[This Transcript is Unedited]
Hubert H. Humphrey Building
Room 705A
200 Independence Avenue, S.W.
Washington , DC 20201
Agenda Item: Call to Order - Dr. Cohn
DR. COHN: Good morning, everyone, I want to welcome you to the first morning of the hearings of the Subcommittee on Standards and Security on the National Committee on Vital and Health Statistics. I do want to apologize for those listening in on the internet that we are running late. I think those in the room here realize that we've been having somewhat of a snow emergency, which being from California I find very interesting. And certainly having been in Los Angeles yesterday where there was like 65 degree weather it may be a little confusing.
Anyway, my name is Simon Cohn, I'm the chairman of the subcommittee, I'm the national director for health information policy from Kaiser Permanente. I want to welcome fellow subcommittee members, HHS staff, and others here in person. I particularly want to welcome those listening in on the internet also. Given that we are on the internet and I believe it is live today I want to remind everyone to speak clearly and into the microphone so that they can hear.
We obviously have a lot to cover over the next two days. This morning we're going to be starting a discussion, or actually hopefully maybe completing a discussion, with Consolidated Healthcare Informatics Initiative, at least on the first phase of your work. As we understand it you're coming forward with final recommendations on four health care domain areas, which include clinical encounters, text based reports, population health, and chemicals. And obviously the intent of these standards are that they be used within the federal health care enterprise and potentially influence work going on in the private sector. Obviously this is part of your federal adoption process and we're very pleased to have an opportunity to hold public hearings to get public input on these recommendations, and obviously we're encouraging you and feel that your work is very important.
We'll also be later on this morning, and certainly as we go along with these recommendations, reviewing our current draft letter, and as I remember even we had a couple of issues from a prior draft, see if there's any additional information that will cause us to update them beyond these four recommended new standards. Obviously the intent of this letter, and hopefully we'll have a chance to vote on it by the end of the morning, will be to submit it to the full committee for ballot on Thursday.
This afternoon we will be having a hearing on the HIPAA security rule and the status of that implementation. I want to thank John Paul Houston, one of our members, for taking the leadership in putting that together. John, thank you. This is obviously a topic that as we move more towards implementation I'm sure we'll be having ongoing conversations with the industry on issues and opportunities around that implementation.
Now tomorrow we begin with a HIPAA update followed by a discussion of the draft letter on the claims attachment standard that were based on the December hearings. The question in that case really for the subcommittee is whether we are ready to move forward with a letter recommending some next steps or whether additional investigation or testimony is needed, but that will be a conversation for tomorrow morning.
Following that we have a conversation with the dental community, the focus of that session is really on SNODENT and whether it is appropriate to recommend SNODENT as a clinical terminology, which is one of the issues sort of left open from our last set of PMRI recommendations. But given what I've seen of the testimony so far I suspect that there will be other issues coming before the subcommittee from the dental community as well.
After lunch we will further discuss our role in investigating and recommending e-prescribing standards. As many of you know the recently approved Medicare Reform legislation calls on the Secretary to adopt standards for e-prescribing and the NCVHS has been directed to develop such standards recommendations. Jim Scanlon and hopefully Karen Trudel will update us on the department's work plan in relation to this and then we'll be discussing our own draft work plan. Obviously I want to thank Jeff Blair for his leadership in terms of putting together what I think is a very good draft work plan but we obviously do need to reflect on the scope.
Now before we go around with introductions I do want to emphasize that this is an open session, obviously those in attendance are welcome to make brief remarks if you have information pertinent to the subject being discussion. We also have time at the end of each session for brief comments by those in attendance. Finally for those on the internet we welcome emails and letters and other comments on issues coming before the subcommittee.
Obviously with that I would ask that we go through with introductions for the subcommittee and then around the room. For those on the national committee if there are any issues coming before us today for which you need to publicly recuse yourself I would ask if you would do that as part of your introductions. Jeff?
MR. BLAIR: Jeff Blair, Medical Records Institute, vice chair of the subcommittee, member of AMIA, ASTM, HL7, and HIMSS, and there's nothing that I'm aware of that I need to recuse myself from.
DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, staff to the subcommittee and liaison to the full committee.
MR. HOUSTON: John Houston from the University of Pittsburg Medical Center, I'm a member of both the committee and the subcommittee.
DR. HUFF: Stan Huff with Intermountain Health Care and the University of Utah in Salt Lake City. I'm a member of the subcommittee. I'm a vocabulary co-chair in HL7 and so I'd need to recuse myself from HL7 discussions. I'm also a co-chair in the LOINC committee and would have to recuse myself from any LOINC discussion. And I've contracted on occasion with 3M so I'd need to recuse myself from any ICD-10-PCS or like discussions of 3M products or contracts.
MS. BRADFORD: Alicia Bradford, CHI.
MR. SEPPALA: Gregg Seppala, Department of Veterans Affairs, representing the CHI clinical encounters group.
MS. NUGENT: Linda Nugent, Department of Veterans Affairs, representing the CHI text based reports group.
MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health and member of the full committee.
MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics, CDC, and executive secretary to the committee.
MS. FRIEDMAN: Maria Friedman, CMS, lead staff to the subcommittee.
MS. SQUIRE: Marietta Squire, CDC, NCHS, and staff to the subcommittee.
MR. SYRAKOWSKI(?): Arthur Syrakowski, Center for Devices and Radiological Health.
MR. KILE(?): Frank Kile, American Dental Association.
DR. COHN: Okay, welcome and obviously this is Simon Cohn again. I do need to publicly recuse myself in relationship to any issues that come before us in relationship to CPT, which hopefully should not be an issue being discussed today I hope.
With that, Alicia, would you like to lead off with an introduction to where we are with the CHI recommendations please?
Agenda Item: CHI Introduction - Ms. Bradford
MS. BRADFORD: Thank you for having us here today. Some of these slides are fairly familiar, you've seen them before. This one is showing the phase that the different teams have gone through, the progress for phase one with our final teams wrapping up, and they're wrapping up their work in late December, I'm presenting now to you in January. The process that we go through from deploying the teams, the analysis and feedback within the workgroup, consensus with the agencies, HHS, VA, and DOD. And now presentation to NCVHS.
And today as you mentioned we'll have four workgroups and this will wrap up phase one of the clinical encounters text based reports, population health and chemicals.
DR. COHN: You might want to change the overhead, are you going to be using these on Thursday also?
MS. BRADFORD: We will and I did. And we've kind of refined this as the project has progressed regarding the range of possible recommendations quickly realizing that there is no perfect terminology. The workgroup could return saying that there was an acceptable terminology that just needs evergreening to maintain the viability. More often then not there could be an imperfect terminology that would result in different levels of follow-up, one being that there are just identified gaps that don't preclude its use but need to be addressed. It could be a conditional approval meaning that the terminology or standard is not ready for use yet until these conditions are addressed. And there could be temporal issues such as the standard is in ballot or production version. And more rarely but has happened that there could be no solution available at this time and we would identify an SDO or a group that the government would work with to fill that need.
As Gregg mentioned, we have Gregg Seppala from the VA and he's representing the clinical encounters workgroup.
DR. STEINDEL: Alicia, can I get a bit of a clarification on what you just said? You said that this concludes phase one, does that mean that multimedia is not going to be presented as part of phase one? You're shaking your head --
MS. BRADFORD: Yes, Council consensus was not reached on the multimedia recommendation and that will be pushed on into phase two in addition with the history and physical that we did not receive, the workgroup did not progress with that and the recommendation was to wait and address history and physical in phase two also.
DR. COHN: Well, Alicia before Gregg starts, and I know he'll be starting in just a second, either today or Thursday is there going to be any discussion of what phase two is?
MS. BRADFORD: I don't believe so, I don't think it's all been decided yet.
DR. COHN: I see, but I guess it has been determined that there will be a phase two.
MS. BRADFORD: We have definitely identified further work to be done so we hope that there is a phase two for us to continue this work identifying and addressing the gaps and additional domains that were not addressed in the first phase.
DR. COHN: When do you expect that you'll be discussing more publicly I guess the various aspects of phase two? Would this be a March meeting discussion?
MS. BRADFORD: I think so, yeah. By then we'll have more knowledge about phase two.
DR. COHN: Thank you.
MS. BRADFORD: Okay, Gregg.
Agenda Item: CHI Final Reports - Clinical Encounters - Mr. Seppala
MR. SEPPALA: As I said before my name is Gregg Seppala, I'm from the Department of Veterans Affairs, and I'm representing the CHI workgroup that helped define select terminologies for clinical encounters. The other members of the group, those people on the internet can't see the slide probably, include Dave Bergland(?), CDC, Theresa Cullin(?), Indian Health Service, Jason Goldwater, CMS, Gail Graham also of VA, Bart Harmon of DOD, Ken Hoffman of DOD, Eduardo Ortiz of AHRQ and Cynthia Wark of CMS.
