[This Transcript is Unedited]
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C.
MS. FRAWLEY: Good morning to everyone. This is the meeting of the Subcommittee on Privacy and Confidentiality. I am Kathleen Frawley, Chair of the Subcommittee. What I would like to do is go around the table and introduce ourselves and then have the audience introduce themselves and then we can get started with our agenda.
MS. HORLICK: I am Gail Horlick from CDC, staff to the Subcommittee.
MR ZUBELIA: I am Kay Zubelia from Anwar Corporation and member of the subcommittee.
DR. COHN: Simon Cohn, National Director for Data Warehousing for Kaiser Permanente and member of the subcommittee.
MR. BLAIR: Jeff Blair, Medical Records Institute and member of the committee.
MR. SCANLON: Jim Scanlon, HHS Office of Planning and Evaluation, staff to the committee.
MR. FANNING: I am John Fanning, from the HHS Office of Planning and Evaluation.
MS. FRAWLEY: And if we could have the audience back here introduce themselves.
(Introductions of the audience.)
MS. FRAWLEY: Thank you. We are very pleased this morning to have John Fanning here to speak with us on a number of topics. Of great interest obviously to the subcommittee is the status of the privacy regulations and so John will give us a little bit of an update on that. And he will also be talking on the Eve Directive so that everyone here at the subcommittee knows the importance of that and really what the impact is on the United States and he has some other issues he will talk to us about so I am going to turn it over to John.
MR. FANNING: All right. Thank you. The great confidentiality regulation first. As you all know, Congress and the Health Insurance Affordability and Accountability Act asked the Secretary of HHS to make recommendations to the Congress for how health confidentiality should be protected and the Secretary sent up a report in September of 1997 recommending that Congress pass a law providing a national floor of health record confidentiality legislation.
Now, Congress has not taken action on that. The law said that if Congress didn’t take action by August 20 of this year, the August 20 that just passed, the Secretary was obliged to issue regulations covering the electronic and financial transactions that were envisioned within the scope of the administrative simplification part of HEPA. Well, we are now setting out to fulfill our statutory obligation. The last said that if Congress didn’t act, we had to public regulations covering that class of information by February 20 of next year.
So we are working on a Notice of Proposed Rulemaking which is, we formally promised to publish in the fall which started last week and ends around December 21. However, there is a very strong possibility that it will be published in the next month. It is very important to us to get this out and to have the necessary comment period and opportunity for rewriting and the like so that we can publish it in time to meet the statutory deadline.
What I would call to the committee’s attention is that we, in our consultations with you, especially seek the comments of the whole NCVHS on this Notice of Proposed Rulemaking and our counsel would be for the committee to plan to review it in the week of October 25. There is not an absolute guarantee that it will be out by then but there is a very strong possibility that it will be out by then. I think the committee would have to organize itself in such a way that it could comment productively on it.
Jim, do you have anything to add on that particular point?
MR. SCANLON: No, I think there is a meeting scheduled of the full committee November 3. It is a one day meeting in connection with the workshop and research council. Again, as you know with proposed rules, they have to make it through all the federal interagency review and you can never really pick a date as we learned with the Epidemia data standards so you can only plan on approximately when the process might be completed but I think that would probably, I mean, for that last week in October, if the subcommittee wanted to schedule a day to look over the proposed rule and make recommendations and comments, that might be a good time. It probably won’t be before then. It would just be hard or at least that would be a good time and that would allow for the full committee meeting in November.
Now, John, I think it is envisioned that it would be a 60-day comment period for the proposed rule. You have seen the proposed rules before in connection with the HEPA EDI standards. It lays out the rationale and options and then it actually proposed some regulatory language and you can comment on any or all aspects of the regulation.
Now, John, are you going to talk about the frame, the basis for regulation and where we started and so on?
MR. FANNING: Well, yes, we can do that briefly. It is quite straightforward. We did tell the Congress what we thought should be in a law to protect this information and we based our regulatory action on the substance of those recommendations. On the other hand, one cannot do by regulation the same kinds of things you can do by statute so there are the inevitable differences that derive from that fact and then in addition as you seek to apply a fairly general set of principles to organizations in the form of a regulation for immediate carrying out, there are little changes that you see where the original proposal doesn’t quite mesh with what you have learned since and so on. So there are some differences but people should understand that the basic framework is the recommendations of the Secretary. Anything else, John?
MR. SCANLON: No, I don’t think so. It will be familiar to you and obviously the NCVHS recommendations help form the basis for the Secretary’s recommendation so it will be quite familiar to you if it remains in the framework it is in now. So I think the one issue might be how this committee wants to -
DR. COHN: So I guess the key question is how we mobilize to respond and it can be anywhere from just getting together to write a letter for the committee to hold in, I guess, getting some input from the public and writing a letter. It would sort of be in that general range.
MS. FRAWLEY: Right, I think the biggest problem that we have got, as John pointed out, we don’t know when the NPRM is going to be published. I have a feeling that it is going to be probably after our committee meeting on November 3. We will probably have to work between meetings and probably what it would require is that everybody would have to review the NPRM individually and then probably have a conference call to work on the drafting of a letter and probably work that way. I know we approved a process.
DR. COHN: We are going to return to that today.
MS. FRAWLEY: Right, that is what we are voting on today but the process of working between meetings so that obviously whatever we come up with could go out to the full committee for approval and then could be submitted. But I think that right now it would be very hard to even plan a meeting since we have no idea when the notice is going to be published.
DR. COHN: I guess I was just trying to figure out the likelihood you mentioned last week about the last week of October. You mentioned the last week of October and I just wasn’t sure if that was where you were aiming as a public meeting date.
MR. FANNING: Well, my thought would be it would be prudent to schedule something during that time because I think there is sufficient likelihood that something will be published. Again, it is not a guarantee but it is certainly easier to plan a meeting to deal with it now than to try to organize one when it in fact comes out. It is easier to cancel it than to plan it.
MR. SCANLON: Okay, remember, we will put the proposed rule on the website just as we did with the EDI statement so the day we know it will appear in the Federal Register.
DR. COHN: I think the only question I had, I pulled out my calendar and was just sort of noticing that the day before the NCVHS meeting if we were to do something, and I don’t know if we need to do something or not. That is a whole other issue but if we were to have a meeting, that would be the most likely day only because we have a one day NCVHS meeting. Now, I don’t know if we need to have a meeting and I don’t know, we certainly have had a lot of public comment when we developed our recommendations previously as Kathleen, you had commented. What is your thought? Do you think we need to elicit a little more public comment if and when this things comes up?
MS. FRAWLEY: I am not sure we need to elicit public comment. I guess what I am concerned about is does the subcommittee have enough time to read the notice and then be able to work together to draft a letter to the Secretary which would go out for full approval, approval by the full committee so I see this more as a review and drafting process. And I guess in some ways I can see that that can be done outside the committee. I mean, that doesn’t necessarily mean people have to fly in for a meeting as much as people would have to review the notice and we could schedule a conference call to discuss it and obviously draft something and then have by e-mail a document being circulated and go out to the full committee. I think that would be the easiest way to do it.
