[This Transcript is Unedited]
Hubert H. Humphrey Building
Room 505A
200 Independence Avenue, SW
Washington, DC
Call to Order and Introductions - Ms. Frawley
Discussion of Work Plan - Next Steps
MS. FRAWLEY: Good morning. We're going to call the meeting the Subcommittee on Privacy and Confidentiality together. Kathleen Frawley, chair of the subcommittee. Welcome everybody, for our early morning session. We thank all of you for your participation.
What I'd like to do is first just make sure you do have before the agenda for the meeting. We are required to make sure that any of the committee identify whether or not there is a potential conflict of interest with any of the items on the agenda, and if so, declare that conflict. If anyone has any conflict of interest at this time, if they want to declare it.
Hearing none, what I'd like to do is just have everyone introduce themselves, to make sure that everyone knows everyone else, and also the audience. So Walter, if you want to start.
MR. STONE: Walter Stone. I'm with the Health Care Financing Administration.
DR. HARDING: Richard Harding. I'm a member of the committee and subcommittee from South Carolina.
MS. HORLICK: Gail Horlick from CDC, and staff to the committee.
DR. COHN: Simon Cohn, a member of the committee and subcommittee.
MS. WARD: Elizabeth Ward from the Washington State Department of Health, a member the committee and subcommittee.
MR. FANNING: John Fanning from the Office of the Assistant Secretary for Planning and Evaluation of HHS.
MS. FYFFE: Kathleen Fyffe, a member of the committee and subcommittee. I work for the Health Insurance Association of America.
MR. GELLMAN: Bob Gellman, privacy and information policy consultant.
[Additional introductions were made around the room.]
MS. FRAWLEY: Yes, Richard?
DR. HARDING: Madam Chairman, on the issue of disclosure, when we signed up, we filled out all those forms and so forth. But somebody yesterday said we had to renew them every year. I haven't gotten a form or anything. Is that coming? Gracie is shaking her head. That's been about a year and a half. I want to do my duty, but I haven't been reminded of that.
MS. FRAWLEY: Thank you. The Subcommittee on Populations has referred a document to us which was sent out to all of you via Federal Express for your review and comment, along with comments that Bob Gellman had put together on this document. For the purposes of our meeting this morning, the Subcommittee on Populations has asked that we provide feedback to them regarding the draft that we have before us.
This is a follow on to the document that we saw yesterday afternoon that was presented by Kathy Coltin, which is the Sample Purchasing Specifications. The section that we were asked to take a look at was the data and information collecting and reporting section. I think for the purposes of our discussion the easiest thing to do might be just to go page by page through the document to see if people have specific issues or concerns and handle it that way.
I'm not quite sure if there is any easier way to expedite the discussion other than to go page by page. Does anyone have any other suggestions? Page by page sounds fine to everyone?
DR. HARDING: It will be fine. I have just a thought for the preamble so to speak. It seems like this document should have something at the start of it that says kind of like principles or something. One of which seems to me to be along the lines aggregate or de- identified data should be used whenever possible, just as a kind of a general principle issue.
I think that would help a lot of the questions about some of the wording and so forth. That kind of a basic premise isn't stated in it.
MS. FRAWLEY: That's a great suggestion. If you look at page 3 of the whole overview, it doesn't really talk about privacy and confidentiality at all. Probably in addition to your comment, I think it would probably merit some additional language there on privacy and confidentiality, because I think what happens is you jump into this and very rarely at all do you see any reference to confidentiality and privacy.
I think that this is an important principle that we need to insure is carried forward. I think it probably would be useful in pages 3-9 of the introduction and overview if a more substantive discussion of privacy and confidentiality was added to that.
MR. FANNING: May I make a footnote to Dr. Harding's point. In such document, the substance of it should discuss whether information is needed in any particular context in identifiable form or aggregate form or microdata form or whatever. So it's a general principle. Then that ought to be covered specifically, of course subject to the general rule that it shouldn't be an identifiable form unless it's really needed. But it should be specified.
MS. FRAWLEY: Just in terms of the introduction and overview, are there any other general comments or recommendations or additions?
MR. GELLMAN: I'd like to make a comment. I haven't looked this stuff over for quite some time, and I hadn't seen the report when I read it. Basically, my own view on this thing is that the whole report is lousy. I will vote against the report. It's unjustified. It's unclear, and my view is that while the proponents of this have a case to make, and they make it.
The reason that we have no privacy protections today is because of the zillion little decisions just like this that have been made over the last 20 or 30 years that say this particular use of data is justified, and not withstanding all the privacy concerns. And I view it as time to say no to these things. So I basically reject the premise of the report.
As to these contract laws, what I said about this -- I went to the meeting of the Population Subcommittee to talk about this, and I said that these contract laws are the moral equivalent of helping the bank robber write the note on the way into the bank, because that's exactly what we are doing here. So my view is I don't want to correct this thing, I want to throw it out, for whatever that's worth.
MS. FRAWLEY: Other comments on the introduction and overview, of those pages 3-9? Hearing none, let's turn to page 10. The first section is the basic duty to collect and report data and information.
I'm just going to go through sections if I don't hear any comments.
DR. HARDING: I think in the 102.A, the contractor shall collect and report. I don't have Bob's thing exactly in front of me, but that was certainly collect and report what and to who? What is the collection? And to whom does it go, and for what purposes? Maybe this is a model thing that is meant to be kind of nebulous on purpose, but it's pretty nebulous.
MS. FRAWLEY: Well, I think the thing that we need to try to get as much as possible, I think we still have the issue of whether the report will be approved by the full committee. But in terms of some of these sections, they are ambiguous, and that's one of the problems that we have, is ambiguity is problematic. So I think that wherever we can just make the recommendations, or where there is something that we recommend should be deleted. Not necessarily all of these sections should be collected.
So 102.A, picking up from Bob's comments, we need to make sure we know exactly what data is collected, and for what purpose, and who the data is reported to.
DR. COHN: I was just going to comment, I really don't know what to do this generally. Let me say this. I don't feel quite as strongly as Bob does, but recognizing that we reviewed this without the accompanying document initially that explained what the whole point of this was. Now yesterday we spent about an hour dissecting out. One of the comments we made was that 102.A ought to be thrown out completely, was my memory of the discussion in terms of recommendations.
Since this really relates to reportable issues, basically the notifiable reportable diseases and all of this, I don't know whether we should comment on it, or just assume that it's being thrown out.
MS. FRAWLEY: I think we need to comment on it, and the 102.B. Did you talk about that yesterday?
MS. WARD: I was going to say, the committee has already removed that. There was a minority of people on the committee who had wanted the reportable disease part in, and we had already taken it out.
MR. FANNING: May I just say, you see an occasional regulation or contract or whatever that says whoever bound by this is obliged to comply with all federal, state, and local laws about everything. Well, there is probably no point in putting that. The obligation exists anyway. This is sort in the same category. If you are required to report things by law, you are required to report them. So good point about whether it's actually needed in this.