The first challenge we faced was trying to figure out what clinical encounters was and what it wasn't, so we spent some time first of all doing use cases to see how broadly we felt clinical encounters should be scoped, and we concluded as a group that it needed to deal with encounters in all kinds of settings, ambulatory care, inpatient care, which would be acute, intermediate, or even long term, emergency care, home health care, field care, and virtual or tele-medicine. Once we broadened the scope to that point we were seeking some way to narrow the scope and so we were looking for a definition for encounter and the one that we thought was the best definition was the one in ASTM 1384, the version was 02A, standard guide for content and structure of the electronic health record. And we felt that that was an apt definition.
After we had agreed on the scope and definition for encounter then we needed to determine which data elements would be within the scope of our recommendations and which would not, and we turned to the CHI approved messaging standard, the HL7 version 2.4 ADT message as representing the data elements within the scope of clinical encounter. That message in 2.4 consists of 25 message segments comprising 612 fields, so again we were looking for ways to constrain scope so items that we declared were out of scope were demographics, because they were being done by another workgroup, allergy information, diagnosis and problem lists, financial and payment, insurance information, interventions and procedures, all of those were within the scope of other workgroups. So although they would be considered part of a message about a clinical encounter the standardization work and recommendations are being done by other groups.
In scope we had admission information, transfer or patient movement information, discharge information provider information, and then two segments which didn't seem to have another home in CHI but were part of the ADT message which was accident information, death and autopsy information. Also excluded from our scope were practitioner to practitioner interactions, practitioner to record interactions, and ancillary service visits, because those did not fit within the definition of clinical encounter balloted by ASTM, and we've identified those as gaps. We do know that in the future there is an interest in being able to exchange information about clinical services but our opinion was that the ADT message and the current definitions didn't well support that and that's identified for future work.
So when we were finished taking segments and data elements out of scope the 612 data fields were reduced to 92, and of those 92 data elements 38 of them used coded data, and so we focused on those 38 coded data elements. We looked at ASTM 1384, we looked at ASTM E1633, which is the standard specification for coded values using electronic health records. We looked at the X12 837 health care claim message, we looked at SNOMED CT, we looked at the UB-92, or the CMS Form HCFA-1450. We also looked at the data elements for emergency department systems release 1, also known as DEEDS, and we looked at HL7 versions 2.4, 2.5, and version 3.
After we'd looked that over in general what we recommended is adoption of the coded values recommended by Health Level 7 version 2.4 and higher, and then we had a number of gaps that we'd identified to be addressed in the future.
Some of the gaps as I mentioned before would be better support for home health field and virtual encounters. We felt that the current standard really focused on ambulatory and inpatient encounters and didn't provide clear support for those. Clinical services that don't meet the definition of a clinical encounter, such as provider to provider interactions without the presence of a patient, provider to record interactions, and ancillary service visits. Another gap is that we are looking for and between the time we wrote this and today the final regulation to the National Provider System was released, so we're looking for those identifiers to be used for both practitioners and health care organizations. We'd also, it would be helpful to have standard location identifiers but I think this is a gap that will exist for some time. And another challenge would be standard hospital service names.
So that's the short version, I'd be glad to answer any questions or go into more details about the recommendation.
DR. COHN: Questions from the subcommittee? Steve.
DR. STEINDEL: I have one question and one clarification since I'm the keeper of the documentation it needs to go on. The clarification is Gregg, the transmission that was submitted to NCVHS does not explicitly state some of these gaps that you noted. Would you like the documentation to reflect that, at least I do not see them, like the virtual encounter, etc., it just says one of them, so Alicia or Gregg, if you'd like the transmission document to explicitly state that, which I think would be a good idea, if you'd see me at the break or something we'll just add it, Simon, if that's okay with you.
DR. COHN: It appears that the overhead that they have here doesn't, isn't in any way related to the documentation, which I think is what you were observing.
DR. STEINDEL: And the documentation actually forms the record that we transmit over.
DR. SEPPALA: I did send in an updated longer report on January 7th which matches this a little better so maybe we just --
DR. STEINDEL: Maybe we just need to sync. We'll just do that at the break. That was cleaning up your documentation side of it, just as a question point of view I noticed that you say 13 data fields are published in version 2.4, seven in 2.5, and four in version 3. Are the ones that are in version less then 3, the version 2.X data fields, are they intended to be transferred over to version 3 or are they represented in similar fashion in version 3 at this time? Do we have to make any note of that? Stan as vocabulary co-chair if you want to give a technical answer to this it might be helpful, too.
DR. HUFF: Our intention is to transfer all of the version 2 tables into version 3, but there's not a defined timeline to do that.
DR. STEINDEL: Thank you, I think that's a satisfactory clarification.
DR. COHN: I guess maybe I'll ask a couple of questions. Obviously we have a report from you from January 6th, so it's probably not the one you're even referencing. That's what I referenced in red. Obviously I'm sitting here trying to remember and I apologize, I don't have E1384 in my office so I was trying to figure out what the definition for encounter that you were referencing since it wasn't to be found anywhere in the document except the fact that you agreed with it. So do you have it, is that something that's short enough that it's readable to inform the committee of what the definition was? Is it in there? Where is it?
DR. STEINDEL: Very beginning.
DR. COHN: Oh, I'm sorry, I apologize, I was looking at page two and page three, I take back, I mean obviously it's short so why don't you read it just so, as my face goes from red to slight lighter shades of pink.
MR. SEPPALA: This is a quote from the standard and then we go on to elaborate a bit. So the definition for a clinical encounter, again from ASTM E1384, is one, an instance of direct provider or practitioner to patient interaction regardless of the setting between a patient and a practitioner vested with primary responsibility for diagnosing, evaluating, or treating the patient's condition, or both, or providing social worker services. Definition two, a contact between a patient and a practitioner who has primary responsibility for assessing and treating the patient at a given contact, exercising independent judgment. The ASTM chapter goes on specifically to exclude ancillary service visit, which is defined as the appearance of an outpatient in a unit of a hospital, or outpatient facility to receive services, tests, or procedures. Again, the key point is exercising independent judgment. And then because it requires a direct interaction with the patient this clinical encounter definition would also exclude practitioner interactions in the absence of a patient such as practitioner to practitioner interactions, or practitioner to record interactions.
DR. COHN: Okay. Jeff and then I'll ask a couple more.
MR. BLAIR: Was there any thought given to providing diagnostic services or evaluations over the internet? Because that falls outside of the definition.
MR. SEPPALA: Anything that would happen without direct interaction to the patient, now tele-health might include patient to provider interactions not in real time, so I think that's an area that we would like to investigate in the future, certainly a gap.
MR. BLAIR: I don't know if it's a gap or not because I don't know if that needs to be referred to as an encounter, maybe tele-health becomes a separate, so I don't know, I was just raising it as a question, whether it was considered, if we're going to move more into that area do we need to either modify the definition or do we need to consider that as a separate activity.
MR. SEPPALA: Actually the ASTM definition, I think it was five years ago, explicitly excluded telephone as a modality for an encounter and at VA's encouragement that restriction was removed. So VA certainly feels that there are tele-health encounters, there are probably other things which take place over the internet which still wouldn't be categorized as an encounter, but I think it's a new area that needs to be looked at.
DR. COHN: Marjorie?
MS. GREENBERG: I just wanted to clarify regarding ancillary services such as an x-ray, so if a patient goes and gets an x-ray the x-ray technician is not considered to be exercising independent judgment, that's not an encounter?
MR. SEPPALA: That's our understanding of that definition.
MS. GREENBERG: When the radiologist reads the x-ray he or she is exercising independent judgment but the patient isn't there, so that's not an encounter either.
MR. SEPPALA: Yeah --
MS. GREENBERG: Is that right?
MR. SEPPALA: I think so.
MS. GREENBERG: Way back when, actually the committee and the department were developing the ambulatory care dataset, those types of situations were actually considered encounters because they, I think they were trying to align more with what generated an actual claim. But the ASTM definition is not really aligned with what generates a claim but more the requirement of both the patient and provider both being there and the independent judgment.
DR. COHN: I guess I should ask the question, I'm just trying to think of whether or not I'm going over the line on this one just by asking but it really is that billable encounter concept, which obviously there are HIPAA standards, and typically the issue of service versus encounter, they do sort of overlap a little bit, they more then a little overlap and there's one code system that I can think of and it's obviously it's the AMA CPT that goes, at least discusses a lot of types of clinical encounters in its E&M(?) section, and so I'm wondering if there's a slight disconnect between this and, I mean they for example have codes for telephone, for internet, for various, I'm just trying to think of how all this works out, it's not a position statement it's just more of an observation.