MR. BLAIR: Is there any feeling for the magnitude of this document? Is this 100-page document? It is.
MR. FANNING: It is big. The text of the regulations are relatively brief. They sort of read like the bold print type in our recommendations. The basic commands are there, however, there is very much explanation in the preamble.
MR. SCANLON: But it is clearly a large and complicated document.
MR. FANNING: It is something like 350 double spaced pages in its current draft form.
MR. SCANLON: In the Federal Register obviously that is condensed into the newspaper.
MR. FANNING: And again, much of it is preamble of course. The text which is what imposes the command is quite brief actually.
MR. SCANLON: So you are thinking that is a possibility.
MS. FRAWLEY: Well, I am throwing it out to the subcommittee, whether people want, I mean, if people want to have a meeting, I don’t have any problem with scheduling a meeting. I guess the uncertainty as John pointed out, exactly when it is going to be published but I think what we need to do, obviously people need time to read the notice and then be prepared to discuss it and work on a letter to the Secretary. I mean, I think that is what we are looking at doing.
Now, it can be done in person in a face-to-face meeting or it can be done as I indicated by conference call and e-mail so I am going to throw it out. It is the subcommittee’s decision.
MS. FYFFE: I don’t see the extra value in a face-to-face meeting. I think we can do the whole thing via a conference call, especially given that we don’t know when the proposed rule is going to be out. As soon as it comes out we can schedule conference calls and that still leaves us the option in a 60-day period that toward the end of that period we could have a face-to-face meeting but it is going to have to be conference calls for the most part.
MS. FRAWLEY: Jeff, what do you think?
MR. BLAIR: I agree. Now, I am breaking it down this way. This may now be correct. Correct me if my perceptions are not right but my thought is that the people with the greatest expertise with privacy are you, Bob Gelman and Richard Harding and I tend to think that the rest of us have a lesser depth of experience with privacy and we are probably good reviewers, good questioners, so I almost feel as if the three of you took the initiative to maybe frame the issues and maybe do a first draft of a letter of response where the rest of us could not only read the document but could begin to read which are the major issues you have selected and possibly a fresh draft of our NCVHS response. That might be the most expeditious way for us to do it and we could save time, frankly. It is five hours by plane with me and with Simon to fly in so if we could have that time to read the document and review your draft, and have a conference call, our time is better spent that way.
MS. FRAWLEY: Simon?
DR. COHN: Yes, I think I would probably agree with Jeff on the broad outline of what he was saying. I certainly would prefer not to have to fly in specially for a meeting. My preference would be to somehow tack it on as the afternoon, day before, something like that, of an already scheduled activity if we do need to.
I do presume that we will be asking for staff support to help us analyze the document and identify what we think are the pertinent issues. I wouldn’t look to you and Richard and Bob in your spare time to complete the analysis necessarily but if that becomes the beginnings, once we know when it is going to happen, I think we can schedule some conference calls at a minimum and Kathleen, I agree with you that we, this is an important enough issue, then we actually may need to have a face-to-face discussion on it but if there is some way to tack it on to something already happening that would be wonderful.
MR. SCANLON: I would point out, though, that it is, you want to look at it not just from the point of view of what privacy framework is there. You have to look at what would be the implication and the impact and information preparations.
MS. FRAWLEY: Yes, I was going to say how you operationalize it is probably the biggest piece because I think that I mean, if the concepts I don’t think that we know what the Secretary’s recommendations to Congress were so we understand the concepts that would be embodied in the notice but I think to me it would be just how people are supposed to implement this.
MR. SCANLON: Exactly, and whether these approaches, where they are the most optimal and that is where I think the full committee helps.
Now, Kathleen, the only requirement that the committee would have in sending recommendations in would be that there would be some deliberation. There would be a meeting where maybe the full committee gets to look over the full recommendations or the letter.
MS. FRAWLEY: We are not going to have, if, just for the sake of argument, the notice is published at the end of October, beginning of November, we won’t have a full committee meeting within that 60-day comment period so we would have to do it by whatever process we approve.
MR. SCANLON: Whatever process might be. After November 3, -
MS. FRAWLEY: We are talking about the privacy right.
MR. LUMPKIN: What we would be proposing today is we would figure out the procedure that we want to adopt at the November meeting and then use that for the NPR response.
MS. FRAWLEY: This definitely will be something that the committee will want to respond and comment on. And you know, we would fall in between meetings so it would be something we would have to do via e-mail or whatever process we outline.
DR. COHEN: I am sort of thinking here that this is obviously an extraordinary enough activity in recognizing that the process as I understand it says gee, will we have a chance to think about the process, we make it up as we go along which is sort of I think what the proposed process is.
Do we need to think about whether or not we believe the full committee can adequately consider the issues via conference call or whether there needs to be some other process that they are involved in. It may not be enough to spend everybody on a one hour conference call unless it turns out that this is relatively vanilla.
MS. FRAWLEY: Hard to know. All right, so our plan right now is that we are going to do this, the review, we are going to have a review of the document and then the subcommittee will meet via conference call to discuss a letter to the Secretary at which point once that document is completed, we would then refer it out to the full committee for approval.
That timeline is going to be pretty tight, just so everybody is aware because we would need to give the full committee some time and also leave adequate time in there to make sure that the letter gets submitted so once that notice is published, our time really kicks in and within a week after that notice is published, we probably would have to start with our first conference call and just start discussing some initial impressions. I would expect probably it might be that we would have to have a conference call each week over the course of a three to four week period with the expectation that the letter is finished within about a 30 to 40 day period so then it can be turned to the full committee for their review and approval.
So, tight timelines but we will do our best in terms of that review process.
John is going to continue on. He is going to talk to us about the European Union directive. Anything else on the privacy rec?
MR. FANNING: No, I think that is all we have from here on that.
MR. BLAIR: John, I was corrected a while, I put in a document of reference to the European directive and copies, reactions came back from you saying which one. So apparently there is more than one. Do you have a reference to which one it is?
MR. FANNING: I don’t have it here with me but I could provide that. Yes, I can understand why that happened. I guess I should give, just for background, a statement of what this directive is all about.
The European Union has a data protection directive which requires its member states to set up data protection regimens in their countries and it typically, it requires that there be a regulatory agency to make rules and a law, a national law which regulates the use of personal information.
There are other directives relating to things like telecommunications and so on that may have created the required, someone’s requirement to be specific, but the one we are talking about here is generically referred to as the data protection directive. It is of interest here because one of its requirements is the member states must have the procedures under which they don’t allow the export of data to countries that don’t have adequate protection so then the question is, does the United States have adequate protection?
The United States does not have a comprehensive regulatory scheme for privacy the way the European nations do, and here has been much discussion between the United States represented by the Department of Commerce and the staff of the European Union in Brussels over how information can flow to the United States from European countries in light of this directive. Understand that the directive covers personal information generally. Health data is just one subset of it. Common instances in which it presents problems is companies that operate in many nations, can information about the employees be sent to the headquarters in the United States and so on.
