Department of Health and Human Services

National Committee on Vital and Health Statistics

Wednesday, November 3, 1999

Holiday Inn, Georgetown
2101 Wisconsin Avenue, N.W.
Washington, DC 20007

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, VA 22030
(703) 352-0091

PARTICIPANTS:

Committee:

• John R. Lumpkin, M.D., M.P.H., Chair
• James Scanlon, HHS Executive Staff Director
• Marjorie S. Greenberg, Executive Secretary
• Jeffrey S. Blair, M.B.A.
• Simon P. Cohn, M.D., M.P.H., FACP
• Kathryn L. Coltin, M.P.H.
• Kathleen A. Frawley, J.D., M.S., R.R.A.
• Daniel Friedman, Ph.D.
• Kathleen Fyffe, M.H.A.
• Robert M. Gellman, J.D.
• Richard K. Harding, M.D.
• Lisa I. Iezzoni, M.D., M.S.
• Andrew Kramer, M.D.
• Clement Joseph McDonald, M.D.
• Paul Newacheck, Dr.P.H.
• Mark A. Rothstein, J.D.
• Barbara Starfield, M.D., M.P.H.
• M. Elizabeth Ward, M.N.
• Kepa Zubeldia, M.D.

Liaison Representatives:

• Gary G. Christoph, Ph.D., HCFA
• J. Michael Fitzmaurice, Ph.D., AHCPR

TABLE OF CONTENTS

Call to Order, Welcome and Introductions, Review of Agenda - Dr. Lumpkin

HIPAA Privacy NPRM - Mr. Claxton

Presentation of Medicaid Managed Care Report for Committee Approval - Dr. Iezzoni

Race and Ethnicity Data - Mr. D'Angelo

Committee Process for Preparing and Approving Comments on the Privacy NPRM - Dr. Lumpkin

Committee Process for Preparing and Approving Comments on the Claims Attachments NPRM - Dr. Cohn

Plans for the 50th Anniversary Symposium - Dr. Lumpkin

Discussion of HIPAA Privacy NPRM - Dr. Lumpkin

P R O C E E D I N G S (9:02 a.m.)

Agenda Item: Call to Order, Welcome and Introductions, Review of Agenda - Dr. Lumpkin

DR. LUMPKIN: We can convene this meeting. It certainly is a pleasure to have the Department appreciate the importance of this committee by publishing the rules on privacy, so that we could discuss them. We appreciate that timing.

I would like to remind everyone before we get started that we are going out live over the Internet. For those of you who have not been able to make meetings or part of the meetings, and have been able to listen to it -- assuming that your fire wall will let it through, which ours doesn't -- but for those who listen, you know it's very useful to have people introduce themselves. So we'll start off with introductions.

My name is John Lumpkin, and I am chair of the committee, and also director of the Illinois Department of Public Health. I would also ask that we do have a couple of new members. So when it gets around to you, if you would just give maybe a little bit longer introduction so the rest of us can get to learn and know a little bit about you. And we look forward to the opportunity to work with you in the future.

Marjorie.

MS. GREENBERG: I'm Marjorie Greenberg from the National Center for Health Statistics, CDC, and executive secretary to the committee.

MS. FRAWLEY: Kathleen Frawley of the American Health Information Management Association, and a member of the committee.

DR. KRAMER: I'm Andy Kramer. I'm professor of geriatric medicine at the University of Colorado, where I teach and used to conduct health services research until recently. We were shut down nationally in a way that many people may be aware of due through our institutional review board. But I serve on many different activities at the University of Colorado, and have been conducting national studies now for probably 15 years, most of the dealing with quality of care and outcomes of care for geriatric individuals.

DR. NEWACHECK: I'm Paul Newacheck with the University of California at San Francisco. I'm a member of the committee.

DR. COHN: I'm Simon Cohn with Kaiser Permanente and a member of the committee.

DR. ZUBELDIA: I'm Kepa Zubeldia with Envoy Corporation and a member of the committee.

MS. WARD: Elizabeth Ward, member of the committee, Health Information Institute.

MR. BLAIR: Jeff Blair with the Medical Records Institute and a member of the committee.

MR. ROTHSTEIN: I'm Mark Rothstein, one of the new members of the committee. I'm the director of the Health Law and Policy Institute at the University of Houston. I'm a law professor in my day job, but in my other life I do a lot of research in the area of genetics and medical privacy and confidentiality, occupational health and other areas.

MR. GELLMAN: Bob Gellman. I'm a privacy and information policy consultant, Washington, and a member of the committee.

MS. FYFFE: Kathleen Fyffe. I'm a member of the committee, and I work for the Health Insurance Association of America.

DR. FRIEDMAN: I'm Dan Friedman with the Massachusetts Department of Public Health and a member of the committee.

DR. IEZZONI: Lisa Iezzoni, a member of the committee at Beth Israel Deaconess Medical Center in Boston.

MR. SCANLON: I'm Jim Scanlon from HHS. I'm the executive staff director for the committee.

MR. CLAXTON: I'm Gary Claxton. I'm the deputy assistant secretary for health policy in ASPE at HHS.

DR. LUMPKIN: Thank you. At this point we are going to have the audience introduce themselves, and for those on the Internet, you won't be able to hear them. Except we will stop for a second and have Clem say good morning.

DR. MC DONALD: I'm Clem McDonald from Indiana University and Regenstrief Institute. Is that what you wanted?

DR. LUMPKIN: Yes, that was good.

[Additional introductions were made.]

DR. LUMPKIN: Great. Thank you.

The first item that we have is a review of the agenda. If anyone has any conflicts of interest with items on the agenda, now would be the appropriate time to give us notification of that.

[No items were raised.]

Okay, good. We have with us Gary Claxton from ASPE, who will talk a little bit about the new privacy NPRM, which we, as I hope everyone has been notified, since the NPRM is officially going to be published today, but pre-release copies have been available for review or whatever that that term -- they are on view. For those of you wondering what that big pile of stuff is, that's it.

That certainly is characteristic of a lot of our discussion. We will be spending some time this afternoon in an expanded Privacy and Confidentiality Subcommittee discussion. A little bit later this morning we will also have some discussion on the process. The deadline is somewhere around January 2, which I think is a Sunday.

MR. CLAXTON: It's going to be the Monday after that.

DR. LUMPKIN: It will be the Monday after that, because I think the Monday is the 3rd. At least that when our command post will be open, from the 1-3, just in case things don't go right with Y2K.

MR. CLAXTON: Of course we appreciate comments earlier. We'll be working on them.

DR. LUMPKIN: Yes, but will those comments be Y2K compatible.

MR. CLAXTON: We'll take paper.

Agenda Item: HIPAA Privacy NPRM - Gary Claxton, ASPE

MR. CLAXTON: Good morning everyone. My name is Gary Claxton, and my office, like John's office wrote a good deal of this, but with the input of a lot of other people from other parts of the federal government. I do want to thank you all, because obviously these were based on the secretary's recommendations, and your group had a lot of good input into what was in the secretary's recommendations.

So we think we have tried to put forward a proposed rule that was in the spirit of what we proposed two years ago. Obviously, some of the details change as you write details.

What I would like to do if it's okay with people is walk through some of the highlights, and then leave time for questions, because probably you guys know what's in it better than I do. But I'll try and give you a little context for it, and what we did, and then take questions. Does that work for people?

What I'm going to do is talk about: what's covered; who is covered; when stuff can be disclosed; a few comments on some of the general rules; the individual rights; the administrative procedures; preemption; and enforcement. I'll try and do that relatively quickly.

The what is covered, there is a long and really interesting, I think, discussion in the preamble about the regulatory authority here, and what it is we can cover. I think a lot of people in town expected that we would just limit the coverage of the rule to information that was electronic. We didn't think that would be effective, and really would leave us no reason to have a rule if we were going to cover information while it's in electronic form, but stop the protection when that information became paper, either by being printed out of the computer or otherwise.

So what we have done is proposed to cover information that has been maintained electronically or transmitted electronically. And then that information is protected in all of its manifestations, including paper manifestations when it is held by a covered entity, which I'll talk about next.

In that way, we certainly realize we're not getting all of the information that is out there, and we think that's a potential concern, but we do think it is consistent with what the HIPAA structure, which starts out with the administrative simplification and the electronic transmissions. And the privacy protections that are most attendant to the privacy concerns caused by the electronic transmission of protected health information.

So that was the approach we took. We have asked for comments on this issue, as well as virtually every other issue. We tried to set forth the pros and cons in the preamble. We do believe we have the regulatory authority to cover all paper records that are held by covered entities. We have asked for comment on that, and we'll seriously consider that for the final.

Should I take questions on each issue, or do you want me to walk through the whole thing?

DR. LUMPKIN: Why don't you walk through it.

MR. CLAXTON: The next is who is covered. The statute makes this pretty easy. It says who the standards apply to. I should say the privacy standards are standards under HIPAA. They are like the other standards. And so they apply as the other standards in HIPAA apply to all health plans. We have defined health plan very broadly.

They apply to all health care providers who conduct one of the electronic transmission standards under HIPAA. And you guys know those better than I do, actually, but they are the standards that are identified in the other HIPAA administrative simplification regulations.

And they apply to health care clearinghouses, which are defined in the statute as somebody who takes non-standard information and puts it into standard form. I should say that with respect to health care clearinghouses, we can't quite figure out why it is to treat them specially for privacy purposes. They don't seem to have a special place for privacy.

There are a lot of folks who do administrative procedures on behalf of plans and providers that don't involve turning stuff from non-standard to standard format, but have just as much potential to affect the privacy rights of an individual. So when we get into the general rules, I will sort of tell you how we treated clearinghouses and those other folks who we call business partners.

We protected health information can be used and disclosed -- there are essentially two times: when it is authorized by our rule, or when it is authorized by the individual. Our rule authorizes protected health information to be used and disclosed in several instances. One is for treatment, payment, and what we have called health care operations. If you have read the Jeffords bill, you are familiar with -- and some of the other legislation -- you are familiar with that term.

In the secretary's recommendations we had talked about treatment and payment, and then said that those things should be construed broadly to include the kinds of stuff you need to do to run the enterprises, to do treatment and payment. We think given the way the debate has gone over the last couple of years, it is just easier to call it health care operations, because other people do.

We have defined that -- I should say when we have done this, we have done this in the proposed rule. This is all proposed. I need to say that, or else the lawyers get mad at me.

We have proposed a definition that is similar to what's in some of the legislation on the Hill. It is more narrow in a couple of instances, particularly with respect to the use of the information for underwriting. There are also a set of public policy areas similar to the secretary's recommendations where we have said that the information can be used or disclosed without individual authorization.

Those include: research; public health; oversight; law enforcement; disclosures for next of kin; disclosures for facility directories; disclosures for the use in judicial and administrative proceedings; disclosures when otherwise required by law, for instance, required disclosures under workers compensation statutes would be an example. And there are a couple others that I always forget, but they are there.

Each of those has a set of rules attendant to them that are focused on that type of disclosure. For instance, research requires that a privacy board review the protocols, and make certain determinations before a use or disclosure can be made. All of the law enforcement has a set of rules under which when information can be disclosed to law enforcement.

Each of those have a verification requirement, so that you are required to know that the person you are disclosing to is who they say they are, and there are some steps you can take to at least verify that, and to verify their authority to get it. We have tried to make those not cumbersome, but they do require you to at least make an effort to make sure you are giving the information to someone who should be getting it. We can go into more questions on that if you want it.

And then in addition, information can be used or disclosed with the subject individual's authorization. We have set some requirements for what the authorization forms and authorization should look like. The requirements differ to some extent on whether or not the authorization is initiated by the individual or by the covered entity. They are for somewhat different purposes. I think the key rule associated with authorizations is that a covered entity cannot condition treatment or payment on obtaining an authorization for a non-related purpose like marketing or whatever.

Just to sort of underline a point here, in our rule we don't require any uses or disclosures with an exception I'll get to in a minute. These are all talking about instances when a covered entity may disclose or use information. This rule doesn't require any of those things to be true. So a provider does not have to make a disclosure for research if they don't want to unless some other law requires them to do so.

Our rule says when they can. It never says when they have to. There are two exceptions. Those two exceptions are: (1) when the individuals wants to look at his or her own information; and (2) when the secretary wants to look at the information for the purpose of enforcing this rule.

There are a number of general rules associated with the uses and disclosure I just talked about. I will briefly highlight I think three of them. One is a concept of minimum necessary information for uses and disclosures. There is a general requirement that when covered entities disclose information, that they disclose the minimum amount of information necessary to fulfill the purpose. It is not set as an absolute test. It is set as a reasonable test, and there are a number of things in the preamble that are suggested that one would balance in making these types of determinations.

We also recognize that in some cases an entity, a plan or a provider might not know the entire purpose for which they are being asked to make a disclosure that they want to make. We have said that they can reasonably rely on for instance a government official to be asking for the right amount of information for example for oversight purposes or for law enforcement purposes. Again, they don't have to rely on it, but they can rely on it.

We also have discussed the fact that different types of organizations may have different abilities to address or to delimit the information that is offered in a disclosure, because they may not have the resources. They may not have the staff. And that they should make some effort to think of ways to limit, but there is no essentially absolute requirements here.

I think this is an area where we will get a lot of comment. It's a hard concept, but it's an important concept, and we sort of look forward to working this through with people.

The second general rule is related to business partners. Business partners are the folk who do stuff for plans and providers to help them do their business. They are lawyers, they are accountants, they are third party administrators, they are accreditation organizations, and the like who perform services on behalf of a plan or provider.

They often need to get protected health information to perform those services. They may be doing billing, or they may be processing claims. They may be doing an audit of your claims system, so they need the information. There are lots of reasons for it. These are business relationship where we believe there is usually a contract in place between the two entities.

The problem with our authority is that we only have direct regulatory authority over health plans and providers and clearinghouses, who may or may not be business partners. But if we don't extend privacy protections to all of these folks who get information from plans and providers, we really don't have much of a rule.

So what we have done is require that plans and providers have contracts with their business partners; that those contracts have certain requirements attendant to them that say how the business partners are allowed to use the information, require some reporting of the business partners to the covered entity of breaches of the contract or problems with the use of the information.

And we hold covered entities responsible under the rule for the bad acts of their business partners to the extent they know about them or should have known about them, and did not take steps to try to mitigate the problem, and to correct the breach. It is not what we would say is the ideal way to address the problems of business partners. We would rather directly regulate them. But since we can't, this is the approach we have taken. We anticipate a lot of comment on this as well.

The third area I would like to highlight real quickly is the use of non-identified. We have created a term, for better or worse -- my guess is it's almost always worse when you create a term -- of de-identified information. De-identified information is protected health information from which you have removed a set of identifiers.

The folks in this room understand that that is really a difficult concept, because with enough energy and access to other publicly available data sets, you can reidentify virtually anything. We have tried to balance the encouragement of people to remove identifiers with the notion that just blindly removing four or five things often still leaves information sets able to be reidentified easily.

What we have done is taken I guess it's a three step approach. We have listed a set of identifiers in the rule. If you remove those identifiers, you are presumed to have created de-identified information. That presumption holds unless you know, or have reason to know that the people likely to get it can re-identify it.

So if you are relatively unsophisticated, I think there are 18 things. If you remove those 18 things, and you have no reason to know the person you are giving it to can re-identify it, you are presumed to have created de-identified information, and the rest of the rules don't apply to you. I should say they don't apply to you as long as you don't attempt to re-identify it. If you attempt to re-identify it, then the rules apply. You can't de-identify it, then re-identify it, and sort of start anew.

We also know that there are some fairly sophisticated folk, many around this table, who would know through a data set, through their own work, that they may be able to leave some of the listed identifiers on, but they have removed enough other things so that the information is non-identifiable. So we also said that entities who are statistically sophisticated can remove fewer than the identified items if they believe there is very little likelihood that the information could be re-identified.

In terms of implementing this, we have committed to having the Department provide guidance periodically on this issue of sort what it means to try to de-identify information; what the current state of knowledge is as to what types of identifiers have to be removed in order to have reasonably protected data.

We have also in our enforcement, we have said we intend to hold sophisticated entities to understanding the guidance that we put out, and the other literature in the field. So people who are sophisticated, who do a lot of creation of de-identified data sets, and who do a lot of releases to the public will be expected to have knowledge of what they are doing, and be held to a higher standard than to people who very rarely do disclosures, and who are doing their best by crossing off the 10 or 12 things that they think they need to cross off.

What we didn't want to do was create a situation where no one would bother to de-identify information, because it was just so darn difficult, and they never knew for sure. Because we think in most instances it is better to remove identifiers. We want to keep that encouragement there, but we also want to encourage sophisticated entities to use the sort of best knowledge available to do their best. And again, I think we expect a lot of comment on that particular issue.

I'll run through the others pretty quickly. We have created a set of individual rights under the rule. You have the right to see your own information, to make copies of it. You have the right to ask that if there is a problem, if the information is incomplete or incorrect I think it is, that you have a right to have a notation made in the record that would correct that record. I'm sorry, inaccurate or incomplete. And this is pretty similar to what you have seen in most of the legislation on the Hill.

You also have a right to make a complaint to a covered entity and to the secretary.

In terms of how this is carried out, we have a set of administrative procedures to carry out this rule. Probably the most important of which is that covered entities would have to provide a notice to individuals or to patients and enrollees basically. And that notice would have to describe what their rights are under the law. It would have to talk about how the covered entity actually intends to use or disclose their information.

It differs from some of the provisions in the Hill which just say that the notice should describe what you can do under the law. What we have asked is that the covered entity actually describe what they intend to do with respect to the permissive disclosures that are listed in the rule. The ones that they reasonably intend on doing.

If you have are a small provider and you have never had a law enforcement issue, you might not address that in your notice, but if you have had or do anticipate having to deal with oversight or researchers or whatever, you should say what you do.

Covered entities are bound by their notice. They can change their information practices, and therefore change their notice. When they change their notice, they can treat all the information they hold according to the new notice. If you are plan, you have to try to provide a copy of the new notice to all your existing enrollees.

We do realize that that means that some people will get a notice that will in the future not describe what the organization's practices are, because they will change those practices. The notice has to say that the organization can change its practices, and that you should sort of keep up if you are terribly concerned about that.

What we were trying to do there was balance having a notice that actually told you what was going to happen to your information with the fact that organizations do need to change their practices from time to time. Again, an area where we expect to have comment.

Organizations or covered entities have to document their privacy practices. They have to have a privacy official who is a designated employee, who is in charge of this stuff. They have to have keep track of complaints. They have to create a sanctions policy whereby they sanction employees and business partners who misuse information. We're not very prescriptive about how those things have to be, but they have to be.

Two other quick things. One is under HIPAA, we are not permitted, and I'm not sure we would have even if we were allowed to, but this proposed rule does not preempt state laws or federal laws or tribal laws that are more protective of privacy. So this is a federal floor, but there are state laws and tribal laws and federal laws which provide additional protections in certain places. Those laws do apply.

With respect to enforcement, the statute sets forth the penalties, both civil and criminal penalties. We have established a complaint procedure in the regulation. The complaints and the enforcement is going to be handled by our Office of Civil Rights.

I think that's all I particularly have to say. But questions would be great.

DR. LUMPKIN: At this point we'll go to questions. I just will remind everyone that we will have a good chunk of time in the afternoon to have a discussion. So we'll try to limit our questions to questions, although it's always tough, because everybody wants to discuss such a momentous document.

Can I ask my question first? Can you just review what a covered entity is?

MR. CLAXTON: I'm sorry. A covered entity is a health plan, a health care provider that engages in one of the HIPAA electronic transmissions -- claims, billing, and such -- and a health care clearinghouse.

DR. LUMPKIN: If, through an authorized process, a covered entity gives identifiable data to a non-covered entity, do the restrictions on further giving this stuff up reside with the entity or reside with the information?

MR. CLAXTON: If they go to a non-covered entity, with the exception of business partners, we unfortunately have very little in rule to say about that. That's one of the areas, if you looked at the press release that came out with this, where we have expressed our dismay with the limitations of our authority.

