[This Transcript is Unedited]
Wilbur J. Cohen Building
300 C Street, S.W., Room 5051
Washington, D.C.
Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
Agenda Item: Introductions and Overview
DR. COHN: Okay, good morning. Will everyone please be seated. We're going to get started. I do want to apologize. We're running a couple minutes late. I'm going to call this meeting to order.
This is a meeting of the Ad Hoc Workgroup on Secondary Uses of Health Information of the National Committee on Vital and Health Statistics. The National Committee is a statutory public advisory committee to the U.S. Department of Health and Human Services on national health information policy.
I am Simon Cohn. I'm Associate Executive Director for Health Information Policy for Kaiser Permanente and Chair of the Committee. I want to welcome Committee members, HHS staff and others here in person and also welcome those listening in on the Internet and remind everyone to speak clearly and into the microphone.
I do just want to take a moment and obviously welcome one of our former chairs, immediate past chair, John Lumpkin, to join us today. So, John, thank you for joining us. Okay.
With that, let's have introductions around the table and around the room. For those on the National Committee, I would ask if you have any conflicts of interest related to any of the issues coming before us today, would you so publicly indicate during your introduction. I want to begin by observing that I have no conflicts of interest. Harry?
MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina, no conflicts.
DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the Committee, no conflicts.
MR. BLAIR: Jeff Blair, Lovelace Clinic Foundation, no conflicts.
DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, Staff of the Ad Hoc Committee, Liaison to the Full Committee.
DR. VIGILANTE: Kevin Vigilante, member of the Committee, Booz-Allen & Hamilton, no conflicts.
DR. DEERING: Mary Jo Deering, National Cancer Institute, Staff to the NHIA Workgroup.
MS. PATTERSON: Wendy Patterson, The National Cancer Institute Technology Transfer Center, thank you.
DR. LUMPKIN: John Lumpkin, Robert Wood Johnson Foundation. I live my whole life conflicted, but none with this meeting.
DR. LOONSK: John Loonsk, National Coordinator.
MR. SCANLON: James Scanlon, Health Policy R&D, member of the Committee, no conflicts.
MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics, CDC, Executive Secretary to the Committee, and I would have to say that Margaret is very happy to have the current and former Chair here.
MS. AMATAYAKUL: Margret Amatayakul, contractor to the Workgroup.
MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC, Committee staff.
MR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine, member of the Committee, no conflicts.
MS. THORNTON: Jeanette Thornton, America's Health Insurance Claims.
MS. OCHS: Lisa Ochs, Impact Medical Systems.
MS. BUEHLE: Allison Buehle, American Health Information Management Association.
MS. FRANKLIN: Angela Franklin, American College of Emergency Physicians.
DR. COHN: We welcome everyone, and especially for this hearing and with these microphones, I just to remind everybody we need to be very careful and really do need to sort of bend over and speak into these microphones. They seem to be very tricky for whatever reason, and we obviously want to have people on the Internet be able to hear us.
Now having just said, of course, I have no conflicts of interest, I was just looking through the agenda, and did a think need to declare that later on this morning, one of the presenters actually is from Kaiser Permanente. So while I don't think there's an absolute conflict, I do want to publicly disclose that. We actually also do have a couple of copies of written testimony that we do want to note, one from Deborah Collier, President of Patient Advocates and Research.
There also was an additional written document from Group Health Cooperative, Group Health of Pugent Sound. And just once again to disclose interest, Group Health Permanente, the physician group actually is a Permanente Medical Group, which is the group that I work with, so just by full disclosure.
Today marks the beginning of the second set of hearings of the Ad Hoc Workgroup on Secondary Uses of Health Information. Specifically, the National Committee has been asked by HHS and the Office of the National Coordinator to develop an overall conceptual and policy framework that addresses secondary uses of health information including a taxonomy and definition of terms.
We've also been asked to develop recommendations to HHS on needs for additional policy, guidance, regulation and/or public education related to expanded uses of health information in the context of the evolving and developing nationwide health information network.
Obviously, we're talking about this and have been. The initial emphasis, though, is on uses of data for quality measurement, quality reporting and, most importantly, quality improvement which is something that tends to at times get a little de-emphasized in our efforts around measurement and reporting.
Also, I should comment that part of our work is to talk about approaches, and by approaches I include things such as tools, technologies to help minimize any sort of risks that we may identify as we consider the area. I am leading the Workgroup, but I do want to thank Harry Reynolds and Justine Carr who have been willing to serve as co-vice chairs. I think, as you all know, I am depending on them significantly, and they really have been instrumental, I think, in putting together, I think, what's being some very interesting hearings.
I also want to thank members of the Committee for their participation, and, of course, our liaisons and our representative from the Office of the National Coordinator, John Loonsk, thanks for joining us, Steve Steindel, Mary Jo Deering, of course Debbie Jackson has been instrumental as well as Marjorie Greenberg. And, of course, there's been staff support with Margaret A, Aaron Grant who I don't believe is here today, and Christine Martin Anderson who once again we may see at these meetings, but of course we're dealing with summer vacations and such.
Obviously, I want to begin by thanking you all for your willingness to participate. I think we commented previously that there is a lot of activity this summer. We have a lot of work between now and when we're out the beginning of August and what we hope will be a nearly complete report by the end of September. So I want to thank you for donating your summer vacations to this activity.
In all, we have planned for six to eight days of hearings, and we're about a third of the way through now with additional time for public discussion and review of our draft recommendations and framework. And, of course, as always this is going to be a very open and inclusive process.
Today we're going to start out with testimony talking about sort of the higher level framing issues and indeed the tension and discussions throughout all these hearings have been moved from high level down into specifics and back again trying to make sure that we're not missing anything. And we're obviously very pleased to have John Lumpkin, whom I've already thanked for his participation, and Wendy Patterson from caBIG, and thank you very much for joining us.
From there, we'll be talking about perspectives on uses of health data, first talking about quality perspectives and then, after lunch, talking about secondary and I think a new term from our last meeting, tertiary uses of health data which I think we may find a useful way of beginning to talk about the universe.
Finally, this afternoon we'll be talking about public health and statewide planning perspectives. As we decided last meeting, we will have an hour and a half for discussion today, and we'll have time tomorrow afternoon for discussion and then also on Friday morning.
Just to remind everybody, as hard as it was getting here at nine o'clock this morning, tomorrow's starts at 8:30. So, now with that, and I know John has to leave, I think, relatively quickly after the session. But John, I think we're asking you first up to sort of give us some of your, I think, sort of broader insights around secondary uses, and again thanks for joining us.
Agenda Item: Key Opportunities and Challenges in Framing Uses of Health Data
DR. LUMPKIN: Great. It's great to be back to see the work that the Committee is doing. I think this is the right issue. It's the right time. We're now about 11 years post-HIPAA, and it's amazing how often the issue comes up. But some of the key issues I think that need to be discussed about HIPAA, I mean, health information technology and the implementation of that relate to privacy. I think the Committee has been right on in looking at key issues particularly in those areas where when we initially looked at privacy that we didn't think about and expanded uses of health data. Personal health records, your letter on personal health records, I think, was also very useful in drawing the right attention, and now on secondary data use, a critical point in our nation's history as we begin to look at what's going on with health.
We have a political environment where health and health care is increasingly being a focus. No matter who gets elected come November of 2008, the issue of health will be high on the agenda of the nation. And I've heard a prediction actually from both sides of the aisle that the basis for fundamental change in relationship to health care may be even greater now than it was in 1993.
And so the work of this Committee in thinking through some of these significant thoughts prior to that debate occurring looms as very likely that the deliberations of this Committee will impact those discussions, particularly as they frequently do, the secondary uses of data get thought about sort of as a last minute as someone's going to conference committee having a document that they can pull out will help guide those discussions. So thank you for doing this.
To highlight my point about where health care is, there's a survey that's done funded by the Foundation that's called health tracking. And, yes, Mary Jo, if you put it near the microphone, I'm sorry, I couldn't pass that one up, that this survey is done, there are 12 sites around the country, and they go out and conduct over 1,000 interviews with various key leaders in those communities.
When they talked to businesses in this survey, one of the important issues related to health care, and this is shown in public polling, is the issue of affordability followed by coverage for all and then quality.
The interesting thing, though, is when they did the survey in these 12 metropolitan areas, they talked to leaders in health care, and what they talked about was that they saw a further evolution, that there was going to be increasing tiers of care. In other words, you have people uninsured who are going to get one tier of care; you have people who are going to be on Medicaid who are going to get another tier of care. Perhaps those who are in self pay health savings accounts kinds of things may get a different level, particularly if they have a high deductible, and then those who are fully insured. They see increasing tiering of care, different levels of care being available. The health leaders also see that there's mostly going to be substantial cost increases and, because of that, a reduced ability to cross-subsidize uncompensated care, all putting pressures upon the health care system.
But they're all looking at health leaders as significant expansion during this time frame, looking at from the period of 2005 until the end of the decade. That's important because they're looking at building, they're looking at buying new toys, all of these which are going to be further drivers for cost.
But the most important finding, I thought, of this survey was when they asked all these leaders of health care organizations, none of them had any cost control strategies. The issue of cost control sort of had gone out of the front of their mind attention.
But when you talk to the public, and this is just very recent poll data, after the war in Iraq, health care has now become the number one domestic issue -- in fact, the number two overall issue for the people in this country. So we believe, and certainly when you look at the positions of each of the presidential candidates in both parties, they all are addressing the issue of health care. Some are addressing the issue of universal coverage. Some are looking at Medicare reform. Some are looking at tax reform, but all with the goal of trying to confront this issue of increasing cost and Americans' increasing fear that they're going to be unable to afford health care for themselves and their families.
What's also clear is that, as the various leaders from both parties begin to address this issue, health information technology falls on their radar screen as something that needs to be done to address it. Increasingly, we're being able to get them to the point of realizing that HIT is not a magic bullet, that it is necessary but not sufficient to enable the changes that need to occur.
So many of the big questions they're addressing is who pays and how. Now put this within the context of another recent poll which found that 62 percent of Americans believe that if they're admitted to a hospital that something bad will happen to them. We know that there are significant studies, the one by Beth McGlynn, that was done in 2003 is perhaps the one that has gotten the most attention and still is the most striking. She's doing some work to follow up on that. But I do want to mention that because it does set the context.
This study, a fascinating study if you haven't looked at how it was done. About 6,700 people – more than that were contacted, by 6,700 people agreed to have the Rand team look at all their medical records. So, you know, hello, I'm from Rand, I want to look at your medical record. When they looked at their records, compared their treatment to standards of care, that's when the report came that roughly half of all care, half of patients are getting the care that would be appropriate for them.
The cost of this study was $15 million, a very startling study, but it had a dramatic impact upon policy. But did it really have any influence on individual care. I point this out as being one of the very important studies which has helped us come to the conclusion that we receive the right care only about half of the time. But the other argument is that much of our health care spending has no value.
Many of you may be familiar with the work of Jack Lindberg who now has retired, and Elliot Fischer's taken over at the Dartmouth Health Atlas, another very costly venture but one which is yielding significant results that have impact.
Variations in cost between the red ones which are the high cost regions versus those that are white which are the low cost regions represent 30 percent of the Medicare dollar. And to put that in perspective, if you apply that across all the health care, you have more than enough money involved in that variation to cover all of the uninsured, no matter whose numbers you look at what the cost of that is.
But this system is primarily driven by Medicare claims data, and it's relatively old. But there are significant uses that may occur for this data. This is the same one that showed that when you look at all medical conditions and you put them in a graph and you compare it to the number of acute care beds, that there seems to be a direct line correlation. The more acute care beds you have, the more people get discharged from hospitals.
So that this utilization of care is not driven by need – you can compare it to, on this chart, you can see the hip fractures at the bottom. There's no decision involved with a fractured hip. Somebody falls, they fracture their hip, you have to fix it. When you go across the communities, and they range from one to six for the number of acute care beds per unit, and I don't remember the unit of population, you can see that the rate of discharges for fractured hips is straight, no difference from region to region.
But when you look at those discharges where there's some decision making involved with them, utilization is based upon the availability of resources. This methodology enables them at the Dartmouth Health Atlas, they can now link patients to hospitals. And so they now can compare how hospitals are performing from region to region, from city to city.
So you take the 25 best hospitals and look at how they compare in cost, the number of consultants they have in the last six months of life, and there's a dramatic variation between the 25 best hospitals across the country, again reflecting significant variation that occurs in health care.
But when they look at it on the basis of the health atlas and they compare the cost versus mortality of those same hospitals ranging from one to lowest cost community and using that as the index to the highest cost community, and that's a range from one to 1.8, mortality is no better at the high cost region. Adherence, in fact, to certain guidelines such as aspirin at discharge is in fact worse in the high cost regions.
So more care doesn't equal better care. And the ability of using data like this to better understand that's going on in the regions and to drive quality improvement, of course, is the holy grail that we're looking to go towards.
One also has to note that there are significant inequities in health care. This particular slide was for me a turning point in my understanding of this. This is from David Narenson, some of the work that he's done in Michigan. An important part of this slide is it compares adherence to the guidelines which is children 5 to 17 years old after an emergency admission to the hospital ought to be followed up by the managed care plan, and the rate for African-Americans is half that of those who are white.
What struck me is that when I first saw this at a meeting, one of my colleagues leaned over to me and said, you know, John, the problem is that both of them stink. And so that when we look at the issue of inequities in systems based upon race and ethnicity, we have to look at it two ways. We have to look at the issue of bias. Bias becomes very important for us to understand because, as we think about that, much of what I believe is engaged in bias are unconscious decisions that are being made.
So a clinician sees someone before him with HIV. They're African American. So they make the assumption, not intentionally but in trying to give the best care, that they don't have the social resources to use multiple drug therapy. And we all know if you're not on multiple drug therapy regularly, you begin to develop resistant strains of HIV.
So the assumption is made quick look, I'm going to make an assumption about that person, they're not going to put them on prescribed levels, so they're only going to put them on one or two drugs to treat their HIV. We all know that with health information technology and decisional support, the system could say, oh, by the way, doctor, this patient meets the criteria for multiple drug therapy because the system would know that they live with a relative, they've got all sorts of supportive networks.
That's one of the ways that health information technology can address it. The studies that we've looked at indicate that this is only a component of the disparities that exist in health care. A much greater factor in the disparities that exist in health care are because not of who people are, although that's a component, an important component, but it's where people go for care Eighty percent of minorities in this country are cared for by 20 percent of the providers. And those same providers tend to be in the safety net. They tend not to have the resources to hire consultants and related to do quality improvement, and they tend to be less able to meet the guidelines.
We funded a study for the last – a project over the last two years called Expectant Success: Excellence in Cardiac Care where we worked with ten hospitals that are roughly inner city hospitals that serve a high percentage of minority patients. And over a period of about 18 months providing them with that kind of technical assistance to do quality improvement, we've dramatic improvement and adherence to cardiac guidelines across the board.
So it begins to be a factor not only of where people – how bias exists in the system, but identifying where there may be areas that you can have specific focus, and this has to be data driven.
We also have a system where people are disconnected from the cost of their health care through much of their encounters. So what this chart shows, it was a study that was done by the Wall Street Journal and Harris Interactive. They asked people what they thought their health care cost, or the cost of certain kinds of treatment.
So, for instance, they asked what do you think it would cost to treat high blood pressure. The average actual cost was $93. People estimated it was $153. But here's where it really becomes significant. They asked them what was the cost of spending a night or day in a hospital. The average person thought that the estimated cost was about $1,000 per night, when the actual costs were over $3,600.
And so we have people who are disassociated from the quality of their care, but they're also disassociated from the cost of their care.
So our strategy in trying to address this, and this is one that we've done in some coordination with the Secretary and the Department of Health and Human Services in other areas is to begin to look at how we can fundamentally change the way that health care is being done from a quality perspective.
And so our work is looking at developing a regional approach. We've done a lot of work with sort of, you know, here's an improvement project at one hospital, and that across town there's another project. But when you look at care overall, we're not seeing dramatic improvement. How do we make that dramatic improvement.
We believe that doing this at the regional level is an important component, that the first component of this is that building coalitions and funding coalitions of consumers and purchasers and payers of care to drive towards transparency. Public reporting of quality and price information.
Now this is important to enable a couple of things to happen. One thing is it enables consumers to be able to make better choices. A good example, a good friend of mine worked for the Chamber of Commerce, and she was in a HAS. So she had a health savings account, so she had $5,000 in stuff that came out of her health savings account, and then everything else was the high deductible plan.
She needed a caesarean section. There are four or five hospitals that were in her plan. None of them would tell her what the outcomes were of their C-sections, nor would they tell her how much it cost. Without that information, how can the consumer have any influence or involvement in the way the system functions.
So public reporting of quality and price information can enable consumers to have direct engagement in the system. The second component of this is that I believe in all my experience and the people I know tell me that providers want to do a good job. And by and large, they don't have a clue how well they perform. And given information on their level of performance, they would identify where they have their gaps. You know, the various studies to look at when you ask providers have they recommended eye exams to their patients who are diabetics and you ask them if they do it, and they say, yes, I do it 80 percent of the time. And you look at their records, and they do it 20 percent of the time. Well, that's a gross exaggeration, but roughly that's the way it works.
Giving feedback to providers about the level and quality of their care will have a dramatic impact. And what we believe is that we'll drive the adoption of quality improvement, and the adoption of quality improvement methodologies.
And so we are committing at the Robert Wood Johnson Foundation significant resources over the next – in the 2007 and 2008 about $112 million to fund programs related to this regional approach, and over a five-year period about $300 million. We want to see this drive improve patient outcomes within these regions. But the key issue is transparency, and one of the key obstacles, even if you use transparency based upon administrative data, one of the key obstacles to doing this is our structure of how data flows in this country.
When I talk to regions, I just talked to a group of people who were meeting in a similar process up in Providence, Rhode Island, and there's a group of collaboratives mostly based around Medicaid in North Carolina, in Providence, Rhode Island, and I forget where the third site is. The number one issue that they raised is what I would call misinterpretation of the HIPAA privacy rules as barriers to trying to do the sort of transparency. We believe that what needs to be done is to figure out how to aggregate data that's meaningful and reliable at the provider level. That means individual clinician. And we're actually funding approaches to do it. We're hedging our bets, and we're funding top up and bottom down. Bottom up and top down approaches. One is to do aggregation at the national level working with organizations such as, well, I can't say that until after my next meeting. Anyway, working with some national organizations –- we haven't announced that. Looking at merging health plan data and Medicare data, coordinating with ARHQ to be able to look at methodologies to do that, coordinating this with the Value Exchange Initiative of the Secretary, but to develop at the national level through national data sets to then aggregate the data at the regional level to begin to measure the quality. And from the bottom up approach, each one of the regions – and we've identified 14 regions across the country, and they range in size from the State of Maine and Wisconsin, Western Michigan, Western New York State to cities like Memphis, Detroit, Seattle, Minneapolis, all the way down to a small town like York, Pennsylvania. And we're looking to expand to areas, particularly looking in those areas that have a higher concentration of minorities so that we can begin to, as part of our strategy, not only look at using transparency to drive quality improvement, but also using – looking at how we can begin to address the issues of disparities and go across the spectrum of care.
We're going to be expanding into some of the other communities across the country. Roughly our goal is to have about 20 communities and to provide them with the resources to develop the infrastructure to do transparency, public reporting of quality and price information, and at the back end develop the infrastructure to do quality improvement.
We don't know what that infrastructure looks like, but we're going to fund a number of different models. It may be hospital centric, it may be health plan centric, it may be professional society centric. But a key component of this will have to be the roll out of health information technology to enable this. And there are models for doing quality improvement. We funded one in North Carolina working with the American Board of Medical Specialties, North Carolina and Colorado to develop models of getting out quality improvement technology in the individual ones and threes physician offices and using and developing a new kind of specialist called the quality improvement coach who actually goes into these small offices. We're currently working with 50 practices in North Carolina and another 50 in Colorado, and we'll be expanding that program in the coming future.
So all of this is geared to try to improve the quality of care. It drives key components of the chronic care model that you may be familiar with, with Ed Wagner. But a key component of that is that if this is going to work, you need to have an informed activated patient. And part of that patient being informed is having the information that enables him to make those kind of decisions.
This all ties in with the work that you're doing and in many ways goes back to the earlier vision of the Committee, the national health information infrastructure, that may not be the common phrase, but we all kind of go back there, and the interfaces between the health care provider, the population health and the person of health domains.
With your work, the work that you're doing here in developing this taxonomy, I think it's very important to understand a couple of key issues, and then I'll say a couple last things and wrap up.
Research is not public health, although some of public health engages in research in order to gain new knowledge. Quality improvement is different than research, although some of quality improvement – Beth McGlynn(?) is a perfect example, engages in research to gain new knowledge. Where we run into problems is where we're not very clear, and, as we have learned from HIPAA privacy, people will many times take regulations to the extreme and will not try to understand the subtleties of it. And so it's important to have at least some place that you can go for the subtleties.
And I could basically stop here, but I'm going to spend about three minutes and then quit on one other aspect of looking at the issue of these different spheres of using secondary data, and I liked the grid that you sent out to the various people. I think that those are really the important questions. So I'm just going to add some, not to change your grid, but maybe a slightly different way to think about it because that's all I could do with your doing so much good work, I didn't have anything else to add. And that is to look at some of the basic principles of biomedical ethics and approach this problem maybe from that perspective.
There are four components of that: respect for autonomy which means to acknowledge the decision making rights of an individual, that relevant parties need to consent to any action that's taken, and do they acknowledge and respect others that may choose differently, the right to refuse.
Beneficence, which this is action, do benefits to others, and a weighing of the balance of the good versus the harm. Non-malfeasance, which is primum non nocere, or above all do no harm, and then finally justice, which is an issue that's a little bit hard to tease out of this not so much in justice in the sense of are we equally applying resources, but are we identifying where the inequities in the system occur.
And we know with TPO that autonomy is fairly well handled in consent. A patient comes in for treatment, they give consent to that treatment. They can refuse to have that treatment. The purpose of this is for the good of the patient. When the patient agrees to be treated, are they going to be treated appropriately. How do you prevent harm? Through security and privacy, through non-release of data that shouldn't be released. And some of the roles we talked about through the justice is are patients getting equitable care. And, of course, that can be determined under TPO.
Let me talk about in respect of quality, and I'll go through the three of them very quickly and I think it just bears some discussion or some thought – not necessarily discussion. Under quality respect for autonomy, you can do that in a way that you focus in on the provider and not the patient. And so the patient's autonomy, the right to make their own decisions, are preserved.
However, quality will improve care for the patient and society. So there's clear benefit. It has the potential to prevent harm, so the prevention of error, and you can use de-identified data to reduce harm, particularly in public reporting.
But the key component to that is that if you're going to improve quality to assure that vulnerable populations are protected, the importance of collection of race and ethnicity data is the only way that you can assure justice in the system.
The public health system has taken the issue of autonomy has been subjected to the public good. And I think the key important component here is that this is not determined by those who are practicing public health. This is determined by our societal system that it's driven by laws, that when you subjugate the public good, the individual rights to the public good, that it not be done willy nilly but in fact be done through a process that we use in our society and our democratic society is through our democratic mechanisms.
That there are public benefits and, in some cases but not all cases, there are individual benefits. So an individual who is on a cancer registry that's determined by state law to be an important public good likely will not benefit from that registry, but other patients will. Other people will.
These systems have legal protections of data, and they vary from state by state. For instance, in Illinois a report of a disease like Syphilis is protected and cannot be released into court – into a court hearing. So there's a higher level of protection because there's a higher level of subjugation of autonomy. Someone who has a sexually transmitted disease can be treated based upon that report, and equally as important, their partners can be treated. All are treated equal under justice, and they're designed to protect the most vulnerable.
And then under research, here I think the issue of respect for autonomy is key, that there has to be a consent and an obligation and an understanding of the right to refuse. Society might benefit because you don't know the outcome of research. The individual might benefit if they're in the right side of the randomized control trial, and there's protection from harm. IRBs, full informed consent which means they fully understand what the risks are, and the studies are designed to minimize harm.
And there are two components of justice which need to be evaluated. One is equitable benefits, and the other is selection of study topics and subjects, and there's been a lot of discussion about the fact that studies on cardiovascular disease until recently tended to exclude women and other groups.
So this is all sort of a biomedical approach to looking at some of these issues, and I just thought I'd toss it out. But the important thing is to look at each one of these circles of research, quality measurement and reporting in public health in their own right. These are very important. What is a talk without quoting Octo Barnett(?) and to point out that we must concern ourselves with the quality, efficiency and effectiveness of the practice of medicine and the provision of medical care, and looking just at quality without effectiveness and efficiency is not good enough, given the current political environment. Thank you.
DR. COHN: John, thank you very much. Now let me just do a little time check with you, knowing that you – you're not quite double scheduled, but you will be soon. Would your preference be that we go to the next presenter and then have a conversation or would your preference be that we just take a couple of minutes and engage you in conversation at this point.
DR. LUMPKIN: Well, I apologize for going long. But – so if we could do the conversation first.
DR. COHN: So you can go to your next meeting?
DR. LUMPKIN: Yes. I apologize. The Quality Line Steering Committee that is engaged in some of the activities I talked about is meeting at ten, and I'm supposed to open that meeting. I won't do that, but I would like to get there as soon as possible.
DR. COHN: Okay. Well, why don't we just open it for questions maybe for the next ten minutes or so, and then we can go on to our next presenter. Wendy, thank you for your forbearance on this one. But first of all, John, thank you, and I actually want to thank you for your focus on quality improvement just because I think that, as I said, in many of our testimonies and conversations, there's been so much focus on measurement and reporting that that last piece sometimes gets not thought about quite as insightfully. So we appreciate that.
Any questions or comments? Bill?
MR. SCANLON: Thanks very much. That was quite impressive in terms of all that you covered.
I'd like to go back to link what you were talking about earlier on with respect to the Winberg(?) work and the over-utilization of particularly the supply side set of conditions and talk about how we can think about addressing those. I mean, it's easier to understand sort of the feedback to the providers and providers wanting to do the right thing, but they'll increase their use of particular services. But there's a question of whether they will decrease their use of services. And it's – I mean, I was talking about these are these people's income that we're talking about in some of these circumstances. And so the question is how do we both develop the information which is maybe just a research task, but then can we get it to the point where decisions are being made through HIT that will be effective in terms of dealing with the realization which ultimately a big driver in the cost problem that people face.
DR. LUMPKIN: I remember it was a lot easier being on the Committee asking the tough questions.
MR. SCANLON: My apologies.
DR. LUMPKIN: This is really the challenge that's facing us. I think we have to address it in a number of ways. One of the positive things that make me think that we're moving in the right direction is that when you look at low utilization regions, Minneapolis, they're also one of the regions that have one of the most sophisticated public reporting systems. So there's hope there. Maybe not enough hope.
One of the areas that our foundation is going to be investing in is development of the concept of episodes of care which are looking at cost experiences of not looking at what it cost to get a diabetic ulcer treated, but what are the cost experiences of people like me with diabetes looking at the system, connecting different care experiences.
So looking at ways that we can reform the payment system and the reporting system in such a way to give us a better handle on effectiveness and efficiency. Will these work? Don't know, but I think we have to find out. Cost is driving the system, and there are components of cost which I think we as a society would think are good, and those are the costs that are driven by advances in health care, advances in technology. And one of the foundations of our system is that we want to have access to them.
On the other hand, there is a fair bit of waste in the system through 30 percent of kids who get antibiotics for their ears, you know, 30 percent of those antibiotic prescriptions for ear infections are deemed to be of no value. A significant portion of back x-rays for people who have low back pain are deemed to be of no value. Health information technology with decisional support can help us reduce some of those by giving warnings. By the way, this patient doesn't meet the high yield back criteria. Are you sure you want to get an x-ray. Enabling the reporting so that the systems can look at those clinicians who are having patterns of care. You know, not every patient's the same, and you've got to order back pain because sometimes you have a gut feeling. But if you have too many gut feelings, then maybe you need to re-examine how you're approaching the patient.
DR. COHN: Kevin, then Harry, Justine. And Mark, did you have a question? No, okay. So we'll do that, and then we'll probably let John wander off at that point.
DR. VIGILANTE: Thanks, John, great presentation. One of the things that came up in testimony last time was these, as you effectively argued, there's a very compelling use of secondary data to enhance quality and efficiency of care. Once collected, though, and in the possession of a provider or provider organization, there is the possibility that that data – de-identified data may be sold to a commercial entity, and it could be the sale of it that actually subsidizes the ability to collect in the first place. What do you see, having been on this Committee, sort of the role of this Committee or the usefulness in sort of addressing that white space that appears to be white space at the moment in terms of providing guidance or observing what the land mines might be in what we're starting to call this tertiary use of data once it's collected.