MS. GREENBERG: That's why I made my observation because the claim/encounter transaction is used for events or whatever that are not, that do not meet this definition of an encounter. But then this is really for the clinical environment and the exchange of clinical information as opposed to the administrative environment.
DR. COHN: But having said that I mean within my organization, for example, I mean we track telephone encounters, we certainly track internet --
MR. SEPPALA: Telephone is included in this definition.
DR. COHN: Oh, included? I'm sorry, and then there's also internet encounters and email and things like that that we're tracking and considering to be actually a service and an encounter.
MS. GREENBERG: I think those are covered right?
DR. COHN: I don't think virtual, isn't that a virtual encounter?
MR. SEPPALA: It is a virtual encounter. What we said is that the standard doesn't, the definition and scope includes virtual but the current message definitions don't well support the different viewpoint. For example in a virtual encounter you might actually have two locations that you're tracking, one is the practitioner's location and the other is the patient's location. We've discussed it some in the context of an HL7 version 3 modeling how this would be handled but we've actually excluded that from the release one scope.
MR. BLAIR: Oh, that's what I missed.
DR. COHN: Steve?
DR. STEINDEL: I'm trying to recall what was discussed when this was presented in the preliminary form at NCVHS because I do recall that we had some discussion of the definition of the encounter with regard to laboratory reports, x-ray reports, etc., about whether they were encounters or not. And I think we somewhat decided that the key word here was contact, and that it did not necessarily mean physical contact with the patient and that we felt that these reports were some type of clinical encounter and that this did cover those, this recommendation did cover those because of the stretching the word contact. And I'm basing this on recollection, I want to know if anyone else had that kind of recollection or if we should make any comment about that.
MS. GREENBERG: The radiologist reading --
DR. STEINDEL: Yeah, or the pathologist issuing --
MS. GREENBERG: Was an encounter.
DR. STEINDEL: Was an encounter, was a clinical encounter.
MS. GREENBERG: I read this definition that it wouldn't be but --
DR. STEINDEL: I think we had some discussion on that because this is actually a very critical portion of this definition of the encounter because I think, while I think there's some question about the technician doing the test, the technician or the technologist doing the test, whether that interface with the patient should or should not be considered a clinical encounter I think most people consider the physician interpreting the results to be a clinical encounter.
DR. COHN: Well, it's certainly considered to be a service.
DR. STEINDEL: A service, yes.
DR. COHN: Which obviously begs the question and if we, the question is is the definition interaction with health care system or is the interaction with the practitioner, which I guess is sort of the question you're begging.
DR. STEINDEL: I mean if we apply, strictly apply the ASTM definition what it involves is what does the word contact mean, does it mean physical contact or indirect contact as well.
MR. SEPPALA: Well after, I think it was in October the preliminary report was presented and we considered that issue and then we looked more closely at the messages and still felt that although reporting clinical services that didn't fall under the ASTM definition was important, that the current message didn't support that well and we identified that as a gap that needs to be addressed soon.
DR. STEINDEL: Thank you, that then gets to the clarification in the text that the NCVHS has right now as identifying that as a gap because if those types of issues are addressed in the final document that's transmitted to NCVHS then we really don't need to make a comment on it in the letter, but I think we would want to make sure that those types of things are mentioned.
MR. SEPPALA: When you look over the version if it's not crystal clear from the document then we can edit it again because that is our intent, to identify that as a gap.
DR. COHN: Other questions or comments from the subcommittee? I'm struggling a little bit because obviously the version you're referencing is different then the one that I think I have on my desk and so I'm going, and I think different then the one that we were sent out though I'd have to double-check that.
DR. STEINDEL: Yeah, it's different then the one that was sent out because I went looking through my various documents and I can't find a more recent one.
DR. COHN: Obviously everything you're saying I agree with, I don't have any objection to any of your comments I'm just trying to think of, it's hard to accept a document or make modifications on it when we're having trouble identifying what the base document is.
MR. SEPPALA: Unfortunately the primary edit was to pull out the gaps, which were sort of sprinkled around in the document and highlight them in one section.
MS. BRADFORD: This is Alicia. The teams have a working document that the use to lead them through the process and it's quite long and we condense that for a report to present to you. So some of that was probably left out and we can elaborate on the report that you have on the gaps and redistribute that.
DR. STEINDEL: We can do that at the break.
DR. COHN: That's something we can do contemporaneously with the conversation today.
Are there any other questions? I mean overall I'm not hearing anything that we should just not accept, or should concur with, excuse me, but obviously we probably need to take a look at that document.
I guess the one other question and I will apologize because it's probably in your document, at least in the version I'm seeing there's basically a description of certain data elements needing further work, is that, are those listed out explicitly in your document?
MR. SEPPALA: Yes. So in the ADT message we identified six coded data elements that have no vocabulary in HL7 nor in any of the other items that we looked at, and there are actually some notes because some of these although they're called coded data elements I'm wondering if that's true. For example one is a pre-admit test indicator, which sort of sounds like the codes would be yes or no but it's actually a coded set, a discharge to location, which would probably be a location identifier but it's defined as a code. So these six, I think we need to refer to HL7 to look at whether these are actually coded data elements or something else, and if they are coded data elements start coming up with a starter set of values. Recurring service code, role duration and role action code, so that's the six that don't have any suggested values.
DR. COHN: Other questions from the subcommittee? How would you like to proceed, I mean we can, I think we're in a situation where we sort of need to see the final document first before we can identify how to modify it but I'm, I'm sort of thinking that by this afternoon we'll have it.
DR. STEINDEL: I will get with them at the break and we'll have Marietta print it out --
DR. COHN: Get copies of it and then hopefully we can --
DR. STEINDEL: And I'll do it in mark-up form so we'll be able to tell quickly.
DR. COHN: Okay, great. Well, Gregg, thank you very much.
MR. SEPPALA: You're welcome.
DR. COHN: I guess we were supposed to have multimedia but we're not having that, how would you like to proceed Alicia, do you want to move on to text based reports?
MS. BRADFORD: Is time good? I have Linda Nugent, representing the text based reports is Linda Nugent, she's one of the co-leads along with Viet Nguyen, who wasn't able to make it today.
Agenda Item: CHI Final Reports - Text Based Reports - Ms. Nugent
MS. NUGENT: Good morning. I'm Linda Nugent and I'm representing the text based report. The team consisted of several very bright and knowledgeable persons. Dr. Viet Nguyen from the VA and Dr. Timothy Mahew(?) from Indian Health Service did most of the research and largely put this paper together and provided the majority of the information. Dr. Howard Hayes, Alicia Bradford also assisted us in keeping us on the road and keeping us straight and keeping us thinking about the right kinds of things. Sandra Bailey from the VA and Derek Wang joined us to talk about the e-authentication piece that we finally discussed in the paper. It was not part of the original scope and we added that later on. David Thomashock(?) and Bart Harmon from DOD.
Our domain included identifying the standards and terminologies used to define the messaging architecture and syntax of clinical text documents. Clinical text documents were defined as being generated by health professionals, comprised of free text, which was primarily unstructured data. However, in an electronic record we have the capability to utilize standards to structure this free text and turn it into extremely useful information.
What the group determined to be within our scope was the text document structure and syntax, the electronic signature, document section headings, and the clinical document types and title. Because of the overlap of the domains of the groups working on other aspects of the CHI we determined some document components and data domains to be out of scope. These included clinical signs and symptoms, vital signs, physical exam observations and findings, laboratory findings, diagnoses and problems, and orders.
In preparation of a recommendation for standards adoption the CHI Text Based Reports Subcommittee analyzed many options. These options included the HL7 Clinical Document Architecture, CDA, the ASTM E1384-02, Guide for Content and Structure, Continuity of Care Record, CCR, SNOMED CT, Abstract Syntax Notation One, CEN, Portable Document Architecture, Rich Text and Rich Text Format, XML, Extensible Mark-up Language, and HTML.
The Consolidated Health Informatics Text Based Reports Subcommittee recommends without conditions adopting the standard for text based medical reports of the HL7 Clinical Document Architecture, current release and subsequent releases. Upon release of the final e-authentication policy in the companion NIST technical guidance, the workgroup recommends that CHI reconvene the workgroup to review the guidelines and recommend adherence to risk assessment evaluation and application of appropriate security technology.
The Clinical Document Architecture is a standardized representation of clinical documents, such as reports of medical history, the physical exam, progress notes, and many others. The CDA is also a framework for exchange of those clinical documents, it is based on a set of design principles that include keeping the barrier to entry low while still providing a migration path to sophisticated electronic medical records. By leveraging the use of XML the HL7 reference information model and coded vocabularies, the CDA makes documents both machine readable so that they are easily parsed and processed electronically, and human readable so they can be easily retrieved and used by the people who need them.