For instance, when this information goes to a research institution -- let's say it's a research institution that is not a provider for a minute, so there is no question of it being a covered entity. We cannot deal with the further use or disclosure of that information by the researcher. We have asked for comment as to whether or not research disclosures should be made only in the content of a contract with that researcher, which tries to control how they use that information.

You can kind of see how it works for research. You don't see as well how it works for certain other things like next of kin, which maybe you don't care about, or law enforcement, which maybe there are other protections. There's a lot of sort of gray area here where we could try to provide more protections in some areas, but probably not all of them where reuse would be used.

If it's a disclosure to a business partner, someone who is doing work on your behalf, that is not directly regulated, because we can't, but do require a contractual relationship, and we require that that contract essentially be enforced, or else the covered entity itself would be held responsible.

DR. LUMPKIN: Thank you. I'm going to start around this way. Paul?

DR. NEWACHECK: Presumably, there are going to be many hundreds, if not thousands of comments that you are going to get in the next couple of months. Can you tell us a little bit about the process by which you will review those comments and make decisions about changes?

MR. CLAXTON: I'm sure it will be in complete accordance with the APA. Our office doesn't normally do regulations, so our goal is to the extent possible, to have as many discussions with people as we can have. When people make recommendations to us, we have to note those for the comment record, and we'll do that. But we want to have an interactive process to the extent physically possible and humanly possible.

We'll also look at the comments. We have some required consultations, such as with you all. Others are with the states and tribes, and there are just a couple of other organizations which will also I assume we'll also have more interactive comments or engagement with.

We sort of view this as -- I'm true this is true of all HHS regulations -- we want to get this right. We don't think we know everything about this, but are charged with doing it. We are happy to work with people to get stuff right. What we really like are comments that are thoughtful of course, but we also like to know where things don't work on the ground, because a lot of those you can fix.

Sometimes we will disagree on theory and we'll disagree on fundamental principles, and you may not be able to fix those. One way or the other, we're going to have a principle, and we're going to figure out how to do it potentially. But a lot of the details we can figure out how to make work for people, and that's what we would like to do.

DR. MC DONALD: I didn't think I had my hand up, but I did have a question. You must read my mind.

First I would like to comment that -- I've been browsing it as you have been speaking, and this is really very nicely written. And the really attractive part is you give explanations of why you did and didn't do things, which you don't always see in these things. So it seems much more reasoned than maybe some other proposals.

But the question was about research issues. Does this change anything practically at a university setting that is already using the common rule in IRBs to review data research requests?

And the second question is if a university or an organization has a document that can be signed separate or together with the consent form, it says we will be using your data. It's okay to use your data and your tissues, which many universities do. Does that help any?

MR. CLAXTON: To do the second one first, we allowed that. And it is certainly always useful to explain to the individual what you are going to do with their information. We specifically allow with respect to a trial or a research project that you condition the participation in the research on getting their consent to do so.

DR. MC DONALD: I'm not talking about a research project. I'm talking a common situation I think in many university settings where it's a teaching university. You'll have students maybe examining you. We would expect to use your tissues in some circumstances. It's probably still approved. I think it's still IRB-approved, but there is usually an announcement of that sort of thing in the admission forms, things where they admit to the hospital, not to the research project, without knowing what the research projects would be.

MR. CLAXTON: I don't think that's a problem, but I'll note it, and we'll think about it.

DR. MC DONALD: And the tissue specimen thing gets kind of tangled, because it's not literal information, but it's implied information. And a whole lot of things have been gone back and looked at 20 years later and find out for example that a given virus has really been prevalent in a community.

MR. CLAXTON: No, I get it. I don't think it's a problem, but I do think that we need to make sure that it's not a problem. If there are any issues, raise them and deal with them. But I don't think it's a problem.

To your first question, I don't think it's much different from a university who is already essentially following the common rules. There are some additional things that need to be thought about with respect to whether or not non-identified information can be used. So there are a couple of other things that the IRB has to ask itself. But in terms of the process, I don't think it's any different. It's not intended to be any different.

DR. ZUBELDIA: I have a couple of questions that I think will be easy to answer. First of all, what is the implementation timeframe for this? Is it the same as the other standards, three years and three years for small plans?

MR. CLAXTON: Yes.

DR. ZUBELDIA: Because now there are some small plans with the new definitions.

MR. CLAXTON: There are probably some, but there are not very -- yes, I agree with you. I think in almost all cases it's going to be two years after the final is published.

DR. ZUBELDIA: And then on the issue of notice, does the patient need to have notice before the information can be de-identified?

MR. CLAXTON: No. You get the notice essentially the first time you see a doctor, and when you sign up for a health plan. Then you might get it again when they change their practices. If you have information, and then you de-identify it, you are allowed to do that, and then none of the other rules really apply, because that information is not considered identifiable at that point.

DR. LUMPKIN: Bob?

MR. GELLMAN: I have a couple of comments and questions. First of all, I think this is a really good faith effort at producing a set of rules. There always are lots of disagreements on all sides. One of the reasons Congress hasn't been able to do anything is there is no consensus. So you guys are going to get it from all sides, and it doesn't matter what you say.

I have read the rules. I have not read the novel that goes with it, however. I will eventually. I think this is better than I expected, and it's better than some of the Senate bills, although that latter standard is not a tough one to meet.

I do want to make a couple of comments about some of the things in here that I found sort of the most disturbing. We had an experience that happened earlier last year in Maine where they passed a very strong privacy bill, and it put a very high standard on the disclosure of directory information. And it was so disruptive that the legislature came back and essentially repealed it. The put it on hold, and they totally rewrote the bill. It was totally disruptive to the flow of information that people expect in a hospital.

I think you guys have done exactly what Maine did in the first cut, and I don't think you learned anything from the Maine experience, and that's what is bothersome.

MR. CLAXTON: We didn't think we did, but we'll look into it.

MR. GELLMAN: I think what it says is in order to disclose directory information, you need written consent from patients.

MR. CLAXTON: Actually, it doesn't.

MR. GELLMAN: It doesn't say written, but in other places where it allows for consent, in some places it says verbal consent. And here it doesn't say verbal consent, so it has to mean written consent. But in any event --

MR. CLAXTON: The preamble makes it clear that you don't need it -- the preamble makes it clear that it is verbal consent. If we made a mistake in the rules, we'll fix it.

MR. GELLMAN: I didn't read the preamble. Secondly, one of the most disturbing things to me is in the definition of treatment you use the term 'disease management.' Disease management is not a defined term as far as I can tell. And this is another example where something has happened out in the real world that patients have reacted to, and I'm not sure you learned the lesson. And the thing that happened is the Giant Food/CVS Pharmacy disclosures.

Those were justified as disease management, and under the scheme in this rule if a pharmacy or a hospital or a plan wants to do exactly what CVS did in sharing information, a patient can object, and the hospital can say, go away, we're going to do it anyway, notwithstanding the fact that you have an objection.

I think this is very troublesome in that it will allow the transfer of information, even over patient objections, to direct marketers and employers. And I think what is needed here -- I'm not dismissing all of disease management as unnecessary. There are things that are disease management that probably should be covered, but this thing basically authorizes the abuse that people objected to.

MR. CLAXTON: I think there is a question as to whether or not we want to have further definition of terms like 'disease management' in the rule, or whether we want to do that through sort of enforcement guidance, which we would promulgate. One of the problems with doing things in the HIPAA rules is it takes two years to put them in place. And then it takes a year to change them.

To the extent that we can use, as we do through a lot of other HCFA rules, guidance to tell people what we mean by things and how we are going to enforce it, that might be more flexible. I appreciate the comment, and I hope you make that so we can deal with it in the regulation.

We get the point. I worry about how broad treatment and payment is. And then I worry that we don't do enough, and that we lock down stuff for two years that would actually be beneficial to people, and we have to figure out how to deal with that.

MR. GELLMAN: I recognize the need for flexibility and all this. I think that there are a variety of ways. I think this is a term that is going to have to be defined, or at least there are going to have to be some exclusions. It may be that disease management cannot include disclosure to employers, disclosure to police, disclosure to marketers for example.

MR. CLAXTON: We did that for health operations. You didn't read the preamble, but we have a list of things that it's not. So maybe we need to do some --

MR. GELLMAN: I think one of the things that is good in the rules is --

MR. CLAXTON: I'm just clarifying your comment. During a comment period I can't agree with anything that you say.

MR. GELLMAN: You don't have to, not yet. I think one of the things that is useful in the rules is a definition of health care operations is narrower than in some of the Senate bills. And I think that is very helpful.

One of the other things that is a little bit disturbing here is there are really broad exemptions here for basically the federal government. The State Department, DOD, they are basically exempt from this thing one way or another. Public schools are exempt. There is broad access by intelligence agencies, by the Secret Service. The only exemption that I thought was sort of well qualified was the one for the VA, which was fairly narrow.

I think that there is just a problem in that the government says here are a bunch of rules that everybody else has to follow, and we're not going to follow them. Now HHS isn't exempt, so I recognize that. But I just think that this is a threshold kind of a problem, and I think you will be criticized for all of the exemptions.

MR. CLAXTON: We discussed that a lot. We tried to limit the other departments' exemptions to things that had to do with national security or with the placement of intelligence officers. The duty-ready issues with DOD I think will get a lot of comment.

MR. GELLMAN: I'm not saying there shouldn't be any recognize of the special role of DOD. I just think it's too broad. I think that the access and correction rules actually have so many loop holes, as to make them almost useless, and I think that needs to be clarified.

I think in particular since the only remedy that exists is to appeal to the secretary, and since the secretary will only consider procedural problems, that effectively people have no remedies if a provider decides to say I'm not giving anyone access, because I decided that in each case giving access to records would be harmful to the patient. There is no appeal from that, because as long as the procedures have been followed, there is nothing you can do.

And the correction part, similarly, information that came from another source, you don't have to consider a correction for, which means essentially that all insurance companies are exempt from correction, because all the information they get comes from somebody else. Even though they are making decisions based on the information they have, they have no obligation to even consider a correct.

I'm not saying that they have to make a correction, or even that they should take action necessarily without talking to the person who provided the information. But there has got to be an obligation there to correct information.

I think that the other really major problem here, and I'm not going to go into it in detail is the law enforcement stuff. Basically, the provision as written allows any cop to walk into a hospital, flash a badge, not even provide a piece of paper that says who they are or why they want records, and get access.

I know there are a lot of people that want to see warrants. I wouldn't object to that. I think that's probably too high a standard, and I know there are a lot of tensions here. I will say, however, it's a major problem, but I think it's better than what was suggested in a 1997 secretary statement, so I think you guys have made some progress. I know it hasn't been easy, so you get credit for that.

So after all of that, I do have a question. My question is this is going out for comment. You are going to get comment in January. I suspect that you will get tens of thousands of comments, and possibly hundreds of thousands of comments. I know that you raised a lot of issues, and you have specifically asked for comment. The questions is what do you think the likelihood is that you will revise the rules and then put them out for a second round of comments?

MR. CLAXTON: At this point I have no other anticipation other than publishing a final rule by February 21.

MR. GELLMAN: Okay.

MR. CLAXTON: That's our goal. Our goal has been to meet the deadline all along. We're doing the best we can.

MR. GELLMAN: Okay. You won't even read all the comments by February 21, but I won't press you.

MR. CLAXTON: We will do our very best to read and deal with the comments as we can. No one has said we'd get it published, even the NPRM published before February, so we are ahead of a lot of people's expectations.

MS. FYFFE: Just to clarify and follow-up on something Bob said, even though organizations like schools and universities and life insurers maintain individually identifiable information about people, those organizations are exempt from this rule?

MR. CLAXTON: They are, because they are not covered entities. The issue with respect to schools is they may or may not be covered entities, because they often have clinics and stuff, and how you define that is difficult. After a lot of discussion with people in that area, we came to the conclusion that we would propose that we not deal with the school setting, because the privacy protections that are in whatever that -- there is a name of this act, and now I've forgotten.

MR. GELLMAN: The Family Education Right to Privacy Act.

MR. CLAXTON: Yes, and were sufficient, and that we would be doing potentially a lot of disservice by trying to deal with it; FERPA.

MR. GELLMAN: Family Education Right to Privacy.

MR. CLAXTON: Right. That we would be doing damage if we tried to intrude there. To put it bluntly, if you think about the situation of the clinic within a school, and how that fits into the school setting, and then the clinic within an employment establishment, and how that fits in the employment setting. And in fact you may want different things to occur in those two places with respect to the information, or you might not.

There are a lot of really interesting issues there which we grappled with for a while, and we expect through our comment period to grapple with a lot more. But those are tough issues, particularly given our jurisdiction. And that's why we made the decision we made on schools. Actually, what I wanted to come back to is some of things we recognized that other protections were in place.

MS. FYFFE: I have another comment to make sure that I understand something. If a rural physician, solo practice, submits a claim on paper to the Medicare program for a Medicare patient, and then the Medicare program takes that information and puts it into electronic form for processing --

MR. CLAXTON: That doesn't make that provider a covered entity. If that provider uses a billing service that then submits the information to Medicare, then that provider is a covered entity. I'm sorry, the billing service makes it electronic and then submits it to Medicare electronically. So if someone on your behalf, it's not quite your agent, but someone who is acting on your behalf submits a claim electronically for you, then you are a covered entity.

MS. FYFFE: So again, this is a bit of stretch, but if the doctors don't want to be covered entities, then they might be inclined not to use a billing service, but to submit the claims on paper?

MR. CLAXTON: They might be if they think this is so onerous that it undoes the advantages of electronic -- that's possible.

MS. FYFFE: Okay, thank you.

DR. FRIEDMAN: I have a couple of questions, both relating to de-identified data. The first being how and who will determine what agencies or what data sets do not need to meet the de-identified standard that is laid out in here? The entities with appropriate statistical experience and expertise. Who will make that determination?

MR. CLAXTON: The way it's proposed, I actually believe that it's up to the entity itself to make that determination. But it's essentially going at risk, so if you don't remove all those identifiers, you release a data set and it is quickly identified, and then our enforcement people knock on your door. You might have to explain why you are so sophisticated that you screwed up that badly.

I think it's the entity itself. But we had a lot of internal comment on that. I anticipate getting comment on that, and it might be the thing where we want to provide guidelines or guidance about think twice before you act on a thing.

DR. FRIEDMAN: Then the second question, which is related is also under de-identified. And this relates to covered entities. Because we can only regulate health care providers, health plans, and health care clearinghouses, we cannot prohibit other recipients of de-identified information from attempting to re-identify it.

MR. CLAXTON: Unfortunately, if the information is rightfully and righteously sent to a research institution, and someone in that institutions gets it in their head that they want to go get the voting records and 15 other data sets from a state and they do re-identify some of it, we cannot hold that research institution accountable, because they are not a covered entity. We cannot apply a penalty to them. Under the statute we can apply penalties to plans and providers and clearinghouses.

If the covered entity knew that that person existed in the research institution, and that they were going to do this with it, then that is a violation for the covered entity. So if the provider or plan who disclosed the information to researcher knew the research entity was going to try to re-identify it, that is a violation for the covered entity.

But if they didn't know it, but it happens, there is nothing we can do about it. That's why in many places even in our preamble we call for federal legislation so that we can sort of follow the information as far as it goes within the system. We prefer to be able to deal with that, we just can't.

DR. MC DONALD: One comment about the mechanics of this document. If you do a reprint, I notice your table of contents doesn't give page numbers.

MR. CLAXTON: The Federal Register doesn't allow us to put page numbers in, because the way they format it is differently than what we do with it. Whether or not what goes up on the Web can have page numbers, I can change.

DR. MC DONALD: There was a second item with that. The different way of numbering, 1., 2., 3 would be easier to find the sections, because as it is now you start one each time over again, and you don't know which one you are on.

MR. CLAXTON: There is a whole world of this stuff that you don't want to know.

DR. MC DONALD: The second question related to some of the mechanics of this, and maybe if I just read it closely enough I would understand it. But say a researcher at a university wants to figure out whether there are enough cases to submit a grant application. And the care institution has these records on record and they can do that search and then give them a number.

I presume that wouldn't be necessary, since there is no information about individual patients' past. It wouldn't be covered by this? Again, the computer system is looking at individuals, but this transferred information is summary numbers.

MR. CLAXTON: I think that's right, but I have to think about it. There are a number of issues, and we have asked for comment on it related to use, and research use particularly where when people are preparing a project for an IRB, you could get to an endless loop where you have to actually get IRB approval to prepare a project to give it to the IRB. And there are issues about clarifying that, which I think we have asked for comment on, and are appropriate issues to talk about.

DR. MC DONALD: The other part of this is that in the IRB there are additional requirements as I read this, then from what we currently have to do, and additional criteria that have to be met, some of which are fairly vaguely stated.

Given the terror in some quarters of legal assault, and the stress under which health institutions are now operating, I think a very common approach might be, screw it, we're not giving anything to anybody. I don't know this, but one could have a chilling effect on some of the research.

MR. CLAXTON: We have heard that from people informally when the first copy of the rule leaked. We anticipate hearing it more, and we would like comment. I think we asked for comment on the additional criteria, particularly the balancing criteria, which there are people who would -- John, for instance -- would argue is very fundamental for privacy consideration. There are others who think that it will lead to endless debate within IRBs, particularly in those settings where people seem to have endless time to spend on IRBs.

I think those are both valid points. I can't say enough that we are sincere when we ask for comment on how some of this stuff will work, because we are trying to get it right, but this is new stuff, and Congress obviously gave us three sentences worth of guidance.

DR. MC DONALD: You explain why you can't do it, but put the burden on the researcher so that the providers aren't so terrified of what's in it for them anyway, so why should they bother? All it's going to do is cause them problems.

MR. CLAXTON: Right, I understand.

MS. FRAWLEY: My understanding is that electronic health information that is maintained or transmitted is covered under the definition of protected health information. And that if the information is printed out, that the paper record then becomes covered?

MR. CLAXTON: Right. Well, actually the information is covered, and any other paper record that exists in it as well. It's not just in the particular computer printout.

MS. FRAWLEY: So the actual medical record itself would be considered protected?

MR. CLAXTON: If the information within that medical record that has been electronic is protected.

MS. FRAWLEY: Now supposing we have a medical record, and then we enter information electronically, so we are creating information for one of the specified transactions. The electronic information is covered?

MR. CLAXTON: And so is the information in the source document that became electronic. If there are notes in the source document that have never become electronic, they are not protected. And that leads to some confusion. The way to get around the difficulty is treat everything as if it is protected.

MS. FRAWLEY: Right. That would make the most sense. I just wanted to make sure I understood.

MR. CLAXTON: Yes. And we have asked for comment on that. We have asked for comment as to whether we should just make an attempt to cover all paper records in covered entities period.

DR. LUMPKIN: Richard?

DR. HARDING: Mr. Chairman, I apologize for coming in late, and I didn't hear the rules, so to speak. Are we going to be talking this afternoon more in depth about these, and so this is just questions and brief comments?

DR. LUMPKIN: Yes.

DR. HARDING: Thank you. Let me rethink here, and come back to me in a minute.

DR. LUMPKIN: We don't usually allow new members to speak at their first session.

DR. KRAMER: I was just curious, are there any distinctions made between the type of entity and the rules that apply to types of entities? For example, are they different for a large insurance company, and their ability to access information, as opposed to a single hospital or a university?

MR. CLAXTON: There is a lot of discussion in this about what we call scalability. We didn't invent that, but it's another rule which does express the idea that the amount of effort and expense that is anticipated to comply with the rules does vary with the sophistication and the experience and the size and the resources of the organization.

So you would expect a large, sophisticated entity to have much more structure in place to protect against misuse, and entities which do a lot more electronically, which disclose more should attend more to the potential problems than a small physician's office where they very rarely ever do this kind of stuff. If they do a research disclosure, it is usually someone coming in and abstracting some files and crossing stuff out.

They are obviously going to have different stuff, and we anticipate that. What we are looking for is people to think about what they are doing, and to make some effort to reduce privacy risks. At least that's what is stated in the proposed rule, and we're getting comment on that like everything else.