DR. HARDING: Madam Chairman, if the committee yesterday made significant changes to this, could we hear what those are, so we could --
MS. WARD: I thought staff were directed to present those. I had not been delegated to that. I apologize for that. Kathy had designated somebody to make sure that those revisions got put int.
MS. FRAWLEY: Even if staff has the document, it's kind of hard at this point to hand out a document right now with substantive changes.
MS. GREENBERG: Did they make changes to the specifications or to the report?
MS. FRAWLEY: The report.
DR. COHN: The specifications for the contract language.
MS. WARD: We reviewed the report and went over the parts that were differences of opinion on, took things out. That's going to take days to go back then and then take out of the contract specifications what we had. So we didn't even get into the contract specifications. What we looked at was in the report and what needed to be revised in that.
MS. FRAWLEY: I'm almost wondering if is worthwhile reviewing contract specifications if the report has changed. Then the other problem that you have as Simon pointed out, it was kind of hard to be reviewing the contract specifications without the report to put both pieces together.
So at this point I know that I feel very uncomfortable just about, like section 102, because based on our discussion yesterday afternoon about reporting communicable diseases and so forth, that is certainly not something that should be in a contract. A provider has a duty based on the state statute to report. That should not be part of this language.
So that's what I'm concerned about. If you have made substantive changes to the report, which would then directly influence some of these contract specifications, because your contractor now will have to take that back and remove the clauses.
MS. WARD: That's correct.
DR. COHN: What I was going to comment is I do think that probably at the level such as Richard Harding has commented about the need for -- and I guess John had also commented early when we were talking about the overview -- we still need to be specific about after they take things out, what else needs to be put in. And if there is anything other than what we have already stated.
I think that's probably the level that we need to review this at. I'm scratching my head only a little bit, because there is something wrong with this process. Maybe Elizabeth can comment. Is there a time line on this one?
MS. WARD: I think the chair was very anxious to try to finally get this behind her. I think there were things that came out at the last phone conference that did still surprise people. So it's just a matter of compression, of getting the report, reviewing. I think perhaps there was an unrealistic expectation that we were ready to vote on this.
But I think the part about the process that actually I think is a good one is that there will probably be more difficult reports the subcommittees do. I think there has actually been a real value in the process. It's too bad it was under the heading of please vote on this. But I think there has been a tremendous value for a subcommittee that spends a year and a half buried in the trees in an issue, talking to itself, of getting out of the trees, taking it back to the full committee, and having some new eyes, and some new debate, and some broader discussion and then taking it back and reworking it.
I was thinking about that last night, about the process. It's different for this than we've done in others. I think there has been a value for something as complicated, because it's not just the members of committee. We have some federal agencies that have been commenting and putting some of their interests on the table as part of where this public health reporting is going.
So we have had that kind of debate. And I think it's very healthy to have those kinds of debates also at the larger level before we go back and do a report. I'm not sure whether a page by page, line by line is going to be effective this morning. I think to hear more generally from this committee about the particular areas. I may be able to say to you yes, we, the subcommittee agreed with you, and we have already begun to repair that, because we are in the process of really doing another rethink of this. I think it is still valuable to have this committee's comments.
MS. FRAWLEY: Okay, thanks, Elizabeth.
So going back to how do people feel about going forward with any discussion on the document, or do we want to defer further work on this until it comes back to us, the entire report and specifications? I think we already have some comments that we can offer as a subcommittee in terms of the overview section.
I think our general principle about the fact that wherever possible aggregated or dis-identified data should be used. And also the fact that we find that a lot of the clauses do lack specificity in terms of what data is collected, and for what purpose, and to whom things are reported. Again, that wherever possible, confidentiality protections need to be explicitly spelled out. So I think we've got some general guidance there. I'm just concerned in terms of whether people still want to walk through this.
DR. COHN: I don't feel strongly that we should be walking through it. I think the things we described are really important, and obviously they reflect throughout the report. I'm reminded that one appendix in the back of the report observed that Iowa wasn't asking for a unique personal identifier, which in the context of this conversation is somewhat of an oxymoron, to sort of comment that they weren't asking for that.
I think the question is, is there any way that we can go through and uncover other principles that we need to make sure that they get? I think that's the level that I think we should probably view this.
MS. FRAWLEY: Okay. Yes, Bob?
MR. GELLMAN: I prepared something with response to this report. I don't know whether I'm planning to offer this at full committee as a motion or not, but I'll read it here. Basically what I wrote is a motion to recommit the report to the subcommittee with instructions, sort of like the House of Representatives voting to recommit a bill to committee with instructions to do something.
These are the instructions:
First, complete the report, including all appendices.
Second, include a specific discussion of and recommendations for increased use of anonymity, technologies of anonymity, and other privacy enhancing methodologies to accomplish the goals set out in the report. That is sort of what we just talked about.
Three, for each new data collection and data sharing activity recommended in the report, identify the specific risks to patient privacy, including the shortcomings of existing federal and state privacy laws, and explain why the benefits outweigh the risks.
Four, include a specific discussion of the secretary's recommendation that federal privacy legislation only preempts state laws to the extent those laws are less stringent or restrictive than the federal law, and if the relationship of that policy to the proposal for more federally imposed uniformity.
What I think basically is this report is unbalanced. It's incomplete. It doesn't make a case. It just totally ignores the privacy consequences. I think that if somebody went through this report piece by piece, looked at the recommendations and said, these are the privacy consequences of this, at least you would have an honest report. I don't mean that it's dishonest. You would have a complete report. That's a better word.
Maybe if the discussion of the issue were viewed completely with all sides of the issue considered, maybe some of proponents of the report would decided that some of the things they are recommending aren't such a good idea after all. And maybe not, but at least the report would have all the elements in it, and address all the issues that we're supposed to talk about.
MS. WARD: I think, and it may have been part of the problem of how the report was sort of introduced yesterday. The existing problem that we heard in the testimony from all the state Medicaid directors who attended is that their current problem is that they are being asked to send everything to HCFA.
What our subcommittee is trying to say to HCFA is justify that, or most importantly, tell us exactly what questions you are trying to answer. Therefore, couldn't you not please have a core set of data that all state agencies could send you that would not be everything? Because we had exactly the concern that Bob has. That's what is happening right now, is state Medicaid agencies, all those other entities under them are being overwhelmed with the amount of data that they are transmitting.
That's why when you look at the contract, it doesn't say. You are asking if Medicaid is getting from those people who provide care to Medicaid patients, are sending to their state Medicaid agency, who is sending to HCFA, everything that they can possibly get off the forms. We are driving HCFA to say what are the core data elements.
Everyone we talk to says we would be thrilled if we could get some sense of what is a core set of data. Then you could fill in that blank on the contract. And that's part of what we're getting at, is that you ought to have a more precise process in play between the federal agency, the state Medicaid agency, and the data contractors. That's a lot behind what we are trying to drive to.
MS. FRAWLEY: I think the problem that we have though is that doesn't come out in the body of the report.
MS. WARD: Right.