The combination of clear definitions and interrelations of medical terms, such as LOINC and SNOMED, can be used to populate an HL7 CDA document using standardized XML syntax. This will allow medical information to be transmitted to and retrieved from any local area network or from any secure telecommunications system connected to the world wide web. In turn this achievement could enable a clinical to retrieve any patient's medical chart, laboratory and radiology reports, and other necessary information anywhere anytime given proper security. The information represented in the standard structured format will allow manipulation of the data to facilitate advanced functions, including record searches, patient specific guidelines, outcomes research, accounts receivable and others.
The consensus was that the HL7 CDA is a mature standard with valued functionality that was widely implemented, richly expressive and flexible, and tested. Today most major dictation vendors have HL7 CDA capability and many EHR vendors have some degree of HL7 capability. There are a series of vendors adopting both health care and non-health care specific XML tools for the CDA, preeminent among them is Microsoft. Adobe is also demonstrating use of their PDF forms generator for CDA. In the U.S. the HL7 CDA is being used by several federal agencies, including the VA, DOD, and FDA. In addition some large non-federal institutions have shown some degree of commitment to the CDA based document strategy. Outside the U.S. the HL7 CDA is even more widely implemented.
A major impetus to the adoption of CDA has been the proposal for its use in the HIPAA claims attachment and there is scheduled to be an extensive interoperability demonstration that shows many vendors working with the CDA and the full family of HL7 at the HIM Conference in Orlando.
Thank you.
DR. COHN: Questions, comments? Stan, did you --
DR. HUFF: Well, this is one where I have a vested interest, I need to recuse myself.
DR. COHN: Jeff?
MR. BLAIR: This is kind of indirect but my employer is personally involved with the CCR and therefore I feel like I need to recuse myself as well.
DR. COHN: It's our usual situation in that anybody who has expertise in any of these areas has to recuse themselves from the conversation.
I guess I have a question, an observation and a question or two. Steve?
DR. STEINDEL: I have a question, I don't really think in this particular instance either one of them has to recuse themselves, they both worked on the development of this but really have no vested interest in it.
DR. HUFF: We have no financial interest but that's not really the same as not having a personal interest.
DR. STEINDEL: We all have personal.
MS. GREENBERG: The CDA is an HL7 document.
DR. STEINDEL: But Stan's only responsibility in HL7 for instance is he's chair of the vocabulary and CDA is not in that area.
MS. GREENBERG: His waiver is for HL7.
DR. STEINDEL: Okay. Thank you.
MS. GREENBERG: Now in the case of Jeff I think he can comment on an HL7 activity but not on, actually I don't think you have a waiver but I would agree with you that continuity of care record since your employer is responsible for that would be inappropriate for you to comment on that. In that matter I would not have an problems with --
DR. COHN: I apologize to those testifying, as I said there's ongoing issues that we have in our areas of expertise, we're typically often excluded from making comments or asking questions.
I guess I would both observe to the subcommittee that I believe that further investigation of CDA and CCR is actually part of the work plan for this coming year and we probably ought to note that in whatever letter we have to the Secretary just as sort of a statement of fact. I mean certainly I'm not sure I have any major objection to what you're doing but it's more that we're sort of seeing that as an upcoming issue to try to figure out how all this relates and sort of, I mean just I think a piece of our ongoing discussion related to PMRI standards. We're obviously thankful that you've sort of looked into some of this already.
Now I guess as I look at what you're describing and I'm, and once again I apologize that when I see documents mentioned in your reference I have not been as good as I probably should have been going looking at the source document. But obviously the issue of, was it electronic signature has been only a slight issue over the last while, that was actually part of the original HIPAA standards, was never actually invoked into a final rule and will now become an issue for us again as we move into the world of e-prescribing, and it's going to be not a small issue as we move into the world of narcotics prescribing and other drugs that have DEA issues associated with it. now you seem to be handling the issue by reference to the GSA OMB e-authentication policy and the NIST FIPS publication 199, though you also reference that the NIST publication is apparently a, actually maybe I'm confused here. Are those final documents, are those preliminary documents? Because you're also referencing a final e-authentication policy and companion NIST technical guidance that's supposed to come out some time in the future. Can you really reference where we are with all of that and what you're perception is?
MS. NUGENT: Actually I can't.
DR. COHN: Okay.
MS. BRADFORD: I don't think they're final documents, I think that because we are an eGov initiative and another eGov initiative is handling the electronic signature, and that's a cross cutting initiative, that we have relinquished that sub-domain to their leadership. But I think that the documents that are referenced here are working documents, I don't believe they are final documents yet.
DR. COHN: Okay, I mean effectively it sounds to me like you're sort of taking that out of scope in other words, or at least referencing it to another --
MS. BRADFORD: We're recognizing that it's within scope of text based reports, that it's out of scope of the workgroup to determine the standard and to turf that to the other eGov initiative.
DR. COHN: Okay, well then let me just ask sort of a general question, is that there's, I mean if I were Kepa, which I'm not, but he is obviously very versant and will be here this afternoon, we would probably be observing that there's sort of various levels of durability and appropriateness of an e-signature standard. And obviously it's one thing to have a, there's actually already federal law that relates to some of e-signatures but there's various I guess levels of authentication and strength of the authentication. And as we move into actual prescribing and things like this, which are not really text based reports but really do relate to e-signature, is this going to be a standard or policy that's going to have the strength to basically be able to handle that? Or is that going to be good enough for text based reports but not for the type of thing we're talking about? Does anybody know?
MS. BRADFORD: We had some discussion with the gentlemen from GSA, Davis Thomashock, that we had call into our workgroup regarding those different levels of authentication saying that it would be, different levels were required for different business cases and those would have to be determined within each agency and their business needs. And that we couldn't, no one felt that they could put a blanket level two or level three authentication on the text based reports depending on the content. So I just think it's something that's still emerging and not quite there yet.
DR. COHN: So I guess our recommendation here of e-signatures is just a recognition that this is really even though described in here it is really not being addressed by this workgroup, I would think that the subcommittee, the full committee would consider this to be a very important issue that does need to be resolved, maybe working on it as part of e-prescribing, but there really does need to be some resolution of this issue. I think it was deferred from the HIPAA standards because NIST hadn't come up with a final policy about all of this one and it appears to continue to be an issue that's unresolved. Or is it going to be resolved soon and we're just talking about that we've just not had a final balloted or final approved recommendation here?
MS. BRADFORD: I would have to get back to you on the specific dates, to my best recollection I don't believe that it's a final rule yet but I have seen the documentation which I believe came out late last year.
DR. COHN: Okay. Other comments about this one? Am I the only one who's concerned about this one or at least ignorant about it? John Paul?
MR. HOUSTON: I don't have any comments, I really don't.
DR. HUFF: I don't have anything to add, I'm very interested as you are --
DR. COHN: Well, I'm just trying to make sure I'm not completely off on this one. Other comments or questions? Marjorie? No? Okay. Well, it sounds like we have a couple of comments about this one as well as questions. How do others feel? Jeff, are you able to comment about this one at all or do you have to completely --
MR. BLAIR: I have no concerns or objections.
DR. COHN: Well, in that case is there a motion to, I guess we'll have to see what our comments look like as written out, yes there is a quorum, John Paul, with you being here there is a quorum. So we can actually vote on whether to concur with this, with the comments that we'll further discuss, or at least review after we're done with the presentations. Actually Steve how far are you with comments at this point?
DR. STEINDEL: I've just noted the committee would like to note that we, this is what I put in as rough wording. The committee would like to note that we will be further studying both the HL7 Clinical Document Architecture and the Continuity of Care Record as part of our ongoing work. We further note that the need for e-signatures is an important component that has been investigated by the committee in the past and we'll be exploring further as part of our investigation into standards for e-prescribing over the next year. And I'll probably wordsmith that a little bit, that was just what I typed in now.
DR. COHN: Okay, well, is there a motion?
MR. HOUSTON: Those who haven't recused themselves --
DR. COHN: Since I'm the chair I think you're the only one who can --
MR. HOUSTON: I move.
DR. COHN: Concurring with the following comments.
MR. HOUSTON: That's right, I make a motion to concur with the following comments.
DR. COHN: Okay, I guess I'll second it. All in favor? Jeff, are you voting? Jeff in that case you second it. All in favor?
SUBCOMMITTEE: Aye.
DR. COHN: Opposed? Abstention? Stan's abstaining. Okay, well thank you. Well, with that, I think we're right at break time, why don't we take a 15 minute break and we'll get back together at 10:45. Thank you.