DR. COHN: Gary, I apologize. I was actually just trying to pull up my copy of the administrative simplification legislation to review it. I was trying to figure out the relationship between the entities covered by the proposed rule for the privacy versus the security provisions. My memory was -- and once again, I was just trying to refresh my memory, was that security covered all identifiable information maintained electronically. Am I correct on that?

MR. CLAXTON: No, I believe you are incorrect. I believe that the security regulations made all individually identifiable information maintained by the entity. I believe the security regulation does not talk about the word 'electronic.' And if you go much beyond this, I'll have to get a lawyer.

DR. COHN: The reason I was asking had to do with, at least as I look at the abstract, you talk about scope. Maybe it's covered by the proposed rule, health care providers who transmit health information electronically, as opposed to health care providers that maintain health information electronically. I was curious about if there was a distinction there? This has major ramifications for the implementation.

MR. CLAXTON: I understand the question, and I don't remember the legal basis for the distinction, so I'm not going to speculate on it. I think we explained in the applicability section why the rule is applied the way it is, and asked for comment whether or not it should be applied different. I guess I think you should probably read that. In the preamble I think it's very well stated.

I think there is a provision in HIPAA that straight up says who covered entities are. There is a provision that says the standards in this rule apply to these three things. And I think it says all health plans, health care clearinghouses, and then it says health care providers who do something with electrons. I don't remember what the exact phrases. In my copy it's kind on the bottom right-hand corner of about the third page in administrative simplification. I can't think of the -- section something 74 comes to mind; 1174A maybe? Oh, 1172A.

DR. LUMPKIN: I've got a question, and maybe it's because it's hard for me to figure out with all these dos and de, and is exactly what applies to what. On what we were handed out today on page 290, which covers disclosures and uses for judicial and administrative procedures, which is under 164.510. Item 1 says in response to an order of a court or administrative tribunal. That seems to be fairly broad.

MR. CLAXTON: This section deals with when information is subject to lawsuit, or subject to an administrative proceeding, and it might be part of the evidence. If you think about lots of lawsuits for instance have discovery attached to them where one side or the other wants protected health information as a part of the evidence that would be available in the lawsuit.

Actually, in the secretary's recommendations we had not suggested much here. In what we have proposed is more similar, although as I understand it, we didn't get it all right if we were trying to copy Jeffords. I'm not sure we were.

It requires a court to find that protected health information is relevant to the proceeding before that can be gotten as part of a discovery order, either administrative or judicial. Or it requires that the health of one of the parties to the suit be at issue in the suit, is essentially how it is addressed.

DR. LUMPKIN: I guess the reason why I'm confused is because the second item in there is more restrictive, where it talks about someone being a party to the proceedings, that their medical condition or history is at issue.

MR. CLAXTON: If you think about lawsuits against a hospital for instance, one litigant might contend that there have been a number of other cases where this same malpractice has occurred. I do not know if that stuff is discoverable or not, but I know a party would certainly try to do that.

We would not allow that to happen under just a normal request for discovery unless a court had decided that protected health information was relevant to the case, and that could be part of discovery. And the court could then limit it anyway it wanted to. However, if you are having a lawsuit where an auto insurer is in the litigation with one of its policyholders over whether or not someone was injured in a car accident. The person says they were injured a lot. The auto insurer doesn't agree to it.

That person has put his or her medical condition at issue, and discovery could occur with respect to that person's medical condition. That is what it is meant to address. Now whether or not it is focused as well as it should be, we have tried to, but again, we appreciate comments on getting it better.

DR. IEZZONI: A lot of health plans are now required to survey patients. For example, the MCOs through Medicare have to conduct various surveys, for example the Health of Seniors Survey to look at quality of care issues. And that information presumably is put into some sort of electronic form, although it is obviously not in the administrative transaction source of electronic forms. Is that kind of information collected directly from consumers covered by any of this?

MR. CLAXTON: Yes, to the extent it is held by a plan or provider, it would be protected health information. And if it's the type of stuff -- yes, it is. And they really should not disclose it as authorized by the rule, or even use it except as authorized by the rule.

DR. HARDING: I'm Richard Harding. I'm a psychiatrist. That's my informed consent to you. And an orthopedic patient.

I first wanted to congratulate you on this. I think that you put a tremendous amount of work into an impossible topic. I think as Bob had mentioned, this is a very good start, and I wanted to congratulate you, especially on the issues of preemption and incentives for de-identification of data. There was one more, minimum amount necessary for particular purpose release. I think I want to really congratulate you on those. I think those are moving in a good direction.

There are a couple of questions, and I'll just comment, because I know this afternoon we're going to go talk further. But one of my comments would be on the basic thinking behind the fundamental change going from informed consent over to more presumed consent for treatment, payment, and then health care operations. That of course is a change.

It's something that we have discussed around this table for years. It's been discussed in many places, but this is kind of the first regulation that has clearly stated that. That there is a sea change there. Maybe this afternoon we could talk more about that. But philosophically that was determined on the basis of? What kind of led to that?

MR. CLAXTON: There are a couple of reasons. Again, it is a proposed rule, and this is an area where we anticipate a lot of discussion. What concerned us is that a lot of the consents that obtained today for treatment and payment and the like are not really voluntary consents in the sense that you sign them. I actually went back to my files to see if I could look at a few, and I realized I don't even get it. No one offers a copy of it to you. So we were concerned about the course of nature of the consents.

And in thinking about some of the legislation that is proceeding on this, we are also concerned about a lot of the logistics. I understand that principles should not be governed by logistics. I'm not suggesting that it should be. The coercion part is the strongest argument to me.

The others though are when you enter the system now, you go see a lot of different people. I don't know if you should be getting a consent from every one of those sort of major points. I'm not assuming that the technician who draws your blood, you need a consent, but when you go from one doctor and you go to the specialist, and you maybe go down the hall and see somebody else, I don't know how each of those persons is supposed to know what you have consented to in the first instance.

Also, another set of questions, and these are things that we would like comments to tell us how to work out actually. I anticipate engaging a lot with the organization that represents maybe you and other psychiatrists and lots of other folks.

If the plan and the provider ask for different type of consents for treatment, payment, and operations, how do you reconcile those? If we require in the rule that they say the same thing, and that everyone has to get them, then we haven't done anything more than what we have already done. So if they don't get to be different, I don't know what advantage they have. And if they do get to be different, I don't know how they work. I'm just saying I don't know, meaning I don't know. The fact that I don't know actually wasn't relevant. It's that we didn't know as a group.

In a lot of these there is the right to revoke a consent. I don't know what you do with that, because again, you might revoke the consent with the sort of entry point, but then there are a lot of other people who have relied on that consent, or may not even know about it. Whose responsibility is it to sort notify all those people that the consent has been modified or revoked?

To me, these are really hard things to get at. And I don't know what we get out -- I understand it's a change philosophically, but a little bit of me believes it's a change philosophically, but most of the protection that comes from current consents is actually for the provider, and not for the patient, because the provider can always point to a paper and say see, you said I could do this.

And I would be less interested in keeping it for that purpose than for keeping it if there was some true protection of patients that we were giving up here. What we really want to understand is are patients really worse off under this system? How do we get them into the best position we can?

DR. HARDING: I would feel better if it was a help to patients consent or their privacy, as opposed to it just being on the basis of efficiency.

MR. CLAXTON: If we can make those other things work, and if the burden is acceptable to the people who have to undertake that burden, I'm sure that we would want to seriously consider improving the privacy protection here if the burden is manageable and acceptable to the people who have to undertake it, and if it really does protect the individuals more.

DR. HARDING: I won't go on because of this afternoon, but just two other things this afternoon that I would like to talk about. One is the employee/supervisor access. That's something that we had lots of testimony on, a great deal of concern. And the other would be law enforcement of course, which has been brought up several times.

Thank you.

DR. LUMPKIN: Last question, Paul?

DR. NEWACHECK: I have two questions regarding enforcement. First, can you tell us which agency or agencies within the Department will be responsible?

MR. CLAXTON: The Office of Civil Rights.

DR. NEWACHECK: Are there going to be new funds allocated for monitoring and enforcement?

MR. CLAXTON: We certainly anticipate requesting additional funding, yes.

DR. NEWACHECK: My second question concerns the statement in your summary that there is no statutory authority for a private right of action for individuals to enforce their privacy rights, which I presume means that individuals are not permitted to sue, or not given the right to sue an entity that violates --

MR. CLAXTON: Our regulations cannot extend a right to sue. Whether or not the duties created in our regulations would in any way create a common law or other state law right of suit is a matter of state law.

MR. BLAIR: Could you repeat that answer? I'm afraid there was some noise in the background and I could hear you.

MR. CLAXTON: I said our regulations do not extend the private right of action. Our regulations create duties with respect to covered entities to individuals. Whether that is that the stuff that could have a lawsuit be based on it under state law is a matter of state law. I don't know one way or the other. But we certainly duties between individuals and covered entities, and in some cases those might be actionable; I don't know. We cannot extend one though in this regulation.

In terms of the administration and stepping away from the regulation, we support a private right of action as part of a privacy law, which we would like to see enacted.

DR. LUMPKIN: Well, Gary, thank you very much for coming. Despite your claims of not being a lawyer, you certainly answered these questions with aplomb.

I just have one final point of curiosity, and maybe I can ask you later, but who did you really get upset so that you got this assignment?

MR. CLAXTON: We volunteered.

DR. LUMPKIN: Certainly from the comments of the committee, we all think that you did a very good job with a very difficult subject. And we don't envy you the task of going through all the comments.

MR. CLAXTON: Well, thank you very much, and I look forward to more discussion as appropriate under the APA, and working with folks to try to get this regulation right in the final. That's what our goal is. Thanks.

DR. LUMPKIN: And speaking of assignments, Lisa.

Agenda Item: Presentation of Medicaid Managed Care Report for Committee Approval - Dr. Iezzoni

DR. IEZZONI: We're back. Medicaid managed care report, people should have gotten by Federal Express a couple of weeks ago the final version of the Medicaid managed care report. Just to remind people what happened in September, in September we reintroduced the report to you, and proposed adding two paragraphs, or two topics regardless of how many paragraphs they took.

The first was kind of overarching context, in which we pursued the Medicaid managed care project. And the second one was looking at the fact that our project did not directly focus on the confidentiality implications of the data collection and reporting that we were discussing.

Kathleen Frawley very kindly and in a timely way drafted some language that she and I went back and forth about a tiny, tiny bit. You will see that on the second page that we proposed. Carolyn Rimes drafted language about the context that she and I went back and forth about a little bit, and you will see that one the second page as well.

On the first page are a few kind of minor editorial changes that we made based on comments from a variety of people. You will not see in this document the executive summary. Carolyn Rimes was actually quite sick for two weeks. She is fine now. But she really, because of her illness, did not have a chance to write the executive summary. However, let me assure you that the executive summary will be basically lifting entire blocks of text without changing any words, and just putting it someplace that has executive summary as the title.

So I guess what I'm proposing right now is that we see if we can approve this language for those two topic areas, and see if we can get approval from the full committee to move this report out.

DR. LUMPKIN: Is there a second?

DR. COHN: Second.

DR. LUMPKIN: It has been moved and seconded. Is there discussion? Kepa?

DR. ZUBELDIA: I have a small editorial comment on the next to the last line on the second paragraph. It says along, and it should be alone.

DR. IEZZONI: Thank you. That's very good. I like people to find typos.

DR. KRAMER: I just noticed on the last sentence under this context, it refers to developing and improving information. It seemed that most of it was about information collection. So I would just suggest adding the word 'collection' in there.

DR. IEZZONI: I'm not sure the committee would agree that that's what this is about. I think information collection certainly is part of it, but certainly in our hearing we mostly focused on what people wanted to know, which was information. We didn't really focus on exactly how you would collect it.

MR. GELLMAN: I had raised some objections to this report on the privacy basis of its failure to deal with privacy. And at some of the language that has been proposed to address it is language that I originally gave to Kathleen Frawley. There is a paragraph that I proposed that is not here, and I want to read it.

"The lack of any substantive discussion of privacy is nevertheless a shortcoming here. It would have been valuable to explore the privacy consequences of the recommendations, to consider technical solutions that allow use of non-identifiable patient data, and to weigh privacy interests more expressly and more carefully against the needs identified here for more use of patient data. The committee hopes to more carefully incorporate privacy issues in future reports."

This sort of all got boiled down to a sentence or two. I'm not going to quibble over that. I am going to vote no on the report, because I think it is fundamentally flawed in that it did not consider privacy in its conception. There is nothing we can do about that now. The report is done, and at least there is some recognition here that the report doesn't address an important issue. And I am at least encouraged by the reaction of the committee in putting this off, that perhaps this won't happen again.

DR. IEZZONI: Let me respond to that. You're right that we didn't formally ask for specific privacy experts to speak to us. However, we did go back to the questions -- we have written documentation to the questions that we did ask for everybody who spoke to us at the hearings, and we did specifically ask if they had any comments about privacy and confidentiality. And we have documentation of that. So that was at least a question that was asked to the people who spoke to us in the hearings.

DR. FRIEDMAN: I have what I hope is a trivial editorial comment, which is in the second paragraph, reviewing and adjusting information practices. Just for the sake of clarity, I would suggest adding something such as focusing on privacy for the managed care part of Medicaid alone will be challenging. At least when I first read that sentence, it took me a couple of re-readings and going back to earlier sentences to really quite understand what it was referring to, or what I think it is referring to.

DR. IEZZONI: Kathleen, does that seem okay?

MS. FRAWLEY: Yes, that's great.

DR. IEZZONI: Can I just ask a process measure? Is somebody, Kathy or somebody taking notes of this, because I actually can't take notes very well. So is somebody recording these editorial suggestions?

DR. ZUBELDIA: The gentleman in the back raised his hand. He is taping it.

DR. IEZZONI: We're just going to need this sooner than they are probably going to have the transcript, to try to get this out.

DR. MC DONALD: Why we suggest that those who made them, submit them to you in writing?

DR. LUMPKIN: If could just mark on the page.

DR. IEZZONI: Okay, because I just don't write quickly.

DR. COHN: First of all, Lisa, you have my sympathies. I do understand you are trying to get this off the subcommittee docket and passed. I actually had a couple of questions. Number one, I'm actually fine with the wording as it is, especially as it's been modified. But I do have questions about where some of the stuff is stuck, since it's just sort of sitting here. You have language about confidentiality, and you have language about historical context, and I wasn't able -- is this already in the report?

DR. IEZZONI: That's actually a really good question. The context paragraphs come right at the very beginning. And that's a good question. I'm not sure where Carolyn put the privacy language, but obviously it would be at the end of the introduction or someplace right up front of what we did. It certainly wouldn't go in the background.

DR. MC DONALD: Wasn't that going to go in an appendix?

DR. IEZZONI: I don't think so. Why don't we say that it should go at the end of the introduction and purpose? That would highlight the fact that it's a limitation. That would be the last sentence of the introduction.

DR. COHN: So what's seeing on page 2 would be introduction, and probably also I presume, parts of it would be in the executive summary?

DR. IEZZONI: Yes, probably both of those things would be entirely reproduced.

DR. COHN: Now I had one other question having to do with some of the appendices, since none of them are included. Most of them are relatively straightforward. Most of them I understand what they are, although I was curious about Tab C, which is described as a focused study of Medicaid managed care contracts, which I am trying to remember if I have seen in previous iterations. I remember there were some issues if indeed that is the same document that I remember. What is that study?

DR. IEZZONI: You mean under --

DR. COHN: It says Tab A, Tab B, Tab C, and in the back here --

DR. IEZZONI: Appendix Table C.

DR. COHN: No, it says Tab C. Is it Table C? I'm looking at the list of appendices that are included with the report.

DR. IEZZONI: I think it means Table C. So if you turn to the back, you will see a page that says appendices. And then turn to the next page that says Table C.

DR. COHN: Well, actually what I saw was at the very end a blank page that says Tab A, with nothing included, a blank page that says Tab B, with nothing included, a blank page that says Tab C, with included, and a blank page that says Tab D, with nothing included. Now I may be mistaken. Maybe this is really tables, but I had presumed it was that area that we referred.

Table C is described as the federal legal framework governing data collection and reporting.

DR. IEZZONI: Right, and that's what it says, overview of federal reporting requirements.

DR. COHN: What is it?

DR. IEZZONI: Focused study of Medicaid managed care contracts. It's what our subcontractor did looking at the Medicaid managed care contracts, pulling out the language relating to the data reporting. It's a very lengthy document that -- has the committee seen it before? I don't know whether you saw it in June or something. It's just directly going through all the texts of all the Medicaid managed care contracts that the contractor has in their database, and just pulling out the language.

I mean certainly I'm sure that -- again, I wasn't at the June meeting, but I think that the whole report was provided at that June meeting, and that that would have been included in that.

DR. COHN: I think the reason I'm asking, and once again, I'm trying to remember back to June. I will apologize. My long-term memory may be fading at this point. But I remember that this actually used to be I believe, part of the report. And I think there were some questions about it, and so it was --

DR. IEZZONI: No, the thing that was part of the report about which there were questions was a draft contract language. The draft contract language has been totally removed from anything around this report.

DR. COHN: Maybe that's what I was thinking of looking at this.

DR. IEZZONI: This is just a factual review of what language is in existing contracts with states with their Medicaid agencies around data reporting.

DR. LUMPKIN: Wasn't this the one that had particularly critical comments about a large staff model HMO on the West Coast.

DR. IEZZONI: Again, I wasn't at the June meeting, so I'm not going to comment about that. But I heard about that.

DR. NEWACHECK: One comment on the title page, and we talked about this in the subcommittee. It says that this was prepared for the subcommittee by the George Washington University Medical Center. It appears by reading that, that this is like a contractor report. I think it really reflects the subcommittee's views and thinking and all that, rather than the contractor's view. They helped us with it. I'm wondering if we can change that to say something like prepared with the assistance of or something like that.

DR. IEZZONI: That's a great idea. You know we did talk about that at the September meeting. We have our title up at the top, but it kind of loses it by the formatting of the page. So I think that that's absolutely right, because the recommendations really came from the subcommittee. They were not drafted by the subcontractor.

DR. LUMPKIN: Okay, so that change is there. Any other comments? Are we ready to go to a vote?

DR. IEZZONI: And, John, remember, this has to go off to the secretary under your signature. So you might want to just pause and see if anybody has any more questions.

DR. COHN: Overall, I think it's a fine report, and I'm happy to support it. I'm just a little uncomfortable with the fact that it isn't completely together. We're still talking about where paragraphs go. We don't have an executive summary. So I'm to support it and vote for it. I'm just trying to think of how we look at that before providing comment.

DR. IEZZONI: Why don't we ask the executive subcommittee at their December to approve the final version of it? That would be my proposal, because quite frankly, we send out huge stacks of this stuff, and we don't back that many comments from folks until we get here. So there have been a number of trees that have sacrificed their lives over this.

DR. MC DONALD: This is procedural. I thought we had a motion on the floor to approve it, and I would like to basically say we vote for that motion, or maybe amend it to say that the details will be double-checked by the executive committee. I think we have had adequate time to review it, and we have gotten these things, and we have said where they are going to go.

DR. LUMPKIN: So when we have the final thing, it will go out to the members before it is released and signed?

DR. IEZZONI: No.

DR. MC DONALD: We are voting to approve it, and with the specific caveat that the executive committee will make sure things are in the right place.

MR. GELLMAN: Can I suggest some Capitol Hill language?

DR. LUMPKIN: Please.

MR. GELLMAN: When things are approved, committees ask somebody on a committee has unanimous consent that the staff be permitted to make technical conforming changes to the report to the legislation just approved, and we could do the same thing here. Let the executive committee make technical and conforming changes.

DR. LUMPKIN: So the motion is to approve this document, enabling the executive committee to make technical and conforming changes.