MS. FRAWLEY: Hearing you saying that, and knowing what I read, and looking at the contract specifications, you don't get that sense at all. And I think that's another problem with the report is it was very hard for me to figure out why the subcommittee did this report, what the intent was. I mean I think this is probably one of the most difficult things our subcommittee has been asked to discuss, because I feel like it's kind of like we're not really sure exactly what we are looking at, and for what purposes, and why.
I think that the report is going to need some work to really reflect that. Because if there is a problem, as you indicate, then the report really needs to reflect that. As Bob pointed out, if we are recommending certain data collection, then we really need to have a full discussion on the privacy and confidentiality piece. None of that seems to be -- I saw some references in the report to privacy and confidentiality, but not any major, substantive discussion.
MS. GREENBERG: I didn't go to Arizona. I only attended the meeting in Boston. I haven't been involved in the last parts of the process. But I think part of the reason this is so difficult is because the subcommittee heard a lot of different things. In addition to what you reported, I know they also heard -- I certainly heard this in Boston and at some meetings here -- that the Medicaid agencies and others did not have the information they needed to answer the questions that they had.
So on the one hand maybe they are getting too much data, or they are sending too much data to HCFA, although that part I'm not sure about, because I know there has never been a good national database for Medicaid.
But also I think there is an issue of not having the people who can mine the data, or who are able to maybe do some of the things that have been discussed this morning, anonymize it, use aggregate data, do creative analyses or whatever. But it seems like this was a predominant theme, that the payers, the policymakers, et cetera have questions, and issues, and they don't have the information to answer it. Now why is I think complicated.
MS. WARD: I think part of the report talks about that. They have gallons of data, and no information. And there isn't a connection between them. That's what I talked about it would be really useful then to have a core data set that then they could concentrate on.
MS. GREENBERG: Even the Medicaid agencies not just send to HCFA, but if they could just focus around a core.
MS. WARD: And have some dominant questions. We also talked about the fact we are also making a lot of suggestions about how they can find more analytical assistance. Part of what we heard is that any of that kind of analytic assistance has to either come out of their state Medicaid dollars, or steal from this very tiny federal amount of administrative data. So we made some more suggestions about how to try to help manage that.
MS. FRAWLEY: I've learned more in the past few minutes about this than I previously struggled to understand. Is there any way to put an introduction or an overview or a background or something on the very first page of the document? We're so overwhelmed with information in this committee that I think that would be helpful.
DR. COHN: I actually don't think the point of this subcommittee is to try to figure out why this thing was written and be briefed on the background necessarily. I think that's a responsibility of the Population Subcommittee to take back to the full committee in September. I think it's a question of going back up the mountain again.
I think that this is something that other subcommittees will also recognize. You just can't go away in a cave for a year, work on something, develop great understanding, and expect that everybody sort of understand it just because you understand it, without some background.
Certainly I know that Bob had presented I think a proposal. I don't know if it was actually submitted as a proposal?
MR. GELLMAN: No.
DR. COHN: Oh, you just brought it up as a set of issues?
MR. GELLMAN: I originally drafted it as a motion, although I don't necessarily intend to offer it. I'll see what the discussion of the full committee is. But the language is here if you want to use it for something.
DR. COHN: I think that there are probably some pieces of it that we may want to recommend, along with things that we have already put together. Certainly, one would observe that one of the nice things about lack of standardization is that it tends to afford a relatively high level of confidentiality. Just like when I do a medical record in my handwriting, it is absolutely confidential and private, sometimes even to me.
So as we increasingly standardize things, if we don't also put into process some safeguards on anonymity, suddenly we're making things very much less private. I think that case I wanted to say that it isn't just the simple issue of saying that there is confusion about standardization. Let's just standardize things. It's a little more complex than that.
MS. FRAWLEY: So am I hearing that we want to take some of Bob's language?
DR. COHN: I'd like to go through those again, point by point, and see if there are a couple of them that maybe we can agree to.
MR. GELLMAN: One was just complete the report with all the appendices. That one's easy. Two, include a specific discussion of and recommendation for increased use of anonymity, technologies of anonymity, and other privacy enhancing methodologies to accomplish the goals set out in the report.
Three, for each new data collection and data sharing activity recommended in the report, identify the specific risks to patient privacy, including the shortcomings of existing federal and state privacy laws, and explain why the benefits outweigh the risks.
DR. COHN: Could we talk about that one for just a second?
MR. GELLMAN: Basically, the idea here is there are all these recommendations for new data, new sharing. Some of the recommendations in the report, data goes from one person to another and to another and all over the place. And to identify in some way -- I'm not suggesting in saying this that there be a 50 state review of laws. That's a little bit much.
But there might be a couple of representative states that could be selected with good and bad laws, and to see what the consequences are of spreading this information around. And whether the information that might have a degree of protection on one hand, loses it when it goes to somebody else.
If the data goes from one player to another, and all of the sudden now it is accessible to the police, which is something that will happen, maybe this needs to be discussed and identified. I think if we are making recommendations of data sharing that have a direct impact on privacy, we should know what those consequences are.
DR. COHN: Can I discuss that for just a second? I guess the question I would have -- I think as far as you have stated is probably right. I was just trying to figure out, recognizing what is happening currently, recognizing we are not creating a new process, but we are trying to fix the current process.
The question I think I might have for Elizabeth, is there really any new data sharing as a result of this? As far as there is new data sharing, I agree with you. The question is, is there any new?
MS. WARD: I think the new data sharing would be around the area of enrollment data. The Medicaid agencies we heard from talked about the fact, because they can't and the providers cannot get the -- and it gets back to discussions we've had about other issues related to health care and health care insurance -- they would like to have language and race and ethnicity data so that they can better understand if their Medicaid programs are in fact reducing disparity.
But in the Medicaid system, in our state it's called a public assistance person, but those field offices who get a client at the door are determining what kinds of state programs, including state Medicaid, they are eligible for. That part of the government interviews the client and fills out all of that stuff. That lives in one part of the government. Then the other part of the government administers the actual health insurance program for those services.
Then those managed care organizations and provider groups and state Medicaid agencies are asked to report on whether they are giving quality of care, and being asked to say are you managing the disparity issue, and are you being culturally competent? They say back, if I can't get the race and ethnicity issues on some of my clients, and I can't evaluate that, and I can't tell you whether I've got people on board who can speak the language, because I can't find that information, I've got a problem. That was dilemma. That would be the different kind of data sharing.
DR. COHN: So there is new data sharing?
MS. WARD: Again, it is all government. And it is government contractors. It is all under the existing Medicaid laws that we're talking about. But that doesn't alter the fact that we ought to currently be concerned about how those data sharing would occur.
MR. GELLMAN: I think that the explanations that you have offered here make this whole thing look a lot more rational than it did from just looking at the report and looking at the contract clauses. It may make some of my concerns less sharp.
I'll make two points. One is that just because something is going on today, doesn't mean it's okay. Secondly, given the explanations, I understand even less why there are contract clauses that say give us all your data, and we own it. I think the legal work that was done that is reflected in here, as well as the policy work is rotten or incomplete may be a better word.