[Brief break.]
DR. COHN: Would everyone please be seated? We're going to get started here. I think our next topic is population health.
DR. STEINDEL: Are we going to go back to the encounter letter, Simon, before that? Or do you want to do the other two first?
DR. COHN: Well, actually it might be a useful, given our conversations to go back and look at the encounter letter for just a second, is that okay Alicia? Do you have time?
MS. BRADFORD: Sure.
DR. STEINDEL: Do you want me to introduce --
DR. COHN: Sure, Steve, why don't you --
DR. STEINDEL: With regard to the encounter discussion that we had earlier it was noted that the document that was presented to NCVHS did not include specifically the minor gaps that were noted by the CHI workgroup in their report. As was noted by them the gaps they considered were items that should be filled but did not necessarily prevent the adoption of the standard that was recommended.
What I've passed out to the group is a minor modification of the report that explicitly includes the gaps that were mentioned, and you'll find that in the last section under conditions. And the modification was the words noted below just to point to the list and then the list itself, and the items that they noted as gaps were explicit support for home health field and virtual encounters, support for clinical services that do not meet the definition of clinical encounter, national provider system IDs for practitioners and health care organizations, standard location identifiers, and standard hospital service names.
I didn't talk with the workgroup concerning the national provider system identifier since between the time this report was created and now the final regulation has come out about whether we should leave that as a gap and as was noted during that discussion while the final regulation has come out there's still going to be at least 18 months before the system is implemented so they felt that this was a gap that should remain.
So Simon, I think that completes the sense of the report, and I think it adds many of the items that we discussed at this table.
DR. COHN: What sort of comments had we, just to remind us, were there some comments that you had or were they all related to our --
DR. STEINDEL: I think they were all related to what's covered in these gaps, and the main ones that we discussed around the table included the observation that the definition for encounter that they were proposing, the HL7 definition, was week in its support for, the ASTM definition, and also I believe the HL7 for virtual encounters because of the lack of two addresses, etc., two locations, so there is some strengthening that needs to be done for home health field and virtual encounters both in terms of the message and the ASTM definition, and also the support for clinical services that do not meet the definition of a clinical encounter as defined by ASTM, in particular I think the clinical reports, radiology reports, pathology reports, etc.
DR. COHN: I guess that's, is that actually listed, I guess that is sort of stated in support for clinical services that do not meet definition of clinical encounter. This obviously as one looks at it, the January 7th version is obviously a little more complete then the January 6th and it does address most of the issues. I guess the only concern that I would bring forward might be some sort of recommendation that we might want to make that further work in this area needs to be done, especially, and I guess I would almost describe it as including some reconciliation between the concept of clinical encounters and billable encounters, just because there is, obviously these, I see that they're actually, by the time they're done with their larger definition obviously begins to handle that universe, but I think there is some, there needs to be sort of closer interaction occurring between the two recognizing that most business cases do sort of revolve around that second issue. And maybe we have a different better, better word then billable.
MR. BLAIR: That probably is where the gap occurred because the federal government doesn't necessarily have the same billing as the private sector, so maybe that's why they didn't focus on that.
MS. GREENBERG: I think there's a recognition of this being an issue and the problem is, and again, this was something as we were discussing off-line people have been agonizing over and trying to figure out or come to terms with for a long time. I think my interpretation is the workgroup felt that they could use the ASTM definition to come up with a recommendation that they felt met that definition recognizing there were services and other types of health care activities that would not be captured in that definition, feeling they would get probably tied in through administrative or other processes. I think what you said, Simon, about trying to find some kind of reconciliation between the clinical encounter definition and billable encounters is worth saying but easier said then done.
DR. COHN: Well, I think it's simply for further work, and I think that they begin to move in that direction as they talk about the future work that needs to be done, except that they don't really label them as conditions, more as sort of future suggestions is what I'm sort of reading these as. So obviously I think we accept these future activities but I think we do need to reemphasize that this alone as it is right now doesn't probably meet most people's use cases. And I think that final piece, which really is taking a hard look at this and figuring out how it all relates in with billable and sort of reconciling the two may really be that final step. Bob, it looks like you have a comment.
MR. HUNGATE: This question may be too far off the subject to be valid but it's an uncertainty that I have that you can perhaps help me with. Thinking about the personal health record, where there will be information that the patient is self reporting, what does that get called and how does that fit into the structure of events in the record if you will. This is a clinical encounter which seems to me is an event within the record of an individual, and it seems to me that we're talking about other things that are pertinent to that individual that maybe don't fit this. And so is there a class of other things that goes parallel with the clinical encounter that there's a list of that cover these other contents? That's the question.
DR. COHN: So the example you're giving is sort of a patient directed --
MR. HUNGATE: If the personal health record takes form there's going to be a lot of input there, yes I did take the drug, no I didn't take the drug, I didn't like it, I got this side effect, there's going to be content that's germane to the clinical process for that individual.
DR. HUFF: I think the heart of this comes back to why do you want to distinguish these clinical encounters. It's clear why you want to distinguish billable encounters because you want to bill for them, or you want to track at least the financial implications of the care that was provided. I mean in our case, speaking for IHC, all of that other, I mean there's the electronic medical record and things in that record, some of them represent billable encounters, some of them by the definition that was given would represent clinical encounters, and then there's a lot of other data that's just in there that's part of the electronic medical record. And I think maybe that comes back into this desire that Simon expressed reconciling sort of those definitions and asking the question is it really essential. I think the definition that was given here was appropriate for bounding and focusing the work of saying what terminology should be used for encounters but I'm not sure it has any real, I'd like to understand the use case for distinguishing it otherwise within the medical record. I think the rest of it is just data that's important to the health of the individual it should be part of that record.
DR. COHN: Stan, I don't know if you're reflecting and coming up with some further wording for our comments or not, it seemed like you're almost there. Do you have something to propose that we add to the, I sort of agree with you, I'm just not sure how to --
DR. HUFF: Well --
DR. COHN: Is this a subject for further work, additional --
DR. HUFF: I don't know how to formulate it any, I guess what I'm saying is that I support the work of CHI for the clinical encounter and the way they approached the work and using the definition they did allowed them to bound the work and determine terminologies and standards that would be used for communicating this clinical encounter information. What's not clear is how it relates to billable encounters and how it relates to other things that don't seem to fall into the encounter at all but are clearly part of the electronic medical record and those should be a subject for future work of the committee.
DR. COHN: Jeff?
DR. HUFF: So I'm not formulating it very well.
MR. BLAIR: If I piggyback off of your comment, Stan, about use cases, it's almost as if we've heard three and where the report was called clinical data encounters it seems to me like maybe if it was called patient provider encounters and then Bob Hungate's comment is that we may have patient directed or patient generated encounters that have yet to be well defined, and the third one would be billable encounters, then we have three different types of categories and maybe that would help to encompass what you're saying as use cases, encompass Bob Hungate's observations, and encompass yours, Simon.
DR. COHN: I think the world of billable encounters is pretty well defined to the HIPAA administrative transactions.
DR. HUFF: The other thing that plays into this, this is confounding more then helping. I mean the other concept that is very useful is the idea of episodes, which are focused around a particular disease process and that's very useful because then you can track the costs and the provision of care as appropriate to that specific disease process. And that's sort of left undefined in all of this, too, we've never figured out a good way that's not, that's sort of operational to do episodes right because it's hard to figure out how to allocate things to a particular episode. Well, it's not actually so intellectually hard but it's just practically hard in terms of determinant for every piece of information which episode it applies to.
DR. COHN: Well, though I will tell you that probably some vendors would be happy to help you with that problem.
DR. HUFF: Yeah, I think so, seems like I've seen that. I mean I can see a use case for that because it helps you track the quality and cost of care focused around a particular disease process.
DR. COHN: Steve and then I have a comment to make also.
