked on some of these issues for the last five years intensively, and prior to that, that these are complicated issues, and there is a tendency to try to find quick and easy fixes. That is what everybody wants. So every time we engage in some of these conversations, there is a temptation to believe that there is a silver bullet that is going to fix all of this and make it all simple.
I am going to try to raise three points that hopefully can encourage some further conversation. The first is on primary versus secondary use. I don't know what definition the committee is using for primary and secondary use, I tried to poke around, but these are the two definitions that I found most prevalently used.
What I worry about is, in this definition of primary use it says data collected about and used for the direct care of an individual patient. My challenge is, is that really all you need for high quality care of an individual patient? Don't you need all the things that are referenced in what is here defined as secondary use to make a good decision?
That separation to me is something that I think is an artifact of an old paradigm. It is an artifact of a paper-based world. It is an artifact of not thinking in terms of networks and information mobility and agility, some of the points that Clem was raising. I don't think our policy discussion should perpetuate the historical gaps in knowledge that we have had in health care. I think we should really think about challenging this linear kind of thinking.
In my view anyway, health information should flow in a continuous and virtuous cycle. The policy process should not create camps between the simple value of data and the population value of information. The point is, if data collected for population health is valuable, it is valuable because somebody was in the position of making a decision and made a better decision because of that information.
I think the policy framework should protect the individual's rights and society's interests by articulating the appropriate and inappropriate uses in the context of notification and control. This framework has to achieve both the goals and the protections. I think that is really the challenge.
The second point that I want to talk about is consent, in the sense of, this is not a magic bullet. Very often, and I think historically, you hear very polarizing conversations about consent.
My two cents, having worked on this in Connecting for Health, is that the issue is not so much of only consent, but what is it that you are consenting to. That is really the critical question. The consent alone, we know, doesn't protect privacy. We believe there has to be a suite of interdependent tools. These are policy and technology options.
And consent is subject to real world limitations. I offer you two clear limitations. One is, because of the operational realities and the overworked health care system that we have, when consent is obtained, very often it is blanket in nature. We try to get consent for everything that we might need to do so that we don't have to go back and create yet another process.
The second is meaningful consent. The very nature of health care and the very nature of peoples' state when they interface with the system means that you don't always know exactly what you are signing when you get into that ER. Take it from me, an informed consumer, I understand a lot about policy, technology and health care. Yet, when it is a family member in the emergency room and you are consenting to a whole host of things, this isn't a time where you make always the same decisions you might make if you were sitting on your living room couch relaxing.
So I do think consent is an important issue. I would hate to see this committee perseverate on it in the absence of a broader set of issues that can when working together really create the framework that can protect privacy.
In Connecting for Health we developed a set of principles that guided our work. The technology principles here, I have mentioned some of them and I don't need to go into them.
These were our privacy principles. We didn't make these up necessarily. This was a hodgepodge of fair information practices and some of the OECD privacy principles. These principles, once we established them, helps us delve into policies. I want to make the distinction between principles and policy, just to elaborate some of these. On the principle side, purpose, specification and minimization. I am hoping I don't have to belabor openness and transparency. Specify the purpose for which you are collecting data, and make that purpose as narrow as possible based on what you need it for. Collection limitation; collect only what you need for that limitation. Use only the information you said you were going to use for the purpose you said you were going to use it.
All nine of these principles are part of the piece. If you overemphasize any one, like number five, individual participation and control or consent, in our deliberations we saw quickly how that can undermine everything else, because once you have consent, why worry about everything else. Yet, everything else is part of creating a substantive set of protections.
When we did the common framework, you will see here in this schematic of it that P1 is a set of principles, but we did not stop there. We used those principles to articulate policies for health information sharing, which is what we were focused on. We focused on things like the models, policies and procedures for an HIE, notification and consent, matching, authentication, patient access, audit, breaches, and even data quality, which is the technical column, the T column. But all of these issues need to work together.
If you boil down the common framework, there are essentially five attributes of the infrastructure it envisions. It is obviously decentralized and distributed; I have already mentioned that. The common framework dictates for policy reasons the separation of demographic from clinical data on the network. I'm not talking about what is an enterprise database, I am talking about what is on the network, what is wide and shared.
Maintain a flexible platform for innovation to enable interoperability. I think Clem said this in another way, but don't get so specific and design so many detailed specs and standards that you begin to thwart both participation and innovation.
Implement privacy through technology. I think this is a key opportunity in the information age. Clem mentioned one-way hashing. We had enjoyable and hysterical debates over one-way hashing over the years, but I think all of these tools have to be brought to bear in creating an environment that achieves both public expectations and addresses their concerns.
The third thing I want to talk about is the lockbox. This is another magic bullet conversation you tend to hear. That is, the only way to really protect the data is to lock it up somewhere and just give one person control over it, and that's it. I think this is again an artifact a little bit of papers, not mainframe thinking, which is what we are talking about in a network environment, in an electronic environment, is copies of information. These are always going to be copies. You can't source delete. Somebody in one of our committees said, don't take the little file icons on your PC literally. You cannot eliminate the source of that data. Just focusing on putting it somewhere or putting a copy of it somewhere doesn't address the broader health ecosystem in which the original sources live. I think that has to be contemplated.
Again, my message is not that there is an easy quick fix silver bullet. My message is to the contrary, that this requires a comprehensive set of work and that based on this committee's history, I know that is possible. I know this is a very thoughtful group, and you will give this due consideration.
In terms of where consumers are, I just pulled together some very brief data from surveys we have done and that others have done. Both of these pie charts are relevant, actually. Four in five -- when we asked them, would you allow medical experts to review millions of anonymous health records to determine what treatments work best for different diseases? This would allow your doctor to have the most up to date medical information, expand their knowledge about different treatments and diseases. Eighty-one percent of the total agreed. Similarly, when we asked about, do they think it would improve health care quality and reduce medical errors, 80 percent said yes.
But Americans recognize both the upside and the downside. I would say that is the positive in this, that they see both the positive and the downside. There has never been a survey on privacy and security of health information where somewhere between 80 and 90 percent haven't said, I am worried about privacy and security. We all know that, we have all seen those surveys.
Two pieces of data on the fear of misuses. One is from CHCF and the other from the public policy center survey. Fifty-two percent in the CHCF survey said that they believe the employer uses medical information to -- or would use medical information to effect personal or insurance benefits, and 85 percent believe if a genetic test result is known to insurers they would refuse policies or charge more. So these are some of the fears that people have about the misuses of information.
In our most recent survey from December, three-quarters of Americans said they would be willing to share their personal information to help public officials to look for disease outbreaks and research ways to improve quality of care.
I'll point you to one other very relevant study which comes from the VA. Actually Joy Priss pointed me to this study, and I would encourage the committee to take a look at it. They looked at the veterans' willingness to allow researchers to access their medical records, and what they found is summarized in these bullets. They are willing to share, but willingness to share doesn't mean they were completely willing to cede their control. They want a say in deciding how their medical records can be used in research.
They were most willing to share their records with VA researchers. They placed the highest level of trust in them. What that higher trust translated into was, they were willing to accept less stringent consent procedures. In other words, they said for VA researchers, maybe current policies and procedures didn't need to change.
I don't think this is the be-all and end-all on this issue, but I do think it is a really important study, since there aren't that many of this nature, and I think it is an important data point about peoples' attitudes toward the use of their information in social science and medicine.
We have been developing a set of first principles for population health. They are built in our historical work, the common framework, the visioning scenarios which I shared with you in part, some of our steering group interviews, and the road map.
The first is designing for decisions, that this is all about making a better decision. Clem touched on this as well; I won't belabor it. Design it for many. But the network should enable analytic tools to support consumers, families, health professionals, policy makers, public health officials, that everyone who touches the health ecosystem is a valid beneficiary of health information, and they have to meet all the diverse requirements.
They have to be shaped by public policy goals and values. So the public policies have to be made explicit, subject to public discussion, and then architected into this technology at the outset. You can't leave these policy decisions for later. That has been my soapbox anyway for a very long time, and I won't belabor it.
It does require change. The big change for us in talking about population health versus health information exchange is that we suddenly felt, uh-oh, this is not greenfields. When we started talking about health information exchange in 2000 and two, three, they were greenfields. Not many people were doing it except these two guys to my left here, so it was really greenfield, and it was a different conversation.
Once we started moving into these areas of population health, there is a lot of siloed infrastructure and a lot of legacy built into these areas. I think for the kind of information sharing and the kinds of benefits we are talking about, it is going to take a lot of leadership and a lot of commitment to a different approach.
The fifth is just that it has to be possible. This is certainly something Connecting for Health has always focused on.
The sixth is something we call distributed but queryable. Clem talked to this when he talked about linking information, not data, and not having to expose the data necessarily in order to do analyses with the one-way hashing. But these are the kinds of tools that we have to start thinking about. Rather than every time somebody needs to do some sort of an analysis, they have to collect all the data they need for that analysis.
What that has created for us is enormous redundancy, an enormous number of silos and an enormous number of different kinds of requests and requesters, and it is hugely inefficient.
Trust your safeguards and transparency. I won't belabor this because I have already talked about the importance to protect data. But the policy architecture needs to develop clear rules and guidelines, and the process of creating those policies should be inclusive and transparent.
But there are layers of protection. Layers of protection are meant to say that there are many classes of authorized users who might be able to use information garnered from data, but that the more you get to riskier levels of exposure, whether it is getting to partially identified or re-identifiable data or what have you, the more you need to factor in those protections.
Then finally, this good network citizenship. You can have all the policies in the world you want, people have to follow them. That is really the key to this piece.
So a starting point for you, and I know this is a complex test, but like I said, this committee has an enormous track record of very thoughtful, very meaningful work, is to consider resetting the terminology to support the desired paradigms, and not to perpetuate a paradigm that silos research and public health and quality over here, and doctors and clinical care over there. I really encourage you to think about the paradigms and the goals for a connected health care system, and set a paradigm that will achieve that.
Emphasize that health and health care improvement depends on information continuity and availability across health and health care in a climate of trust. We can't achieve a high performing health care system or a high quality health care system unless we continue to learn what works, what doesn't, and apply it to the point of care.
I would engage stakeholders as you do in a constructive forward looking process toward a shared vision that addresses both technology and policy. I encourage this committee not to focus only on policy. There are many, many technology options that can enforce and strengthen those policies.
There is definitely work to do in identifying risks and classes of information misuse and the classes of technology and policy protections that are available. I really urge that at the end of this process, once you make those recommendations, that the framework establish the policy and technical requirements that any federally sponsored work on population health must achieve. This is the same data we are talking about in quality, in research, in public health, in drug safety. This is the same data.
The example I have been using lately is, what is the difference between a cardiovascular event after Vioxx versus aspirin after an MI? This is the same data. We have to create an environment where everybody follows the same rules of engagement if we are going to stop the redundant building of these silos or masses of information and databases and have a network that is more in line with all that information technology has to offer.
Thank you.
DR. COHN: Harry, do you mind if I jump in for just a second before we do questions? First of all, I want to thank our presenters. I think it has been a great start. We do have two members who have come in since we did introductions. I do want them to introduce themselves, identify if there is any conflict of interest. I also want to afford an opportunity for the members, who none of them indicated any conflict of interest, to disclose their involvements with any of these activities that we will be hearing testimony on today as a matter of course at this point.
So Mark, do you want to start by introducing yourself?
DR. OVERHAGE: I am Marc Overhage at the Regenstrief Institute and the Indian Health Information Exchange, and member of the work group and the committee. I think I am conflicted on everything that you will hear in the next day, one way or another.
DR. VIGILANTE: My name is Kevin Vigilante, member of the committee, Booz Allen Hamilton. I don't believe I have any conflicts. However, I do want to point out that two of my colleagues from Booz Allen support the AHIC work group. I don't think there is any conflict, but I just want to state that up front, that if anybody is aware of any conflict that might create, please let me know.
DR. COHN: Any additional disclosures by any committee members?
DR. TANG: I can say that I am chair of AMIA, whose work is also represented in our discussions, and also a member of Markle's Connecting for Health program.
DR. COHN: Marc, before I proceed on to our Internet conversation, I do want to query you. It is very humorous in some ways to talk about conflicts, but if indeed there are real conflicts, you are going to be very quiet today, I suspect. Are you dealing with conflicts, or are you just involved --
DR. OVERHAGE: I think that is a very fair point. Involved in many. I don't feel conflicted.
DR. COHN: A final comment, and then I will give it back over to Harry. We are on the Internet at this point, and we want to welcome those listening in. This is a meeting of the National Committee on Vital and Health Statistics, the ad hoc group on secondary use of health data.
So, Harry?
MR. REYNOLDS: Carol and Clem, we put you up front to kick it off well, and you sure did. I think you gave us not just an overview and not just a primer, but some things to think about, and we appreciate that.
DR. CARR: Yes, thank you, this was fantastic. I think you give us pause. We have struggled with incorporating the term secondary use into even the title of the committee. I think your plea, Carol, to talk about all of the uses is very compelling.
But I look to Clem, because it seems like we will have all the uses except selling data. How does that fit in with this?
MR. MC DONALD: I think because people understand primary and secondary use, I don't think it is a term you necessarily want to throw away. I think you just want to keep planning that they are the same thing. It has meaning in peoples' heads.
But I am only saying that I can make passionate appeals to do certain things that I think there shouldn't be barriers to, given HIPAA definitions and how people should behave in those domains. I don't know if that same -- there is more complexity when it is sold, that is all I am saying. I would carve that out as it needs further detail and analysis.
It just gets more complicated. Just be sensitive to the complexities. When you can say the patient should give their data for the purpose of helping humankind with health care research, it might become different if they find out that the doctor is getting a hundred bucks per record. I guarantee you, it won't feel the same way to them. Everybody gets greedy. So it is just a real big caution, that's all. I don't have an answer or a solution.
DR. TANG: One more disclosure. Clem is the godfather of my dog. Having disclosed that, I can unabashedly say that I think these two speakers have absolutely captured and distilled the issues before the entire committee. I think that we can get a lot of expertise and advice from these two.
First, I got a lot of what Carol said in terms of primary and secondary. I think this is artifactual. It is just a way for us to sugar coat what we are trying to do, which is prevent malicious harm to patients through the use of their data.
MR. DIAMOND: I agree.
DR. TANG: We have tried to sugar coat this by calling it primary and secondary. But I think Carol had an eloquent way of saying there is no such thing when it comes to making individual care better. But we have tried to construct this to deal with what Clem has said right out there in front, this is the problem: The selling of data creates a lot of conflict and creates the potential for harm and misuse.
It is really the bad apple problem. So we are going to try to fix the bad apple by penalizing the entire lot, including the very people we are trying to help with the consumers and patients.
Instead, I think what we want to do as this work group and vetting it up to the committee is to find ways of controlling the potential harmful use so that we can basically unlock all of the vast good that both of these folks have talked about. So the only separation -- I mean, a key separation that matters is selling and not selling, because you create this tension and conflict in how you either gain by giving up data or how you may harm by misusing the data.
One way, and it goes partly to Carol's consent, which is another red herring, in the sense that there are so many ways to get around it and not really having consent or notification. One of the instruments we use in research, and it is not that it is executed perfectly, but the whole concept of IRBs is to look at your consent documents and your consent procedure, but also look at the fundamentals and say, is this going to do society more good than the harm to the individual?
In a sense, that is exactly what we are trying to assess. We need to find a policy and mechanisms that allow us as a society to assess that on behalf of society and individuals, rather than using all these artifacts and these artificial ways of separating.
I think it really focuses on how do you control the potential for misuse when there is selling going on. Let's focus attention on that, and try to prevent the harm and the bad apples, rather than shackle and tether all of the good uses of data. So I think their discussion beautifully framed our entire work.
DR. ROTHSTEIN: I want to thank Clem and Carol for such a wonderful overview. It gives us a lot of material to think about. But I was curious that in your overview, there was one major player that is going to have a very important role in all this that you didn't discuss at all, or very little, and that is the physician. Here is my question to you. It is not a question where I know the answer, it is a question that I am really asking for the answer.
What do you think the likely reaction would be of physicians in the following situation? To the extent that we get more granular information about patients -- we have got this information in closed systems for a long time, but now it is going to presumably include all encounters. We are going to be able to make some determinations about the outcomes in treatment for all sorts of conditions by particular providers. And there are legal, ethical, economic, professional, all sorts of implications of getting more information in a provider specific form.
So the question is, in your experience and in your predictions, do you think that such a system is likely to generate some opposition from physicians? Not that that should necessarily stop things dead in the tracks, but it is I think valuable to anticipate what might be coming down the road.
MR. DIAMOND: Just quickly here, this discussion has been going on for no less than 30 years, maybe longer. The thing I would say to you, and we are now working on a response to the AHRQ also on this very issue, the thing I would say to you is that we wrote into our future scenario the idealized state, which is that the physician becomes part of a system where their interests are aligned with what we want from a high performing physician. They use the network in order to achieve that.
Inherently, every one of us who have gone to medical school to become doctors went because we wanted to do the right thing and help people. I think if we get this right, the information system becomes a tool for the physician to achieve that.
Most of the physicians on our steering group have said many times that they would like the capacity to benchmark themselves against other physicians for certain conditions, to learn from that, to understand what they might do differently. We have heard that many, many times in our discussion.
I think the challenge that we have is also an artifact in the way we have gone about quality measurement and reporting. We shorthanded it in Connecting for Health as, you send your data to the mountain, and maybe the mountain tells you something back. In other words, your value from that process isn't quite there. If anything, you might feel like, uh-oh, if somebody gets my performance data I might get penalized for something. But the upside for the physician and the opportunity for the physician to use this as information from which to learn to provide better care, to know what other people are doing, particularly in the ambulatory environment, I think is the whole point of it. And I think most physicians recognize that.
But I do think because we have so focused on data collection and data reporting, and less on how to get that data back to the clinician so that it is of value to them and they can make better decisions, we have created an environment where it is all risk. That is how it is perceived, that it is maybe all risk, and what is the benefit to me.
I think both in terms of a research agenda and in terms of a policy framework, there is a real opportunity to start to understand how information about lots of patients like the one I am seeing today in my office can help me make a better decision. It is not just performance data obviously.
That is why I am encouraging the resetting of the paradigm this committee has done so well for so many years, resetting a paradigm that puts this in the context of achieving a better system, as opposed to enabling data reporting or data collecting, which is the path we have been down for many years. I think it is a missed opportunity.
MR. MC DONALD: I'd make two distinctions. There are two ways physicians will oppose some of this under some circumstances.
The first is when the population at large confuses delivery of data you now have electronically with a new data collection effort. It is very blended now, these discussions. The things that might be needed for some quality things aren't recorded or necessarily known to be recordable at a level that is adjudicable. So that is one set of things.
The other one is, we had this experiment. It was called CHINS. They said, give us your data and we will hit you over the head with it, and the guys never gave the data. So I think you can guarantee that if you set it up that way, you are going to have opposition, and maybe rightly so, because you have got sample size problems, you've got population differences that might not be measurable. We still don't know so many things. In an inner city you are going to have low usage, more than you do out in the suburbs. It all has to do with social beliefs. You can't get people to use vaccinations, they think there is something bad about them. So there are all kinds of issues.
So I would argue, don't do that part starting out. Do the part where it is clinical value and clinical purposes, and it wouldn't be used to do comparative stuff, at least until we understand the game of comparisons a whole lot better, understand what is really feasible. Otherwise you will get a repeat of the CHIN thing.
On the other hand, docs love data, they just love it, and getting more data about their patients and all the rest. But it really depends on who is using it to hit them over the head, and if they are just mean people that like to hit heads or if they are being correct about it.
DR. ROTHSTEIN: I think it is probably going to be hard to keep some payors and regulators and licensure groups, et cetera, from wanting data if it is out there. If it can be accumulated by these groups, then what is the effect likely to be on physicians.
MR. MC DONALD: There are issues. Mark has got this delicate balance where all the players are participating. But I think you have to be careful. We don't have anything now. We have nada, except for a couple of brilliant places. But let's not make it so hard.
You ought to probably talk to the people from Denmark. They have all kinds of databases. Ten or 15 years ago, the only way you could look at a database, you had to give up your first-born child as a hostage to the government for three years. Then you had to go to one room, and they would strip you of all your papers and pens, and you would go look at a terminal. But now it is very freely used.
I asked, how did you get to that point? Well, it worked, no one did any bad things, and good things came out of it. So any researcher can get to the 3,000 databases fairly easily now in Denmark, and they are doing quite interesting things.
So we have got to get an example out there that shows these benefits that gets us over that chemical barrier, and not set it up so that it can't work because we are trying to give everybody their access. I wouldn't give it access to everybody, for lots of reasons.
MR. REYNOLDS: We are scheduled for a break right now, but we are going to continue this questioning since we have a little more time at lunch. Kevin?
DR. VIGILANTE: Thanks for the great presentation. I had some thoughts about the separation of primary and secondary use and some of the other things on a philosophical level, but maybe I can get just a little more practical and granular for a second.
On the one hand, Carol, you are saying that we should view this data as all the same data, as expansive and connected and should be available and connected quite freely, because you don't want to separate, whether it is about antibiotics and pneumonia or cardiovascular disease.
On the other hand, the consent constraints you talk about are very targeted, limited, tailored. How do you reconcile those two objectives without having some sort of blanket consent or having to have so many consent interactions that it becomes eight million gnats buzzing around the patient and the doc? That is one group of questions.
Then, when you make the pitch to the patient to give consent to enter into this sharing, who makes that pitch? Is it the doc? Is it my doc who I go see every day, in whom I have the most trust, and is the person relinquishing the clinical data on my behalf? How do you envision that?
MR. DIAMOND: The reason I raised the consent issue is that I worry that it will become the issue, the only policy issue. I think if that happens, it might actually work against some of the other policies and technologies that could be enjoined to create a trusted environment. It almost gives an excuse. You have consent, you have obtained consent.
So I didn't raise it to say this is how you obtain consent for all these various uses. I raised it to say that consent is one issue that can help to protect the patient in the milieu of other policy issues, like limiting what is collected, like using only the data you said you were going to use for the purpose you were going to use it, like thinking about access.
DR. VIGILANTE: Can I interrupt you right there? So if I am saying I want to improve my clinical capabilities to serve you and other patients in this community better, how would I limit it? I want diabetes stuff, I want testing stuff. I don't know how I am going to use it.
MR. DIAMOND: I'm not saying you get access to the data. I am saying you get access to information. Clem was talking about one-way hashing as a way to link data without -- you were using the nurses health or Medicare data, I forget which one you used, women's heart study. If you want to link those two data sets, the way it is done now, as Clem said, you go to the IRB, you get approval, you write this big thing, you try to go through all the requirements, and then you move one big data source into your database and you do all the sorts to try to work it together.
What we are suggesting, and the frame I am trying to put out there is that in a networked environment, you don't necessarily always resort to moving the data. There are ways of linking information that don't require exposing the data. Much of what we need to know about what works and what doesn't can be done completely anonymized. If we had real information about those things, they could be applied to the point of care in a way that you don't get the data.
You are not looking at everybody's medical record, but you are getting the benefit of that information. You are getting the opportunity to apply what can be learned from other patients who might have had a similar course or a similar disease. Does that make sense?