MS. WARD: I would add that we also heard from families. Even in the existing system we heard from families who are watching this debate at the national level. We do have some bright consumers out there, particularly parents of children with special needs. They talked about that they would like someone to be measuring quality, and they would like that information back. But they are also worried about who gets the information.
Even the parents and some of the consumer groups are in the same conflict that we are in about wanting the result that could be gained by having more information linked, but also worried about who is going to get access to that. And is someone going to get access to it to alter their eligibility to another part of the services that are available. So we heard from everybody. Unfortunately, we don't have the sort of divine answer for that.
DR. COHN: Would you read over what you had written there, Bob?
MR. GELLMAN: This is the third of four points. For each new data collection and data sharing activity recommended in the report, identify the specific risks to patient privacy, including the shortcomings of existing federal and state privacy law, and explain why the benefits outweigh the risks.
Sort of filling in the other side of this. The report, with Elizabeth's very useful explanation of what it is really trying to do says this is all a great thing. We need to do it. Well, okay, but what are the consequences? What are the risks? I think we just have to be honest and complete in saying this is what happens if we create a new pool of data, or we give data that we already have to a new player.
MS. WARD: How do people feel about that?
DR. COHN: I think a balance would certainly be worthy.
DR. HARDING: If I could just say a couple of things. This has been an interesting meeting. Not this one -- this one too. I've heard a couple of statements made that I hadn't heard before from people testifying and so forth. One was this increasing issue of respondent fatigue, or respondent burden. That is that people are getting overwhelmed by the stuff they have to fill out and send. I think it was in the first set of lectures.
DR. COHN: The performance measurement.
DR. HARDING: Right. Then I also heard the issue of that there is all this data being collected and sent, but without direction or well, protection. Somehow or other I get that image like I do when managed care asks for the entire chart from my practice. What in the world do they do with that? What do they do with a whole chart? Do they stack it somewhere? They can't be doing anything with it. They don't have the manpower to -- what are they doing?
I get that feeling a little bit, that there is this enormous amount of data, but what are we doing with it? Are we doing something really constructive and positive, making a difference for the public health and so forth? Or are we just getting a lot of data? You all know I have a bias, but I just worry that if they are going to collect it, it ought to say what good thing is going to come from that, because it's going to cost a bunch of money to collect it. So exactly what is it?
There has been this, I think, permissive feeling of well, data is good. Data will help us somehow in the long run. Well, come forward with that and say we need this identifiable data, because of this, and I would feel much better about all these processes. That's the same thing that was already said, but in a little bit different context. It worries me a little bit. I just have this feeling of massive data, with nothing being done with it.
MS. WARD: I would say that would reflect on one of our reactions to having heard the testimony at the hearings.
DR. COHN: I think if indeed that was the case, it certainly didn't come out in either the report or the contract specifications.
MS. FRAWLEY: Not at all. I think that's one of the things, that we are all feeling a little bit different about the report. It's kind of like filling in the blanks. The more we discuss the report, the more information we get. Again, the report is somewhat incomplete, because it doesn't come out.
Having read it, I was still struggling trying to find out who we were contracting with and for what purpose. And that's not clear at all. So when you are talking about state Medicaid agencies and reporting to HCFA, that puts it in somewhat of a different context. But I do think Richard's point is an important one, that we shouldn't just be saying here is like a laundry list of data elements. Go forth and collect.
I think the language that Bob was providing us is very good in terms of the risks versus the benefits. It really the case of why do you need this data element.
MS. WARD: Our committee doesn't want to go down the road of deciding what the data elements are. We just want to get entities that require data to go through a more thoughtful process about don't just give us your whole claim and then we'll store that data.
MS. FRAWLEY: One of the things I'm concerned about is does your subcommittee really think they need this contract language? Because as Bob pointed out, it is poorly drafted. What I'm worried about is somebody getting this report, and taking it and assuming that this is language that they can take and insert into a contract.
MR. GELLMAN: I think that's certainly a fair comments. It's like why are we giving legal advice? Why is that our responsibility?
MS. WARD: I'd have to defer that question.
DR. COHN: I actually would say that if there was good contractual language, it would be a great help. I don't think there is anything necessarily wrong with trying to help people that are really in the midst of it, to give them some guidance and help. And if we can help them improve their processes, provide more confidentiality and privacy in the context of all of this, and help them better do the right thing, then I think that's all for the good.
But not being a lawyer I can't comment, except that the contract language I found somewhat confusing. So if I look to the lawyers and they thought it was poor, it needs to be redrafted obviously.
MS. FRAWLEY: Bob, you had another point?
MR. GELLMAN: The other point, I'll read it again. Include a specific discussion of the secretary's recommendation that federal privacy legislation only preempts state laws to the extent those laws are less stringent or restrictive than the federal, and of a relationship of that policy to the proposal for more federally imposed uniformity.
It seems to me that you don't have to agree with the secretary on this, although I suspect we didn't really take a specific position on uniformity when we considered privacy rules. But the secretary obviously has, and there is clearly some interest in the department in having differences among states and higher standards at the state level if you can do it. And the thrust of this report is against that. It seems to me that this is an issue that ought to be discussed in the report.
And the committee can decide that the benefits of uniformity outweigh other concerns are not, but it seems to me that given the history on this issue, it ought to be considered, it ought to be discussed, and it ought to be confronted.
MS. FRAWLEY: Can you repeat it again? I just want to make sure I understand it.
MR. GELLMAN: The language?
MS. FRAWLEY: Yes.
MR. GELLMAN: Include a specific discussion of the secretary's recommendation that federal privacy legislation only preempts state laws to the extent that those laws are less stringent or restrictive than the federal law, and of the relationship of that policy to the proposal for more federally imposed uniformity.
DR. COHN: I was going to say I accept the first couple. I'm not sure that I think that this one is particularly relevant to what is going on. I like everything you said up until now in terms of accepting it, but I'm not what exactly the relevance of that piece is to this specific document.
MR. GELLMAN: The thing that struck me from reading the report is that things are done differently in different states. The Iowa point was the one that jumped out, that the report criticizes Iowa for not collecting identifiers. Well, I think that's a good thing. I don't think that's a bad thing.
DR. COHN: They actually have recipient ID in the list of identifiers. So they do have identifiers.
MR. GELLMAN: I didn't look at that. I just looked at the comment in the text. If the state decides that it wants to proceed, especially if we are talking about increasing the use of anonymous data or aggregate data or something else, then I don't see why if the state chooses to do something on an aggregate basis or on anonymous basis, and maybe have less precise or less complete data, or maybe not depending on what the function is, that's perfectly fine to me. Maybe we ought to recognize that.
Maybe instead of saying everyone should do it in a federally mandated way, that we ought to allow states to do things. We ought to recommend that states do things in other ways that create less of a problem with respect to privacy.