DR. STEINDEL: Simon, I have to in one sense put on my CHI hat right now and we have to look back at the purpose of CHI, which is to define standards to be used for federal interchange of health care information. And while the comments are very appropriate concerning billing and concerning the personal health record, this was not, billing was identified as a domain of CHI and that was reported and it was noted that the HIPAA standards would be used for the billing domain so I think in a sense that encompasses the billing encounter. And the personal health record was not noted in this phase of CHI as something that was particularly important for federal health care exchange. And when the encounter workgroup came together they asked what is left that we should be defining, and they looked at the clinical encounter itself as they defined it here. I think it's totally appropriate for NCVHS to comment in the letter about the extension into these other areas, a note to the Secretary that NCVHS is concerned about it. But I think to reflect it as a recommendation to CHI to change what they were saying may not be --
DR. COHN: So basically I think we're coming up with two recommendations for extensions that would be of value. The part I think I'm having trouble with and let me just be honest about it is, I think this is very good work and I actually agree with the recommendations, the problem that I have is that I'm not sure I agree with the fundamental definition and the way they're constraining the universe. And I just don't know how that helps us at all and that's the part that I'm having some trouble with even in the federal health care enterprise. And I guess I had thought, when I first heard about clinical encounters I thought that there was really a universe of clinical encounters, I thought nurses had clinical encounters with patients, I thought all aspects of the health care system really had clinical encounters and that probably was inclusive of your perspective, Bob, in terms of patients have their own initiated encounters, and this is really I think what they've taken as, by the act of taking clinical and moved it into decision making, which I think the ASTM definition, or a direct whatever, that obviously, I mean it's an interesting definition, I'm just, I need to understand better the use cases that make this a valuable definition and a valuable constraint.
DR. STEINDEL: As I understand it the ASTM definition is not constrained just strictly to physician/patient encounter but any practitioner.
MS. BRADFORD: Social work --
DR. STEINDEL: Social work, nursing --
MS. BRADFORD: ET, OT, they're all included.
DR. STEINDEL: That exhibits any or all of the characteristics that are noted in the definition.
MS. BRADFORD: I believe all other then ancillary personnel, such as nurses aides --
MR. BLAIR: Did the ASTM, it had more then one definition, the very first one is the broader one, the second one was the one that indicated decision making on the part of the practitioner.
DR. COHN: Okay, so let me just ask maybe again, maybe I'm missing this. As I read this one it still doesn't look, I mean does this include a nurse to patient interaction in the process of care or does it exclude it, because I guess I can't tell.
DR. STEINDEL: It is my understanding it is supposed to include it, there was some discussion about this at CHI Council.
MS. GREENBERG: That it was what?
DR. STEINDEL: Included, nurse/patient --
MS. GREENBERG: Nurse practitioner you're talking about?
DR. STEINDEL: Any nurse.
MS. GREENBERG: I don't think so, that would be excluded.
MS. BRADFORD: No. It even includes here such as social workers, anyone for the responsibility of assessing, evaluating, treating a patient, which can be any of those practitioners. I don't think practitioner is limited to physician. It's a licensed practitioners, so not --
MS. GREENBERG: A nurse is under the supervision of the physician as opposed to being the provider who can bill or whatever, and I hate to get into the billing but if the nurse is under the supervision then is he or she exercising independent judgment?
MS. BRADFORD: Nurses evaluate and formulate their own plans of care for patients outside of a physician, so they're included, as well as physical therapists do the same and social workers do the same. So I think it's limited to licensed practitioners.
MR. HUNGATE: Just thinking about the content it seems to me that there are two issues involved in it. One is the source of the information, because it has a different credentialing process if it's the physician or a social worker probably. And the actual content, what it is. And the patient, although not a licensed practitioner, controls more of the health process then anybody else, so it just seems to me the source and content are both kind of wrapped up in this definition. And I wonder.
DR. STEINDEL: Simon, would it be appropriate to say something to the effect of, something like it is our understanding that this workgroup is recommending that an encounter apply to a wide range of practitioner/patient episodes but we are unclear if the definition is broad enough to cover this and recommend that it be revisited, something like that? I mean I have to word it a little bit more appropriately but --
MR. BLAIR: I guess in my view when, if you look at that first definition I thought it was broad enough to include all different types of practitioners and even added social workers, but the thing that I was thinking of is maybe the problem is in the word clinical encounters, see that's where I was thinking that this is really provider/ patient encounters, and within that context I think those definitions fit and the recommendations fit.
DR. STEINDEL: Jeff, if I may comment, I deliberately used the word when I was trying to phrase some wording in my mind that we're unclear on the definition, it's not that the definition may cover it. But actually a very similar discussion occurred at the CHI Council level, so the CHI Council itself had some questions about the breadth of this definition and it was viewed on both sides of the fence as it's being viewed here at this table on both sides of the fence. So I think we realized that the intent of the workgroup is to cover these encounters and we may be trapped in just some wording, and they looked through the literature to find a definition that they could site and chose not to make one up on their own, and this was the closest that they found. So I think our comment back that the closest definition works maybe 90 plus percent of the time is appropriate but we have some questions about that percent that it doesn't fit and if we could word something in the letter that says that I think it would be appropriate.
DR. COHN: So I'm hearing that there's sort of three things that we're saying, oh I'm sorry, Marjorie.
MS. GREENBERG: Why don't you say your three things.
DR. COHN: Well, I think the three things, one had to do with asking for additional clarification, to make sure that it's as wide as we'd like to see it be. I think B, we're asking for some reconciliation with the world and I'm trying to think, better come up with something better then billable encounters but I'm just trying to think of services identified under the HIPAA administrative and financial transaction, I'm trying to think of what the right term is but it probably --
MS. GREENBERG: I think it's alright.
DR. COHN: Billable services?
MS. BRADFORD: There's a billing domain workgroup for CHI which recommended HIPAA, we could reconcile with that domain's recommendation.
DR. COHN: That's right, with that domain's recommendations. And finally is that there needs to be I guess further work around the very important area of direct patient interaction, the patient initiated interaction is really what we're describing.
MS. GREENBERG: Patient generated information, is that what we're talking about?
DR. COHN: Patient generated.
MR. HUNGATE: Patient initiated.
DR. COHN: Patient initiated encounters with the health care system. Is that what --
MR. HUNGATE: Well, by entry into a personal health record you'd say this is information about me that's important for my medical --
MS. GREENBERG: I think it's patient generated information because they may not even, I mean from what you're describing not necessarily interacting, I mean most encounters are initiated by patients, the majority I guess are one way or the other but this is the case of, you're talking about a personal record, personal record for which they have allowed some linkage to the electronic health record, so that's really patient generated information.
DR. COHN: Does this also include things like letters that patients send into the doctor about their condition and all of that?
MS. GREENBERG: That would be patient generated.
DR. COHN: I mean that's not an unusual occurrence even in the world pre-internet.
MR. HUNGATE: I'm presuming that a clinical encounter is reported by a clinician and that's a distinction from that which is self reported by an individual, not having been reviewed by a clinician. So there are different kinds of information in that way, I don't know how that gets dealt with in the standards --
DR. COHN: Or in the concept of clinical encounter.
MR. HUNGATE: And I'm not sure whether the patient unreviewed input is called clinical in this context.
DR. COHN: Mike, do you have some wisdom here?
DR. FITZMAURICE: I don't know if it's wisdom, I know that we had an awfully rough time defining an encounter and to talk about it as what's missing, and can we shove it into what's missing almost begs them for a modeling of information, what information do you need to make a decision, what information is not in an existing set of standards adopted by CHI, and I'm not proposing that we have CHI then take an exercise in information modeling or data modeling but really that's what this is getting into when you start asking what do we not have and let's put it in here.
It bothers me that a patient goes to get a lab test and the physician who's the head of the laboratory reports it someplace, that it may not be an encounter, I tend to think of encounters as if I'm an HMO what do I want in an encounter because I get paid not on the basis of the same billable units as the fee for service insurance, and so do I want something in there that has the same effect as an electronic medical record, you want something in there that defines some discreet units that I can count up and serve as fodder for HEDIS measures or other quality measures. And then it gets back to, it's information modeling and then it gets back to Stan, well what is the use case, what are we going to use it for and here's a place to put the information in there that we'll need. So I can think of supply and quality measures, I can think of pseudo billing so you can justify maybe a payment from a health plan or a Medicare when you don't have bills.
It's not wisdom but it's a way of looking at it in a modeling that, it's leading us in that direction and I guess I would propose that we give some kind of overview thing, and this is an attempt to put information that might not be gathered elsewhere that is not complete, it doesn't have some of the laboratory information, it's not a clinical patient encounter at that time.
DR. COHN: Well, I think we should observe that the X-12 837 is actually just not for billable transactions, it's also actually in the definition, it's also indicated as for encounters such as you're describing, I mean whether it fulfills that purpose completely is another topic but that was certainly how it's defined. So what do we do with all of this?
DR. HUFF: Here's one more chance, one more thought. So I would say that I agree with the scope and recommendations that the committee has made relative to clinical encounter but that we not use that definition as a guide as to what should be included in the electronic medical record.
DR. COHN: Or transferred.
DR. HUFF: Or transferred or whatever.
DR. COHN: Or exchanged.
DR. HUFF: The idea being that again, I think it's appropriate within their scope to say for purposes of defining the set of terminologies and transactions that we need relative to encounters their definition is appropriate, but that we not use that definition in trying to exclude data from the electronic medical record simply because it doesn't fall into the definition of this clinical encounter as it was used by the subcommittee.