At any rate, it should be pointed out that there are other bases for transferring information to other countries than the recipient country having an adequate data protection scheme. There can be contractual arrangements, there can be unambiguous consent from the individual and so on. At any rate, the Commerce Department has come up with the idea of a set of principles which American countries could adhere to, and their adherence to them wold be a signal that there were adequate protections. They call them safe harbor principles, that can be found on the website of the Department of Commerce although it is quite difficult to find. I can’t give the citation offhand but it is under e-commerce under the International Trade Administration.
The European Union staff didn’t accept these at once. They came back with suggestions and proposals. So that process is still underway and I think the last public discussions of it were in late June. Meanwhile, to give more detailed meaning to these very general safe harbor principles, the Commerce Department has drafted a set of frequently asked questions which interpret the principles for particular areas of concern or for particular industries.
The one that we have been most involved in in this department has been the one for the pharmaceutical industry where the industry has certain goals in all this but we wanted to be sure that they didn’t make some rule that interfered with disclosure of information for research and that might include disclosure of identifiable information without individual consent and what we have proposed is that in any clinical trial, of course, you are in face to face contact with the person and can get the person’s agreement to whatever uses you envision of the information. However, we also do want to build in the principle that information may be disclosed for research. That is something that is envisioned by the EU directive and by the interpretive material if there are adequate safeguards and our idea of adequate safeguards is the type of protections found in the federal rules for protection of human research subjects. In other words, review by NIRB under the standards of that.
Now, these frequently asked questions are not sufficiently detailed to cover all of that, but we from this department are proposing that that be the standard and the pharmaceutical industry has been an active participant in these discussions with the Commerce Department. There has been less communication with the university sector on this, but NIH is looking into how this directive might affect international transfer of data and in addition the AAMC is beginning to focus on it.
I don’t know whether it would be wise for a university to sign on to the safe harbor principles. I think we need a better grip on the volume and character of the shipping of data across the Atlantic to see what the best protective mechanisms are. So watch the website and speak up. If the university community has particular concerns, I would be happy to discuss them and I think our department is the principle federal contact and I and the Food and Drug Administration and now NIH have worked closely with the Commerce Department in hammering these out.
MR. ZUBELIA: I understand the directive protects European citizens, not just the data. The data about European citizens. Do we have to be concerned about European citizens in the U.S. and how that would impact our existing data about them today?
MR. FANNING: I am not sure. I can’t answer that technically. What we are focused on here is the directive’s command about what information is shipped from Europe to the United States. Now, it covers any such information, including, by the way, information about Americans which might have come from a European data source. I guess my offhand analysis is that if the information didn’t come from a European country, the directive is not relevant.
Anything else? Well, stay tuned. If the people have concerns about this, please get in touch with me and our department is the contact for this type of issue with the Commerce Department.
A few other items. The world’s data protection commissioners met in Hong Kong two weeks ago for their annual meeting. The United States was represented on an observer basis by the new White House counselor for privacy, Peter Swier. There were some interesting and productive discussions of exactly the EU-US debate about how best to predict privacy and I haven’t conveyed in the earlier discussion all of the nuances of that debate but there was some interesting discussion of that.
I will give out, I do have here for giving out a statement of U.S. privacy activities that Peter Swier gave out to inform the nations of the world about what we were doing in this area. Most of it does not involve things of direct interest to us but every thoughtful citizen should be aware of these other issues. We can pass this out later.
The next item is just to announce that the Agency for Health Care Policy and Research with the assistance of our office, the Division of Data Policy and the Privacy Advocate, is planning a study of the regulatory and other controls on research using large data bases, records-based research using large data bases and will particularly look into how the institutional review boards review these projects and will come up with hopefully some good practices to be used in analyzing such research from the standpoint of protecting the privacy of the individuals.
It is, I think, fair to say that we have enough principles about how we protect private. We know what the result should be. What we need it a great deal more attention to the practical details. What are the rest? They are highly specialized in a project like this. They bear no relationship to interventional research and they do need their own study.
DR. COHN: And this is specifically related to the research use of very large data bases?
MR. FANNING: That is correct.
DR. COHN: As opposed to other uses and you define research from other uses as, I mean, is that by definition R and D approval?
MR. FANNING: No, I think they will look into that very question but it does mean research or statistical activities where the point of the activity is not to make some choice or decision about the individuals but to come up with an aggregate answer to use large volumes of data to derive answers about the population contained therein.
MR. BLAIR: Does research cover both clinical research and public health research?
MR. FANNING: I think they are going to define that but I think it will cover, well, you say clinical. This will not cover the kind of research where there is an intervention with the individual. It covers records based research.
MR. ZUBELIA: Does it cover the gathering of the data and the creation of a data base? Where is that coming from?
MR. FANNING: I think the way they formulated it, it will not cover surveys as such where you get information from individuals but it may well cover instances where information comes from a series of existing sources into a common rule.
MS. FYFFE: Is this individually identifiable records?
MR. FANNING: Again, that is part of the inquiry. If by definition what we are concerned about is individually identifiable information because that is what presents the hazards to individuals but I think they will probably address that. I think one of the other matters they might look into is what are better ways of doing this with known identified data. Again, it is being worked up.
MR. LUMPKIN: Jeff used a term that I really have not heard before, and I am a little concerned at the term public health research because it would seem to me there is either research or there is public health purposes like surveillance of disease monitoring to determine whether or not further interventions are required in a community will be dependent upon a couple of factors. You know, obviously for tuberculosis, we monitor because we want to make sure every case of tuberculosis is appropriately managed but we also want to know if we need to have interventions to prevent other people in the community from getting tuberculosis.
Same thing with vaccine-preventable diseases to monitor whether or not we need to have a campaign. I am not sure that that should be classified in the same arena as we research. I think it should stand on its own as public health purposes and there are times when public health does research but that should go through an IRB and so forth and in fact view research.
MR. FANNING: Yes, and I think this envisions the latter class.
MR. SCANLON: There is, as you know, sort of a boundary issue with respect to research just as there is with health care operations and everything else. When does a formally designed hypothesis testing study that clearly often is research but if Kaiser, for example, does a study that may result, based on its own clinical or claims records that may result in a publication, we just don’t know that at the beginning, is that research? Where do you, because you are looking at records and you are trying to develop generalizable conclusions, where is that boundary actually drawn and I guess they would look at that issue as well.
Same thing, as John said, in public health. There were clearly public health surveillance interventive issues but public health agencies do research as well, and when does that boundary, that threshold reached?
MR. LUMPKIN: This may be something that the committee is working toward because this came up when the hearings were done on privacy research and I remember the comment being made that everybody wants to say that they are different. We also have to be careful that people are not hiding behind the rubric of public health in order to do research without going through an IRB or whatever. To the extent that we can actually define what these things are that people do and get into the issue of quality assurance, when does quality assurance or QA go beyond just trying to assure the quality for all the people to actually cross the boundary into research. That may be something that would be of benefit because we are going to classify protections when you have to have clearly understood terms and clearly understood boundaries.
MS. FRAWLEY: That is probably the biggest problem we have with the Congress with the different confidentiality bills is it has been very, very difficult for people to understand what research is versus what is health care operations versus what is public health. They want to throw it all in the same pot and treat it the same way and so it is very difficult because that is an area where you realize that people don’t understand the distinctions and probably in some ways there is muddied waters anyway in some of these areas but I think the study will be very, very useful in really shedding some light on some of these areas.