DR. LUMPKIN: Early on in my training, I'm reminded of a guy who I studied under, Peter Rosen, one of the grandfathers of emergency medicine, and at the University of Chicago where Peter was the head of our department, we developed a set of Rosen rules that I'm not sure if Peter ever knew about. But Rosen Rule Number Two is when all else fails, do what's right for the patient.
And I think that's really the charge of this Committee is that within the context of what HIPAA was originally set up to do and based upon transactions, as your letter aptly notes, there are areas, blind spots in relationship to privacy. There are blind spots in relationship to once the data gets aggregated and sold, are there ways that it can then subsequently be disaggregated, and we know that there are ways, and can we protect against that.
Well, if that secondary group doesn't have the same obligations, we have concerns. I think having concerns around personal health records that are being managed by non-health care entities is another area. And one of the important roles of this Committee as AFA(?) goes out, identify them and I think make very reasoned and important recommendations for change.
MR. REYNOLDS: John, thank you. I especially thank you for adding to our chart – parts of our chart. One clarification, and then a question.
You may a statement, research is not public health, but public health does research. And right after that, you made another statement, but some of us can't write fast enough.
DR. LUMPKIN: Well, the same thing about quality. In the field of quality, they do research, but quality is not research; it's really a mechanism by which the improvement occurs. And so you have to look at that piece of it differently.
What I didn't say and I should say is that when you look at the hierarchy of the tests that need to be looked at getting access to the data, I think the highest test is for research. And to the extent that you look at it for quality improvement of public health, that where they're doing research, they need to meet the higher test.
MR. REYNOLDS: So the question I have, you, obviously as a group we're looking at the privacy; we're looking the NHIN, and we're looking at this. And you've touched on autonomy and consent and so on. So when you add in the EHR and the NHIN and then what we're doing here, do those change your feeling at all? Because you are changing the procedure on individuals, and we consider at some point transferring them across the NHIN, and you see the patient at one point, and then all this starts to happen including secondary uses. Does all that together change any of these for you, or is that a new category for you, or does everything still play the same?
DR. LUMPKIN: I think it plays the same. I think that for what purpose is that data being used. If you are flying to Minneapolis to harvest a heart, you are charged not only with the surgery to remove that heart; you're also charged with safe transport and then safe transplantation. I think that the health data is very similar. It's data at rest and data in motion, and you're charged with taking adequate and appropriate safeguards.
MR. REYNOLDS: But if a person has made a decision to keep part of the data, block it, parse it out, do whatever, does that play in this at all?
DR. LUMPKIN: I think that's where it gets complicated, not that you don't know. But let me particularly go into where I think it goes – the two areas where the answer is different than, let's say, health care treatment or research.
Can a patient with multiple drug resistant TB choose to prevent that data from being shared? I think we would all say no, that shouldn't happen because that's the public good. But the basis of making that decision is not based upon an individual clinician or practitioner making that decision. That's a public decision made through democratic processes.
Similarly, in quality I think we need to have the same sort of democratic processes and structures saying that quality information is a public good, although the difference, of course, is that quality data can be de-identified, and public health data, if you're going to have that kind of impact, needs to be associated with an individual. So you kind of have public health data, clearly defined protections to keep it identified to move through the system, public good, but also much higher level of responsibility to protect it.
DR. COHN: John, you're eliciting some comment here. I think Steve wants a clarification.
DR. STEINDEL: John, did you actually mean to say that a person with multiple drug resistant TB should be identified. It seems to me what you're saying there is the person should carry a sign around and say I have multiple TB. I think you meant that he should be known to public health –
DR. LUMPKIN: Identified to the public health agencies.
DR. STEINDEL: Yes, thank you.
DR. LUMPKIN: Who have then the responsibility and authority to protect their identification – their identity as they're engaged in public health intervention.
DR. STEINDEL: Yes, and it actually involve release of the person's information in cases of real need. But that's not a general case. Thank you.
DR. COHN: I guess I should ask, John Loonsk, did you have a comment on this one, or did you just wanted to make a – have a question or comment later on.
MR. LOONSK: I have an additional question.
DR. COHN: Steve, then Marjorie and then John Loonsk, and then we'll wrap up.
MS. CARR: John, thanks for a great presentation as always, but I actually want to follow up a little bit along the lines of what Harry was saying because, as we talk about addressing disparities, improving quality, and then we also balance local privacy and the concept of masking elements of the medical record and making the control of that a decision of the patient, whether the physician can have that information straight on up to whether it's available for research, I wonder if you might comment both at the micro level, so masking data elements from the physician in your point about making decisional support, in other words, having information blocked, how do you implement decision support and then on up, how do you look at disparities or other needs, public health or quality needs, when that option of masking data's available.
DR. LUMPKIN: Well, again, I'd rather ask this question than answer it. I guess I have some fundamental beliefs that masking individually identifiable data, the best example is my dad who would go into a doctor and would never tell them that he had a heart attack at age 39. Part of his response was, well, they're a doctor; they're supposed to know these things.
You know, that doesn't work. Clearly, there are certain aspects of the medical record for which we already currently hold separately, medical health components, and others, and the electronic health record has to reflect that. It also has to try to protect clinicians, or our system needs to protect clinicians who are trying to make the best decision that they can and perhaps don't know that there's information that could have an impact upon their decision.
So it begins to get even more complex in that regard. Once you start taking that data and aggregating it, there may be a few people who will completely opt out of the system. But when you look at the volume of data that we can have to build the decisional support to measure disparities in health care, I think the small percentage of people who will opt out won't skew the results of those systems. So I think that we can tolerate a little bit of fuzziness in the data.
The final one is, is there's an obligation on all of us to inform the patient. A very important study that we did in relationship to attitudes of minorities in relationship to collection of race and ethnicity data, we made a mistake in asking the question, and we learned a lot about it. We got halfway through the study, and we found out that 60 percent of the population's predominantly African Americans who are opposed to the collection of race and ethnicity data in relationship to health care – 60 percent opposed, 40 percent in favor.
We looked at the question, and then we expanded the sample size, and we asked would you be in favor of collection of race and ethnicity data to reduce disparities in health care delivery, and it flipped. It is not 60 percent in favor.
We have an obligation, those of us who engage in policy, to explain in ways that people can understand and to use data in ways that they can see can have an impact and improve their lives.
MS. CARR: Great. Thank you.
DR. COHN: I think Marjorie and then John Loonsk, please.
MS. GREENBERG: Thank you very much, John, for coming and speaking and, as always, giving us a lot to think about and birth the big picture and sort the bottom line. So we weren't disappointed.
I have a slightly different question here than the line that's been going, but that is that you describe the three general quality improvement model that RWJ is funding, and I think we all know that RWJ has been as important a contributor to our health care and health system as really probably the many aspects of the federal government, and we're appreciative for that.
But when I look back, you know, when you're as old as I am, and you look back on some of the initiatives over the years, and many of the initiatives over my entire career have been regional approaches, and they have had mixed success, particularly a number of the information sharing and information technology approaches. And I wonder what is different about this new initiative of yours. Is it the focus on transparency and public reporting? Is it the fact that health information technology has advanced to an extent that we really can share more relevant information and learn more from the experience? I mean, I don't know if you get my drift, but I mean, you know, we've tried this – I mean, I go back to the PSRO Program, that's where I got started in health data. So what makes this different.
DR. LUMPKIN: Well, I think what enables us is the fact that we are able to collect even administrative data in ways that we couldn't 10 or 15 years ago, that's one piece of it. The second is that we've had two decades of significant improvement in our ability to understand and measure quality in health care delivery.
And the third, which I think is the transformative piece is transparency, public reporting of quality and price information, because it drives, you know, in health care we've always talked about, well, what's the case for quality. And we know that if you're a hospital and you improve quality, your length of stay goes down, so your revenue goes down. So why is that a good thing.
And then we say, okay, let's make the business case for quality, and that becomes even more difficult because the people who benefit from quality improvement aren't the ones who have to fund the quality improvement efforts. What transparency does is take all that off the table, and it makes quality improvement of business imperative, just as GM and Ford and Chrysler address the issue of quality in the ‘70s in competing with the Japanese automobile industry. It no longer became an issue of what's the case or the business case; it became a business imperative to stay in business.
And we believe that public reporting of quality information will put providers in the position for two reasons, they want to do well, and second because people will be asking questions. Their information will be public, and they will begin to adopt quality improvement as a result of market pressures and as a result of a professional desire to perform well that will get us over the hump of moving into quality improvement – widespread quality improvement adoption of which HIT is one piece.
DR. COHN: John Loonsk.
MR. LOONSK: Thank you, and thank you for your testimony, John. I thought a particularly compelling statistic about the way in which quality information may be useful, but race and ethnicity example I think was highly relevant to this group and compelling in terms of the importance of communication.
I wanted to clarify one point with you. I thought I heard you say very specifically that you're addressing this issue from two extremes, working bottom up and top down, and that from the bottom up perspective, I think, you referenced data residing in the clinician's office, or at least I may have may misunderstood. And then you talked about episodes of care. And how are you approaching in terms of the funding consideration getting the necessary data for supporting episodes of care or thinking about getting the supporting information when it's clearly not a top down activity, it's much more specific data than those, but also may not reside specifically in a particular clinician's office.
DR. LUMPKIN: Then if I said that, I misspoke. We're looking at a region like York, Pennsylvania or Minneapolis doing their own aggregation at the regional level, using data that's available at the regional level but they collect and then aggregate as opposed to another effort which is looking at national databases, Medicare, for instance, database and then aggregating that so it's relevant to that particular region and making it available to them.
The obvious advantage of regional aggregation is you don't have this huge large database which some of us feel uncomfortable with. The disadvantages is that it's expensive to do data aggregation. There may be some economies of scale. And I think those are lessons that we need to learn as a country and then make policy based upon that.
Episodes of care are going to be – most of that work will be done on some of the larger databases at the national level, and then when – if we think we have a viable model, then we'll test them out at the regional level with the data collection. All of this is being done in a way to create products that will be in the public domain that will be open source so that they can be tested by others and not held proprietarily by any one particular organization or operation.
DR. COHN: Well, John, I want to thank you for joining us. I particularly want to thank you for two pieces here. One is I think you obviously will know the history of the NCVHS. Reports such as these obviously aren't created in a vacuum, and I think your reference back to the NHII work from work that we did together, I think, were very useful in helping setting the context of the conversation.
I think the other piece is that we're in the process obviously of developing frameworks about how to all think about this, and I think we have certain elements that you've described, but I think the basic principles that you described, and particularly the justice piece that I think you brought forward, I think it would be very helpful to help us flesh that out.
So I want to thank you. It's a great pleasure to see you again. I'm sorry you can't join in for the rest of the day.
DR. LUMPKIN: As am I.
DR. COHN: John, thank you. Now I do want to before Wendy starts and really my apologies. You can tell we've completely deconstructed the agenda today, and we will rebuild it up. I do want to remind everybody (a) that the next session after this only has two presenters. So we're really not far behind, as well as the session right after lunch, I think, to my understanding, has actually one presenter. So we really do have a fair amount of time for these conversations.
This may require some adjustment of the lunch hour, but so if we start at 12:15, that may not be the end of the world.
But Wendy, thank you very much. I appreciate your forbearance on all of this. Please.
MS. PATTERSON: I apologize in advance if some of these material is repetitive. I don't know how much you all know about this program. So I'll try to spin through some of it a little quickly.
First of all, I want to thank everyone for the opportunity to speak today on behalf of the Data Sharing and Intellectual Capital Work Space of the NCI's Cancer Biomedical Informatics Grid.
My name is Wendy Patterson. I'm a senior advisor in the National Cancer Institute's Technology Transfer Center where I provide guidance on data sharing and intellectual property matters. One of my responsibilities is to serve as the NCI facilitator for the DSIC Workspace. Our members represent a wide variety of perspectives on many issues, including some of the ones we'll discuss today. Discussions in the Work Space are conducted in a frank and open and transparent manner. We don't always reach consensus in our positions, or at least not right away. And I'd also like to point out that the views that I'm expressing here today are those of most members of the Workspace and are not the official position of the NCI, NIH or the various institutions with which our members are affiliated.
I'd like to set the stage for my remarks within the overall context of the transition to personalized medicine where we will soon see unique level of characteristics of the individual patient that are driving the prevention of disease and the delivery of health care. This paradigm will require the synthesis of multi-dimensional data and the joining of multiple diverse communities including researchers, care providers, and data repositories in order to direct care that is based on the molecular characteristics of disease.
This approach is not without precedent in the cancer community. Treatment of childhood cancers today relies on a model that joins such communities to direct care that's based on these characteristics. And this model arguably is responsible for the tremendous successes that have been observed during the past several decades as is soon to be the case in adult cancer, childhood cancer is the chief cause of death by disease in children between the ages of one and 14. However, unlike adult cancer, mortality rates have declined nearly 50 percent since 1975. The pattern of care that's associated with childhood cancer differs remarkably from that of adult cancer. First of all, childhood cancer is treated in a context that blends care delivery and clinical research. On average, more than 50 percent of children receive treatment in clinical trial setting for treatment of acute lymphoblastic leukemia (ALL). This number is nearly 85 percent. ALL in children is also treated with consideration of the individual child's bio markers that are believed to reflect the molecular origin of the disease, and these molecular markers are currently used to tailor the intensity of therapy to minimize toxicity.
So in order to deliver on the promise of personalized health care, we need to be aware of a number of challenges. First of all, there's the biological complexity. There's the isolation of researchers, the technology disconnect, the health information tsunami that's confronting us with the overwhelming volume of data, multitude of sources. Obviously, reaching our goal of harnessing all of this information is going to necessity, but not easy to enhance cancer research.
Finally, there's the informatics tower of Babel which is at the heart of the barriers to better science. Sciences in different fields use the same terms for different meanings for different things. They use different terms for the same concept. Our own NIH community demonstrates this in many different areas of domain expertise. And while this diversity may bring outstanding results in a given, it's currently impossible to bring it all together.
And finally, we haven't really progressed radically from the 17th Century model of scientific information dissemination which relied on professional meetings and journal publications. So with all of this in mind, NCI recognized the strategic importance of using information technology and biomedical informatics to advance the goals of personalized medicine and therefore it has launched caBIG to create the full cycle of integrated cancer research that extends from bench to bedside and back again.
So caBIG is NCI's platform for molecular medicine, and it's designed to be the next generation web for biomedical research. It's a virtual web of interconnected data, individuals and organizations. The intent is to redefine how research is conducted, care is provided, and how patients and research participants interact with the biomedical research enterprise. It's intended to address the complexity of cancer by integrating biological and clinical silos, IT infrastructures, software and data institutions and people.
The enterprise itself is trying to bring different communities together through IT using a common infrastructure of vocabularies and tools so that each individual institution can connect it and resources in a way that will categorize discovery and advance the practice of oncology.
Just a brief note. There are four fundamental principles on which the enterprise is organized: open source which John Lumpkin referred to in terms of the development of software, tools and applications. I would point out that those tools are made available on a non-bio basis so that end users are free to take the derivative products that they make using our tools and wrap them in proprietary applications or not. Open access – resources need to be available, open development so all of our products which range from tools and applications to some of the things we'll talk about later are developed in an open and participatory way. Anyone can be on a caBIG teleconference. We have many people hold AHRQ. I never know who's there, but that's part of the process of making it open and transparent.
And finally, federation which is something we'll talk about in more detail further on, but it's basically a network of networks so that access to data is controlled locally.
In terms of the operational structure, we function in – we have domain work spaces where we have communities that work on specific topics of interest. We have cross-cutting work spaces that support the basic infrastructure, and we have strategic level work spaces that address issues of concern to the entire community. And so the DSIC Workspace is a strategic level work space. It facilitates data sharing. It's intended to facilitate data sharing and address a number of challenges, legal, regulatory, ethical issues, policy concerns, proprietary issues, which won't really be the subject of what we talk about today, but they loom large. And by necessity, we have a diverse membership. And I will say that, you know, in the first year just wanting to talk to each other was quite a challenge. Getting the lawyers and the IT folks to talk to each other was quite a break through, but it is interesting, and I think it's been illuminating on both sides.
And so obviously a number of data sharing challenges that I've alluded to and that John also mentioned. There are varying obligations under federal and state privacy laws, different IRB requirements both as they interpret things and also different policies and different cultures, academic considerations, concerns about protecting intellectual property, patient safety issues, and last, but certainly not least, public perception which are key.
And you know our view is that the maximum utility of this infrastructure depends on the ability to address these barriers, potential or perceived, and that we need to reconcile the needs to protect these concerns both in patient information but also in proprietary information in a way with controlled and secure access. But you know, also with the knowledge that – and I use this word advisedly, excessive restrictions, and who's to determine what's excessive, but we'll get into that, is going to choke the flow and impair the ability of researchers to leverage those silos. Yes.
DR. COHN: If you could just be a little closer to the microphone because I –
MS. PATTERSON: I'm sorry.
DR. COHN: I'm hearing most of what you're saying, but occasionally – no problem.
MS. PATTERSON: So with that in mind, from the start we've recognized the entire caBIG community, not just our workspace, that in order to accommodate the needs of diverse stakeholders, we really needed to take kind of a three-pronged approach to addressing these issues, and I'll talk about them in a minute.
But the first is a federated architecture, the second is an analytical framework that will enable continuous and consistent analysis. And finally, a sort of a technical approach to developing standards, tools and infrastructure that are broadly available.
So turning to the first prong, let's just talk a little bit about the architecture, and I also would want to make a full disclosure. I'm not a technically trained person, so bear wit me. But I certainly get to you much additional information.
The technical infrastructure is based on a set of technologies that we call caGrid, and it allows systems that are constructed according to a series of technical compatibility guidelines to interoperate with each other and with properly authenticated and authorized end users. The security infrastructure is federated, so users are authenticated at their local institutions and local providers have the flexibility for addressing proprietary and regulatory concerns about particular data resources. Institutions and individuals that make data available through this infrastructure are responsible for complying with applicable laws, regulations and policies including any requirements for informed consent, patient authorization and needs for protecting intellectual property or restricting data access for proprietary reasons.
This slide is intended to depict a series of federated grids that are based on a common technical infrastructure. The NCI instance, and that's a tech term that spawned from the language of software design, we call that NCI-caGrid. The federated and distributed nature of the caGrid technology stack allows for the interconnection of a series of networks that are managed independently but are interoperable with the NCI-caGrid. This flexibility allows, therefore, an individual medical center, cooperative group or other entity to set up its own instance of caGrid that can operate behind a firewall, with different security requirements than those of the NCI-caGrid. However, the participants in a local caGrid installation can interact with participants in the NCI-caGrid so long as there's an appropriate trust agreement. Similarly, participants in the NCI-caGrid can interact with other large scale implementations of caGrid that are expected to be compatible with caGrid standards such as the upcoming cardiovascular research grid or the United Kingdom's NCRI oncology information exchange.
Turning to the analytical framework, this is our strategic approach, and this is a framework, and I apologize. This is hard to read even from here and in a public raw data I would have brought a much larger version. It is reproduced at the back. If you have copies of the written testimony, so we actually brought updated versions that have the appendices. So I don't know if those were – okay, that's Attachment 1 at the end of page 15. It's a little easier to read, but not enough.
But in any case – I'll get to that, but the point is that this framework is based on sensitivity of data and access controls that are appropriate to level of sensitivity, not per se on the uses of the data. And this approach recognizes that there are varying levels of sensitivity of health information, and that many data changes require agreements, validation of users, authorization of intended uses and so forth.
And I would say that we appreciate that some data are highly sensitive and should never be shared without individual permission. Because this infrastructure is premised on the concept of federation, and I'll say this again, individual entities that control access to data are responsible for assessing the risk and the consequent protection that's required for data to be shared. So institutions determine who's authorized and under what conditions.
So this framework is grouped – we use basically four inputs to try to make the analysis, and those are the four coupled columns. And that first column talks in terms of economic proprietary concerns of researchers and research institutions. The second column talks in terms of federal and state privacy and security auth regulations, the third column speaks to ethnical considerations that are reflected in explicit consumer and IRB imposed constraints on data sharing, including restrictions that may be specified in informed consent documents, and the last column focuses on contractual restrictions that are imposed by research sponsor which often come from industry but may come from foundations or even from the government.
Once this analysis is completed, we think that a number of the barriers that we've talked about before can be reduced or even eliminated for some subsets of the data. So let's move on to the next page, if we could.
So in terms of actually implementing the framework, we're not trying to move forward to develop web-based terms of use and standardized contractual provisions for trust agreements that are designed to facilitate data sharing that would be consistent with HIPAA and other applicable privacy security laws, and also with human research protections and accreditation standards. We're also looking at modeling which for applications that are submitted to IRBs to educate their members regarding caBIG and the NCI-caGrid. It talks then about the benefits and the risks of data sharing and the various mechanisms that are utilized in various caBIG tools to mitigate risk.
And we're also working on model language from informed consent and authorization documents that's designed to encourage consumers and patients and research participants to participate in the caBIG initiative in a manner that's consistent with requirements specified in the Common Rule FDA Regulations Accreditation Standards and HIPAA.
Another workspace the caBIG tissue banks and pathology tools, for example, has developed a tool that we call caTISSUE Core that tracks the extent to which individual patients or research participants have given permisson for their collected biospecimens and related data to be used for research purposes. And this tool allows users to track different tiers of consent, for example, as well as decisions by research participants to withdraw consent for the use of specific specimens.
Finally, we have the caGrid Security Working Group which is staffed by the caBIG, the DSIC Regulatory Group. We have two groups, a proprietary group and the regulatory group, and also our architecture workspace so that, as we are developing the functional requirements for security, that the technical aspects can be built into the procedures.
So areas for recommendation here are going to involve security policies regarding federated authentication, certificate management and provisioning, group-based authorization, protection of sensitive data, user security policies and procedures, also implementation procedures for the various providers of data which we also refer to as Nodes or grid facing components. And then finally procedures for periodic security risk assessment for the infrastructure and also for the nodes that are making data available through the grid.
We're currently focusing on a set of baseline policies that will allow a low barrier to entry of data via the grid, particularly for systems that are carrying non-sensitive data. We will then turn our attention to developing policies and procedures for more sensitive information. We recognize that's going to take time. This working group, like other work spaces within the community, are populated by a diverse number of stakeholders. We have, as I mentioned, the two work spaces, DSIC and Architecture who are standing members. We have community members from the domain work spaces, clinical trials, imaging, tissue banks and our genomic systems biology group. We also have patient advocates. All the meetings are open, so again anyone can participate.
So let me just come to the thrust of our concerns here. I think from what you can see, we view research as being an integral component of the health care delivery system. And our concern is that conceptualizing data use in terms of primary or secondary activities may imply a value judgment that doesn't make sense within the current environment, you know, where clinical care, quality improvement and research are often integrated and where in many instances, as I referenced earlier, research data can be as important to clinical care delivery and vice versa.
Obviously, there's a balance of interests that needs to be achieved. I think we would all agree that there are various opinions on the adequacy of HIPAA in terms of protecting privacy. As I mentioned earlier, there don't appear to be many protections, if any, for PHI that's maintained by various commercial entities. It's our understanding that HIPAA's not geared to research in particular. I mean, there are mentions of it in the Rule. But given the projectory of personalized health care medicine, there's a concern that the way the regulation's currently structured is that it could become outmoded and be outstripped by the expectations that people have for health care in the 21st century.
And so we would hope that the Committee could consider a middle group to recognize research as central to health care delivery if it's conducted in a manner that's consistent with informed consent or appropriate exceptions such as an exemption from IRB review or an IRB approved waiver.
But I think before we even get into that discussion, I think it's important that we as a society and this group in particular need to agree on priorities. I mean, do you value privacy, privacy in the name of patient autonomy to the exclusion of other concerns, or do we – and the other thing that I think needs to be resolved, and I think that first question is rhetorical because I think we all value a number of things besides privacy, and privacy is incredibly important to our group, too. So I don't want to convey that impression at all.
The other, I think, question that is often unasked, and I just want to put it squarely on the table, is can patients make an informed choice. Do they understand that withholding information for clinical care, quality improvement, outcomes evaluation of research can contribute to a reduction in the validity of results and potentially negatively impact their own individual care. And you know, I was listening to some of the comments before, and I guess the answer to that question is it depends. It depends on the number of people who withhold their information.
If we can – we need to be able to maximize the number of people whose information is made available for research and quality improvement in a manner that respects patient autonomy and privacy. I mean I don't think that we want to see this as mutually exclusive; I think that's a false dichotomy. But I think it's incumbent on us to develop ways to enable both objectives.
So in conclusion, we'll just say that we think that personalized medicine offers an opportunity to improve our ability to deliver effective prevention and treatment to patients, and that research is an integral part of the personalized health care paradigm. For the standpoint of access to data, it's our view that treating research as a secondary use is artificial, you know, as highlighted, for example, on the case of childhood cancer where those have been combined, and that we would be concerned about an unintended consequence of leaving research as a secondary use because it could disrupt the extension of this paradigm into new areas.
Obviously, health information technology and health information and electronic health information initiatives offer huge opportunities, and we would encourage the Committee to recognize the role of research and quality improvement activities in the 21st Century biomedicine paradigm when considering privacy policy.
And I would be remiss if I didn't acknowledge the work of my colleagues in the room as well as those elsewhere who have been instrumental in helping me develop my views and shape my remarks, and the members of our workspace who reviewed drafts of the document on a very tight timeline.
So with that, I'll take questions, and thank you for indulging my rapid fire comments.
DR. COHN: Wendy, thank you very much. Thank you for indulging our changing the agenda around and all of that this morning.
Obviously, you covered a lot of area, and I know there's going to be a lot of questions. I already see Steve Steindel raising his hand and wanting to make a comment. Obviously, we'll let others ask questions, and then I'll make a comment. Steve?
DR. VIGILANTE: I actually should have looked at the agenda more carefully before I made my opening comments. I don't believe there's any conflict of interest, but in the interest of transparency and full disclosure, Booz-Allen is a contractor that supports CAB(?).
DR. COHN: Kevin, thank you.
DR. STEINDEL: And thank you for fascinating description of the great work that NCI is doing in moving this project forward. I also really was appreciative of the very closing remarks that you made towards the very end. I think that gets more to the heart of what this group is looking at and discussing.
And what I was very impressed by was, as we move into this future world of personalized medicine, it seems to me that you were discussing there is a blurring between the research and actually what care decisions that you would make. And one area that there appears that this might be occurring in real time today is in the area of childhood cancers in particular where you said 80 percent of what was it, ALL patients who are now in clinical trials.
And so what it seems to be today, they're trying to practice this idea of personalized medicine by going through the IRB approaches and the full blown protection, and what you're saying is in the future we probably should consider moving to a less rigorous way of doing things.
MS. PATTERSON: I don't think we're saying to remove IRB approval.
DR. STEINDEL: That's why I used the word less rigorous.
MS. PATTERSON: Okay, okay. So I think we want to retain that protection. I think that the concern is that there may be additional and potentially – I'm going to put this word in quotes because it's a question, superfluous layers of protection, and that, you know, we certainly think that if someone is not otherwise regulated that the existing regulatory framework within HIPAA to the extent that it covers should be applied.
But in many cases we wonder if it's really necessary to have the HIPAA framework for research that is under the watch of an IRB. Is it a bit of belt and suspenders. And also there's – and I think someone else made this point, I mean, there's tremendous confusion out there in the real world as to what applies and what doesn't.
There was recently an article in the New York Times that talks about it's basically easier to say no, the way the system is geared. And it's just had a very chilling effect on the things that could be done. So I don't know if that addresses your concern or not.
DR. STEINDEL: Well, just as a quick comment before I address your comment, one of the key people that was interviewed in that article is sitting on my left.
MS. PATTERSON: Right. I'd just like to point out that members of the –
DR. STEINDEL: He's too modest to say so.
MS. PATTERSON: And that article received broad attention. My father made sure that I saw it right away.
DR. STEINDEL: Mark made the comment to me on the aside that the reporter who wrote the comments said this was one of the most commented on articles that the New York Times received comments on, et cetera. It really hit a nerve. So I think we take your point to heart.
What I'm really concerned about is from the Committee's point of view – the Ad Hoc Committee's point of view is should we look at, when we talk about other uses for health care data, really consider the move to personalized medicine in a different sense than what we're considering a lot of the present aspects of research, et cetera. It sounds like we should make some specific note of what you're discussing.
MS. PATTERSON: Yes. But I think what we're saying is that from the standpoint of personalized health care that considering research or quality improvement data as a secondary use or public health data as a secondary use is not necessarily meaningful. I mean, if these objectives are realized, and I – again, I'm not a medical expert so I can't say, you know, sort of assess what the promise is that it will be delivered. But if it comes true, you know, it could be that in the process of a patient encounter there would be a research effort that is conducted in real time, and admittedly there would be other factors that would come into account. I mean, there are other sources of regulations that might have you view information differently.