MS. GREENBERG: And they would agree I'm sure fully.
DR. COHN: I feel sorry for Steve trying to put all this together.
DR. HUFF: I don't think we want to use this definition, basically we don't want to use this as a reason to exclude any data that should be included in the electronic medical record.
DR. COHN: And I think that that's really the conversations that we're all having sort of fall into that issue of this clearly is not the universe and I think we're all observing that for all the many reasons.
DR. COHN: We could go on to say specifically we expect to include patient generated data but I think it's not only patient generated data but there are other things that could be noted by family members or by health care providers that wouldn't, I mean if they observe a fall, there's just a lot of things it seems like wouldn't fall under this definition but would be information you would want in the electronic medical record.
DR. COHN: Steve, how are you doing with this as we give you all sorts of good advice on, you all thought we'd have more then enough time to do all the work that we needed to do.
DR. STEINDEL: Simon, if you'd like me to read what I've captured at this point in time I'm going to skip the first sentence, which presumes a vote that we haven't had yet, but then the expansion part. We note that some clarification is needed regarding the scope of the definition for encounters. It is our understanding CHI intends for the definition of encounter to refer broadly to all types of practitioners interacting with a patient. We feel the definition encompasses all encounters between practitioners and patients, there should be a while in there, we feel while the definition in some explicit clarification may be in order. While not possibly within the scope of CHI we note the standard proposed might not apply to patient provided data as might exist in a personal health record. We finally note that the scope of this CHI workgroup was narrowly defined and that encounters as would be observed broadly in health care or as might be enumerated in an electronic health record is broader. I have to do some wordsmithing still but I think that captures the thoughts that I was hearing around the table.
DR. COHN: Stan, does that, I think that's actually pretty good.
DR. HUFF: Yeah, I think that --
DR. STEINDEL: Adding the wordsmithing.
DR. COHN: Yeah, the wordsmithing. Does anybody have any additional comments? I think that really sort of captures --
DR. HUFF: If you had longer I think you could say it in shorter but that's okay.
DR. COHN: Okay, well I think we're all nodding our heads, which is a good sign. Do we want to see this, we probably ought to let Steve do final wordsmithing and then we can reread it but I'm sensing that this is sort of the sense of the subcommittee on this one and we'll, review it when we're done with the next two items I think and then we can sort of reflect back.
DR. STEINDEL: Simon, we need closure on a vote.
DR. COHN: Oh, on this one?
DR. STEINDEL: My recommendation there is that we concur with the recommendation of clinical encounters as modified.
DR. COHN: With the following, well isn't as modified but the following --
DR. STEINDEL: The observations are separate, we've actually made a slight modification in the document. The way we've been handling this previously is that we edit the gaps.
DR. COHN: Okay, I'm sorry, I thought this was consistent with the 1/7 version but I guess this is not the --
DR. STEINDEL: Well, I'll let them worry, we'll just say as modified.
DR. COHN: Oh, as modified, fine, okay, does somebody want to move that with the following comments? With the comments as described simply to further wordsmithing, Jeff?
MR. BLAIR: I move that we accept that language.
DR. COHN: Second? Stan? Other comments? All in favor?
SUBCOMMITTEE: Aye.
DR. COHN: Opposed? Abstentions? Okay, Alicia, thank you. I think we're on to population health, that's Steve, we're asking you to multi-task.
MS. BRADFORD: The next two that we have are both led by Steve, population health and chemicals.
MR. BLAIR: Do you want to hold one hat while you wear the other?
Agenda Item: CHI Final Reports - Population Health - Dr. Steindel
DR. STEINDEL: Thank you, rapidly changing hats. Population health, this workgroup has had a long history, it was one of the first workgroups that was formed and it was one of the last workgroups that actually started to work. It was identified by CHI Council as a very important workgroup and as it was discussed in the early stages we realized that population health reporting encompasses a large number of areas that might be defined by other CHI domains that hadn't produced reports at that time. It was decided at that time to defer this workgroup until those reports started at least providing some information in draft format if not final format.
As that material came in in the fall we realized that we were seeing an intellectual gap starting to exist between what was going on in population health and what was coming in in the area of clinical reporting standards. There was a lot of discussion at the CHI Council level about what to do with this workgroup and what form the report should take. After much discussion it was decided that the workgroup for population health reporting would not recommend any or a specific standard, and the report that I'll be giving reflects that basic thought.
We had, Alicia if you can go back to the first one, the workgroup itself was made up of numerous members, most of the team that participated in the formation of the workgroup is noted in the slide were from various HHS agencies since most of population health reporting comes from the HHS agencies. There were comments from DOD on the report.
I reviewed most of this material about what population health data is, and we were looking at it as a domain that might be dependent on other standards but also using what's existing today. If we can go to the next slide, this is the approach that we took creating this report. The first was that we could not produce a specific recommendation, that we decided to produce a recommendation that could be used as a basis for future work in this area, and the first step that we did was to ask the various HHS agencies to produce a rough list of the population health statistics reports their agencies produce and what standards that are being reflected in the clinical environment that might exist in those reports.
The report specifically excluded those population health reports that did not use any of the standards that were being recommended in other areas and I need to point out especially with respect to CDC that a lot of the material that does exist in this report is based on older data since that was all that we had our hands on and some of this is in a state of flux. So this was used to put together the recommendations.
The scope of this domain included public health reporting, which includes surveillance information, etc., population health statistics, which includes such things as vital health statistics, etc. It excluded billing data and statistics related to that as it was covered under another CHI domain. And finally we did note that institutions tend to keep these types of statistics as well, however, the CHI domain would not encompass that but we did suggest that if institutional statistics were being kept that they use standards that are similar to what's being used for the external statistics just as noted.
Alternatives identified and this was based in part on the list we put together from the various HHS agencies. These lists in just part of the standard terminologies that are being found in population health reports that exist today. If you take a look at it you can see that it is a wide range of classifications and terminologies, and it would be difficult to make any type of specific recommendation at this time based on this.
Our findings were that the current terminologies are numerous, they're not coordinated among the various agencies, the list contains recent population health reporting systems used by HHS and that contain one or more standard terminologies, and this list is provided as part of the report, it's approximately a ten page list, it is not complete by any means. The list found some HHS population health reporting systems today that are widely used and widely noted such as the National Disease Surveillance System from CDC that are not on the list, and the reason it's not on the list is because at the time the list was created in 1997, which was the data I used to put it together, the National Notifiable Disease Surveillance System only used its internal codes. Today we are making a move at CDC to convert that over to SNOMED codes and we are in the process of doing it, but actually if I produced that list today I still would include it because that conversion is not complete. So you can get a sense of the extent of standard coding systems that are currently being used for population health reporting systems.
So if we can go on to the, well, we also observed, however, that today many of the reporting systems that are being used to gather population health statistics are covering domains that have been noted by other CHI workgroups. For instance, in infectious disease reporting we tend to use laboratory results and CHI has made recommendations for both laboratory test names and laboratory test results that have been adopted. And we note that where the domain is equivalent that that domain can be used for population health reporting. So we didn't feel that we needed to re-enumerate those but just make that broad statement, so for instance CDC has a very active program now trying to convert the nation's laboratories into using LOINC and SNOMED codes, which are the two domains that have been recommended by CHI for public health reporting and that is within the scope of the notes that we took for the population health workgroup.
We note that the list that we provided we acknowledge is incomplete, we acknowledge that we have no idea beyond this list of the extent of the population health reports that are being produced or what terminologies are being used. I will note that the Data Council of HHS has created a list that is assumed to be complete of all the population health reporting statistics that are being generated within HHS and a website exists that allows access to those reports. However that specific report that was created by the Data Council does not go down into the data domains that are used or the terminologies used in that area, so our recommendation is still complete, that we do make an exhaustive survey of the population health reports now being produced by the federal government and the various terminologies that are being used in those reports so we can relate those to what's going on clinically and we do have that inventory and we've suggested that this task be assigned to NCHS because they are the designated the national health statistics agency.
The next part of our report involves something that we noted and that is that there is a transition in effect right now and that is the movement to the use of clinical data for the generation of population health statistics. And I noted that for example in infectious disease reporting we are already starting to make that move. However, many of the population health statistics are reported using already existing classification systems, etc., that are not widely used clinically and today there is a human translation of this clinical information into the codes that are being reported for population health. In the future we are presuming that that transition will occur electronically, possibly using maps, possibly using other means, but there will be an electronic transition.
We have no idea how --
MR. BLAIR: Transition or translation?
DR. STEINDEL: Transition and translation, I think both words are appropriate, Jeff, thank you. We have no idea of how this new data derived from clinical data will track longitudinally with preexisting data and of course as we're well aware longitudinal data is very important in population health statistics and we think some investigation should be done as to make recommendations for this transition.