MR. FANNING: Okay, Simon?
DR. COHN: And this study is starting and we will be able to have updates on this on a regular basis? I didn’t get a sense of how long the study was meant to take.
MR. FANNING: I am not at the moment familiar with the administrative details but they are giving it. Jim, I don’t think we know more than that.
MR. SCANLON: It will be an expert panel and then they will decide how they want to gather information but it is probably at least a year.
MS. FRAWLEY: I was going to say probably 18 months I would think, a typical IOM study.
MS. SCANLON: They want to have hearings, they may want to have a workshop. They may want to factor in a look at what is currently being done in the research areas so I am guessing probably about a year.
MR. ZUBELIA: It is led by AHCPR?
MR. SCANLON: With support from our office.
MR. FANNING : From our office and NIH. A related inquiry, the National Cancer Institute is planning a big meeting sometime next year to discuss again best confidentiality practices and related matters, largely with respect to clinical trials. The clinical trial business under their guidance is a whole lot more complicated than it used to be with assembling data from several trials and things like that and they are prudently looking at some of the special confidentiality problems and they will be, they have already published, actually, on their website, a document that analyzes some of the issues and sets up some of the questions. I do not have the citation at hand but we will make arrangements to send it to the committee.
A few other items. The Health Care Financing Administration has done a prudent and thoughtful and highly desirable thing. They have established a beneficiary confidentiality board to be an ongoing monitoring and review mechanism with respect to confidentiality issues in all of their activities. Again, we have plenty of principles. We all know how people should be treated with their information that is used for various purposes but it is quite another matter to make that operative down on the working level and one of the aspects of making it operative is having review mechanisms and formal ways of insuring that confidentiality is taken into account at an early stage, for example, in the design of systems and so on.
There are mechanisms for that but it is time to take a harder look at HCFA has established a beneficiary confidentiality board headed by Carol Kronin, the head of the Center for Beneficiary Services and I give out their fact sheet which describes this excellent new activity. Do you want to say anything else about it?
PARTICIPANT: It is a very new concept, it is working very well. They have had two meetings and they are looking for a lot of guidance from the different communities to make it work.
MR. FANNING: And we have offered to help them every way we can. I watched the last meeting over the closed circuit television and they were asking the right questions about new data uses and transfers to the states.
One thing we have to be wary of in the Federal Government, we don’t just collect data ourselves, we stimulate collection of it by a lot of other people so the Bolton Review of a Privacy Act system notice and so on doesn’t always exist so you have to have attempted mechanisms for this. And people can take the copy of the fact sheet.
One last announcement item. The great circular A-110 issue. As you know, Congress commanded the Office of Management and Budget to revise its grants management circular to, in effect, require that all information gathered in the course of activities supported under federal grants that the information be made available to the public in the same manner as federally held information is made available under the Freedom of Information Act. Now, I think this department has said and there is a general conclusion that it is highly desirable that the raw data used in coming up with research conclusions be made widely available but it is equally clear that the Freedom of Information Act applied to a mechanism like this really is not a terribly smooth way of doing it. So this department made extensive comments along those lines, responding to an OMB proposal in the Federal Register to revise the circular in a certain fashion.
Well, after they got comments from this department and from the research community and everyone else, they put out a new one which the research community and we certainly in the privacy world consider much better, there was, from the privacy standpoint, there was never a serious question that personal information would get given out under this. However, the more information is passed around and handled, the more risk there is of something going wrong and the way they have defined data in their new proposal results in the information not coming to a federal agency automatically for a determination as to its releasability. Data is defined as information that doesn’t include the personal information, the disclosure which would constitute clearly unwarranted information on personal privacy.
They have also narrowed the triggering event for this disclosure. The point of the Congress in passing this was to see that information used in federal rulemaking was available for re-analysis to be sure that the rule was sound and there was much question about what constitutes a federal action that would trigger this. Does the publication of dietary guidelines, for example, or some other recommendation type thing give rise to the right of the public to seek the underlying data.
They have defined federal action very narrowly as administrative procedure act rulemaking. So now in response to that this department and actually the research community has again responded, pointing out about praising what they see as improvements and still noting the unworkability of this in the long run, as a mechanism for wider review of data. Jim, do you want to say anything about overall movement in the direction of making data available? NIH had been addressing this.
MR. SCANLON: Well, apparently this law was prompted by an instance in which a federally supported research grant was used as the basis for some environmental protection regulation. The industry quite understandably asked for the data to be able to look at, assess the data itself and the university refused and there was some actual legal basis for a history of not turning over the data. Ultimately the information was made available through a third party arrangement. This obviously caused the problem and led to the enactment of this law which really was to provide the data to anyone who wants to look at it when data is used for research as the basis for regulation or a significant aspect of the regulation.
Now, HHS and other federal agencies in the National Science Foundation generally has a policy of making any data that is developed through a federally supported grant, in general, there is a policy of making that data available in whatever form is suitable for that field. There is anthropology and other aspects where the materials of that research are to differ from what they need to deal with statistical studies.
At any rate, there has been a long policy but the National Foundation for any of its social and economic research, requires that the data ultimately be made available and an archive of some kind or another suitable mechanism but clearly that is done on an imperfect basis and here at HHS we try to provide any data from our statistical surveys and large scale data bases through an archive or through the Department of Commerce where most information services and products are made available. But nevertheless that was imperfect and I think this bill was a reaction on the part of some members of Congress to insure that this is done on a more systematic basis.
At any rate, we are going to continue with our own approaches in terms of making the data available, particularly from the large surveys and data bases.
MR. FANNING: Okay, that is all I have, Kathleen.
MS. FRAWLEY: That was quite a bit. Thank you. I really appreciate it, John, that is very helpful. Any other questions or comments for John?
MR. ZUBIELA: John, do any of these privacy regulations have any security clauses that would be in conflict with the existing security regulations of HEPA?
MR. FANNING: No, as a matter of fact, they are being designed very carefully to match.
MS. FYFFE: Maybe this has been discussed before, but is the thought that perhaps the final regulations for security won’t come out until the comments have been received back for the proposed regs for privacy? Because to me, federal regulations for security and federal regulations for privacy have to mesh.
MR. FANNING: Yes, the plan is to make them mesh. I am not sure what the exact –
MR. FYFFE: To me the final regulations for security are marching along and you have got the, recently we have just found out since August 21 that we are going to have to have regulations for privacy and so I am wondering whether those two schedules are being considered.
DR. COHN: I need to comment on that. I was initially, I wasn’t quite sure what I was thinking, but actually it seems to me they ought to come out together as opposed to completely one waiting for the other because in a sense at its optimum they wouldn’t be part of the whole, the conceptual and then the implementation.
MR. SCANLON: We have actually heard both sides. We have heard this much interest in getting the final security rule out as soon as we can and not necessarily tied it up with the others but that issue is under consideration about what would be the best time.
MS. FRAWLEY: Okay, next item on the agenda, we have an addition. Hyman has asked that we discuss the, I am tno sure the correct name of the report, but it is the Medicaid Managed Care Data Collection and Reporting, it is the final report that we received with our agenda book last week that we will be taking action on later today at the full committee meeting.