DR. COHN: Can I make a comment on that? Because I think that you are sort of cleaving between the issues of privacy and confidentiality, and increased state laws around that versus the issue of administrative simplification and data standardization. I think they are slightly different issues. I would say that it would be in the public interest.
We have said all along throughout the committee that the concept of administrative simplification, which would increase data standardization, having people agree on definitions, and have it be the way it is makes sense from a public policy perspective. Now that is different than the issues that each state may have a different level of privacy that they want to invoke on their piece.
I think that this actually needs to be cast in an administrative simplification vein. That's one of the comments I made yesterday was that we were off talking about the NCHS core data set, when really we should have been talking about all the administrative simplification things that have been going on and all of that. Now of those, what gets sent is another issue. But we don't want to necessarily have everybody defining and casting their own data elements in their own fashion.
MR. GELLMAN: I agree with that. I think that's a perfectly fair point. It's not what I was getting at in this, so maybe it's not clear. The question is if we are collecting the same data, we ought to have common standards. The question is should we be collecting the data at all, and should we be using it in certain ways and sharing it in certain ways. So I certainly agree with the standards point. I don't feel as strongly about this last point as I do about the other ones.
MS. FRAWLEY: I just struggling more with it to understand kind of the context of it.
DR. HARDING: This bill would certainly encourage preemption.
MS. GREENBERG: You mean the contract specifications?
DR. HARDING: Yes. And then the secretary may have a different opinion that we are doing something that is going against or that possibly is going against the HIPAA recommendations and Shalala's.
MR. GELLMAN: Well, the policy reflected in HIPAA, depending on what it means of course, as you said, and what the secretary said is diversity. Stronger state laws that remain in force. In reading this report and listening to this discussion yesterday I was struck by the push for more uniformity, more mandates from the federal government, exactly what should be done.
This is more of a substantive kind of issue than a sort of procedural one. So it is harder to deal with, and I'm less sure about what the result ought to be in the end. But it just seemed to me the issue ought to be discussed in those terms, that yes, we ought to have a uniform federal substantive policy here about what is and isn't collected. And this is a good thing, notwithstanding the fact that HIPAA says something else, and that the secretary has said something else, and here is the reason why.
I mean at least if that's going to be the recommendation, it ought to be discussed in those terms. And that was really what the point of this thing was, to say, okay, if this is what you want to do, say so.
DR. COHN: Can I make a comment? Maybe what I'm hearing from you is that some sort of common need in contractual language or in the overview or whatever, that obviously state laws related to privacy and confidentiality will obviously affect this contract, and would get sent back and forth. Is that sort of what you are saying?
MR. GELLMAN: That is a point, but I think that's kind of the point I made earlier about let's take a look at all the uses in the context of existing laws, and at least see what we are doing. And this point, yes, there are differences, but people have a lot of trouble with this point. I haven't gotten it across.
MS. FRAWLEY: I know what the secretary's report -- I'm still trying to figure out how do we take that piece that you are saying and translate it into the body of this report. That's what I'm struggling with. I'm trying to figure out what we are trying -- I know what the secretary says. I understand that this report would be requiring people to collect a data set or have more uniformity in data collection. What we are saying is that that is kind of contrary to the secretary's recommendations that stronger state laws should stand in terms of privacy.
So that's what I'm trying to get to, is where do we get that discussion, or where does this piece kind of come in? We're all struggling with it. I figure if I'm having difficult, and other people are, then we're obviously not --
MR. GELLMAN: I recognize that. I'm just willing to drop that point.
DR. COHN: Are we going to vote on these additional pieces? I would vote for the first ones, except this last one.
MR. GELLMAN: I'm not going to press for the fourth one. I haven't made it clear, so we can just leave it out.
MS. FRAWLEY: I think we agree that the whole discussion on anonymity and privacy enhancing technologies should be incorporated. We had already talked about that. Then I got the impression from at least this discussion around the table that also this was a direct recommendation for each new data collection activity or data sharing activity, that it should identify the specific rectification(?) of privacy.
And then there should be the analysis of federal and state statutes, and explain why the benefits outweigh the risks. The sense that I got from people is they felt comfortable with that recommendation. I guess what we are struggling with is this last one.
DR. COHN: Well, I think he's withdrawing it is what I heard. I was actually just going to add one that isn't quite necessarily our area, but somehow this needs to be cast in the sort of vein of administrative simplification. That somehow was not said very well previously, but this should be looked at as -- if it's going to work, it should be less of a burden than what is going on now. If it's not, then what's going on?
MS. GREENBERG: I think one that Bob clarified, and one thing that I think is probably important to include is that at least talking about an analysis of state and federal laws, the subcommittee is not suggesting a systematic study of all 50 states. You could read it that way. That wasn't your intent.
MR. GELLMAN: That's not my intent. I think the way to do this is the very stuff is very well known. It is not that hard to deal with. For the states, maybe one way to do this is to pick two states, one with a better confidentiality law, and one with a rotten one, and see what the consequences are.
There is no way to analyze all 50 state laws. I know Jan Laurie Goldman(?) over whatever organization it is at Georgetown is doing a state law project. It might be possible to go over and have a chat with her and get some ideas about how to do this in a fairly -- I think they probably already collected the laws, or I think that was the point of the project.
It may be possible using their resources to do this in a fairly compact, useful way, without having to reinvent the wheel, because reinventing the wheel is time consuming and expensive. And I am not suggesting a 50 state review at all.
MS. GREENBERG: I think that's very helpful.
MS. FRAWLEY: Other comments or points that we want to incorporate in our discussion that we can share with Lisa? So I can assume that we're finished with the discussion on this?
MR. FANNING: May I just make one overall observation that this is a very good example of designing data collection or transfer or whatever without working in privacy considerations from the beginning. We thought we had sensitized people to this, but this is a classic example of doing it poorly. It is shown visibly in the text.
At the end there is a Section 204, compliance with confidentiality protections. What it says in front of that is the following section sets forth illustrative language for purchasers that wish to identify matters relating to confidentiality in their purchasing specifications. Well, this is pretty basic. It should be number one, and it shouldn't be optional.
So I guess the signal it seems to me that needs to be sent by this committee to the full committee, and by the full committee to the secretary and the states and everyone else is that this really does have to be built in from the beginning. It is everybody's business, not the province of a few odd enthusiasts. It's still in the latter mode in many situations, although the formal presence of privacy people on the committee and the subcommittee are certainly steps in the right direction, but everybody has to tend to it. That's my sermon.
MS. FRAWLEY: Thank you, John. I think that is certainly consistent with the views of a number of people here. I think we all had the same concerns when we saw the document.
Then I thank you for your discussion on that. What we need to do now is turn to a discussion the work plan. If you look in your main agenda book under the work plans for all the subcommittees, our subcommittee has finished its work plan. Therefore, potentially as of this meeting, we have a clean slate in terms of where we want to move forward.
What I wanted to do this morning is spend a little time discussing what issues people thought we should be addressing, and how we would like to move forward. One of the things we did discuss yesterday afternoon at the Subcommittee on Standards and Security is whether any activities should go on in the area of unique identifier for individuals. And whether that would be something that the subcommittee would be involved in, along with the privacy and confidentiality subcommittee.