MR. BLAIR: Now does that really cover the fact that this will be the first time anybody sees the executive summary? I would just simply hope that the executive committee would have the opportunity to read and carefully consider whether the executive summary has the balance and message.

DR. IEZZONI: I think the executive summary will probably consist of the introduction and the recommendations. It's going to be entire portions. It won't be a sentence from here and a sentence from there. It will entire segments.

DR. LUMPKIN: If there are any members who would like to see the document at the same time as the executive committee, please let staff know, and they will have an opportunity then to have input.

DR. MC DONALD: Call the question.

DR. LUMPKIN: Actually, I was recognizing Kepa before we called the question.

DR. ZUBELDIA: Can I suggest that the executive summary be circulated by e-mail for information purposes only? And if anybody has any special need that be reflected to the executive committee.

DR. IEZZONI: Fine, no problem. Kathy and Patrice, as soon as Carolyn has the executive summary, that's basically the introduction and the recommendations, that it be circulated electronically to committee members.

DR. LUMPKIN: And the executive committee. Okay, so we've got the motion. Are we ready to vote? All those in favor say aye. Opposed? Any abstentions? One abstention.

[Whereupon, the motion was passed with one abstention and one member opposed.]

DR. IEZZONI: Is this the last we have to hear of this? Nothing in life is a promise. Thank you everybody.

DR. LUMPKIN: Thank you. We're scheduled to take a brief break.

[Brief recess.]

DR. LUMPKIN: Tony D'Angelo is the co-chairperson of the HHS Data Council Working Group on Race and Ethnicity. He will be presenting to us on race and ethnicity data.

Thank you, Tony. Welcome.

Agenda Item: Race and Ethnicity Data - Tony D'Angelo, Co-chairperson, HHS Data Council Working Group on Race and Ethnicity

MR. D'ANGELO: Good morning everyone. I'm going to be talking about the Department's plan to improve the collection and use of racial and ethnic data. This is actually a product of two work groups. One is the working group to the Data Council, which is the Working Group on Racial and Ethnic Data. The other is a group tied to the Department's initiative to eliminate racial and ethic disparities in health.

The data group was charged with coming up with a report dealing with the data issues and the disparities. When we started preparing this report there was a lot of background information from previous reports, because this is not a new issue. This has been addressed in various reports.

[Technical difficulties with the slides.]

You do have a handout that has all of these slides.

DR. LUMPKIN: So we can go through these. The folks on the Internet can't see these things anyway so. It's good that you're prepared with the handouts just in case technology fails.

MR. D'ANGELO: We can continue while they are working on it. I was saying that this is an issue that has been studied quite a bit in the Department. Unfortunately, there is a lot of documented recommendations, but not too many of them have been carried out. So we hope to change that with this report.

What we are trying to do is come up with an overall strategy for the Department. But what we have had to do, because this is a joint report, and we are tied in with the disparities of the initiative, we are also incorporating the recommendations that came from the six focus areas that were part of the disparities initiative. But the final part of the report is a specific action plan for the department with key recommendations on how to improve racial and ethnic data in the Department.

This is basically the table of contents of the report. We discuss contributing factors to racial and ethnic gaps. We look at the disparities that were identified in the focus reports. We look at measures of racial and ethnic discrimination, the data issues tied to that. We look at what has been documented in the previous reports, and Healthy People 2010. We discuss how racial and ethnic data are used. And then the real meat of the report is the Section 7 that the detailed plan with all the recommendations.

This report is draft right now. That's why I can't share it with you. But I have extracted the key recommendations, so at least you will be able to see the recommendations.

In the section dealing with the contributing factors, basically what that section says is that race is much more than a biological concept. That there are many social and cultural factors involved. Genetics alone can't explain the differences. You have to look at things like income, perceived discrimination. Many social and cultural issues come into play.

When we looked at the focus reports from the disparities initiative, each of the groups came up with their own report dealing with their issue like infant mortality or diabetes. And we looked at in those reports, any data issues that they brought up, and their recommendations. And we brought those forward into our report.

The recommendations in each of the six focus reports are typical of what we would have expected. And so we were already building those recommendations into our report anyway. But they deal with the need to collect more racial and ethnic data; increasing accessibility of existing data; encouraging analysis; making sure that the racial and ethnic groups are represented on key data committees; and promoting geocoding.

Now the discrimination initiative is something that is just coming down the pike. The president has charged five departments with coming up with looking at data and how discrimination is affecting health care. What we need to do is we need to look at how intentional or unintentional biases may restrict access, and result in differential quality of care.

What we are first doing in the Department is looking at our current data systems to see how well we can measure discrimination with the current data systems, or if we need to modify those systems. Or what the gaps are, and therefore come up with new ways of measuring discrimination.

But the Department is just starting to deal with this particular initiative. So because it's in the early stages, our report doesn't really go too far into the discrimination initiative. So it just touches it lightly. But as the department gets more into this, then there will need to be a separate report that deals more with the data needs tied to the discrimination initiative.

When we looked at Healthy People 2010 and all the testimony that was done at the various meetings across the country, and we looked at the previous reports, we pulled a lot of recommendations from that testimony and from those previous reports, and we have carried them forward into our report.

There is also a section that talks basically about how racial and ethnic data are used, not only in the government, but in the private sector. It is the typical reasons that you would expect: monitoring patterns of disease and treatment; planning programs; allocation of money; advocating for racial and ethnic programs; formulating policy evaluations; and in the private sector; and marketing.

As I said, Section 7 of our report is the detailed plan. In that Section 7 we have 10 major overarching recommendations. And then we have divided the other recommendations into four main categories: data collection; data analysis and interpretation; data dissemination and use; and data research and maintenance.

These are the ten major recommendations:

Number one, we believe there is a need to develop a long-term schedule for the periodic targeting of racial and ethnic groups in the national surveys. Right now, for example American Indians, when the Health Interview Survey is conducted, there is really not enough American Indians picked up in the primary sampling units to come up with reliable estimates. And the only way you are going to be able to do that is really not to oversample in the existing PSUs, but actually set up new PSUs to target the American Indian population.

Now to do a national survey on American Indians would be quite expensive, and perhaps would not even be feasible. So what we are leaning towards is more targeting particular groups. Like if we decide that we want to target Indians in the year 2003 in the Health Interview Survey, and there is going to be a supplement dealing with smoking. And smoking is a problem in the Northwest, then we just may target Northwest Indians in that particular health interview survey.

And of course it would be done in conjunction with the Indian leaders in that particular area so that we come up with a sample and modified questions if necessary, that would meet their particular needs. What we plan to do, the idea is that rather than do this haphazardly, the Department, working with the agencies and the various racial and ethnic groups would come up with a schedule over 10 to 20 years that says Indians are oversamples or special sampled in 2003 in the HIS. That Asian and Pacific Islanders are looked at in 2004, and so on and so on.

And that it wouldn't just be special sampling for the sake of special sampling. We would try to tie it to meeting particular information needs of those groups. But unless we come up with some type of schedule, we feel that these groups continue to fall through the cracks. So that's why we think it's important that the Department actually put this in writing and come up with a long-term schedule.

The second recommendation has to do with the HIPAA standards. We want to make sure that the racial and ethnic identifiers are included in the HIPAA standards.

The third one deals with Healthy People 2010. That there are many non-developmental objectives where there are not sufficient data for the racial and ethnic groups. So the priority would be to fill those data gaps for the disparities initiative first, because that's a key initiative for the Department. So we would focus on those initiatives first, and then go to the other data gaps.

The fourth one has to do with expanding or establishing new registries for the chronic conditions, again focusing on the disparities initiative.

We also think it's important to produce state level data as feasible, especially in those states where there are high concentrations of the various racial and ethnic groups.

It's also important to support analysis of the existing data, and to encourage minority researchers wherever possible.

I think it's important to develop aggressive public use data release programs, and support these with contracts and grants, and periodic data user conferences. Also to publish the racial and ethnic data in national reports on a periodic basis.

Training is also very important to improve the collection of racial and ethnic items, looking at programs to train registrars, funeral directors, and physicians and hospital personnel in completion of administrative records.

And the tenth major recommendation has to do with making sure that the findings go back to the communities where the data is collected. Here we are talking about the targeted studies. If we are targeting Hispanics in Los Angeles, to make sure that group gets back the results of that particular study.

These are the other recommendations in the data collection area. There are actually more than I'm going to show you. These are the ones that are in the executive summary. There are more recommendations in the main part of the report.

Geocoding -- we think geocoding is important, so we're saying that there should be feasibility studies dealing with geocoding. And that geocoding should be part of national data systems.

In terms of the discrimination initiative, we want to make sure that we want to take a look at our existing data systems to see whether we can measure discrimination in our existing data collection systems, and modify or come up with new systems as appropriate. Our initial assessment is that our data systems right now really don't do a very good job in terms of measuring discrimination. We are probably talking about modifications or new systems for discrimination.

We also are recommending that we look at the impact of program interventions to see what is working, so therefore we can develop our best strategies for addressing disparities.

We think the Department should advocate for the inclusion of racial and ethnic data on administrative records, and in particular this ties back to HIPAA and the enrollment transactions.

We also think there is a need to conduct a forum to improve the coordination of racial and ethnic data collection, analysis, and dissemination. This would be a forum in conjunction with the states. And we think that the federal government and the states need to determine ways how they can best collaborate in meeting these needs.

Because we talked earlier about the fact that race is much more than a biological construct, we think it's important that social-cultural data elements be collected in surveys, research, and administrative records. It's also important to wherever possible, employ culturally and linguistically appropriate interviewing techniques, and of course consultant communities on cultural factors.

We need to insure that future patient record systems meet public health and clinical needs especially for the racial and ethnic groups. We think it's also important to expand existing health databases in Puerto Rico and the territories.

Also, when we are doing analysis, make sure that it's culturally appropriate, and involving persons that are familiar with the cultural factors, and are sensitive to these factors.

It's also important when you are working with racial and ethnic data that you account for any reporting bias that you might have. For example, physicians may be less likely to report certain conditions for racial and ethnic patients than public clinics. So you need to take that into account. Also in analysis, using the social and cultural data to better understand the factors that underlie the disparities.

Because of the fact that there is racial and ethnic misreporting or miscoding on death certificates -- I worked for Indian Health Service, so I know this is a big problem with Indian death certificates that the further we move away from the Reservations, there is a tendency for funeral directors to code American Indians that perhaps don't look Indian in the sense that they would normally think, they tend to code them as white or another race. So unless we adjust for that, we have a big undercount of Indian deaths.

One way of adjusting for that is to use the linked birth-infant death file, which is very good, and also to use results of studies that try to come up with the extent of this miscoding. We have done studies with the National Death Index that give us a good handle on the degree of miscoding by geographic area.

The National Center for Health Statistics is implementing the new age adjustment factor for death rates based on the 2000 population. They have done some studies to see the effect on the black population. We think they need to do studies also to look at how this new adjustment factor will affect the other racial and ethnic groups.

The OMB racial and ethnic categories are being implemented in the year 2000 census, and the federal agencies have to implement these new racial and ethnic standards by the year 2003. So it's important that we bridge the data collected under the old standards to the data collected under the new standards.

Also, ICD-10 is being implemented for both mortality and morbidity, and we need to evaluate the impact of that on the racial and ethnic groups.

The Department has various data retrieval systems such as WONDER. And we believe that there is a need to expand some of those systems so that racial and ethnic data is available at lower levels of geography.

It's also important that we have regional data centers to make this data more accessible, and to provide technical assistance in its use.

There is race and health initiative Website, and we want to make sure that the various agency Websites have links to that Website so it's easier to get to it.

In terms of research, we think it's important to study the issues related to the measurement of race and ethnicity in surveys, censuses, and research. We think it's important to look at how to improve reporting on administrative and medical records. Also looking at the feasibility of using telephone interviews to increase racial and ethnic examples.

Now there are various problems with using telephone interviews. In some of the communities, for example on -- I keep on using the Indians, because that's what I'm familiar with -- but we know that on the Navajo Reservation there is little coverage of phones on the Navajo Reservation. So we are looking at studies that will tell us whether there is a bias when we use households with phones versus households without phones, and how to capture those households without phones, perhaps by giving them cell phones for the purposes of the survey.

We also think it's important to look at not only better sampling techniques, but better questionnaire design.

As I said before about the misreporting or miscoding of race on death certificates, there need be more studies that are done to determine how much miscoding and misreporting there is, and where it's occurring, so that we can develop adjustment factors.

We also would like to look into methods for matching various government data sets, and make sure that we have the appropriate legislation to support that matching.

We need to work with the Census for producing post-censal racial and ethnic population estimates by age and gender, and especially coming up with socio-economic status estimates at the state level and below. It's also important to develop improved measures of income, which is an important social-cultural factor when looking at the disparities.

So those are the key recommendations. Those aren't the only recommendations in the report. As I said, the report is draft right now. It has gone to the Data Council, and we've gotten back comments from the Council. We have revised the report. We are working with an editor right now to fine tune it, and then it will be submitted back to the Data Council for final approval.

It's the Data Council's report, but we are going to recommend that it get widely circulated. Because we think it's an important report, we want people to be able to access that report. But it is up to the Data Council what happens to the report next.

The other thing we would plan to do in conjunction with the Data Council is to develop a detailed action plan, because don't want this to be another report that just sits on the shelf. As I said, this has been the history of the previous reports that have dealt with this issue. We want to make this different. The council has indicated to us that they too want to make this different.

I think the time is right for action in this area, and so the idea would be to come up with this detailed action plan, and to have perhaps I would assume the Data Council be responsible for coordinating the implementation of that action plan.

I'm open for questions.

DR. FRIEDMAN: Just a couple of quick comments and a question. The first comment is that as you obviously know, ethnic variation between health status and health outcomes sort of often overwhelms the race variation. And I think HHS and CDC in the year 2010 objectives have done a really increasingly good job of emphasizing that.

In addition to that, as I'm sure you also know, the generational effects and just length of time in the U.S. also is something that can have a huge impact on health status and health outcomes. Often in some really kind of surprising and disturbing ways. And I think that anything that can be done as well to emphasize that would be especially helpful, especially to the extent that there were groups for whom the longer they are in the U.S. and individuals, the worse the health status and health outcomes. That's the first comment.

A second is on this intercensal race estimates. And that's really essential if we are going to be producing population-based data at the state level, below the state level, and anything that could be done to sort of kick those loose, and help folks at the state level with that would be really helpful. We in Massachusetts produce them, but I think that's really quite unusual, and that would be very helpful.

Then finally in terms of geocoding, geocoding can mean a lot of different things to a lot of different folks. I was wondering if you might be able to just very quickly say -- when you are talking about the importance of doing more geocoding, what you mean, and specifically whether or not it would be attaching actual geocodes at the census or block group level for example, or just attaching census information at the tract or block group level to the, for example, survey data?

MR. D'ANGELO: The report doesn't really get into that level of specificity. It says that we need to study it. Let me introduce Olivia Carter-Pokras, who is actually the co-chair on the working group on racial and ethnic data. She was going to help me in answering questions.

Olivia, do you have any thoughts on that?

DR. CARTER-POKRAS: Actually, the Data Council spent considerable time discussing this. Dr. Nicole Luri(?), our principal deputy assistant secretary for health would like to have geographic identifiable information collected and added to our data systems, particularly regarding grants that we give out for instance. And this is something that we currently are not routinely doing.

In some cases we are collecting geographic identifiable information for some of our national survey, and we are starting to use that information to link to other databases such as the census. So the idea is to be able to expand our ability to do this linkage with other databases. So again, the technical issues are not including it, but this is where we are moving towards.

MS. WARD: My first question was the geocoding, and I think you have answered that as much as you can. I think from practical experience, I like the fact that you have identified the training issue. What we have found in Washington, a lot of the training leads to a practical script or handout that a funeral director can hand to the family that says this is why you need to give this information, and this is how it is used.

That's where they become really stuck, is explaining why when their relative is dead, and what they are dealing with is why do I have to tell you what my relative's race and ethnicity is. They are desperate for the officials, the people who want that data to explain it to them, and even give them something.

So I would just recommend that that part of your training is to look at something that is really sensitive, and really practical for those folks you can train forever, and they will understand why it is practical. But that doesn't help them actually request that information from the families that are with them.

That's true of hospital personnel. When you look at folks who are doing admission in a hospital for someone who is sick. They are saying, and please tell us what your race and ethnicity is. They are desperately uncomfortable, and they are desperate for something that they can answer the question that says why.

And the feasibilities with the geocoding, I'll just ask one other question. What is it that you are testing when you say there is a feasibility study related to geocoding? What is it that you want to know is or is not feasible?

DR. CARTER-POKRAS: Well, this is a compromise. As you know, developing recommendations and action plans are compromises. And here is the need, that we need to get a better handle on how we are spending our dollars, and what the outcomes are of that. That may require linkage to other data systems, which is part of the reason for getting the geographic identifiable information.

But also recognizing that there is a cost involved. And there are also some of these issues that have to be thrashed out. For instance, at the level you are going to be collecting this information. So because of that, there were several who felt that it was premature to make across the board requirement for grant programs to be collecting this geographic identifiable information until we could have a better idea of what the best approach should be for that. So this is an intermediate step.

MR. BLAIR: Help me understand a little bit the scope of what you are doing. From what I was able to understand, you were primarily focusing on discrimination once an individual has access to health care through a provider, which is very important. The thing that I have a concern about is that while there may be discrimination in that area that needs to be addressed, there may be a greater level of discrimination that is systemic of those who don't have access.

From what I understand, there are 44 million people in the United States that don't have access to health care right now. They tend to be referred to as the working poor. If that turns out to be very highly correlated with certain racial or ethnic groups, then in a sense that may be systemic discrimination. Will your report be able to pick up and quantify that type of information?

MR. D'ANGELO: As I indicated, actually our report doesn't really get in very much into the discrimination initiative. That's because the Department is just deciding how best to address the discrimination initiative. So it's in the very early stages.

What you are talking about will be discussed I'm sure, and the Department will need to determine how it defines discrimination, what areas it's going to look at, what types of data collections it's going to need, what types of studies it's going to need. So all this is really premature, though I'm sure what you are bringing up is going to be discussed and addressed by the Department.

DR. ZUBELDIA: In your report, you are looking at combining race and ethnicity, and health information and income. And I think that's kind of an explosive mix. Is it feasible to do this kind of study on a de-identified basis? We heard this morning about the identification of private information. How feasible is it to do it de-identified?

And I understand that geocoding and zip code are some of the things that you need to remove from the data to consider it de-identified, but given your statistical savviness and resources, could you still do it maintaining geocodes and zip codes, but de-identify it?

MR. D'ANGELO: I'm not quite sure what you are getting at. Income is just one of the factors that we are recommending that be looked at in terms of the social-cultural area. Are you concerned about privacy?

DR. ZUBELDIA: Yes, I'm concerned about privacy. I'm concerned about people actually revealing their income when they know it's going to be associated with the race and ethnicity.

MR. D'ANGELO: Yes, it's not an easy thing to collect. It obviously won't be collected on all types of surveys or administrative records. It's collected in the census, and I imagine a lot of this analysis would be tied in with the census. But I know that for example in the Indian Health Service they would not allow us to collect income data at our system. The Indians would view it as means testing, for one thing.

So it's a touchy subject, and we probably in many cases would have to use existing databases that already have income. And only in certain new data collections would be able to pick up income.

Olivia, do you have any comments?

DR. CARTER-POKRAS: Yes, actually this is part of the difficulty in developing recommendations for the Department, because we have such a wide range of data systems. We identified over 180 data systems in the Department that routinely make their data available to the public. As you can imagine, we've got data systems that are based on mean tested programs, where they routinely collect this information, as well as data systems such as the National Health Interview Survey, where we ask questions of individuals.

But because of that, that was one of the reasons why we looked at geocoding as an approach to link to other data systems that perhaps may not give us the individual level data, but may give us information about the community say that folks are living in; some indication of socio-economic status.

But we also have a wealth of data that are already collected, that are not routinely analyzed. For instance, we routinely present data by race and ethnicity, or by poverty status, but we rarely present it crossed. It is to encourage the analysts in the Department, as well as those who use our data as secondary data analysis to go beyond the simplistic presentation of data by race/ethnicity.