DR. COHN: I actually just wanted to bring up, as you know, I unfortunately didn’t have the opportunity to review it until last night, the most recent version and I think we were asked to provide any comments to the other subcommittee by almost a half an hour ago.
As I was reviewing it last night, I was sort of struck by, I just wanted to get the input of the other members of the subcommittee that while we had brought up many significant issues at our last meeting about this that there hadn’t been much change in the report, at least the best I can tell. The report looked much improved. I thought it was a much better report than what I had read previously but I could find only a couple of references to privacy and confidentiality, mostly stuck in the recommendations section after a comma where it said da, da, da, da, and of course we will observe whether privacy and confidentiality regulations exist or whatever and I was just curious of what the other views of the subcommittee members were. As I said, we have some mixed feelings because I didn’t want to have to review this entire work again.
Am I the only one who observed, other than those who are apparently not a member of the subcommittee at this point. Am I the only one who observed this issue and are there other thoughts or concerns from the subcommittee on this particular work?
MS. FRAWLEY: At our last meeting we spent a lot of time talking about the actual list of member core data elements. That is what we were focusing on at our meeting in June. We didn’t spend as much time on the report. We discussed the report in the full committee. That is where the discussion took place. What we did in the subcommittee was remember to, remember we had the document which was a list of all the different data elements and the requirements which we recommended that they, number one, eliminate from the report to keep that separate and also expressed concerns about the use of, you know, the list of data elements so most of the discussion on that document took place in the full committee and I don’t remember that there was a lot of discussion on the privacy and confidentiality piece. We noted that was inadequate, the discussion and it still is. I am not sure at this point what we do.
DR. COHN: That is why I brought it up as an agenda issue because I thought that as I reviewed this, it seemed to me that the subcommittee needed to discuss and see if they have a particular recommendation or comment about this report that might help enlighten the other subcommittee so I guess I looked at this it seemed to me that there needed to be, I mean, probably a section or at least something that was bulleted that specifically addressed some privacy and confidentiality concerns. I mean, I can go and make that comment as a member of the committee to the other subcommittee but I thought it might make more sense for us to discuss it and see if that is what our recommendation was or if we had another something else in this document that needed to be changed.
MS. FYFFE: Well, does this subcommittee need to spend the time to go through this report and gather it? I hate to say that but we brought up some very good issues yesterday. We have a responsibility to do that. Give it another evaluation?
MR. LUMPKIN: Let me ask this question. Do you consider this to be a show stopper? In other words, is it fixable within the context of what we are going to be doing this afternoon?
DR. COHN: That is why I wanted to bring it up for discussion. I don’t know. I didn’t think it actually probably is.
MS. FYFFE: No, we can’t go on. We can’t just approve this thing until there are some fundamental changes to it.
DR. COHN: Yes, now, as I read it, I don’t think that it needs to be rewritten from the ground up. I just think there needs to be some things added to it that are beyond the comma and, of course, are consistent with privacy and confidentiality. That is basically what happened at the last meeting. That is waht I could tell as I reviewed the document other than the fact that the document is much improved. The substance of it is actually good at this point but this is really what I wanted to bring up to the subcommittee because I think it deserves some discussion. I guess we, do you think we need to go through and redline it?
MR. LUMPKIN: Well, I think that if there is concern that there, that it is a show stopper so obviously we are not going to approve that at today’s meeting, then we need to develop a mechanism to fix that and I think the response from the populations committee is that we have tried this two or three times and have done the best we can so if you want us to fix it, we are going to need some help.
MS. FYFFE: Well, I mean, I think the ball is in our court now. It is beyond just wanting something.
MR. LUMPKIN: So I think that perhaps maybe the mechanism that would allow us to know that that is the feeling, then what I would propose if the majority feels it is not ready for prime time that we ask maybe one or two people from this committee to work with that committee to do the next iteration of this report.
MS. FRAWLEY: What do you think?
DR. COHN: Well, I brought the issue up but my plate is pretty full right now so I am not sure I am the person to volunteer. Of course, this has been prepared by a contractor so it seems to me that the question of providing the appropriate direction to that contractor saying that this is not appropriate in this direction.
MS. FRAWLEY: Well, I will be happy to take the responsibility of working with the contractor or with the subcommittee. I mean, if that is what this subcommittee wants, I just want to make sure that that is, that the processes that John had outlined seem reasonable to everyone. Jeff?
MR. BLAIR: Agree.
MS. FRAWLEY: Kathleen?
MS. FYFFE: Fine.
MS. FRAWLEY: Okay, well, then, what I will do is I will communicate with Lisa so she knows our discussion this morning and what we would like to do and I will take the responsibility of working on that process.
DR. COHN: I guess what would be really desirable is to wait for the contractor to do some work on it relatively quickly and so it can be reviewed.
MS. FYFFE: We may not have that luxury.
DR. COHN: Yes, considering the fact we have another meeting coming up in November.
MS. FRAWLEY: If the contractor can work on it, that would be great because the contractor is here in Washington. I mean, it is not that it would be difficult to expediate that process but it means it could be done so that this report could then be signed off at our next meeting. That would seem to be the best approach.
MS. FYFFE: It would be nice if it could be signed off at the next meeting but if other crises intervene so it is proposed to privacy, that just makes it possible. I mean, we will try for the next meeting. If not, it will have to be the next meeting after that. That is just the way it is.
MS. FRAWLEY: Right. I mean, I don’t think the committee wants to publish anything that is not well done. It is better if we need to add a section and make sure the discussion is thorough, then that needs to be done as opposed to just some gratuitous remarks in the body of the report.
MS. FYFFE: Thanks for offering to do that.
MS. FRAWLEY: Oh, no problem. The next thing we want to do is talk a little bit about our work plan. What I have then I am going to pass around is the list of issues we identified at our last meeting and also some additional issues. Jeff, I will go over it for you. I just want to make sure everybody gets a copy. There is copies here.
At our meeting on June 24, we identified a number of issues that we thought the subcommittee might want to investigate to have one of their working sessions focus on one of these topics. One topic we talked about is the use of the Internet for health data to actually study companies and their privacy policies. One of the companies we were talking about was Healthion(?). So that was one suggestion we had. The next was on Smartcards. If you remember, we did have a presentation at our June meeting on Smartcards and there was a suggestion that potentially we would want to do something there.
The next topic was unique health identifier for individuals, activity that is going on at the state level linking health information, to spend some time exploring that. Briefing on HHS privacy regulations we had this morning and obviously we will follow that activity as it moves forward.
The other next topic is privacy issues, how they are being handled in the various agencies and what we were looking at was within the department, the Social Security Administration, the Veterans’ Administration, HCFA, really to understand what is going on in terms of their privacy activities.
The next one was the issue of identifiability. We have spent a lot of time talking about identifiable and non-identifiable data and the issue here is examples, lessons, methods of protection and then to continue up on a topic that we had started before which was employer access to health information. The suggestion was to focus on employees, occupational medicine and employee assistance programs so those were all the topics that we discussed at our June 24 meeting.