So, for example, diagnostic test data from a research test might be viewed differently if it's completely unvalidated. But if you're on a phase three clinical trial in pediatric cancer and that's the only source of care, you wouldn't want the doctor who has access to the patient as a doctor to suddenly be denied access or have a much more onerous ability to combine information when he logs on in the role of the researcher.
DR. STEINDEL: Thank you.
DR. COHN: Margaret.
MS. GREENBERG: Thank you, and I also really appreciate your presentation. It's fascinating and thanks to Mary Jo also for calling our attention to this important work. I thought, and I think Steve mentioned this, but one of the really interesting sort of additions at least you gave to my understanding is this example of the childhood cancer treatment where research and treatment really are inexorably related, and I think it's those types of sort of nuances are somewhat different than what we typically think of as the dichotomy that are very helpful and, of course, make this all the more difficult.
But I guess I was just struck by something that is, although I would be interested in your response to this as well, but something that John Lumpkin mentioned and, of course, you mentioned and I have been hearing over many, many years that I have been working with this Committee, and I just since, well, I'll be gone much of August and may not be able to participate in all of your discussions, I just hope that the Subcommittee or the Workgroup will really give serious consideration to is this tremendous need to, well, it's sort of patronizing, I think, to say to educate the public, but to engage the public and public opinion at all levels in this dialogue about what the benefits are and what the risks are. And to be honest, I mean, often we – and we all do this. We spin things. We want people to see all the benefits, and we like to minimize the risks or the negatives.
But I think there is such limited information in the general public about how information is being used, about the different types of research, about who benefits, who, you know, where the costs are, and we've been saying this for years, and we've been recommending it to the Department. I mean, my colleague across the aisle here certainly has written a number of letters, and I think all of the information. But somehow we aren't penetrating, and I think this is just such a critical point, and I think it's something that I'm sure ONC is very aware of as well. It has to do with public trust, but it has to do with knowledge and we just have to do a better job of this, and it really will make a difference, I think, if just some of the resources would go into a really concerted effort at education and dialogue. So I just encourage the Ad Hoc Workgroup to keep that on your radar screen.
And my question to you is of what – are there innovative things that this project is doing to try to engage the consumer and the public.
MS. PATTERSON: I couldn't agree with you more, and I think we're very aware of that. And as we begin to build out the tools, and I have to say I was a little uncomfortable coming here today. I would have loved to come in six months when we had all of the supporting documents, and I could have given you five or ten attachments to the testimony.
But at the end of the road, what we'll be doing is dissemination of information at different levels. And you know, the NCI website does a pretty good job, I think. They have a lot of information's geared to patients as well as to physicians. And I would see us as also, and Mary Jo's very aware of our communication efforts, preparing those kinds of materials. So that's sort of a static method, if you will, putting it on the website.
We are also getting out and pushing out information to various groups, and we'll continue to do so. And then I also think a really, really important piece of this is really sitting down and working with IRBs which are tremendously overwhelmed by all kinds of, you know, their day jobs and then there is what some people allude to as mission creep in terms of having to get into lots of other issues.
And so we really want to work with them. We want to be – I want to say this about us and I want to say this about them, that we want to be part of the solution, not part of the problem. And I think it does nobody any good not to talk about risks but also to talk about the full flavor of benefits. And when we talk about risks, I think – and excuse me if I say something that's not PC, but I think, you know, I'm always reminded of the expression, you know, trust in God but keep your powder dry. The security infrastructure is really important. And so we are really working carefully to develop that part of the piece so that when people are told, are sold on how wonderful this all is, that they have some trust in the ability of these systems to keep information that they believe safe to be safe. Otherwise, we will still be able to use the Grid, but for a fraction of its intended uses.
DR. COHN: Oh, please, and then we have Justine, Kevin, and then I'll try to wrap up so people can take a break.
MS. DEERING: I just wanted to call the workgroup's attention to a printed submission that you have here which is from in fact a patient advocate. This is what it looks like. And I think what you'll find is that – this happens to be a patient advocate from NCVHS who has actually been intimate whose name was acknowledged up there. But I think what you'll there is that it's not just a statement of the patient's interest; it's also a technical analysis, and she knows a lot about what happens to this data.
So I do hope that members will take a look at this and understand from the patient's point of view. I think it gives good arguments for the language that can be used about the value of it. So it should be in your stack. It should be in the pile that was in front of us. This is not one – it should have been in your pile. In Deborah Collier's? We'll get it. Thank you.
DR. COHN: We'll dig through and find it. But Mary Jo, thank you. Justine and then Kevin.
MS. CARR: Yes, I'd like to respond to your observation that secondary use has a higher hierarchical and potentially unintended implications, and I'd like to suggest to the Committee that we think not in terms of secondary uses but perhaps a term like expanded uses of health data because I think, as we're hearing this morning, as we expand moving to greater expanse of benefit, and perhaps that would delete some of the hierarchical element.
DR. COHN: Kevin?
DR. VIGILANTE: So Marjorie, I think I've come up with a bumper sticker for your campaign. Instead of saying donate your body to science, you should say donate your information to science. So, so, you know, this taxonomy of primary and secondary data has been a troubling one from the get-go because it does, secondary has this sort second class sort of value rating, it's sort of weighted, right.
But on the other hand, it is, you know, if you're – whether it's a lumping or a splitting, sometimes it's useful to split to sort of analyze things, and there are some differences here that I think we want to preserve so that – to make sure we in the course of discussion we identify what's different about it.
And I think, you know, in the case of, say, the 80 percent of kids in ALL being enrolled in clinical trials, I mean here clearly there is a therapeutic often experimental intervention that's being conducted in which, you know, consent is mandatory and IRB approval is essential. And a primary use of the collection of that data as articulated in that study is to conduct that experiment.
And so, you know, in that case, it's different than sort of data that was collected with no particular trial or research intent in the beginning, but it was collected when the patient was seen. And then after the fact, and we believe that – even if you believe in the beginning that someday this data will be useful for some clinical problem and ought to be available to be mined, it still seems to me that it's different in the sense that but for the desire to seek care, were it to keep you well or to make an intervention to make you better, that data never would have existed. That is really that desire to seek care from a provider that was the motivation to yield that data, and that the fact that it may be used for other purposes, whatever we call it, is different than sort of the IRB setting, and it's different than the intent for which it was originally collected which is partly to care for the patient.
And there is some special case here that I think needs to be preserved, carved out and thought about separately. And I don't think we're any of us disagreeing. What we call it, I'm not really sure. But there's clearly a continuum going on here that –
MS. PATTERSON: Yes, I would agree. There's definitely a continuum, and just sometimes the lines are blurred, and it can be used for different purposes. And what we're arguing, I think, here is for the recognition that in many cases, not in all cases, but in a number of cases this data that's collected in IRB regulated research does constitute – is used for primary purposes to use that taxonomy.
DR. VIGILANTE: There were two primary purposes in that case, right.
MS. PATTERSON: Right, exactly, fair enough. So I think we all, at least in our group, feel that an extra level of protection is required which is why we would be concerned about not having IRB jurisdiction, if you will, and that –
DR. VIGILANTE: Not having IRB jurisdiction over the case that I just talked about, in other words –
MS. PATTERSON: Yes, in other words –
DR. VIGILANTE: You come to see a doctor. There's no trial going on; there's no research planned, but there –
MS. PATTERSON: Right.
DR. VIGILANTE: And I think most of us would probably agree.
MS. PATTERSON: Right, right. In most cases, that will require some consent which I think we all know is in many cases it will require IRB consent which it may, as we would all agree, is not just simply a piece of paper that is designed to protect institutions, but is a process. And I think we feel very strongly about that. But there are other cases where re-use of data will be exempt from IRB review if there are sufficient protections, or will be subject to waiver. But in any case, the IRB gets to make that call.
DR. COHN: I want to thank you for the presentation. I am reminded, I think, and Kevin sort of began to ask the questions that I was trying to get into about this sort of how somebody uses work. I guess I am reminded, and whatever we call this research area, one has to recognize when we're talking about HIPAA or any other framework, it's talked about a little separately because it does have IRB, yet there's obviously a structure there.
However, having said that, I am reminded that there's actually a whole world of research out there that to my knowledge doesn't really go through IRB or anything else. I mean, you're talking about really a world that would be described as, and I'm not a researchers, so I may be inarticulate in this description, but it's federally funded sponsored research that has very robust safeguards overall, and yet we're all sort of aware out there sort of in the back of our minds that there are other things going on which may not have the same protections you're describing, and I think you would agree with that comment.
MS. PATTERSON: Yes, absolutely.
DR. COHN: Which is probably another way of making that another differentiation that needs to be addressed.
MS. PATTERSON: Yes absolutely.
DR.COHN: I guess I should ask, I mean, do you worry at all in all the work that you're doing that – I mean, you talk about patient perceptions, you talk about the structure you're creating that trust may be undermined by some of this other pieces that are sort of outside of your control?
MS. PATTERSON: Oh, absolutely, for the very same reasons that Marjorie indicated. I think the public doesn't really distinguish between all of these different kinds of activities. And one bad apple spoils for everyone. Our view is somewhat narrow at this juncture because we are dealing largely in the world of federally regulated research.
But I think that ultimately if things take off the way people are projecting, there will be many, many different uses of data by people who are otherwise unregulated, and I think that needs to be examined very carefully. I'm not saying that they are by definition harmful, but it at least needs to be examined and appropriate safeguards need to be put in place. But what we're just concerned about is, you know, unintended consequences of overbroad regulation areas that have been subject to what many would consider to be a pretty good system already. And at least from reports in the field, there's a lot of confusion. And if there's confusion as indicated in the New York Times article about what providers can share, you can imagine the level of confusion in the research world.
DR. COHN: Well, Wendy, I want to thank you. I have the sense that we may go into some pieces of this as we continue to deliberate and talk, and I will – I hope I'm not warning you, but we may be calling you back or asking you additional questions.
MS. PATTERSON: Sure.
DR. COHN: And I hope you don't mind.
MS. PATTERSON: Right. We'd be delighted to. I just wanted to point out that I too will be out of the country in parts of August. But we will get you information one way or another.
DR. COHN: Well, we appreciate that. Thank you so much. Now's it's 11:15. As you know, we've deconstructed this day, and we're reconstructing it as we talk. We're going to give everybody a ten minute break. We'll get back together at 11:15. I suspect that session will go probably until about 12:30, and then we'll start up again at 1:30 p.m. So thank you.
(Break.)
DR. COHN: Okay, we're all going to get started. If everyone please be seated.
At this point, I'm actually going to turn the session over to Harry Reynolds, our Co-Vice Chair to run the meeting. And I obviously want to thank our presenters for coming in and being willing to testify. And I do want to thank Scott Young, and I presume you're on the phone? Is Scott Young connected? Do we have a line? Oh, okay, good.
And as I commented before, I do want to just again publicly disclose that Scott Young is with Kaiser Permanente which is my organization. Then with that, Harry, I will turn it over to you, and what? No, he's formerly with the government, but he's with Kaiser Permanente. I guess this is Simon Cohn, would the people on the phone please identify yourselves.
MR. YOUNG: Good morning, Simon. This is Scott Young.
DR. COHN: Okay. And is there another person on the line? Scott, I'm just turning this – who is that? That's still Scott. Scott can you hear us?
MR. YOUNG: Yes, I can.
DR. COHN: Okay, good. I was just in the process of turning the chairing of the session over to Harry Reynolds. But I did just want to thank you for being willing to participate.
MR. YOUNG: Oh, my pleasure.
Agenda Item: Perspectives on Uses of Health Data
MR. REYNOLDS: Okay, the next session is having to deal with quality perspectives, and the first speaker's going to be Joel Goldwein from Alliance/Elekta. So, Joel, if you'll please proceed.
Agenda Item: Quality Perspectives
DR. GOLDWEIN: Thank you. First, I really truly appreciate the Committee's indulgence in inviting us to discuss our oncology data alliance which is perhaps at the point of care one of the models of data utilization that may fit in terms of the satisfaction of both HIPAA and Common Rule, and I'd like to take this opportunity to describe what this program is and what it entails and how it's evolved and what kind of things we're able to do with it.
But first what I'd like to do is discuss the company that employs me just to give some background and perspective.
Impact Medical Systems was established in 1990. It was literally a Silicon Valley company that started in the garage of one of the three founders and evolved first from information technology and electronic medical record systems in the radiation and oncology space to medical oncology to cancer registry to a number of other oncology related disciplines using information technology to support patients and practices and populations at the point of care.
The core product of Impact is an oncology specific electronic medical records system that is used primarily in ambulatory and hospital-based facilities for ambulatory patients who are being managed with perhaps one of the most difficult medical maladies, cancer. And, therefore, this particular system needs to involve a number of different very complicated modules in order to support everything that happens with the patient from the time they walk in the door and get registered all the way to late follow up when their physicians are seeing them on some yearly or less or more basis.
The system itself includes a number of substantial reporting capabilities, pulling data out of the EMR system that helps the practices manage the patients both directly and indirectly. It has numerous interfaces to external health information systems, to billing systems, to medical devices. We have a number of regulatory regulated devices that we interface, too, and we have regulated modules within our software. We have interfaces to cancer registry products, and we own two cancer registry products that we directly interface to from our EMR systems and a number of other resources that this pretty complicated program needs to interface to.
Primarily, the system is designed with patient safety, practice administration, data management and all components or modules or aspects of cancer care in mind. Our oncology data alliance which is the program that I came to discuss today was a quality assurance – is a quality assurance initiative that was established for our customers about two or so years ago, actually less than two years ago. So it's a relatively new program. It's still a program in a tremendous amount of evolution. We have perhaps a couple handfuls of customers who are participating in this program, and it was a program that was actually sparked out of interest on the part of our customers to help improve the quality and utilization of our system and to help them better use the electronic medical records to prepare for some of the pay performance initiatives that are coming along in all aspects of medicine, but in particular right now are active from the part of CMS and other providers or insurers for oncology practices, and that includes both radiation and medical oncology. And it allows our customers to leverage the community of other practices who are participating in this program.
They also leverage a data aggregate which is a byproduct of this particular program, and I'm going to describe how that is constructed in a few moments. The program for our customers is optional. It's transparent to them. They know everything that is happening to their data. They have access to their own data. I'll explain that in a few moments as well.
There is no additional direct charge on our part to our customers for this data. But I ought to have put zero dollars cost in quotes because there is a not insignificant cost on the part of us to vendor and the part of the customer in terms of administering this system. The customers need to have more active processes in place in order to enter the data, some of which is not necessarily entered as well as it can be. They need or often do have data managers or other people who are involved in the care of the patients being interactive with this particular system, and we as a company also have to have or incur costs in terms of managing the data, in terms of making sure that the data is acquired properly under the proper constraints, regulations is aggregated and de-identified and detached properly. And we have a regulatory department within our company that helps oversee and audit these types of issues. Currently, the cadre of customers who are participating in this program are our medical oncology customers. We have roughly 250-300 total medical oncology customers. But I would say roughly about 10 percent of those customers are participating in this program. And the implementation of this program involves not just providing them with software, but also providing them with training in processes and procedures and supporting them in the endeavor.
So we train our customers very actively in best practices for data entry, making sure that customers are entering data in a way that both achieves the goals of this particular system, but also allows them to have some, if you will, conformance with other practices. So that, for example, if they're entering a lab value or acquiring a lab value or entering the weight of a patient or other data that we may or may not be abrogating, that they do so in a way that is in compliance with how other customers who are participating in this program do that.
The software that we provide them then in effect collects the data electronically over the Internet for us. It does so in a way that's secure, and I'll describe a little bit about that in a few moments as well. And then we take that data and we de-identify it. We completely detach it from any identifiers, and we aggregate it with the group of customers' other data that are involved in this program. And then what we do is we take this data, and we feed it back to the customers in a de-identified manner so that they can use it to benchmark their practices to understand where they set relative to their peers, where they can improve the quality of their programs, and where they excel compared to other customers who are participating in this program.
The subset of variables that we collect fall into four categories listed on this slide. And as you can imagine, there are obviously identifiable parameters that we are pulling from the data sets that the customers hold. But over the course of this process, that data either gets removed or de-identified using processes that, for example, will turn dates or date ranges into ages that will pull out something like an age that's 93 years old and say simply that's 89 or above.
The same thing goes for virtually every identifier that we could be pulling out of this group. So that if there is a zip code, for example, we de-identify it at the level of the requirements for HIPAA, and if there's laboratory data, as long as that's not associated with the patient, we obviously pull that out and clean that up and do what we need to do in order to be compliant with both Common Rule but moreover with HIPAA regulations under which we believe fall. So no names, city, state or zip codes of staff are ultimately collected, and select treatment dates are collected, but they are shifted, as I just described in various ways to disenable anyone who is looking at the aggregated data from identifying in any way a particular patient out of the group.
Date of birth is used to calculate age only. It is also not recorded in the aggregate. The benefits to our customers are wide ranged. We believe that we provide them with quality reports at their request that help them in a variety of different ways. One of the key and initial reports that we provided them is simply a report telling them what data is missing from their data set that helps them to improve their practice.
As an example, something around initially 30 to 40 percent of our practices were not entering stage in the constrained data fields that in a cancer EMR system you would have to have in order to actually do the kinds of things that you need to do to support your patients and practices and manage your populations of patients better. So we provided them with a mechanism to identify what patients were missing these different parameters that would allow them to go back and, if you will, it was a feedback loop that improved the quality of their care of their patients by showing them what data they needed to enter into their systems. And this, again, is something that and our customers believe would prepare them for some of the quality and pay performance initiatives that currently exist.
We also provide our customers with access to a secure website that allows them to view the aggregated de-identified data sets, and compare their local facility data set which they have access to as well so that they can benchmark their practices and understand the populations that they're treating and how it compares, again, to the other members of the group.
We also have external commercial partners that we take the scrubbed de-identified data and sell to, and these are consulting and health care research firms that have significant interest in real time patterns of care and the management of cancer patients. And our program members are cognizant of this, and they fully participate in this partnership.
This program was created as a vehicle to collect, aggregate and de-identify quality related oncology data, and as a result of this, we as a company are learning how to improve our products to better support our customers and their patients. As an example, we completely redesigned our TMM, our cancer staging module to allow our customers to enter the data in a more consistent, controlled and easier way. The interface and the usability of that has increased tremendously as a result of information we received from this program. For our customers, they're able to do quality comparison against the aggregated baselines of data, and they have access to other data quality reports and trends that they wouldn't ordinarily have access to unless they participated in this program. And our position about this is that it's permissible as covered entity health care operation for our customers to disclose the data to impact in order to improve their health care operations.
I alluded to a regulatory department that we have. That department is charged with managing the program from a HIPAA and a regulatory standpoint. They ensure that compliance is in place. They audit our process, and they ensure that there's proper management of legacy data including data protection, the audits and the intended data destruction.
In terms of where we see this program going in the future, we believe that this is a model for use of data that approaches real time. Right now, the data set that we're pulling from our EMR is limited to about 40 to 50 different parameters and is fixed. The path that we are moving towards is the ability to pull more data out, if you will, to open the faucet and adjust which parameters are required depending on what quality initiatives need to be performed by our customers.
We also are improving the interface from our EMR to our cancer registry products, the thought being that cancer registry which now is a system that is almost by definition at least six months behind real time is a system that can evolve to being a real time system, particularly as more and more practices are going electronic and are being introduced to EMR systems and information technology.
We also are evolving our feedback loop to our customers so that we're refining the kinds of reports that we're providing to them to help them improve their practices, and we're facilitating the time line for providing those reports so that they are done more rapidly and can be more responsive to our customers' need.
So that is the concluding slide, and I'm open to any questions at this point or to whatever you would like.
MR. REYNOLDS: Joel, thank you very much. And what we'll do is we'll hold the questions until we finish Scott's presentation, and then we'll ask on both of them. So Scott, can you still hear us?
MR. YOUNG: I'm here. Can you hear me?
MR. REYNOLDS: Yes, yes. You can go ahead and start your presentation. I'll let you know as soon as it's up and ready to go, and then you can begin, please.
MR. YOUNG: Okay, great.
MR. REYNOLDS: You're all set, and if you would mention next slide when you want us to move it, that would be good.
MR. YOUNG: That's good, okay. Are the slides up?
MR. REYNOLDS: Yes, they are.
MR. YOUNG: All right, well, great. Well, let's go. Good morning, my name is Scott Young, and I am the Senior Medical Director and the Co-Executive Director for Kaiser Permanente's Care Management Institute, and thank you for allowing me to spend a little bit of time with you this morning. Let's go to the second slide.
I really want to spend some time this morning on kind of five key messages, a little bit of background about Kaiser Permanente. I would like to tell you a little bit about our quality drivers.
Thirdly, I'd like to talk about some of the data sources and issues with secondary data used by Kaiser. We have five critical focus areas for secondary use at Kaiser: clinical management, performance measurement, accountability, patient safety and finally research, and I'm going to talk to you briefly about all five of those. And lastly, I'll spend just a moment talking about future directions. Let's go to the third slide.
Kaiser Permanente is America's largest non-profit health care program and integrated delivery system. It's around 8.6 million members, you know, in eight regions that span nine states. We span six time zones. You know, you can see the other statistics there for yourself. We're a fairly large organization which has critical data needs, you know, driving much of our operations. Fourth slide.
Data strategy. Some of our key drivers are at data use. One of the things that we see data as critical needs for, one is a growing chronically ill population. We need to better understand that population and deal with the trends and understand what the tendencies are in that.
We're seeing a demographic shift. You have the baby boomers and the elderly unfortunately are merging. The baby boomers and the elderly. I have to count myself as one of those. You know, we need to understand more about this population and the shifts in that. Advancing medical kinds of technology, you know, post-marketing surveillance, these sorts of things, we have an increasing need for performance information and transparency within that.
And finally, an emerging trend, transitions between care settings and how do we track data between those. These are really a lot of the drivers behind sort of the initiatives that you're going to hear about today. Fifth slide.
KP Quality Strategy. It's data driven. Data, as you can see, is a key attribute of our quality systems improvement, and I'll say that since I've joined Kaiser Permanente, I've been impressed at how robust that data system is. Data to us must be actionable at multiple levels, and we take that all the way from the national view right down to the provider view.
It's fine to have an academic view of data, but to us it really has to have an actionable component as well. We've used common metric either JCAHO, et cetera in our data strategy. There's very few custom matrix within it. And finally, you know, data comes to us as many other folks from multiple sources. There's internally developed data that we get from clinical care. There is member developed data that we get from our personal health records at KP.org, and that's becoming more and more prevalent.
And finally, there's external data, you know, medical records, these sorts of things which flow into Kaiser Permanente and are incorporated into our data systems. Next slide.
You know, let me talk for a moment about the secondary data aggregation, not only sources but issues and concerns. I just want to spend just a moment on this. There is a critical need in our mind to standardize how data is exchanged, and the technologies and the standards underneath that exchange. HL7/SNOMED-CT and we would include CDA and CCD for data transmission between systems. You know, this is critical for us both internally and critical for us to be working with external partners to see the standardization issues resolved.
Another is the expansion of currently collected data. I mean, you know, now we do health risk assessments, HRA health care status data that we get essentially from members and bringing that into our data warehouses, and we get a better sense from the state of health of a member, for a population, and what we can do to critically impact that.
Incorporation of data from chart notes is problematic. I mean, natural language processing technologies are there, but they are not in our minds at scale or in a way that we can actually deploy in a real way. So we need to make the chart notes into some way machine readable enough that we can extract critical information from that.
And finally, and I'll just put this out there. Issues of attribution with data remain critical for us. Is it a provider that we attribute to outcomes and data, too, or is it a care team. You know, with some things it's maybe pretty straightforward like surgical outcomes. On in others, you know, care of a diabetic patient or somebody with coronary artery disease, these sorts of long term engagements that require attribution that's much less straightforward. And we would recommend to the Committee and the workgroup that this is an issue that takes some consideration. Next slide, slide seven.
Secondary uses of data. Remember, I talked about those five areas before, and let me talk about those briefly separately. Clinical management, this is really an area that we in care management spend a lot of time on. Secondary use improves primary clinical and patient care. Now this includes target populations, diabetics, coronary artery disease, predicted and simulation modeling, merging technology and care processes where we might have panel support, too, where we can actually kind of see care gaps in diabetics, and it allows us to discover and test innovations in care and to improve preventative services, you know, automation.
Some examples, at Kaiser Permanente include a population care information system where a provider can see a panel of his or her patients with chronic diseases like diabetes and actually see a care gap in there, and, you know, what we're working to is actually move directly from seeing that care gap into generating orders, you know, checking hemoglobin, A1C and those sorts of things.
Predictive modeling is the next thing. How can we predict who in a population is going to maybe have a bad outcome or require increasing services and actually try to intervene in that individual earlier. We're actually doing that now.
Archimedes, which you've heard about before, is actually a synthetic modeling system where we can actually do trials, if you will, inside a computer. One example of that is the aspirin-lisinopril-lovastatin program, ALL, that we have at Kaiser Permanente we're rolling out to all eight of our regions, giving patients at risk for coronary artery disease, if indicated, these three medications. We're seeing an improvement in morbidity and mortality in this group.
Now we trailed ALL inside our Archimedes. It went from the computer to a field. Next slide.
Performance measurement and management. We needed to develop and provide actual measurements(?) for our operational leaders and our providers and, you know, we needed to aggregate this both clinical and non-clinical sources. These, as your previous speaker, talked about need to be as close to real time as we can get them, and we've actually developed a dashboard which we call Big Q that measures safety, clinical effectiveness, service, resource stewardship available at a variety of levels.
Now when you go to the next slide, you'll that dashboard and what that actually looks like. I'm on slide nine now. The Big Q dashboard lists the clinical effectiveness, safety issues, service issues and finally resource stewardship issues as well, and this shows the national level. But inside the electronic products, you can actually drill down into different regional views.
Slide ten is secondary data use around accountability, and this really offers a view of diverse lists of operational needs, you know, all the way from finance to regulatory issues. It helps us understand the utilization pattern of KP members so we can best provide services for them.
One example would be mammography utilization rates. If the utilization rates are starting to accelerate, then it's how do we provide mammography services, radiologists, these sorts of things in a place that's convenient for our members.
Slide 11 is really talking about our fourth use for secondary data, and that's outpatient safety. In Southern California, the pharmacy outcomes research group there noticed an alarming trend in adverse cardiac outcomes among patients using COX-2 Selective intake. They actually developed some preliminary data, contacted Dr. Graham at the FDA. And as you can see, it started a wider investigation of the impact of ultimately Vioxx adversely on our members. This is the kind of thing that we do because we have such powerful databases to look across our membership and allow us to do that.
Slide 12 is secondary data use for research. We have research centers established in all eight Kaiser Permanente regions, and the topic ranges are broad and diverse. We're able to leverage, you know, our clinical data from our membership around that research agenda. An example of that where we cooperated with the Veteran Affairs Administration, the TRIAD Study. Now there is a very clear firewall the way we manage data on the clinical side and on the research side. I mean, the Common Rule is the rule of the day and anonymization is paramount within that.
Slide 13, the future. For us, we've just come through installing an electronic health record through Kaiser Permanente, the epic platform, and we call it KP HealthConnect, and we think this will enhance the availability of accurate and actual secondary data. That's our hope and our dream, and we think that that will become a reality very soon.
You know, for us I think for any kind of an integrated system, whether it's real or virtual, we'll have the ability to learn from our clinical and population outcomes. And to do that, we have to best know how to manage secondary data to actually ask actionable questions, propose hypotheses, and understand how best to improve the care of our patients. But that has to occur within some sort of an integrated environment.
Finally, you know, we think data driven feedback will become more and more real time. I mean, as things get farther and farther away from the event or from the action, enough other interventions and an active managed health care environment are occurring, they really muddle the data that you're looking at. For us, we really need to move data acquisition and reporting as close to real time as possible.
Finally and in conclusion, this is slide 14, you know, secondary data will be increasingly available from multiple sources. I think you've seen that from your prior speaker, and you've seen it from us. You know, we and other integrated delivery systems are aligning and using lots of data for multiple purposes in quality. You've seen our five parameters. Standardization is critical, and I can't over-emphasize that, and lastly, EHR in my mind remains our key tool. It's how we're going to get to the data. You know, we have to either train our data collection or train our EHRs to be interoperable one to another. This really provides us a platform finally, a platform to provide evidence based medicine and to test that evidence based medicine against data and outcome. Thank you for allowing me to spend a few moments with you this morning, and give you our perspective. I've left you some information and some ancillary slides that are behind there discussing internal sources, our views on quality improvement and regulatory structure. So I'll pause there.