DR. VIGILANTE: That makes sense to me, but I am trying to get to the point of where I come to see Mark as my doc. Now he is going to be collecting clinical data on his EHR on me and lots of other people. It is from that data that you are going to learn ultimately that this antibiotic B is better suited for this particular strain of bacterium than the one I would usually use for pneumonia. It is his information going into that data bank that is going to be used, whether that is diabetes care or whatever it is.
So that interaction about him sharing my data that is collected in my cubicle where he and I interact --
MR. DIAMOND: Which happens today. That is how we figure out what drugs work and don't work, or what public health worries you might need to have.
DR. VIGILANTE: But it is often in the context of a study that has gone through an IRB, as you alluded to before. That information stays in that doc's drawer today.
MR. DIAMOND: But if there is research being conducted on that data, --
DR. VIGILANTE: I'm saying, now there is not. Now it is just a matter of course that it is collected in its future imagined state. Who talks to me and makes the pitch to me that that is going to happen? I'm not saying this to be challenging. I am trying to understand how this works.
MR. DIAMOND: Who educates you about --
DR. VIGILANTE: And how do you comply with your objective to keep consent fairly tailored?
MR. DIAMOND: In our model, in the common framework, one of the reasons our network is decentralized is because we want to keep the data with the person who has the relationship with the patient, the identified personal data. That was the whole policy driver of decentralization. Not just because collecting all the data in a central database necessarily might create a larger privacy breach, but because as you said, the patient's trusted relationship is usually the person who collected that data about them.
So in our model, it is through that physician, through the person from whom your data was collected, that that conversation happens.
Now, in every system this works a little bit differently. Of course, the problem you have with health care is, you try to have one size fits all conversations. It is different for a doc in a small practice, versus if you come to a large integrated delivery system versus if you come to Regenstrief. It is different in all of these settings. So obviously you have to make those determinations.
But the opportunity to participate, and the opportunity to share even anonymized data, as we see in many of these surveys, is something that patients understand and want, and realize that there are benefits from. I think it is our job to create a structure and the policies and the framework that enables them to trust that that will happen the right way, and that it won't be misused.
MR. MC DONALD: There are a number of points here. Firstly, the current HIPAA rules are just right, and I worry that you are suggesting that we change those. You don't need consent for anonymized -- the other thing is, we know what deidentified data is. It is defined legally. I don't know what anonymized is, so I stay away from that word a little bit.
The second thing is, I hope also that we let a couple of flowers bloom, if not a million, and still allow centralized models in regions or locations, because you can make them work. Let's let them all work and see what works.
So I guess I would assume that you don't have to have consent to get into some pockets of this data sharing, if it is for clinical care, which would solve your problem of who does the selling.
I think also, if the providers have some say in the rules about what you get to do with the data, because they have interests as well as the patients, I think you would prevent some of the things that might go haywire.
MR. REYNOLDS: I think Justine has a followup to this discussion, and then it will be Simon and Steve, and we will cut it off.
DR. CARR: I just wanted to make the comment that the example you gave in the beginning of the VA patients who were comfortable with their physicians providing their information to the researchers, just underscores the trust. Similarly the experience in Denmark. I think trust is really a very key fundamental in that discussion.
MR. DIAMOND: Agreed. And they trusted the VA researchers more than other categories. We asked them about a lot of different categories.
MR. MC DONALD: The thing about the one-way hashing, the way I had it was not necessarily the same model. The one-way hashing is just a way to avoid having to move around the registry data. But typically, in the models I am talking about, both sides know who the patient is, so they end up inheriting knowledge and additional facts about the patient when they connect. But it does make life easier.
MR. DIAMOND: You need all the underlying granular data.
DR. COHN: I think like all the other members of the committee, I am very appreciative of the fact that you both have come and talked to us in our first session. I think it has been helpful and certainly very thoughtful.
Carol, one very quick question, and then some longer questions. I noted that the documentation you have describes this as draft. Can you clarify exactly where in draft? I think you had indicated draft framework.
MR. DIAMOND: Oh, this first principle?
DR. COHN: Yes.
MR. DIAMOND: This is a reflection of where we are with the steering group. We have had some discussion about them, but they are not final. We are still tweaking them. They will probably stay as these nine principles, but some of the underlying language and some of the concepts in them have either been suggested, we punctuate or edit or what have you.
So I just wanted to indicate that this isn't a final published set of principles. This is still in the feedback stage.
DR. COHN: So likely during the course of our deliberations over the next month or two, things may become final?
MR. DIAMOND: Yes.
DR. COHN: Okay, great. I had two connected questions. Number one, Carol, Clem almost asked you the question about, is HIPAA a good foundation, and if so are there some further clarifications or guidance or whatever that may need to come around HIPAA. So that is a first question for you.
The second question for both of you is this issue of trust. I agree with you about putting an emphasis on trust, since that seems to be what makes the world go around in this one. But how do we imbue the system with trust? You sit next to a person who did it in Indianapolis. I don't know whether it is a cult of personality or whether it is reproducible. Certainly I trust Clem and I trust Indiana University and I trust Regenstrief. I just don't know exactly how that moves beyond what I am seeing in Indiana. Despite all our conversations, most of these examples appear to be more in their infancy than they appear to be trustworthy institutions.
So the first question about HIPAA, and the other question about trust.
MR. DIAMOND: Can you say your specific question about HIPAA again?
DR. COHN: Clem indicated that he felt HIPAA was a good foundation. He would like to see a couple of further clarifications or guidances around it. I think you said -- I'm not sure exactly what you said in terms of whether that was your framework also or whether you felt there was a need to go back and do some fundamental rearchitecting. So I just wanted to better understand that.
MR. DIAMOND: In our work in Connecting for Health, we don't have the luxury of dreaming about setting new regulatory frameworks or laws. When we did our work, we said, HIPAA exists, let's assume it is there and implemented and enforced. We have state laws and they exist, and let's assume they are implemented and enforced.
When we developed the common framework we said, what is it that needs to be done. At least for the common framework, we felt the need to do two things. One is say very clearly -- actually, three things -- very clearly what the principles were that should drive information sharing. HIPAA was created in a time that we weren't envisioning a network of networks for health information. So we said, what are the principles that need to drive our thinking there. We developed that set of principles looking at sharing of information.
Then we said, what are the policies for information sharing that should be elaborated? Because HIPAA doesn't go into some of these issues, doesn't tell you about how to handle notification or how to handle policies for breaches or what they should be or what have you. So we said there are some policies that should be specified for health information exchange as a framework for thinking about these things.
The third thing we said was, again, maybe because we were coming from a place where we didn't envision having any authority, we said, if people agree to these policies for information sharing, they have to be bound by them. So in our model they are contractually enforced.
The entities who share information say we will agree to these policies and we will write them into a contract. So if someone in your system does something bad with my data, I know what is going to happen. That was our approach to saying, let's start with the world we have, as opposed to dream up a new one.
But I think there is no easy answer for this question. I think it is something the committee should seriously deliberate. Even in the existing environment of HIPAA and state laws, as I think has been said before in this committee, there is still a lot of confusion about what any of those things mean. I think the more this committee and others can elaborate models for implementing or placing those intended policies into practice, I think the more benefit there will be.
MR. REYNOLDS: Is that both your questions?
DR. COHN: I think I was looking to Clem to tell us whether the model of trust that he sees in Indiana, is it really Clem, and Mark having been mentored by Clem. Mark, I hope you don't take offense at that comment. What do you think in the world of trust?
MR. MC DONALD: If you live in it, maybe you don't know for sure, but if one thinks in terms of smallish, the organizations that are the major holders can find a way to live with each other and with their patients, I think that model could work out in a lot of settings.
I think Memphis is doing an analogous model. Ontario, all the pediatric hospitals and major pediatric practices are doing the same. They happen to be centralized databases also, those two or three that I know about.
So when you start saying we have got a federal this or a statewide this, it gets scary, because they didn't do so well with figuring out the real state taxes in Indiana this year. They doubled them. So we are going to try to pay you back in six months because we didn't mean to make them go that high. So that doesn't give you a good trust model. But when you have five hospital systems or ten hospital systems and that is where people go to get care, they cut them and stick needles in them, and they are used to living with that organization. They can agree on how it will operate. I think it has a good momentum.
So the idea of having model agreements is good. I think that Regenstrief has publicized their contracts.
MR. DIAMOND: Absolutely. In fact, our model agreement is based on taking the best of the pickings.
MR. MC DONALD: There are details. You do have to make sure if you give them their data, that that employee gets the same punishment as your employee. Otherwise you have got no agreement. But it isn't a HIPAA invasion. I hated that, when I read that 1500 pages when I was on the committee.
There was this network of networks proposed, the NCVHS proposal for sharing data. So I think there are ways to do it. It has got to be consenting adults, I guess.
MR. DIAMOND: We used the term in our work that the network is built on a radius of trust, which is to indicate that there has to be some starting radius of trusted participants, that you can't top down enclose it.
MR. REYNOLDS: Steve, last question, then we will take a break. The other thing I would mention to others, I know I had some questions and I'm sure others did, remember, we are going to be accumulating this. So everybody that speaks, we are talking about the same subject. So continuing to bring forward your thoughts and your questions as they build, so not so much we just get them to one set of people. I am having to keep that in mind also.
MR. STEINDEL: Harry, I'm going to be very brief. Two things that I have observed with NCVHS. First of all, when we get together and we think about who should address us, we picked two as we thought wonderful people to set the stage for this. Like everyone else, these were marvelous talks.
The second was going to be my question, but when you wind up last on the question list, it turns out that everybody has asked the question that you thought of. That question was centered around trust. I think we have heard that a lot around the room as a theme that we should start thinking about in this area. It extends into the relation of how we move this forward from a consent point of view to a trust point of view.
It even addresses some of Clem's comments on, the selling of data is bad. I think a lot of us would be willing to sell the data if it is used for good things. So it is a matter of trust. So I'm not going to ask my questions because I think everybody else did, and I thank the presenters for their wonderful stage setting.
MR. REYNOLDS: With that, thanks again, really excellently done. It kicks us off to where we needed to go. Now you get to leave and we get to stay. Thank you very much.
It is 11:05. Back at 11:20. Thanks.
(Brief recess.)
MR. REYNOLDS: In the second group of the morning we are going to hear from Lynn Etheredge and Janet Marchibroda is going to be sitting in for Emily Welebob. So Lynn, if you would go ahead and start? Thank you very much for joining us, and we look forward to your comments.
MR. ETHEREDGE: Thank you very much for the invitation. I think for those of us who have thought about data policy and its uses, this is a particularly exciting time to be holding this workshop.
Just to give you an example of how large data systems and their uses for public policy and clinical research are beginning to enter the policy arena, I point to the new FDA legislation, S. 1082, that passed the Senate 93 to one, that mandates FDA create a national data network of 100 million patient records for research on clinical safety issues.
I noticed just last week, the companion bill, H.R. 2900, passed the House of Representatives, 403-16. So that also has these large data system requirements. It also requires HHS not only to come up with a plan for how it is going to implement getting 100 patient record database contracted for, but requires HHS to develop plans for insuring the confidentiality of the individual patient records and reporting to Congress on it. So I think the base you are laying with this workshop over the next three days is going to be very important for the Department, but also for national policy.
That underscores the theme I want to talk about here, which is, we now have the technical capabilities Clem was talking about this morning to use patient records that are already in electronic form in ways to address a huge number of very important questions, 95 percent of which we could address now but we are not doing. I specifically want to talk about an architecture or a concept that essentially says we should get our act together and start doing this, and create a national data system for clinical research and talk about its development and some of its uses. I hope that will help serve the committee here, at least give you a background from someone like myself, who comes from health policy and Office of Management and Budget, to attempt to manage a number of government programs.
Specifically, I am going to try to address three subtopics here. One is this concept of a rapid learning health system. I won't say too much about it in specifics, but I did want to alert you, if you haven't seen it, to two recent reports, this one from a few weeks ago from the Institute of Medicine, the learning health care system, which is all about how to use clinical databases for research. It is a very important investment of expertise by the Institute of Medicine. It is just one of a series that will be coming out. Then the March-April issue of Health Affairs on a rapid learning system, which also addresses many of these issues about the uses of large databases and how we can use that to advance clinical research and for many other purposes, but particularly clinical research, in ways that we have never been able to do before with paper records and fragmentary data systems.
Secondly, I am going to talk more specifically about some of the uses for these large databases that people have been talking about. That is to give you more of a conceptual model of where one might need to go to individual records and where being able to deal with large data group averages or predictive models that use statistics based on large databases will work.
There is a whole series of uses that may need to be thought through, particularly with the FDA legislation. The FDA legislation for safety research, when you see a signal of a problem, you have got to go do some more research and find out just what was going on with those patients or what other factors might be going on. So there is going to be some need to go back and forth and develop risk mitigation strategies, which the FDA doesn't do now, it is either yes or no, but the requirements of the law are for risk mitigation strategies and use of prescriptions, and that requires a whole new realm of research and uses of data to find out who is at risk and for what.
Finally, I will wind up with a couple of slides that talk about this broader framework for how you might pull all this together into a national data system, because what we have right now is an explosive growth, I would call a spontaneous combustion. Pluralism would be too modest a word for the chaos that is developing. But as everyone gets electronic health records and does electronic health records databases, there are lots of uses and lots of things that are happening, and will continue to. So what I would think of as a system I think could use a mild amount of public policy as well as public support to try to get the most benefits from it.
When I am talking about a rapid learning health system, I am focusing more specifically for this discussion on thinking about a national process that uses the computerized EHR databases. There are other databases, but the EHR databases, to enable real time learning from tens of millions of patients annually. That is somewhat visionary, but as I want to show you, we are fairly close to that reality right now.
This would be a very high potential research environment. It is very different from the environment we have always had for clinical research. Clinical research has usually been held back because it is a very data poor environment. If you are a researcher, the first thing you have to do, if you have a question you have to apply for a grant. If you get the grant you spend three years collecting the data, or your research assistants do, or the lab does, and then you start to analyze the results. So there is a long lead time between idea and research data, and being able to find out whether what you are thinking about is true or not, or what insights you really have.
The biggest part is trying to get the data, and that is expense and time. With these large research databases of curated data that is already in place, one can see that research could be done quickly and inexpensively, maybe not at the speed of thought, but certainly before anyone who would invest five years and five million dollars to go do a randomized control trial, you would send a research assistant to look at the database of ten million records of people who already have conditions or reports on things you are interested in and see what could be learned from some of the databases, and what hypotheses you could test that way.
So if we are thinking about this as a national goal, a good system has to have a goal; one goal, one system. I would suggest that if we are thinking about a rapid learning health system, we could have a national goal of learning about the best uses of new technologies at the same rate that the health system produces new technologies. That may sound like a simple goal, but it certainly applies to everything you are going to be discussing in the next three days, and much more. It is a very different system than the one we have now.
In fact, today medical knowledge and technology is advancing much faster than the clinical evidence about how to make the best use of them. So while the advance of clinical basic research and products is fairly fast, advancing the evidence of clinical care is a relatively slow process, and expensive. That is unfortunate, because the technology use is our major cost driver.
One of the reasons is, we have had to rely on the randomized control trial, which is a very important powerful tool. It has been the gold standard and probably always will on some of the important research, but as the IOM says, it takes too much time, they are too expensive, and they fraught with questions of generalizability.
Are there ways in which we want to expand on it? One of the reasons we want to do that is because the current evidence base built around randomized control trials leaves a lot of inference gaps. This is Buzz Stewart's concept here; the inference gaps in the evidence base for clinical care. What he is referring to is, most of the randomized control trials are on younger populations carefully selected for a number of characteristics, single diagnosis, brief study periods.
They leave out the typical patient. The typical patient who comes to the physician's office doesn't look anything like the patient who is in the clinical trial. A lot of what doctors do mentally all the time is trying to figure out how to translate between the few studies they have and the actual patient in front of them. This is getting worse as the population ages, and it is increasingly a baby boom senior population with multiple diagnoses, multiple medications and so forth.
For public policy making, if I can put on my OMB hat for a moment, this is particularly a problem at the federal level, and some people are beginning to be aware of this. It is the Medicare and Medicaid populations that are largely excluded from the clinical trials databases. It would help if one paid for participation in clinical trials, I would say, but it is the aged, the disabled, kids, pregnant women, who are mostly 85 million enrollees who we have the weakest evidence base for. The federal expenditure on that group is $600 billion annually for Medicare and Medicaid, $3.5 trillion in the next five years, and eight trillion in the next decade with the prescription drug legislation. So it may be about time to invest a little more in finding out what works and what doesn't work about medical care and how to deal with these several hundred percent variations we find in the use of most procedures and the continued rapid growth in new technologies for which we aren't collecting much evidence.
So if you want to think about users, I would put in federal policy making is increasingly a group that we would like to have some answers for the clinical research databases.
Let me wind up this overview here about the needs with some things we have already mentioned. First is, and you will hear much more about the major areas of medical care like quality and outcome measures, evidence based guidelines and performance reporting. There are a host of groups that you will be hearing from that are trying to do this, but it is just an indication that we don't have those measures yet in much of medical care, of how hard it is to do good clinical research and pull our act together nationally to do things that are very important to do.
One of the major reasons that is addressed by these new databases that I'll mention is that today's clinical research databases are typically small, unique, specialized, very difficult to find, access and use. They are non-comparable and frequently proprietary. In fact, researchers build their whole careers by getting a grant, and it is their database and their use of it that is where their whole careers and labs are built around.
The problem here for an economist like myself is what we call the economics of the common, which is, if everyone acts that way it would not make sense for an individual research group to make all their data available publicly, because they would lose whatever advantage they have in getting grants from that, but they would get nothing back. However, everyone contributes to that in a common database, every researcher and research group gets back a hundred fold or more in terms of the data that they could use to advance their research. So from a system wide perspective, this requires a systems approach, even a public policy approach, to organize it. It is not something you can expect people to get to operating out of individual self interest.
The most discouraging part of today's system, the last point I would make here, is that much of what we could learn from individual experience of tens of millions of patients each year from our two trillion dollars expenditures is now lost. In contrast, one example would be pediatric oncology, which for years has recorded results of individual patients back to the professions, and has had enormous successes in advancing outcomes of treatment versus Medicare cancer care, where most of the cancers occur, but where most of the data that is there and could be mined for learning is lost, because no one ever collects it. It winds up at best in building records someplace or not even recorded.
But we are beginning to see well beyond the beginnings of a new national capacity for rapid learning of these kinds of databases. At the moment, it is focused in integrated delivery systems, Kaiser Permanente with about eight million patient records, and they will have ten years of records from bringing in some of the legacy systems and adding genetic information. Geisinger, also adding genetic information, three million patient records, and the VA, eight million records. So compared to the normal clinical trial of a few hundred patients or a few thousand patients, we have very large resources here that could be investigated.
It is not just the individual organizations that have research capacity, but these research networks or virtual research organizations as they are sometimes called. Most important right now is the HMO Research Network, which has 15 HMOs, about 20 million patient records. The federal government is already contracting with those research networks for studies across organization lines, most importantly, the cancer research network of the National Cancer Institute and the vaccine safety data link funded by CDC.
As you look forward, you can see a case to be made in sponsors and databases for a rapid learning system that would have lots of different ways of organizing it, all legitimate, by enrolled populations, by disease registries and health conditions, by new technologies or other technologies of interest, by geographic areas, by seniors, by kids and other age cohorts and by special populations like special needs kids and people with disabilities.
In the eventual world we are talking about, where everyone is using the same data standards, all these data can be interchanged, so it doesn't really matter where you initially collect the data or begin to organize it. You can mine or organize it in different ways.
So that is the broad concept of the base that is already starting to develop. Let me now mention a few things that have been happening mostly in the last few months that are really beginning to power a broad appreciation of what these potentials are and how they might be used.
I mentioned the FDA sentinel network legislation. H.R. 2900 passed the House 403-16 last Wednesday. If you want to know where the 100 million patient records comes from, maybe 25 million of that from the HMO Research Network. A lot of it would come from the commercial and Blue Cross databases. Most of these large insurers have databases that have diagnosis, prescription, lab test results, procedures. They may not have the doctor's notes, but on things like prescription drugs and adverse results, which is the way they would begin to be used, you have got a whole lot of data there that is being pulled together into large databases already and would probably be part of the FDA network.
AHRQ has a $15 million budget request for developing new rapid learning networks. A very important result I am particularly pleased with is Archimedes that David Eddy has developed as a predictive model. Robert Wood Johnson has decided to fund that as a national predictive model system to be available nationally. That would allow people to take their own databases on their own populations and feed these into a very rich biology based predictive model to see how different interventions would work with their populations.
You will soon in a few months have a American Heart Association study looking at 14 different interventions to prevent heart attacks in seniors. That is the kind of thing you can do in a predictive model that I think is going to be very important, and that will be announced in about two months.
One of the things that is very important about this model is that it brings clinical data and basic science together in very different ways. Medicine is almost unique in using the randomized control trial to advance science. Some very good sciences like physics and chemistry use predictive models built out of careful experiments, and then go and see how well that predicts their world. If it doesn't predict well, you go back and you try to do more experiments to figure out how you need to adjust your science base and your models.
What Archimedes and similar models allow us to do is bring that way of learning and advancing basic science into clinical research. So what David has done is built his models out of randomized clinical trials out of the hard science. He will then be able to take all these different large databases that we are developing and make predictions about what we should be seeing, and we can see if that works. If it doesn't, at least for some populations it may give us clues that there are some very important places to develop our understanding of basic science.
Increasingly, I think we will actually start doing research to fill in the gaps in our ability to predict these kinds of mathematical models. This happened in economics, which is my field. I came in when in the late '60s, early '70s, when we had the first major predictive model of the U.S. economy and the thousands of databases that the federal government built around economic statistics. Fairly quickly the discipline moved to saying whose model is right, because different models get different results, then you can start conceiving of what data or what research would tell you who had the better conceptualization of measures.
Finally, this is very important for those of us in health policy in historical terms, ways and means, how the first hearings in living memory on clinical comparative effectiveness studies a month ago, and both Medpac and CBO testified in favor of it. So there is beginning to be very high level awareness that we need to and can move forward to evaluate clinical issues much more for these issues.
I am going to speed up a little bit now in the interest of time. NIH has got a number of things going from the cancer research institute. CMS will soon make available, we hope, this new integrated research files with 45 million people with all of their patient level data for Part A, Part B and the new drug data. The EPIC users group has held a meeting recently with its user group federal agencies.
What makes a lot of this rapid development possible is that EPIC has about 50 million electronic health records users already, so not a lot of EHRs in patient offices, but in the large group practices, the HMOs, it is already a well established base. We can move ahead fairly quickly.
I think you can tell from what I have sketched out so far that many things could change quite rapidly about research and clinical research, methods, organization, financing, collaborations and users.
Here, I just laid out a range of uses that people talk about for these new databases, some of which evolved through researchers or government officials being able to go back on some cases from a de-identified database to look at the individual records. It is graded in that order. FDA wanted to go back to these firewalls and find out things about patients who have adverse effects and try to figure out risk mitigation strategies. Genetic research, integrated trials. You need to know things about subgroups of the population that have certain characteristics that predict they will have heart attacks or seven other different diseases for example that D-Code in U.K. have talked about in the last month.