DR. ZUBELDIA: Going back to my question, is it possible to do all this in a de-identified basis?

DR. CARTER-POKRAS: Actually, yes. The National Center for Health Statistics has a program that it makes it data available stripping off the identifiers, but getting specific enough geographic information that it can be used for linkage with say census data. You have to of course sign agreements of confidentiality and privacy, but that's one example in the Department where that linkage is done to expand our ability to do this kind of analysis.

DR. COHN: I guess I just have a question following up on what Elizabeth Ward was talking about. First of all, I think this is very good and I want to congratulate you on really trying to approach a very difficult subject. To me, the biggest issue in all of this has to do with trying to encourage people to actually do it, regardless of what administrative transaction it's on, the enrollment, claims transaction or whatever, but it's a hard thing to do.

I was sort of struck as I was looking at your recommendations that at least to me one of the really high priority items is some sort of a public outreach, to really publicize, educate, inform. The closest thing I see here in terms of a recommendation around that has to with evolving, developing training. I'm just wondering is that out of the scope of the authority of HHS? Is this not something that HHS would consider?

MR. D'ANGELO: I believe we do have a recommendation along those lines in the full body of the report.

DR. COHN: Okay.

DR. CARTER-POKRAS: I guess we also need some clarification of what you mean by 'public.' Do you mean the folks who are actually analyzing the data, or are you talking about the individuals who are going to be responding to questions on say an interview survey or something like that?

DR. COHN: I think the public is a large group. It certainly included them that have to complete the records, but it also includes the people that are being asked. So it's a larger, like why are you asking me this is sort of the barrier we need to begin to break down. I think that's really a public issue.

MR. D'ANGELO: That was one of the comments that we did receive, and I built in a new recommendation to address educating the public on why we need to collect data, why it's important.

DR. CARTER-POKRAS: I should point you -- if you are not aware of it, of a report that just came out during the last couple of weeks from the US Commission on Civil Rights that has some very strong language that we need to do a better job of monitoring and enforcing our anti-discrimination laws. They have a lot of recommendations that look at data. And so there is a lot of that discussion about the need to educate the public about the need for the data so we have the tools that we can monitor and enforce the anti-discrimination laws.

DR. FRIEDMAN: A couple of quick follow-up points. One of which is Australia has actually had what I think is a very aggressive campaign, both for data providers, as well as for individuals, informing them of the need to provide race and ethnic data, as well as essentially warning data providers not to take their own guesses.

For example, they've got a poster which shows three or four folks, some of whom are very fair skinned with straight hair, et cetera, et cetera, some of who are not, which says something like can you guess which one of these is an Aborigine, and all they all are. I think something like that for the hospitals, for the funeral homes, et cetera, et cetera, would be really helpful.

Second, in terms of geocoding and the privacy concerns, it does seem that there are some pretty straightforward solutions to maintaining, to lessening the likelihood -- it's not even a likelihood -- lessening the possibility that an individual could be identified through putting a geocode on the data. Which would be prior to for example, NCHS releasing the data, NCHS doing the linkage with the census data at the block group or whatever level. And then taking off a specific geocoded identifier.

DR. CARTER-POKRAS: Actually, that is something that they do, prepare special data tapes.

MR. SCANLON: A couple of things. Part of this public outreach I think will occur in the context of the decennial census, because race/ethnicity information is collected as part of the census. And as that whole ramp up occurs, if anyone participates, there will be a public education effort to try to explain why some of this information is collected. Of course that serves as the denominator as well.

I want to say a little bit about the discrimination initiative. Actually, it's a discrimination measurement initiative, in addition to all of the other anti-discrimination measures. The White House initiative that Tony mentioned I think I briefed the committee on at our previous meeting. It is to look at how specifically we can improve the capability to track and measure and identify discrimination statistically, through measurement and statistics and so on. Then there are a number of policies to actually prevent and enforce those laws.

So HHS is one of five agencies that is looking at this. HHS has been asked to look at the health care setting. What we have done so far is besides the working group looking at the potential of our current data systems to provide some measures here.

We have asked Comte LaViste(?) a former member of this committee to look at the literature and the best practices from the health care area, as well as some other areas that we could learn from, and to come forward with sort of a state-of-the-art report on data and measures, and some research recommendations about how we could proceed. So we're trying to get a framework and kind of a platform, and then we can see a little bit better about how to proceed on the health care setting. The other areas are housing, employment, education, I think criminal justice.

And finally about geocoding, this is an issue virtually all of our surveys have the capacity to provide geocodes literally down to the block level, but there is an issue. We do have guidelines in terms of confidentiality protections, in terms of the threshold for even making that information available.

And NCHS now has a program as Olivia described, where researchers can go to NCHS, use the data for analysis, but never really see the actual local information or identifying information. And you mentioned two approaches, Dan. One is where you attach context profiles in terms of community and so on to the records already in a survey or research study. The other is where you simply code, whether it is zip code, census block or tract or so on.

With NCHS you can at least do an analysis based on this under highly protected circumstances. You can't walk away with any of the individual record data, but you could take away your statistical analysis. That can be done both on site in the data center, or remote access for approved studies. So there is a development now in the statistical programs to allow this sort of analysis while still protecting the confidentiality for certain population thresholds.

DR. LUMPKIN: We're really out of time. I think this is an issue where we are going to be very interested as a committee in following this particular effort. And I would like to thank both of you for coming, and for all your hard work. And I would appreciate some updates. So Tony, if you could come back next year -- well, I guess not.

For those of you who don't know, Tony is retiring at the end of this year. He's retiring. That's the reason why when the machine wasn't working, he seemed to be nonplused about it. So to put things in their proper perspective.

But we did want to take this opportunity to thank you for all your hard work, Tony, in this area, and what you have done with the Indian Health Service in relationship to the data of racial and ethnic minorities in American Indians in particular. Certainly this is something that we intend to follow-up. Thank you very much for coming.

Agenda Item: Committee Process for Preparing and Approving Comments on the Privacy NPRM - Dr. Lumpkin, Ms. Frawley

The next item on the agenda is to -- this item was placed on the agenda in the event that the privacy NPRMs would be issued. Since they have in actuality, we need to establish a mechanism for rapidly getting a committee position to comment upon these particular NPRMs.

I would also want to note that individual members certainly as private citizens, have the right and I'm sure HHS would appreciate their individual comments as part of this process.

We need to make a decision as a committee to move something forward probably by Christmas or the week thereafter. So I don't know if you have any thoughts on how the committee would?

MS. FRAWLEY: My thought would be that we would have a draft letter to the committee for their review and comment no later than December 8, which would give them two weeks to review, which would bring us up to December 22, which would give us enough time to make any changes to the letter, and then have it into the HHS to meet the deadline, and accounting for the holidays.

So the subcommittee would have to begin its process sooner. So the expectation would be that the subcommittee members would have to review the entire notice. And then we would set up a conference call, discuss the notice, and to come up with comments. At which point I would draft a letter, circulate it to the subcommittee. Once they have signed off, have it to the full committee.

So the target date I'm looking for, for the full committee would be December 8. Now I don't know if we need to have a conference call with the full committee.

DR. LUMPKIN: My guess is that we would. So if we have the draft letter available by December 8, then somewhere in the neighborhood of ten days or so after that, we can schedule a conference call. The technology would figure out whether it would be that we have extra lines for the public to call in, or whether or not we would, for the Washington-based folks, have a room at the Humphrey Building with a conference phone. But we will certainly assure that there is ability for public involvement. Then we will try to schedule something in the late teens or early twenties of December.

MR. BLAIR: I think that that procedure is fine. The area that I guess I have some concern about is I think many of the committee members observed when we heard the report on the NPRM this morning, that it was well done, and done under difficult circumstances, and we're dealing in a political environment as well.

And I know that I have some concerns, but I feel as if the concerns I have may be more reflecting the limitations of what can be done with the regulation versus federal law. So the question that I would like to ask to the chair and to the committee is whether it would be appropriate for us to also identify those topic areas which would not involve rewording of the NPRM, which might be as well as can be done within the political environment that we are dealing with, but other issues where we really feel that Congress needs to address those.

DR. LUMPKIN: My understanding is that in what Bob referred to as the novel that was attached with the rules, and from what was said earlier, that there is probably some indication that HHS has also expressed that as being a concern. So I suspect reinforcing that, or identifying other areas, for the committee would be an appropriate role. We are asked through the secretary to advise Congress on these issues, and I think that that would be appropriate in our letter to do so.

DR. IEZZONI: Some of us aren't on the privacy committee, but I thought that there is some content expertise around the table that we might want to harness to focus on specific areas. Andy, are you planning to start research again any time soon? Because I think that there are a number of researchers around the table who maybe, Kathleen, you could call on to really spend more time looking at the issues around research.

There may be public health people around the table who might be able to help -- who aren't a member of your subcommittee, who might be able to help think about the public health issues. So maybe we could identify a couple of content areas where some of us could volunteer to make an extra effort to look at the rules.

DR. LUMPKIN: And perhaps since Andy has not been assigned to any committees yet, we may give him a temporary assignment.

DR. IEZZONI: Don't you dare take him away from my subcommittee, John.

DR. LUMPKIN: Okay, well, never mind.

MR. GELLMAN: I think the idea of people preparing comments, and providing them to the privacy subcommittee is perfectly good. I think that we also have to recognize that now that we have gotten down to more detailed set of rules, detailed focus on the area than when we went over this a couple of years ago, there are sure to be disagreements among people. And we're going to have to be prepared and figure out either to skip those issues, or to reflect different points of view at the same time, or whatever.

There may be some things, depending on what they are and how you want to proceed, on which the committee may take a vote; the committee favors this position. And then there will be another point of view presumably expressed by dissenting members, but you need to be prepared for that.

DR. LUMPKIN: My guess would be that if I were to be in the shoes of the individuals who are having to respond to these comments, and given the role of this committee, that this would probably be some benefit that if there are issues which the committee has made a decision, but for which there was some significant disagreement, I think that's probably something that ought to be in our letter.

But I also think it will be useful that we do at least take a vote on these issues, so at least they can know where the committee prevailed, even though we have a substantial discussion of what the other position was.

MS. GREENBERG: I was going to note, and maybe Kathleen factored this in, but the executive subcommittee is meeting on December 7, which of course will be an open meeting. And you had mentioned December 8. So it's possible that the executive subcommittee, which of course includes the chairs of all the subcommittees, might be able to kind of give a look to the draft before it actually goes out to the full committee. And that would be an appropriate time for it. It seems like it would work out.

DR. LUMPKIN: The so the process will be is that the committee will hold its discussions and make a recommendation by conference call. That will then be made available for discussion at the executive committee meeting, and then subsequently sent to the full committee, which will be ratified at a conference call in the late teens or early twenties of December.

MS. GREENBERG: I just wanted to clarify one thing. You were talking about having a conference call of the full committee to discuss their comments?

DR. LUMPKIN: No.

MS. GREENBERG: Or the comments will be sent by e-mail?

DR. LUMPKIN: The comments should be sent by e-mail in the period of time between the 7th or 8th, when it is sent to the full committee. So that when the report goes to the conference call, it should be a revised letter, if the committee so chooses.

MS. GREENBERG: For a vote, for deliberation?

DR. LUMPKIN: For a vote, because we will need to vote and move it out on that conference call.

Is there a motion to that effect?

MS. WARD: So moved.

DR. MC DONALD: Second.

DR. LUMPKIN: It has been moved and seconded. Is there discussion on adopting this as a process? All those in favor say aye. Opposed say nay. Abstentions?

[Whereupon, the motion was unanimously adopted.]

Thank you. We have a process.

Agenda Item: Committee Process for Preparing and Approving Comments on the Claims Attachments NPRM - Dr. Lumpkin, Dr. Cohn

DR. LUMPKIN: The second item is the NPRM for claims attachments. Simon?

DR. COHN: We have no idea when the NPRM on claims attachments is going to come out. Having said that, the Subcommittee on Standards and Security does have meeting in early December, and then in late January, where depending on the timing of the publication of that NPRM, the subcommittee will review, discuss a letter, hopefully at one of those meetings, finalize a draft letter that can then be circulated to the committee.

Depending on the timing of the release of this NPRM, it may be something that can come up at our February meeting for final discussion and agreement. That would assume that the NPRM is released after I think it's the 25th of December. If it is before that, then there will have to be a conference call for consideration and hopefully approval.

MS. GREENBERG: When are the subcommittee meetings scheduled for?

DR. COHN: There is a subcommittee meeting scheduled for December 9-10. And then in January --

MR. BLAIR: January 31 and February 1.

MS. GREENBERG: This is the full subcommittee, not just the work group.

DR. COHN: Well, in December one day is reserved for the work of the subcommittee. In January, right now it is a work group meeting, but if this becomes an issue, it will evolve into a subcommittee meeting also. I think we have some flexibility there.

DR. LUMPKIN: Is this a possibility that we need to concern ourselves with the process before our February meeting, do you think? Best guess on claims attachments? Do you think so?

So Simon's motion was that the process of claims attachments, should they be released prior to the 25th, that the committee will have a face-to-face meeting, since one is already scheduled in a timely fashion. And then it will be submitted with an appropriate timeframe for there to be electronic discussion. And then we'll proceed to a conference call of the full committee.

Is there a second?

MS. WARD: Second.

DR. LUMPKIN: Discussion? All those in favor of that process say aye. Opposed say nay. Abstentions.

[Whereupon, the motion was unanimously adopted.]

Great. Any other business before lunch?

DR. ZUBELDIA: Let me ask you about the plan identifier. Isn't the NPRM for the plan identifier supposed to come out within the next weeks?

MR. SCANLON: No, it won't be in the next few weeks.

DR. LUMPKIN: Will it before the December 25th? Which I think is kind of our --

MR. SCANLON: I'm just not thinking it's at that stage yet.

DR. LUMPKIN: Okay, no.

MR. SCANLON: It hasn't come through departmental review or the Data Standards Committee yet, so that takes a while.

DR. LUMPKIN: Okay, then we'll have lunch. We're scheduled to start at 1:15 p.m.

[Whereupon, the meeting was recessed for lunch at 12:00 p.m., to reconvene at 1:15 p.m.]

A F T E R N O O N S E S S I O N (1:15 p.m.)

Agenda Item: Plans for 50th Anniversary Symposium - Dr. Lumpkin

DR. LUMPKIN: Before our discussion on the privacy NPRM, we have an update item on our plans for the 50th anniversary symposium.

MS. GREENBERG: Thank you. If you go to page 3 under Tab D, number 6, this reflects the discussion that was held at the executive subcommittee conference call last month on October 13.

DR. LUMPKIN: As you know, the year 2000 will be the 50th anniversary of the committee. Is that right?

MS. GREENBERG: Well, the committee was established in 1949, so this is its 50th year.

DR. LUMPKIN: It will have completed 50 years of service in the year 2000. This has taken three senior public health officials to come up with that conclusion here.

MS. GREENBERG: And a state official.

DR. LUMPKIN: Yes, I included myself. We do do public health at the state level.

At this point, we are looking really for two major activities at that event. Recognizing the 50th anniversary is the key purpose, but to be the focus of that will be unveiling both the status of where we are with the NHII, the National Health Information Infrastructure, and the 21st century vision for health statistics.

Both of those work groups are gearing themselves up to have their documents prepared for unveiling at that meeting. Of course I think we are scheduled to have a full committee meeting prior to that session. So that will be the real unveiling unveiling, but the presentations will be at that. Then that will be followed a reception.

We will also be updating the report that was made on the 45th anniversary. We will be updating that to include the full 50 years of activity.

We're encouraging all members to plan to attend that session. And we will be attempting to see if we have budget to bring in former chairs of the committee participate.

MS. GREENBERG: We'll probably invite maybe some recent members as well, but not have the budget probably to travel them. But we will certainly try to bring in the former chairs, or at least hear from them.

DR. LUMPKIN: Anything else I need to report on that?

MS. GREENBERG: I don't think so. I think what was agreed to was that the two respective work groups would kind of develop their part of the agenda, working with the executive subcommittee.

MR. SCANLON: The symposium itself will be at the National Academy of Sciences main building on Constitution Avenue, around 20th and Constitution. We'll probably be able to use the main lecture hall, and then the reception following.

DR. FRIEDMAN: You modified the NHII part on saying the status of where we are. If you would add that as a modifier to the 21st century vision, that would relieve some immediate anxiety. I'm sure we'll have plenty to talk about and plenty to present, but I don't think we'll have a final document.

DR. LUMPKIN: Let me clarify this. This will be part of the process of finalizing these documents. We expect to have a working document for unveiling, that we can then begin the public discussion process of these particular documents. Both of them are under development. As you know, we are having a symposium over the next two days with the Academy of Sciences, and the NHII is actively being discussed on the list serve. For any of you who would like to participate, that is also turning its way into fruition. So we can present that at the meeting on the 20th of June, and then subsequently at the symposium.

That's the plan. Of course if there are any comments or thoughts on that, we would appreciate any input from the full committee or approval from the full committee.

Agenda Item: Discussion of HIPAA Privacy NPRM - Dr. Lumpkin, Ms. Frawley

DR. LUMPKIN: Good, we'll move forward. The HIPAA privacy NPRM. Kathleen, do you have any how we can best use this time? I think we all have some areas in which we may want to comment. Any areas that we might want to prioritize for discussion? Then let's just kind of work our way through.

At your place is the novel. I read a fair bit of science fiction when I'm not studying for my boards. I always like those novels where you have the novel, and then in the appendix, like in the Tolkien ones, and they have like the chronology of events, and they explain all the characters that you've been trying to figure out throughout the novel.

Well, starting on page 272 is really the actual text. I suspect that it will be useful for the committee process, for those on the committee and those intending to comment, there are a number of questions which are being posed in the NPRM in what we'll call the novel portion of it, for lack of a more novel approach. And certainly we would want to address those, but I think that today we may just focus on any of the issues raised in the text of the NPRM itself, the proposed regulation.

MS. FYFFE: I have a question.

DR. LUMPKIN: Yes?

MS. FYFFE: Given that The Federal Register edition was issued on the Internet today, when we are having conference calls and so forth, can we use that format and page numbers instead of this thing? Do you see what I'm saying?

MR. GELLMAN: Are you going to get Federal Register reprints of this document?

DR. LUMPKIN: I think we could.

MR. GELLMAN: Well, if you do, we should get them. That would be more convenient than this.

MR. SCANLON: We'll have to standardize the pages and the references when you are making comments on the sections as well.

DR. LUMPKIN: So the standardized nomenclature, we'll call this terminology two, the standardized nomenclature for reference to items for which we are going to comment on will be that contained in The Federal Register document.

John and Gail, would you like to maybe join us at the table for this discussion?

I'm trying to figure out if we should go with the regulation itself or walk through the summary of the items to discuss. I just got through the regulation today. We'll just use these for discussion. The general provisions, entities covered by the proposed rule; I think we have had some discussion on that already today. Basically, we have had an explanation about the concern that it is restricted to what HIPAA talked about.

DR. MC DONALD: John, just a tactical question. Most people haven't read the whole thing. Who had read the whole thing?

MR. GELLMAN: I read the rules.

DR. LUMPKIN: We're just going through the rules.

DR. MC DONALD: Have enough people read the rules that we have something to talk about or worry about? What I mean is we'll go, um, um. I guess those who have questions should get them out.

DR. LUMPKIN: John, do you have a better suggestion? What we are doing is we're essentially trying to get some input that can be useful to the committee in their deliberations. If you have a suggestion that may allow us to hit some of the points, because even those of us who haven't read the rules, I think there are issues for which we would want to weigh in on.

Some of those were ones that we brought up earlier today. Most of those were posed as questions, but we can begin to get a feel for example, do we want to make a comment saying that we would strongly urge Congress to consider expanding these rules to all medical records other than just those listed under the scope.

That would be the kind of thing I think we would try to get out of here, as opposed to specific language changes.