After our meeting, Bob Gelman identified some additional issues that the subcommittee could possibly consider. One was review of the HHS certificate of confidentiality program. Two is study of the existing alcohol drug abuse regulation; three, is state mental health confidentiality laws; four is state privilege laws and five is direct marketing industry’s collection and use of health information. So those were five additional topics that were added to the list.
What I would like to do this morning is we need to make a decision for our February meeting, what topic we want to focus on next so that Gayle will have adequate time, obviously to work with me in terms of identifying potential speakers or witnesses, depending on what the topic or the approach we choose to take so I just want to throw it open for discussion or if it be something that is not on this list so we don’t need to be held to this list either. If there is something else that somebody has as a burning desire.
DR. COHN: Can I make two comments? I am being very verbal for this early in the morning. I mean, first of all as I look at this I am sort of struck that there is this other sort of quick thing that we have to deal with which is the privacy and PRMs. That is obviously the main thing on the plate until somehow that gets moved away and I don’t know if it is going to be moved away by February or not but it looks pretty big right at this moment.
The other thing that I was just, I am taking a little bit of liberty as the chair of the subcommittee on security, on standards and security and just note that in the letter to the Secretary that we are going to be considering later on this morning talking about patient medical record information, we had indicated that one of the focus areas had to do with privacy and confidentiality as well as security and patient medical record information and as I think both your group on computer based patient record and the chair of the subcommittee mulled about this one, we really felt that we needed the help of this subcommittee and we would ask for their assistance, specifically around the privacy and confidentiality areas as we sort of work towards trying to prepare a set of recommendations and report for the Secretary and I guess I was going to make that official request for this meeting and Kathleen, I know you wear many hats but if we look at it, we sort of felt that the actual subcommittee could be of great assistance in terms of both reviewing and helping in that part of the document presentation. Do you have any thoughts on that?
MS. FRAWLEY: Well, just in terms of timing, I don’t know, because we are talking about our February meeting where we would be in terms of our report.
DR. COHN: You’re right. It probably needs to be done by that time.
MS. FRAWLEY: That is what I am concerned about because what we are talking about is our February meeting of the full committee and the subcommittee meeting and I think in terms of our time frame for our report, unless I am wrong, shouldn’t we be further along at that point?
DR. COHN: Yes, you are probably right about that. I think it is a way to get that reviewed by everyone and discussed.
MS. FRAWLEY: I think that circulating something for review and comment or having a conference call might work in terms of that approach. It is just that I am not sure that we could wait until our meeting in February to provide input on that document.
MR. SCANLON: I think what Simon is asking raises another issue which is a bigger issue for the working committee and that is the tendency to take privacy and confidentiality as well, now we have done the work, let’s end up by using confidentiality and to what extent can we use this subcommittee to get this more integrated into the development of the work products. The Medicaid managed care is a good example. We are two or three iterations down the road in this document and now we will wait, privacy and confidentiality when we really should be building that in from the beginning.
So with that document and another issue which is the work around NHII and Richard is on that committee so I think there is a more natural relationship there but to what extent can we, as a manner of working, assure that we address these issues much earlier in the process.
MS. FRAWLEY: That might be useful in that discussion in the full committee so that we don’t have these problems with reports being generated from the subcommittee and then being asked to review it or asked to review as a member of the full committee and realizing that the discussion is inadequate. It might be better that we just kind of have, in terms of our work plan, an understanding that where possible it dovetails into the subcommittee. I mean, I think that is important because almost every one of the reports that we do we really do need to make sure we are addressing the privacy of these.
MR. LUMPKIN: And it is easier on the left brain stuff which is the standards because there is such an overlap between the committees than the right brain stuff which is in the populations and health statistics for the 21st century, there is not an overlap and so that means that we really need to do it much more consciously.
MS. SCANLON: Well, it actually is an overlap but it just lets, even those discussions I think the privacy and confidentiality would be a limiting factor but virtually all of the issues under discussion by the full committee involve some aspect of privacy and confidentiality.
MS. FRAWLEY: Jeff, just going back to the timeline for our report, I know we are meeting and as part of our December meeting, we will be framing some of the issues.
MR. BLAIR: Uh, recommendations.
MS. FRAWLEY: Okay, recommendations. I know we will be discussing issues in October. Issues in October, recommendations in December and when is the actual report going to be written?
MR. BLAIR: Think of it in two stages. We want to have a draft, a first draft of our recommendations ready by the end of February to review with the full committee because the full committee meets I think it is February 23 and 24 so that we can get critiques and have time to adjust to either different directions or changes or omissions or whatever. The full committee is only going to meet once more after that before August which is going to be in June so we are going to use the time from the end of February to June to update the report from the critiques in February and review it with other, and the phrase I have used is other interested parties within the Department of Health and Human Services so that will probably be the data council, it will probably be other government agencies and it might be other entities that we haven’t identified yet. Integrate that in and then come back to the full committee by June for final approval.
MS. FRAWLEY: So under that time frame you were just discussing, we would be getting a draft copy of the report as a member, for the full committee for review at the February meeting?
MR. BLAIR: Yes, and as the full committee, in fact the reason for the meeting January 1 and 1st is for the CPR work group to finalize that first draft of the recommendations for the report.
MS. FRAWLEY: Okay, what I am getting at is if the report is going to be discussed at the February full committee meeting, should we consider at our subcommittee meeting focusing just on that report?
MR. BLAIR: In you mean January 31?
MS. FRAWLEY: No, I am talking the Subcommittee on Privacy and Confidentiality.
DR. COHN: That could be very helpful. I mean, it is a question of how much input we have been able to provide into it on an ongoing basis.
MR. BLAIR: I think with the new addition, we have one other item that was, that we added which was the confidentiality items so I think that we need to have some recommendations on confidentiality during the December-January time frame.
MS. FRAWLEY: Sure. Some of that could be incorporated from our report to the Secretary.
MR. BLAIR: Oh, I see what you are saying. You are integrating –
MS. FRAWLEY: I mean, Margaret could get a copy of the report from Seth which is the original report we made to the Secretary on privacy.
MR. BLAIR: Right.
MS. FRAWLEY: I mean, that was sent by the full committee to the Secretary. That could be incorporated into the document. That to me would be a way of making sure we bridge back to work we have done previously but I guess what I am trying to get a sense of is how this subcommittee can be helpful in terms of your report, you know, keeping in mind that one of the focus areas that we added to the report is privacy and confidentiality.
MR. BLAIR: And in this case it is with respect to standards for patient medical record information.
MS. FRAWLEY: Right.
MR. BLAIR: I think we are going to just have to maybe spend a little bit of time in December and January to wind up saying which things are especially relevant to patient medical record information in those standards.
MS. FRAWLEY: But you don’t think the subcommittee needs to do anything at its February meeting? The Subcommittee o Privacy and Confidentiality.
MR. BLAIR: I don’t know. You know, you probably, after our December meeting, that may become a lot clearer. As we start to look at those issues it may trigger a number of areas that relate to topics in privacy and confidentiality that you would say we will handle that in the privacy and confidentiality subcommittee. Does that make sense?