Heterogeneity results is quite typical for most treatments. They have a wide variation of effectiveness. We don't know for most clinical trials who is benefiting and who isn't. Again, that requires a big database and being able to then go back and find subpopulations that are doing well and not doing well and try to understand their differences, and so on through predictive models.
We can get more into this if you want to, if it is of interest to you.
Let me wind up with three slides here on the idea of this national data system for clinical research. I think that is where all these pieces are adding up toward. They are all easily conceptualized. It is pieces of new data systems that allow us to advance clinical research in other related areas much faster than ever before, and it is useful for public policy to talk about this as our unique opportunity that we now have because of our technologies and out databases. This is where I think public policy can make a huge investment and big impact.
First of all, you can tell from the rapid learning paper and some of the discussions in the IOM, I would give one priority as developing a national system of rapid learning networks, however one wants to organize it that cover all diagnoses in patient subpopulations. A major gap right now is the Medicaid population. We can find statistics from Medicare at Kaiser, the VA has lots of senior citizens, chimerical insured populations, a lot of special needs populations at Medicaid are ones that we don't have good databases for yet, so that is something we particularly need to develop.
Obviously we need some standards for certified research databases and registries. AHRQ has just issued a report on that. We should use these for most clinical research and to develop the kinds of evidence based quality outcomes and measures that we are lacking in so much of medicine.
To support all the missions of HHS health agencies, each of the separate agencies in HHS have their own missions that could be facilitated by having data networks working with them. I think that is going to be a key component of thinking through federal policy.
National systems, comparative effectiveness studies of new technologies. Again, I think this is fairly easy to do over the kind of evidence development policy that Mark McClellan put in place at CMS. When a new technology comes to the market we could require reporting to EHR type databases, research databases, and then periodically reassess what we are learning about these technologies, so we learn as much as possible as soon as possible about their best use of real world data, and feed that back into requirements for more practical clinical trials and other research.
Finally, I would put out for discussion, I think there is a -- if you really want to advance clinical sciences as rapidly as possible, I think we need national databases for clinical research. That wouldn't necessarily be the whole country, but it would be a good size. I am thinking of the economic databases that we built for Commerce and Agriculture, thousands of databases, actually, that would draw from existing databases, from other sampling and from research. They would be like the Human Genome Project, and try to take advantage of that dynamic. We create an international true evidence base, not just Medline, the studies, but a real evidence base for clinical care, of well curated data, deidentified, that would invite anyone who wants to, all qualified researchers and others, to begin to use that and to see how many insights they can develop and to work together.
By open access, I don't mean access to individual patient records by anyone. You would set up this database that doesn't allow people to read individual records, doesn't allow you to download individual records. The search software doesn't product subgroups smaller than two for analysis or whatever that number is.
To conclude, I put that on the table. By looking at all these pieces that are coming together and what everyone is working on, that is what we are evolving toward. I think it is now time to start thinking about what are the missing pieces of that, how could we make all these resources work well together from that national systems level.
Finally, the final slide is missing, but in any event, I would just summarize by saying we have a lot of potential here, and we are going to have to have a lot of public and private collaboration to advance clinical care as rapidly as possible. That includes rapid learning networks for all diagnoses, a system of comparative effectiveness studies, and then these national databases for clinical research.
I am looking forward to the discussion and to what Janet has to say.
MR. REYNOLDS: Thank you. Janet?
MS. MARCHIBRODA: Good morning, almost good afternoon. Thanks for having us. We are pleased to be here. I applaud this committee's leadership and focus on secondary use of data.
You are probably expecting to see Emily Welebob. She plays a key role as project director in two projects I am going to reference today in providing some insights to you, one around the development of a blueprint. She in particular supports the blueprint committee on improving population health as well as a demonstration project that we are in the midst of launching as we speak around the use of clinical data for safety surveillance purposes. She had oral surgery yesterday. Is that a privacy violation? She asked me late yesterday to speak on our behalf, so here we go.
EHI, just some quick background information, is a nonprofit group. We are based here in Washington, D.C. We represent multiple stakeholders. These two slides about EHI I think are relevant to the testimony, in that we bring together physicians, health plans, employers, those responsible for public health, all the different consumers, actors in the health care system that have great interest in the issue upon which you are focusing both today and tomorrow.
In addition, recognizing that work around moving this agenda couldn't just happen inside the Beltway, that you really needed to get into the field, we made a very strategic decision about three years ago to reach out and build a coalition of communities, most of them multi stakeholder, collaboratives that are also thinking about mobilizing information not only to inform care delivery but also looking quite seriously at secondary data use for a whole host of issues around population health.
I am going to draw upon three particular projects in providing insights and answering the questions that you laid before us. The first is an annual survey that we conduct. The second is the blueprint that I referenced. The third is the collaboration that I will talk a little more about, that is going to do some learning on the ground about how one does this and how one does this appropriately. Draw upon particularly, as we think about the benefits and the trust, and some of the things that you talked about this morning, some research findings from our work around value and sustainability, particularly at the local level, some research we did with consumers, and then finally lots of conversations with folks on the ground that are trying to make this work. So those six things will feed into our insights.
I drilled down with one slide on each of those to give you some perspective on where they come from, et cetera.
The first is a survey. I am going to share with you some results from our 2006 survey. It touched upon 165 collaborative efforts in 39 states and the District of Columbia; D.C. was in there, too. Data just in. I am going to give you some 2007 early looks at the data, but know that they are not fully cleansed, and by the time that your work is done, I will be able to update those numbers and validate that those indeed will go in the final report.
We asked a lot of questions about, what are you doing, who are you doing it for, how are you getting paid and what are your policies for information sharing. So I am hoping this data will be very helpful to your committee as you conduct your work through October of this year.
The second, I think this was really important. We spent about six years, and we weren't ready. We checked in two years ago, are we ready to put a stake in the ground about how we see this world, how we see a transformed health care system using information and information technology. Our leadership decided in December 1 of 2006 that there was enough churn in the system, we had learned enough and we were ready.
So we launched a blueprint process. This will be released formally. I have provided some draft principles in this document that need to be approved formally by the organization and the board on September 11, and then can resubmit as a formal document.
It is led by our leadership council, again representing every stakeholder in health care. I want to say in particular, in going through all of this work, to comment groups like Connecting for Health and the AMIA project which you will hear about tomorrow, and the many works that are out there. We drew upon heavily that work. I think in the last six months or so, and even last year with the consensus conference or the expert panel that AMIA had, a lot of really helpful insights into our blueprint process and the work that we will do on the ground in the learning lab.
The blueprint is going to cover five areas. I thought I could just pull off one of them and give you the principles, but what I found in working with our chairs, and here is a list of the five areas covered by the blueprint, we tackle issues around trust and secondary use of data in nearly all of the blueprint committees. So I think as you complete your work, what we would like to do is submit all of the principles, because they are interrelated, whether it is about the consumer piece and the trust piece, improving population health clearly. Even on the incentive side, John Glasser and Alan Korn are grappling with their committee on financing as well as managing privacy, confidentiality and security. So this process is kicking off.
Then the final, and we are just in the beginnings of this, and I can give you some insights so far, on a cursory look at HIPAA, the privacy rule and some of the other regulations that we have looked at. We are kicking off a collaboration that we hope will inform your work and inform the policy dialogue, and help other communities across our country think about very carefully and thoughtfully the use of secondary data.
In this use case, we are going to take three safety related use cases and test them on the ground in two very advanced stage environments, and figure out questions like, is this feasible, is this better than what we do today, how we conduct -- and you addressed some of the FDA issues and the legislation; does this work better, is it more effective, is it more efficient, do we get better results.
One of the interesting components was how this connects with the clinician on the ground, I think one of the great interests of the FDA in moving forward.
The result of the project won't be just technical guides and interfaces, but we are spending a lot of time looking at the governance issues, the transparency issues, how do you do this both nationally and locally in a way that builds trust, leverages social capital on the ground, and enables this to happen in a way where all those are raised. We are also going to tackle -- I am thinking about your work, and we are building model agreements for how one would do this in different markets. All of this will be placed in the public domain as well as guidance documents about how you look at the different rules and regulations and apply them. So it is more of a practical on the ground initiative.
Here are some of our metrics of success. The public trust component is probably -- the technical part will be hard, the legal part will be hard, but it is the trust piece that is the most important and something that we really focus on throughout this project.
So answering your questions. We started out with a long slide deck and provided some data points giving where we are in our system, in our various work processes, that hopefully will inform your work.
The first is, now these aren't IDNs or hospitals, these are these collaboratives. I talked about the survey. Three years ago, most of them were just providing data to support care delivery, but clearly there is a movement -- again, the '07 data is draft, but more and more of them are looking at using the information through the exchange for areas other than direct patient care. I won't read these to you, but you can see particularly quality performance reporting and improvement, that is very much more on the radar screen, both nationally and locally, and continued focus on public health. The numbers are not going up. We are still analyzing the data and pulling together the findings.
The other thing we asked these multi stakeholder collaboratives is, what is hard. No surprises here; the sustainability issue is really hard. That relates to another finding I am going to share in a minute around secondary data use, but still addressing the privacy and confidentiality issues, are complex and difficult. It gets to some of the actions that I think are needed in response to the questions that you have laid out.
You can see that perhaps with addressing privacy and confidentiality, they are at a more advanced stage, and they are realizing how much more difficult this is, much more so than they would have answered in 2006.
Addressing your question around providing context, enablers, things that will facilitate restrictions. I just offer some of the work in our work under a shared services agreement with Bridges to Excellence. It looked pretty hard at 90 measures, developed a series of measures with the American Board of Internal Medicine, and through a study which was recently published analyzed both quality and economic impact of various performance measures.
Here is a short list. There is a longer report that you can access, but guess what? Measures with the highest clinical and economic value, we are not going to be able to get there unless the work of this group, the work of other groups and our movement towards grappling with the policy issues around secondary data use happened. As you can see from a number of these measures, they do require data that doesn't fit in claims databases, but actually emerges through the care delivery process and the record.
Speaking to your first question, and I touch on a lot of projects in a short period of time, you asked again about enablers, drivers and restrictions. We just finished a rather substantive project. It was funded by HHS, by HRSA, where we looked pretty closely at this notion of sustainability. Remember that was one of the biggest issues that we are grappling with the round in NHANE and the network of networks.
So we put together a group of economics experts, business financing and health care experts, and took a very close look at three communities, in Cincinnati, Indianapolis and Hudson Valley. This is what we found. I tried to take a 478-page report and put it into one slide, what is the upshot. The takeaway for you is, sustainability is possible, and we will get there in a subset of markets using the transactional models that made those three markets successful. But in order to have widespread sustainability of health information exchange across the country through an NHANES, with the data elements that are needed in order to transform the health care system, we are going to have to move to a stage two model for these initiatives. A stage two model will require secondary use of data.
So we have got to figure this out. I will tell you, many of these markets, the timing of this is really important, because some markets are moving ahead with data use agreements that will restrict the use of data for secondary use, because they are nervous, they are not sure how to interpret the rules. There is this whole need for education, conversion of this really hard stuff, and they perceive it as hard and complex and difficult in the guides that normal people on the ground understand.
In the absence of that, they are saying, we will think about it later. Let's just get this data flowing for delivery purposes. So I think this is going to be really important as we think about the U.S. health care system needing to make this secondary use work.
Some final points before I close, as I was thinking about enablers and restrictions. We did do some research, public opinion strategies down in the Gulf Coast. Conducted some focus groups with consumers, with employers and with physicians, and we also conducted a phone survey that we wanted to get a sense of, did health information exchange freaked people out, how do people feel about this notion of mobilizing data electronically and the use of their data for care delivery purposes and other purposes.
What we did find is, their response to the term -- and we can provide more background -- was relatively neutral, but when we shared more information about how the data would be protected and what it would be used for, we got a positive response across the board in all five Gulf states.
What we did hear loud and clear, and this echoes the research that you see coming from the Markle Foundation and others, Harris, Pew, that it was very important to address some of the questions that you are talking about, whether it is consent notice, how will my data be used, et cetera. So this research supports that.
Some final points, and I am watching my time. Policy enablers and restrictions. The multi stakeholder perspective across the board from the EHI blueprint process reveals that absolutely more clarity is needed through discussion and consensus on many aspects related to secondary data use which are outlined on the slide, accountability and oversight, disclosure, consent, access control, security, remedies, very important.
In fact, we through the privacy and confidentiality group -- and I emphasize that these are draft principles, not yet final, they haven't moved for about six to eight weeks. They are likely to stay the same, but we have a formal process for approval, that talks about some principles for which we were able to get consensus around the use of information.
They look a lot like what you are seeing from the other folks testifying through this meeting, around transparency. We should be clearly defining, visibly communicating how the information is used, that consumers have a right to know how their information is used. There shall be consent. Lots of confusion about consent, lots of confusion, so clarity is needed.
There was some conversation about this this morning. Our committee said that consumers and individuals should be able to limit when and with whom their information is shared. Security, no surprises there. The audit function was very, very important to this committee as they were thinking through enforcement and accountability and oversight, and then clearly remedies were extremely important.
Finally, you will see this very much in the Connecting for Health work, looking at technology in isolation without thinking through the policies for information sharing is a mistake. We see that on the ground every week, every day, as folks grapple with some of these issues.
Finally, while not in a survey, we worked with about 20 states in developing the road maps. We worked with our connecting community's membership and just talked informally with a number of groups on the ground that are grappling with privacy and confidentiality issues and the secondary use of data as part of that conversation.
Again, you have heard this, but I think there is a need for clarity and guidance, perhaps not changes in law or regulation, but how to interpret current law and how do we get to a code of conduct around how one handles these issues will be very, very important in the years ahead. There are concerns about privacy and confidentiality, and moving towards this need for building trust and consensus through very transparent processes, open, transparent processes on policies for information sharing is important.
In the interest of time, I didn't reference it too much, but that was one of the key findings out of the value and sustainability work that we did, was that social capital is the foundation upon which all of this relies, as you think about mobilizing data. That was really clear. I think in the early days, maybe some thought that if you build it, they will come, and we could build this big network. We could do this absent some of the conversation and the building trust at the local level, but where we are with our health care system, our current payment systems, where the data resides, that is not possible. This notion of building social capital is very important, not only for getting things going, but also for addressing these policies for information sharing that you are talking about, particularly with secondary use.
Then finally, a great need for public education and communication. Real voids in understanding there.
You asked whether current laws provide sufficient privacy and security protection. Currently, and through our processes, we are finding that no changes in laws or regulations are currently required at this point in time. We could answer more definitively post September 11, but clearly guidance is needed, guides, methods of interpretation, clarifications are needed.
You asked what would support greater understanding. More effective -- I have to tell you, our membership is pretty sophisticated. We follow all of this stuff. We give them detailed updates of all the policies every week. The people can't absorb all of the things that are going on, so translating this incredible policy work that is going on at multiple levels of the system and contracts into guides that people understand will be really important in terms of moving this agenda forward. Testing things through pilot projects, and then more collaboration among the organizations that are tackling these issues. There is a lot of collaboration, but you can never have enough of that.
Then I struggled with whether to put this in here, but I know that the name of the group is the ad hoc work group on secondary data use. We have a multi stakeholder leadership, there are about 45 of them, leaders across every sector of health care. We originally used that term with our blueprint committee and got a really negative response. They said no, no, you have got to take that word out.
I was talking with them about why that was, and I think it links to some of the insights that Carol Diamond had earlier around thinking that the data is health information, that separating primary versus secondary may not be the right path forward, placing the terms primary and secondary value of one versus the other. There isn't consensus that one is more valuable than the other.
Yet, you ask what is a better term, and we really struggled with that. So we ended up with data for population health, not good. We are still working on it, so by September 11. We look forward to contributing to your dialogue and your deliberations in the coming months in three particular areas, the learnings, the model agreements and the like coming out of the on the ground demonstration project, our consensus blueprint process, and then finally, the survey. There are a number of questions related to this. I was nervous about releasing them so early. The data people are still working on the questions, and I probably would have messed them up had I released them today.
That concludes our presentation.
MR. REYNOLDS: Thanks to both of you.
DR. CARR: Thank you, these are rich and very thought-provoking presentations. My question is, as you have heard the speakers earlier and heard each other, are there areas that you disagree with what anyone has said this morning, or areas that you would emphasize one more than another?
MR. ETHEREDGE: I don't think I would disagree. I think if I was listening, I would add probably two points to the major players. One was insurance companies. The paradigm many of the speakers were working through were the clinicians or the health care provider being the major source of data. Certainly the FDA legislation, that shifted; the major data source for their use is likely to be health plans, the HMOs, all of the large insurer databases. So I think the large insurers have an enormous amount of data, and they are going to be active players and need to be brought into this discussion. And of course, there are fewer of them than there are trying to deal with all the individual providers.
The other group that is emerging and may emerge as being very important are professional societies, largely stimulated by CMS in their ruling that for pay for performance they are willing to accept data from professional society organized registries. This has produced a lot of interest among almost all the specialty societies in thinking they could be the source of registries to advance clinical care and measure it. American College of Surgeons, for example, there has been discussion with ten surgical sub-specialties about creating a common surgical data file. That would provide something that has been missing, which is a professional reason for clinicians and health care institutions to take responsibility for the advancement of clinical care in their area.
So that could become an important factor in the next year or so.
DR. CARR: Just to follow up on that, in terms of what we heard earlier about the importance of trust of patients with their providers, what might you say about the relationship with the payors as the provider of data and that trust relationship?
MR. ETHEREDGE: I think that is a bigger issue. Unfortunately, I think people have a bad idea about their insurance company. They don't realize that almost all of the data would be -- they wouldn't want people to know about, it could be used for employment purposes or other things if the insurance company already has the diagnosed procedure or the prescriptions and the lab test results.
So there are a lot more huge databases and not very well paid employees and so forth. I think if I had to worry about one area that is going to be -- one has to worry about confidentiality, it would probably be more in the insurance databases than in the health world.
Trust. I think the basic rules we have are pretty good ones. I think there should be a basic principle that an individual has the right to not have their data disclosed, either parts of their data or all of their data. So I doubt that many people will actually do that, but I think that should be written into the system.
But as I was trying to lay out in terms of the uses of data, very few of those uses require anyone to have access to an individual patient's record. They are all statistical use -- almost all of them are statistical uses, and one can create a database that has rules that do not allow people to view individual records, particularly if these are systems that have well curated data.
What researchers often want to do at the primary level is, they want to look at every one of those data files to find out if they have outliers, and to find out what is going on. If you curated the data at another level, then there is very little justification for going back or any need to go back and look at it, for most clinical research purposes, to go back and look at individual patient files. You can build in those kinds of safeguards.
So I think we have a good basic structure of laws, but we need to make sure that we build those into the software, so most people can't get at the data through individual patient data.
MS. MARCHIBRODA: Can I say something about trust? We are seeing this on the ground quite a bit. The markets that have effectively navigated policies for information sharing have been neutral, they have been open. They have invited those who agree and disagree to the table to air differences. They have published the deliberations. They have been very transparent, and they have used process.
They have decided as a market, and it is not clear that one size fits all around where you will end up on your policies and your information sharing, but given the history of the market and the level of trust already built, they decide together with consumers at the table about how we are going to do this in our market.
It is not clear that changing regulations or legislating something is going to get you there, but so far, we haven't written a paper on this yet, but we are seeing that that is most affected. There are many examples of this. Memphis, Tennessee is one that did a lot of work leveraging the common framework of Connecting for Health to get there.
DR. COHN: First I want to thank all of you for some very interesting testimony. I had a set of questions for you, Janet, but I wanted to follow up on what you were commenting on first.
You had commented about markets, about markets that have dealt with the issues of privacy and confidentiality. When I first heard you, I was thinking of other types of industries. It sounds like what you are really talking about is localized environments in health care that have in your view successfully navigated the trust issue, is that correct? Or are you talking about other industries?
MS. MARCHIBRODA: Thank you. When I said markets, I meant geographic communities where information will be shared, both for care delivery and possibly other uses.
DR. COHN: Just following up on that before I ask my basic questions, do you have other examples of other -- taking markets how I first interpreted it, financial markets or other environments that have successful paradigms that you might be able to reference on this one?
MS. MARCHIBRODA: No, not at this time.
MR. ETHEREDGE: I think I would say that there are some things worth looking at in terms of other federal data systems, particularly economics statistics, where we spend several times what we do on health statistics. Some of them collect thousands if not tens of thousands of data series about everything in the economy with detailed questionnaires that disclose individual companies. But all of that is done with privacy. What emerges are huge federal databases on the price of AIDS in every market and thousands of other factors, wages and hours worked and productivity and so on, aggregated.
They are from individual reports, but there is confidentiality agreements. The only thing that then gets reported for researchers and for other uses are the level that they are legitimately used for understanding social trends and developing models.
I was just looking at agriculture statistics. There is $150 million in agriculture statistics collected by the federal government, more than we spend NCHS. We can track 99.5 billion eggs in the country at a level you would not believe, including where the breakage occurs and how much in the whole chain. So there are large areas of data where the federal government by using statistics, confidentiality, have been able to get a lot of individual level company and other reporting, but is then able to turn it into databases that are rich and very useful without violating security or the confidentiality agreements with which the data were contributed.
So I think there is a lot that has been worked through in these other areas. It may not be as sensitive to the corporations involved as much as the health information is for individuals. So there are models to look at.
DR. COHN: And you have come up with some other ideas also about other industries. I was just thinking of whether there were other industries to look at that had also used trust models and how does it all work, just so we could maybe reference them. If you come up with something later, let me know.
The question I was going to ask you though which I started out with actually had to do with your financial sustainability model. I wanted to find out a little more about stage one and stage two, stage one being the transaction model and stage two being the infomediary model.
Can you talk a little more about the characteristics of data use or exactly what the perception is that RIOs or HIEs or however we are describing them at this moment, the characteristics of their data use, or however this works in terms of secondary applications in both of those models?
MS. MARCHIBRODA: To reference your first question, what we struggled with in looking at different markets, health care is different. Maybe my money went to a different account, or someone knows how much money I have.
Let's take the financial services industry. I can figure that out. There are remedies, and I can get it back. But if I have HIV/AIDS or I have behavioral health problems and I lose that, what sort of remedies? I can never take it back. So I struggle personally, this is not an official statement of EHI, but I struggle personally with how we might look at other markets.
I really do think this is different. It takes not only rules and regulations, but a human element and figuring out how to navigate this path forward.
Your second question. We looked pretty hard at a number of markets, 11 markets, and then three in particular. There is progress being made by a handful of markets across our country around this notion of a transactional model.
Cincinnati Health Bridge and Indiana Health Information Exchange are two examples of that, are helping to reduce costs, whether it is for hospitals or laboratories of physician offices, around transmitting data that already gets transmitted through other means as part of normal health care delivery practices, whether it is clinical messaging or access to medication information and the like. But clinical messaging is one that is demonstrated ability to achieve a return on investment and break even, particularly in those two markets.
This notion of an infomediary is one which we are beginning to see some movement in different parts of the country. Mark is sitting two down from me, and probably one of the examples that I would point to is the work that Indiana is doing around public health surveillance and most recently around informing how one is doing from a quality standpoint, around quality performance, providing that data -- this is the beauty of doing this locally -- within these collaborative markets, providing how physician practices are doing and providing that information to those responsible for population health, those who pay for health care, but also feeding that data back for improvement purposes. So that would be an example of an infomediary model.