MR. FANNING: Well, on the last item I think the committee agreed this morning that that was a proper action. If that was your choice, it's procedurally perfectly proper. I think on the substance, some of the questions that came up this morning, and that Gary identified as issues on which we wanted special attention would be a proper basis for proceeding.

DR. LUMPKIN: Jeff?

MR. BLAIR: Let me describe my understanding here. And I'd like a little bit of guidance or advice, because I'm not sure that I understand it crisply and clearly enough to formulate a proper recommendation or suggestion. It gets to my perception that one of the driving forces behind the need for privacy and confidentiality of health care information is to reassure the public, so that they won't have anxiety about sharing information with a care giver.

And one of the major areas of concern is that that information will in one form or another, directly or indirectly be communicated to their employer or prevent their ability to switch employment. And my understanding, because I really am very positive the fact that the administration has gone forward and crafted this NPRM. I'm very much in support of it.

I feel as if there probably are some things that maybe they wanted to do that they couldn't because the legislation wasn't there. This is my understanding. Maybe you could help me to clarify it and understand it better is that this NPRM could not go to the point of indicating that an employer would not have access to the information. It wound up I believe indicating that if an employer wanted that information, they would have to request authorization from the individual.

Well, that of course is one step, and that's constructive. However, if somebody is switching employment, they may not have any choice except to sign that authorization, otherwise they probably won't get employment someplace else. So my concern here is that this is more than a loop hole. It is a major limitation in trying to achieve the objectives of privacy in health care information.

The other piece is that from what I understand of the way laws work right now, even if that individual did not sign, their pre-existing health care information is available through insurance companies in the MIV database. And that insurance companies are able to share that information. So an employer could literally go to their insurance company and wind up saying, should I hire this person or not based on their pre-existing conditions? They don't even have to have access to the record.

The employee never knows. There is no way for the employee to get any protection. They just simply would not receive employment. So in short there is an indirect way. The employer doesn't even have to actually secure the record or look at the record, or even have a quotation from the record. They just need a judgment from an insurance that they are working with. That alone could deny employment to people, and undermine one of the major objectives of the NPRM, and the whole effort towards privacy of health care information.

Is my understanding correct?

MR. FANNING: Your understanding is correct that the more general issue with employers getting information is not addressed directly here. And we, I think, could not address it. However, we do have the authority to control health care plans and health care providers. And the one thing that would bear on this is that health care plans and providers may not condition their services upon an individual's consent to disclose information for unrelated purposes.

However, that doesn't get to the employer. And I think that's something that simply was not covered here. There may be other laws that apply, and particular the Americans with Disabilities Act. I would let others who are more familiar with that, address that.

MR. BLAIR: I'm guessing the reason that it's not in the NPRM is because there was probably a legal judgment saying it was beyond the scope of what we could put in the NPRM. And so maybe this would fall into the category of where the NCVHS committee, if the rest of the committee felt this way, could wind up saying this is an area which would require federal legislation through Congress. Is this correct?

MR. FANNING: Yes, I think so.

MR. ROTHSTEIN: I wanted to see if I could clarify some of the issues that Jeff raised. I think he is quite right in pointing out that this proposal should not be confused with comprehensive medical privacy legislation. This is legislation or regulation to implement legislation that deals with a much narrower focus.

And it is only a slight exaggeration to say that it deals primarily with the unauthorized disclosure of medical information. And the question that Jeff raises goes to the issue of when is it permissible to require authorization by an individual as a condition in his example employment, but you could attach life insurance or a whole variety of other things to it; mortgage.

I do believe first of all that doing so would be beyond the scope of HIPAA. And secondly, the reason that it hasn't been done is because it gets very quickly beyond a privacy issue, into a substantive issue as to who ought to have access to what, and who can use lawfully, certain information. And that becomes quite complicated.

The Americans with Disabilities Act offers protection against discrimination. So that if an employer refused to hire an individual because of information in that individual's medical record, that theoretically could violate the ADA. But the ADA does not prevent employers from lawfully getting access to that information. Many individuals are reluctant to undergo certain kinds of medical procedures and tests because they know that their employer will have access to it, even though theoretically if the employer used it, it might be unlawful.

Under the ADA, there is no requirement for an employer to indicate why a conditional offer of employment has been withdrawn. So individuals would not necessarily know that employers would have access to this information.

So I apologize for a long answer, but the issue of who are these third party users is a very important privacy issue, but it is something that I don't think we can properly take up.

DR. LUMPKIN: Kepa.

DR. ZUBELDIA: On a different but related issue of the scope as to who is covered under HIPAA. In this NPRM I think it reflects the language that was in the law itself, where it says a health plan, a clearinghouse, and a health care provider who transmits any health information in electronic form.

However, the security NPRM I believe is going beyond that and saying any provider who transmits or maintains any information. I think the NPRM talks about maintaining the information, not just transmitting the information. But the security I believe went to the extent that if any of the transaction related information, and of the information in the specified transactions was maintained electronically, the system had to be secured.

Whether it was transmitted or not, it didn't matter, as long as you maintained claim information in a computer, you have to secure it. However, in the privacy it looks like we are seeing again a departure from that. And specifically, the definition in the rule says transmits health information. So we get into a situation where the health information may be stored electronically in a computer, but I don't know whether that is protected by privacy or not until I find out if that provider actually transmits EDI or not.

And I think a recommendation from the committee should be that if the information is maintained electronically, and could be transmitted in one of the standard transactions, then it should be subject to privacy, whether it is in fact transmitted or not. Because it will be impossible to know whether that provider is in fact doing EDI or not. And the patient normally doesn't know that.

MR. FANNING: I call your attention to the definition of protected health information, which is "individually identifiable health information" --

MS. FYFFE: What page are you on, John?

MR. FANNING: It's page 282 of the single spaced printout. "Individually identifiable health information that is or has been electronically transmitted or electronically maintained." So I think, but I'm not sure -- it may be a little broader than the reading you just gave it. Again, I can't speak authoritatively on that.

DR. ZUBELDIA: So from my reading, all the electronically maintained information at a provider that does EDI would be protected. But if a provider does not do EDI even though they still maintain electronic health information, would that provider that doesn't do EDI fall outside of the scope of HIPAA completely? And how would the patient know that?

DR. LUMPKIN: Because they wouldn't be a covered entity. So if the provider conducts any of their business electronically, then they become a covered entity. And then they would have to maintain their records some way electronically. So if they did some transactions, and some of their records were maintained electronically, and some were not, so their progress notes generally are not transmitted, nor do they become part of the medical record except until we have the claims attachments entered.

So if they have a progress note, that would not be a covered medical record. Whereas the diagnosis page and problem list might be.

DR. ZUBELDIA: John, my reading on that is that if the provider does EDI, then the provider is covered. As a covered provider, they will have to go and get the authorization and do disclosures and do everything that a covered provider has to do. Whether the specific progress notes or specific chart or something is covered or not, the provider would still have to get the authorization from the patient.

But the question is, how does the patient know that this provider does EDI or doesn't do EDI?

DR. LUMPKIN: I'm not sure if your statement is true. It seems to me like there is a hierarchy. The first question is, is the provider covered? The second question, is the health information covered? So you can have a covered provider who has non-covered health information. That's how I see that definition kicking in. Is that how you interpret that?

MS. HORLICK: I think it's a question that I don't know, but I think it could be interpreted both ways.

MR. GELLMAN: The issue here is I think it becomes a question of fact. What exactly is being done with information? You can have a covered provider who has information that is either electronically maintained or not electronically maintained. Depending on how this information flowed from one format to another, it could either be covered. It could not be covered. You have to know factually how the information flowed.

If I had transmitted a diagnosis electronically, then the diagnosis on a printed piece of paper is covered. It is now covered by the electronically transmitted rule. If I'm just looking at the piece of paper, I don't know whether it is covered or not, because I don't know what happened to that information in other ways. Is that right?

MS. HORLICK: Are you saying that it was transmitted in connection with one of those nine or ten specified -- that was my understanding.

MR. GELLMAN: Then it's covered.

MS. HORLICK: The list.

MR. GELLMAN: Just looking at a piece of paper.

DR. LUMPKIN: Let me just use as an example back in the old days when I worked in the emergency department, we would fill out an emergency department chart. And basically this was a paper chart. Now we would abstract off of that the diagnosis, and maybe some codes that may modify the diagnosis because of certain risk factors or acuity.

So that would mean that on that paper record, because of it had been transmitted electronically, those fields on that record that were transmitted electronically would be covered. And those fields that were not transmitted electronically, because it is a paper document only kept in paper, would not be covered. So you could have a single document which would have covered information and non-covered information.

DR. ZUBELDIA: Let me add a little to that. If that document is entered into an electronic system, then it would be covered. But if that document is faxed to the attending physician, or to another physician that is seeing that patient, how does that physician know that it is being faxed through a fax machine, or coming directly from a computer, how does that physician know whether the faxer engages in EDI or not?

We are getting into such a disintegration of what's covered and what's not, that I don't think that this is enforceable.

DR. LUMPKIN: The first question is we're all pretty much clear on how confused this is. So I don't think we need to necessarily come to a resolution on this today, but this is obviously an issue to which we need to speak to.

Anything else under scope?

MS. FYFFE: Do we know what 'electronically maintained' means? Okay. Can we just talk about that?

DR. LUMPKIN: I think it's an electronically neutral solution. But keep it from deteriorating.

MS. FYFFE: If a physician dictates notes into one of these little tape recorders, is that electronically maintained?

DR. LUMPKIN: Can the information be retrieved by a computer? Because it says --

MR. GELLMAN: What's a computer?

MS. FYFFE: Did I get an answer?

MR. FANNING: I think there is no answer. Bob Gellman and I have an old joke about this which would say is the machine analog or digital.

MR. ROTHSTEIN: I have a question. An authorization to say by regulation that any covered entity that uses any electronic medical records at all would be covered, and would have to comply with the regulations as to all of their medical records, whether electronic or paper. Did you view your mandate as not being that broad?

MR. FANNING: I think that is discussed in the preamble, and I think that question may be raised in the preamble. I can't address it authoritatively. I'm sorry. But I rather suspect it was considered, and the public is asked how would you feel about that extension. Is that correct, Jim?

MR. SCANLON: I think so. There is comment requested on whether HHS should use other authorities available to cover all the records that would be covered under these, what medium or form they might be in. But that's a question for comment.

MR. BLAIR: I just want to get back to, Mark, you clearly have a good deal of legal knowledge here. You made the comment that you felt as if for us to address the issue of access to health care employers was beyond the scope. And it wasn't clear to me when you were responding. I think that it certainly is beyond the scope of HIPAA, the way HIPAA was defined.

In terms of the NCVHS commenting on the adequacy of the NPRM to accomplish the objectives which we seek, which is to insure public confidence that the health care records in the electronic health record systems who not violate their confidentiality where we would recommend additional congressional legislation to accomplish that goal.

I thought our scope was broad enough that we could recommend additional legislation to do that. Now are you saying that even that is beyond our scope? And if so, help me understand why.

MR. ROTHSTEIN: I'm not an expert on the scope of this body, having been here about six hours. I certainly agree with your thinking that we ought to, if we can, make a statement to the effect that we recognize that these regulations and this enabling legislation is not sufficient to protect medical privacy of all individuals in all circumstances.

Correct me if I'm wrong, I think that would be fair game for the committee. And I think that's very valuable for the public, and it's also very valuable for Congress to hear that so that they don't think that they don't need to do anything, because the issue has been taken care of.

MR. BLAIR: Thank you. If we were to make a statement like that, would it also be appropriate for us to maybe reference two or three examples of where it does fall short of what we think is needed?

MR. ROTHSTEIN: I think that would be fine. I think it would be difficult to limit the examples to two or three.

MR. BLAIR: Thank you, Mark.

MR. SCANLON: Recall when the committee sent in recommendations initially a couple of years ago on privacy, this very issue was raised. And the committee did, in addition to specific recommendations relating to privacy legislation, did raise the issues of the need for anti-discrimination measures as well. Certainly that could be part of the context that the committee sends its comments in.

In addition, in terms of the scope, if the committee feels that a federal law is still a comprehensive health information privacy law is still desirable, whatever progress may be made on the regulation, you should make that point as well. And you may want to point out the limitations of this proposed rule goes as far as it can. It doesn't mean that it's as comprehensive as a new federal law would be.

So you have already gone on record, and you certainly have a precedent for conveying the framework issues in your recommendation.

MR. GELLMAN: I agree with what Jim just said. I am sympathetic, Jeff, to the sentiments you express. It's just not that simple. You just can't talk about employers sort of in one breath. Employers are employers. Employers are payers of health coverage, purchasers of health coverage, providers of health coverage, overseers. They play a lot of roles.

You just simply can't say we have to deal with employers in one way. We have to recognize that employers play a lot of different roles. That just makes it that much more complicated to deal with, and makes it really hard to craft a solution that precisely allows what you want to allow, and doesn't allow other things. Because when you start talking about uses, they also overlap. So that's one thing.

The second thing, and this may just be a matter of rhetoric, I don't want to press the point, but you talked about assure patients that their records are confidential. There is absolutely nothing we can do to assure patients of that. And all you have to do is look at this regulation or any of the bills. No matter how strong they are from a privacy perspective, they all authorize large numbers of institutions and individuals to see records. Nothing is going to change that.

And the notion that somehow anyone is going to do anything anymore to create any reasonable sense of confidentiality in health records is just impossible. My old point, which I made before, is we can't promise people privacy. All we can do is promise them fair information practices. That their records will be used according to a set of rules, and at least they will know what the rules are.

DR. MC DONALD: A small question of fact. They mentioned this morning that 18 fields would be taken out to de-identify the record. I can't find any such list in this document.

MR. SCANLON: It's confidential. It's on page 284. But recall one of these items is the residual category that says any other characteristic. It's all direct identifiers, as well as a residual category that if there is any other characteristic that the holder of the record believes could lead to the identification, that would be included as well.

Then there is a whole other approach for relatively sophisticated statistical units, where you can actually use other disclosure avoidance techniques. I think the idea here was to give guidance both to those who wouldn't have that statistical expertise, as well those that would. But these are the 18 or so.

DR. MC DONALD: Some of them are not necessarily very specific identifiers I mean any more than certain kinds of lab tests, birth date. We have over 2,000 people in Indianapolis with the same birth date on average. One of the major purposes of taking so-called de-identified information and making it available for other purposes is to be able to statistically link, like we were talking about with the geocodes.

Now geocode gets very, very specific, but some of these things are pretty lumpy. The cushion I guess really is, is this sort of the list? Where are the boundaries?

MR. GELLMAN: Can I comment on this? I think that the provision that is here on de-identification is probably a little better than most. But this is almost a possible admission of the notion that there is non-identifiable personal information, especially health information. It may not exist. There may be no such thing anymore.

We did some events earlier in the subcommittee on privacy a couple of years ago. We had like LaTanya Sweeney -- I don't know how many people are familiar with her. John and I were at an event at the National Academy a couple of weeks ago, and she talked about some of her work.

In one instance she took an entire record from a cancer registry that was non-identifiable, and she said she was able to identify 98 percent of the names. The ones she couldn't identify were like identical twins, and she couldn't tell which one was which, but she knew who they were. She hasn't produced the paper on this yet, so I don't have the details. She said her records were more accurate than the cancer registries.

She also reported on an instance where someone challenged her and gave her a very short period of time to identify patients, and the only information she had was diagnosis, encounter date, and five digit zip code. She was able to identify everybody.

It all depends on what you know always. And there is so much information about people. It's not at all clear that we can regulate the world. I agree with the thrust of this that the fewer identifiers that you share, and the less information that you share, the better off you are. And I'm not sure that we don't need to approach this problem in somewhat of a different way in terms of first of all, restricting information minimum necessary to accomplish the purpose where you can do that.

There are other things you can do with identifiers. If you don't need to know the birth date, just give a month or a year or whatever. Those things are all help. They are not necessarily guaranteed. And it may be that for some functions you need to control this not simply by dividing the information into a regulated category of identifiable information, and an unregulated category of de-identified information.

But you have to recognize that there are risks here, and you may have to control this in the same way that you control information when it is given under these rules to business partners. You have to say, you have to follow these rules. This is a contractual matter. If you want to share data that has any potential to be identified, which may be all data, or almost all data, because there is probably some stuff that isn't, that there have to be agreements in terms of here is the data.

You can use it for this purpose, and you have to agree, subject to penalty, that you will attempt to re-identify the data. And what you need here is not a bright line in the sand, but you need a process, a procedure that tries to protect the data from being misused, and that penalizes someone who gets the data, and then misuses it.

I think that this approach in here is sort of fundamentally flawed in the sense that there may not be such a thing as de-identified data, although this is getting sort of -- this is more detailed than any of the other proposals on this point that have floated around, so it's better.

DR. MC DONALD: Well, you are trying to get a sense of how absolute is it if you call it the identified -- because I think it really boils down to what is the smallest pool of people that you can limit it. It's a hashing algorithm process. So if you get a little tiny pool of maybe two people in Wyoming who could have had a birth date of that date, because there are only a couple hundred thousand in Wyoming, or whatever, it's a different story.

So the cross-product of these things is what gets you down to very narrow pools where you can start to pick out who the who is.

MR. GELLMAN: Yes, but it depends on what kind of data you have, and how you are aggregating it. If you just take a public use data tape, it may be you take anybody's public use data tape and give it to a LaTanya Sweeney, she may be able to identify some or all of those people. You may be able to remove various elements of it that are useful to people, and she may be able to identify it.

DR. LUMPKIN: But I think the issue here of this list, and what I see as being useful in the process of dealing with this issue, and we gave LaTanya three items, zip code, type of cancer, date of onset. We restricted her only to publicly available databases, not to ones that she could get from people and purchase. They identified half of the individuals that were given to her.

We gave her the information and she told us who she thought it was, and then we checked with our records on our cancer registry. So what this does is really establishes those ones which have a higher potential for being able to identify an individual. Because you have to remember that you are not just talking about these items, but you are talking about other medical information. So if you have birth date, and you have type of cancer, and you have some other information, which may be admittance date to the hospital, you have pretty much narrowed down those 3,000 people in Indianapolis pretty quickly.

So a lot has to do with effort. What you want to do is you want to raise the cost of trying to identify somebody to the point where either somebody is going to be seriously interested in bad will, in which case no matter what you do, they are going to go after this individual. Or the cost of engaging in a fishing expedition becomes so high that it will become prohibitive. And then the third thing that you want to do is if they get caught, they are going to be fined or penalized in some sort of way.

DR. MC DONALD: Maybe this is not an important point. I was only trying to point out that there is a number on the bottom of this. If you give them enough low level keys that they can narrow down a subset. So it has to do with distribution. So if you are dealing with big, lumpy things like the city of New York -- I don't mean to criticize anyone from New York or common diseases, you have a different dynamic.

It's the cross-product of all the variables. A birth date by itself isn't very predictive, but birth date plus zip code gets to be very predictive, especially if there are very few old people or very young people. You could write the regulations potentially though in saying whatever pooling you do couldn't be less than 1,000 people in it.

DR. LUMPKIN: You just need be a little bit more discriminate in your use of the term 'lumpy.'

MR. SCANLON: It's that very reason that this list is not absolute, and there probably is not list that is absolute. That is why there is variation on those plans and providers and so on that are familiar with sophisticated statistical techniques. You can actually provide date of birth while masking some other area. That provides more flexibility for them as well.

So it's kind of a combination of whatever could be absolute versus the more sophisticated data disclosure avoidance techniques.

MR. ROTHSTEIN: I have a question. This morning Gary said that one of the principles behind the notice was that there would be disclosure of medical information of as limited a scope as possible.

MR. SCANLON: Minimal disclosure.

MR. ROTHSTEIN: That's a paraphrase. And also that there was some degree of encouragement for users to de-identify information, and to go to a less identifiable form. Yet there is no requirement in the proposal that would require medical records to be stored, used, or transmitted in the least identifiable form consistent with its purpose.