MS. FRAWLEY: Why don’t we do this? We are going to tentatively plan that at least part of our agenda at the February meeting will be devoted to that report so that we will at least tentatively plan that and I guess the next thing we need to do is figure out in terms of the list of potential topics we have what topic we should also focus on for our February meeting so that Gayle can start planning.
MS. FYFFE: We have quite a few issues here. I mean, we could take the next two years so I am wondering if maybe we should have a sense of priorities of which of these would be the most important over the next six months that we could hear about and I do have a question in that regard. What is the HHS certificate of confidentiality program?
MR. FANNING: Under the Publish Health Service Act, the Secretary has authority to grant the kind of immunization against compulsory legal process for personally identifiable information gathered in the course of research. This is something that dates from the drug wars of the 1970s –
MS. FYFFE: The drug wars? Do you mean illegal or legal drug wars?
MR. FANNING: The war against illegal drugs. When it was thought necessary to know what motivated people to take drugs, what was the true extent of the problem, that sort of thing, and people were not going to volunteer or to answer those questions unless they could be assured that the information would not be used against them.
So Congress passed this law saying the Secretary may authorize persons who gather information in the course of this research to withhold it from anyone not connected with the research.
In 1988, the Congress expanded it to health research more generally. The protection is currently given out on a project by project basis upon application in the form of a thing called the certificate of confidentiality. It may be given out in other ways. In the past it has been given by regulation to the particular classes of project.
This is one legal mechanism for protecting information gathered for research. There is pretty general agreement among the public policy and people in the, the philosophers of this topic that information that is gathered for research shouldn’t be used for anything else with some very limited circumstances to prevent some terrible harm, for example, if the subject telling you is going to kill somebody. It is really things in that category but in all other situations it should be kept confidential.
There is not general health record confidentiality, research confidentiality statute. There is this that gives it case by case. The Agency for Health Care Policy and Research has a statute that protects their information as does NCHS as does the Justice Department’s program for research on justice matters.
So this program was, when it was expanded, was run for a while out of the office of the assistant secretary for health and now it is managed by NIH and the certificates are given by some of the centrally, some of them by individual institutes so the point of a discussion I guess would be to raise the broader issue perhaps of what the, how we ought to approach protection of research data.
MS. FYFFE: I am curious. How many certificates have been issued in the past 10 years? Are we talking a handful or maybe 40-50?
MR. FANNING: Oh, hundreds. Not thousands. Hundreds.
DR. COHN: I was actually going to follow up, I mean, I was not going to follow up further on that question, it is okay. I was just going to observe that I think the Internet issues around health data I thought were actually a pretty compelling issue for next year for the subcommittee. I do think it sort of melts into the security and privacy question, so what is going on technically and what indications are there for privacy. I would observe that we have a number on the committee that knows a fair amount about that and it may be the communal operative and probably what needs to be done by that time.
MR. ZUBELDIA: But the department is working only on the security component, not the privacy.
DR. COHN: That is right, but I don’t think that they are, what you come into is we know that you want privacy but you can only do so much from a technical component which is what security is all about. And I think it begins to, I mean, we sort of have a view of what privacy really means in this area. The question is, technically how close can we get based on what we know about security activities on the Internet and where are the world’s problems. I think that that privacy area is an area that we should be looking at and probably February would be a good time.
MS. FYFFE: I agree with that. In terms of another potential hot issue that I seem to hear about all the time, I read about in the press is direct marketing industries’ collection and use of health information. I mean, if I have heard it once I have heard it 100 times and people who have new babies come home from the hospital and see a free box of Pampers on their doorstep and they want to know how did this happen. The stork.
MR. FANNING: They actually signed a form somewhere in the hospital when they were not paying attention.
MS. FYFFE: Oh, is that what it is?
MR. FANNING: That seems to be what goes on.
MS. FYFFE: So anyway that is food for thought as to another hot issue.
MR. FANNING: Can I give my view? I think the certificate of confidentiality is all very interesting but I agree with Simon that the Internet business is crucial. I don’t know if John is interested in that. The AAAS had a session on the Internet and research recently. I don’t know exactly what transpired but people want to do surveys over the Internet and there are many ways. This is a very good example of where the new technology requires a new look at the privacy and confidentiality side and I think the committee can break ground there.
MR. GELLMAN: Can I make a couple comments on this? I think that the Internet issues are really sort of hot issues and really do need some attention so I don’t disagree with that comment at all. I think the direct marketing stuff in some ways is very related, not necessarily conceptually but there is a real overlap because of lot of what is going on in the Internet is really marketing based. A lot of these health programs that are offering services, information, storing records, the real concern here is that all the information is going to leak into the marketing system because there are no rules or no laws and people don’t have any clear understanding of what happens if they put information up on this website or store their recoreds somewhere else. Those two really overlap, and I think they are both very timely and very important.
I do want to say a word about the certificate of confidentiality thing. I don’t think it rises to the same level. I still think it is important and I think John made a, unwittingly I suspect, made a point about the other government programs that have some comparability and I think they all might be looked at in the same way at the same time in the sense that we have a series of different programs, all more or less for the same purpose but the procedures and processes are different. The scope is different and I think the programs sound better when they are described than they really are because they afford very limited protection from the patient’s point of view and they actually pose an actual serious threat to researchers who either do or don’t get certificates of confidentiality or are at risk for either doing it or not doing it as the case may be and there are things that may be true in other programs.
I think that may be something that sort of the issue needs to be broadened. I am not suggesting that it is more important than the Internet and direct marketing stuff. It is the kind of solution to a problem that may have some merit ultimately on whatever is done more generally to the privacy rules. It is the kind of solution that people may at some point seek to dip into and no one has really looked at it for a long time and so there may be some value in doing that. The timing in terms of regulations or legislation is really hard and whatever we do, whether we do it in February or later probably doesn’t make any difference for that purpose but it is worth looking at.
MR. FANNING: I might just put you on your guard that the breast cancer coalition and the genetics people wrote an article that appeared in Science about a month ago suggesting that there ought to be better confidentiality controls for data gathered solely for research and suggesting other things that I think were less worthy and desirable.
MS. FRAWLEY: Jeff, you haven’t weighed in on the topics.
MR. BLAIR: I have so many thoughts I am afraid. I guess I resonated to so many of those topics I felt the issue of the boundary for patient identifiable information is one that somebody has to get work done on that somewhere along the lines and so you know, I feel like that is important. I do agree, I do very much agree that privacy and confidentiality areas over the Internet is a very high, if not the highest priority.
Let me just say that I generally agree with the direction of our conversation here that if we focus on that it is going to pick up and overlap several of the other issues so I feel comfortable with it. We don’t have funds and resources and staff to be able to pursue them all. We have got to be able to choose so we just have to wind up saying what is our highest priority and try to go after that.
MR. ZUBELIA: I think we also need to take a look at some point at the barrier of employers and how to establish the barrier between their medical records and the rest of the company as an employer. I am not sure that we know how that works yet and there has been a lot of issues with workers compensation and other fields where the employer has access to all this medical identifiable information and unless the employer has established procedures like we saw I think it was the Mayo Clinic that has established very good procedures, most employers will know how handle that data appropriately. That is a very important issue.