Your question was how -- does that answer the question?
DR. COHN: Yes, it begins to. I wanted to look a little further into the financial models to see, since you were indicating that people in stage one, the belief was that HIEs would not be successful until they moved to stage two. I was just trying to figure out where the financial transactions might occur or the sustainability, who is paying for what as you move into stage two.
One hears secondarily about people taking data and deriving some sort of financial benefit for secondary purposes. I was just trying to identify whether in stage two that was what was happening, or whether that is a different conversation.
MS. MARCHIBRODA: There are a number of ways that service delivery under both models convert into revenues that can sustain a health information exchange. In many instances for the transactional model, one pays through service fees or even transaction fees in some cases for the provision of that service.
The question is, how does the financial model change with the informediary model. Currently for those who are employing the infomediary model, I could give you factual data looking at the survey. Service fees are also charged for such services. Such service might be the development of a report card, the development of a service that feeds back data to a clinician on how he or she is doing on his or her diabetes patients, and the like. So the fees are similar.
I wanted to make a statement -- when you first asked your question, I wanted to be very clear and for the record that sustainability is indeed possible and actually occurs with a stage one transaction model, absolutely. But as we think about value based health care and where we want to move, in order to drive widespread sustainability across all markets in the U.S., all pockets that might otherwise be left behind, we believe that we will need to move to a stage two infomediary model.
MR. ETHEREDGE: If I could just add, I think the payors have a very big role here, if we decide as I think we should that these are national objectives, building this into their pay for performance or pay for reporting requirements. So there is a requirement for the data to be submitted and for a payment that reflects those costs. If you don't do that, you are not a preferred provider, which is a financial incentive for using hundreds of billions of dollars to participate in these kinds of networks.
So I agree with Janet, I think this will move much faster if we create a national set of economic incentives to move in this direction. I think the large payors, the insurance companies and government programs, actually have limited power to create the payment differentials and requirements to make the data that we need financially viable and attractive.
MR. STEINDEL: Thank you for your talk. Lynn, this is mostly addressed to you. I am very concerned about what seemed to me an overall premise of your discussion, in that large databases of convenience are good, and that we can derive information from them.
I was very pleased in your response to one of the questions that was asked of you when you pointed to NCHS and the type of statistics that they gather in the halls of this building. Also, if you will please note to Ed Sondik that he did note that they were vastly underfunded.
MR. ETHEREDGE: I will attest to that.
MR. STEINDEL: I think your point that you made was that if we spent the type of time and energy in focused statistical studies and collecting data on the health care system, we would probably be much better off than we are today.
You constantly compared this to the economics statistics gathering system. As Janet pointed out, it is a vastly different market. In the economic system we are dealing with business sectors that actually need this data to do what they need to do to move their companies or their products forward. Where in the health care industry, and we have talked about this a lot, it is basically a set of cottage industries. There are groups working together, they are uncoordinated, they are delivering the health care they were trained to deliver in medical school, and we are trying to move away from that model. So it is a totally different paradigm than what we are looking at in the economics model.
I think that is what is missing a little bit in this massive database idea. I can say that, and I don't know if I should say that. I am at CDC, and right now we probably have one of the largest massive databases, convenience data gathering going on with our biosense project. We are doing a marvelous job of every 15 minutes collecting real time data from over 350 hospital EHRs. We are doing a wonderful business for the disk drive manufacturers.
Now, having said that, one of the things that are constantly talked about, and one of the things that Congress is constantly asking us about, is what are you doing with the data. It is massive, it is large. Whenever we look at it, it is difficult to handle it is difficult to ask questions, it is difficult to get our hands around the answer.
Now I am hearing that we are talking about a collection of gathering 100 million records for drug studies. I know these exist. When CDC was approached several years ago, I sat in on several meetings on this from the clearinghouses, that are sitting there with this data right now. They have the medical claims, they have the drug claims, they have this information coming together, and we were interested in looking at it for looking at drug resistance in the community.
First of all, they wanted to charge us for the data, and we found out it was very expensive. Second of all, when we started looking at it, we found that it really wasn't that useful from that point of view, from looking for the needle in the haystack. So I am very concerned about this movement forward.
MR. ETHEREDGE: At one level I agree with you. We do have a lot of questions to be answered about which databases you can use for which purposes. I think where we are starting, the FDA is about right; you look for large databases and you look for things that are obvious like death, is Vioxx killing people. Those are things that should be very fine tuned differences between competing drugs you probably need randomized clinical trials for.
First of all, I think I would disagree with you on the economic data. I think it is very common. Most of the firms in the country are small, fragmented, et cetera, just like health care. That is one reason the federal government decided decades ago it needed to create a national data system in order to serve the entire community and all the industries and economic policy making. So I think it is very common.
This gets into technical details. I think just collecting data and putting into databases is nuts. People at NCVHS and CDC understand this. You really have got to decide why you are doing it, what the sample size is you need. If you need 10,000 patients, why collect 100 million records. You want to curate the data, you want it to be, as you do for economic statistics, carefully sampled so you have representative samples for what is going on.
So I certainly agree with you that just mushy data or buying data or selling data because it is data is not something I would support. It is a waste of an enormous amount of money, it creates a lot of garbage in the system. As you know, if you are not careful, you can produce error very quickly as well as truth with the big databases. So we have got a whole profession that has to develop -- and FDA is going to be wrestling with this mightily -- about what is a signal and what does it mean you have to do and so forth, and what database do you use, how do you go back on the basis of science and try to see if it is reasonable.
So I would not want to underestimate what you could do, but I wouldn't want to lose the real world experience. Ultimately we do want to be able to predict the basis of health care or any science, if you do A, B, or C, what will happen. We do need to be able to predict what will happen with real patients in the real world.
Again, the database of convenience, yes, I understand the database of convenience, but let's look at what we are contrasting this to compared to what we would have on patient safety. FDA has been using voluntary reports. It was getting 25 or 30 admissions a year to hospitals as a well of digoxin. They went back to the Medicare database, which included 98 percent of Medicare which is a pretty good sample size on 40 million people. It is subject to not a lot of adverse selection in terms of the total universe. They were finding tens of thousands of admissions per year easily found through the database.
So we are dealing with not a few percentages of differences. That is the level of ignorance. In most areas of health care, where we are starting is trying to understand several hundred percent variation and use of the procedures, not two percent or five percent or ten percent. We should be able to get some insights. I think it is worth checking these databases for sure to see if we can get some insights into whether all this amount of money that we are paying for actually is making a difference.
So I would agree with your aspersions about databases of convenience I would subscribe to. It is why I do think, although we can't get into it very far here, I think we need a national data policy for clinical research that is going to begin to shape for the public and all the users the kinds of databases, the kinds of well constructed registries that are going to be useful, the kinds of networks that are going to be useful. CDC has done that with the vaccine safety data link, NCI has done that with the cancer research network. There have been hundreds of studies out of the HMO research network. So I think it can done. I don't want to minimize the work or suggest that it take place without a national policy or without a lot of professional input on the structures that would be useful.
MR. STEINDEL: I thank you. Those clarifying remarks help a lot.
DR. DEERING: Thank you very much, both of you. I wanted to ask for a little bit of perspective from each of you around the issues of, on one hand the perceived proprietary value of information from the side of the various health care organizations who own it, and on the other hand the intellectual capital value of data from the side of the researchers who may happen to have it.
This derives from the experience, that everybody loves the idea of what you can do with more data. The vision that everyone has pointed to, they say, oh yes, I want more data, but does that mean I actually have to put something in.
Just to remind us of how bad it is, there is an individual who shall remain blessedly nameless, who is now very active in this area, very proactive and positive in this area, and whose organization is very active in many of the groups that are represented around here, who back in 1999 or 2000 at a meeting specifically said, there is no way we would ever give your data out to the people across the geographic area. This is our bottom line. CAB came relatively late to the population health activities, and it was a population health researcher who said you will get my data when you pry it out of my cold, dead hands.
So the question to the two of you, clearly we have begun to make some progress in the health care provider space. Indianapolis certainly paved the way in terms of overcoming the proprietary value concept of the data. So I want to ask both questions before either of you answer. The question to Janet would be, based on talking with your communities that you looked at, can you say specifically whether there are any particular practices, incentives, et cetera, that helped overcome their perceived or real proprietary interest in their data.
For Lynn, in the cancer research network, I happen to know they don't actually share their data, they just structure it similarly, and if you want to do research, you send a query to one of your fellow partners and they do the research for you and send back the answer, or something very close to that. So it is not a true data sharing. It is because of these perceived privacy and industrial intellectual capital issues.
So the question to you, if you are putting up the HMO research network up there as this major source of data, what do you think, or have you already observed practices and policies that have helped pry a little bit of that loose. Strike that, not pry it loose, but encourage them, enable them, to make it available.
MS. MARCHIBRODA: It is best captured in the slide. One of the major findings of the report was that -- the economic problem of health information exchange is that given our current payment system, may militate against this notion of a patient centric point of care data collection and use. And because of the way we pay for health care in our reimbursement systems, it fragments the data and it gives payors and providers a reason as you said to silo and hold close information, and not work together.
So given where we are with the current health care system, you asked about strategies to overcome that, which is why we talk about the need for aided with national standards and policies around an NHIN this really needs to move from the ground up, because given the current system and the silos you mentioned, you need to build social capital to find that latent demand and market for exchanging information, whether it is from a transactional basis or looking at a stage two model.
So strategies are good old-fashioned reaching out, walking in your customer's shoes, building trust, thinking about the community's good as opposed to my own good. This is very, very difficult, and there are many challenges in communities across the U.S. around this issue today.
In addition to social capital, which is a necessary element, what we are finding is the human capital side, where having business acumen and being able to convert value that emerges from the social capital foundational process into real pro formas and business plans that actually deliver value and give you enough funding to sustain something that really works against how our health care system operates today.
DR. DEERING: Just one small addition. It seems to me that what has been accomplished through the government paying people to collaborate is that it has probably also begun to build up a demonstration that you are not harmed by doing it. In other words, there has been no experience of harm -- that is a negative finding, but negative findings are good in science -- in any of these areas.
Now, there may not be a positive benefit as you have said, because the sustainability issue is still very difficult. But at least there has not been overt harm experienced by those who have tried it.
MS. MARCHIBRODA: Over the long term, and I failed to say this, we really need to change the way that we pay for health care, and that ultimately will line benefits and costs up around our system. That has to happen in order for there to be widespread proliferation of this.
MR. ETHEREDGE: Mary Jo, great questions. On shared data, I think you are right, most of the networks we have now do not share data. It is why I was emphasizing that we do need a -- I do think everyone would benefit from a national database that is shared data. But I think the federal government needs to create that federally and do it right for everyone to use.
At the moment, everyone who has got their own database wants to keep that for themselves and contract to do the studies themselves. The common research that is done is -- my understanding is the same as yours -- is that there will be a common protocol that is negotiated among the HMO research network, for example. The data is run to that common software, because most of them use the EPIC system, and then summary statistics are reported back to the principal researcher. But for privacy reasons as well as proprietariness of data, the patient records never leave the individual institution.
Aside from all the other reasons, there are also some legal issues involved with that, that came up with vaccine safety data link, as I understand it. Originally the vaccine safety data link data worked the other way with ongoing computers, but there were threatened lawsuits because that is used to make decisions about insurance and compensation, and the drug industry wanted that. So the data has been moved back to where it resides in the individual plans behind the HIPAA firewall. So there are legal issues that come up there.
That is why I am drawing the distinction and saying if we really want to move forward with a national data set, like the Human Genome Project, we need to build that. FDA is going to find this. They are not going to be able to buy the data. They don't even have a mainframe at FDA. They want to contract out all of this, so it is not such a big problem for them.
In terms of the researchers, I think you have captured the essence of how researchers view sharing data. I think that is the problem. That is why I mentioned the economics of the commons. The commons are used to this. But it is insane for you guys not to share data among yourselves, because you will all be so much better off if you had all these data.
So I think the government either creates an actual database, which is the easiest way around this, or it steps in and says, you guys are all funded by NIH; part of the conditions of your getting public funding for your research is that not just your journals articles, which go into a common database, but all of your data within two years after you finish it, you get to publish off it, your data to EHR or CDISK standards goes into what is literally an NIH evidence database. The reason to do that is, that is the most carefully collected data that we have. Professional researchers are doing it, they are careful with the data. There is a lot of data.
In my view, that should be a requirement of NIH funding, that the data gets reported. That is consistent with good science which is, your whole database ought to be open to other researchers to look at, not just your published research summary statistics.
This goes back to what we were talking about a little earlier, which is CDISK. Technically, what is holding that back is, NIH and FDA as I understand it decided they wanted to work with the pharmaceutical committee on a separate set of data that they call CDISK, that overlaps what is on the electronic health records, but would be useful mainly for all these clinical trial data that pharmaceutical companies have to submit to FDA, but also every other regulatory agency in the world. Talk about negotiating standards; this is a very difficult process.
So I think public policy needs to face up to the fact that we need to get the research community on electronic health record standards, CDISK or whatever merger that is. That needs to be recorded to public databases after you give a couple of years for people to publish off it themselves. FDA needs that. There are still boxcars almost of data, of paper, that comes to FDA. They need this on a disk that says here is the clinical trial data, and then they can use sophisticated software.
Plus, now when you try to look at a dozen studies that have been done or two dozen studies on any drug, there is no evidence base to put together. You have these summary statistics from each of the different studies, and one needs to meld together, think how you put apples and oranges. If we did this right, we would have a common accumulated database of clinical data that goes into a real database on each of these new drugs, and then can be progressively analyzed.
So again, that relates to the CDISK standards. I think it is an enormous benefit. The quality and quantity of careful research level data for clinical purposes, not ad hoc collected as some other data is, if we can get the NIH and the FDA, the HHS to start to require that.
You set me off. Sorry.
DR. OVERHAGE: I guess this is primarily directed at Lynn. One of the challenges that I see among many is, you talked about for example submitting data. So the immediate question that comes to mind for me is, which data are those to be submitted to be collected, to be standardized.
In fact, it is almost a challenge. I don't think that is feasible, having tried to use routinely collected data for clinical research for many years, to anticipate what the important pieces of data for any particular purpose are going to be, even when it is pretty well circumscribed. So how do you reconcile the dynamic learning network kind of approach with a circumscribed set of data in standard format? Or maybe I misunderstood.
MR. ETHEREDGE: It depends what the purpose is. If I put my OMB hat back on, we have huge issues that need to be solved with public policy about variations of hundreds of percent in heart disease, cancer, diabetes, high blood pressure. We actually have good measures for those in databases that get recorded.
There are a lot of things we could look at. We have a lot of drugs that are supposed to be used for those. We discovered when you look at the Medicare data, there are huge variations in the use of drugs in Medicare for all these different kinds of common conditions. We are going to want to know if there is a difference in the effectiveness of these drugs in different populations.
So I think we do have a number of cases where we have good measures of what we would like to look at where we don't need new data. Where we will need new data is on new technologies. There we do need a national system of deciding a research program for new technologies, of what data need to be collected, we think need to be collected, who is going to collect it, how is it going to be recorded, the kinds of things that Medicare deals with in coverage of evidence development. Then we look at that periodically and decide if we are collecting the right data or if we need more data.
DR. OVERHAGE: If I can follow up on that because I would like to clarify, you used the example of hypertension and treatment and even reference to Part D data that may become available through Medicare at some point. But the information may not be there.
First of all, as Janet outlined, clinical measures aren't there routinely and are not available in very many of these large databases. So even simple measures like what is the systolic blood pressure are not routinely collected and available.
But even if those were, the thing I was trying to get at is, even for the quote-unquote simple thing, what other data about the patients would be relevant to help decide what the optimal choices are. For example, it might turn out to be a particular genetic characteristic of the individual and their ability to metabolize a drug. It might turn out to be the fact that they are on other drugs. It might turn out to be -- the list is endless of data elements that you might need in order to do that simple question of how do we eliminate variation in treatment of hypertension if we don't understand the details of why one individual responds and another doesn't for a particular therapeutic regimen. I don't know how you bound the data.
MR. ETHEREDGE: I think those are excellent questions. One implication of that it is one thing to have a national health data policy, a sophisticated one to begin to address these issues. I think it is not feasible to say we are going to change the standard for all electronic health records in the country to collect the following 25 new elements for each hypertensive patient. Those become enormous burdens, and it is very controversial.
To my mind, I see these general use electronic health records but then, I would like to see a whole development of specialized rapid learning networks with registries, so the physicians who treat hypertensive patients, there would be a registry just as there is for bypass surgery right now, or cardiology.
You probably know much more about this than I do, there are always problems with those. But I do think that we need to be thinking about a network of registries and data systems rather than try to think that every electronic health record or Kaiser or Geisinger are all going to be collecting all the data that we need.
But there are some areas that just cry out for it. I mentioned cancer, where we are losing huge amounts of data. Pediatrics; I have been talking to people about a rapid learning system for children's health. A lot of drug use is off label, so there are gaps in data. There are lots of special needs kids. Most pediatric practices, even pediatric practices, are small. They don't have a large enough database to do good research on their own. Even the EPIC users group with Childrens Hospital in Philadelphia, which is a genetics database for their patients with Kaiser and Geisinger, all of whom are getting genetic databases. You would have an ability to do very sophisticated research in organizations that would have leading edge data.
DR. VIGILANTE: A couple of things. Awhile ago, Simon said something about trust models from other industries. Yes, there are some interesting trust models in medicine. Christine shared a paper with me last year by David Tome. He looks at trust in physicians, in measuring it; he has a scale.
There are three elements of it. One is competency, are you capable of operating on my brain or not; agency, whose side are you really on, are you limiting my care because you are working for the HMO or are you really my agent, and the third was communication, do you communicate with me in a way that engenders trust and gives me the information that I need.
He has applied this not only to individual physicians, but to institutions as well. It struck me as an interesting construct with some analogs in what we are doing here. If you were to say competency is your capability of protecting my information and being the appropriate steward of my information in a way that doesn't put that information at risk, whether it is through policy, procedures, technical capabilities, audit capabilities, whatever they may be, that is the competency leg.
The agency leg is really very important. Whose side are you on? Are you doing this for profit, or are you doing this to get your name on a paper so you can promote it and get tenure? What are your motivations for collecting and sharing this data? So the agency question is central.
And communication. I think what we have heard is, people really don't understand what our motivations are or what we mean by consent, or how this data is going to be used, or whether you are going to be at risk or not. The manner in which you communicate that either can engender or undermine trust.
I haven't really thought this through, but it is a tantalizing model to think about in addressing what is a fundamental issue in this whole environment.
Getting back to your presentation, like Mark, I think you could think of tons and tons of barriers as to why this would be a challenge.
MR. ETHEREDGE: I knew you guys are the toughest audience.
DR. VIGILANTE: No, no. You talk about data issues; I think there are cultural issues. The randomized control trials have been called one of the five greatest scientific contributions of the 20th century. A whole generation of people were raised on it. We can't even absorb that information. Now we are going to be churning out information much more quickly. How are we going to say who is going to be the arbitrator as to what is good and what is bad.
But that all said, I do think it is a good thing. I think it is a way that we need to move. I think the speed with which we provide evidence on which we base our decisions today is much too slow, and it is not based on generalizable populations.
So it occurred to me that what this really is about is not just a national data set. Maybe it is more about patient centered research. This notion of patient centered care; maybe this is really about research that emanates from patients that are more representative of your patients rather than being filtered through exclusion and inclusion criteria, and then is available more rapidly for the treatment of patients through real practitioners.
It is just a random thought, not fully thought through, but something to contemplate.
MR. ETHEREDGE: I think that is excellent. It is what I think, and some other people, mainly people who build predictive models think the same way, because I have seen them used in economics. People are getting overwhelmed by data that is so complicated that they can't process it, and now there is a lot more coming up.
We need to move toward useful predictive models that help people make decisions. Ultimately it isn't about our data, it is about turning it into predictive models and decision assistance, so that at the point of decision by the doctor and the patient, we have a tool that encapsulizes the best available science and data in a useful way that they can use it at that point in time.
So yes, I think it is not about the data. It is about finding ways to make it useful.
DR. SCANLON: I'd like to go back to what Mark and Lynn were talking about earlier. I want to go there in part because I want to draw up some boundaries for what we are doing, and also because I think maybe it involves mixing some of the old world and the new world.
The Medicare database, when we add Part D, is going to be an incredible improvement in the Medicare database, but it is still kind of old world. I don't like the term administrative data. This happens to be clinical data, but it is submitted with a claim, is what it really is. There is richer clinical data elsewhere, but still, there is a lot of clinical information that is in there.
But I would like to know how much further you envision these databases that are going to be built in terms of going beyond what the Medicare databases are. When you talk about a Kaiser or a Geisinger, it is very easy to say they have got electronic health records and they are a single entity, and every time some information comes into the electronic health record it is available to them for research within the organization. That is an easy concept to grasp.
Now, when the FDA goes to put together something to comply with if this law passes, they are potentially back into the administrative data. They are almost like that person you described getting a research grant, going out and collecting information. They are going to have to go solicit data that is going to come in. It is going to become for the moment a fixed database, and then it can be updated. But it is a whole lot less in terms of potential than a Kaiser or a Geisinger, where you have got this rich electronic health record.
So do you see us moving beyond the old world on a national basis? If we do, I think this comes back to the first panel discussion, then what about the issue of consent and trust? It is a whole different thing when we say to you, I am treating you and I am passing along everything to some other entity that they are going to use in a variety of ways, which we don't know what they all involve today.
MR. ETHEREDGE: I think those are wonderful questions. I think I would just stop with your questions. Literally up until two weeks ago, I was talking about rapid learning networks, and I said, you know what I think this really is, when I got the invitation to speak here? I think this discussion needs to be about a much broader longer term enterprise, which is, what is the national data system for clinical research, how do we develop it and how do we use it.
So I don't know where I am going to be in another couple of weeks, but I invite you and the committee to answer the questions. I would love to see your answers.
DR. TANG: I really liked Janet's social capital. I think in a sense that is what Clem and Mark did for over a decade, and you can't replace that. You can't even buy it. So I think it goes back to the trust thing.
The other one is, you get what you pay for, to address Lynn. It ties with Mark and Bill's question. Just like we say multiple data doesn't make information, numbers don't make even data. I worry about the billing data because just aggregating more of it, you said it yourself, we will just make mistakes faster. I truly worry about that. We will come up with false conclusions and harm patients, absolutely.
MR. ETHEREDGE: That is why I particularly talked about using electronic health record databases. I have tried for decades to use the Medicare claims data, which is why I think this is maybe -- EHR may be the 21st century database.
DR. TANG: But it seems we have to always qualify our statements about the value of all this practical experience and all this free -- you get what you pay for. Even Mark's example of the hypertension drugs, you don't even know what the drug is being used for, on label or off label, let alone all the other contexts. So I am a little nervous about having a free range discussion about value of large data sets without the qualifiers, that's all.
MR. REYNOLDS: That's all the questions. I'd like to make one comment. Simon, you mentioned earlier what are the markets and other things. As you listen to this discussion, we always tend to talk about health data differently.
If you think of those of us who give speeches, you ask a number of people in the room that do Internet buying, where as long as that screen comes up and says that it is a secure network, you are willing to give them anything. Everybody uses a Kroger card or something else, and everybody calls an 800 number to buy something and give them all the information.