MR. REYNOLDS: Okay, Scott, thank you. And now I'm going to open it to the group for questions. I've got Justine, Marjorie.
MS. CARR: Thanks, Scott. Thanks both of you for great presentations. I have a question for Scott, and that has to do with the differentiating quality improvement from research, and I'm thinking in particular of the Vioxx, the kind of pharmical viligence of what's going on. But when you had discovered something that needed further drill down, it then became a study and, you know, published for the greater world.
So this is something that we hear a lot in terms of where on the continuum does quality improvement become research. And you mentioned you have a tight firewall between the two. So how is that invoked.
DR. YOUNG: Yes, that's a good and interesting question. I think, you know, the tests on research are – a lot of them are pretty common, I mean, when you start out, we're going to do pure research, it's, you know, is this going to be published, is it generalizable, is it possibly supported from other sources, those sort of things. So you kind of know where the research is over in this corner, and then quality improvement, you know, the Vioxx study started out as quality improvement. People said, hey, you know, there's something going on in one of our populations here, and we have to understand that and improve how we do our therapeutics over here, to direct that one. I mean, at some point in that discussion, you know, we said, look, we at Kaiser Permanente are going to make a change in how we manage individuals for arthritis, for individuals who take insulin. We're going this off the formulary, we're going to change this from our formulary, and we're going to hand this – we think this is interesting enough we need to hand this off to somebody else to have a broader look at it.
You know, I think that for us, you know, we try to be disciplined and where did we cross that bright line into stop and say okay we've now completed our quality initiative, and we're now maybe asking a broader question, and that might entail bringing in partners.
One of the – and let me tell you that's a minority event that occur like that. I mean, 90 some odd percent of the time, more than 90 percent of the time it's either a quality or a research agenda that's being pursued, and it's pretty pure one or the other.
But you know, we want to defend and know where that bright line is, and when we cross it, becomes a research project and it goes into attributes of the Common Rule.
MS. CARR: Thanks. And I think it sounds like you have very clear definition. But I bring it up before the workgroup to say that there are millions of examples along this continuum where it's not clear what is the definition of research and how we're there. So I just bring it up so that we incorporate that into our thinking.
MR. REYNOLDS: Okay, Marjorie.
MS. GREENBERG: Yes, my question was along the same line, and I guess Justine asked the difference between how you differentiate between quality and research, and I'm wondering how you make that differentiation also with operations in an integrated system such as Kaiser.
Not even, you know, going the next step, whether it is quality or research, but you know, is it just part of, if not treatment and not payment, then at least operations. And whether secondary uses is a useful term from your point of view or from your vantage point there at Kaiser, or whether there's some other type of terminology that we should be thinking of in building our definitions and taxonomy.
DR. YOUNG: You know, it's interesting. When we sat down and were looking at this and your workgroup allowed us to look at our definitions again and to test them, you know, there's secondary uses to improve care, and that's the Archimedes thing and that sort of thing, and then there's the dashboard that we use, the quality dashboard. And then there's that accountability side of this, which is what I think you're talking about and kind of where is the boundary between, you know, quality of care for mammography utilization and accountability for mammography utilization and actually how do we buy radiology equipment and staff it up, and where do we put that stuff.
And those areas, you know, are separate. We have delivery system leaders who are the operational leaders, and we have quality leaders which sit in the same room and have the same discussion about trying to make care really great for Kaiser members, but they look at it differently. I mean, you know, and it's such a big and complex operation. I mean, it really is daunting. We really need to parse it out a little bit. We have, and we're going to spend a lot of time looking at quality and a lot of time looking at safety, and we have a lot of people say I really need to know, to effectuate affordable high quality care, where do those utilization parameters need to be, how much money do we need to charge people, how do we need to pay people, where do we put this operational system up. So they're in the same room. They are focused on the same outcomes. They look at the same dashboards, but they have different responsibilities in getting there.
MR. REYNOLDS: Steve.
DR. STEINDEL: Joel, I'd like to address my first questions to you. These are just nitty gritty questions, so please don't, while they may sound somewhat judgmental, please don't take them that way for information, and I think people will know where I'm going to.
First of all, you said this was primary between -- your impact network was primarily between your customers. Can people outside your customer base join?
DR. GOLDWEIN: No. It's limited to just the customers, and they need to have our software in order to use the system.
DR. STEINDEL: Okay. Now as you went on, it was clear that you are selling the data de-identified, et cetera under all the HIPAA requirements onto third parties who are using it to make judgmental thing. That it also sounded like the people who are part of the network, the institutions are aware that you're selling this.
DR. GOLDWEIN: That's correct.
DR. STEINDEL: Is there any information at the patient level that this is going on either internally, passed on to you or then sold to third parties.
DR. GOLDWEIN: And I don't know the answer to that specifically. I can tell you in general terms I've seen some general consent forms that stipulate that data is being utilized for various purposes within the context of the care of the patient. But I don't know whether patients know directly or indirectly whether that's –
DR. STEINDEL: Thank you. And the reason why I said this was not judgmental is because one of the things we're trying to get at is what is the transparency of patients' knowledge in this area.
DR. GOLDWEIN: And it's an excellent question. And frankly, were I on the other side, I'm not sure – were I on the patient side or the provider side, which I was on five years ago, I'm not sure what the right answer is. And part of the reason for that is that it is so confusing even to us in industry and even to the practitioners as to what is required and what is fair and what is right.
But I do believe in Rosen's first rule which is basically do what's best for the patient. We heard that Dr. Lumpkin today. And secondly, do no harm, and I think that both the providers and the vendors and frankly everyone in the system wants to be make it better.
DR. STEINDEL: And that's why I was asking the question because I think it's general in the Committee we don't know where to draw the line or define it yet. We do know it's a question that we have to look at.
And Scott, I'm going to turn around and ask you somewhat the same question. What is the transparency of the knowledge that Kaiser's using as patients' information at the patient level when you have patients join the plan, et cetera for your quality programs.
MR. YOUNG: Transparency to – tell me a little bit more about your question.
DR. STEINDEL: Basically, is there any explicit consent that they're using for operations or quality, or are they informed in any way like assignment this may be used for quality purposes, et cetera within the Kaiser system, and I'm basically assuming the answer is no because generally speaking that's the case. But as I said earlier, this is not judgment; this is just background.
MR. YOUNG: You know, let me forward that information. I don't want to speak on the specific consent that occur when somebody signs up for membership.
DR. STEINDEL: Simon's looking confused at me.
MR. YOUNG: So let me find out that information, and we can forward that to the Committee.
DR. COHN: And Scott, I'm looking puzzled from Steve Steindel's question only because I was thinking this would likely be included in the HIPAA –
DR. STEINDEL: No, it's a privacy, in all probability, yes.
DR. COHN: And so that was what I was expecting it to be, though, certainly, Scott, please check. But that would be the –
DR. STEINDEL: Yes, and that was basically, like I said, this was an information question, yes.
MR. YOUNG: I just need to find that out, and we'll get that to you.
MR. REYNOLDS: Okay, Paul, then Debbie, and Mary Jo, then Mark, then me.
DR. TANG: Well, thank you both for your presentations. One technical question.
DR. COHN: Paul, could you just introduce yourself and disclosure issues.
DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the Committee, no conflicts. One simple technical question. You said you upload patient data from your customer bases at support over the Internet, and is that encrypted?
DR. GOLDWEIN: Yes, it's encrypted. The SSL and I believe that the data set itself is also encrypted. So the channel over which the communications is made is encrypted, and the data is rolled off and encrypted, as I understand it.
DR. TANG: Then along the lines of actually all of the previous questions, do you know whether any of your sites participating use this data for research?
DR. GOLDWEIN: I don't know, I don't know. I suspect it all depends on what we would call research.
DR. TANG: Do any of them publish their information? That might be another –
DR. GOLDWEIN: No, I don't believe. This is a fairly young program, and I don't think that any of them have gotten to the level this point in the program. You know, they're honestly getting to the level of being better at actually entering the data that they're required to enter in order to participate. And there may be less than a handful of centers that are doing that so well that they could actually use it to publish some information that would be research oriented, and I'm pretty sure those particular centers have not done that.
DR. TANG: So do you have a limited data use agreement with all of these centers?
DR. GOLDWEIN: Well, we have an agreement with the center. Limited data use is maybe a term of art that I'm not familiar with. But I know we have an agreement with those centers, and chapter and verse in terms of what we are doing with the data is in there. So presuming that that is something we're doing with their data, it would be in the agreement.
DR. TANG: So I think one question is you also probably don't know what the recipients of – the customers who you sell the data to are doing with the data, either.
DR. GOLDWEIN: It's going to intermediaries who are aggregating it further with other data sets in some cases that they have. What they do after that, we don't know. We suspect that it may go to pharmaceutical companies. It may go to vendors trying to figure out where and how and when to implement changes in different systems within particular regions. But we don't know exactly what's happening to it.
DR. TANG: Well, I guess one of the questions is Steve was asking about transparency to patients, and I think that's certainly a very fair question. Another is it sounds like since you don't know a lot, there's probably some room for research to be conducted either at the sites, maybe not right this instant, but in the future or the people you sell it to.
DR. GOLDWEIN: But just to clarify, any research that could or would be conducted after we've processed the data is with de-identified data sets.
DR. TANG: And I understand that a lot of research even in an organization happens after it's de-identified. But the IRB or the Common Rule, the oversight of the use of it's basically subject, protection of subjects governs the process by which you take PHI into its future form, whether it's de-identified or not. And so the question is whether that is something that's covered in this whole relationship as data moves from your customers to you to customers that you resell the data to. I mean, it's still along the same continuum. We have to figure this out.
DR. GOLDWEIN: I don't have a good answer for that. I don't know what the right answer would be, but we regard the data once we've de-identified the data as not necessarily, and we may or may not be right about this, but it's regarded by us as not falling under the Common Rule. But that may or may not be correct.
DR. TANG: So I guess the line, and again something just Steve's question, we have to figure out. So because you've got the data in one of your slides because you said you're using it for health care ops, I guess we have to figure to trace the data and figure out what is it really being used for, and what oversight should apply to it. So that's what we have to figure out.
MR. REYNOLDS: Put your microphone on, Mary Jo. Nobody can hear you.
MS. DEERING: A clarifying point. As was said previously, the Common Rule applies to federally funded research. My understanding is that most of your clients are small to middle-sized private practices, is that correct?
DR. GOLDWEIN: Medical oncology.
MS. DEERING: Yes, I just wanted to state that for the record.
DR. TANG: I don't think that excludes federally funded grants or the people you sell –
MS. DEERING: But at the point of data collection was my only point, is that the point of data collection if these are patients in private practice, then there is no research being conducted at that point, and those practices are not conducting, I don't believe, federally funded –
DR. GOLDWEIN: No, I understand the issue here, but you know, kind of one thing I think that this points out is that there's a lack of clarity as to where the Common Rule starts and where operational improvements end. And so if that is something that can be clarified, I think that that would help vendors like myself, ourselves, our customers and ultimately patients and patient advocates.
MR. REYNOLDS: Okay, Debbie.
MS. JACKSON: That clarity really kind of hits to what I was thinking of because of you, Scott, I wanted to pick your brain, having come from various perspectives of circling in the clouds of policy and now being in an integrated health system, two of your slides really spoke to me, one dealing with the critical need to aggregate data spanning clinical and non-clinical sources, and then towards the end, you indicated the integrated delivery system aligning and utilizing data for multiple sources. There's this amazing fluidity of data. And coming from your perspective, this sort of policy and then federal work and, from what I understand, VA, and you've got this amazing mass of background, I guess I would be remiss if I didn't ask you to just offer some of your insights and comments and any ah-hah moments of having come to now, in a situation of one of the premiere data systems, but you're carrying with you the understanding of what we're trying to accomplish. What advice would you give to the Ad Hoc workgroup in dealing with secondary use?
DR. YOUNG: Mary Jo, that's a broad question. Let me – I think the one thing that has struck me has kind of a common thread through all of these discussions and all of these different entities is a desire to improve the health and welfare of an individual.
And at the same time, trying to be vigilant and privacy protection, you know, these sorts of things. The one thing that really strikes me in this because these are all, you know, organizations that we either talk about today or you have just referenced are like minded aligned with what I think are good actions. But the one thing that strikes me is really a need for us to think, you know, clearly about what a complexity in gathering this data and standardizing this data and protecting this data and finally utilizing this data. And I'm struck with just how very difficult that is to do.
We at Kaiser Permanente are able to achieve some of those attributes, but only with tremendous effort and tremendous complexity, and we're aligned. I mean, and we don't have nearly the kinds of barriers that sit outside of this aggregated health care environment, and we are working hard to standardize and to aggregate and to check for accuracy and those sorts of things.
So the one thing that has struck me in coming from the health IT policy environment and then coming into the Kaiser Permanente is just how difficult this is to do really on the ground. And I think for policy makers like yourself, it's that kind of realization and really, you know, trying to align standards, really trying to align the kinds of vehicles and allow the development of the kind of vehicles, whether to help information exchanges or whatever, that are going to try and lower those barriers.
So I guess my take away is that I often say that I believe it takes a system of care to be able to pull together data in a real way, in a way that's in any way useful, and that system of care can be bricks and mortar like Permanente or Mayo or Dicenger(?) or Inner Mountain Healthcare, or it can be virtual. But it really does have to have a system, and I think it's our job to put together policies and programs that allow those systems to come together.
MR. REYNOLDS: Mary Jo.
MS. DEERING: Just one observation and then a question. You also have in front of you testimony from the Group Health Cooperative, and I would call your attention to the fact that I would guess it would be about page five. They have a handy little chart for their soul searching on what is the difference between not research, hybrid overlap and research. The Group Health Cooperative, Dean Hart and colleagues out of Group Health Cooperative.
And so I –- here's another piece of testimony that I hope the Committee will take a look at. It will be very interesting, and Wendy, you might be a little bit of ours in what is the easy pass system versus what isn't. But anyway, you can pick this up over there. It will be on the table.
My question to Joel, and I actually don't expect you to know the answer to this, but I guess I'll put it out there then as sort of a rhetorical question. At the AMIA Secondary Uses meeting, GE Centricity gave what could have been exactly your slides. I mean, the numbers might have been a little bit different, but GE Centricity is doing exactly the same with its customers. And at a meeting of the American Society of Clinical Oncology where they had an EHR vendor because Zasco(?) is trying to push EHR vendors to get more active into the oncology space because actually impact has been sort of out there in front for quite a while. I know that this is where frankly we first became aware of this practice, and all of the EHR vendors are doing this.
So the rhetorical question is we now GE Centricity is doing it proudly. You're doing it. I mean, it's really a very robust program. And so the question that's out there is are indeed all EHR or clinical systems vendors doing this? Is there a subset of them? Who among them are, how would we characterize those who are. But I think just getting a feel for the scope, depth and nature of this practice would be very interesting. So I don't know, do you know who else is doing it?
DR. GOLDWEIN: You're correct. I do not know the answer to that question, but I suspect that as especially in the oncology sector vendors become aware of the opportunities and of the need, and I probably should flip flop those, the need being on the provider side, that they will start to figure out that there are secondary uses that can help support the programs on the provider side. And what I mean by that is and I said this in one of my slides, and probably I need to highlight that now. It's not inexpensive to implement this kind of program. It takes a lot of dedicated time, effort, resources, training on both the customer provider side and the vendor side. And it does really in theory and in practice improve the operation, but it's at a cost. And somewhere that has to come out of some bucket, and this is just not an easy bucket but one of perhaps others that I think vendors will be looking towards in order to support implementing these very complicated systems. In oncology, these systems are totally new. The oncology market right now for EMR type and EHR types of systems is maybe five percent penetrated. Oncologists are not kind of natural in front of a computer. And as I look around this room and I can say that because I'm an oncologist. As I look around this room, I see maybe 10 percent of the people taking notes on laptops, and this is simple compared to the kinds of data that oncologists are collecting.
And so we are expecting them and their practices to come to speed very quickly with something that is a total paradigm shift for them, and we're looking as vendors for every way we can help them to do that.
MS. DEERING: I just want to add one note that, again, this wasn't the AMIA meeting. GE enables the provider customers to share in the benefits in that they receive a proportion of the sales to these intermediaries. It's a fixed percentage pool that's then shared among them. And so, again, somewhere along the lines these activities, if they're deemed beneficial, have to be paid for. And so GE laid out a fairly crisp path of financing these activities.
MR. REYNOLDS: Mark?
DR. ROTHSTEIN: Thank you, Harry. My question follows up on Steve's inquiry a little earlier on transparency. And with regard to my understanding of what both of you described, I'm fairly certain that what you're doing falls under health care operations under the privacy rule, and therefore it is permissible without getting any sort of patient authorization or consent.
But I think an argument could be made that the health care authorizations provision in the privacy rule is overly broad and somewhat open ended, especially with regard to thinking about the NHIN and all the possible new health care operations that could be going on.
So my question is for each of you in turn. Suppose it's in some manner the health care operations provision were tightened up, however that might be done, to require that these programs that you're describing had an element of patient permission attached to it. Either they had an opportunity to opt out, or they had to expressly opt in or consent or authorize or something like that. What effect, if any, would it have on what it is you're doing. Would you consider it burdensome, expensive, interfere with your basic research agenda. Do you think many patients from your experience would elect to not participate.
I think that's an important question as we try to think what we might recommend.
DR. GOLDWEIN: Well, I can answer from two perspectives, from the provider perspective because not long ago I was a provider. We covered this, and frankly if I were a provider today, I would be covering this in either a HIPAA or a general consent form. And the degree to which the program was described would be variable, I'm sure. But I think that that would probably satisfy the burden that you're actually suggesting.
DR. ROTHSTEIN: What I'm suggesting is that that's perfectly acceptable now. But what I'm saying is, if there were some requirement that there were a separate consent required or an opportunity to separately opt out, how would that affect –
MR. REYNOLDS: Before you comment, Simon had a question to make sure we understand.
DR. COHN: And Mark, I'm just asking you for clarification regarding your question because I heard two things going on in this case. I just wasn't sure whether you were referring to all of them or one or the other. I heard things that fall very clearly at least right now under health care operations. But then I also heard a secondary sort of repurposing of the data. Are you referring to both of them together, or are you making a differentiation?
DR. ROTHSTEIN: Well, I'm not trying to parse things out.
DR. COHN: Okay.
DR. ROTHSTEIN: As to the specifics of what each does, especially where it gets into research. I'm just saying a lot is covered now under health care operations, and the sort of quality improvement activities that are being described, I'm curious to know what effect a change in the rule would have, whether it would be burdensome –
DR. GOLDWEIN: I think that that is an excellent question of ask of providers, and it's difficult for me to answer that right now. In my former life, I was a pediatric radiation oncologist. I would spend approximately two hours getting a consent for treating a child with cancer with radiation. There's a lot of side effects; there's a lot of morbidity or potential morbidity. It was very, very complicated.
They had to sign perhaps one other consent at that time. I think the more we add to that, the less likely it will be that that will be meaningful in cancer care. I mean, I'm not saying that it's the wrong thing. I'm simply suggesting that we can overload them with these things, and it may not benefit the care of the patient to do so.
From the vendor's perspective, it's a little bit more complicated in that if you develop an interface to pull out all the data and then suddenly say, well, there are going to be patients who are going to have to be given the ability to opt out. Well, simply doing something to the software and the system that you've set in place so that you can have an opt-out flag so that you don't pull that data up. And beyond that, there's probably not a level of difficulty that is extreme from the vendor's standpoint.
MR. REYNOLDS: Joel, the oncologist to my left has a question.
DR. YOUNG: This is Scott, if I could jump in on this. I think that there is a real danger with the election bias, and you know, skewing your cohort. I mean, I should take that Vioxx example. You know, we talked about it earlier. I mean, if by some fluke all of the Vioxx patients had decided that they didn't want to participate in the kind of surveillance that we had, you know, we probably wouldn't have seen it.
And you know, how much of that would have put future patients at risk. I mean, you know, actually there's this balance point between consent, between really being a good steward of this data, and between being able to have a scientifically valid way of looking at the population. And if you skew the cohort, you skew the population. It gets really hard to tell a story that's based in fact.
MS. CARR: This is Justine. I wanted to just add to that. So if I think I understand what you're saying, Mark. If a patient has an opt out opportunity and they can say all right, you can use it for operations; you can use it for institution-based research, but you can't send it out, and you can't sell it, then just as Scott was saying, the utility of that data set may erode.
What you found is a meaningful observation within Kaiser, say, in the case of Vioxx. By the time you took that data set to send to the FDA, they may say, well, there's nothing here. So it's just sort of taking it to the extreme.
MR. REYNOLDS: Joel, I have a question for you. We, one of the things that we've identified as definitions. So you use de-identify, scrubbed de-identified which may be, I guess, is better than de-identified, but I'm not sure. But then as you look at individual records, an individual record can be identified. But if you're going to do an episode of care where you're linking a patient's pharmacy and laboratory and all these other things with them, if you go by strict de-identification, I don't see how you do that.
So in a lot of cases, when you put those things together, if you put a tag on it to do episodes or doing these other things, so help me with when because these definitions are really important to us because one person's de-identified may be HIPAA, and one person's anonymized, and we've heard all these things.
DR. GOLDWEIN: When I say de-identified and maybe I should just restrict my language to that term as it's defined with the 18 or so parameters that are considered to be elements of identification by HIPAA, that is what I'm describing.
In terms of how our system manages the aggregations of disparate data sets, they're all ultimately collected in the records of particular cases within the EMR systems that reside at our customers' sites. So they are in effect the episodes of care are all aggregated under one case record there before we pull it up. And whenever we do a refresh of the data, I am not exactly sure if this is true. But my assumption is that all of the previous data that we had is tossed. It's just completely thrown out. It's however from a standpoint of whatever we need to do. However it is scrambled and thrown out, we do that, and then we refresh it with completely new data from all of the centers who are participating.
So we don't need to match with anything that's previously there with any identifiers.
MR. REYNOLDS: So you used another term, case record.
DR. GOLDWEIN: Pardon?
MR. REYNOLDS: You used case record as another term. So as you sell your data for research and you sell as cases in some places, can that case record identifier ever get back to the real data?
DR. GOLDWEIN: No. There is nothing that links. If and when it gets sold, any identifier, any kind of record, number that we would put on it would be completely new and untraceable to the original record. Does that makes sense, and did I use any terms there –
MR. REYNOLDS: No, we're trying to understand the term.
DR. GOLDWEIN: I understand.
MR. REYNOLDS: With that, I'd like to thank both of you, and I'd also as we continue these hearings, I think what's a lot of our questioning is very focused. So it's not personal, it's not, but we're getting people that are doing the things that you're doing are very important to us as we review it. So Scott, thank you for being on the phone with us, and Joel, for what you did. And with that, we'll break until 1:30 on that clock, 1:35 on that clock, and we'll be back then. Thank you.
[Whereupon, the meeting adjourned for lunch.)
MR. REYNOLDS: Okay, we're going to go ahead and start the afternoon. We've got a few members that will be joining us again shortly. But we do have a quorum, so we can continue.
First thing this afternoon is we're doing to have Jean Chenoweth, and the panels we were going to have was commercial perspectives, secondary, tertiary uses, and so Jean, we look forward to your discussion.
Agenda Item: Commercial Perspectives: Secondary/Tertiary Uses
MS. CHENOWETH: Thank you first of all for inviting me to present our point of view. And secondly, I am employed by Thompson Healthcare which is a division of Thompson Corporation which is an $8 billion in revenue company, kind of in the news today because of Reuters and Thompson going against Rupert Murdoch, something I never thought I'd be a part of.
But Thompson Healthcare's a small division of Thompson. We have 2,100 employees. But more importantly, we serve over 3,000 hospitals and physicians, 140 large employers, over 100 health plans, the government itself, AHRQ, CMS, CDC, Homeland Security. We run the INCHA(?) system, and we serve nearly all pharmaceutical companies. I myself have been in this business for many, many years. I was President of the Commission on Professional and Hospital Activities which are located in Ann Harbor and was the first discharge abstract system in the country and served 2,800 hospitals since 1954 in ROI ICD-9-CM and built most of the rules for the UHDDS in the '60s, but I'm not that old, thank you very much.
Our customer profile is very broad. And as a consequence, we bring a very broad perspective to the need for confidential data, the protection of individual patients' identity, and the protection of hospitals. And from our history forward in the ‘50s, our company never released the identity of a hospital nor the identity of a patient.
Furthermore, we needed written authorization from the hospital to ever release its data even to its own medical staff. We have consistently worked with aggregated data to serve all of these entities. For us, the definition of quality is pretty broad. We believe that hospitals and health systems and employers and insurers are all seeking directly or indirectly the improvement of not only the quality of clinical care, but also the efficiency of care to improve payment of care and to improve the operations of the health care providers and the payers. As a consequence, we kind of subscribe to a definition of quality that goes back to Donna Abedian(?) from the University of Michigan -- of course, we're from Ann Harbor, so what else would we think, that quality equals efficiency and effectiveness. And, therefore, our applications focus on doing the right thing at the right time in the right setting for the right cost to get the right outcome.
And that's broader than just looking a patient's treatment record. These are a list of some of the things that we do with data and use aggregations of data to support these needs. We help employers who are self-insured to design effective benefit plans. We target and evaluate the effectiveness of preventive medicine programs and disease management programs.
We attempt to work with hospitals throughout the industry to improve clinical care, the efficiency of care and outcomes, build more effective provider networks, improve financial and efficiency using detailed operational data, evaluate and manage risk, develop strategic plans for hospitals to meet the needs of communities. It's a very broad range, and it would be impossible to list all the possible things we do.
This is a schematic of the kinds of data that come into our organization, everything from consumer surveys to public data sets. We receive proprietary individual patient billing records from hospitals. We receive 1500s from other kinds of providers. We have evidenced-based medicine systems and compare adherence to those evidence-based systems for hospitals in their electronic records systems.
We do a range of things from assessing eligibility to tracking adverse events. We also develop for our customers matrix for measuring the performance of hospitals. People from our Med Step Division have worked with AHRQ to develop the patient safety matrix and a variety of others as well as the Commonwealth Foundation and others.
So we have a broad range of data. We have a broad set of applications, and first and foremost we also provide comparisons so our customers can get a sense of how they stand. As you can see, a part of our data management process starts with privacy protection. The government data that we receive is either carrying no ID or has an encrypted ID.
When we receive data, most of the data that we receive from hospitals has no identifiable patient data other than the medical record number, which we encrypt. The one thing that is important is the first thing we do is to protect the privacy of the individual patient. We still to this day, except for the use of publicly available data, ask the permission of the hospitals and build that into our contract to get their written permission for release of the hospital's performance.
From that point on, though, the availability of the data at its lowest common denominator allows us to integrate data, to standardize it for effective and valid comparisons, the development of benchmarks to customize it for a particular need of our customer, whether that's government or private payer or a hospital, and to add value to that data by building in computed matrix and applying methodologies to make that data more comparable.
This really says essentially the same thing. I mention that one of the first things that we do is the encryption of identifiers that are received. All employees have access to data on a need to know basis. We've had federal audits. We've had external audits from private companies. All employees wear a badge and have to be checked in. Our data center processes and controls are quite secure.
One of the things, though, that I wanted to bring forward was that since HIPAA's passage, legitimate uses of data are no longer possible, and I'm not sure that this group is even aware of that. The real reason is why are really twofold.
One is that the law itself bows to the most stringent standard. So if a state has a stricter confidentiality requirement than HIPAA, the state law supersedes. We've accommodated that as we have over the years accommodated the different authorizations and data elements that were censored by state hospital associations and state governments.
But what it does, as we face the need to improve the quality of care from REOs() who will be distributing data as a severe impediment that needs to be studied carefully because when you have a patchwork quilt of confidentiality laws all across the country when what we need is faster understanding of the difficulties or the complications that arise from uses of drugs, that can't be identified until a population is using those drugs.
When we're trying to develop greater efficiency of care across settings and want to use episodes of care to hasten evidence-based medicine across settings of care, that patchwork quilt will be a much bigger problem than for a company like us who's used to building into its systems all kinds of oddities for different organizations.
Secondly is the interpretation of HIPAA itself by collectors of data. And we have seen hospitals believe that transfer of core measures would be against HIPAA, transfers of core measures data which is patently ridiculous. But let me use CMS as an example because CMS is such an important source of data, it is the only source of publicly available data that reflects care of all hospitals and all providers across this country. We depend on that to build national norms and national benchmarks so that we aren't left with mediocrity by people. In 50 percent of the states, half of the care will be in the lower half of the country, and half will be above, by definition every single year as you measure by mortality, complications, length of stay, et cetera.