Yes, do you have a comment on that?
MS. GREENBERG: No, actually I had a different comment.
MS. FRAWLEY: What we did yesterday in the standards and security group was look at the work plan in 1999-2000, and obviously in this subcommittee we need to think about our work plan for 1999-2000. So I did not have any list of recommendations or to bring forward, because obviously most of the things that we have identified, we have covered.
So I just wanted to throw this open. This is very informal, this part of the meeting, just to get a sense from people of what they think we need to be doing.
Yes, you can go first.
MS. GREENBERG: What I wanted to ask in relationship your having completed the activities in the work plan is on some of the last few hearings on pharmacy benefit management, and then on employer access there was some discussion that perhaps more information needed to be obtained on the area of employer access. That not all the different parties or all the different stakeholders had been identified. So I know that is an outstanding thing that at least should be discussed.
Then the next question I had was whether anything is going to be forthcoming from the subcommittee on those topics. The letter to the Data Council of the secretary had been discussed; perhaps just maybe not. Maybe you will decide there is nothing more you want to do in that area. But I think at least that has to be resolved, whether there is going to be any action by the subcommittee based on those hearings.
MR. GELLMAN: Just a couple of comments on what we have discussed. I think the patient identifier certainly for the immediate future is an issue best left untouched and possibly undiscussed.
MS. FRAWLEY: We would get a big crowd.
MR. GELLMAN: You get the appropriations police coming. I think that may be something to be reassessed at intervals in the future, but certainly not before October. One of the questions is going to be whether the prohibition in the appropriation bill gets extended into the future. You never know whether these things get dropped after one year or get continued. I have no intelligence on that whatsoever, but I wouldn't be surprised if it got continued, especially if there has been no progress on a federal privacy bill.
On the issues that we have already discussed, I don't think we have done enough on employers to have anything to say on it. As Marjorie said, there are other perspectives that haven't been considered. Even then we may not have anything to say, because it's a really hard issue.
The PBMs, I'm not sure that we have anything to add to that. Somebody else may, but I don't see anything we have to add to that. That issue is sort of before the Congress. One of the problems here with active or inactive, we don't know which, legislation before the Hill, it is hard to figure out what to get involved and what not to, because it may just get totally undercut by whatever goes on, on Capitol Hill.
I think in terms of new issues, I have two suggestions. One of them is there are all these activities going on, on the Internet with respect to health data. I think that those could be looked at in a useful way to find out who is doing what. I'm not talking about any kind of treatment activities. I'm not talking about claims processing on the Net.
I'm talking about all the Internet sites that are offering some -- again, I'm not talking about health advice -- but people that are offering to collect health data from individuals, store it, use it, make it available, that sort of thing. I think that's worth a look. This did come up in some other committee event.
I can't remember who it was. We were in a discussion at one of the other subcommittee or work group meetings where somebody talked about some of these sites. I think make an effort to find them. See what they do. See what kind of privacy policies they have. And get the people that are doing this to come up and talk about it, because I think there are a lot of problems there.
And it's an activity that falls I suspect for the most part, completely outside the scope of any proposed legislation, because you are not dealing with data that comes in the treatment or payment process. This is data voluntarily disclosed I think for the most part by individuals to people who are service providers of one sort or another on the Net.
MS. FRAWLEY: Who would be --
DR. HARDING: Healthion(?). Is that what you are talking about?
MR. GELLMAN: I don't any of the specific ones.
DR. HARDING: Where they are collecting data and storing it, and then will make it available to anybody.
MR. GELLMAN: They will make it available to you or to your doctor or whatever, outside the scope of any legal protections, as far as I know, because you are voluntarily disclosing your data to somebody who is providing you with some kind of service. There are no rules, and I suspect some of these sites either don't have privacy policies at all, or they have inadequate privacy policies. Or maybe they have good policies.
Whatever the result is, it's worth a look to see what is happening, what they are doing, what their policies are, and put this issue into play.
DR. COHN: So you are basically talking about patients, or the public directly dealing with these Websites and supplying information to the Website?
MS. FRAWLEY: You're talking about me deciding to contact one of these service providers and give them information?
MR. GELLMAN: Yes. But whether there is data coming to these sites, I don't know whether anyone is saying I give my doctor permission to share my data with the Website so there is more complete record. I don't know if that's going on. But whatever is going on, on the Web in that context I think needs at least a look. Then once you look at it and see what the scope is, you may be able to boil it down, or it may be broader, I don't know. I wouldn't put a limit on it up front. But whatever is going on out there, I think is a little scary.
MS. FRAWLEY: You had a second idea?
MR. GELLMAN: My second idea is sort of the smart card stuff. And I didn't realize when I thought about this that it was on the schedule today, and see what happens today. There may be more to this issue than comes out today, and there may not be. I'm not sure.
MS. GREENBERG: Can I say something about that? I was at the Executive Subcommittee -- as the agenda was developed, this individual who had writing Dr. Detmer and had also been in touch with Barbara Starfield, et cetera, to present about smart card. Then a few other people were suggested, and I also was asked to bring in the privacy perspective.
I had a great deal of difficulty identifying, finding somebody who could speak from the consumer point of view of what the issues are, risks and benefits related to privacy. The bottom line is that I do have somebody coming, but started to find some people right towards the end. This is just this one hour presentation, and they weren't available.
I think it was a challenge, but I think we're not going to hear all that you could hear from the privacy community at today's presentation. I did have a great deal of difficulty identifying anyone to do this.
MR. GELLMAN: That may be a factor in making a decision about whether there is more here or not, and I will see what happens this afternoon. It seems to me that there are plenty of smart card activities. I know it's a big deal in Europe.
I'm not interested in hearing from the privacy people so much as hearing from the vendors. I saw something recently which I did not save that had to do with some kind of -- and maybe that's going to come up today -- some kind of test that is going on with some kind of health care smart card. I want to know what's going on out there with stuff. Who is using it? I'm not worried about the privacy stuff. Find out what the vendors are doing, and the privacy issues jump off the page at you.
MS. GREENBERG: I think you will get a fair amount of information on that.
DR. HARDING: We'll get information on those demonstration projects in North Dakota and Nevada, the WIC cards, Western governors? That isn't going to be covered today is it?
MS. GREENBERG: The people who are presenting are certainly familiar with those projects. I don't have someone directly -- that was another point. As I was developing this and other types of like bringing the Western governors, but we just weren't able to expand it to that. So it's a possible area where you could expand it. There were three or four additional experts who were suggested, but we decided we really weren't prepared to make this into like a two hour presentation. So there certainly will be more to hear than what you hear today, but I think this will be a good introduction.
MR. FANNING: May I just ask a question? Back to the subjects on which you have already had hearings, employers, pharmacy benefit managers. Does the committee see as part of its role simply marshalling information and making clear what is going on? It seems to me that one of the problems in the pharmacy benefit management area is that we don't have a good overview of how these people are doing their work, and therefore have trouble evaluating the risks.