So I think in this world that we are dealing with, as all the speakers this morning have said where are we going, and you have set us on a journey. There is inherent trust for some reason in buying on the Internet, but nobody signed anything, nobody said anything to each other, but yet, Americans are giving up their data hand over fist. The Home Shopping Network, the senior citizens getting on the Internet or talking about their health care are buying stuff like crazy given an 800 number.
So we also have to keep in mind that this whole discussion of trust we get ourselves wrapped up in, how can those same people lose it, and as long as that screen comes up that says you are entering a secure network, give up a bunch of data.
So I'm just asking that we make sure we take every paradigm that is out in this current world, and as we think about how trust is getting afforded, because the Internet in many ways may be the most dangerous place you could do your personal business. But on the other hand, people do it without hesitation, the same people that won't put their hand up when I am making a speech about whether they want any of the health data.
So as we look at this, there is a world out there now that is acting in many different ways, and at least we have to think about it as a filter, so that we don't get stuck in the same paradigms that we have always been in before. That trust has almost been automatic and with no concern. On the other hand, we get really freaked out on some other stuff.
So it is something to think about, because it is the actual person that is giving the trust to somebody they don't have a clue. As we talk about a network of networks, and we talk about privacy, this whole idea of where is the data going, it could be stopping in other countries and you don't even know about your data, but for some reason we have bought in.
So just a thought, not anything other than a thought.
With that, it is 1:12. We are scheduled to be back at 2:30, so I will see everybody then. Thank you.
(The meeting recessed for lunch at 1:15 p.m., to reconvene at 2:35 p.m.)
Agenda Item: Clarity of Current Law Relative to Uses of Health Data
MS. MC ANDREW: We are being rebellious here, and we are going to let Dr. HIPAA start us off.
DR. BRAITHWAITE: There is always one rebel in the crowd. What we are going to do is tell you what we are going to tell you, tell you what we told you, and then really tell you what we told you, because you now have three people here at the two-seat panel session. I am going to try and give them our philosophical overview, and Sue is going to get down into the HHS position on some of these issues, and then Julie is going to focus down on research as a subtopic that we are working on here.
Almost every time I talk about HIPAA I have to say this. You heard this several different times in different ways, that the concept of privacy is based on the principles of fair information practice, which were generated by the U.S. government, it turned out, in 1973, used as a basis for the Privacy Act of 1974, and thereafter used as a basis for virtually every privacy law that was passed in other countries, but never ours, since then.
So these are not exactly word for word of what you heard before, but this is my personal distillation of what these principles of fair information practice are after the many years I have been working on this. They are basically three, with a couple of supportive ones.
The first idea of notice is that the existence and purpose of recordkeeping systems must be known to the subjects of the information in those databases, the choices involved, that information can be collected only with the knowledge and permission of the subject, used only in ways relevant to the purpose for which the data was collected, and disclosed only with the permission of the subject, or some overriding legal authority like a public health law that balances the individual's privacy versus the public good.
The third and last of these is, individual rights to see the records and to go through some due process that assures the quality, by which I mean the accuracy, completeness and timeliness of the information in that database, is assured.
None of those three things can be maintained unless you also have security, by which I mean reasonable safeguards for confidentiality, integrity and availability of the information in the databases, and enforcement of both the confidentiality principles and the security principle that result, where violations result and reasonable penalties and some mitigation.
So that is the basis. These principles in fact are the basis on which the HIPAA privacy rule was written. It is not written down anywhere like this that I remember, but Congress told HHS, do a privacy rule because we can't pass a law. After three years of trying they couldn't do it. So we did it. We wrote these rules based on those five principles.
At the highest level, it is important to understand that there are only two cases where HIPAA requires disclosure, when the individual wants their record and when HHS wants to investigate the record to determine compliance.
Everything else under HIPAA is permissive. This is both a good thing and a bad thing. The bad part of that is that covered entities can and do provide greater protections if they want, preventing uses and disclosures that HIPAA allows. Not only can they do that, they often blame HIPAA for the restrictions. So it is a double edged sword in that respect.
Not in the slides but important to notice is that what is protected here is individually identifiable health information in the hands of a covered entity, someone who is covered by HIPAA, or their business associates. This does not include people who are not covered entities, and it does not include information that is not individually identifiable. So if you deidentify personal health information, it is no longer covered by HIPAA. If you buy Tylenol in the Safeway store and check out at the cashier, that is not protected health information. But if you buy the same bottle of Tylenol in the pharmacy which is a covered entity, it is. So there are some nuances there that have to be kept in mind.
So in addition to that permissiveness, HIPAA only allows, only gives permission for disclosure in four cases. It is that simple. Sue is laughing, because of course none of the four cases are simple, but there are of course implications.
The first is for treatment, payment and health care operations. If you notify the patient what you are going to do with their information, it is assumed that if they show up for treatment that they understand and are giving permission in an implied sense to use the information about them to treat them, to get paid for doing that, and for doing other things that allow them to stay in business, because without those things they would lose their license and they wouldn't be able to provide care. That is the underlying concept of TPO.
The second area is uses and disclosures that involve the individual's care or directory assistance. These are more casual uses of information for the good of the patient. But those cases require that the patient get an opportunity to either agree or object to those uses. If they object, you can't do it.
There are specific public policy exceptions, where the public through their legal process usually has made a decision that this is more important than the patient's privacy, so you can do that. Everything else needs a specific authorization from the individual patient.
Every one of these four things has a complex set of procedural requirements, based on which use or disclosure we are talking about, which is why Sue was laughing. When you apply the five very simple principles through these four very simple mechanisms to the most complex human endeavor in history, you end up with a complex set of rules. So let's try and go one more layer deep to talk about these four mechanisms, and a little bit about where it gets more complex.
I have talked about the implied permission. The notice of privacy practices is an attempt by HIPAA to make sure to make sure the patient knows or can know if they bother to read it, about what is going to be done with their information, what is implied by coming to the provider and getting care, and what is going to be done with their information.
Making a good faith effort to get a written acknowledgement is a little extra thing added on after the draft was first written to put a little hammer in front of the patient to say, really pay attention because you have got to sign something when you have gotten this. Acknowledgement is not required if there is no interaction with the patient. So health plans, clearinghouses, indirect treatment providers like labs and so on don't need it.
Health care operations. Are these secondary uses? It is a question that everybody raises. In fact, HIPAA makes no distinction about what is a primary use and what is a secondary. You could maybe read into the language that TPO is the primary use and everything else is secondary, but HIPAA doesn't make any distinction there. It takes all of the uses and puts them into these four categories, and then gets very specific about what the restrictions are or what the process is for using it in each of these cases.
You can read the examples for yourself. They are the kinds of things like accreditation and certification and licensing that every institution has to participate in, or they can't continue to practice.
The opportunity to agree and object is simple things like telling your spouse or your significant other about your condition so they can help with your care, posting the fact that you are in the hospital and your condition is stable in the hospital directory, that sort of thing.
There is also a third one, which is the disaster relief services. Information can be released to the Red Cross for disaster relief purposes. Is that a secondary use? I'm not sure. I would think the first two of those three are almost subsets of the primary use.
The public policy exceptions. There is a long list of them, each of which have specific processes you go through, usually pass a law or go through a legal process to make these kinds of things happen. These are I presume secondary uses, but they have been judged by some public process to be for the public good, and we will get into more details about what each of these things involve.
Then authorizations. Covered entities have to obtain an individual's authorization before using or disclosure their PHI for purposes other than TPO and the other, a couple of minor things. Most uses and disclosures such as therapy notes have to require authorization, even though some people think that should be part of the TPO. It is unique and separated by HIPAA, and some marketing and fundraising might require authorization, depending on how that works.
So virtually all other secondary uses that haven't been explicitly labeled in HIPAA require an authorization from the patient. Business associates can only do under contract what the covered entity could do, with one exception. That is, they can collect identifiable information from more than one contractee or contractor under their business associate agreements, and aggregate that information for TPO purposes. A covered entity could not do this itself because it involves getting access to protected health information from other covered entities without the patient's permission. It is not used for treatment, and it can't be used.
The outsourcing paradigm of using business associate contracts essentially must follow the same rules, with that one exception.
Just as an example, because I know we are going to focus deeper on this, I wanted to point out that there are seven ways under HIPAA that you can use protected health information for research purposes. You can deidentify it in three different ways. You can get an authorization through three different mechanisms, or you can get the authorization directly from the patient. Plus, there are other things being done with this patient's information that are exactly the same as what you would do if you were doing research that is not meant for generalizable knowledge distribution, and those things happen under health care operations, public health and sometimes things required by law like registries and reportable diseases and so on. So it is just getting more and more complex as we go deeper and deeper.
But I have come up with a rule of thumb, and I use this rule of thumb when I talk to people about, what does HIPAA really mean and when do we have to worry about whether it fits one of these categories of things we are allowed to do or not. The basic rule is, don't surprise the patient. If you use or disclose information in a way that the patient doesn't expect or shouldn't know to expect, then they might be upset, and it violates the principles of the patient knowing about all the things that could be done with their information.
So to make sure that this rule is followed, you have to tell the patient about all the uses and disclosures that are part of the normal operations of your organization. You have to give them the opportunity to object to limited disclosures that are in common practice for the good of the patient but which are not included in those things you have to do to stay in business. You can follow the procedures for the public policy exceptions, and because they have been discussed in the public in some form by lawmakers or whatever, they should know about this, like the reporting of contagious diseases, or you get their explicit permission, in which case they know about it. So that is my personal simple rule of thumb that applies HIPAA to everything else.
So my conclusions from my personal perspective on going through this process is that uses and disclosures come in many flavors, and labeling some as primary and some as secondary I think is a bad approach, because everybody thinks about those terms differently and it is going to lead people astray and cause a lot of arguments that are unnecessary.
The HIPAA privacy rule is in its intent to protect individual privacy while allowing most current practices to continue with transparency, because many of the health care practices that have been going on in the past were not transparent and the patient didn't know about it. Although in writing the rule, we judged that most of those practices are in fact beneficial to the patient either primarily or secondarily, not to confuse the issue, but that they were poorly understood by the patient, which is why transparency was emphasized.
At this level of detail at least, the HIPAA rule is very clear. The complexity of the health care environment however, and the diversity of the desired secondary uses makes it difficult to take these simple rules and apply them. People are confused, and they use HIPAA as an excuse for all kinds of stuff that is going on out there.
As a last point, it is important to make the point that HIPAA is a privacy rule, but the reason that people are concerned about their privacy in this country has a lot more to do than their concept and sense about their confidentiality. It has to do with discrimination mostly, I think. They are afraid they will be discriminated against if somebody at their job finds out about their health status. They will be discriminated financially because they won't get a raise or they won't get a job improvement or they won't get a loan or their mothers will be called. Lots of rumors about what has actually happened out there in these areas. They are worried about their reputation because they might be discriminated against.
There are a very, very small number of people who are worried about the intellectual property of information about them that they would like to profit from if somebody else is selling it. But that turned out to be a relatively minor concern based on the feedback we have gotten.
Thank you very much. We will turn it over to Sue.
MS. MC ANDREW: I am happy that Bill went first. This is the way we planned it. I won't repeat, and some of the material in the slides I will not go over; it will just be there for your reference if you need more detail about how HIPAA works. But I would like to pose a couple of questions in terms of the scope of the issues before this work group, talk a little bit about how HIPAA approached the problem of secondary uses or primary uses or all uses in disclosures, as it turned out, and what from that might be useful to your consideration in this forum. I will probably not go through the individual crosswalk of how HIPAA would treat some of the secondary uses, although I may point out a few things. I would like to build on some of the things that Bill went over in terms of which of the current areas of HIPAA may fall within this vague concept of it as a secondary use, so you know at least where the HIPAA marker may be as you consider these things. Then I will just make a brief comment on pre-emption. There may be much more about what privacy looks like from the state perspective later on today.
The first scope question that came to mind as I was putting this together is how you are defining the what, what is a secondary use. I was a few weeks ago at the AMIA discussion about secondary uses, and there some of the bleeding began in terms of what the concept of secondary uses really was. Elemental I suppose is this concept of a primary use, direct care, treatment. Some of the comments here today would challenge whether or not even that is a definable concept.
On one level, yes, you can think about primary care, direct treatment uses of the information, the purposes for which it is collected, translate that into a health plan, it becomes a different conversation. Then what is a secondary use. If you aren't quite sure what a primary use is, you are really going to have a hard time on the secondary use. But even assuming you think you know what a primary use is, then the secondary use questions are -- is everything else a secondary use? Is it really just these close to but not quite treatment related stuff that is going on, like payment and quality assessments and improvements and patient safety and research? Or are you going to go to the law enforcement areas and the judicial and administrative proceedings and all of the uses that the individual can prescribe an authorization for, which is boundless. So if you want to take it all on, you have more energy than I do.
Somewhat out of that conversation at AMIA that I have been hearing from other sources, maybe some things fall out of secondary use because they are hyper important, or there is a sense that there is more required and embedded in the practice than one would want in terms of what may appear to be a more discretionary consumer controlled permission to go into secondary use.
The examples usually come up in the area of public health. It is not clear to me from some of these conversations whether they are focusing on that portion of -- that they will take public health out of this conversation because it is required by law in some cases. Is that the only time you take it out? If you are going to take public health out because it is required by law, are there ranges of other disclosures that are required by law, so are you taking required by law out of the conversation about what is a secondary use.
So it seems to me that it is important for this group to spend some time in identifying exactly what is the what.
In addition, in talking about this, the question is, why are you having this conversation now. The balance was struck in HIPAA in terms of legislation not all that long ago. It was only 2000 when it was first regulated, and has only been in operation since 2003. That is not a long history as things go. So whether we are here revisiting secondary uses because of workability problems, need for greater clarity, if so is this a general conversation or is it just about a few aspects of HIPAA.
I think it was encouraging both this morning as well as in other conversations around this issue that there is a great deal of acceptance of HIPAA as the baseline, that there is little point in going back and starting from scratch and trying to reinvent all of this over. So energy would be best served by starting with HIPAA and trying to focus in on what may need a little tweaking.
But why would you even tweak it at this point? Is it that the NHIN may be giving you pathways to achieve some of the things that HIPAA started out to achieve? So where the markers went down in 2000 may be moving somewhat because of the technology and the capabilities of the technology, and is that a reason for going back and deciding what the rules ought to be about secondary uses.
If that is the case, then it seems to me that some of the hard questions that we have been dealing with on different topics but for the same reasons around the NHIN in the privacy context, is, what are those unique factors about the NHIN and the exchange of information that causes one to want to reconsider where the privacy balances and tradeoffs are.
I would like to spend some time talking about how we came to the original HIPAA balances. As Bill said, HIPAA does not have primary and secondary uses. We were charged with coming up with them all, so we did. We built our little buckets and poured in as much as we could find.
So we didn't come up with primary and secondary classes of information, but we did come somewhat close to that in terms of the concept of core functions, treatment, payment and health care operations. Even within those, treatment being clearly the primary core function, the rule does as little as possible in terms of regulating treatment and treatment exchanges of information.
We spend more time, we do put more conditions on payment, although we do consider payment to be also a core function. Health care operations is even more regulated than payment, because it is another step away from treatment. So even within the core functions there are shadings of importance.
So from the discussions, it would be that if treatment is equivalent to a primary use in this context, then payment and health care operations could be seen as secondary uses. On the other hand, if you are looking at core functions, I think all TPO from the privacy rule would be the first primary uses of the information.
The public policy uses and disclosures are the true secondary uses. Some of them, because we dealt with a whole range of them, may actually even be beyond what for this group are secondary uses, if you are going beyond the quality of care, public health, research, internal operations as the entity dynamic.
But when we were trying to figure out how to regulate for privacy that allowed for these uses and disclosures, we were in the business of trying to balance and maximize actually individual control of the information, versus the feasibility and the need for the information within the entities and the people that were reliant on the information, as well as the feasibility of administering any kind of regulatory regime to guarantee individual control.
So we tried to be value neutral with regards to the disclosure. If we required an authorization, it wasn't because we thought that was a bad use. You weren't being punished because your use required an authorization. It was simply that the case was not made that your use was so important and so compelling, and the ability of getting individual authorization for that use was so impracticable, that we had to give you a regulatory permission to use that information about the individual having a say in it.
So that was the balance. Whenever it was feasible to do so, whenever there was a sufficient opportunity to obtain individuals' information, whenever there wasn't a compelling need to do otherwise, we would put that in the authorization. So the public policy balances were lining up with the research uses and disclosures, the health care oversight uses, all the places where the entity was -- where there was some public purpose for the information, and it would just be impracticable to get the individual's consent. In lieu of that, we relied on the notice of privacy practices to generally inform the individual about what was going to happen.
So to recap briefly, in TPO there is no consent, no authorization required. The one exception would be marketing, which may require authorization in some cases. Treatment would line up generally with primary uses and would not generally be the subject on the table today. The secondary uses even within our core would be payment and some of the health care operations, analysis, patient safety measures, quality improvement activities, provider certification, accreditation, and then marketing and other business or commercial uses of the information.
I don't think we need -- this just tells you what the rule includes under payment, and health care operations. I think the only thing to point out in health care operations is that there is a limit in terms of the ability of two covered entities to share information for the health care operations of the other. That is, we do ask that they both have a relationship with the individual.
Where that does not occur, but there is still some need for the exchange of information for the health care operations of the other, this is one of the areas where we provide for the use of a limited data set, where information can go to another covered entity with the direct identifiers removed, but more rich patient data.
DR. COHN: Sue, I apologize. Maybe you will explain it further. I find myself getting a little confused by the last -- is there further discussion on that second bullet? Are we talking about a patient or are we talking about an institution or a provider? What are we talking about?
MS. MC ANDREW: What HIPAA permits is for hospital A to disclose information about its patients with hospital B, provided that the patients about whom they are sharing information have a relationship with both hospitals. So clearly, if I am following up with the patient that has transferred to another hospital, or that may come up in the occasion of being transferred to a long term care facility or some other, there is this common relationship. It is not a general ability to give your identifiable patient data over to some other covered entity simply for that entity's health care operations.
So that clearly can happen for treatment purposes. So this is purely where this is just for the operations of the other. This comes up a lot in terms of sharing quality care information.
The part of health care operations that lined up with some of the areas most often talked about as secondary uses is the quality or the patient safety activities that is in the first paragraph of the definition of health care operations, the accrediting and certification of providers that is in paragraph B. Some disclosures that were talked about in terms of quality, particularly when it is reporting to a governmental oversight agency or to the states, that is covered not so much by health care operations as it is a permissible disclosure for health oversight purposes when it is going to a government oversight entity.
MR. REYNOLDS: Sue, could I ask you a question on that? Again for clarification, in the first bullet, is that secondary use within the covered entity amongst covered entities and business associates or anybody?
MS. MC ANDREW: It runs the gamut. This is just within the definition of what is a health care operation. So it is a health care operation to use information for quality or patient safety activities. It would be a use if it is done within the facility. If it is being disclosed for a health care operation purpose, then it can go for quality and patient safety. You can hire business associates to do your quality assessments. You can share, subject to the limits we have talked about, with another entity for quality purpose. You may be sharing with a state hospital association information. As Bill mentioned, it may be a business associate relationship that is doing some aggregation across hospitals to come up with quality benchmarks and things like that.
I presume from the point of view of the topic that you will be doing, whether it is done within the entity or being shared with a public authority or within or amongst a private consortium, that it would still all be a secondary use of information.
In addition, there has been some focus on commercial or commercial-like uses. This comes up again within the definition of health care operations in our business planning as well as business and administrative activities of the entity. This is where what would be -- it is a little unclear what was meant by a true commercial use of the information, but to the extent it is used commercially within the entity to run its business, that would be a permissible health care operation.
DR. CARR: Sue, another question. I think we are finding it helpful when you are giving us examples. I think what will help keep some of us grounded is, as you get to each of your points, if you would say, here is an example of something that is permitted, here is an example of something that is not covered or not permitted. I think that will help us keep us -- thanks.
MS. MC ANDREW: Marketing was an area where we come close in HIPAA to a concept of commercial use. This is where the communication is about trying to tell a product or service to the individual. It also includes those arrangements where a covered entity is disclosing personal health information to a third entity so that that entity can market to the client, to the patients of the covered entity or the beneficiaries, if it is a health plan.
The marketing definition does try to draw a line between what we would view as a commercial use, the selling of information or the giving of information for the pure commercial use of another, and communications that the entity would be having with the individual about its own products or services, or about alternative treatments or other treatment-like communications. This was a hard line to draw, but we didn't want a hospital not to be able to tell a patient about care that it was able to deliver. We didn't want a health plan not to be able to describe its products and what docs are in the plan to the beneficiaries. They had to be able to talk about the health services that they were providing.
So that was all carved out of the definition of marketing. At the same time, we didn't want providers selling patient lists to pharmaceutical companies or others, so that those drugs or those products could be marketed directly to the individual. So this is the line we were trying to draw between what we viewed as marketing or commercial use and what would be okay within an entity and individual communication.
I think this has greatly simplified the earlier definition of marketing. I'm not sure that -- there is a commercial element about this that has troubled many people. It is not clear to what extent any of that commercial use of information even for the entity's own commerce would be looked at in this context as a secondary use. But if it is marketing, it does require an individual to sign a valid authorization before the entity can use it, and the authorization must disclose that the entity is being paid for that use of the individual's information.
That was the best lineup we could do with what has been talked about on secondary uses in the commercial context.
As to public uses, I won't try to go through our entire list of permissible disclosures. The primary public purposes that come up in this conversation include research and public health. Julie will talk about research, and Bill has gone through the pathways in HIPAA that allow the information to flow for research, so I will not dwell on that unless there are any particular questions. But it can be done with patient permission, if there is an informed consent for the research purpose. It can be done with a waiver through an IRB or a privacy board. Then there are a couple of exceptions, limited exceptions, for when you don't have to have either a waiver from the privacy board or the IRB or a patient's permission.
With public health, I think there are only a couple of things to point to. One is, as I said, there is some discussion in the public health realm that either ought not to be in the same discussions with other secondary uses because it is so important, or maybe that is only because so much of it is compelled by law and therefore falls outside of what we would consider to be subject to patient control or agreement.
But I think before it is excluded from the conversation, one needs to -- one thing about primary use, you think you know what public health is, but you don't want to quote too deeply, because it turns out to be one of those concepts that can include just about anything. It is hard to cabin what is truly public health and what is not.
We have tried to do so by pointing to types of situations in which information can be shared. Our public health disclosures are limited to those that are to public health agencies. It can be to the FDA, it can be about child abuse, which is kind of an anomaly of the legislation. It can be two individuals when they are at risk of exposure to a communicable disease, and it can be in an employer work force surveillance type of environment.
DR. DEERING: I'm sorry to interrupt, but could you give me an example of what you mean by being given to an employer for work force surveillance?
MS. MC ANDREW: This is, the employer is responsible for reporting to OSHA or -- I'm forgetting the initials of the other guy. There are some governmental required reporting regimes. These are often done through occupational health services provided at the employer. There are other conditions on this, including a special notice to the individual about what happens with this information if it is using one of these occupational health advisors.
MR. REYNOLDS: Sue, I notice you have got about five or six slides left. I want to be sure we give Julie enough time. I know there are going to be a lot of questions.