My question is whether -- and I apologize, I have not read all this. But I tried to find something. I couldn't find anything in there so far to indicate why such an approach was not even raised for comment.

MR. GELLMAN: Can you explain again what you are looking for?

MR. ROTHSTEIN: Let me give you an example of what I'm looking for. In the situation where you have let's say self-insured employers. They get the information about their employees directly from the providers often, or from a third party administrator, and it will often contain the specific names of the individuals, and what treatment they had, what their diagnosis was, et cetera.

Those records then go to the company, and depending on the size of the company, will dictate whether it goes to the office, the benefits office, or some other location, where security is often not as good as it could be, and individuals often report major problems where their personal medical record is revealed, their diagnoses to their co-workers and to their employers.

There are some companies that presently have systems where they never get the individual name when bills come through. Each individual has a discrete medical identification number. So the payer submits a claim for patient 657 and then it has to match up with what that 657 is eligible for this benefit, and no individual names are used, and there are computer programs that will do this rather easily.

Now it may be too expensive for small companies, and I'm willing to grant all of that. But it's an approach that I think would be profitable to look into. This is has been a hobby horse of mine for years. I gave a speech one time to a group, and I can't even remember what the group was, and during the question period one woman from the back said, I'm the director of employee benefits at such and such Fortune 500 company. And I thought she was going to say, you're crazy. I was ready for that.

She said, the worst thing is when my health claims come in, because they are then read by all the people who work for me, and it's not very easy to keep a secret from the people who would love to know what's wrong with you.

So I'm just inquiring as to whether these sorts of approaches had at least been looked into, or whether comments are being solicited in that area?

MR. FANNING: Let me just indicate that in theory that comes under the minimum necessary standard. A covered entity must make all reason efforts not to use or disclose more than the minimum amount of health information necessary to accomplish the intended purpose of the use of the disclosure. It doesn't seem to be any more detailed than that with respect to the type of situation that you have just described.

MR. ROTHSTEIN: Minimum necessary I take it to mean if there is a claim regarding somebody's broken arm, you don't send their psychiatric records.

MR. FANNING: I don't know.

MR. GELLMAN: Can I raise a question about this? If in the circumstance that Mark just talked about, the employer didn't need the name of the person, then the minimum rule would prevent its disclosure. But if the employer had a legitimate need to link records, to say determine eligibility or to review it, but didn't need to know the name, but just needed to have a linking mechanism, the minimum necessary rule doesn't say that you have to code the name.

If the linking device happens to be the name, then you can say that's the minimum necessary. It doesn't really get to the next stage of saying -- I'm not sure how you phrase a rule like this -- of saying if you need the minimum information to accomplish the function. And that means changing or de-identifying records to some extent.

MR. FANNING: That might be something the committee could comment on. Let me introduce one of the staff members who worked hard on this. This is Suzanne Bruns, who may be able to shed some light on it.

MS. BRUNS: The minimum necessary principle does not specifically address taking names off of claims documents. We would encourage that to happen, and we have allowed for that, and even used that in our list of identifiers on de-identified information that should be considered. We haven't explicitly said in the minimum necessary that names should be taken off if at all possible. It's a valid comment.

DR. MC DONALD: I work these computers, and we're hearing a lot about how there are two sides to the problem. And how do we keep the system going. Unfortunately, when regulations are written, they are almost the same degree of complexity, if not more, than a very large program for something that would fly a plane. These are a very, very complicated set of rules if made explicit.

We never run over the tasks that we require to run through programs. That's my fear. One of the things we talk about, getting rid of the names, is we now do get transmissions for health care reasons of information. The patients have numbers on them, and they are screwed up a lot. And so you can really cause a great deal of harm to a patient if you put someone else's results into their record because the numbers are off by one digit.

And we desperately need the patient's name and the birth date in this context to verify that these numbers aren't screwed up. And there is a zillion little traps like this that we have to be careful not to assume aren't there without having some -- you wonder if we really had like a year's test of these rules in three states before they were finally made active to shake out the bugs.

DR. LUMPKIN: And I'd like to volunteer Indiana.

DR. ZUBELDIA: Clem, when you said minimum necessary, if you do need the name, that is part of the minimum necessary set.

DR. MC DONALD: Well, the problem when written this way, the people who decide here you've got three communicating -- an organizational flow is very complex nowadays as you know. There is this one providing this kind of care. They are sending lab results to this one. There are different sources of information needed to care for the patient. There are different corporations.

I have never seen an administrator who read things non-conservatively. That is, they are going to say minimum necessary -- I'm not giving them squat. I'm going to give them one field. They don't want to give anything anyway, because all that's going to happen to them is something bad, because they're getting in trouble for it. So there is a huge tendency to take this very conservatively.

Then the problem is as you figured out. You've got the programs. You've got a smart computer. Figure out if these numbers are right.

So I just want to keep those on the table anyway, so that we don't screw up patient care by plugging in a perfectly normal result when someone has a bad one or vice versa, where decisions can be made incorrectly.

DR. ZUBELDIA: But I think the comment was the minimum identity necessary.

DR. MC DONALD: No, I think the basic rule makes sense. Don't send stuff out that they don't need. I mean why float it around there? We have to be careful about saying that means don't ever send the name, for example.

DR. ZUBELDIA: I think that the rule could have a comment or something that says that if a process can be done with de-identified data, that you should not do it with fully identifiable information.

DR. MC DONALD: Who decides that?

DR. ZUBELDIA: If you can do it with de-identified data.

DR. LUMPKIN: Andy?

DR. KRAMER: I think part of this comes back to this issue of sort of scalability that they were referring to, that at different levels of the providers, they are suggesting that these things be more and more rigid. And I think that's a valid concept to go with, this notion. I guess I'm curious as to how often that is sort of set up as a principle.

That you basically say that we've got these three categories. We've got health care providers out there that are actually in the business of trying to provide care. We've got clearinghouses of information. And we've got health plans that are on the insurance side. And they all have different needs for information. We're going to group them all together and call them all the -- they are all the groups to which this applies.

And we're going to just give one general standard which says each one should use the minimal necessary degree of identification. And I'm just not sure whether it is not more appropriate to try to separate them a little bit and say that we recognize that there are different levels of information that are appropriate for these different types of entities.

Because I think there has already been an awful lot of outcry and will continue to be about what it's going to do to the difficulties of trying to provide care if some of the constraints are carried too far on just simple transactions within a health care provider. And it may be that at that next level beyond the health care providers, one argues that here is a more limited set of minimal necessary information. And at another level it's a further limitation on it.

MR. GELLMAN: But I think you have a point, but that's what the rule says. It's the minimum necessary to accomplish the purpose for which the records are being disclosed. And the purposes vary, depending on who is disclosing what to whom, and what they are trying to accomplish. And that floats on theory at least, how you know exactly what it is, is hard to tell. But it floats.

And so if you are a plan, and you are exchanging information with another plan, you are going to have one level of purpose test, because you have a specific purpose. If you are a provider talking to another provider, you may be disclosing lots of identifiable information for the reasons Clem talked about, and others.

DR. KRAMER: Are you comfortable with it being done that way, as opposed to defining certain purposes of the information, and within those purposes, giving more guidance as to what is minimum necessary I guess is where I'm going. The example that Mark brought up about benefits offices and there is no need for names in those situations.

And yet at the level of individual treatment, yes, there is a need for name, because you've got to make sure it's the appropriate individual that you are treating and matching diseases. So my question is rather than leaving it broad like that, which I understand is the intent of it, to give more structure to it where you provide very specific purposes for the information, and within those give some examples of what might be appropriate.

MR. GELLMAN: Yes, I think that's a very good thing. I think there are a lot of routine exchanges of information that could be not defined in a formal sense, but through informal guidance of whatever sort the Department is planning to put out that says in this context here is an example of what it means, and in another context, and give a series of examples to try and clarify for people exactly what it is they should or shouldn't do. And I think that's exactly the right way to do it.

DR. LUMPKIN: One of the things that becomes apparent from this discussion is we need to in some way reconcile what we have done with the transaction standards, which certainly are not consistent with minimally necessary, but is a set of information that if you want to get paid on time, if you have completed the claims transaction, then you have to be paid. But if you don't complete the form, so you leave out some information that might fit within a context of minimally necessary, you might not get paid.

So we actually have some conflicting recommendations if we want to ride the horse of minimally necessary. And we have to do some subsequent reconciliation with the various transactions that we have approved prior in the work of the committee.

DR. MC DONALD: To follow-up on the thing, I think the general principle is the sensible. I really actually would worry about going into more detail, because I don't think we can. I don't think we know until we get some experience.

The question I worry about though is who decides that? Is it the reluctant sender, who is going to cut it to the bone? What happens to you when you don't do it that way? What is going to be the real dynamic when we have this very gray scale of what gets sent?

Actually, in truth I think the insurance person is named just as much. They don't need it on the desk. We should be talking a little bit about what can be displayed. I think there is very little need for the name outside of patient care to be shown to someone. You assume you need to check on things with these automatic processes.

So we just have to work through a lot of this, but it would be nice to have some indications though about who decides and how and when and what happens to you if you error in someone else's opinion that it's not minimally necessary?

DR. CHRISTOPH: As somebody who processes a lot of claims, and deals with making sure that they get paid correctly. And I think it's even more severe when you are actually doing treatment, and making sure that you have correctly identified the individual. The information that you use on the claim is -- there may not be a minimum set in order to do things correctly.

There is redundant information there. And we use that to cross-check things, because if somebody has copied a social security number incorrectly, the name very often recorded in a medical record might be a nickname or a variation of the spelling of a given name. There are all kinds of things like that that can happen. And you use that redundant information to try and identify the individuals so you can process things correctly.

So just as a caution, if you get down to what is the theoretical minimum, you may end up, as Kepa said, you could cause more damage, because you may limit yourself to a number. And if somebody makes a mistake in that number, then a whole bunch of things could fail as a consequence.

So I think we have to be very careful in talking about minimum data, because operationally there is a tendency, especially when you start going to numbers instead of recognizable sets of characters, that it's very easy to make mistakes, transpositions of the numbers, or missing numbers, or incorrect copying of numbers that causes some significant difficulties.

So you have to keep sight on the fact that yes, we are trying to protect privacy, but there is also a balance that we have to strike between operationally getting the job done. This is part of the reason we go through this whole process of questions and answers. But please bear in mind that minimum is a very difficult theoretical idea to practically implement.

DR. LUMPKIN: Okay, are there any other issues under scope?

DR. ZUBELDIA: Yes, I would like to ask a question and see where the answer fits. In the case of for instance an immunization registry. That the state health department maintains an immunization registry, and it is accessed by the schools. And the data that comes to the immunization registry is coming from pediatricians, some of which maintain it electronically. Some of which also do EDI.

Is the expectation that the immunization registry would have to flag those records from the pediatricians that do EDI? Or that the entire immunization registry is covered? Or that none of it is covered?

MR. FANNING: To the extent that the immunization registry isn't a covered entity, it would be affected directly by these rules. The provider, in disclosing it, would have to meet certain conditions, and those would be allowable disclosures either for care or for public health.

MR. GELLMAN: Would it be a business partner in some context?

MR. FANNING: Conceivably. But even if it isn't, I think we would regard it as an allowable disclosure, at the very least as a public health disclosure, but possibly as a health care disclosure. But the rules do not follow the information.

DR. LUMPKIN: So once it is in the registry, which is not a covered entity, unless -- well, that's not true in every state, because you have state health departments that provide local and direct services, including billing such as Florida, Arkansas, Mississippi, many of the southern states. So they potentially could be covered entities.

MR. FANNING: Is their registry function a covered entity?

DR. LUMPKIN: Can you segment your functions?

MR. FANNING: Amy Wahl(?) of Gary's staff address this.

MS. WAHL: There is a section in the preamble which explains the covered entity is the component. So in the case of a state health department, it would be the component that's a provider which is a covered entity. That doesn't then extend to the entire state health department, only that component that is a provider. So the immunization registry in most cases, I would assume would be separate from the covered entity, and therefore the rule would not apply, as John Fanning explained.

DR. LUMPKIN: My assumption would be that would cover -- immunization registries may be somewhat different than let's say a report of infectious disease kind of thing. Any other public health issues while we're on that topic?

MS. HORLICK: Maybe, John, you could clarify this, but in reading this is it the information that is transmitted in connect with those nine specified standardized transactions? Because my reading of those transactions would not include most of the information in the immunization record. It is encounter information, but it's not clinical information.

MR. FANNING: I don't know. What goes into this type of registry?

MS. HORLICK: Well, it varies, but essentially it's what shots are given, and the dates of the shots and so forth. But the information -- my understanding of this is that this rule addresses the information that is transmitted electronically in connection with those nine specified --

DR. ZUBELDIA: Can I address that? The immunization registry would have the child's name, address, social security number.

MS. HORLICK: Sometimes the number.

DR. ZUBELDIA: Sometimes. That it's the same name and address that would be transmitted with the claim.

MS. HORLICK: Right. So then if a provider transmits that information in connection with a claim, is all of the information, including the clinical information protected?

DR. LUMPKIN: If I can borrow a term I have learned from Lars, that becomes moot, because most immunization registries are electronic. So therefore in the process of converting it to electronic, you meet the test at the beginning under the scope, because now it is an electronic medical information.

Now once it is received by the registry, it may be in a different class. But the provider, just by the act of converting it into electronic means, would fall under the test at the beginning of the regulation it seems. I'm not a lawyer, so I'm just like doctoring it.

MS. BRUNS: It's important to understand that our legislative authority allows us to cover information only so far. Once it becomes protected health information, it is covered while it is held by a covered entity, or when it goes into the hands of a business partner that through the contractual agreement, it essentially remains protected health information.

When it leaves those bounds, so when it goes into the hands of law enforcement, when it goes out for the public health that is not a covered entity or in those terms, we no longer have a legislative authority to cover that information.

MS. HORLICK: And just to clarify what you mentioned earlier about the components if the public health department is a provider.

MS. BRUNS: Essentially not only for public health departments, but for all entities. The easier example is you have a large company that has a nurse's office within their building. That means that the nurse's office, and the information that happens within those confines is covered information, but the rest of the entire corporation isn't covered.

So if you look at the health department in a similar way, it means that information that is gathered while providing care, or as the health department is serving in a plan function, it's covered information. But it can leave those bounds and go into registries, social services. It can break out from that, and once it does so, it is treated as any information leaving the covered entity.

MR. MAYES: Following that logic then, the covered entity couldn't disclose it to itself or to other components in that, unless they had a contractual agreement. But I can't contract with myself.

MS. WAHL: It could be one of the allowable disclosures. I think you establish essentially a contractual relationship. It's a little rough in that area.

MR. FANNING: I think the regulation may not be precise about what goes on within government agencies, but our recommendations did envision government units for example that would call upon some other governmental unit to perform a business partner function.

Now whether the contract mechanism, which is out of a business framework is the exact, correct mechanism may be open to discussion, but the concept is the same. The other outfit that is helping should make the same promises that we demand here in the business context.

DR. LUMPKIN: Except our agency on a regular basis has interagency agreements with our department of public aid, our department of children and family services. And those kind of mechanisms govern how information can be shared, and what protections have to be carried for the data that we give them.

So I think that that mechanism was in a single entity, but it does also reflect this discussion upon the issue about the employer. And the employer who runs a health clinic or a dispensary, certainly there are ways therefore, for it to be compartmentalized and it should not go across that compartment unless it's an authorized release under what is discussed in the regulations.

MR. MAYES: It might also go to the registry issue as well then.

MR. GELLMAN: The lovely thing about your intra-agency agreements is whoever violates it, the same person goes to jail.

DR. LUMPKIN: Any other public health related questions?

DR. MC DONALD: Well, I think the discussion we had today is going to repeat itself in every single organization that handles health care for months. That's going to be the high cost of this, and some of them won't back it, because they don't know. We've been through this trying to do with clinical care without any of these extra regulations. And they get paralyzed by the regulations.

So our goal should be to make these as clean and as clear as possible so that they don't have to spend too many months internally making up their own interpretations of the rules.

DR. LUMPKIN: Unfortunately, my experience with rulemaking is the cleaner and clearer you make it, the longer they have to be, and therefore the less -- it really is a complex process.

DR. ZUBELDIA: One thing that has been extremely helpful with the other proposed rules has been the frequently asked questions section of the Website. Maybe out of this discussion we're having, you have a seed of frequently asked questions to begin with.

MR. SCANLON: Usually they have a frequently answered questions.

DR. LUMPKIN: Okay, let's move into the area of research. Do we have any issues related to research in these? I'm going to try with the time left to kind of hit the areas that the committee may not necessary feel that they would normally hit, or other areas that would involve members who are not part of the subcommittee.

DR. MC DONALD: I've been browsing it as we have kind of been talking. On the surface of this, compared to a lot of the different legislation, a lot of things are pretty well balanced. But it's the details, how you work through them. I'm not sure how they all interconnect. The business about what you have to record and who records it, and where you keep it. How do you know when they told you what they know, that you got it right? Who's going to be responsible.

DR. LUMPKIN: Maybe it might be helpful, John, if you could just give us sort of a summary of how you see the research components.

MR. FANNING: The allowable disclosure for research. It's in section 164.510(j). It's 293 in the single spaced printout. And the basic principle is that information may be disclosed for research in identifiable form if certain conditions are met. And the conditions are modeled on, but are not identical to the conditions that must be met now when a federally funded research seeks to do records-based research, and seeks waiver of the normal requirement for research of informed consent.

The institutional review board, under the rules governing the federally funded research, must make certain determinations before permitting the waiver of informed consent. What we propose here is something very similar, but with a few additional conditions which are specifically designed to deal with waiver in the information use situation. And they do follow the pattern that we have seen in bills in the Congress, and that we proposed in our recommendations. Now that's the criteria.

Now the who must do this review. We propose here that the required review may be performed either by an institutional review board that is constituted under the federal rules for protection of human subjects, or a privacy board -- and that is an invention or contribution of this regulation -- that meets a limited set of standards that are meant to incorporate the significant protective features of the membership requirements of IRBs for federally funded research.

The members must have varying backgrounds and appropriate professional competencies as necessary to review the proposal; has to have one member who is not affiliated with the entity doing the research; and doesn't have any member participating in review of any project in which the member has a conflict of interest. The covered entity may have its own board, or it may rely on the approval carried to it by the requesting entity.

Is that a fair description? Anything else?

MR. GELLMAN: John, there is a list of criteria for the IRB to follow. Are those all right out of the common rule?

MR. FANNING: No, there are some additional ones that are out of -- they are peculiar to disclosure. They appear on page 294. I think the first four are out of the common rule, but then we have added, the research could not be conducted without access and use of the protected health information. The research is of sufficient importance so as to outweigh the intrusion into privacy. And there is an adequate plan to protect the identifiers improper use and disclosure. And there is a plan to destroy the identifiers when they are no longer needed unless there is a health and research justification for retaining.

DR. FRIEDMAN: One of the things that is mentioned in the novel is the need to take another good hard look at the common rule. And I assume that is particularly around other than clinical research. At least for those of us who are involved in trying to make IRB decisions, particularly around administrative data, public health data, et cetera, et cetera, that would be extremely helpful. Because right now we really don't feel that we have the guidance from the common rule to make those decisions in the way we should.

MR. FANNING: You may be interested to know that our office and AHCPR are funding a study by the Institute of Medicine of how IRBs conduct reviews of records-based research with the potential product of some guidelines or best practices in that regard.

DR. ZUBELDIA: I have a question on this. The next section right here it says requires a signature. The recommendation has to be signed by the chair. There are several other places where there is a requirement for a signature, specifically patient signature. Would it be correct to assume that digital signatures are allowed as long as they follow the HIPAA rules on digital signatures?

MR. FANNING: Yes, I think that's fair to assume that. In fact, I think it's covered explicitly, is it not?

MS. WAHLS: In some places.

DR. KRAMER: Would you see these rules falling within expedited review procedures that are typically used under IRB or not I guess? These sound much like what would be an expedited review process.