National benchmarks are needed and norms are needed to raise the boat. And that's why CMS is – I'm using CMS as an example. In the public limited data files when I try to figure out what we could and couldn't get, and I talk to HIPAA experts in and outside of our company, it was very difficult to nail down what MEDPAR does and doesn't have.
All of the people in the research department said we cannot compute readmission rates. We cannot compute a 30-day mortality rate. We cannot track market share. After tracing the facts through, MEDPAR in its limited data file which is intended to enable organizations such as ours to use data for valid improvement of care, valid improvement of payment of care, and improvement of operations limits the cells to 11 patients. That's not a problem, but does not provide a patient ID or an encrypted ID. Many of the experts were very confused by this and thought, yes, there had to be an encrypted ID. That's what it says on the lock. That is not how it's implemented, and therefore you cannot track any readmissions in the MEDPAR file.
There also is no readmission indicator. As a consequence, you can't tell if a patient is going from one hospital to another because they received bad treatment. And the absence of dates is not so bad in the actual MEDPAR file except that you only get quarter of discharge.
So even if you could track, if you had an encrypted ID, you wouldn't be able to track a patient and tell when they came in and where they were treated first. That becomes an even greater problem when you consider the standard analytical file which is designed for longitudinal analysis of patient care.
And there, while you do get an encrypted ID across settings, you get only quarter of discharge. So if you want to compute a readmission rate, you can't do it on the standard analytical file either, nor can you track a patient from a doctor's office to a hospital to post-hospital care. You can't compare a variety of things.
Monitoring hospital and physician service for local and regional populations, for example, looking at the access of the poor to health care facilities is not possible as a result of no-patient zip code. It reduces the ability of traditional epidemiologic and demographic data analysis.
And while the government can do this or a university researcher can go to the IRB, a commercial company which traditionally provided this to hospitals, to universities, to many, many different organizations including those organizations of many of you sitting here, we can't do that any more and haven't been able to do it for a number of years.
We can't analyze the distance patients must travel for access to care, general or specialty. We cannot compute market share for hospitals or physicians. We cannot identify pockets of underserved population which are of great need in local communities. We cannot identify pockets of high incidence of disease.
We are dependent on the government and anybody from a university who gets a grant to identify a Love Canal or a pocket of disease. That did not use to be the case. Variances in readmission rates across geographic areas and payer are not possible, and the dates of service are perhaps the most difficult because it precludes any sequencing of care.
Sequencing of care has been absolutely crucial for moving forward to understand the impact of general care, hospital care and post-hospitalization care. But those benchmarks and norms cannot be produced at this stage because those data elements are missing.
And we can't create norms and benchmarks for high quality cost effective longitudinal care for chronic care either except for non-governmental data. By living by the rules of the insurers, which follow the letter of the law, how it is written, we are able to produce episodes for that. However, for the public benefit, using public databases, it is not possible.
So those are the things I wanted to bring out, and then I'm open to any questions.
MR. REYNOLDS: Jean, thank you. I'd like to open it for questions. Kevin?
DR. VIGILANTE: This is a very quick question. So when Fischer and Lindberg et al created Dartmouth Atlas and they tied patterns of care to that area of HSAs, they are trying to successfully tie it to 6,000 different counties in the United States. So help me, I'm obviously missing something here. Tell me why they can and you can't.
MS. CHENOWETH: Jack is a researcher at Dartmouth, and the Dartmouth Atlas was begun as a research project in conjunction with the federal government. As a commercial company, we would have to go to an IRB and get a single purpose use. We serve thousands of customers, and there's a difference between a single use by someone who has a record of contracting with the government. We happen to have a division that contracts with the government, but what customers need are often broader application, and that's the difference.
DR. VIGILANTE: Thank you.
MR. REYNOLDS: Paul.
DR. TANG: So if there's all these things that you can't do, how is it that you're still in business.
MS. CHENOWETH: Because we can do many things that we can do, Paul. What I'm trying to look forward to and nice to see you again, what we're trying to look forward to in particular are the needs of the hospitals to make effective use or improve on core measures.
A very simple example is pneumonia vaccine. Now that metric, only hospitals like Bellevue in New York City do well in, and that's because they treat the poor and they give the vaccine to almost every patient. But if you go look at Presbyterian or you look at a private hospital in Chicago like Northwestern, then you see that they don't score well on that. And that's because the physicians in private offices like to give the shot to their patient and collect the money for it as well, and the patients don't want to receive it in a hospital clinic. So what you have to do to be able to do well on that is to bring data together that reflects physician office treatment and hospital treatment. It's the hospitals that are required to report on it, not the doctors, and those needs are cropping up all across the country.
The hospitals want to get ahead of the game and start looking at episodes of illness to improve their efficiency because even in the poorest performing hospitals, I'll tell you an interesting thing. Our latest research shows that the announcement by Dennis O'Leary and Carolyn Clancey(?) and Rich Ombudstock(?) of AHA that hospitals are improving in core measures is only the tip of the iceberg.
Our results for the last five years trending hospital improvement over those five years shows that significant improvements have taken place not just in core measures but in mortality, length of stay, patient safety measures as measured by AHRQ, profitability and cash deduct. That's unpublished data, but we will be issuing it, I think it's next week. And by looking at data like that, it's important to know that the industry is moving.
We also know that the poorest performing hospitals are improving by shifting patients to outpatient faster than the rest of the industry. They need to know how good that care is. We can't track it any more. We used to be able to tell at least in the hospital clinics.
DR. TANG: So I'm going to use Steve's perk. This is not a judgmental question we ask.
MS. CHENOWETH: Okay.
DR. TANG: I'm going to try to figure out – and were you hear for an earlier testimony in the morning?
MS. CHENOWETH: No.
DR. TANG: Okay, so there was a company, a software company that can get all the data that you're asking for and resell it in de-identified format. So I'm trying to reconcile or figure out how to think about the fact that here's an unrelated software company that get all this information and do the things that you said you can't do. So what's the difference.
MS. CHENOWETH: Okay, the difference is, and I don't know, is that a company that is an electronic medical record company? And they provide the electronic medical record in the physician office and the hospital as a combination?
DR. TANG: In the office, yes.
MS. CHENOWETH: Well, then they could string data together. We can string together commercial insurance patient data because we work with – we serve as an administrator in one division of our company for self-insured employers, and we also are an administrator for Blue Cross in many states and for Medicaid. Okay. But in those instances, we can string the data together.
What I'm talking about explicitly – let me go back, is CMS, the one provider of data for all patients, all Medicare patients in all hospitals, that is the gold standard for epidemiologic studies. And what I'm saying is how HIPAA has been interpreted and rules have been applied, even within the government which intends to do good with these, has had crippling effects on very good uses.
DR. TANG: So I think I have a theme that we have to probe further in figuring out where we come down and what we can recommend. So interestingly, she pointed out exactly the thing that we heard this morning which is if they get access to data for another reason, that is the way that they're getting the data in useable format because you mentioned the way you got it from your claims side of the house and the software vendor got it because they run the software product. So I think that's part of the crux in there we have to somehow –
So she's saying, and correct me if I'm wrong, she's saying she cannot get access to data to do a lot of these useful analysis when you want to just go out and get data that's relevant to this analysis. But she can where another part of her company has access to, in this case, claims data.
MS. CHENOWETH: Yes but let me be clear about one thing. One is from the federal government's interpretation of HIPAA. The other is from the private vendors and the hospitals who have gotten those authorizations for release of data, have signed the HIPAA acknowledgment form and have encrypted data and sent it to us.
DR. TANG: It's a use thing. Okay, and then in the other case, it's the same thing. So this software company has access to customers who use its product and then use it for what they said is the QA benchmarking, but also use it for other things. So this is the intersection I think we've been really struggling with.
MS. CHENOWETH: Yes.
DR. TANG: And this is just another example.
MS. CHENOWETH: And it's complex. But hear me what I'm trying to say. I'm trying to say that the danger as you go forward in your deliberations is to underestimate the needs of the providers and the insurers to improve care. That it's already been impeded not by what the law says, but by organizations that are overzealous and don't recognize the necessity of these kinds of uses to monitor chronic illness, to improve care, to get care in the right setting.
And so I want you to make that fine point of differentiation.
DR. TANG: Yes, I think there may actually be at least three different issues that are being discussed here. One of them is about use and the use of who's receiving the data. Another may be about a point of aggregation and the ability to, depending on how the data are accumulated, whether they can be linked because of their status and who originally accumulated them, and then the issue of interpretation.
So I'm not sure we've teased out all of the subtleties of those different layers of issues, but they're all potentially at play here.
MR. REYNOLDS: Mark.
DR. ROTHSTEIN: I just have a brief disclosure for the record that another division of Thompson is publisher of several of my books. So conceivably I've got something to disclose.
MS. CHENOWETH: I think we sold it. No, the publisher.
MR. REYNOLDS: Blair?
MR. BLAIR: Jean, some of the things that we've been discussing in these hearings is what is an appropriate definition of secondary use of data, where are the boundaries as to when something is primary or secondary, and whether even the phrase secondary use of data is the most useful, most meaningful way for us to protect privacy and still have data available for appropriate uses to improve quality and operations.
I'd love to know your thoughts about whether the term is appropriate, and if it is appropriate, where you think the boundaries are and any relevant thoughts that you have surrounding that topic of secondary use of data.
MS. CHENOWETH: Well, I don't know if I would get into a definition of terms. But I do believe that there is a construct for thinking about what the REOs propose to do. When you have a regional collector of information, a lot of people, including us as we were looking at what are these things, what are the opportunities, what are the problems, et cetera, we had to carefully separate what those organizations do. And in my mind, you have a collector, and you have a user because the collector is responsible for gathering disparate pieces of data, it may or may not add all of the things that we do to data. But that collector is basically a commodity, isn't it, and it serves the same function as, let's say, a phone company or a cable company because what it's doing is transmitting information from one point to many others. And that's why it should be a commodity, and that's why it should be incented to be a commodity because what you want is the most efficient way to distribute that data as safely and accurately as possible.
MS. BLAIR: So it becomes a commodity once it's de-identified, is that what you're saying?
MS. CHENOWETH: I think that the commodity function, if you look back at even the history of all data collection goes back to the CPHA days when Blue Cross ran all of the discharge abstracting systems and was the only source for most hospitals to get data. They served in a business that kept being diminished over time, and they mostly went bankrupt after Medicare laws came in, the DRG law came in and they just plain disappeared except for what's now left in Thompson or CPHA.
The reason was that was really a commodity business. They were collecting data from many sources and then transferring it back in generally one format. Today's needs, so whoever's the most efficient in collecting that data is one kind of business. But those who add value to that data to meet the needs of the physicians, the hospitals, the government, the Homeland Security, et cetera, et cetera, et cetera, those are all specialized far advanced applications today, and no one organization could serve all those needs, not us certainly, and we're huge.
There are many organizations that use data to help support the health care industry and patients. That's the value add and that's where the expense goes into the research and the development. Once the wires are there and the data's flowing, it's who's the most efficient in protecting that data and getting it out efficiently.
MS. BLAIR: You've said something that might alter my perception here, but I want to get it clarified because I've tended to think in terms of PHI, protected healthcare information. It related to a patient, and you've referred to data as a commodity, and I'm trying to understand clearly when does it become a commodity and not PHI.
MS. CHENOWETH: It doesn't. I'm talking about the business structure. The data transfer business is a business that is a commodity business. In other words, the incentive in a commodity business is fastest, cheapest. In a value add where you're converting a commodity or raw resources into a valuable application, then you have a very different business and smartest, best, most effective, two clicks to value, those kinds of things apply.
And I think they're radically different businesses. I grew up with the business called CPHA. It did both. The way the world's evolved, those that tried to do both are no longer there, and you don't see an HBO who designs patient record systems or a server who designs patient record systems excelling in comparable data applications, do you, or providing epidemiologic data. Well, there's a good reason for that. There's a different mentality today. The way the whole industry has evolved, Jeff, is first there was a separation of the hardware guys like you guys at IBM and the users of the data like Simonj, okay, and the government people here and my company.
And that's been evolving for the last couple three decades. And now we're faced with a way to make distribution, that commodity part of the business, very, very efficient for the benefit of reducing cost and improving care across this whole country and perhaps around the world.
But I think if you're looking at how do you do that, right, you have to look at, those are two different kinds of businesses, and you have to act accordingly. You have to make sure that the collection of the data is efficient as possible and serves its customers which are the people who will add value to that data and not get in their way, but at the same time assure that we have epidemiology somewhere other than just in the university when somebody's lucky enough to get federal funding. That's what we're limited to.
MR. REYNOLDS: Good. Bill?
DR. W. SCANLON: Yes. It relates to John's point about use being sort of one of the key dimensions here, and I guess I'm wondering if CMS is really misinterpreting HIPAA or deciding that they want to control use.
My grants from CMS' predecessor are pre-HIPAA grants, so they were obviously only of a historical nature, not nothing that's sort of current. But if I remember them, there was both sort of very careful delineation of what you could do. There was provisions that you would have to destroy anything that you got after you did it, that you would agree to go to jail if you released it, I mean, those kinds of things.
And then there was even a point in time where they said the grants weren't strong enough from a legal perspective to enforce these things. So they became cooperative agreements which were closer to a contract, but not quite a contract.
So there was definitely sort of a very conscious effort to control the use. And I guess part of my question is your commercial sources, is there the same sort of level of control, or, because I guess from what we heard this morning, it sounds like once the data are turned over and not to be judgment, once the data are turned over, then there are all kinds of applications that then become feasible and that they may occur.
And to put this into some context, I mean, in another sort of setting, the issue of CMS sharing Medicare data has come up, and there's been some resistance to it because of the idea that there's concern that providers are a community that CMS needs to have good relationships with, and not so much hospitals because hospitals in some respects don't have a choice in terms of participating sort of in Medicare, but other provider types do.
And the issue is do you know that when you participate in Medicare, we're turning your data over to others, and they may use it whatever way they will. And just this last, I guess it was about a week ago, a little over a week ago, we had an article in the Post about physician profiling and some of the controversies about that which is that a lot depends upon the profiler, and that two different profilers can take the same position and come up with very different results. And the question is what's the valid sort of measure here.
So there's this issue of control of the uses of data. There's an issue of sort of fear of some kind of negative response if you do sort of let data out on the part of providers. And you know there's a question of whether all those uses of data are mature enough that a provider of data can feel confident about turning it over.
MS. CHENOWETH: We have to annually get data use agreements from every hospital as a part of using the MEDPAR file or the standard analytical file. We automatically in compliance with the law encrypt all of our data. We've been in business since 1954 and have never released a patient's name because we've never collected it, nor have we ever identified the patient.
That has to count for something in the history of the use of health care information from its inception. So legitimate use of data is there. The question is can the government preclude legitimate use of data that serves the needs of the public through all hospitals, through employers and others that the government doesn't serve. And that's, I think, what you have to balance.
Now we submit our applications, even the 100 top hospital study is used by CMS as a very valid use of public data. We have worked with AHRQ and its PR agency by undergoing their review of our applications so that they know data is used. We don't have any problem with that. We don't have any problems with useable encrypted Ids.
What we have a problem with is not being able to have enough information to do epidemiological analyses and to create strings of episodes to assess the efficacy and efficiency of care across settings which is necessary for where we're headed and will be even more important as you go ahead and try to deal with the transfer of electronic patient record.
And I think that that's the real issue. Patient confidentiality is honored within the vendor community because we've all signed agreements, and I see nothing wrong with contracts. Contracts protect the confidentiality. What I see a problem with is restriction of data to the point that even legitimate uses of data for the past 40 years are no longer possible.
DR. W. SCANLON: Would there be any issue then if there were contracts that specified that this is the use for these data, and that once that use has been sort of satisfied that the data cannot be used for anything else?
MS. CHENOWETH: You know, we had that restriction years ago in CPHA, and what it did was it protected CPHA's business from its competitors, speaking as its former president.
The problem with that is that when you serve thousands of customers, how do you do that without – how do you do that without eliminating the business. Perhaps the best way to do that is to allow, and I'm just speculating off the top of my head, is to allow the general uses but have an audit, you know. There are audits for financial reports from hospitals. Why not think along those lines, rather than create enormous bureaucracy that you can't do much about or that really adds to the cost of health care in ways no one really wants.
If we can think of ways to facilitate what will be need and still protect patient identification which encryption does quite well for organizations like ours that aggregate data. We have no interest in tracking patients. When you limit maybe the use to aggregation but allow the encrypted data and the date of discharge and the zip code to allow market share analyses, to allow all of those traditional uses, then you perhaps thought part of the way. What you have as a challenge to you people, I think, is the challenge of thinking up what new uses will be very important to individual patient care as a greater detailed data is available and it needs to be transferred, and it's a big challenge.
MR. REYNOLDS: Jean, I have a question. With some of your clients, are you a business associate?
MS. CHENOWETH: Yes.
MR. REYNOLDS: And are those the arrangements that work fine for you versus the other ones that you say don't work fine?
MS. CHENOWETH: Well, yes, I mean, that's what we've signed with everybody, and we follow all of the government rules and get the DUAs signed, et cetera. We follow the rules.
MR. REYNOLDS: Right.
MS. CHENOWETH: Because we want to stay in business.
MR. REYNOLDS: Right. But you were mentioning you couldn't get data from CMS. So you're not a business associate of CMS?
MS. CHENOWETH: No, we would – I don't think so. You know, I honestly don't know because there are so many divisions of Thompson. It's possible that some other –
MR. REYNOLDS: Well, no, I'm trying to understand the difference between, you seemed satisfied with your relationship with some, and you seem dissatisfied with your relationship with others. And I'm asking the question about covered entities because, I mean, business associates, and they have certain rights under all the ways the laws are set up. Whereas, if you're not a business associate, then I doubt that some people would give you some of that data. So I'm trying to understand exactly what –
MS. CHENOWETH: And I don't know how to answer it because I don't recall the explicit definition of the business associate. I know that that's how we serve all of the hospitals. We are an agent operating on behalf of the hospitals or on behalf of the insurance company or on behalf of the employer. When we buy the Medicare files, I know that we have to sign the DUA, we have to get a DUA from every hospital, but I'm not sure whether we also sign a business associate agreement as well.
And I don't know that because sometimes we're working on behalf of the government, and sometimes we're not because we have a large government division. Maybe you can help me.
MR. REYNOLDS: No, no, that's fine. Again, you posed an issue and you posed that sometimes you get what you want, and sometimes you don't, and sometimes you – and so we're trying to go through and say what's in place that allows certain things to happen, and what isn't. And I was just trying to understand clearly because you had a point where some people you like what they're giving you, and others won't give you stuff, and I'm trying to figure out what to do.
MS. CHENOWETH: Right, and what I'm trying to say is I don't think that has to do with the business associate agreement. I think that has to do with the interpretation of how data can be released which is a completely different level. It's an interpretation of what confidentiality is under the HIPAA law.
MR. REYNOLDS: Okay.
MS. CHENOWETH: And I think that's the best I can answer it. But –
MR. REYNOLDS: Mary Jo?
MS. DEERING: Thank you very much. When I mentioned this morning when you weren't here that at the AMIA Secondary Uses Conference, GE Centicity described a process of getting data that was very identical to the one that we heard this morning and that people have referred to. And whether this was – and what I can't remember is if Thompson came right after, and they spoke sort of as a pair. And what I can't remember is whether Thompson was a client of Centricity and was receiving data from it. Actually I sort of got the impression that they were, but let's just leave it on the table whether that relationship existed or not. But the proposition is clearly on the table that, of course, the vendors would be selling their data.
And I think one of the things that I'm trying to understand is that data to you is an input. Let's say you are –- it's one of many inputs. And as you think of the NHIN and everyone focuses on the bright shining horizon of all of this data collected once at the point of care. But I guess what I'm trying to understand is, and this may be an absolutely meaningless question or non-question, but I'm trying to figure out there are so many ways that data is acquired and made accessible. If you looked forward in time and the regulatory environment was hospitable from whatever way you needed it to be hospitable is the collection of that data and a fairly direct path via the NHIN, the only model, would that supercede all other ways in which you could ever acquire data, or would there still be – are there other sources. Now one of the things that I'm asking myself, for example, is we heard a couple weeks ago that it appears that the law may pass both Houses, and the FDA will go ahead and set up a hundred million person database under contract to continue to collect information for safety from the VA, from CMS, from, did they mention some of the big integrated delivery systems.
And so if the government which, by law, has the right to collect it for one purpose for the FDA, is there a scenario whereby Congress and/or the regulatory process in its wisdom could identify additional uses of that body of data available for quality purposes. Right now, I believe it's only for patient safety purposes and monitoring. But if the government is paying people to collect and aggregate that data to certain standards, then is there a scenario in which through that effort the kind of data that we're talking about, GE needing individual patient consent for this other feed your PHI through the pipeline scenario, it's fuzzy in my mind whether we're talking one and the same thing. I just don't know. So if you were looking into the future, where would you get your data from and how would it –
MS. CHENOWETH: Okay, let me share with you what happens today. I can't tell you what will happen in the future; I could speculate, but I don't know.
We collect data directly from hospitals under contract that preclude us from identifying a hospital, a doctor or a patient. That is the way it has been since the conception of the company in the ‘50s. And what we do with that data is clean that data, standardize that data, apply methodologies for risk adjustments, severity adjustment, et cetera, and then provide that hospital with comparable information from our data bank. So source, the hospital. We run state hospital association and state government data banks. We receive the data on behalf of the state government or the hospital association, and we do the same thing, but we apply additional restrictions from that state government like North Carolina or Rhode Island or any of the states that we operate in, and we add in their restrictions on data as well.
When we put it in our centralized national data bank, that data is encrypted so that we don't know who the patient is, and at that point it's absolutely irrelevant to us anyway because what we use that to do is build benchmarks to compare, okay.
Then we can buy data from public sources that we don't operate such as CMS or a state government. We can buy data in aggregated form from other companies that have rules as Byzantine as not only do you not get the data directly, but you get the data directly, but the data's encrypted, and if you ever have to know the identity of a hospital, you have to ask a third party who is an independent party to validate that there might be a problem with the data and go back and ask the original vendor a question of the hospital.
So what I can tell you is in the information business, patient confidentiality and hospital confidentiality and client confidentiality is taken very seriously because our reputations depend on our maintaining that and adhering to the letter of our contracts, and it's very serious business. We have nothing but our trust.
So there are other ways. Now if you had a situation where all data for the whole community were coming through one spicket, then the most important thing for that company that was running that spicket is to be the most efficient and most effective receiver and channeler or distributor of that data. When that data hits other organizations, would there be a way to get data from a hospital separate from that spicket? Yes, because the hospital has a right to its own business information.
The expense, however, of collecting that data is enormous, and it goes back to the very reason why the CPHAs and the Blue Cross systems, the not-for-profits were the only ones willing to collect data for maybe 20, 30 years. And then, when it became a byproduct of other business processes in the hospital, they disappeared. Now that's why I say it's important to separate those two kinds of businesses as you go forward.
MR. REYNOLDS: Jean, thank you.
MS. CHENOWETH: You're welcome.
MR. REYNOLDS: Very compelling testimony. Thank you very much.
We'll take a break until 2:50 on that clock, and then we'll start the next session.
(Break)
MR. REYNOLDS: Okay, our next panels going to give us a look at public health in statewide planning perspectives, and it's going to be David Carlisle from the California Office of Statewide Health Planning, Leslie Lenert from CDC, and Vickie Hohner from Fox Systems. So David, can you hear us okay?
Agenda Item: Public Health/Statewide Planning Perspectives
MR. CARLISLE: Yes, I am on the line, thank you.
MR. REYNOLDS: Okay, well, we'll just go in order of the agenda. So if you would please start your slide presentation. Your slides are up, and if you'd just say next slide whenever you want to move forward.
MR. CARLISLE: Thank you. Share I begin?
MR. REYNOLDS: Yes, please.
MR. CARLISLE: First of all, my sincere regrets for not being there. On the East Coast, as you know, California is without a state budget, and we are restricting payments to various beneficiaries of state programs, restricting hospital and physician payments imminently, and this does not fit within our travel criteria at the present time, so my apologies under those circumstances.
But thank you for inviting us to participate in this very important meeting. We're looking at slide number one, and I am the Director of the Office of Statewide Health Planning and Development within the California Health and Human Services Agency.
If you move to slide two, you basically see the hierarchy of health programs within the California government. OSHPD is one of several departments in the Health and Human Services Agency that have responsibility for health care functions and health policy. There are a total of 14 departments within our agency, and six specifically have healthcare functions.
Moving to on to slide number three, I just wanted to share with you some of the reports that we have prepared dealing with hospitals and, most recently, physician outcome. If you look at the top lefthand report on the slide, that is a report from our coronary artery bypass graph surgery outcome reporting program. We just released the first report west of the Mississippi, first report for California that includes surgeons' outcome in addition to hospital outcome, and that is now available via our website. We've used our data for other reports on preventable hospitalizations, on community acquired pneumonia, on heart attack mortality, and race and ethic disparity, and continue to make information available to the public.
Our mission is to make as much information available to the public and to consumers as possible. We do not view reports with a hospital that are not available to the public.
Moving on to slide number four, you see a summary of our databases, and we basically have five different types of data that we collect and report. The first are financial data, i.e., revenue and cost for a variety of health care programs. The second would be utilization data, the number of total aggregate visits per year and types of visits. And then we have patient level, individual patient level specific discharge data. And finally, we have clinical data.
The clinical data are focused specifically on our coronary artery bypass graph surgery reporting program. We have trained data collectors who actually go to hospital facilities, abstract the medical records, report them to the office and generate the database.
Returning to the financial data, we basically collect, as I mentioned, revenues, gross revenues, net revenues, all sorts of financial parameters. Our hospital data set here is perhaps, I think, one of the most complete in the nation. In fact, compared to data that most other states collect on hospital financial performance, this is an extremely comprehensive data set. It is highlighted here as a limited database because not all hospitals in California report individual hospital-specific data to us. We have an exemption in California called the Kaiser exemption which allows a hospital within the Kaiser system to report their data as a system instead of as an individual hospital facility.
As a result, we don't get data from hospitals that are, specific hospitals that are run by Kaiser. But we do collect individual and hospital finance data from all other hospitals within the State of California. We also have some limited less comprehensive data financially on long term care facilities, on ambulatory clinics within the State of California, and recently on ambulatory surgery centers.
If we move to utilization data, California also requires all health care facilities that are licensed by the State of California to report utilization data to OSHPD. And, again, we have fairly comprehensive utilization data on hospitals, emergency room facilities, emergency departments, on hospices and home health agencies, and recently ambulatory surgery center.
We also collect utilization data from long term care facilities. In the area of clinics again, we have an exception in the State of California. Some of our large public municipal and county run clinic networks do not report clinic level, specific clinic level data to OSHPD. Going down to the discharge data set, our hospital discharge data set, I think, has been recognized as being relatively state of the art, very comprehensive, very complete and has been around for over 20 years and has generated, I think, we would say in excess of probably 1500 peer review scientific articles in the literature since the data's been available
We have just recently added similar level data, individual patient discharge data from emergency departments and also from ambulatory surgery centers to this portfolio, and we expect that data to also be as rich and as useful from a policy and utilization review as the inpatient data set has been.
Then finally again I did mention the clinical data that is abstracted from medical records specifically support the CABG outcome reporting program. Moving on to the next slide, I'm going to share with you more detail about a patient level data set, and this is, I think, the data set where a lot of the questions for testifiers really drive – that they drive to.
The hospital data set has about four million individual records or observations per year, and these can include more than one hospitalization for an individual patient. The emergency room data sets, one of the new data sets, has almost nine million observations or discharges per year that are captured, and we have about three million discharges per year on our ambulatory data set.
We collect very expensive demographic data, age, gender, race and ethnicity. We also collect patient zip code which is mentioned below. In terms of our clinical data and the data sets, patient diagnoses up to 24 are included, up to 24 procedures. E-codes, external cause of injury codes, are collected. DRG classification is collected. These are all – I should mention that this data set is based upon billing data financially. Because of the existence of billing data historically, we were able to move forward in generating and collecting this information.
Finally going on to the final bullet, zip codes were mentioned already. This is the patient five-digit zip code. And I do want to make the point that we actually collect from the facilities the social security number of patients. In California, not every patient who is discharged, especially on the pediatric and delivery side of things, has an SSN. But we collect the social security number. We then transform that number into OSHPD records linkage number, so in comes the SSN and out goes for all virtually intent and purposes, a scrambled record linkage number based on a very complex but reproducible scrambling algorithm.
We collect admission source, disposition, payer, that is, the type of insurance company or whether the patient is self-insured. We collect charges in California, and we have a hospital ID number.
I want to come back to charges, and this is actually one thing that's very important. A lot of attention, I think, has been placed in the media recently about the cost of health care, and I think a lot of the reporters are having trouble differentiating cost data from charges data.