I agree with the Internet. It is a pretty hot topic.
MS. FRAWLEY: Well just from everyone’s comments on this I am assuming we are going to go with the Internet topic but what our plan will be is to leave some time on that agenda for a discussion of the report from the work group on computerized patient records in terms of the privacy and confidentiality component. What I can do, Jeff is, we can work with Margaret who is going to be writing the report and make sure she has the report that the subcommittee generated that went out from the full committee to the Secretary and probably work with her a little bit beforehand so that as the report is being drafted we are getting the privacy and confidentiality piece into it so I think that will be the best approach and Margaret certainly is very familiar with the topic so I think that can work as opposed to us getting a document and then having to go back to her and asking her to add stuff then.
So I think if that is a good strategy, that is the approach we will take if that is good with everyone. Yes, Bob?
MR. GELLMAN: Does the subcommittee have a day in February? Is that the schedule?
MS. FRAWLEY: Our usual breakout which is –
MR. GELLMAN: The usual.
MS. FRAWLEY: Yes, this is our usual spot.
MR. GELLMAN: So you are going to handle both of those issues?
MS. FRAWLEY: You can’t do it in two hours.
MR. BLAIR: We might be able to deal with the Internet issue. I was going to suggest, and I sort of assume from the discussion that there was a day. The Internet issue may be something done in two gulps because when you do it the first time, you are going to find it very difficult to find people to come forward and then after you do it, you get to come back a second time, you will find more people interested because once you have raised awareness on this issue, you just think of something to be done over a period of time. I am not suggesting that it necessarily requires, say, two full days, but it may require a half a day here and a half a day later and it may be useful to think about it in those terms.
MS. FRAWLEY: We may consider having another day somewhere along the way but I do know someone who could be the computer contact.
MR. GELLMAN: There are a ton of companies doing health stuff on the net and you have to find someone who is either a good or bad player and want to come forward about what they are doing as well as get some outside views.
MS. FRAWLEY: A company who wants to come and talk to us.
MR. GELMAN: Right. The industry HS been criticized. Other people will come forward. That is why I suggested sort of a two part thing. That has happened in the past.
MR. BLAIR: One thing. We had testimony from I think it was Hy Feldlum(?) and she was excellent. One of the things I really appreciated was that she was the first person to be able to articulate a balance between the need to protect privacy and the need for access for information. Let me leave that as a separate subject. You were indicating we have difficulty getting people to testify. I just felt that she might be somebody in the future that might be able to help us again.
MR. LUMPKIN: I think given the difficulty of the subject that we are trying to tackle, and I think it is important to tackle it, it is the kind of thing that is forward looking that the committee ought to be doing, a strong consideration for not trying to deal with in the context of meeting a day at the full committee but having a day or so of hearings and I think two stages, maybe one day here and one day later I think would be probably the best way to handle this.
MS. FYFFE: We might also get considerations in one day here and one day in California.
MR. GELLMAN: If I could make another suggestion, if you look at having two days, it may depend how it works out, you may want to deal with two different topics.
MS. HORLICK: I think what would be helpful would be to bat some names around in e-mails but just from the last panel where we were trying to get people to talk about policies. Well, if you call IBM and IBM has wonderful policies, they are very willing to come and talk about them but you know, what are the areas we want to get to and what is the best way to sort of approach it because if you are asking people do they have confidentiality policies in place, they all put, not all but many of them put these statements on the Internet and that is not what we are looking for. We don’t want to hear we have this great written policy and it is flashed on the Internet. What would be the best way to try to get at the information and what type of person do we want form these companies?
DR. COHN: Well, I think that in my experience it has always been difficult to ask people to come and testify and then tell them, ask them what they are doing wrong. Usually it is not something that makes somebody come across the country and have their employer pay their way. Sometimes if you take the, tell us in an open hearing what problems you are having. Sometimes if one takes the tack of what are you doing right and what are risks that others are having and sometimes it creates a better response and it just has a better approach.
MR. LUMPKIN: Actually, you know, in Illinois we are having a very small invitational meeting on the Internet. It is a legal program where we are inviting about 25 folks from different parts of industry in kind of a neutral setting to discuss the issues so we have invited John to attend and that may provide some material that the committee, because the intent is to provide a summary afterwards, sort of a neutral, not attributed to anybody, some of the legal staff and some of the local organizations and entities. It is in November, November 12.
DR. COHN: That is a good place to audition witnesses.
MR. LUMPKIN: Again, it is intended to be very small so maybe someone, we can get some feedback from that.
MR. SCANLON: We might want to see if the FTC is working on anything as well and the other way of sort of getting around that assignment is not to ask the industry but ask an observer or a something like that.
MR. ZUBELIA: And there are some companies that specialize in data mining but these companies have given away free PCs if you give them your life record and how they deal with the information or is there any information, any privacy, any issues they made up.
MS. HORLICK: Would we be talking about, if we are not going to do this at the February meeting, do this, like, --
MS. FRAWLEY: We are going to have to try and see if we can schedule an add-on day, see if people are willing to come the day before or the day after so we will have to do a, I mean, I don’t know if everybody has their calendars but we can circulate by e-mail. Why don’t we do that and see what we can come up with in terms of a date. But if we could build around the February meeting so there is only one trip for Jack and Simon as opposed to two trips.
MR. LUMPKIN: My only thought on this is that it is a sexy enough title which you probably learned from our experience in Chicago. I mean, if you identify it. The media will become enamored with what we are meeting and discussing.
MS. FRAWLEY: Other items for the agenda that people want to bring up?
MR. SCANLON: Is the committee interested in a briefing from the Georgetown project on the state service plans or should we just get the documentation?
MS. FRAWLEY: They have two reports. Their best principles and also the state report. I don’t know. I mean, I don’t know if people are familiar with the fact that Georgetown did a study on state laws on patient access, some of the other laws in terms of record retention and found that obviously the laws that are out there are inadequate except for the statutes that are for specially protected conditions so I don’t know if there is any interest in hearing about that report.
MR. FANNING: Frankly, I am not sure that a summary type discussion of that would be that helpful. I mean, you have just described --
MS. FRAWLEY: I just went through a briefing last week on that report and it is kind of hard to convey the findings.
MR. FANNING: Actually, what I find more useful is to look at the laws of one state and that really displays the complexity of the situation. I am not sure how helpful that would be.
DR. COHN: I guess I can do what might be very interesting after we have looked at the NPRM and over the next couple of months whatever Congress decides to do. Some of that may be rendered a little, it might not be moot but it would certainly look a little different after we have gone through that, especially, I mean, not knowing what the NPRM is, it could even just apply to administrative and financial transactions or it could take a wider view and certainly have some implication for providing us some more underneath all this.
MS. HORLICK: I would just ask if people have, if they could e-mail me if they have suggestions about who to contact for this February meeting. If you think about it, that would be very helpful.
MS. FRAWLEY: You can follow up with John after your November meeting and see who some of the stars are.
Well, then I will adjourn the meeting and we will reconvene upstairs at 10:15.
(Whereupon the meeting was adjourned at 9:48 a.m.)