MR. FANNING: Yes, and that is discussed in the preamble.

DR. LUMPKIN: Any other issues related to the disclosures?

MR. GELLMAN: I have a question about research. The definition of research is kind of interesting. It's the systematic investigation stuff. That doesn't trouble me so much, at least not in any new way. It talks about generalizable knowledge.

It says, "Generalizable knowledge is knowledge related to health that can be applied to populations outside the population served by the covered entity." That seems like a curious standard. If I am a health plan, and I choose to do something that would be generalizable knowledge, and I just simply say that this my conclusions are peculiarly applicable to the members of my plan, then I can say that this isn't research, and I can use the records as I please, without going through a board.

Is there something more behind this standard here? It seems curious. In some cases of course it's not curious that someone does research that is applicable to other people. But in a commercial context it seems like a loop hole.

DR. LUMPKIN: Bob, where are you?

MR. GELLMAN: I'm on page 282, at the bottom, definition of research.

DR. KRAMER: My guess is they would justify that as part of plan operations. That it's basically program evaluation for the purposes of plan operation.

MR. GELLMAN: That's what I'm getting at. How do you tell the difference.

DR. KRAMER: Right. I agree with you.

MR. FANNING: That's a very good question.

DR. HARDING: It would seem like there should be so much of the knowledge going into the public domain, its research. We are talking about true research. It's not the company coming up with some new ways to save money or have a better treatment. It's something that has to eventually go into the public domain if it is true research. It's something else if it's a proprietary condition.

DR. COHN: Well, I think there is a lot of drug/pharmacy company funded research that probably this applies to, that I don't believe goes necessarily into the public domain.

DR. HARDING: The question of whether that is research or whether that is proprietary worth, that's a different issue.

DR. FRIEDMAN: John, as I'm sure you know, the CDC has in the past year or two, been grappling with just this. They have sort been changing their approach somewhat. And I think it's a better approach, although a very confusing approach to apply, because it seems to be -- it's purpose-specific. You can have the same information, you can have the same project that at one point in time won't require IRB, because it is not generalizable beyond the people to whom we are administering care. But as soon as you for example turn around and write an article for the literature about that, presumably that would then become IRB-able.

MR. GELLMAN: After the fact?

DR. FRIEDMAN: Oh, yes, in that it's being applied after the fact. Sometimes the purpose doesn't become clear until -- or the purpose can change after the data have been collected. But it is hard. I think the CDC approach in some ways is clearer than it had been previously, where they were trying to differentiate just between surveillance on the one hand, and research on the other. But it remains really difficult to apply. Both theoretically, as well as in practice, it's very difficult to apply.

MR. SCANLON: I think the discussion is reflecting the discussions we had within HHS, and the discussions that the privacy subcommittee here at the National Committee had when it tried to make distinctions between health care operations and generalizable research as well. It turns out there is no bright line. I think we would all welcome any guidance from all of you where you think we can establish criteria. But there is no bright line between this.

It looks very similar. It might be the very same study, and one would be called research, and one would be called operations. So any guidance I think you can offer here, we would welcome.

MR. FANNING: May I just say a word for privacy? In the long run these distinctions aren't important except in very narrow areas. The important thing is that the information be carefully safeguarded and protected while you are doing whatever you are doing to it.

MR. ROTHSTEIN: Does an individual patient have the right to opt out of allowing their medical records to be routinely used for research?

MR. FANNING: This regulation does not provide that. There is an opportunity to request opt out if you will, only with respect to the use of disclosure for treatment and payment and health care.

MR. ROTHSTEIN: So in other words, if I am a patient at a hospital, I can't say and by the way, I don't want my records used for research?

MR. FANNING: This regulation would not provide a binding command on the institution as a result of that request. That's correct.

DR. ZUBELDIA: How about opting out of de-identification? Saying I don't want my records to be de-identified and used further?

MR. FANNING: Excuse me?

DR. ZUBELDIA: That same sort of opt out for research for de-identification of the data. Can the patient say, I don't want my records to be de-identified and then used for anything else?

MR. FANNING: The text doesn't address that, the implication being that that option isn't explicitly available.

DR. LUMPKIN: I have a question on 290 under public health. It lists a number of agencies, disclosures and uses for public health activities. Under (ii) it talks about a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect. It doesn't really discuss elder abuse or other kinds of abuse, and I could quite fit that into any of the other categories.

MR. FANNING: That's a result of an anomaly in the statute where it says we are not allowed to interfere with disclosures for public health, and then it gives a list, including child abuse. So that's why it is mentioned there. There is another section among the allowable disclosures that permits all other disclosures that may be required by state law, and that would cover any report of abuse.

DR. LUMPKIN: Other issues with disclosure? Does anyone have any questions that they may want to toss out?

DR. HARDING: In the research, does an individual need to be notified that their data may be used in research?

MR. FANNING: Yes, there is a requirement for everyone dealing with patients or enrollees to give them a statement as they enroll, or under certain other circumstances set out here, of the possible and intended uses of the information.

MR. GELLMAN: The notice, Richard, will be in Volume 2 of the patient disclosure one.

DR. KRAMER: Having done considerable research with managed care organizations and the like using their internal process, research operations, and their internal IRBs and so on, that is very big area that needs to be dealt with very directly as to say whether it is fish or fowl. Is this research when it's very program oriented, or is this administration?

And if so, what are the requirements in that case, because typically none of these kinds of requirements -- I mean there is no informing individuals that they are in fact in a control group or given intervention, and that their information is being used. So I think that's probably a whole area that really needs to be dealt with quite explicitly.

MR. FANNING: I don't quite understand control group in a given intervention. Is this records-based research?

DR. KRAMER: Yes, records-based research. When I say an intervention, there may be some people that signed up for a treatment, and they wanted to be compared with usual care. And then you will use a usual care group that comes from 2,000 enrollees who never knew they were actually part of the usual care group. This won't necessarily have been randomized study, but something of that nature.

And again, that kind of a research approach is common within an organization that has this captive population, and has records on those individuals, and can pull those people in. Again, there is no intent to draw inferences to the population beyond their program necessarily. So it may not fall under research, but it's a use of information that I think just needs to be dealt with, and I don't quite know where it fits in the regulation. I'm struggling with where it fits in the regulation.

There is a growing amount of it now, because more and more of these organizations have in fact their own research arms to do this kind of work. And a lot of times their research funding does not come from federal sources or foundation sources, where they have to go through the traditional IRB type approvals. It's internally funded program evaluation. So it's the kind of thing you were alluding to.

DR. COHN: I was going to comment as a representative of at least one large managed care organization. I actually am impressed by the wording of the proposed rules. As you commented, John, at the end of the day what we want to do is to have records and individually identifiable medical information protected, be it used for internal operations or for research.

Now as one who has done both at certain times in my life, to me one of the main distinctions between research and things that worked for operations, and I think many of the things you were describing really are operational, quality assurance pieces internally, is that at the end of the day are you going to publish?

In my experience dealing with external journals, they will not allow you to publish unless you have IRB approval. So at the end of the day, that is one of the fundamental distinctions. I know most researchers, it was the publish or perish rule. That becomes an important piece of all of this.

DR. KRAMER: You would use that more than anything as the distinction. Is the goal here for publication?

DR. COHN: I see that as one of the fundamental distinctions. But I think to me the issue is you want to make sure that regardless of what the use is here, since there is no very good line that things are well protected, regardless of what happens. And I think we'll need to think about that as we move forward, to see if indeed we feel that that is data well maintained and protected regardless.

DR. KRAMER: Where it falls. That's where I'm coming from too, where does it fall within these different categories of use.

DR. ZUBELDIA: Along those lines, I would hesitate to say unless it is published, it is not research, because there is a substantial amount of pharmaceutical research by contract research organizations that I know of that never gets published. And it is proprietary, not pharmaceutical company or group doing that research.

DR. HARDING: That's where we get into trouble, because negative research doesn't get published, but it should be. That's research. The negative studies have to come out, because that's true research, as opposed to operational in my opinion.

DR. LUMPKIN: Is that within the scope of this legislation though? I agree with you. There are a number of editorial boards that quite with that idea, but to try to get those things published sometimes is a little bit difficult.

Other research items while we're on this section?

Individual rights. John, if you could summarize those? If you could do that individually.

MR. FANNING: Again, the proposal follows a standard set of fair information practices. You want to be told clearly up front how the information is going to be used, and proposed regulation sets out some of the criteria for that notice.

You ought to be able to get to see your own record. There are some limited exceptions. You ought to be able to file an amendment or observation about a record that you believe is inaccurate or incorrect. You ought to be able to find out to whom the record has been disclosed in some circumstances, but not with respect, as I understand it, to treatment, payment, and health care.

And what else? Anything else in the set of basic rights? That's it.

MR. SCANLON: Does disclosure count?

MR. FANNING: Yes, who else has seen it.

DR. COHN: I had a question here. I'm just looking at the wording of the right of an individual to restrict uses and disclosures, which is at the bottom of this document at 283. It is somewhat awkwardly worded, but I find myself sort of having a question about it.

It reads, "A covered entity that is a health care provider must permit individual to request the uses and disclosures of protected health information for treatment, payment, or health care operations be restricted. If the request restrictions are agreed to by the provider, not make uses or disclosures inconsistent with such restrictions."

Now I think I can sort of -- as I was looking at this one, I think I can understand payment in terms of people may want to not have things billed. And I think I can understand treatment. I was having trouble why health care operations was included. Very clearly I don't think we mean to include this. Do you have any comments or thoughts? Why would we want to restrict uses for say quality assurance or otherwise?

MR. FANNING: In fact, the point is that it may well be that the provider who is asked may say no, we simply can't agree to that. If you come for care here, we have review processes to be sure we are doing it right, and you can't opt out from it. So as a practical matter one can't envision that as a regular thing. But we think the opportunity to ask ought to be provided to the extent that there is some specialized circumstance that might affect people, which they may seek to have the provider not use it for that purpose.

MR. ROTHSTEIN: On the individual rights that you outlined, John, was any consideration given to a provision that would say that these rights may not be waived?

MR. FANNING: No, we haven't said that. We haven't said that. I think it would be part of our basic scheme that we would not want let's say providers to say please sign this. We won't treat you unless you waive your rights in this regard.

MR. GELLMAN: Can I make a comment on it? This is an issue that has floated around for a long time, and no one has ever really confronted it directly, because it gets potentially troublesome at various points, because it is not clear how you phrase -- you have to be fairly specific in terms of saying which rights a patient can't waive, because there are other provisions here that may or may not look like rights, but may be affected here.

It's just troublesome to do. And it has to done with some delicacy, which is one reason that I think that no one has never really ever done it, because it's going to call too much attention to something that has been a problem.

MR. ROTHSTEIN: But I would recommend that with all the delicacy that you can muster, you ought to take that on. But please don't waive your right to discuss that later.

DR. LUMPKIN: Other issues under individual rights? Any discussion under preemption? I don't have the HIPAA legislation, but are we comfortable with the ability in the rulemaking to preempt state law? Okay. States don't like federal preemption.

MR. GELLMAN: They ought to be used to it by now.

DR. LUMPKIN: Any of the administrative requirements areas that we want to discuss? Requirements for documentation on the policies and administrative systems? Okay, it seems like we have kind of run out of stuff.

I'm a little bit disappointed. We've only had a two and a half hour discussion on a document we all haven't fully read, but I hope it will help the committee in their work, and certainly many of us who may not be involved in the work of the subcommittee, but will see the document after the first week of December, hopefully this discussion will be useful as you see their deliberation.

It seemed to me that if I can perhaps summarize the overall feel for our letter. It would seem that we would note our prior recommendations to the secretary as being the framework that this is what we really wanted. But recognize the fact that this rule is being promulgated within the context of HIPAA, and that there are restrictions that are imposed. And then really frame our discussion.

So it would be in two parts. We would like it to be this, but since it can't be this, this is at least how you can make this better, is what I think would be the approach. It was also the intent that there will be some areas for which there is not agreement, and that's okay. And the intent will be to therefore document both sides of the position, and then record the vote. That would be the intent.

So when we have the conference call of the full committee, then the intent would be to perhaps deal with those issues for which there is controversy, take the vote on that, and then take the vote on the full report. So that's the way we'll try to manage that.

Any questions on the procedure or final comments?

DR. HARDING: Are we just going to say a word about law enforcement? Our recommendations last time were not shall we say followed. I guess we can individually comment on those.

DR. LUMPKIN: I think we can comment as a committee on law enforcement if we so choose. And that would be the subcommittee should come forward with a recommendation if that's something that they think ought to be commented on. And then I think it's equally appropriate to comment on exemptions for other state agencies and the intelligence community if that again is something that the committee feels that they should comment on.

DR. ZUBELDIA: Is there any linkage between this proposed rule and the security proposed rule to the extent that if one complies with the security proposed rule, that would be adequate protection for privacy?

MR. FANNING: It's not one for one.

MS. WAHL: The security proposed rule and the privacy rule are very closely linked to one another. One of the key areas where you see that linkage is in the administrative procedures under safeguards. The privacy rule makes a general statement, you need to have sufficient safeguards in place to protect how information is handled, both within the bounds of your entity, and as it moves beyond that. What we have done is make a very general statement so that the security rule can work within more detail in that framework.

DR. ZUBELDIA: Would it be required of a provider that sends protected health information to another provider -- would the provider that sends have to get some certification or verification from the provider that is going to receive it that they are meeting the security requirements before the information can be sent? Where is that responsibility? Is it in the sender? Is it in the receiver?

MS. WAHLS: Well, it's important to note that the two regulations are very related to one another, and certainly in developing the proposed rule we worked to make sure that they were two things that could integrate with one another. It is also important to note that as far as compliance, there are separate documents. So that you would have to consider both separately and compliance at the same time that you were understanding that linkage.

I'm trying to think if there was a better way to answer your example. In your example, if the information is being shared between providers, each of the providers is going to be covered independent, and compliance can be followed up for each independently. They are going to be required to comply with the security regulation independently, and with the privacy regulation independently.

With business partners, one of the contract terms is adequately safeguard. The covered entity that is making this contractual arrangement could even say that to meet that standard to adequately safeguard, we want you to adequately comply with the security regulation, even if we are not a covered entity under the security regulation. Does that make sense?

DR. ZUBELDIA: As a health care provider, if I send medical records to another health care provider, would it be adequate for me to know that they are a health care provider, and therefore they are subject to the same rules, and therefore I don't need to take any extra precautions?

MS. WAHL: Correct. You are responsible for your own security.

DR. ZUBELDIA: I'm not responsible for making sure that they are going to keep the security, because they are provider, they are obligated to keep it.

MS. WAHL: Right.

MS. BRUNS: Where you need to worry is when you're disclosing to another entity that it not a covered entity.

DR. ZUBELDIA: I'm assuming they are all using EDI.

MS. WAHL: In theory it is an accurate statement that you could have another provider that isn't a covered entity, because they don't do anything electronically. But in practice we think that that is going to be a fairly rare case than less rare.

MR. GELLMAN: Just send it to them electronically, and then they will be covered.

MR. BLAIR: Covered health entities -- health plans are a covered entity, but insurance companies are sometimes included as part of health plans and sometimes not? Could I get a clarification as to when an insurance company that is providing health care insurance, under what circumstances that's a health plan, and when it is not a covered entity?

MS. WAHL: I don't have that definition right in front of me. That was defined in the statute. Do you have that with you?

MR. FANNING: Yes, but I think we have pretty much copied it out into the regulation, but I think it has to do -- an individual or group plan that provides or pays the cost of medical care. And then statute gives a number of examples from specific programs like Medicare and so on.

I think it's fair to say it envisions a plan that covers individuals who are identified in advance, and probably doesn't cover a liability insurer who is paying the bills of the person who has been run down their insurance. But there are probably some close cases even there.

MR. BLAIR: Would it be fair to say then that any insurance company that sells and markets health care insurance policies to individuals -- I'm not talking about ones that are paid through a corporation or a government agency, but just that they are selling them to individuals, they are not normally defined as a health plan, but are they a covered entity or not?

DR. LUMPKIN: Can we maybe ask if Karen can come to the microphone? Did you want to weigh in?

MS. TRUDEL: Yes, actually I did. For the most part, those insurers would be considered health plans. The ones that are excluded are life insurers, property and causality companies, as John mentioned, certain workers compensation plans I believe. But either individual or group insurers of health care are considered to be plans.

MS. FYFFE: What about automobile medical policies? Are they property and casualty?

MS. TRUDEL: Do you mean the policies where the automobile insurer would pay the medical bills of a person who has been injured? Not include. Excluded. That's under the property and casualty.

MR. FANNING: But I think you still raise a good question. Her question is not about the liability portion, but about medical payments coverage that is frequently sold along with liability that covers the purchaser of the policy. It's kind of an obscure subset, but obviously it has to be dealt with.

MR. GELLMAN: It's not that obscure. It's an incredible loop hole if you allow health policies that are contingent, or that are part of a casualty policy to be totally exempt from this, because I can write a policy that protects you against being hit by meteorites, and then cover all kinds of other health things, and call it a property and casualty policy.

MR. BLAIR: Workmens compensation sounds like that's another area where medical records are requested. Why are they excluded?

MS. TRUDEL: There was a specific discussion of that in the course of the legislative deliberations, and as I understand it, that's where that exclusion came into play.

MR. FANNING: Jeff, in our recommendations we didn't propose covering them, because it was a difficult issue, and we just couldn't get ourselves mentally organized to deal with it. Because workers compensation shares some elements of the plans that we're speaking of. But it also shares some element of the property casualty mode of relating among the various parties.

And for one thing, we didn't want to include them among payer generally, because we were providing for easy disclosure of information to payers. And there may be specialized conditions that apply to workers compensation. It definitely needs to be dealt with.

MR. BLAIR: Thank you.

DR. ZUBELDIA: I would like to have a clarification on the definition of health plan. First of all, let me say that the three definitions or the new definitions of certain terms, specifically clearinghouse is right on the money. But on health plan, and this may be just a typo, there is a comma missing or something. It says, "Health plan means an individual or a group plan that provides or pays the cost of medical care."

So I could read it that an individual provides medical care is a health plan. In which case, the other issue whether they do EDI or they don't do EDI is irrelevant, because it would be covered. As health plans all providers would be covered.

MR. FANNING: Where do you see this?

DR. ZUBELDIA: On 273.

DR. LUMPKIN: It should say means an individual plan or a group plan. I think that's the intent.

MS. WAHL: I agree with that, that it's just a wordsmithing. In the preamble discussion of what the statute used, it does say exactly what you explained, an individual plan or a group health plan.

DR. LUMPKIN: See, and you thought that the editing was through.

MS. WAHL: It's never over.

DR. COHN: Actually, I didn't have a specific question about the NPRM. It was more of even though this is not a meeting of the subcommittee, I thought maybe it was an occasion for the -- we have already talked about the overall process of the committee. We haven't talked about how the subcommittee itself is going to get from today through December 8 where everyone will have copies of this letter. Maybe Kathleen could help us with this on how the whole committee can help.

MS. FRAWLEY: Actually, I had mentioned it earlier. The subcommittee will meet by conference call. So I'll be surveying all of you for availability for conference calls. What we'll do on the conference call is discuss the recommendations, and come up with our key points. At which point I will draft the letter and circulate it back out to the subcommittee. Then it will go on to the full committee on December 8. So you can expect that we are going to have a conference call at the end of November, beginning of December.

DR. COHN: Would it be helpful if any of us who had any e-mail correspondence related to any of the issues, any of the committee members to send them to you, or someone else, so that could be the basis for the conference call?

MS. FRAWLEY: Sure.

DR. LUMPKIN: I would encourage that, and I would encourage them to do that within the next two weeks. So we're going to ask everyone to send their comments within the next two weeks to Kathleen. There will be a conference call sometime the last week of November, early part of the first week of December, sometime after Thanksgiving.

Before we adjourn we have a couple of announcements, if we have nothing further on the privacy rule.

[Administrative remarks.]

[Whereupon, the meeting was adjourned at 3:25 p.m.]