It seems to me that you gather testimony now. Is there any value in writing a factual report? I think there is some value. I guess the question is does the committee see this as a proper task for itself, or is that too ministerial?
DR. COHN: Gosh, I don't know whether I would use the term "ministerial" but just based on our last hearing, I'm not sure personally that I felt that we had enough information to create a report or a letter or anything. I think from the pharmacy benefit managers, I think that we heard from the pharmacy benefit managers and heard very little from anybody downstream, be it patients or otherwise, or even for that matter most of the provider community that are being affected by them.
I think before we start writing letters, I think it would be useful hearing from other groups that are affected by the pharmacy benefit managers. So I think that there is actually more work that needs to be done in that area if we indeed want to write a letter or make a comment.
In relationship to the employer piece, I think the same issues apply, and that is I think as Bob had commented, a very complex area. But certainly I think we were aware that especially as you move into workers comp and some of the more problematic areas, to talk about workers comp and not have employees and workers testifying makes it difficult to make any sorts of conclusions whatsoever.
MS. FRAWLEY: I just want to let you know for the last hearing, the amount of time that Gail has spent trying to get people to even agree to testify. That's one of the problems. While they certainly may not have been inclusive or representative of all of the different groups you wanted to hear from, the problem that we had is that people that we approached had no interest in coming before the subcommittee and offering any comments.
I think that is one of the things that we struggle with. Almost every meeting we have, we spend an awful lot of time trying to identify individuals who are willing to come and discuss issues. It's almost as if it's like a warning bell, and people are like, I don't want to come anywhere near this group.
I don't know if that's the experience of other subcommittees, but I think that we just seem to have a great amount of difficulty of getting anyone to come forward to participate in a panel discussion and provide information.
MS. HORLICK: Kathleen, that is certainly true. I mean you get people and you say, and we'd really like to hear about your policies or are there policies? And yes, yes, we'll get back to you and we'll try to get someone, and it doesn't happen. But at the same time I think there were sort of groups of people that, for whatever reason, I didn't approach the right people, or I didn't even make contacts with the appropriate group.
Jim Ellenberger ended up from the AFL-CIO, coming and I hadn't contacted him beforehand, and then he had to leave. And he gave me his card and said call me. He said, we would have liked to participate. He wasn't someone that I tried to reach that turned me down.
So maybe what would certainly be helpful to me, I mean Kathleen and I put our heads together here and there, at the Executive Subcommittee, and with a couple of the members we sort of one-on-one talked, but maybe if we are going to have another series of hearings, the subcommittee should say okay, how do we want to approach this issue? What kinds of people do we want to try to approach. Then if we don't get them, we don't. But we might get a fuller panel.
DR. COHN: Let me just make an observation about these sorts of hearings. Bob, I think has a lot more experience than I do. But as I was talking to Gail in terms of planning this last hearing, my observation was that people are a lot more reticent to talk about themselves than they are to talk about somebody else or something else that is bothering them.
So if one goes into every set of hearing with tell us about what you are doing, people may be reticent. If you go into it with well, what's bothering you about what other people are doing, you may find people a lot more willing to testify. It's just sort of a thought on that one.
MS. HORLICK: We were able to get two people from IBM because I contacted them and said we had someone on our subcommittee that told us you had excellent policies, and we'd really like to hear about them. Well, that was easy, but it doesn't work that way all the time.
DR. COHN: Can I make a comment about the unique identifier? Bob, you are probably right that that should not be on for fiscal year 2000, but maybe after that. But I think the only point I would make about that, and it was a point that I actually made to Kathleen Frawley was that we actually are allowed to look and take testimony on things. And one would observe that even on the federal level there is virtually nothing happening around a unique health identifier as we should be without privacy and confidentiality.
There is a tremendous amount of activity, at least that I've been observing at the state level around people banding together, trying to identify best practices, trying to figure out how to link information. To me, that may be the actual place, if we were to even look at something, that we would want to identify what is going on at the state level, and what are best practices, and all that.
Once again, it may not even be appropriate for the year 2000, but if we were to take it, that would be the only way that I would consider it being reasonable.
MR. GELLMAN: Actually, I think that makes some sense. I wouldn't talk about identifiers at all. But if you want to talk about linking of medical records in various contexts, that sounds to me like it might be useful.
DR. COHN: Yes.
MR. FANNING: May I make an observation in that regard? I think it would be unfortunate if the command not to produce an identifier leads to a situation where the identifier gets produced by all the people that Simon just made reference to, without any full, open consideration of the privacy issues. One of the dangers of not doing it in an overall comprehensive way is that the broader public issues involved like privacy may be ignored.
MS. FRAWLEY: John, I have a question for you in terms of the department, and in terms of privacy regulations, which obviously the secretary has mandated under HIPAA to promulgate if Congress fails to adopt legislation. Do you see any role for the subcommittee in terms of commenting on the regulations? And is there any time line that the department is looking at?
MR. FANNING: I'm not familiar with the technical details of the time line, but the idea is if Congress doesn't act by August 20, we will be proceeding, and there will be certainly a notice of proposed rulemaking. We haven't really considered the question you asked. And we can certainly look into that. We obviously value all the comment and help we can get.
MR. GELLMAN: Can I ask the question a different way? I think that in terms of a work plan, whether there is legislation or regulation in the near future, we are going to spend time looking at it, so that probably belongs on the plan. If the regulation goes ahead according to the current schedule, assuming that there is no legislation, there will probably be something out in the fall, probably shortly after the deadline I would suspect.
But there is all this speculation about the deadline being extended, and I assume the regulations would be put back. In which case, the question is for the people drafting the regulations, assuming that they have another year or year and a half before they really have to produce this, what are some of the sticking points, what are some of the problems, what are some of the issues that are being reviewed that could benefit from the kind of attention that we could give it, that the administrative process can't?
You may want to go back to people and ask that question. And we may want to have sort of a contingent work plan, if this happens, that, and if something else happens, then we'll do something else.
MR. FANNING: Yes, I think that's a very useful suggestion. I'm not prepared to outline the issues here or discuss them.
MS. FRAWLEY: Perhaps for the September meeting, John if that would be possible?
MR. FANNING: Yes.
MS. FRAWLEY: It probably would be even helpful maybe -- I don't know who the lead person is within the department, but certainly if we could get some input in terms of process and what the key issues are.
MR. FANNING: It's Gary Claxston(?). I will convey this to him. The hearings that the subcommittee held two or three years ago were very helpful to us as a source of information in developing our recommendations to the Congress. And one could imagine the committee being equally helpful not in responding to a particular text, but in getting public input and committee deliberation on issues where there is a strong link between the policy and the technical, and where it is heavily controverted. I think we value that.
MS. FRAWLEY: Well, how do people feel then about extending an invitation to Gary to come for our next subcommittee meeting to talk about what's going on within the department, and also to identify some issues that the subcommittee could be helpful on?