Not too many states actually are able to capture and report cost information. California at the level of the individual patient or unit of service does not collect cost information. We do collect charges data, but those can sometimes be a factor two or even three removed from the actual cost of care or actually what is being paid by payers for services. That's just one important point that I wanted to make.
Moving on to slide number six, again, with regard to our patient level data sets, the discharge data, as mentioned we do collect this information from hospitals, emergency departments and ambulatory surgery centers. We then categorize the data set into two broad categories. The first is the public data sets, and as you see near the asterisk, the public version emphasizes the type of data that would not be able to be utilized for violation of patient privacy.
We basically include all of the records, all the observations, but we use age categories instead of specific ages. We do include the five-digit zip code. So we use masking for a variety of elements that could be specifically used to identify an individual such as race, diagnosis and procedure.
The masking is generated by or is related to the level of geographic fields that is used. So for instance, if you use a zip code, some zip codes in California have very few residents, and some have quite a few, probably ranging from a couple hundred or fewer even up to many thousands, 30,000, 40,000, 50,000. Small zip codes require masking, and if we had an African American individual who had undergone a CAVICH(?) and was a resident of a very small zip code, simply those two fields might allow one to identify that individual if he had knowledge of people residing in that specific zip code. So we might mask those particular data elements.
Moving on to the non-public data sets, we basically have two types of non-public data sets. We have a fairly standardized non-public version that is kind of packaged for specific users. I'll speak to that in detail later. But we do have some specific users of non-public data that could include hospitals, public health departments in the State of California, and we do have fairly standardized packages available for them.
But we also project-specific IRB reviewed request for non-public data, and again there'll be more detail on that later. But for those users, we basically produce custom non-public data sets, and they are dependent upon the project that is anticipated and envisioned and are designed to fit within – I apologize, we're across the street from the fire department. This may not happen – this probably will happen one more time, we'll see. But yes, that is our project specific non-public data set.
Moving on to slide number seven, we are aware and very cognizant of the fact indeed that patients are not necessarily – they don't know that the information about their discharge may be reported to the State and may be reported by the State to others. It is expected that, again, individuals whose data are being used don't know about this. But on the other hand, we do not ask for a consent or authorization from individual patients prior to reporting their data to the State. This is part of our Data Act in the State of California.
We, however, do know that hospitals and clinicians who are reporting the data are aware that the data are being collected. As a result, we do use very strict security measures to make sure that the data remain confidential or de-identified.
And moving onto slide number eight, the legal constraints on disclosure of non-public patient level data in California are several. We basically are guided by two specific laws. Our California Information Act says that we are able to report the data for research purposes to non-profit educational institutions, i.e., universities, California state universities, University of California campuses within the State of California and others such institutions within the State of California and elsewhere.
We have a Data Act that basically extends the access of the data to local and federal public health agencies. So we share our data with the California Department of Public Health, the California Department of Health Care Services that runs our MediCal Program. They use our data for reports of billing and rate setting functions.
And we also share our data with use of the federal government. Certainly, the CDC receives data from us, as does the AHRQ, and our data go into national discharge databases that are then shared with researchers. But they're used also to support other federal functions, as I'm sure many of you know.
Moving on to slide number nine, we have certain constraints on what we share with the public. Again, designated users have limited data sets. Although we're not a HIPAA covered entity, we comply with HIPAA regulations in terms of data disclosure.
As I mentioned, we collect from the facilities the social security number of an individual, but we do not report direct identifiers. Again, we do not report the SSN. We would not report a patient's name, which we do not collect, although we would not report a patient address also, for instance, if we were to collect that.
Data that we report that is non-public must be limited to the minimum content required to fill a specific purpose. And data that are used by researchers has to be for a specified purpose of research, and we have a data agreement that establishes the permitted uses and who is permitted within, say, a given research entity or shop, who is permitted to actually utilize the data, so we are very proscriptive in terms of who can use the data and what it can be used for.
Going on to slide number ten, the recipient then agrees to use the data only as specified. They have to use appropriate safeguards to prevent misuse or disclosure. They have to report to us any disclosure not provided by the data use agreement, and they have to ensure that agents or subcontractors agree and comply with the same conditions and restrictions.
They have to basically also agree to never contact or identify individuals as a result of using the data that we provide to them, and actually this has been something that's come up a couple times before the State IRB, and once again the researchers must promise never to contact or identify specific individuals.
Moving onto slide number eleven, yes, we do have a committee for the protection of human subjects, or essentially an institutional review board within the California Health and Human Services agency.
Researchers and data users including OSHPD's own outcome program have to have protocols reviewed by a CHPS or IRB. Protocols actually get reviewed. We do this pretty aggressively. We have a committee comprised primarily of Ph.D level individuals and others who are very familiar with the use of data for research who make up the membership, and the IRB reviews our research by virtually all of the state agencies and private universities that might be utilizing our data.
Moving on to the next slide, within OSHPD we have a highly secure internal information technology environment. We use very sophisticated encryption techniques. Our staff data sets that the data sets are basically comprised or held on secure servers. And we're very rigorous, using locked facilities behind an IC firewall to basically prohibit access.
Again, we don't disclose SSN numbers, and we don't disclose other identifiers, and we use very strict data use agreements with all users that don't have direct access such as the Department of Public Health to our data sets.
Moving on to slide number thirteen, we actually are also rigorous in terms of our data stewardship. Our patient data discharge section collects and performs quality testing. We have electronic mechanisms for data reporting within the State of California. Virtually all of our data at the individual patient level are reported to us electronically. The data are heavily edited using the various electronic algorithms that are updated. And then we have a data management office that has responsibility for warehousing the data. Again, it's a secure private repository that also is able to link and match our various data sets together. And then we have within OSHPD a health care information resource center whose job it is primarily to review all data requests and is able to generate custom data products for various users of our data sets.
Finally, we then close with the last slide, slid number 14. This has contact information for OSHPD. One can go to our website at oshdp.ca.gov to view our data set and contact us directly for your health care information resource center. We have an email address for the center at the bottom, but also a telephone number.
And why don't I stop there. I know we have other panelists who are eager to present. I don't know if you want me to take questions at this point or after their presentations.
MR. REYNOLDS: I have a question for you first.
MR. CARLISLE: Sure.
MR. REYNOLDS: Since you have the budget situation, and we heard sirens in the background, do we need to ask you the questions now, or would you rather wait until the rest of the – can you stay with us through the rest of the panel.
MR. CARLISLE: There's never a dull moment here in Sacramento, and sometimes that's preceded by fire sirens. But I'm here with you and can be here for the duration of the panel.
MR. REYNOLDS: Okay, well then we'll just continue through the agenda, and Simon, I think you want to make a brief introduction, and then I'll let you do that.
DR. COHN: David, this Simon Cohn. I first of all just want to thank you for your presentation.
MR. CARLISLE: Thank you.
DR. COHN: I was struck and probably ought to publicly disclose as Chair of the Committee that I actually am Associate Executive Director for Kaiser Permanente, and we obviously do appreciate the forbearances you give us in terms of our data submission to you as part of OSHPD. So, and we do very much appreciate that.
MR. CARLISLE: I should mention that we have a variety of technical advisory and data advisory, Ford Commission committees, and Kaiser is a consistent participant in each of them. Thank you very much.
DR. COHN: Yes, certainly it's not by way of public disclosure, but I thought I should at least comment. Thank you for joining us.
Now I did also want to take a minute just for introduction for Les Lenert. Les, we're obviously very pleased to have you joining us. Les is the new Director for the National Center for Public Health Informatics, a post that I understand now that you've had now for ten days. So we know there's been actually a very extensive search for this position, and obviously I should just comment that for those of you who know the new structure of the CDC, the Centers are obvious collections of, I mean, basically I guess collections of the various agencies and organizations within CDC do report up to these national centers which include, I think, the National Center for Health Statistics. Am I wrong?
MS. LENERT: Actually, a cluster of centers report to a coordinating center. So NCHS and CPHI and the marketing center are all in the same cluster.
DR. COHN: Okay, so it's sister, that's right, another aspect of the cluster. Okay, well, that teaches you how much I understand about how CDC works. But having said all of that, what? Oh, Vickie, are you on the line?
MS. HOHNER: I am.
DR. COHN: Okay, thank you. We were just introducing Les Lenert who's going to testify in just a second, and you're following her.
MS. HOHNER: Correct, I'm here.
DR. COHN: Okay and thank you for joining us. Well, anyway, now that I've completely mangled that introduction, I just wanted to thank Les for being willing to participate and come up on relatively short notice. I want to thank Steve Steindel for helping to facilitate your appearance and presentation. And obviously, we look forward, I think, to a long and close relationship working with you. The NCVHS is a department-level federal advisory committee, but obviously we have very close relations with CDC. The Executive Secretary is within CDC in the National Center for Health Statistics. Obviously, we have very close relationships with them, and obviously we also work closely with ASP(?). So we're obviously very happy to have you here.
DR. LENERT: Thank you. I want to give you a brief background on myself and who I am. I'm a medical informatics researcher. I have done work in a variety of other areas before joining the government. I have training as a general internist and a clinical pharmacologist, and I also received a Masters degree in Medical Informatics from Stamford concurrent to I received doing a fellowship in clinical pharmacology.
I have worked in a wide variety of areas in medical informatics from use of secondary data sets such as OSHPDs to evaluate the effectiveness of critical care near the end of life to development of public health intervention strategies for the Internet such as smoking cessation and behavioral change methods.
And most recently, I've worked on technologies that allow first responders at the site of a disaster or a terrorist attack to use electronic hand held medical records wirelessly and to track location of victims and to get telemetry from wireless instruments and other sorts of advanced technologies and evaluated that.
But I tell it's my pleasure to really tell you about public health and its potential role in informatics. I have to do so with a great deal of humility, being in the public health world really only for ten days and having such outstanding contributions from people in the public health world to this Committee so that I'm pleased to be able to do that.
So if there are other questions that you need further advice on different things, Steve is available to add to this as is Tom Savelle(?), my chief science officer, and we're happy to fill in what I can't answer now.
My task today in talking to you is to give you an overview of what the National Center for Public Health Informatics, and then I'm going to talk in a very general way about public health use of clinical data and what the implications are for that, what are the different models and strategies, particularly with regard to what's going on at the CDC. And then I'll also talk a little bit about future states and what we will be doing and give you a brief summary for that.
Public health informatics, it's the systematic application of information in computer science and technology to public health practice, research and learning. This should really be nothing new to you. As we've heard already that NCPHI as we call it, the National Center for Public Health Informatics, resides within the Coordinating Center for Health Information in service, and that our two sister centers, the National Center for Health Marketing, National Center for Health Statistics that we work very closely with on a weekly or daily basis.
So our focus is really on this use of informatics and technologies to improve science and service in public health. We see public health clinical data being used in four different areas, for developing and promoting the science of public health informatics, for supporting the necessary research and work for its bases for growing this discipline, and for establishing strong leadership partnerships, and then really working to establishing strong representation for public health at all national IT initiatives including this one. And so we're very pleased to be here.
I might just skip over that. To get to the heart of the matter, the public health has a substantial use for clinical data, and our perspective is that this is not secondary use, but this is really a societal primary use, that we have to think about the notion of a society having the needs for protecting itself from infectious agents or other health threats, environmental, toxicological. But we can focus on the bacteria as a threat and other organisms as a threat to public health, and that's really where the legacy of public health and the CDC come from.
So the four different cases that we'll talk about really are surveillance, the idea of case and outbreak management, and then population health assessment which we have heard a little bit about already today, and then our population health interventions or the specifics of trying to improve the health of the group.
Giving health care is a public health function, but the federal government has a public health agency, the Indian Health Service, and it has other agencies that provide direct health care, but the CDC does not really provide direct care unless there's a national emergency. We are here to organize health care processes in the system until we are invited to perform direct activity.
So to talk about public health surveillance when it's one of the uses for public health purposes that we think is most important. It's often the only item that can appear to people on our agenda. Indeed, the focus is really on this notion of infectious disease, but it really extends beyond that to health related effects and environment and other types of exposures.
Infectious disease surveillance is our cornerstone. It really developed the public health system. Until the late 20th Century, the control and elimination of infectious diseases was the major focus of mankind.
With the advent of antibiotics in the mid-20th Century, we've won part of the war with the microbe, but we are in a continuing battle against the resistant organisms and often face challenges from the reproductions of these microorganisms that are adapted to the modern environment of microbial. However people perceive less threat than there is now, and we need to move forward with continuing to be vigilant.
Almost any morning, we see on the news that we are far from a state of relaxation, though, that there are people are constantly bringing threats, whether it be from the Harry Potter series where you've maybe heard of the mad eye moody, the need to be constantly vigilant, and that people are afraid. The news media or other sources may be putting fear into people.
Almost all organizations do monitor for the induction for the new strains of microorganisms, and this issue of resistance. But as you can tell, this is a difficult task. And even as our recent experts were trying to determine whether certain types of TB organisms can be treated with antibiotics, it's at least a difficult question.
Small wonder public health surveillance has a special place in this discussion. We are fortunate to have a public that recognizes and accepts the role of government to detect threats and grant special authority to allow us to do so. While there are no federal laws regarding the reporting of infectious disease, these laws are common at the state level and at the local level, and that good practice by public health practitioners and really the culture of public health winds up with these reports being aggregated for the common good.
HIPAA itself recognizes the public good of the function of surveillance by allowing passage and information into public health entities during health care delivery without consent, the so called Public Health carve out for HIPAA allows disease surveillance systems, disease registries such as those for cancer, immunization registries and several other vital tasks.
Providers unfortunately have had to bear the burden of this process so far. That is to say that when you see an infectious disease, you have to pull the yellow card and report it, or when you see an adverse drug reaction, you have to report it. And that this process goes on without compensation largely through professional self-regulation standards.
But in the future, we're going to need to have approaches to automate this, to ensure that it's done more reliably, and done more completely.
I'd like to talk a little bit about this and the notion of a matrix of different activities for the four dimensions. So in public health surveillance and the other areas, we'll discuss, we'll talk about accountability, transparency, the permissions required, what we're doing for identity protection, oversight, the laws and regulations, the standards and the benefits.
Right now, the accountability to report in this is based on civil requirements. It's not really enforced so that there really isn't any setting that says that health care provider or a covered entity is penalized for not reporting. However, professional practice has rendered us with some capability.
Transparency, our activities are transparent to those who know the HIPAA law, but they're not necessarily transparent to the public at large.
Permissions, well, the permissions are granted by statute or the authority of the state and local governments so that they're not necessarily required. The identity protection is cultural, and it may also be part of the statutes. But the primary protection is that public health practitioners have a very strong culture of patient confidentiality, and there's a history of success from this tradition.
Oversight, while public health is a government body and there are governmental procedures for self-oversight, other local and regional government bodies that overlook what we're doing to ensure that the practices are appropriate. However, I think that the main factor is to see that there's no financial motivation and that these organizations exist for the public's good. And to the extent that they're corrupted in those things, all public processes have been corrupted.
Laws and regulations, state and local standards processed. NCPHI's, one of its largest roles is to advocate the use of standards in reporting and to develop systems such as meds and other platforms that can enhance the use of standards.
Public health statistics, again, I'm a little bit hesitant with it. I don't care to talk about the collection of public health data, but as you can see both the states and the CDC as a part of data use agreements or statutory law collect data on the health of the nation, and that this activity is an inherent one to government. People want to know how we are doing with the health, baseball statistics. We look at averages. We want to know whether health is improving. We want to know what the areas are of risk, and that this allows our nation to monitor this.
The roots of this go back to the National Census and other areas. And that there are many different issues that come up with this. Inside the CDC, the National Center for Health Statistics is our designated national statistical agency for health care, and NCDS is tied very closely to this.
At the federal level, we really gather data at two sources. The states report data that is collected to us, then there's direct data gathering. The states bring us data through specific use agreements and other activities. You've heard a little bit about some of the state activities from OSHPD and how they then transmit select data to the CDC for further analysis where it's treated with the same care as it was treated at OSHPD.
The amount of security in surveys such as the NHANES is extensive. In fact, it's so secure that restrictors have to travel to special centers to access the data, and that there are significant limitations on different types of data that are available.
So, again, to look at our matrix on this that the issues of accountability, there really are not people measuring how well we're doing with this and reporting to the public. However, we have been good stewards with this, and we stand ready for the public to inquire into our processes.
The transparency, the public may not be fully aware of the state activities and the ability to know and be aware of what's going on with CDC varies depending on the particular program. Permissions, well, again, we've had the sort of same issues that either we have statutory programs or we have programs that require IRB permission. The CDC does operate IRBs and does collect data that requires human subject approval.
Identity protection, the primary rule is individual de-identification with regard to the potential for re-identification by a different means and tied to some of the other issues that have been raised within the comments by the folks from OSHPD.
The issue of oversight, data stewardship, ownership and control that we are stewards of data, but not owners. When we receive this type of data at the state level, and that we do own and control federally collected data, but that we take good care with that.
I think you can look over the remainder of this sort of grid as you can see here. And I'd be happy to answer questions or refer them to Steve.
The last area is specifically funded programs, systems such as BioSense or data repositories such as the Cancer Registry. We collect the data directly into federal systems such as BioSense which collect data on ER activity in a number of hospitals to be able to monitor the nation for evidence of outbreaks related to bioterrorism or to influence other rapidly transmitting infectious diseases. For this program, the CDC actually has servers at the interfaces of clinical information systems at a number of hospitals around the country. The level collected varies. Right now, there's about 350 systems where we're collecting data up to every 15 minutes that has been pseudonymized. There are very strong use agreements in place that are similar to HIPAA agreements that define our requirements for processing of this data, and that BioSense was approved by the Office of the General Counsel of the CDC and by the CDC's IRB.
Other data collection from clinical systems is emerging around our longstanding hospital infection program and that there the National Health Collection Surveillance System gathers data on health acquired infections and is tracking those and helping us understand the patterns that are there as well as the national health care safety network for reporting adverse events. These are anonymous systems for case reports.
The CDC funds many registries. These are activities such as Cancer Registry, the national program of cancer registry that the NPCR. There are a wide variety of other activities that are done under IRB approval but may have patient information in them by content and following HIPAA regulations.
The last major area would be public health research. Essentially, all CDC programs have a basic research component tied to their mission. The laboratory programs develops tests related to these related programs. We do research on public health entities and the new diseases. All these programs have IRB approval, and they may have patient specific data if it's relevant to the program, and that has all been obtained with patient consent.
I certainly must have left off several examples of CDC activities. That's because of both the scope of these activities, they're enormous and my relative newness to the program. But I hope that if you have specific questions, we can clarify those, and that there are programs and environmental impact occupational safety and toxic waste measurements that also deserve note and your attention.
So to kind of go over specifically funded programs, again many of these do not have accountability for how people are using the data beyond the sort of IRB review. Transparencies, there may be issues with that permission. Generally, we sort of require consent, but BioSense does not require consent for participation.
There is indeed protection in these areas that is appropriate to the level of consent obtained, and that there is direct oversight by the agency controlling these, and that we think are related to our mission. And while some of our activities such as BioSense draw heavily on standards, others are hardly compliant at all, particularly certain types of disease registry activities, and these may not use any types of – may not use relevant medical informatic standards.
So I'd to with that move on to the future. The future is not known, and I would be the first to say that NCPHI and other CDC programs are in a state of review at this time. In fact, the Director has just called for presentations from a variety of centers to either assess our state and develop our systematic program.
We do have many data collection agreements in place that follow the law. There are many manual processes that we're attempting to automate, and I think that the future efforts will look to see case reporting in particular automated through integration which will help carry information systems, and we have demonstration projects obviously within one of our centers for excellence, and also we have one of our divisions of integrated systems has a demonstration project on automated reporting for this purpose.
We have to look to new data sources particularly for BioSense and to look to protect our nation against epidemics and other outbreaks. These data sources will be regional. They will integrate with the National Health Information Network. We will be attempting to try to create situations where public health monitoring is a byproduct of participation in the network, and that where we are not required to purchase the data or purchase the connectivity, but we try to have people attracted to us by the services we offer to them for the software that we offer. We need to find new ways of doing this because we simply do not have the resources to pay to connect everyone everywhere.
There remain to be significant data linkage issues for the CDC and for local public health. Our focus in collecting data is also changing this area. Local public health and statewide public health is a priority for us, that our data collection efforts will not be independent of those sources, and really will drive their activities and we'll be pushing data to local authorities as we collect it through CDC programs.
We're actively engaged in research through enhanced confidentiality through our Centers of Excellence program. So our future state will allow linkages from multiple data sources, using richer data tests capable of extending knowledge and productivity that we have to balance this with potential unexpected consequences of inadvertent release of confidential data.
I believe that as we move forward, we'll move away from a central repository mode to grid computing approaches and to distributive approaches which will minimize these risks or compartmentalize them, and that that will be another element of those programs.
We cannot go too much further in our description of what's going on. We have just commented on this to the Secretary and others, but I will be glad to take your questions. There's a great societal need to detect and control infectious diseases, and there is an unquestionable willingness to do this.
We are faced with two devils, the devil of the organism which – microorganism which continue to threaten our society, both man made and naturally occurring, and that we also have a devil that is in the details of management of data and the production of confidentiality, and we must balance these two as we move forward.
To summarize, the CDC sees much benefit in data sharing, and we want to work very closely with this Committee, and we're happy to support it in whatever ways we can. We see a productive future in our efforts for data requirements as we retask the electronic data collection through the National Health Information Network. We see new but workable and predictable challenges in this effort from the perspective of society and public health, and many refer to the problems of ensuring privacy and confidentiality of the world. We support patient confidentiality and privacy. We also encourage patients to understand the benefits of a collective societal approach to health and to recognize that infectious diseases are an ancient threat that we must deal with as a community, as are many other hazards to our health.
And I really thank you for allowing me to speak on the subject today.
MR. REYNOLDS: Les, thank you, and I can't wait to hear your presentation after you've been there three months. That was pretty smooth.
So Vickie, are you still with us?
MS. HOHNER: I am.
MR. REYNOLDS: Okay, if you would proceed, and then just mention next slide whenever you want the next slide put up, okay.
MS. HOHNER: I will do so, thank you. My name is Vickie Hohner. I'm with Fox Systems Incorporated, and I appreciate the chance to come and talk with you today.
All of Fox Systems works in the area of health care consulting primarily with public sector entities, primarily also in the aspect of business operations and health care technologies, and a lot of my experience has been primarily with doing HIPAA assessments for a variety of public agencies and programs, primarily those outside of the Medicaid arena. So behavioral health and other non-traditional or smaller public programs. So I have a lot of experience from the side of looking at their assessments, you know, what their practices are and what the needs and compliance barriers are.
Slide one would be, or the second slide with the bullets on it. I also want to go back and say that in my previous life I did act as the hospital data products manager for the Washington State Department of Health, and that was a role very similar to what you heard from the California OSHPD presentation. So my goal will be to kind of go over some of this quickly but just to revisit what my role was with the State and then how I've been able to take and flip that around in the consulting perspective and see what other entities have had to deal with and where some of the complexities and confusion arise.
I also have longstanding associations with the National Association of Health Data Organizations which is the organization that works with all the state agencies or state associations which may also be hospital associations who collect hospital discharge data or other large scale data sets like that as well as a founding member of the Public Health Data Standards Consortium where I served as the co-chair of their Privacy, Security and Data Sharing Committee. So I just wanted to let you know in terms of my affiliations where I also have connections in that sense.
Also in my role with the State of Washington, I – before I left, I was the HIPAA Coordinator for the State Department of Health, and the later on moved to be the coordinator for the overall State government efforts in looking at HIPAA compliance across not just the Department of Health which was the public health agency but also with the Medicaid agency and a variety of other agencies that were impacted by HIPAA requirements. So I just wanted to give you that background as I preface all my comments today.
So when I was working for the State Department of Health as a data products manager with hospital discharge data, my role was really to be the gatekeeper for requests for that information for any secondary uses of the information. We had requests from both public and private sector, and I just gathered these up really quickly for you, but to see some of the extent of what kind of requests would come through the door.
So public sector uses included both internal and external to the agency and internal and external to state government as well. Sometimes they would cross to other state governments and also to other countries since in the State of Washington we border with Canada. We often also had data change with Canada as well for the intersection of where people would cross the border for various kinds of care.
In the public sector, we sent data out epidemiology purposes, program management and evaluations, grant writing, and rate rebasing, mandated reporting, research, planning efforts among all varieties of the government sectors, mapping, indicators of measurements and outcome measures as well. Public sector uses included planning, marketing and research, and that also began to move into the measurement area with HIE and other areas as I was leaving that particular position. So the California presentation had a little more extensive description of some of these uses, but obviously they're very similar in terms of what kind of secondary uses would be facilitated by the hospital discharge data and other similar data sets.
Since you did hear from California, I'll try to do this fairly quickly. Washington State disseminated hospital discharge data with the goal to release unless explicitly prohibited by law. So the goal was to try as much as we could to get that information in the hands of the public and other requesters.
There was a legally mandated public data set which mirrored a HIPAA limited data set, and that was actually mandated by law that there should be a public set that would be provided to persons on request.
Again, we often responded to some of the data requests by creating customized data sets in which we could then use the minimum necessary criteria to create specifically what people needed whether it was a data request or data sets, or whether it was indeed some kind of custom analysis which also was requested through some of the requests that we received.
The trust issue really has to do with dealing with hospitals who are the mandated reports. And obviously when you start a situation where you have to turn over data, you cannot start from a strong position of trust. So trust has to be developed through building relationships and by working in partnership and consulting with the hospitals as much as they possibly could. So it really was a relationship built over time, and I find that that is not unique to just being in this particular role. But that a lot of the trust issues have to do within an industry more with developing relationships and building relationships rather than with looking at exchange purposes or just being able to relate upfront that this is an okay exchange to conduct. It has more to do with whether they feel comfortable that that information will be used correctly and handled appropriately and protected in the correct ways. They want to make sure they have that.
I apologize. This is on slide three. And now go ahead and move to slide four which is actually a continuation of some of this as well. So the Department of Health had a mandated stewardship and dissemination role. And so that was our job primarily to just get that information in the hands of those people who requested it. The State had originally mandated the collection under a cost containment program which was sunsetted about the time I came on board, and therefore the information was collected without a specific purpose in mind and, therefore, the goal was actually to try to maximize the ability for others to use that information rather than collecting it over again for other purposes, but instead to facilitate use of the information that was already in the hands.
Same or similar information was also collected by other entities, and I believe still is. The State Hospital Association was doing it in Washington, but as a voluntary effort, and I think there was some role in them trying to get that information out a little sooner, but in much broader forum. So there were some different approaches that we were trying to use in order to get information. That information would be available, of course, only to the Hospital Association membership.
And I already talked about the mandated reporting and the trust factor. So let's move on over to slide number five. In terms of the confidentiality laws, this data will have public participation. Obviously, and I'm sure most of you know from your own personal experience, if you work in this field and you talk to friends and family or other people in the industry, you often find out that of course what people know about how their information is used is pretty limited, and they're not really aware of the information used beyond use for their own particular treatment and payment.
I have found the HIPAA name awareness is out there, but just because people know HIPAA they don't really understand what that means. And so in terms of the public understanding, I don't know that we've gained a lot other than they know that HIPAA's there and it has something to do with protecting their information, and that's about as far as it goes.
Within the State of Washington, part of the role I had was creating information from the hospital discharge data that would be useful to the general public. So we did try to also have as part of our role as to make sure information could be created that would be useful to consumers. So we did create things such as average charges and produce those in print form and later on through the web for people to be able to access so at least give them guidelines if they were going in for some of the more common conditions into the hospital, they could get a guideline for how to see what they might either have to pay or what their co-pay might be if they had insurance and a variety of other things they could use to make some choices if they have the luxury of being able to do so before they went into the hospital.
Public participation in Washington was and is required in certain activities so that when there are major changes made to the data collection effort or data elements, those all had to go through a public meeting process, and whenever there were other feasibility studies or other activities that went on, we usually try to include some kind of consumer representation or consumer interface to be sure that there was some feedback from consumer groups to be able to add that to the information we collected in trying to make decisions about enhancing the data, improving the data, enlarging the data scope of the data collection activities.
Slide number six, confidentiality laws in Washington are relatively straightforward for hospital discharge data, and the State has a comprehensive law for research requirements. Confidential information requires IRB approval if for research or a data sharing agreement if it was for use for other authorized purposes.
There was no re-disclosure of confidential information allowed under any of those mechanisms without explicit approval from either the Department of Health or from the IRB that would have made sure to contain any re-disclosures or uses that were unknown and therefore would potentially be outside of the realm of legally allowed uses.
Again, we use customized responses to data requests as well as to research requests whenever possible so that we can minimize the information that was done outside and put just the information that was necessary in the hands of the requester.