MS. MC ANDREW: Yes. This is a list of some other non-direct care disclosures that are usually part of this conversation, but you may want to consider them. I also included a list of other disclosures that seemed to be outside of peoples' general conception of what a secondary use is, unless you are doing the HIPAA thing and you are including everything else.
Just a word about pre-emption, in terms of looking at what law you need to look at. That is of course a reminder that HIPAA only pre-empts state law that is not as stringent as HIPAA. So where there is a more stringent state law, a more protective state law, that would need to be considered. Most of these are in particular specialized treatment areas. We do permit as required by law, where there is a state law that may require a particular disclosure, and we often get involved with state law in other determinations like parental rights.
Just a quick note. This is a short list of other federal law that may come into the privacy conversation, and through which HIPAA has room to live side by side with.
And our usual logo.
MR. REYNOLDS: Thank you. Julie?
MS. KANESHIRO: Thank you. I am going to switch gears a little bit here and talk about a different federal regulation that can pertain to the secondary use of data as well, and that is the Department of Health and Human Services regulations for the protection of human subjects.
I have been asked to give you a pretty broad overview of the regulations, but focusing specifically on how they pertain to the secondary use of data.
These are the six topics that I wanted to cover with you in our brief time this afternoon. First, to give you a sense of what the U.S. federal regulations are that pertain in this area as they relate specifically to research, what the scope is of the common rule, and I'll tell you more about what the common rule is, for those of you who don't know, how the Department of Health and Human Services regulations, which are codified for our Department at 45 CFR Part 46, relate to the common rule. Also how an institution or an investigator goes about determining how or if the common rule applies to their particular activity. Then to focus specifically on some of the informed consent provisions under the regulation, and then a waiver of informed consent is permissible, since I know that has been a topic of interest to some of you.
These are the three key federal regulations that can pertain to the research use of information. The HIPAA privacy rule you have already heard a lot about from Bill and Sue. There is also the FDA regulations that we are not going to talk directly about today, but they also can be pertinent to the discussion, and then the common rule, which is the set of regulations that I am going to focus in on in my minutes with you.
So in terms of the applicability of the common rule, the common rule applies to what is called human subjects research that is either conducted or supported by a federal department or agency that has adopted the regulations. So this would be research that is either funded or supported by CDC, by NIH, by AHRQ, just to give you some examples, or even human subjects research that is conducted by those agencies.
Another way in which our regulations can apply is if an institution voluntarily elects to apply these regulations to any human subjects research conducted at their institution, regardless of the source of support. So even a human subjects research study might be purely privately funded can have these regulations apply if they voluntarily elect to do so via what is called their assurance of compliance that they develop and submit to our office for approval.
What if the regulations are determined to apply? There are essentially three core protections that the regulations provide. They require what is called an institutional assurance of compliance. This is the assurance that I have already referenced. Another core requirement is reviewed by an institutional review board, which is a body that is convened to look at the ethics of a study and determine whether it is approvable given certain criteria under our regulations. Then the third prong of protections is the requirement for informed consent, unless the requirements that permit a waiver of informed consent have been met.
This is what the common rule landscape looks like. There are 19 federal departments and agencies that have adopted the common rule. You will see here that I have highlighted our Department of Health and Human Services. The office that I work within, the Office for Human Research Protections, is the office that implements and enforces the HHS' codification of the common rule, but there are 18 other departments and agencies that have also adopted this regulation.
In addition though, I wanted to note that our Department has adopted three other subparts, as we refer to them, that pertain specifically to vulnerable populations, so-called vulnerable populations. This is in addition to the core protections that I have mentioned of the federal-wide assurance, IRB review and informed consent. These requirements pertain to research involving pregnant women, fetuses and neonates as well as to prisoners and children. They require that the research meet additional conditions or fall into certain categories in order to be approvable by the institutional review board.
How do these regulations apply? There are three threshold questions to consider in determining whether the HHS human subject protection regulations apply. The first is, does the activity involve research. Secondly, does the research activity involve human subjects. If you have answered affirmatively to the first two questions, that yes, you do have an activity that involves research and human subjects, the final question to ask is whether the human subjects research activity nevertheless is exempt under the regulations. What exemption means is that even though it is a human subjects research activity, if the research meets one of six exemptions under our regulations, the requirements of our regulations essentially are not applicable.
What is research? This is one of those terms in our regulations that is so fundamental and yet causes a lot of discussion and debate. Research under our regulations is defined the same way as it is under the privacy regulations, defined as a systematic investigation included in research, development, testing and evaluation that is designed to develop or contribute to generalizable knowledge.
Now, there is a lot of interpretation that is required in these words of the definition. Our office is in the process of developing a draft guidance document on this very definition, and we are hoping that it will go out for public comment sometime in the next year.
One thing I did want to note about the definition, because I know this is an issue that your committee may decide to grapple with, is this overlapping of activities that might be called non-research. They might be called quality improvement, they might be called registry type of activities, they might be called public health. But the way that our office interprets our definition is that the consideration of whether an activity meets the definition of research should not be looked at by the label on the activity. You have to look at how the activity is designed. It is our office's view that even some activities that might be called quality improvement or quality assurance might actually be designed in such a way that they would also meet our regulatory definition of research.
These activities with a dual purpose perhaps, or maybe even a primary and secondary purpose of research being one, but also maybe quality improvement or public health being another, if it is designed in such a way that it is a systematic investigation designed to develop or contribute to generalizable knowledge, then we would say that meets our regulatory definition of research.
So the second threshold question that I mentioned is whether the activity involves human subjects. Under our regulations there are two ways in which someone becomes a human subject. The first is through some kind of investigative interaction, intervention with a living individual for a research purpose. This might be the administration of a survey or the administration of an investigational therapeutic as part of a clinical trial.
The second I think is probably the most pertinent to your committee's work. That is the obtaining by the investigator of individually identifiable private information.
What does individually identifiable mean under our regulations? The definition of human subject goes on to elaborate on this point, and says that the identity of the individual subject either is or may be readily ascertained by the investigator or associated with the information.
Note that this is a different standard of identifiability that exists under the privacy rule. This is a readily identifiable kind of standard to the investigator.
I wanted to say a few words more about this. We believe our definition relates to the use of coded information or specimens. Oftentimes researchers will need access to coded information, but not necessarily individually identifiable information as defined under our regulation.
Our office's view is that in general, coded information should be considered to be individually identifiable information under our regulatory definition. However, there are exceptions, and they are important to note.
The first thing to keep in mind is that you can have a research use of coded information and have it not be considered human subjects research, if the private information or specimens were not collected for the specific research purpose, meaning they were either collected for a clinical purpose or public health purpose or even another research study, but not this specific one that I am now contemplating. Also, that the investigator is not able to readily ascertain the identity of the individual to whom the information pertains.
One way in which some institutions have gone about putting this interpretation of our offices into practice is to say that if there is a written agreement between the provider of the coded information and the recipient investigator, in which the recipient investigator agrees never to have access to the key to the code that would enable him or her to re-identify individuals to whom information pertains. We would say that the information is not individually identifiable to the recipient investigator and therefore, provided there hadn't been the interaction or intervention to get the information from the study in the first place, that this is a research activity that would not meet our definition of human subjects, and would fall outside our regulatory purview.
Our office issued a guidance document that discusses this issue in much greater detail in 2004, and you can find this on our website, because the issues are rather nuanced.
Just a few words about how the creation or use of a research repository or database can constitute human subjects research under our regulatory definition. It can be done either by creating a research database through intervention or interaction with individuals. This would be purposely for a research purpose going out and collecting data about individuals to populate a research database.
Secondly, another way in which you might be conducting human subjects research is creating a research database pulling from other sources of individually identifiable information, information that is already pre-existing, but now you are gathering it all in one place to facilitate research uses of that information. That might constitute a secondary use of the data that you are contemplating.
Then thirdly, the obtaining of individually identifiable private information from one of these research repositories or databases, is a third way in which an investigator might be conducting human subjects research.
As I mentioned, there are three questions to consider. The third one here is only asked if you have determined that you do have in fact a human subjects research study. This is a question of exemption.
I just wanted to mention one of our exemptions in our regulations, because I think it is the one most on point for your consideration. That is exemption four. What exemption four says is that the research would not fall under our regulations requirements if the research involves the collection or study of existing data, documents, records, pathological specimens or diagnostic specimens if either one of two conditions are met, either that that existing information is publicly available or that it is recorded by the investigators in such a manner that the individuals to whom the information pertains cannot be identified either directly or indirectly by the investigator.
What is meant by existing? Existing means that the information ought to be created or existing at the time the research study is proposed for a determination of exemption. Meaning that all the information should have been collected respectively before an investigator is proposing a study to the institutional official that proposes to use that data.
The idea here behind the intent of this segment of the provision is that it is trying to prevent investigators from being able to manipulate the collection of information prospectively that they know they are going to use secondarily. The idea is that the requirement that the data be existing would prohibit that kind of manipulation of the system. That is the rationale behind that provision.
By publicly available, remember, this is one of the conditions under which this exemption can be used. OHRP generally interprets this to mean available without restriction, but we do think that that could include a fee.
I am skipping quickly because I want to leave time for discussion.
In terms of what is meant by the recording of the information in such a way that the investigator can't identify either directly or indirectly the identity of the subject, keep in mind that this actually precludes an investigator from recording the information in a coded fashion and having to still meet the exemption for requirements.
Finally, I wanted to focus now on one of these core protections, the informed consent piece of the protections of the regulations. Under our regulations, informed consent is generally required if the research study involves human subjects, unless the waiver of informed consent provisions that exist under our regulations have been met.
If informed consent is indeed required, these are the basic elements of informed consent that need to be included. The purpose, duration, procedures of the research activity, the risks, benefits, alternatives, confidentiality provisions, the compensation for injury, whom to contact and the right to refuse or withdraw without penalty or loss of benefits to the individual.
In addition, there are some other required elements if the IRB investigator determines that they are pertinent to a research study.
One thing to point out about our informed consent requirement is that there can be under our regulations informed consent for the establishment of a research resource such as a repository or database, even where it is not known prospectively what the specific studies will be that will access this research resource in the future. But there certainly can be this broad general informed consent under our regulations for this kind of a research activity.
One thing to keep in mind though is that the less specific the informed consent document is, the less likely it is that that informed consent document is going to remain valid for the future research studies that become specified down the road that now want to use this research resource to conduct specific studies.
So it is somewhat of a double edged sword. You want to have an informed consent document for the creation of these research resources, but oftentimes it is not knowable what specific studies will be conducted utilizing this data.
Keep in mind though that informed consent can be waived under our regulations as well. I have only put out this one provision for the waiver of informed consent that I think is most relevant to this type of research that is the subject of your considerations. That is the provision under 45 CFR 46.116D.
This is the provision for the waiver of informed consent that is the most similar to the waiver of authorization provision under the privacy rule. That was intentional. The Department, in considering what the waiver provision should be or authorization, looked closely at the common rule's provision and tried to model the waiver provision on the common rule. The research can't be any greater than minimal risk, waiver alteration won't adversely affect the rights and welfare of the subjects, the research could not practicably be conducted without the waiver of informed consent and finally, when appropriate, subjects will be informed or debriefed after their participation.
One thing I wanted to mention about the FDA's regulations, even though I have not focused at all on them, is to mention that the FDA's requirements don't include a comparable waiver of informed consent provision. So if you have a research study that is regulated by the FDA's set of human subject regulations, this waiver provision is not an option.
With that, I will just end. I have left you with some resources on where to get additional information and the specific website for some of the guidance documents that I thought might be most relevant to your group.
MR. REYNOLDS: Thanks to all of you. I am going to start the questioning. If we could all stay focused on not redoing privacy, trying to ask questions that relate to our task at hand as we go forward. Simon, you start first.
DR. COHN: I would jump in here and say, first of all, I want to thank the three of you. It has been a very expansive review of privacy. I kept looking at Mark Rothstein; I know he lives and breathes all of this. Bill Braithwaite and I were together during the period of time where this HIPAA reg came to be. It has been awhile since we have gone through this, so I think it is helpful.
I do think that probably our time is best spent talking -- this is an area where we probably do want to drill more into the quality aspects of all of this, as opposed to completely reconsidering the entire privacy rule.
I have two questions. One of them has to do with the issues around quality improvement and the relationship between research and operations. Some people told us that this is a little unclear. For me it is a little unclear. If there is to be as much about what department you are in and what your title is, or -- I don't know, and I am asking the question, or is it that you at the get-go indicating that you are going to be publishing an article. Is this where the definition is here? Would there be some value if we could somehow sharpen this up or make the definition a little more precise. I'll ask the three of you, and then one followup question.
MS. KANESHIRO: I'll take the first crack. You are absolutely right, this is a definition that we are grappling with currently in my office. We are trying to provide some clarity around the definition through this draft guidance document that we are developing.
But the reason why we want to put it out for public comment before we finalize it is to get input from those who are currently operationalizing the definition, and getting some feedback from the research community and the quality improvement/quality assurance communities and others, to see whether we are drawing the lines properly.
I can say that our office doesn't think that an intent to publish is a reliable indicator of whether or not an activity meets our regulatory definition. First of all, it is hard to know prospectively sometimes in the absence of knowing what you will find, whether it is publishable. Also, many research activities are not published for proprietary reasons or others, and so we just find that to be a faulty indicator.
What we are trying to do in our guidance document is to focus on all the key terms in the regulatory definition, what constitutes a systematic investigation, what does it mean to be designed to develop or contribute to generalizable knowledge, what is generalizable, what does that mean. Does it mean generalizable just within an institution? Does it mean generalizable to all of mankind? Or somewhere in the middle?
Also, the final piece that we are grappling with is what kind of knowledge it is that we think meets the regulatory definition, because arguably, any information could be considered knowledge, but is any kind of new information the kind of information that our regulatory definition ought to capture.
So it is a good question. We are hoping to put out something that would stimulate public discussion about this, and hopefully inform our own interpreted efforts.
MS. MC ANDREW: I would only add that from the HIPAA perspective, we were aware when we were doing the regs about this slippery slope or area of overlap and clarity between what was a study or a quality endeavor which we would consider a health care operation, and what was a research project that would need to go through a much more stringent either IRB review and waiver or with individual consent for the use of that information.
We decided to take the path of least resistance at the time, which was to not make the HIPAA rule the driver of what became research. So by and large, we would consider most of these endeavors, quality studies, to be within the more generous realm of health care operations.
In the preamble we had a discussion of this in the course of developing the study. The light bulb went on and said, I've got something that is really generalizable here, or it has somehow segued into a research endeavor that you could at that point go and get your research authority, but you didn't have to go back and try to get them retroactively for the activities you had legitimately started as a health care operation. We figured that that way, we wouldn't be forcing things down the research path if the institute didn't itself identify it as research, but it wouldn't preclude anyone from taking that more rigorous research path, if that is what they wanted.
So that is how HIPAA has dealt with it. We have been participating in some of the discussions with the research community in terms of where this definition needs to go.
DR. ROTHSTEIN: Keeping in mind your expectation to focus on secondary uses, I want to violate that very briefly, not so much for the record but for our own plan of going forward with this work group.
We heard this morning and again this afternoon statements to the effect that, why should we be considering other models or other approaches when HIPAA is sort of dandy. I don't think that is the view of the committee or the work group. It is certainly not my view. There are five years worth of letters from the NCVHS to the Secretary to that effect, in which we pointed out dozens of areas in our judgment where the privacy rule needed to be either rewritten or reinterpreted or enforced differently or what have you. That is especially the case with the NHIN.
So last month in our letter to the Secretary, we pointed out all the areas in which changing the scope and the scale and the mechanism of the NHIN would put unsustainable pressure on the privacy rule, mostly because of the limited definition of covered entities in the statute, something for which the Department has no fault in. It is not a question of finger pointing, it is a question of, this is the reality, and the statute simply doesn't cover many of the new entities that are being created for health information exchange, as well as entities that are going to be receiving information. That is why we have in 2006 as well as 2007 in our June letters pointed that out.
I don't want to go through the array of this, but I just want to make sure that the work group members and others realize that we are in effect on record as suggesting that the current regime is just not adequate.
Another example would be, in our 2006 letter in June, we suggested that individuals should have the opportunity to exercise a choice as to whether they wanted their records available and disclosed by the NHIN. That is inconsistent with the privacy rule's position, where there is merely a notice of proposed privacy practices and acknowledgement where there is a direct treatment relationship.
So I just want to get my views out there so that people understand this. It is not a criticism of people or rules that anybody has drafted so much as a statement to bring the history of the statute, where it came from and what it was intended to do, and my view of the need for thinking about new approaches.
MR. REYNOLDS: I had put my name on the list. I had a quick question. We have de-identified, we have PHI, but we hear continually anonymized, pseudo anonymized, fully de-identified this morning. Do you still stand behind -- playing off Mark's comment, do you stand behind that it is either de-identified or it is PHI?
MS. MC ANDREW: Bill may have an additional perspective, but that is where the rule is. I will say if the information is de-identified through a statistical method or through what we call the safe harbor, stripping of potentially identifiable information, the rule would not protect it.
This is an area that really is the subject of much debate, not all of which I have fully kept up with, mostly because I tend to glaze at certain of these statistical discussions. But I think there is a sliding scale, and everyone uses a slightly different nomenclature to get at this same idea. But I do think there was testimony this morning, and it certainly has been part of these secondary uses debates. Whether you use the HIPAA de-identified standard or some other standard in the community of de-identification or anonymization, there needs to be a way of measuring at what point you have a reasonable confidence that the information can be given out publicly without fear of the individual who is harmed by it. I think all of the quality uses and much of the research uses do rely on the ability to disseminate statistical analysis and other kinds of data aggregation and analyses in the public forum.
I think there is a great fear that an overly strict standard for anonymization or de-identification is going to make it either economically impossible to produce this kind of data or analysis and share it, or it will never be met. So there needs to be some agreed upon tolerance that allows this information to be flowed in the public domain for these good purposes.
The HIPAA stab at that was considered at the time to be the most specific articulation of what it took to anonymize the data. I have no doubt that the science has moved on.
DR. BRAITHWAITE: I could just add, because I am the person who did the research and the writing for that section of the rule, that it was a compromise in several directions.
First of all, I invented the term de-identified to distinguish it from anonymized, with the assumption that anonymized meant that nobody could figure out who this was. De-identified was uniquely labeled because we knew that it wasn't anonymous. De-identified is taking enough of the identifiers out to make it generally usable with the probability of someone being identified to be small.
When I tried to quantify how small is small and what are the statistics to go with that, I found a bunch of different answers. From this building I got the answer that every individual should not be distinguishable from a population of 100,000 people. But when you try and say is size of zip code, how many people are there in a zip code or how many people are there in a three-digit zip code, it turned out that there were even zip codes that had populations of less than 20,000, just using the three-digit zip code.
Well, could we go to a two-digit zip code? Nobody knows what that means and nobody uses it. And a lot of decisions like that, some political, some science based and some just pulled out of the air as being the best we could do at this point in time, with the understanding that the technology for identifying people, given just traces of information about them, especially when we get to DNA, is going to overwhelm this totally, but the technology for getting closer to anonymous data that is actually useful for analysis are going to increase, such as those databases that can take queries that modify the ability of the database to answer a query based on previous queries so that you can't over time figure out who the people are. Those kinds of technologies are coming and will come.
So I expect that these rules will have to change to accommodate as those things bubble up.
DR. TANG: One quick clarification from Sue. You said if it starts out as a QI and then turns into research, I didn't get the punchline, unfortunately.
MS. MC ANDREW: It's okay.
DR. TANG: You would then go back and apply for a limited data set use or what?
MS. MC ANDREW: It depends. By and large, at the point that you conceive of what you are doing as research, going forward with the use or disclosure of that information, you would then have to comply with the research permission. But we didn't require that you go back and undo what you did under health care operations and apply research retroactively.
DR. TANG: So here is where it fits in with the quality. I don't know that you have the answer, and I think you all said you don't have the answer to this research definition thing. I have seen it both ways. One is the health care operation will strip the research limited data sets, et cetera, by calling it QI. Then I have also seen third party non-covered entities try to call what they do generalizable research, meaning they can sell it to any customer in the world and call it research. Therefore, they can take your limited data set and go off and resell it.
What you said is, we don't have the answer for that, because that is the secondary use for resale, and that is one of our real troubling areas. That is probably a common way that third parties try to give out -- and they probably convince a number of organizations to do that because they have bought into that argument and they cite the section, et cetera.
So possibly your silence is saying that there is no current law, whether it is HIPAA or the common rule, that would preclude that, or even offer the covered entity a defense, to say no, we actually can't do that.
MS. MC ANDREW: Julie may have a take on this from the research side. I think there is another aspect of this that goes to in part the covered entity limitations in HIPAA that Mark had referenced. That is, in HIPAA the protections don't follow the data. The protections go to the entity that is the keeper of the data and that entity has to be covered for those rules to apply.
So to the extent the rules would permit the disclosure of the information for research, and it goes to a third party that is not covered by HIPAA, then the covered entity hasn't done anything wrong if they have abided by the research permissions in the rule to give out the data. Then HIPAA stops.
So what the recipient of that data if it is not a covered entity can do is, from HIPAA's point of view, somebody else's problem. I don't know from the researcher's point of view if there is any other obligation externally imposed or internally imposed that would prevent somebody coming in for commercial.
MS. KANESHIRO: From our regulatory requirements, we would not just look at the label but the activity. So even if it cast as a quality improvement or quality assurance activity, it might still well meet our regulatory definition, but the devil is in the details there. We have to talk about specific activities in order to give you a definitive answer as to whether it really meets the research definition under the regulation.
Of course, remember, our regulations also talk about human subjects, so it also has to be research involving human subjects, and the research has to be non-exempt.
DR. TANG: Obviously it is going to have identifiable information, so it automatically gets approval in human subjects review.
MS. KANESHIRO: There was another point I was going to make, and I just lost it. Oh, the other point I was going to make was in terms of regulatory scope. In that respect, the considerations are similar to the ones that Sue mentioned, in that our regulations only pertain if it is HHS conducted or supported or if an institution has voluntarily elected to apply the regulations to all the human subjects research conducted at their institutions. So I imagine that some of the activities that you are talking about are not HHS supported and are likely being conducted at institutions either who never get HHS support or even if they do for certain studies, they are not extending their assurance.
DR. SCANLON: Paul's question confused me more, but I'll go back to my question, which was triggered by one of Bill's slides which made the distinction between guidelines and research, and talking about research being generalizable.
Concerning me was the idea, are good guidelines generalizable. If I know this drug works better than the other drugs and I know the physiology is the same among people with a certain condition, wouldn't they always want to use this drug.
That leaves me in a situation of, can I argue that all things that involve interventions, drugs, procedures, imaging, et cetera, are those things all part of operations, even though once I learn them that is generalizable. But then Sue complicated it by saying that after we find out that something is generalizable, then maybe it becomes research at that point.
So I'm not sure where to draw a line here when it comes to things that involve health care, and health care is all these different interventions, and are they all under operations of some sort or another, or is that not a useful case to make.
DR. BRAITHWAITE: It is another restatement though of the same problem. Let me take a stab at it from the HIPAA intent perspective. We couldn't define what was research and what wasn't, and we awaited the thing that Julie's department is working on for a definitive answer to that.