MR. GELLMAN: I think it's a good idea, but I think you're going to have to decide when you are going to do that, because you don't want him to come at an indelicate time in terms of what's cooking. So you may want to negotiate with him when is the appropriate time.
MS. FRAWLEY: Well, then we'll work with Gary on that.
MR. FANNING: Let me explore it with him, and then get back to you, Kathleen.
MS. FRAWLEY: Thanks. Other suggestions that people have in terms of activities for the work plan?
DR. HARDING: I had just a comment. The two things, one that John brought up about Section 204 in the draft, this much about privacy and confidentiality.
Again, yesterday was an interesting day. I was a little bit shaken by the director of HCFA. How do you pronounce her last name, is it Pindepearl? Pindepaul. I was a little bit shaken that she was blinded by OASIS and had no idea that that would cause a problem.
Now somehow or other we are not getting the word out or something. Is there a process for us to help get the word out about the importance early on in policy decisions and so forth? And certainly as she said, that started back in 1989, and there were differences then and so forth. And I understand what she was saying.
But somehow or other we need to get the word out. And we need to get incentives I think out for people who come and talk to us. I think that if we have individuals who come and testify, and they are the IBMs that have good policies or something like that, they ought to get a letter or some kind of incentive for this kinds of best practices and so forth, so that people aren't going to be -- I would have to think twice about coming if there was no positive benefit for me, and there was the potential for me misstating something and getting it blown up in my face.
We need to think about incentives in some way for those people coming. Just two comments. And getting the word out somehow.
MS. FRAWLEY: Any comments? Other suggestions? Yes, Bob?
MR. GELLMAN: I would kind of like to broaden on what Richard has suggested. This is hard, because there is no sort of simple, easy, natural way to do this. But there is kind of a small, but more visible privacy establishment in the federal government. We have a privacy counselor at OMB, Peter Squirer. We already have John Fanning here, one of the two I think, privacy advocates in the federal agencies, the other one being IRS.
And you can look at other agencies that have very significant pools of data and privacy issues, and the two that come to mind off hand are the VA and SSA. I don't know whether they would be willing to come and talk, but I could see the possibility of having a discussion among all of these people to talk about to what extent privacy issues are getting considered.
There might be other components of HHS. In John we have a privacy advocate here at HHS, but John doesn't have the resources to cover all the issues that come up. The question is how are these issues being raised and considered in agencies? We can just obviously focus more on health data than others. But there is not that much to pick from in the federal government. I think maybe beating the bushes a little bit might identify some other places. Maybe they would be willing to come and talk about the problems of how do you get privacy considered into the administrative process? Maybe HCFA should come. I don't know.
Anyway, as a topic it might be an interesting one to look at, and it might be one that would lend itself perhaps to recommendations. If that is the conclusion that there ought to be more attention paid, there ought to be more of a structure, that John Fanning ought to have more staff or something like that. That was my idea; he didn't tell me to say that.
MR. FANNING: I think that the recent OASIS experience has focused people's attention. But the trick now is to institutionalize mechanisms that do this work. But that's a difficult task, what you set up. HCFA has focused on it much more, realizing that they have a huge volume of data. Walter may want to describe it, but I think the administrator has committed herself to having a council for example.
MR. STONE: Not only that, they have committed themselves to review all of the data sets and the systems of records, and to revise them and to update them with respect to the lessons learned from OASIS. And yes, much more emphasis is being placed on it, probably more than anyone ever imaged, and it's kind of caught, as the administrator said, by surprise, because we didn't have the resources and the forethought that it would this sort of effect.
MR. GELLMAN: Walter, can you describe what the council is?
MR. STONE: In a very simple sense, it's to more or less centralize all the privacy and confidentiality concerns that affect the agencies and different components within the agencies, and have it addressed at the administrator's level or at the executive council's level before it actually hits the public, or hits outside entities.
So they are coming up with a privacy review board that will address all these issues. It's still in the paper work phase, but it is moving very fast. The idea about maybe Peter Squire(?) and people at that level coming to address these points might be a very good approach to it.
MR. FANNING: May I go on to another one? Identifiability might be worth another look. This committee had a very valuable day of discussion on it, but I think we are faced with a situation where the bills in Congress did advance the analysis and discussion a bit. At least I think they did, and possibly at some point another look at identifiability with possibly the bringing together of examples and lessons and methods of protection and so on.
MR. GELLMAN: In that regard, just a factual thing that occurred that relates a little. I don't think it's something we can pursue or should. In England there was just a decision by the court that the collection of anonymous prescription data is illegal. It violates privacy. All the anonymous collection, even that -- and the case is going to be appealed, so we'll see what comes out.
DR. HARDING: Because of the possibility of relinkage?
MR. GELLMAN: I haven't read the opinion. I just read news accounts.
MR. FANNING: I haven't read the opinion either. I figured it's too early to derive any lesson from this. I think some of this all relates to some internal political dispute and so on. So it's hard to evaluate at this point, but we'll get the opinion and read it, and see what we can make of it, and then of course see what happens on appeal.
MR. GELLMAN: I do think your guess is a reason. Things are never anonymous. There is always the point that you can do linking. That was the point we have discussed to some extent, and it's just somebody has carried it another step. I don't know whether it makes sense or not, but it's there.
DR. COHN: We have a lot on our plate.
MS. FRAWLEY: That's right. Any other suggestions or comments? Going back to the earlier question that Marjorie raised, and that Gail also alluded to, pharmacy benefit management, do we want to do anything more there? Or do people feel there is nothing more to do?
DR. COHN: Based on what I have seen so far, I think if we are to do any more, it needs not to be more from the pharmacy benefit managers, as from other people who may have issues about it. I think hearing more testimony from them would not be productive. The question is are there other groups that we might want to query, patients or otherwise?
MR. FANNING: I certainly agree that needs to be pursued.
MS. FRAWLEY: What about employers' use of health information? We talked about the fact of the employee perspective was one that we needed to bring forward. Other thoughts?
DR. HARDING: In the past we have had occupational nurse testimony that was very helpful in clarifying.
MR. GELLMAN: There is plenty in the occupational doctor, nurse, whatever that we could hear from. There are also the employee assistance programs that have a whole snootful of problems. That's also worth looking at.
MS. FRAWLEY: Okay, well I think then we've got our work cut out for us. I will follow-up with John obviously, as far as Gary Claxston and who in the department is available. What I will do is work on putting this together in a chart form, and then I'll have it distributed it out via e-mail to the subcommittee members so you can take a look at it. Hopefully, at our September meeting we can just finalize it in terms of moving forward.
Other issues that people want to bring up? Other business? None? Marjorie?
MS. GREENBERG: At this point you're not expecting to have any meetings before the September? I just want to know for planning.
MS. FRAWLEY: This group would shoot me if I announced we were going to have any meetings. I think we're all ready for a little break over the summer.
Well, then hearing nothing else, the meeting is adjourned. Just keep in mind the full committee will convene at 10:00 a.m. in this room.
[Whereupon, the meeting was adjourned at 9:34 a.m.]