What we did also do in the State of Washington which I don't have indicated on the slide here was we were responsible in my particular area of creating a series of linked databases which we linked certain other information to the hospitals discharge data collection which California also is doing. Often that was vital statistics data, but sometimes it involved other proprietary data such as Medicaid data, a variety of other things that people would come to us after a while and ask us to create these data sets.
The complexity came in trying to blend more than one confidentiality law and coming up with how would we than be able to disseminate information from these blended databases when we have to look at multiple laws that affect these particular systems.
Sometimes that could actually be more complex than you would think when you're only blending two data sets, but it did sometimes take a lot of work before we could figure out how to do that and be in the clear for all the laws that applied.
Normally what happens is you would apply just the strictest requirements from whichever law has the strictest requirement and apply that to the overall data set that's unapplied. The reason these were – this kind of work was done was because we created these linked databases on an ongoing basis. And so it's so much like the hospital discharge data, they were also used in really in a similar fashion, and again we provided the gatekeeping for those particular data sets.
With the recognition of how difficult it was sometimes just to blend the laws that applied to two data sets together, this obviously shows that when you're talking about engaging in a comprehensive health record or health information exchange effort, it can get overwhelmingly complex with all the laws that are out there and applied. So it's something I did want to raise and have that experience of doing it on a small scale just to be able to add that to the perspective of what's necessary and certainly the HIPAA project has pointed this out as well about the complexity of the variety of privacy and confidentiality laws that are out there and how piecemeal they all are.
Moving on to slide seven, most of the rest of my remarks I'm going to make now rather than from my perspective as being the data products manager for hospital discharge data in a State to my experience in moving to the other perspective and doing consulting for a variety of organizations that have this kind of information and were on a regular basis sharing this kind of information whether or health care purposes or for other purposes where the issue of understanding the complexity of the laws created a lot of challenges for them.
So I want to address first the issue of quality versus research. And most of the work in establishing standards for privacy in health information exchange has to do with finding problems and commonality of understanding terms. Obviously, HIPAA introduced a number of new terms or old terms with new definitions, and this has been a major contributor to misunderstandings of the requirements and has a lot to do with the tendency of many players to refuse to share information. I know that we've heard earlier people talk about barriers that a lot of folks put up and said we just don't' share information. And it's not even so much from not wanting to share the information, but I believe that everything is so complex that in lieu of not understanding the full, you know, what everything means and when you apply what when, people have retreated into let's not share information. So that also has a lot to do with the stance that's being taken among many players in the industry.
We have the same issues with the terms quality and research. They're not used consistently in the health industry. Quality tends to be a term often used by the insurance payer perspective and more often in the private sector. But when you move into the public sector, the term quality's only beginning to be used, and it really is not a term that's been in existence within any of those programs for a long time. They may look more at things like evaluations or outcomes or some other terms that might be more synonymous with what they think what quality's meaning in terms of the industry right now. But terminology, again a big, big issue.
The same thing in research. There are many people who use the term research or many organizations and agencies, research is what they call their own internal analysis, and I've heard that over and over again, and some of those entities may never engage in what HIPAA calls or what the IRB statutes call research that never has to be peer reviewed. But yet they use the term. They may have a group of people that just does statistical work, and that is their research people as they see it. So, again, no commonality in understanding and therefore lots of confusion again.
There may be some overlap in those terms, but I think that most people may see them similarly. If you talk about you're doing analysis and that's your research, it may also have quality impact. So there's no bright lines of boundaries between these terms and how people understand them.
So I think a lot of the effort are just coming up with the barriers, and people really feeling like they understand what is being talked about and what is being asked of them when terminology shifts or when certain terms become dominant in the conversation.
The only thing I have to say about the differences in the terms quality and research has to really do with who's it for, who benefits, and where it is, that activity takes place. So research from the federal perspective really speaks to something that's not just for a single entity but has more applicability for the industry, for consumers, for a wide range of applicability within health or health care, whereas quality or non-research efforts may have to do more with internal, although we are now moving quality to be broader than that. So that will also add to the confusion about how people split up research from quality. So understanding, I know, is a key barrier that has to be factored into how do we communicate, how do we make sure that people are involved and cooperative and correctly implementing along the lines of what the industry's anticipating.
Slide eight, obviously there are a variety of useful new data sources and availability of data that's out there already, new advances in health care knowledge require the ability to look at care over time, progress in controlling chronic conditions, effectiveness of various treatments. All that requires looking at information beyond a single system or beyond a single point in time, and that's the area where I think health information exchange efforts or electronic health records could help facilitate that.
Right now, those efforts take a lot of time and effort. You're looking at different databases that may not have much in the way of comparability of coding terminology, definitions or anything else. And so kinds of efforts now take a lot of work and certainly standards and ways to consolidate information or create common rules for health information exchange would greatly improve the ability to look at that information over time and across systems.
However, and that's where we enter the next slide, page nine, while these efforts to simplify access to and use of the health information for secondary uses, it should not be overlooked that the data's most reliable and easiest to use after it has been cleaned, aggregated and stripped of key elements.
That's where entities such as OSHPD and the State Department of Health work have their value in being able to take the raw information and then create it, strip it and put it together in such a way that is much more easily used by people who are involved in statistical uses, analysis, research and all those other efforts.
When you talk about having nationwide electronic health records and some standardized exchange, there has to be a balance somewhere between being able to share raw information and being able to pull out useable information. So somehow those efforts have to make sure that there is an ability in there, factor in the ability to have some process that takes care of the information and puts it into a form that's more easily useable for people who are actually wanting to further investigate various avenues through use of that information.
And slide nine or slide ten, a lot of this has to do with work that I've done more in the consulting term. Obviously, I came across some of it in working with the State. But my experience in working with a wide variety of public sector entities and the private sector as well has shown me that there's a lot of common issues that are creating problems for implementation on the ground or for understanding or for people to be able to share with some kind of comfort level even information for treatment purposes.
I just got back from doing some work in doing assessments for a substance abuse agency, and I find this often true that in many areas where they often have a variety of services and not just a single service, they actually go and get authorizations to release every and anything. Substance abuse, of course, has a little higher standard. But I have also seen this in other agencies that are not so much subject to substance abuse confidentiality requirements, but they just have patients and clients authorize every single exchange of the data including for treatment, including for payment, including for pharmacy, including for everything, and they are not required to by state law. But I think it gives them a comfort factor that they are not somehow missing a requirement to get the patient's agreement before they send information. So what is done instead of create less paper, I think it's created more so that people, because they don't understand exactly, it's too difficult to apply exceptions, that people are just applying authorizations and consents as a rule.
So one of the things I've found is that, of course, the legal, privacy, confidentiality and reporting requirements are narrow and scattered, may conflict and contradict and very few organizations have resources to do this work. Very few people have the knowledge base to do that work adequately, and very few statewide efforts are truly comprehensive in their scope.
Therefore, what happens is it comes down to each organization is trying to figure this out for themselves, and that is a huge barrier because it takes time, it takes somebody with a good understanding of the regulations and the rules, and it's really created a huge burden and has stopped a lot of people from progressing. And that's part of why I think some of the smaller entities especially have not progressed in terms of their privacy or security aspects, that it is just a show stopper right there. They don't understand the laws that they have to comply with to begin with, and then trying to add other things on top of it, there's just not enough publicly available information that tries to pull that together or to use some of that work for them, and it's a huge, huge barrier.
Even if they understand privacy and confidentiality requirements, they're often undefined or poorly defined and not specific. So if a law says this information shall be considered confidential, blah, blah, blah, and that's all it says, how do they interpret that. What does it mean you actually do to make that information confidential. And I found a lot of people in health organizations often thing that if you call it confidential, somehow it is and has difficulty being able to say what they actually did in terms of behaviors to make that information confidential. So they need some more specifics, they need more behavioral, you know, what is it that you do that creates confidentiality, creates privacy. It is very, very, again too loose, and many people, if you're a health professional, health professionals do get professional ethics training, but that can be different from profession to profession. And many organizations hire people who are not health professionals who then, I think, are assumed to have a similar knowledge base, and therefore confidentiality is very variable within a single organization in terms of how people view it.
So that again is another barrier, and leaves inconsistencies in approach and whether the common thing of where you call and ask for information from one person who may not release it to you, but you might ask another person, and they might is another big issue.
Privacy and confidentiality are often assumed rather than assured which means they just think that if you call it confidential, it's good. Yet they don't actually engage often in active training or in follow up to make sure that people are complying with practices or even have standard practices or procedures for dealing with confidential information. And I guess I talked about the last bullet already about health professionals adhere to professional ethics and often lack knowledge of state laws and also fail to then communicate those to people who are not health professionals.
I often use myself as a good/bad example because I came to work with the State Department of Health without any health care background. But I went to work with the hospital discharge data and was not told that the information was confidential and what that meant. So it took me about six to eight months of working there before I really figure it out, even though I was in charge of handling that information and also disseminating it to some extent at that point.
So that's a common situation, but it doesn't facilitate our ability to effectively share or engender trust in terms of the use of the information.
Slide eleven, to facilitate secondary uses, we need to balance strong privacy protections while providing for access for legitimate uses. What's necessary is more bright lines and more clarity, privacy and in particular confidentiality are such a muddled arena that without some really, really clear guidance and procedures and policies or whatever, it's going to remain that way or some consolidation of the laws into a single aspect where people can actually look at one thing and understand everything that has to apply.
So consolidate, synchronize and simplify confidentiality and privacy requirements. Facilitate that with standardizing the definitions of “confidentiality” and “privacy” and specify what actions or behaviors are required to make it confidential or make it private.
Provide guidance and assistance to bridge the gap between the letter of the law and operational practices to help implementation of good privacy protections. So, again, the bright line. People need examples. They need specifics, and they're searching very strongly for these defining very clear voices that are able to help them out.
So I appreciate your time, and I hope that this was helpful in understanding at least what I've seen, again, primarily in the public sector, but I don't think it's unusual in the private sector as well. And I just wanted to make you aware of the things that I've seen over and over again, but I think are something that these scripts could help address. Thank you very much.
MR. REYNOLDS: Okay, thank you. We're going to invite Ed Sondik from NCHS to join us at the table as we go through this, and you can make any comments as we get questions and so on. And so with that, I'll open it first with Paul with any of our presenters.
DR. TANG: Well, thank you, all three presenters or four for the education about what the public sector is doing with this data and how you handle data requests. One comment on what Vickie said about the quality and research, and, boy, have we sort of hit on that today.
But I certainly like the pragmatic approach that at least that was described which is, well, just figure it's more – be the stricter version in sort of most of the things of research as long as it's going anywhere outside the organization, and that's one operational way which could be something we consider.
I want to ask one qualifying question and then pose a what if. So the qualifying question is how quickly are data requests turned around by the various public agencies at the state or agency or CMS federal level. Is there a comment, is it like, is it reasonable, is it way too slow? What's your sense?
MR. REYNOLDS: Is this to all three?
DR. TANG: To all three.
MR. REYNOLDS: I'm not trying to direct it where you – I just want, because there are two people who are on the phone that can't see you. I want to make sure we're clear.
DR. TANG: Yes, that's right. Well, at the state level and the CDC level, how quickly could you turn around external requests for data, and then if anybody could talk to CMS, on behalf of CMS, that would be useful.
DR. CARLISLE: Well, perhaps, this is David Carlisle from OSHPD in California, and maybe I can go first. There is a front end of data requests which is the lag between the close of our reporting period and the time that data can become available potentially for reporting. And in California now, we have that down to less than 18 months for our various discharge data sets and hope to have it even reduced further in the future via electronic data submission. But there is a front end, and that is somewhat a source of frustration historically, but I think it's true probably of all the secondary data sets.
Then in terms of receiving a request, our IRB meets on a monthly basis, excuse me, two-month basis, and so in terms of getting an IRB reviewed, there's that period. And actual data preparation could add a few more, a couple more months perhaps to actually getting data into the hands of researchers. So we may have a period of about two years or so before somebody can actually access data from the time that it is actually collected or the reporting period.
MS. HOHNER: This is Vickie Hohner, and I can speak from when I was working in the State of Washington. It's similar to OSHPD. It was variable. What we did was try to, similar again on availability, is to have information available. But on the end front, what we spent a lot of time upfront was trying to work through what people needed. So we tried to nail that down first and make very sure we were very clear about what the requester was looking for. So some of my role was to speak to them and make sure we could provide what they were looking for. Some requesters are very knowledgeable and can provide exactly what they wanted, and others were not. And so a lot of that was just really nailing down upfront what the request was for.
A lot of simple requests we could turn around pretty quickly, maybe within a week or so if they were from data that was already available. Some of the more complex analyses or research requests might take longer, but normally, well, I should say, some of the data requests or research requests we got were to do data linkage. Obviously, that took a long time. But a lot of them that were just providing information were not usually not extensive. So once we had solidified the data need, then all of the applicable agreements or research criteria had been met.
A lot of times, the data turn around was fairly quick. I'd say most of the time we could, they were probably within a week or two more complex perhaps within a month unless it was something really extensive like a linkage project.
DR. TANG: So NCHS would be –
DR. SONDIK: Well, I think that what Vickie said is probably along those lines. But you know, it raises the question of what's data in what you said. For example, I'm assuming you mean something that goes beyond the data that's already been designed for public use.
DR. TANG: Well, actually there's this preparation time as Dr. Carlisle was talking about. So they have a lag of 18 months built in on the front end. And then there's the processing of the request side for something that's already prepared.
DR. SONDIK: But we spend a lot of time and effort producing public use data sets. So a lot of the requests that we get are for people who need some interpretation and help in guiding them to the public use data sets and so forth. And then we get a range of things from people who want information that they want derived from the data. That can be very fast. In other words, they want analyses. That can be very fast, or it can take longer. And we have people who use our research data center. That requires in almost every case the preparation of a data set that they will use which is drawn from the identifiable data. They then get an identifiable data set that's a subset of the main data set. And, depending on how busy our staff are, that could take too long, okay, which would be on the order of perhaps months which would be way too long, or it could be much more expeditious than that.
We have a staff that actually works in our research data center whose job it is to produce those data sets. But sometimes it gets complicated, and it can be longer than that. But I would just say our drive is to make the data as rapidly available as possible and not to have what anybody would see as inordinate delays in receiving it.
DR. TANG: So I guess my what if question was, because we've heard from the public sector there's really a fairly comprehensive and, I think, trusted method of dealing with requests and understanding the uses and understanding, the terms were up in all those slides minimal, minimum necessary. I take that as a given, I happen to trust that. So
DR. SONDIK: Well, I don't.
[Laughter]
DR. TANG: So I guess my what if question was because we've heard from the public sector that there's really a fairly comprehensive and, I think, trusted method of dealing with requests and understanding the uses and understanding and the terms were up in all those slides, minimal and necessary. I mean, I would take that as a granted. I happen to be one of those that trust that.
Then I ask, well, isn't turn around one of the problems. So the what if is if public trusted authorities, holders, stewards of data could be funded at a level that could produce timely turn around, what's the down side of that? What's the pro and con perhaps from the agency point of view and perhaps on the consumer point of view because then you do have someone who can deal with take the analysis, perform the analysis on the PHI, the identifiable data set and render a reliable de-identified aggregate analysis. What's the down side if it were funded and staffed, or is that not possible?
DR. SONDIK: Well, I don't see any other hands up, so I – for those of you on the phone, I think you just need to jump in.
MR. REYNOLDS: You've got a definite home court advantage.
DR. SONDIK: That's right. I don't see any disadvantage. I mean, the issue that there is a question of the art of making a data set as de-identified, to use that term, as you can. And we have research going on in the Center now to try to make it less of an art, particularly when people are actually requesting tabular data. Larry Cox, who is one of our associate directors, is a major expert in that.
But a lot of the data we're asked for is not in that form. It really is some abstract of records, and I think it's really an art at this point. We're not talking to this point, but I think it's really an important one. We really don't know how to take data and make it balance the amount of information that's in it against the probability that it would be able to be identified.
Now clearly, we aggregate it. We can all look at that and say we're not going to have any problem there. But it doesn't take all that long to get down to the not-so-mythical dentist with nine children in North Dakota, for example. But I don't see any down side to this other than leaving that there's got to be some time for the analysis, which in the end is probably going to be a judgment call on the part of the stewards that this data set can be released.
The other thing is we also need to have an appropriate set of penalties. As we have more and more of this information and it becomes more and more available, we have all of these other allied data sets. We've got to have an appropriate set of penalties, which I'm not prepared to speak to today as whether what we have is appropriate or not. But it's got to be tough to dissuade people from playing with other people's lives.
MR. CARLISLE: Yes, David Carlisle here again. We recognize that there are costs to making the process more expedient. One very important cost, at least as reported to us that we're not able to really quantify but we do appreciate, is the cost to the reporting facility. We could probably shorten our data end phase if we were to increase our data reporting cycle in terms of their frequency. Instead of having data reported semi-annually, it could be every quarter, every month, every two weeks, something like that, and that would greatly accelerate data availability. Plus there is a certain cost to the reporting facility if we go that route.
Right now, we probably have achieved, I think, a bit of a happy equilibrium at this point because we have shortened our reporting cycle. As I mentioned, we do use electronic data reporting systems. But then we also have issues or complexities that surround our data stewardship issue in terms of making data available. As everyone else mentioned, we do negotiate and design custom data sets before something would go to our human protection committee for evaluation, and that's a time period there. I'm not sure that we could accelerate that process necessarily with more resources because it is a pretty time intensive process. We may or may not have it queued, depending on volume. It's hard to anticipate as far as that's concerned. But certainly data end is a constraint for the reporting facilities, and they would certainly say, I am sure, that if we wanted to make that period shorter, they would bear increased cost.
MR. REYNOLDS: Simon, do you have a question?
DR. COHN: I have a question that maybe is a little off from what we've been talking about today. I am, as you reminded, I may actually sound like Mary Jo Deering for a minute or two without the higher voice, but I'm reminded at the last session we had some conversation about are we talking about health care, are we talking about health. I guess I would add to that are we also just talking about the patient perception of health through the provider, which is really what secondary data uses are all about. Or are there occasions or circumstances in which we want to hear more directly from the actual patient consumer about their experience.
Now as I think about this one, I'm actually glad Ed's at the time because I think Ed has probably more experience with the issue of survey, which is actually a way of actually getting directly to a consumer than some of the other methodologies we were providing. And so I'm trying to think in this world, and I actually get a little confused because I don't know whether it's primary or secondary or what we talk about when we talk about this one, but I'm not sure where this fits into this vision.
Actually, I'm also curious from Les about as you move into this sort of vision of the future of public health informatics about whether there's any place to hear directly from the person rather than the provider in all of this stuff. And where is, I mean, where are we thinking about out there. And I guess I'm also curious about the states, knowing obviously the states have these data sets about whether there's any perception around all of this. And I just want to bring the issue up, and I'm sure Mary Jo would be much more eloquent around all that. I think I've been hanging around Mary Jo too long. But Ed, do you have a thought on this one?
DR. SONDIK: Well, you know, when I was responding to Paul's question, I really sort of lapsed into thinking that the survey data that we were collecting is health data, is in effect primary health data. And I think I mentioned this to you once before, I think, when I knew this session was coming up. It's that I really don't know what secondary means. Actually, I think I know what secondary means; it's the primary that I probably have difficulty with.
I just don't think that it's easy – I don't think this is very good terminology, and it would really be helpful – I am being serious about it. I really think it would be, I don't know if it came up earlier in the day, but I really think it would be helpful to have something that puts the uses sort of at the same gut level, if you will, because secondary sounds like it's just not quite as important and sort of removed from the other which is the more patient specific.
But I think that there'll be, as we have more and more records, there'll be more and more opportunity for us to have information directly from the patient and to talk, if you will, directly to the patient. So the survey data that we collect is not collected as – well, it's not collected as one would normally think health data. It's not health data, per se, and it's not being aimed directly at that individual to turn that back and to say this is what your health state is.
But on occasion in NHANES, for example, we do receive data, and we use that to refer patients to their physician because we see an issue. So in the sense of the data that we get from surveys, that doesn't go back, at least as it stands now, to the individual once it's processed. But the fact is that if you go through NHANES, when you leave the NHANES mobile exam centers, you're given a print out that are your values on a variety of different measures that are specifically yours. So that clearly is your -- in that sense is your health data.
So I'm not sure that I'm directly answering your question. But I think that survey data is really aimed primarily at what we would think of as the secondary uses to give us pictures of populations. The variety of other health data that we're talking about needs some other things added to it to give us a picture of, I think, an appropriate framing in secondary use.
So, for example, if you take just a fraction of hospital discharges, for example, that's not, you need to have some framework for that, whether it's something that happened on a particular day or whether there's the demographics associated with it in terms of catchmen(?) are as people used to call it, or whatever it is. But you need something in order to interpret it in terms of that secondary use.
Another difficulty I had was in quality versus research. I actually never thought about that differentiation. I mean, I thought if you're developing information on quality, you use research methods, whatever they are, to do that. But if it – it would seem to me you'd know whether something is quality in terms of whether there was a particular standard that that information met. That's what you're going to compare it against as quality. Whereas, research is the more general investigation, so to speak.
MS. HOHNER: This is Vickie Hohner. Can I speak to that issue, too?
MR. REYNOLDS: Please do.
MS. HOHNER: I think, once again, we're looking at perspectives and terminology because secondary and primary to the consumer, if we're going back to the original question about consumer, would mean nothing. To a consumer, they're probably more concerned about the information that flows through their physicians than through their care providers rather than something that might be collected through a survey.
So research perspective sometime primary data is given some elevated status over secondary because it comes from the source. But we also know that sources can error. We also know that when you collect some surveys, one survey and how those things are defined is very different from another survey to another to another, whereas some secondary sources you may have more standardization if it's with the hospital discharge data. So there's some sort of, I think, perceptions and perceived notions and plusses and minuses about the various types. If you're going back to the original idea of the consumer, looking at it from the consumer, they also participate in the surveys voluntarily whereas you don't voluntarily do that with your physician. So I think they would probably have more concerns over the use of their information as it travels through the health care system and then goes beyond their control rather than the other side.
MR. CARLISLE: If I may, Dave Carlisle here also. We know that the various local entities, public health departments, hospitals collect the data, and they use the data more for a population based methodology. But they may also be looking for specific outlier situations where they may identify the potential to intervene using secondary data sets.
We're currently actually about to shift into kind of a new era by adding some additional clinical to our administrative data set, and this might include laboratory values, prescriptions, things that aren't administratively collected historically but actually represent true health parameters for an individual, and we might, for instance, have abnormal labs that might identify people with specific pathological conditions that might require subsequent intervention.
So I think we're moving toward measuring health with our “secondary data.” Of course, California has a number of, has several direct surveys that are collected from individuals for our health care department. We have a health insurance survey that can capture some health measures also from specific individuals.
DR. SONDIK: If I could say one more thing, there's also a kind of a cycle here that I guess as we've seen in the past, but I could see that we could have more of this, kind of a cycle, say, where you go from survey data which gives you a picture of something and maybe gives you, I don't know, a set of measures from which you pick out a county, and then that data gets linked to surveillance data which would then be used to try to identify perhaps particular outliers or the like. And that, I think, really gets to, starts to get at issues of the appropriate use of the information by whom.
But we, the point I want to make one point related to survey data, is that we treat that as primary health data with all the confidentiality that that would have as if it were in the medical records.
DR. LENERT: I don't want to debate this, the issue of personal health records and as electronic personal health records are created, especially by independent vendors, there needs to be standards for how the data will be combined over them by those people for secondary use, for advertising, for other sorts of commercial services. It could just be governed by a complex legal agreement between the person who is working with the vendor and the vendor who's providing the service. But I don't believe that a consumer may be able to make a fully informed choice on that.
Second, consumers may wish to allow their records to be used for medical research from personal health record repositories and to have a checkbox or something where they do that, and then that kind of secondary use may create some interesting opportunities but would also need to be, have come with some sort of regulations to protect the consumer in that setting.
MR. REYNOLDS: Okay, Mark, final question.
DR. ROTHSTEIN: I just wanted to comment in terms of definitions and that it might help clarify the research problem if we focused on the fact that research is a term of art, and it's defined by federal regulation in both the Common Rule and the privacy rule in a very specific way. And so that refers to human subjects research or research on human subjects, as opposed to the more descriptive term about manipulating information which may satisfy sort of the intellectual definition of research. But if the information is, say, anonymous, then it wouldn't satisfy your definition.
So as we go through this, we might want to not just use the term research when we're talking about research on human subjects and use a more complete term.
DR. COHN: Yes, I was just going to mention since we've been having this ongoing dialogue, I think, for all four days of hearings now on research versus quality, I think some of us were wandering through some of the written testimony, and one thing I'll just sort of point out is Group Health of Pugent Sound actually has a little set of boxes which I think we should at least look at or things like that to see if it may be an approach that might be useful for the quality versus research conversation and maybe actually have you think about whether this begins to fit into, if it's a useful way to help separate things.
Agenda Item: Committee Discussion
MR. REYNOLDS: Okay, with that, I'd like to thank this panel very much, very interesting discussion, continues us on our journey and thank you. And with that, we'll move right into Committee discussion, and the floor is open, or if there are no takers, maybe we'll go around the room a little bit like we did the last time.
Well, let's just open it for comments because just remember this is part of what we tried to do today is leave a little bit of time at the end of this to discuss this because, as we move on to the next day and the next day and on our journey, we want to make sure that we leave that appropriate time. So does anybody want to start off the conversation.
MR. CARLISLE: Okay, Dave Carlisle here. I just want to say thank you very much for allowing us to participate.
MR. REYNOLDS: Okay, thank you so very much. We appreciate it.
MR. CARLISLE: Okay.
MR. REYNOLDS: And thank you, Vickie.
MS. HOHNER: Thank you. It was wonderful.
MR. REYNOLDS: Jeff, you have a question.
MR. BLAIR: I thought the purpose of this Ad Hoc Task Force began with protected health information. Can you hear me? Okay. I thought that the definitions had been set forth with the primary use of protected health data for patient care. If it's a patient care, that's the primary use of protected health information. Secondary use of protected health information could be for any of the other purposes we're examining, whether it's research or reimbursement for public health purposes or whatever. But if you don't have the word use, primary use, secondary use as related to protected health information, then I think you lose the anchor. And I thought that was what was happening this last hour.
MR. REYNOLDS: Well, it's actually been a significant part of the discussions since we started the Committee because I think, yes, we started out with a structure. And I think as we have heard more and more definitions and then you overlay the HIPAA's and you overlay the covered entities and you overlay who'd doing quality and where does quality fit and what does it mean, what we're finding is that, that I think Ed said it well and this is his first time with us, primary denotes one thing; secondary denotes another, and that's blurring in some cases as we're going through this.
So part of our deliberation is to make sure that we recognize that that was one of the premises that we thought about going in, but not completely tie ourselves to that especially, and one of the reasons we have such diverse panels and are really doing this on a fast track of significant different opinions is to make sure that we understand the spectrum. We can always go back to that. We can always use that as the anchor.
MR. BLAIR: What I thought I was hearing was that the reason it was blurring is because the word primary was out there without the rest of the two key elements, that it was primary use of protected health information or secondary use of protected health information. But, you know, maybe there's other elements.
MR. REYNOLDS: Other comments. While I'm waiting for anybody else, if they want to jump in, I think definitions still continues. I think we are finding that no matter who testifies and each of them are experts in what they're doing, the words that are put out on the same subject, the same information, you know, whether – so, for example, today again and Justine and I were making a little list. So, you had masked and you had de-identified which sometimes was called confidential, or maybe it wasn't called confidential.
And so it appears to me continually as we go through this, if there's not a good clear set of some kind of definitions that we can use that are not only that match everything that's out there but also help the general public as we consider whatever we're going to set up some kind of trust model, if we don't get to some kind of reasonable set of rhetoric so that everybody that looks at it doesn't look at it their own way and say it their own way, which then adds to the confusion, it's a topic that I know that I'm trying to put because you want to make sure you're hearing the words using some kind of a structure, and they get harder and harder as everybody kind of comes in with their own way of saying it.
For example, scrub de-identified is not a good or bad term, but it's an interesting term. De-identified has a clear definition under HIPAA, and it's about as scrubbed as you're going to get it. And if you scrub it further, what does that mean. That's just an example, not to point one out as good, bad or indifferent. But just to point out. Justine, you want to make a comment.
MS. CARR: Well, I just have been making notes on themes. I think when we started out today, John Lumpkin's comments about cost and, well, about the common good and the importance of data availability, aggregation, integration, and that's a theme that we heard also in terms of public health is the societal primary use.
And I think that just as we're getting into what's primary and what's secondary, I think that that's a theme that continues to come through over and over again. There's a concern that primary and secondary implies a value judgment, and a question about the common good as a legitimate primary use whether research, public health and quality.