So we took a very philosophical perspective, which was, if you are doing this, and it is research, for purposes of improving the quality or the efficiency of your own institution, then it is health care operations. The minute you decide to use that to improve the quality of efficiency of somebody else's institution.
DR. TANG: Now organizations that want to combine data from different groups, they call that TPO. Is your definition codified clearly in HIPAA?
DR. BRAITHWAITE: No. I think that was the original intent on how to divide this baby, because there is virtually no way to write language on the reality of it, and so we have three years and four years of study. I think the exception you brought up very clearly was that multiple covered entities can hire a third party, who can aggregate the information from all of those parties and then feed back to them information for their own improvement.
But it is done under operations. It is done under a business associate contract, which says that that third party except for the aggregation part, can't do anything with that information that the original covered entity couldn't do.
DR. TANG: Except for what Sue mentioned, which is, once it is out of the hands of a covered entity, they have their interpretation of what they can and can't do with what has been derived from the information they got as a B.A., and it goes on and on and on.
DR. BRAITHWAITE: And I might point out that there are several bills on the Hill right now that add classes of covered entities to HIPAA. The rules that currently exist for the different classes of covered entities under HIPAA don't apply to these folks. So a whole set of new rules would have to be/ written. If you have health information exchanges as a new kind of covered entity, there is going to have to be a totally new set of rules written for them, because nothing that is currently there makes any sense except in the general philosophical perspective. But maybe Sue is already working on it.
MR. REYNOLDS: Simon, you have got the last question.
DR. COHN: I think it is probably good that I am asking this question after Paul. I think a number of the issues you are bringing up, some of which I understand, some of which I don't understand, to be quite honest. I'm glad that Margaret is here to capture them all, so we can look through them and identify them.
I will first of all say that this is probably not the last privacy conversation we are going to have, but maybe going to a simpler question, which was going to be my follow-on before I suddenly realized how difficult it was based on Paul's comment.
When you talk about quality, and when we talk about this issue of moving to this future which Paul was describing and I think we are all contemplating, in the world of quality measurement, quality reporting, maybe quality improvement, in the world of more data, the NHIN, much beyond what I think was initially envisioned by HIPAA.
The question is, and Sue, maybe this is a question I have for you, is are there areas that -- Paul can argue about whether things are being handled right or wrong, but are there areas of ambiguity based on our current regulation or guidance that has been supplied around the regulation about how some of this data is handled? Or is it that we really have the answers, we may just not like them all?
MS. MC ANDREW: It is D, all of the above. I do think there are a number of questions that exist around the edges of some of this information sharing even today, in terms of the involvement of -- how can groups of covered entities come together in some sort of consortium to share information for their mutual benefit. The rule is a little cumbersome in that kind of environment. Even where you wind up with these endeavors that are going forward on a public-private partnership role, I think when the rule was written, we made ample provision for government oversight, the government role in public health, role for private parties to the extent that they were agents or under contract with these public authorities to do these activities, but less comfortable with private parties acting in these areas without that kind of directed agency or contract with a public authority.
So the extent there are more private actors today in the quality arena or in an information management arena in the RIO setting, I think you do come up with situations where it is cumbersome to make the rule work. I am not prepared to say it can't work, but clearly it is not the most efficient mechanism, not the most elegant mechanism in some of these broader collaborative kinds of endeavors, particularly those that are dominated by private parties.
So hence, our heavy involvement with ONC and AHIC in terms of working through these issues. In that arena we are partnering more and more with AHRQ and CMS in terms of some of the quality issues. Whether there is a solution under the current rule or it is going to take a change, I would say the jury is still out.
There is clearly also the other edge of this, again coming back to what to do with the entities that are just totally outside of any conceptualization of a business associate relationship or a covered entity status. How do you enforce against them, how do you control what they are doing, what is the hook which you can get to their activities if you wanted to control them, that is going to be much more problematic.
MR. REYNOLDS: Paul has a followup comment.
DR. TANG: Thank you, Mr. Chair. This actually is a very -- because we have three of them in the room. We and others have proposed that the protections follow the data. Would your life be easier if that were true?
I think that is the right question to ask this group, because we are saying, what do you have for us?
MR. REYNOLDS: You have asked, so they can answer.
MS. MC ANDREW: Yes and no. In a way it would take away the relatively artificial barrier in terms of where the protections are. I think the downside of it however is dealing with identifying the legitimate uses of the information held by what would now be anybody at large, and what would be their rules, because their need for the information, or the intended use, or even if it was given over to them with the authorization of the individual, what does all that mean in terms of what they then can do, what are their obligations with respect to that data, and how do we conceptualize the purposes for which the permission was given to them, or the data was given to them.
HIPAA struggled as it is in trying to identify health care operations and permissible uses, conceivable uses, within one context as broad and complex as it is, the health care industry. Now, are we writing a privacy rule for police, are we writing a privacy rule for courts, are we writing a privacy rule for newspapers, are we writing a privacy rule for banks and drugstores and neighbors. Everybody who has this information, to whom can this information legitimately be given? What do we want those people to do with it and not do with it? So that is the downside.
MS. KANESHIRO: It is something that certainly Congress has grappled with in the past in regard to our regulations, because of the limited purview. There are gaps in coverage currently. Research can be conducted in a completely unregulated environment currently. We don't know the scope of the problem, but we know it occurs. But it has been difficult to get bills like that passed through Congress. It depends what the metric is.
Certainly we couldn't do it with our current office. It would have to be certainly an expanded office. I think there would be difficulties in trying to figure out what the hook would be in terms of the scope of any such new law that would authorize overarching regulation. I think it is doable. It is always a balancing in terms of the benefits of this kind of activity.
Many other bodies have recommended that there be such a national law. The Institute of Medicine has said it many times. The President's National Bioethics Advisory Commission said it. I know there have been many others, but it has just been difficult to make happen for a variety of reasons, politically as well as the difficulty practically of implementing such a thing.
MR. REYNOLDS: Thank you. Excellent discussion, and we needed to make sure we got all those questions in.
The next panel will start in five minutes, so please return. Thank you.
(Brief recess.)
Agenda Item: Health Information Security and Privacy Collaboration (HISPC) Findings
MR. REYNOLDS: We want to really respect the time of the people who are going to be presenting to us since we have delayed them somewhat. Our next group is on health information security and privacy collaboration. The first is going to be Steve Posnack. Then we will have Linda Dimitropoulos and then William O'Byrne.
So Steve, welcome. You've got the floor.
MR. POSNACK: Thanks. I guess we are on -- I wouldn't say typical NCVHS time, but I realize that we are a little bit behind, and we will do our best to try to keep everything at the five o'clock deadline.
My name is Steve Posnack. I work in the Office of the National Coordinator in the Office of Policy and Research under Jodie Daniel. I am the project officer for the privacy and security solutions for interoperable health information exchange contract. John White, who is on the docket tomorrow, is my counterpart at AHRQ in terms of the co-project management of this initiative.
Just a brief summary of the contract. Many of you know about the contract. It has been going on for quite some time. We started in the fall of 2005. It was originally slated to form the health information security and privacy collaboration. That in turn yielded 34 state subcontracts. I should clarify, it is 33 states and Puerto Rico, although collectively we just refer to them as states. They were recognized by their governor, so there is an endorsement by the state for their participation, whether it is through the actual state's public health or any other part of the state health department or another entity recognized by the governor in the state.
Another myth that I would like to try and dispel while I have an opportunity publicly is that it wasn't a study of state law, but rather an assessment of variation at an organizational level of business practices and policies and the underlying state laws that made those business practices and policies take place.
That was a first step of the 34 states assignment. The second step was to identify and propose practical solutions to the identified variations that came about in their state, an the third was to develop a detailed implementation plan to better address and implement some of those solutions.
So that gets us to where we are today. As many of you know, a lot of the final deliverables from RTI are coming up. I am happy after reading many of them and reviewing them and redlining them with Linda, and she is on the phone and can attest to this, they are going to be publicly available very shortly. She is going to come and present on the 31st at AHIC, and we are also planning on having a couple of states present as well. So there will be three reports available, the final assessment of variation and solutions report, the final implementation plans report, and a nationwide summary report.
The other additional note about where we are today. We awarded RTI an extension to the end of 2007 to do two tasks. That is pretty much my last bullet, which is where we are going.
For the next six months, give or take a couple of weeks, the states will be implementing a foundational component of their implementation plan, so we increased the funding in the RTI contract to give states a jumpstart on the activities that they propose in their implementation plan. Then the second step, which is a jump through a new phase, is to foster the formation of multi-state and regional collaboration to develop solutions for these multi-state or regional collaborations.
The idea is -- and one of the constructive criticisms that we heard our of the work that has been done to date is, I want to know how to exchange information, and Bill is here from New Jersey, with New York. I want to know how to exchange information with Connecticut. If I have snowbirds going down from New York, I want to be able to exchange information with Florida, and how do we get that to happen.
So the next phase of this contract development is, RTI is going to be preparing the multi-state and regional collaborations. It gets to the states as laboratories. There are going to be a bunch of states forming together to propose a couple of solutions that they want to address as a collaborative. In calendar '08 we plan on funding those initiatives. The idea is that if three or four states can get a solution that works right for them, maybe it will work right for a lot of them.
It is not going to be uniform solution for all of them, but I would say that two or three answers that everyone can agree to is better than no answers. So there are going to be a lot of potential avenues to get these collaborative solutions out.
I have had a lot of discussions with John Lumpkin. We are going to continue in terms of the interaction with the Nationwide Health Information Network trials and how best those collaborative solutions can inform those. We are a little off timing wise, so they may be an auctioneer type exercise. Obviously, how the AH successor organization pans out, and the role that solutions can be fed to that organization, and finally the State Alliance for E-Health, which is under a contract that we have with the National Governors Association.
I will then turn it over to Linda now, and Bill will follow. I am going to be driving the slides while she speaks. Linda, are you there?
MS. DIMITROPOULOS: Yes, I am, thank you, Steve. Steve, if I might add one bit to that, the collaborative work group will be involved, representations from the states that have not been part of the project thus far, so the outreach will be to all 56 states and territories.
MR. POSNACK: That is a great point that I missed. Thank you, Linda.
MS. DIMITROPOULOS: I will try to skip some of the earlier slides and get to what we can offer this committee. I think I will preface this with, many of the states we have worked with are pretty advanced in their thinking, and have been working on these issues for awhile, but many of the others have not. So some of the conversations as they started in the states were at the level of discussing expansion of information for patient care, and really did not get into discussion so much about secondary uses.
So with that in mind, I would just like to walk through briefly some of the -- a couple of the assumptions underlying the methodologies for those who are not as familiar with the project and the process that the 33 states and Puerto Rico followed.
The basic assumptions underlying the project methodology was that decisions about protecting privacy and security needed to be made at the local level, and that discussions needed to take place at that community level to understand the current landscape of where things stood.
So in many states where we were opening these discussions and talking about electronic health information exchange, some of the stakeholders would say, we have nothing to add to this conversation, because all of our business practices are on paper. So the discussion would be, but even if you are exchanging information on paper, you are doing it based on your practices and policies protecting the privacy of that paper, so you need to think through those issues and what element of those policies you want to move forward and are relevant for electronic exchange. So we are talking about getting to some very basic discussions in many of the states.
In terms of the process, it really was a community based research model, where the states worked with their own stakeholders to own the issues and raise them, to raise the discussion and discuss the outcomes. They were cast as engaging a broad range of stakeholders within their states to work through these issues. We will have numbers coming out in the report, but there are thousands of people who have actually contributed to these work groups in working on these decisions.
All the state privacy teams followed basically a core methodology to frame the discussion. So for that, we used a series of 18 scenarios and framed those discussions in terms of the nine domains of privacy and security which are on the next slide.
The nine domains are provided to focus the discussion as key areas that needed to be addressed. But the teams weren't limited to these nine, but these were offered so that we could be sure that at least these nine areas were discussed as the state teams worked through the scenarios.
The next slide provides an overview list of scenarios. There were 18 altogether that were developed by AHIMA, to be relevant to a broad range of stakeholder organizations and groups, and based on the 11 practices that you see on the next slide. They were selected because they were most likely to surface and engage discussion of systems and policies that state laws that may be underlying those policies.
The focus overall was, the discussions focused on primary uses in patient care, to some extent the payment scenario focused on how do you limit the information that you provide for payment, but the discussion did not get into deeper areas and discussion about secondary uses.
There were public health scenarios that we used, including contagious disease or biosurveillance, newborn screening, but we didn't consider the public health scenarios as secondary uses. In most of the conversation around those were pretty clear, in that pretty much all of the state schemes, the guidelines around public health and notification for communicable diseases was pretty straightforward for them. So they didn't have a lot of discussion around the public health scenarios.
So if we look at the next slide, the next few slides that you have, some of the information from the state discussions around a couple of the other scenarios. There was a real scenario that involved a regional health information organization that requested to access patient identifiable data from all the participating organizations and their patients to model the incidence and management of diabetic patients. The RIO also intended to monitor participating providers to rank them for the provision of preventive services to diabetic patients.
In response to the scenario, all of the states, all 33 and Puerto Rico, agreed that sharing de-identified data with the RIO for disease surveillance was fine, but they felt that IRB approval was necessary for identifiable data, as would be informed consent. The hospitals and the participating entities would need to have appropriate agreements in place with the RIO before they would send any data.
Some of the states in fact were unsure about the function of the health information exchange, especially related to data collection and research. They were unsure about the legal status, so the conversations again didn't get very deep. It was clear that there wasn't a lot of understanding about that.
The next slide, Steve, is the scenario around the research data uses and state government oversight. The research data use scenario involved a research project with children under age 13 to test an ADD/ADHD drug. The researchers at the medical center had IRB approval, but were asked by another researcher to use the data. They wanted to extend the tracking period by six months, and then further analysis that would be part of the original protocol. Again, all of the states felt that the IRB had control over this and that approval was necessary for the additional study, and informed consent if the researchers were going to use identifiable data.
Overall, when the state teams discussed research they reported that if a project could get approval from an IRB, then they didn't see it as an issue with using data for research purposes.
The next one involved a law enforcement scenario that involved a 19-year-old brought into an ER after an auto accident. They ran blood alcohol and drug screens, and the law enforcement agency came in to investigate the accident and asked for the records. The parents came in and asked for the records, a complex scenario here. Most of the states in discussing this agreed that the hospitals needed to receive a formal service of a subpoena or some other document before they could release the blood alcohol information.
But there were a couple of states that said they were aware that there is some variation in hospitals complying with the requests. There were a few organizations who said that depending on the incident, you might see information from law enforcement on a verbal request, but there seemed to be some variation around how providers and law enforcement understood what the rules were of exchanging information with law enforcement.
All states agreed that no information would be provided to the parents of the patient, since the patient was over 18, although one state in their discussions did note that the parents were likely receive an explanation of benefits from their insurance that would probably provide them with some information about it.
A couple of other relevants there were the health care operations and marketing. There were two of these, and these I'll admit got more reaction from folks, although not a lot of focused discussion. One of the scenarios involved a hospital marketing department request for identifiable data on all deliveries, including mothers' demographic information and birth outcomes, to insure that they made contact only with deliveries that resulted in healthy live births. So the marketing department could use the patient information to provide information on the hospital's needs, pediatric services, and solicit registration for the hospital's parenting classes. Then there was an additional service to sell the data to local diaper company using marketing services directly to parents.
The second scenario involved a request from an integrated health delivery system that had critical access hospitals, and asked them to submit monthly reports containing patient identifiable data to be analyzed for patient encounters and trends for three rehab diagnoses and procedures. They also were requesting the same information along with individual patients' demographic information to be provided to the marketing department. The marketing department plans to distribute it to the individuals highlighting the new rehab centers.
Eight of the states reported some pretty lengthy discussions about the exchanges, although the stakeholders primarily agreed that using the data for quality improvement which they considered internal operations, would be permissible use of the data. Other stakeholders from the same states said they wouldn't exchange data given the circumstances of either of the scenarios. Others felt that quality improvement could be accomplished with de-identified data.
Then most of the state teams were certain that using identifiable data for marketing purposes wasn't permitted at all without some sort to patient authorization. Then there were four states that explicitly stated that they would never sell data for third party marketing, and that doing so was unethical.
As we have been going through these masses of data that we have gotten from the state teams, trying to get the main reports out, as Steve was noting, it has been a pretty aggressive, huge task in a short time period. I think that we do have the opportunity to go back and look into some of these areas in a little more depth.
I think that the biggest takeaway from looking across the state teams was that the use of patient data for purposes other than direct patient care and public health is really not well understood. I think that raises a number of issues certainly.
I think there are a couple of things going forward that the HISPC states and the collaborative work groups can do. I think they can continue their discussion with regard to the secondary use of data. I think that it is also going to be important as they develop the various programs in education. We have a number of states working on programs of education and outreach that they work to increase public awareness and discussion of the benefits and the challenges.
The secondary use of data I think agaIn is not well understood. The reactions of some of the stakeholders to some of these that are in practice now were pretty remarkable and pretty strong. So although it was a fairly small group, the reaction was notable.
On the last slide I put the links to where you can find more information as it rolls out from the project.
So with that, I'd like to turn it over to Bill, who is working on some excellent projects in New Jersey. He may even talk about some of the work they are going to do with New York.
MR. O'BYRNE: Thanks. My name is Bill O'Byrne. I am the coordinator for electronic health record technology and development for the state of New Jersey. It is a pleasure to be with you today.
The last time I was before this group, the NCVHS, was in 2000. We were talking about transactions and code sets, and the fact that somehow we had to make 837s and 835s, and we did it. It is hard to realize that by 2003 a lot of that was really happening when we were looking at it in 2000. So I am encouraged by the fact that we achieved something very spectacular in the transaction and code sets, and I feel given some time and effort we will do the same thing with electronic health records.
What I was called upon to do was to enter a proposal. I brought along with me the final result, and I will present it to this committee for your consideration. This is the binder that we have assembled, which contains our final implementation plan report and the final assessment of variations analysis and solutions report. It basically blueprints a way forward in New Jersey. I only brought one, because as you can see, it is rather heavy. But I also will tell you that you will find that the contents of this and these reports are at my website, which is listed at the end of my PowerPoint presentation, so you can always get this that way as well. So I will leave this for your consideration.
I wanted to tell you also that coming at the end of a long day, I feel a little bit like the caboose. You are probably glad to see it coming but you can't wait to see it roll by. I'm not going to take too long. I told people in the beginning that I could do this in either 40 minutes or seven minutes, and that it depended on how much time I had. So I will try to be brief, but yet cover the most significant points.
New Jersey is blessed because we have a state law which is called HINT, the health information network technology act, which gives New Jersey state government a role in how to make these things happen on a state level. It designated my department, DOBI, which is the Department of Banking and Insurance, as the lead agency for transactions and code sets and for creating of electronic health records.
Incidentally, you may wonder why; it is because when we speak we can bring the players to the table, and the professional board is not able to do that. The health and senior services can't, and human services necessarily can't bring the private payors to the table, but when we invite them they show up and they bring their checkbooks, so that has always been quite an inducement to get a lot of activity on things that we undertake, which has been very valuable for New Jersey.
We are deeply involved in electronic health records, as you can probably tell from my involvement. I am going to slide through these so we don't get bogged down on any particular one. We have been involved in national provider identification numbers. We use our involvement to try to encourage an eclectic group of people in the business of health care, whether they are payors, providers, clinics, clearinghouses, vendors, whoever it happens to be. We bring them all together, put them into a melting pot and try to come up with some good answers.
That is what we did, by the way, when we were awarded the contract for HISPC. I immediately reassembled the group that I had created for the transaction and code sets and for the NPI implementation, and I brought them all together so I had a cross section of academics, payors, providers, hospitals, the medical society, vendors, clearinghouses, everyone that you could possible name, they were all at a table like this, and we launched upon an investigation of how we could complete our work under HISPC.
We looked at it as a business opportunity, because it was going to allow us to study the business barriers that were created which would interfere with the flow of electronic health information. We dropped quickly the word electronic, because we found out that there were a lot of barriers to paper transactions as well.
So we started looking at the barriers that existed, and that took us all over the state, from Northern Bergen County, where there are very high income suburban living people there that work in New York and they have extremely high incomes, to lower income families in very disadvantaged urban areas, to non-English people down in South Jersey, to retired people that live along the shore. We went to all of them.
We went to their institutions and we presented the scenarios that Linda talked about. These groups looked at those scenarios and gave us their feedback. I used Rutgers Center for State Health Information Policy to record their responses, and we reduced all of that to reports that we submitted that became part of those binders that you see. There is another one that we assembled for the interim reports that is equally as large as that one.
We distilled all of that information, and we were able to arrive at those things that were interfering with the flow of information. One of the things that we found out was this idea of consent management, how do you know whether the consent that you get by way of a fax is an accurate consent. If I check in for treatment while I am down here in Washington, how does my doctor know in New Jersey to release my information.
All of these issues came up in the consideration of the scenarios. One of the big questions that we faced was consent management. One of the other areas was resolving the issue of misunderstanding and mis-application of HIPAA. I sat back and listened for the last hour and a half prior to my coming up here about discussions you were having. I really admire the degree of quality assessment and the high level that you were able to give to this subject.
That is not what happens unfortunately on the operational level of how health care is provided to people. It is just not happens. What happens in the emergency room, what I found out is that all the rules pretty much go out the window, and they are more looking at what do we need to do to treat the patient, and these elaborate concerns and rules regarding what is permitted and what is not permitted may not necessarily be applied if it interferes with the high quality of care that is being demanded by a particular patient.
I'm not sure if that is right or wrong, but that is what happens. You find that the doctors out there, they want to help people, and they spend a great deal of time -- not that you don't, but they spend a great deal of time trying to figure out how to give care to people who need it.
I also found out from our studies that a lot of people make up rules as they go along. I don't know how to tell you, but we would ask people in clinics and in hospitals, why do you have people sign that form sending the information from one place to the other, when it really has to do with the payment of a claim, or has to do with the treatment. The answer is, I don't know, we always do it. So what you have is a giant mischegas of misunderstanding, mis-application and it is unfortunate. But it gets done, so I'm not sure whether it is working right or wrong, but no one has been deprived quality health care because of the application of the rules as I saw it. So I don't know if it is right or wrong, but at least people are getting treated and they are getting good quality care.
Identification of patients, one of the big issues. There is a reticence to get involved in master patient indexes. What we are trying to work on now is a probablistic match in which we create large sections of information about people, and then use that as a way to get into a pigeonhole of information where an electronic health record is stored, rather than just jumping into a master patient index.
One of my pet concerns is identification cards. Unfortunately, identification cards don't have a bar code on them, and they don't have a picture on them, and they don't have any really usable information other than a bunch of numbers. What normally happens is, you walk into the doctor, they photocopy this thing and then somebody has to type it out, and invariably they screw up the numbers or they mis-spell the name.
I got an ELB where it was rejected because my daughter's name, who is Margaret Ann O'Byrne, became Rita Able O'Byrne, or some strange name. It was completely transposed. I don't know why we don't do it the way they do in the VA. I am a disabled veteran, and this is what they do in the VA. They should have higher education cards that look like this, in my estimation. That is what I am going to advocate in New Jersey, one that has a barcode on it and has the electronic information on it, and you don't have to go through this process of photocopying and relying on somebody typing and plinking in the information. You can just run it through a scanner, and you have got everything you need.
So there are better ways of doing things that are quick fixes that we intend to introduce in New Jersey.
One of the things that I am most encouraged about is this. HISPC just didn't die when that report was issued. HISPC is still alive and well. We are calling it HISPC-2 now. What it has evolved into is an interim period now from July 1 through to the end of the year in which we are going to be meeting in groups to look at how to actually take some of the plans that are in that report that we circulated and make them happen.
One of the things that I am doing is working very closely with New York State and New York City. On June 1 we have already met with New York City and New York State. It started because of a meeting at a national conference we had in Bethesda at the end of HISPC, in which we found out that they wanted to encourage regional groups to emerge.
So I grabbed the representative from New York State and I said, we really have a lot in common here; what can we work on, what can we develop between New York and New Jersey that will help the people that we are trying to service.
We thought about it for awhile, and we finally agreed to meet on June 1, and we did meet on June 1. We focused on initially the public health registry. Why that? New Jersey has an eliminate reporting public health registry. First of all, we have an immunization registry, but we have eight or nine of them, and this information is coming in routinely. It is very good information, it is all electronic.
New York State has exactly the same information coming into New York State, and New York City has exactly that same information coming into New York City. We also found out that 47,000 men went from New Jersey and were immunized in New York. So there is this great population that is going back and forth across the Hudson River. Unfortunately, their information doesn't travel across the Hudson River as easily as they can.
So what we are focusing on right now is trying to figure out ways to harmonize the electronic public health registries. We are meeting again on July 25. We already have a draft charter and draft plan of operation which we put together. So we are making concrete steps to move this forward.
Now, are we going to stop there? One of the things that I intend to do next is to assemble people from Pennsylvania, because we have the Delaware River, and a lot of people go from New Jersey to Pennsylvania, Delaware, Connecticut, Florida who I have already met with, and Puerto Rico.
You might say, why in the world would we go to those other two places, because we have a huge Hispanic population that travels from South Jersey back to Puerto Rico. They come up and back either for migratory jobs in the farming industry or they come in for vacations. So they do need an electronic health record or at least immunization and vaccination that will go back and forth electronically.
We are doing the same thing for Connecticut and Florida and New Jersey and New York and New York City. So that is one of the very real benefits that is coming out of HISPC, the project that I am involved in, which is to harmonize these public health registries and to expand it to other states and regions.
I can also tell you that there is another group from NISPC working on a national consent form. I can't speak as directly to that because I am not on that committee. However, I am hoping that they will come up with a national consent form and that it will address the fact that some things should take place no matter what.
For instance, a release executed in Maryland should be recognized to release information in other states, in my estimation. If I am driving a car in Maryland, I am subject to the laws of the state of Maryland, and therefore I would expect that if I signed a release in Maryland to have my medical records transferred back to New Jersey because I had been seen here, that it would be honored. I would also expect that there are certain kinds of protected health information such as drug and alcohol abuse, such as SGDs, mental and emotional health that may be controlled by the state where those treatments are rendered, will be control by that state's laws and they will never become part of an electronic health record.
So there are different ways that these issues are being looked at from the practical point of view. I don't mean to suggest that these are not things that you should be doing, but I am letting you know that we are also looking at them from an operational practical point of view.
Is there anything else that I wanted to talk about? Oh, the last thing that I want to tell you is that HISPC is an ideal opportunity for my state to use as a jumping off point to start legislation rolling to create a statewide electronic health record structure.
There is a bill that passed the Assembly. It will be modified slightly, and reintroduced in the Senate and the Assembly. You may see at the end of this year some legislation regarding an electronic health record structure that will be linked to the payment of claims in New Jersey. We are very proud of that process. I think that all of it will be because of having assembled the people from all over the state to work on the HISPC project.
So that is all I have. I told you the caboose would fly by before you knew it. But I have covered everything, I hope.
There is the website where you can find these reports at the top. Just put in HISPC. That is my name, that is my e-mail address, and that is my phone number. I am always available for you if you need me.
MR. REYNOLDS: You need to write down mischgas or whatever you said.
MR. O'BYRNE: Mischegas.
MR. REYNOLDS: And what it means so I can use it at home.
MR. O'BYRNE: A giant mischegas is something that I learned when I was in the Marine Corp. I don't know what it means. It might be very bad.
MR. REYNOLDS: Questions from the group?
DR. COHN: I don't really have a question, but I just wanted to state my appreciation for your testimony. I remember your testimony back in the year 2000, and I remember specifically that New Jersey was a can-do state. You were at that point coming forward and saying you were going to do HIPAA a number of years before the formal implementation date.
MR. O'BYRNE: I can tell you, I talked to Horizon Blue Cross Blue Shield about a week ago in preparation for this, and I found out that they do not receive any paper claims anymore. They are totally electronic; they only receive 837s. So I guess we are doing the right thing.
DR. COHN: Well, my congratulations.
MR. O'BYRNE: Thank you.
DR. CARR: I would also like to say a wonderful presentation and terrific work.
I am wondering, as you have met with different states, what are the features that you have in New Jersey besides you and the other features that make it work so efficiently and so productively, and what could other states learn from you.
MR. O'BYRNE: I always advise -- and I don't know why other states don't do this -- but you will find that there is a dynamic involved here. Departments of insurance have the ability to regulate what the payment of claims look like, medical claims. That is not a function of the department of health, not a function of Medicaid. It is totally a function of the National Association of Insurance Commissioners.
What New Jersey did was, in 1998, we passed a law called HINT, health information network technology act, which I referenced in my presentation. What that did was, it said that my department, which has authority over what clean claims look like, can say that a clean claim will be one that looks like and is an 837 claim. So now you had a linkage between what a clean claim is and the federal standards.
We have always assiduously followed the principle that if it is a federally recognized claim, then that is a clean claim in the state of New Jersey. As a clean claim, it is entitled to be paid in a more efficient and faster way.
So that immediately got the attention of the hospitals and the providers, because they found out that we would say to payors, if you get an 837 claim in the front door, electronic claim, you must pay it in five days. I put another hook on it. I added a 277 acknowledgement of receipt. We adopted the 277, and Bill will tell you this, back in 2001. I don't think the feds have even adopted it yet.
The 277 was the thing that made this whole thing work, because what it said was, here you are as a doctor sending your claims in, and one of the biggest complaints I ever heard was, I never know. I send these complaints in the mail, I never know whether they got them or not. Then I wait a month, I didn't get paid, so I figured they didn't get it, I send it again.
Well, the 277 is an automatic electronic form that is automatically sent back by the system, not by the operation of the payor, and basically says, we got a claim and it appears to be a clean claim.
So what you had was, January 1, Dr. Carr sends in a claim, January 1, Horizon Blue Cross Blue Shield got that claim and they took it in the door and a 277 came flying back. Now Dr. Carr has proof that they got the claim. They have to pay it in a timely fashion. If they don't, they are assessed an interest charge on the outstanding balance of unpaid claims. And we make them pay.
So there are ways to do this, but it is a business function. Everybody has looked at this as a health care issue. We tend to look at it as a business function, and frankly, every rule that I have written over the years, I always look at it as a business function and what the economic imperative is for all sides. That is how I view it.
MR. REYNOLDS: Any other questions? Linda, did you have any comments? We can't see if you had your hand raised up or anything.
MS. DIMITROPOULOS: No.
MS. JACKSON: You mentioned the business function and that you are solidly based on the terminology of that. You are talking head to head with New Jersey and all. How do you transfer that with these other states and Puerto Rico, Delaware and Florida, where they may not come at it with that same kind of strength and intensity that you set up for your core?
MR. O'BYRNE: I come at it because I have the help of the federal government. I come at it because I appeal to the other states and I say, you know what, the only way we are going to get AHRQ and the National Coordinator interested in us, defend our efforts to help us out here, the only way we are going to do that is if we join together. They have told us in no uncertain terms, they will help us if we join together in regional efforts.
So I spent at least one day a week reaching out to other states. I just finally got a contact in Pennsylvania. They are not a HISPC state. I reached out to Governor Rendell's office and finally got a contact in Pennsylvania. I sent it off to Linda yesterday, correct, Linda?
MS. DIMITROPOULOS: That's right.
MR. O'BYRNE: My point is that I know what they want, meaning the feds, and I know what I need to do to get it. I go out and I find other states that will work with us, that's all.
MR. REYNOLDS: Thanks to all of you. Excellent presentation. What we are going to do now is spend the rest of the time with some open discussion amongst the committee. So with that, the floor is open.
Agenda Item: Work Group Discussion
DR. COHN: While we await Margaret figuring it all out, we will give you to our second hearing tomorrow to figure it all out, I do just want to observe -- and this is going back to our earlier conversation, beginning to have people think about a structure to the work we are doing as well as recommendations.
I do want to recognize that today, we talked about issues related to an overall conceptual framework. Without making a decision on this one, I do want to observe that at least we heard a fair number of people describing alternative frameworks about how we ought to describe all of this, people wondering whether even secondary uses are the right way for us to be describing some of the areas of discussion that we have had.
I think we need to hear more before we reach a conclusion about how we want to frame it. The name of the ad hoc work group is the name of the ad hoc work group, but how we frame all of these things is something that we will need to be thinking about as we hear additional testifiers, and figuring out what we are framing all of this is most useful. So I do want to note that.
I do want to also talk about the nature of our recommendations a little bit. I think our charge is to try to once again advocate for a framework that helps create understanding. We are a little bit early in terms of figuring that one out. That is really the purpose of the framework.
But beyond that we are asked to be giving guidance to HHS on issues related to policy, guidance, possible regulation and/or public education efforts in this area. I would also suggest based on things that for example Mark had commented on, there may be a need for us to be suggesting that the Secretary and HHS advocate for certain potential types of new laws.
As I say all of this stuff, we need our own minds to be clear about which of our recommendations are which. Indeed, given that we do have a reputation for actionable recommendations, we just need to be aware that if we are advocating for the Secretary or HHS advocating for new legislation or new legislative authority, we don't want to hang our hat on something like that just because that is typically much longer term, and given the Congress' track record on privacy legislation, it is a little less likely to happen as a near term activity. That may be something that we decide to do, but we need to be aware that there is in all of this going to be opportunities and perhaps suggestions for public education as well as that there are things that we can do either around guidance to regulation or potential clarification around the edges of legislation. Obviously that becomes much more doable by the Secretary and might be much more applicable in the near term.
So I'm not saying what it is we should be recommending out of all of this, but at least to begin to stratify and clump some of our recommendations as we begin to identify them.
DR. CARR: I just had a couple of comments of themes that I think came through today very powerfully. I think that the whole issue of what is primary and a much broader definition of what is primary, and the way we think about quality, the theme came through where it used to be something that somebody outside of clinical care was in charge of, and now we are hearing very much how it is a part of what we do. It can be incentivized through these decision support -- that quality is not an external entity, it is part of the fabric of what we do.
I am impressed, how many permutations of trust we heard about today in every single thing. The success stories always began with trust and with appropriate transparency, accountability, with attention to de-identification issues.
Then when we got to the regulations, I think we find that there is still confusion, and that it doesn't go as easily. Somehow the stories that began with trust seemed to be moving ahead and moving very successfully, and the stories that began with regulations are still struggling on definitions. I think that is an important lesson.
I also think further on that line, the story of what is research and what is quality improvement is a very important topic for us to understand and to rethink and redefine. It gets back to primary and secondary as well.
Then finally, the financial incentives that we just heard about and that link to collaboration, another theme that we have heard. It was interesting to me that the success stories resonated through everyone's story and the stumbling blocks seemed to reappear repeatedly as well.
DR. TANG: I agree with Justine. Going back to my always simple approach, I think the messages were very clear and started off from the first panel. We basically want to do good and achieve and maintain public trust, so that is our mission.
The other caveat is to say, explain it to everybody and have them understand it and act like adults. I don't think we can expect, when it takes us so much background and experience to even fathom the stuff that is being talked about with regard to use of an individual's information, that it is part of the public good that we, this body, make recommendations for how to adjust this problem on a systemic basis rather than let every consumer fend for himself. So that is another piece of it.
We also heard today and in the past that consumers and patients trust their doc. They trust the researchers that work with their information. They trust the government. There is a lot of trust already built in at the default position. I think we need to just cut to the chase like our first two presenters talked about, and go after where it is clear-cut people have lack of trust, and that is around the payment for their data. We need to build the protections that are necessary without each individual having to study the issue themselves that would prohibit the default that folks can acquire the data by a passage of funds and do whatever they want with it. We have heard from the legal folks that right now, there is no clear-cut law or regulation that would prevent that once it gets outside the HIPAA covered entity.
So in some sense, I think we are dealing with trust. I think we do have to watch out for the public good by creating regulations that deal with the specific areas. That is how it gets simple that the public is most concerned about, that is, the exchange of data for exchange of funds.
It isn't so much about controlling research in public health, because that has not been either a concern among the public and it is quite well protected by the existing regs.
So that is my upshot of what we heard today.
MR. STEINDEL: We hear about regulations and the confusion coming in, and also the problems between when it is quality, TPO and operations and when is it research and differentiating between them. I think we need to explore that.
What I don't resonate with, Paul, I'm sorry, is the absolute bad about the sale of data. I don't know if we have people that are talking about various ways.
Harry made a very good point earlier about how many of you buy things on the Internet. People are willing, if they get proper compensation -- and in this case on the Internet it is an easy way to buy things. Sometimes you don't pay sales tax and you don't have to go anywhere to get something. So you are willing to give up a chance that your data may be misused.
The same thing is true with how many people have various types of marketing cards, like with the groceries and stuff like that. For some type of reimbursement you are willing to give up some information. I don't think we have explored that.
So I don't think we can say blindly that the sale of data is bad. I think what we have to do is explore what type of constructs should we put around the sale of data.
DR. TANG: That was my point. In other words, focus our attention on just the area of concern. I didn't say it was all bad, but that is where the area of concern is. That will limit our scope and perhaps get us closer to coming up with concrete recommendations.
DR. VIGILANTE: I generally share the perspective about being simple. I think the research issue is not simplistic. I think that there are well documented perspectives on research, particularly among different racial and ethnic groups and socioeconomic groups that have varying levels of trust of research and researchers, and it influences recruitment to clinical trials on a fairly consistent basis.
I think that when you think about this concept of agency, what you are going to do for the data, there is the perception among some people and there is the reality in other cases that the goals of research are often driven by egocentric motivations to promote and publish.
So I do think while there are levels of scrutiny that different activities deserve, commercial being the highest, I do think research itself is not a -- I don't think everybody embraces it as something completely low risk or no risk.
The other thing I would say is that I agree with the perspective that all this data is the data, this holistic view of, whether you are talking about getting the patient taken care of or whether you are talking about whether they are on aspirin or Vioxx or something, and that there is no distinction between primary and secondary data per se.
I don't know that I share that perspective so completely. I do think that there is something very special about the perspectives of the patient. When you close the door, there is just the doc and the patient or the nurse and the patient talking about what their issues are. That data is being collected, and that patient has a sense of where that data is going to reside. It is different than the data that gets aggregated among many, many patients.
While I understand that the distinction is maybe artificial and rooted in the past on certain levels, peoples' perspectives are rooted in their past. I don't think we can discount that as being irrelevant.
MR. REYNOLDS: As I have looked at this today, I think there is no question that in many cases the rhetoric alone is creating significant confusion everywhere, because one person's consent or one person's anonymization or one person's de-identification.
So I think one thing the committee could really help do is drill down on some things and set some clear definitions and discussions about what is really what. As we sit in here and listen to these words bandied around, picture the public. They are still trying to deal with HIPAA, and some of them haven't even gotten as far as de-identified as far as how their data is going. So I think trying to make that simpler.
I think the word secondary probably continues from a number of the testifiers to be a lightening round, as possibly a situation where, is it just the data and what is secondary and what is primary, and what does that mean and how do we deal with it. If we use the word secondary, then how we deal with it and what we clearly state it to be as part of what we are trying to help directly get done.
The other thing I was intrigued with was, during the more in-depth discussion of the privacy law, and I thought I was fairly familiar with it, but I got a brand new education today. I was surprised to see that the word quality was kind of almost taken care of in there, a little more than I thought it was, as far as how it was defined.
Again, we are looking at a cross section of everything that is going to happen. But as we drill down in quality, it may be in there a little more than I thought it was, as far as a consideration, which is news to me. I'm not trying to sell anybody; I'm just saying that was a different look to me when I saw those slides and heard that discussion today.
The idea of keeping track of an end game. We need to be looking at the current and we need to be looking out a little bit, because working on the HIPAA privacy law, that was quite awhile ago in terms of how fast things are moving, not in numbers of years, but in how fast things are moving and the number of RFPs that are going out on HIEs and everything else. So we have got to make sure we keep that end game in mind pragmatically.
So those are some of the things that seemed to hit me today.
DR. DEERING: Actually that was a very good segue. I wanted to address issues related to communication and say that since from the very beginning of our conversations, since the conflict of communicating all these issues has been something that we have talked about, I wanted to be very precise about a few areas where communication considerations might or might not be used by the work group in reaching whatever decisions it reaches.
The first, to pick up on what everybody has said about secondary, I think I would go so far as to say it is almost as if secondary is the equivalent of the word amnesty in the immigration policy debate. So from a public policy point of view, it may actually be counterproductive.
DR. TANG: Would you state that again? We didn't hear it. What word did you use? Amnesty?
DR. DEERING: Amnesty, in the sense that it is a very loaded term that is used by people on -- or it could be. I'm just throwing that out as one possibility, that it could conceivably be a counterproductive term. We can go there later if we want to.
The other has to do with the word sale, the sale of our data. That is an extremely loaded term. I do think that in some of our testimony in August we will hear from those people who might be accused to selling it, but they would call it a business case.
If you are going to analyze it, it is a service. Somebody else said that there is a fee for service that someone will contract out. Yes, I would like you to analyze my data. They are not going to do that for free. There is going to be a business relationship. So I think that calling something a sale, do you want them to sell your data, might not be as helpful from a communication point of view. What we do with it may come later.
A third area was, we have often talked about trust beginning with the doctor-patient. I think we ought to realize that one of the problems with the health care system that we have today is that decreasingly, the doctor and the patient are actually having time to talk. So I think that requiring that doctor-patient encounter to be the vessel within which all of this meaningful exchange and explanation takes place is decreasingly likely to happen, especially as more and more of it migrates to the Internet. So again, that is just a construct.
The fourth was something that I think I only shared with Margaret. Visuals can be very helpful. I know that NCVHS deals in words to the Secretary. I have now joined an organization that is entirely visual. As Kevin knows, everything is by PowerPoint. I understand that one of the faults of the training for the war in Iraq was that it was apparently planned at the PowerPoint level.
I think some of us hark back to that wonderful graphic about the valley of interoperability. I think there are ways to depict things in quasi-cartoonish ways that are very effective. I was suggesting to Margaret that we might consider, if we had the skill or knew how to do it, is the path of a piece of data from the point of collection -- maybe two or three scenarios, here is where it starts, here is where we would like it to end up. Some are good, some are nefarious, and at each point along the continuum, maybe the current laws either enable, permit, preclude for better or worse something happening, and what is the actual step that needs to happen in order to bring it to the next step. That is in the current world.
Well, is that ideal? Does it actually get it there, or has this data that you wanted to get there gone over there, or as it gotten there and you didn't want it to go there just because there was a loophole? In the future vision, what would happen to that point of data along the way?
I think it would be a fun exercise. I was just thinking about a case that you have been talking about. If we could capture that visually, I think it would help a lot of people understand the significance of what we are trying to deal with.
So those are some communication perspectives.
MR. REYNOLDS: Before I turn it over to you, one other word. We heard sale, and I think employer fits in there, too, as part of the whole trust scenario, which came out this morning in some of the surveys. It is not only that somebody might sell my data, but will my employer get it and will it affect my employment status.
DR. ROTHSTEIN: Just a couple of quick observations. One of the things that I think we ought to consider including in our report and recommendations is some discussion of what we mean by quality improvement analysis. If we don't do that, then we are going to be falling in line with all the people who have been using words that nobody knows what they mean by them.
What are the kinds of things we are talking about? Are we talking about outcomes research, are we talking about utilization review, are we talking about procedures that are being analyzed, and so forth.
Next, I think we need to recognize that a system that we have designed to facilitate quality improvement analysis could very easily be used for other purposes. I tried to raise that point this morning, about how that information might be used by regulators or licensing boards, et cetera, for controlling physician privileges and so forth. There are other uses that come to mind, such as the ability of pharmaceutical companies to engage in tailored marketing to physicians based on analyzing the data, you are not prescribing this as much as that. There is state legislation as you all know that has been enacted specifically to deal with that.
One can imagine very granular kinds of report cards that can be developed on individual physicians and institutions that may or may not be valuable to consumers, but nevertheless could be developed from this.
Another point I want to raise very quickly is that we have heard today about the desire for removing identifiers, the thought being, if it is anonymous or de-identified, whatever you want to cal it, either it is not research or it is not subject to the privacy rule or whatever.
I think we need to recognize that even data in its most anonymized state are not necessarily risk free in terms of harms to individuals. This is certainly the case with root based harms from genetic research and all sorts of other environmental studies.
DR. TANG: Could you elaborate on that?
DR. ROTHSTEIN: Yes. I am a researcher, and I don't have the names of anybody who I analyze, but one of my findings is that people of XYZ national origin are much more likely to have mental illness or alcoholism or whatever. So now there is a whole group stigma.
Finally, the last quick point is that as we go forward with this, I think it would be a really good idea for us to keep in mind some of the other studies, documents, recommendations that NCVHS already has put out. Our NHII document, our 2006 privacy letter, and to the extent that we can tie our recommendations with regard to these uses that we are talking about in this project to the other things that we have already outlined, I think it would make our recommendations more logical and stronger and more likely to survive.
MR. STEINDEL: I just wanted to react to Mary Jo's comment about the visuals. I would like us to be very cautious in that area.
For one thing, Carol Diamond showed us that very cute cartoon that she had about the one case, and it had multiple cartoons in their report. They had the text for each one of those simultaneous with the report, and I found the text much more absorbable.
Another comment. They say one picture is worth a thousand words. Sometimes it takes 10,000 words to get something across, which may be one of the problems with the Iraq war. So I think we need to be very judicious and careful when we start thinking about it. If it does help the report and helps get the information across, definitely, but I think our reports have been very effective in the past, and they have textual, basically.
MR. REYNOLDS: I am a little bit where Mary Jo is. There is the whole reason we did the axis of interest and a few other things, that it helps frame some thinking. I don't think it will be the end product, but I think we need to use every capability we have and every opportunity we have.
With that, I know that we are holding staff to be with us. Is there anything else that anybody wants to cover today before we close?
MS. JACKSON: We are not on the Web tomorrow, if there is anyone who is listening and expecting to call in, unfortunately. There is a telephone number for the NCVHS staff. Leave your name and number and we will try to plug you in on a telephone line.
MR. REYNOLDS: Anything else today? We are starting tomorrow again at nine. Thanks for everybody keeping up your energy and listening. We wanted to kick this thing off on the first day, and I think we did. Thanks a lot, everybody.
(Whereupon, the meeting was adjourned at 5:45 p.m.)