The other, I think we continue to hear confusion about HIPAA versus IRB, what applies, and we heard that the default that is easiest is to just say no, and that this has had a chilling effect on work that could be done. So the other theme that came through again is the overlap of research operations and quality.
I think we're hearing a couple of interesting parsing of the data about do we call it internal versus external, I think Paul said, or differentiating research on human subjects versus other research. Anyway, those are just some of the themes.
MR. REYNOLDS: Paul, Bill and Simon.
DR. TANG: I think some of the themes are really carryovers from the previous days of testimony. And one of the things that I feel there's a lot of trusted acceptable and accepted uses of health data. When they explain it to you, it stills sounds acceptable and accepted. In public surveys, it sounds acceptable and accepted, and those are public health, clinical research, surveillance. There's just some very quick, and it almost seems like we shouldn't keep raising something that is already okay and making it most costly which was Wendy's point, so that's point one.
The other theme that happened both the previous hearings and this one is the central issue is when you repurpose data for sale without transparency with the patient and sometimes even the source of the data, that just doesn't arise in any kind of acceptable or accepted level on any surveys, and maybe we need to really focus on that.
The other thing that's sort of clear and this most recent panel, I thought, brought that out, all of the policies, procedures, the way they think about data in the public sector seemed very not only acceptable, accepted, but robust to my way of thinking. So, again, we know sort of how to properly handle data, how to properly be a steward, and we even have agencies that could do it. Now whether they can do it and all that kind of stuff, that was my what if question.
So less of a question in my mind is, are there ways to handle confidential health data appropriately to serve the public and individual goods? I think the answer is yes, and I think we need to delve into how, and one of the early – the software vendor said, you know, I don't really know whether we're doing it right or not, is what he said, but I'd really love to have rules. If you could actually hand me rules, maybe we can find a way to do it in a more acceptable and accepted way.
So I guess the – and I'm just sort of digesting and summarizing and then also if anybody wants to challenge it. It seems like we know where we have to focus both on behalf of the public and even the people who are handling data. How can we make clear the conscience and do an appropriate in all regards. That's where I'm left to hearing testimony.
DR. W. SCANLON: I'm actually very much in agreement with Paul. It seems to me that there are uses that are for the public good, and things that are distinct from uses that in some respects are proprietary in use, and you could take the same data and you could do “research” on it, and you could keep the results confidential for whatever your enterprise is and take advantage of them. And those, if it's going to be identified data or I would ultimately create a category of identifiable data that there should be a higher standard for use for proprietary purposes.
The idea of sort of identifiable data is, and this came up when the Population Subcommittee was talking about linking data sites, and there was this issue that as hard as you work to make something anonymous, there's the potential that we find the dentist in North Dakota with the nine children and, lo and behold, we've identified somebody.
And there's actually times when you need the level of detail that would allow you to identify that dentist or somebody. You know, one of the discussions in the Population Subcommittee was that there's a real loss of information in terms of trying to make things anonymous, particularly from a health services research perspective where the environment in terms of the market place that people are operating in matters. And so, therefore, eliminating things like all sort of identifying information for any place that has low density populations, I mean, that's a real loss. If you're only going to be told that people are from the western region, that's not very informative in terms of what kinds of situations that they may take. So the purpose of the activity, I think, is critical in terms of saying what's the threshold that we should have in terms of an acceptable use.
The other issue that relates to the idea that we potentially can identify something or someone and their information is I think there's an interaction here which we haven't talked about much between sort of privacy and security and risk, and the fact that the attention devoted to security changes the nature of the risk or the extent of the risk and, therefore, we might think about this in terms of what's acceptable from a privacy perspective and a confidentiality perspective as different if we specify simultaneously what the security requirements are going to be for information because that will influence sort of the ultimate sort of risk.
And I think that Paul's trusted agency we were talking about earlier today, this issue of sort of turning data over for a purpose versus turning data over for future unlimited use are very different kinds of things. And I think that when you can identify sort of acceptable purposes and that's going to be approved, that's very different. And that's actually the way the data centers are, that you have to have an accepted purpose before you can access the information that is potentially going to be confidential. Thank you.
MR. REYNOLDS: Did you want to comment?
DR. SONDIK: I was just about to say something actually very similar to what you said right at the end. It strikes me that we talked about confidentiality. But when we do an agreement with people who are going to give us data, there's two aspects to it. One is that we pledge the confidentiality. But the other is we also tell the person as to how the data will be used. We give a set of purposes, and we say, we pledge that the data will not be used for other purposes.
So I think we have to, it seems to me, in other words if you have both pieces of it and it gets back to secondary uses as to what the scope of those secondary uses actually is.
MR. REYNOLDS: We have Simon, Marjorie, Steve, Jeff and Mark.
DR. COHN: I think we're making progress, and I actually like a lot of what I heard Paul say as well as Bill, I do want to annotate and sort of comment.
Number one is Paul, it was interesting that you didn't mention quality as you talked about public health and research, and I think I would add quality and probably operations into all of that just in terms of, I think, and in reality I think that it's from a public policy perspective. Anything that we can do to help support quality improvement, I mean, it's a very clear societal good, and I think we all have to sort of recognize that.
I do like Paul's sort of, I mean, there's somehow and we need probably to get a little clearer about it, this issue of sort of repurposing and sort of like how does, you know, whether that's just part of disclosure of fair information practices, is he actually doing that, or as others would describe, centered, I mean, exactly how that plays, but clearly it needs to be handled not just surreptitiously, and I think that's the issue that we're all concerned about and we're all actually talking about.
And I do think that we are beginning to sort of more closely differ between quality and research which is useful. I also think that – we seem to begin to see the difference in quality and research? Yes, I mean I present that graph that I pointed out earlier, but it may or may not be right or wrong. But we begin to help, and these are sort of guidance's that would be helpful to everybody if there were ways that we could begin to suggest that they think about it in a uniform fashion.
Now as Bill was talking about security, I'm actually was reminded that we were talking about approaches, tools, techniques to minimize identified risk, and you're actually beginning to jump into some of that. I would add on top of these, though I'm not sure I think about it as security, we still haven't heard a whole lot about the risks of re-identification. And whereas on the one hand I worry a lot less about a really streamlined single encounter HIPAA data set, de-identified data set that doesn't much of anything in it, I do begin to wonder as you begin to create case files that have 18 different counters all linked together that it could be completely HIPAA de-identified. But once you get sort of that bulk of information together which is really what sometimes people need, I think, although it may be my ignorance of HIPAA. I'd want to hear from the security experts about the risks of re-identification which may cause us to think about some of these sort of repurposing of data areas maybe a little differently. But I'll hold my comments until hopefully we can get a little more from some of those people.
MR. REYNOLDS: Marjorie.
MS. GREENBERG: very, very interesting day, and thanks to those who put together the agenda and great mix of speakers and very thought provoking. What has just been said by the last three speakers resonates with me considerably. But I want to go back first to this whole issue of primary versus secondary, et cetera, and trying to think outside of the box or just, you know, how to frame this. And we've heard from every, you know, if secondary is sort of in the eyes of the beholder, and we heard about childhood cancer treatments where there were probably, you know, two equally maybe important purposes going on, and it all depends on if you're the parents of the child, the most important purpose is the child's health, of course. And as a health care provider, you do, as John said, you not only do no harm, but do what's best for the patient.
But the whole reason it's getting all this public funding of this type of research is to try, is really more population based, is more to improve health in a population sense. So, again, it's kind of in the eyes of the beholder as to what's primary, what's secondary.
And I think that it's not always just one or the other. Often, there are mixed reasons of why information is collected, even down to the data elements. And I think I've raised this before. But I mean, you may not be collecting the person's race and ethnicity, certainly not totally for that person's benefit, but maybe if there's certain genetic or other conditions that are associated with a particular race, ethnicity or country of origins, and then you may need it just for that purpose. But it's more for a population purpose. And yet it's part of what you're collecting as the intake or as in the patient care context.
So instead of calling it secondary or primary or what have you, it seems to me that at least we should go back to various basics as to why are the data being collected, and it may be single purpose, but it may be multi purpose, and why is the person providing the data. And there, we get to the education aspect.
I mean, I know and I've heard very responsible people report to this Committee, not this work group, but it more the Privacy Subcommittee kind of lamenting the fact that they are having to give the patient more information than they used, and of course their goals, the purposes they have are not nefarious by any means. But the more people understand maybe how their data are going to be used, the less likely they might be to provide it.
And yet I think, you know, from the point of view of, as someone raised, what is really consent, people do need to know how their data are being used, not down to every analysis that's going to be done, but it needs to be done in a context. And just getting a piece of paper or five pieces of paper that tells you all these ways that either scare you off or you just don't read them.
But I think that if we're going to do definitions, we need to get back to why data are collected and then why people are providing the data, or what people need to understand about why they're providing the data. And then certain uses really are not the purpose that the data was collected for or within the persons' consciousness that they're providing the data, but may be acceptable uses if consent is obtained or another approach. Maybe that starts being secondary, then, I don't know. But I'm just suggesting that we instead of using those, throwing those terms around, we think about those two issues.
The one place, a few places I would differ with Paul just in his conceptualization is that I don't really think it's simply proprietary versus non-proprietary. There are uses that aren't really proprietary, but and maybe it just gets back to what I was just saying, but the person didn't think their data was going to be used that way, and they feel a certain invasion.
I know somebody who is very highly respected person in the health policy field. This is not an ingénue. But when this person had a type of cancer and then got something in the mail that basically was a spin off of the data having been provided to a cancer registry, this person felt violated. I mean, intellectually the person understood all these purposes and very knowledgeable about it, but it was a sense of violation. I mean, it didn't go to court or whatever, but we don't want people to feel violated as part of the health care process. That's not positive. But what she got in the mail was not a proprietary thing. It was maybe even offering some counseling or something like that, but from a public agency, you know. It's not just the proprietary versus not proprietary. It's what people's expectations are.
And then I think there's so, this gets back to public education which I talked about this morning. Then there's the issue of stewardship which you mentioned, and I'm very curious as to what's happening with that HRQ RFI on stewardship, but I think it's a critical thing we have to factor in.
And I would also say one size doesn't fit all. But I think at the end of the day, and you were starting to raise that, Paul, you've got to recognize that to do this right does take resources. For NCHS to really be responsive in the data center, and this is in the letter or whatever, it really does take resources. You cannot do this right on the cheap. And I think that's something that people often don't recognize also.
DR. TANG: But actually just from the point of framing things, I loved John Lumpkin's slide on basic principles of biomedical ethics. I thought that was with four very good points that we should think about when we discuss other uses of health care data and using that as a framing thing. And as for respect for autonomy, beneficence, non-malfeasance and justice.
Have we respected the patient, autonomy, what good did we do with it, are we using it for good things, and is there any penalties, et cetera, involved with it. I thought those were four very good framing points in this discussion.
And Vickie Hohner's slide on to facilitate secondary uses, balance strong privacy protections while providing for access for legitimate use, consolidate, synchronize and simplify confidentiality and privacy requirements, standardize definitions of confidentiality and privacy, and specify what actions of behavior are required and provide guidance and assistance to bridge the gap between the letter of the law and operational practices to help implementation of good privacy practices.
I thought between the two of them, they found, one formed some nice principles of operation, and the other formed some nice principles of behavior and thought. And I thought we could frame a lot of the discussions between those two points.
Like everyone else, I heard a lot of the themes that came forth from the last set of hearings about the word secondary use is bad, you know, there's a continuum. Unlike Simon, and that's why I asked the question to ask what you said, I'm still not sure I heard a very clear definition between quality and research. I have looked at the Pugent Sound definitions earlier in the day and felt it was good for people who like boxes and like to put things in boxes, yes, it was very nice. But I didn't know if it actually clarified it.
I like what Marjorie said a few minutes ago about really what to do is to look for what the data is being used for and start thinking about it that way. And if it's being used for quality purposes, whether that quality bin comes under the domain of TPO and operations or whether it comes under the domain of research, you know, I still think it's quality and that we're using it for something that's good. And I think one of the comments that we probably want to focus on is this issue of operations and, you know, both the vastness of that definition and sometimes the confining nature of that definition and how it conflicts with the way people think about what research is and how they blur. And I think we do need to have some discussion about that. I still haven't heard much clarity there.
Those were the main points that I synthesized in just this last few minutes. I'm sure we'll come up with many others.
MR. REYNOLDS: Jeffrey.
MR. BLAIR: Some of the things I hear is I'll hear one person talk about the fact that we're concerned about the trust of patients and whether they feel violated or not. And to me, when you talk about that, you're talking about protected health information. Because if you're not talking about protected health information, we're not concerned about trust, we're not concerned about privacy, we're not concerned about people being upset.
And so I wind up saying that makes sense. But then I'll hear someone right after that refer to secondary use of health data, and they may even mean the same thing. They may be saying in their mind when they say health data that it's protected health information. But a third person, when they hear health data, they think of surveys which is not protected health information and has a completely different scope and context and usage.
So that is why – pardon, okay. That is why I think – oh, I'm sorry, he's got the phone, okay. That is why I believe that we start to get on solid ground when we talk about primary use of protected health information and then anything else is secondary use of that if the primary use is patient care. That, at least for me, that gives me a construct where things can fall into place, and I can begin to wind up sorting things out. If protected health information, if that phrase changes to health data, I'm lost. Or if the word primary or secondary refers to primary data or health or secondary data, I'm lost.
So, it's just the way I'm able to sort things out.
MR. REYNOLDS: Mark.
DR. ROTHSTEIN: In the HIPAA privacy rule, the world is split into TPO and non-TPO, and there are different rules for each. We have heard people question those definitions that are in the HIPAA world, maybe health care organizations or research or public health or whatever. My impression is, and I know John will speak shortly, is that we're not being asked to rethink the HIPAA world and the way the world is broken down in the privacy world. We're being asked to think about the NHIN world where information is going to be available in a different manner. It's going to be, as we all know, increasing drastically in volume, in scope, it's going to be comprehensive, longitudinal, interoperable. And so the question, I think, that we would be remiss if we didn't address or the series of questions, how is the world going to change. What new opportunities are there going to be for the linking of data for non-clinical purposes, if you will. What are the threats to privacy and confidentiality and security raised by this new type of accumulation. What does the public need to know, what do health care providers need to know, what do all these other entities who are going to be involved in this, how can we set guidelines and rules so they have a clear understanding of what they're expected to do and when they need to some sort of permission and so forth.
So I think those are the unique challenges that we're being asked to confront. And I think we need to make sure that that's on our to-do list.
MR. REYNOLDS: John.
DR. LOONSK: With acknowledging Simon's point, I think there's been a lot of really helpful testimony, and that this is – progress is being made. I'm still in a very unsettled place, and I'm in an unsettled place because I see both, I see professionals who don't agree over definitions and who describe things in many different ways and just keeping thinking about how the public can navigate this when the professionals don't.
I see people talking about definitions, and, you know, it's absolutely fair that some of these definitions are very fuzzy. And when you try to nail them down, they just get squirmy, and you don't find them very useful any more. But it's hard to talk about these things without having more specific definitions. And I feel like we're going to have a little bit of an unsettled time with this until some of the things are better defined.
It's an odd place. We have what has already been defined; we have what HIPAA defined from a terminology standpoint and what it represents, and then we have what needs to be defined to move forward to be specific in the world that Mark alludes to, and the possibilities for what that can and needs to be.
I think we haven't really grappled with commercialism completely. We're still arguing about it. We sort of know what it is when we see it, but I don't think we could put that – Paul made a suggestion for that. I think that where there are in the country we live in, where there are commercial ventures that are doing public good, that's a complicated application and difficult thing to sort out.
The concept of repurposing and use is still difficult from a definition standpoint. Clearly, one way you can look at secondary data is to look at data for being used for that which it was not originally recorded. That would put primary data as being the surveys that Ed talked about where the person being surveyed definitely knows for which their data is intended. But I'm not sure we're agreeing on all that, and I'm by no means suggesting that secondary use is a good term to go forward with.
I think we've had adequate testimony about pejorative assumptions as associated with secondary in this context. That doesn't mean that we don't have to get to a delineation though. And I'm not sure that it's two levels, frankly. You know, it might be three.
So I'm going to stay unsettled, I think, until we have gotten to some definitions that we can build from instead of deconstruct, and I just don't think we're quite there yet.
MR. REYNOLDS: Simon, you had another comment.
DR. COHN: Yes, actually it was well said for John, comments. John, I think first of all obviously I would be if we had all the answers, we'd be done with the hearings, and we'd have our paper written. I absolutely agree with you about the tensions and the uncertainties.
Now I'm not going to address them. I actually just am and at the end as we wrap up, we'll talk about tomorrow and the next day. I did, however, just want to make two comments about somebody I had forgotten to mention earlier. So it's very limited.
One is just sort of a big reminder about, I think we heard over and over again and many commented about this, about the important role public education, provider education, user education, or whatever is going to play in whatever we do because a large part of what's going on right now just has to do with the fact that people don't understand, they haven't figured out even what's going on now. So that's a piece that we need not to forget.
The other piece, and I think it's a general thing that keeps coming back to what I'm saying, the other piece I just want to hold a placeholder on this one because I had forgotten to mention it before. I just came away, obviously we're trying to delve into quality, and I recognize that that's something we absolutely have to do and get done in the world of the NHIN.
We've heard a lot about research, but I just want to continue to refine our terminology a little bit because I think we hear a lot about federally funded and supported research upon which there is what feels to me like a very robust set of protections around. I'm holding my judgment on non-federally funded research, and that may be an area where we really actually need to say some things about because it seems to me that there's sort of this, that's like a gray area there even though we continually talk about research, and I just want to hold that as a placeholder for further conversation. John, did you have a comment you want to come back to me on?
DR. LOONSK: Yes, thank you, Simon. I just wanted to add to your comment about public education, public consumability is an equally important part of this, and that has – and I'm not sure that what has been done before has met that bar. So that was the comment.
MR. REYNOLDS: Mary Jo and then Kevin.
MS. DEERING: I guess it is good timing because, as you'd expect, I'll pick up on the communication. Can you hear me better now. Okay, I will pick up on the communication issue.
And one small thing, it seemed to me, that again words do count, and I don't know whether our client would permit us to change our own name, but I would suggest that, at a minimum, substituting a single word in our title already helps a lot. Instead of being the work group for secondary uses of health data, it would be optimizing health data. So just get rid of it.
But then specifically to the issue first of definitions, I sense that the work group will strive very hard to work toward definitions and to present them. And, again, purely from a communications point of view, what occurs to me that what would be helpful when we do that is not just to lay out our new glossary and definitions, but make a sort of, it could be characterized either way, present and future, legal, non-legal, whatever it is, not just a single sort of data point for the definition when you have a word so that anybody reading it recognizes that there was maybe an original construct for it and we are in a course of evolutionary trend or we're now planting our stake in the ground and using it differently.
So, again, I just recommend that we always present it that way.
And then finally getting to this issue of both the public education information and the professional, I think this was part of my wrap up comments the last time, and I'll say it again. In my 20 years, the federal government has never devoted adequate resources to that effort, and I don't believe they will, nor do I believe they have the expertise to do it.
And so harking back to our original 2001 NHII Report where we issued recommendations to others outside of the Secretary, and we had recommendations to other stakeholders, Margaret and I were canoodling a little bit earlier that maybe this is one that we secretly target to John Lumpkin and Robert Wood Johnson Foundation or something like that. But be that as it may, I think that we need to recognize that the federal government should not be the definitive source of all that public education, both either to consumers or professionals. They're just never going to do it, or they won't do it right, and they certainly won't sustain it.
So I think that it's really not a helpful proposition for us to just say and the Secretary should.
MR. REYNOLDS: Kevin.
DR. VIGILANTE: With regard to the taxonomy issue and I don't specifically have a problem with the term secondary data. What we call it is personally I don't really – I'm not concerned with that much. But as long as we have the same understanding of what it is we're talking now, whatever label we give it.
But I do think it matters. You know, actually I think secondary is not inappropriate because it's relative to – it's about intentionality, the intentionality of the individual whose autonomy we'll respect. So you have two people go to the emergency department with fever and productive cough. And their intention is to go get care, to be made, to take care of their fever, take care of their cough and go home. And yield up information based on that premise.
And the data that's collected at that time is primary data that would not have otherwise been collected unless they sought help. And it is their expectation that that data is going to be used for those purposes.
If it's going to be used for other purposes, then that is the secondary use of that data which was collected for the primary purpose of patient care, and there are very legitimate uses. In one case, the person may just have Pneumococcal pneumonia and get hospitalized and get antibiotics and go home and be fine. The other person may have TB, and that person will be hospitalized. But because their smear comes back positive, that will be reported to public health. And there will be some secondary use of that data from a public health perspective which is secondary to the primary intent of that patient which was to seek care.
The reason they came was not to serve the public health need. The reason they came was to seek care. We as a society would like to use that for other purposes. If that data is then used from a quality perspective to look back and see which patients got antibiotics within four hours or six hours or eight, whatever it is these days, well, then that's a secondary use of that primary that was collected for that primary intent.
So I think the intentionality of the person whose information it is and their understanding of it is paramount. And then it's their understanding of the intentions of the person to whom they're giving the data. I'm giving it to you to take care of me, okay. If it's a survey of NHANES, I'm giving this to you for survey purposes in which the primary purpose now is research and survey data, which may be public health.
So I do think sorting it on that basis does seem appropriate to me.
MR. REYNOLDS: Any other comments? That's why we left time today.
MS. CARR: I just want to respond to Kevin. I understand what you're saying, that it clarifies, but it doesn't operationalize what we do. So knowing that something is secondary doesn't then dictate a path of –
DR. VIGILANTE: No, I agree with you. But if it weren't for the issue of the perception of the patient, the understanding of why they're giving it, we would not be here talking about it. In other words, it wouldn't be a sensitive issue if the individual yielding up the data completely understood and agreed with the fact that I'm going to give it for primary purposes, but it's also going to be used for public health, and it's going to be used for research, and it's going to be sold to all these different companies.
If I understand that and I go with that understanding from day one that it's going to be used in secondary manners, we would not – and nobody had a problem with that, we wouldn't be here talking about it. It would be a non-issue.
It's that secondary use that makes it worthy of this discussion that we're having. And, depending on how it's used, the intentionality of the users, whether it's really for public health purposes with a community benefit, whether it's to publish a paper so they can get tenure, or whether it's to sell so they can make a profit, I think, would matter to the individual because it gets into this issue of agency. Is this person's interest aligned with my interest when I've given my information or not.
MR. REYNOLDS: Steve?
DR. STEINDEL: Yes, I think Justine picked up a little bit of what I was thinking of when you were saying that. Let me just be a little bit argumentative on it. On those two patients that went into the emergency room, you have a lot of emergency room docs, and I'm sure all of them realize this never happens.
Let's say one of those people was homeless and it happens to be raining and cold outside, and the reason they came in is because they wanted a warm place to stay. You know, what is the secondary use of their data in that case.
DR. VIGILANTE: Well, the point is they didn't come in to do a sociological study. They came in to be taken care of.
DR. STEINDEL: No, they came in to find a warm place to stay.
DR. VIGILANTE: That's right. That's exactly – taken care of means a place to sleep and food to eat, and that's exactly appropriate.
MS. CARR: But the other thing, though, we heard today is – I mean, this would fit into a grid. It looks great. But as we've heard with the Kaiser discussion when they were doing their surveillance and they noticed that there was an association of Vioxx and adverse outcome and that was part of their operations and so on, and then they had a discussion with other people, and then they involved the larger group, and then that data went on.
You can't – what would you tell the patient when they came in and got Vioxx. You might –- all these things might happen.
DR. VIGILANTE: No, no, no. All I'm saying is –
MS. CARR: It might end up being research.
DR. VIGILANTE: All I'm saying is that collecting that information and learning something about Vioxx is a very, very good thing. The research that's being done is very good, and the public health information is very good. All I'm saying is that when the patient first came into the ER with their MI on Vioxx, they didn't come there for the purpose of gathering, they came with the intention to be taken care of. And that's the primary – that's why I'm saying that's where the fault line is here between distinction between primary and secondary.
And I'm not saying it's a bad thing. I'm just saying it's a distinction worth having because it's their understanding of how data's going to be used that makes this a sensitive subject that brings us to the table.
MR. REYNOLDS: Mary Jo, and then that's it.
MS. DEERING: Well, again, I'd like to put us forward into the new world. This doesn't exist it, granted. And I'd also like to put us forward in the world when perhaps someone, we know not who, has accomplished some of this public education that we've talked about. And I would assume that, by definition, if successful, that public education would have left in the mind of the consumer and citizen from the get-go that there are multiple uses of their data. That would be a successful outcome of the communication effort in my mind.
Secondly and entirely different, I would simply like to put out the concept of meta secondary uses if we are going to keep it at all, meaning that – and meta data sources, and I keep coming back to this image of the fact that, gee whiz, and I know I've already mentioned once today and getting back to Lynn Etheridge's, is FDA going to have a million person database there from all these people? Is that database going to exist and be available and have been created according to all these strictures that the government will have imposed upon it? And if so, is that something or that concept worth focusing on as a means of accomplishing some of these meta secondary purposes.
Since you've already got, let's just use that one for those purposes and stop putting the burden on the individual Mrs. Jones walking into the emergency room to accomplish some of the other purposes.
MR. REYNOLDS: Concluding comment from one of our guests. Because obviously remember every day we're going to have some discussion, and if we're start returning to a debate, we're not establishing everything.
MS. PATTERSON: So I think this has been a fascinating discussion. I'm sorry, Wendy Patterson from the National Cancer Institute and Cancer Biomedical Informatics Grid.
So this has been a fascinating discussion. And being trained as a lawyer, of course, I find definitions to be very important. That said, in this context I think while there are legitimate reasons for differentiating between some of these uses and why the patient is seen and ultimate reuse of the data, I wonder if, although that's an important issue, we should think about in some cases so what, because depending on what the need for reusing that data is will determine the level of protection, whether consent is required before that any subsequent use can be made of that data, or whether in some cases no disclosure or consent is required if it's a public health purpose.
If it's in reference to a patient has Tuberulosis, if it's in the context of a clinical trial and there's an adverse event or some other situation that you referred to in terms of Vioxx, I'm not particulating this at all. But I would just urge the group to think about even if you do distinguish between different kinds of uses, and there may be very legitimate reasons beyond the work of this group, to just think about, even if you have those distinctions, what are the consequences and how do you essentially build into safeguards to protect patients and public for those eventual reuses of data.
MR. REYNOLDS: So to close it out for today, we had great testimony. The other thing is, as we consider structure and final explanation of what this is, the more we can hold our value judgments on anybody protecting that something may be secondary, I think, will be very important because we're liable to hear a whole different set of perspectives tomorrow. which are going to take us to new and different places than we were last week and where we were this morning, but continuing to think about the structure of discussing it and being able to explain it to whomever may help with that. So thank you.
DR. COHN: You don't get to close. You know, I think we've actually had a very good conversation. This is not the end of this conversation, and I did sort of like Wendy's so what comment. So we probably just need to keep that.
And the so what in all of this, of course, is what best tells the story. I mean, what makes it all understandable. So that may be the so what, but we'll need to figure that one out.
Now to get real here for a minute, I want to remind everybody it's eight thirty tomorrow morning that we start again. It's not nine o'clock. So for those of us in California who like working the end of an overnight department check.
Now tomorrow is going to be a little different in the sense that I think we're ready to start the conversation. So what's going to happen tomorrow is that we hold hearings in the morning. By mid-afternoon, we're going to be talking, and the good news is that Margaret has begun to put together some framing pieces. I mean, be aware that there are other decisions we have to make other than how to describe primary versus secondary, or what sort of framing we use. We really actually need to be talking about the framework for recommendations, where there are holes, what we need to think about them, and I think actually Margaret may even have some taxonomy and definitional pieces that may help us through some of these issues. So I think that may be very useful. I mean, it's very timely. I think we're ready for that conversation.
Now we're going to go through the afternoon and conversations around all of this. I think hopefully Margaret's information helping through some of all of this. Friday morning, we again start at eight thirty. This is just all discussion on our part. We are not having any testimony Friday morning.
Now for those of you making plans to travel, I do want to tell you that my intent is that we will finish no later than eleven o'clock. So we have a twelve o'clock publish time; we will finish by eleven o'clock. And once again, hopefully by that Friday morning we'll be talking about the agenda for the August final set of hearings and conversations. We'll be continuing on our conversation about some of these framing pieces.
Now with that, we are, at least according to our clock on the wall here, it is now five thirty Washington time, so we will adjourn until eight thirty tomorrow morning.
(Whereupon, the meeting adjourned at 5:30 p.m., to reconvene tomorrow morning.)