We also note that at least for a time, and that time might possibly exist forever, there will be a dual system that exists between the electronic translation of clinical data into population health statistics data and human translation of this data into population health statistics data. And while we say for a time, obviously if everyone is using electronic health records we hope that it will always be done electronically but we presume that at least there will be a time gap before that occurs and that time gap may exist in isolated areas where human translation will always exist. And there have been studies that have shown that humans can tend to be subjective and machines tend to be very objective and we need to know if there's going to be any difference in how we can make decisions based on these changes. And we suggest that an authoritative body look into this. And those are basically our recommendations for two future studies in this area.
Are there any questions, comments?
DR. HUFF: Maybe you could address, do you see for instance data that is contributed or passed to either cancer registries or disease registries to be in scope of this particular recommendation?
DR. STEINDEL: It is our notation that data that's generally passed to specific disease registries, for instance cancer registries, etc., what we tend to have passed into those domains actually is the clinical data, the tumor diagnoses for instance, the anatomical location of the tumor, etc. And those recommendations have been covered by other CHI domains and we feel that those recommendations are appropriate.
Now what we don't know in the future is the reports coming out of the registries, sometimes they're translated into classification systems and sometimes they are not, and so it's that next step that we feel a little bit of the cloudiness occurs. But the data going into the registries we feel will be clinical data, it is clinical data today.
DR. COHN: I actually sort of think the recommendations are a reasonable one what you're describing, I did have the same question that Stan had about whether we should be observing good work, for example at the immunization, HL7 immunization standard and all that and whether that was something to acknowledge, or the work going on by the NCHS related to developing an implementation guide for the 837 that relates to public health --
MS. GREENBERG: Discharge data?
DR. COHN: Is that what it is specifically? I was actually thinking more of the work that you've done with the data, the consortium --
MS. GREENBERG: The guides for health care services?
DR. COHN: Exactly, about whether any of that are things that we should not but it seems like it's sort of out of scope from what you're describing.
DR. STEINDEL: We actually noted that as being out of scope for this particular workgroup because it's using billing data.
DR. COHN: Okay, well I guess we won't say nice things about that, it's always nice to say nice things about things but I guess we'll be reflecting that in the HIPAA report instead. I guess the one thought I had as I was listening to this is that this sort of work almost sounds like the next step for the 21st century statistics vision. Is that --
DR. STEINDEL: I think that that's an accurate reflection.
DR. COHN: I don't know if there is a next phase of work of all of that but it just feels like this is really sort of how we're talking about sort of clinical data meet future statistical systems and how does this all really play out.
DR. STEINDEL: Well, Simon, I didn't specifically, if we look at the last slide and the last bullet it says specifically it is recommended that the NCVHS, the Board of Scientific Counselors of the NCHS, and the National Library of Medicine would participate in these studies. That is reflected in the report.
DR. COHN: Well, do we have any comments? Do we just want to concur?
DR. STEINDEL: Please, just do that, so I don't have to do any wordsmithing.
MR. BLAIR: I move that we concur with these recommendations so that Steve doesn't have to do any wordsmithing. No, no, I move that we concur, as is.
DR. COHN: Other comments? John Paul, do you want to second?
MR. HUNGATE: I will second.
DR. COHN: Further discussion, Mike?
DR. FITZMAURICE: Just a question, Steve, you mentioned two studies, which of those bullets refer to the two studies, the first bullet and the --
DR. STEINDEL: The first study is the compilation of the population health statistics reports that are being done, and the second study is the future relationship of the clinical data to population health data. Those are the two studies.
DR. FITZMAURICE: You might want to make it clearer in the recommendation.
DR. STEINDEL: Actually it's clearer in the report then it is in the slides.
DR. COHN: Any further comment, questions? All in favor?
SUBCOMMITTEE: Aye.
DR. COHN: Opposed? Abstentions? Okay. Steve, you're on to chemicals.
Agenda Item: CHI Final Reports - Chemicals - Dr. Steindel
DR. STEINDEL: Okay. Now the chemical domain, this was interesting from somewhat of a personal point of view because most of the years at CDC and I would say essentially all the work, almost all the work I have done at CDC, I have never acted as a chemist, which is what my degree is in, and this is the first time I think I've actually put on my chemical hat --
DR. FITZMAURICE: Well, you had been a catalyst haven't you, Steve?
DR. STEINDEL: So it was nice to be involved in something that was chemical for a change. But this was a very limited domain, if we can go to the next slide we'll take a look at the people that were involved. I was the team lead, we had Bill Hess working on the report from FDA, John Harmon from EPA, and Dick Nemeyer(?) from NIOSH at CDC, our National Institute for Occupational Safety and Health, primarily because of his interest in toxicology.
The domain was specifically stated to be chemicals of importance to health care outside of medications. We have already made a recommendation for the terminology to be used to list drugs and medications, so this is the other chemicals.
We had a lot of discussion about where these chemicals might appear and how would they be used and it was our feeling that most of these chemicals when they would appear in a health record would be chemicals that were found in the work place or the environment that contribute to a patient's health. So we felt that generally speaking these chemicals would not appear widely in a health record of any kind and if they did they generally would appear as part of the first encounter with the patient and as part of the history and physical, but they would not be widely used.
MR. BLAIR: Steve, you said they would contribute to a patient's health, so you're say positively only? I thought it was both --
DR. STEINDEL: Both, both.
MR. BLAIR: -- negative --
DR. STEINDEL: Any aspect of the patient's health. So we looked at this as non-medical chemicals were in scope and as I mentioned the drugs, etc., were out of scope.
We looked at, originally this was focused as just a confirmation domain because we were aware of many lists of chemicals that are out there. There are literally thousands of chemical lists that are available on the internet for people to use. SNOMED CT has a list of about 16,000 odd chemicals. Our feeling and the feeling of the drug group when they looked at SNOMED CT is that SNOMED CT was a reactive list. When something appeared in the medical literature it would then appear in SNOMED. What we were looking for was a more proactive list where the list of chemicals would appear before somebody encountered it, and so it could be used, so we felt that SNOMED was not appropriate for this.
There is a very good list of these types of chemicals that exist, the registry of toxic effects of chemical substances, that until about a couple of years ago was maintained by CDC's NIOSH division and contains roughly 150,000 toxic chemicals and the impact of those toxic chemicals. We would have really liked to recommend this list but a couple of years ago NIOSH decided that it could not afford to maintain this list and released, and signed an agreement with an outside vendor and consequently this list is no longer available in public domain and has a license fee associated with it. We did not get a firm feel for what the license fee would be but it's approximately on the order of $250.00 a user, so we felt that that would be prohibitive.
There is a widely used list, it has I think about 23 million chemicals listed that's maintained by the Chemical Abstract Service, a division of the American Chemical Society, it is considered to be the list of chemicals. The problem is that it also encompasses a license fee and it is allowed to be used without licensure for regulatory purposes, the Chemical Abstract Service does allow that, so consequently you see Chemical Abstract Service numbers widely appearing in other lists because those lists are used for regulatory purposes. We have talked with the Chemical Abstract Service and we are both in agreement that using these for medical purposes does not constitute regulatory use so consequently the CAS numbers were not considered appropriate for this domain.
After looking broadly the EPA maintains a list of approximately 80,000 regulatory chemicals as part of their substance registry system. This list is available in the public domain, it's maintained by the government, and we felt that this EPA list would serve as our recommendation for chemicals. The EPA list as you might gather is very complete with respect to those chemicals of environmental importance. It is not complete with respect to those chemicals of toxicological importance and we have discussed this with the EPA and given adequate resources they are willing to expand that list to encompass those chemicals.
We have also noted that the EPA list is not distributed completely. Now people who want to get information from the EPA list can query the list for specific chemicals or specific sets of chemicals as defined by EPA regulatory domains. This would not be adequate for medical purposes, the EPA is willing to make a subset of that list available for chemical purposes as a download from their database should this be selected as a government standard for that.
There are some minor other things, like for instance if we do accept this as a government standard we would have to develop an object identifier for use in HL7 messaging, and I think that about covers the conditions and gaps. But these were noted as conditions and gaps that were critical, that we could not start using the standard until they were filled. Since these do require some resource allocations from EPA, EPA is not going to start filling these gaps until there is some specific recommendation that resources be assigned and negotiations occur to find where these resources should come from.
There were some non-critical gaps, the first one is one that EPA itself has identified and is working on it concerning synonyms and how they're used in the SRS, and also the introduction of a common exchange file format. Presently the list is available for download as a comma or tab delaminate file of EPA defined structure. There are known chemical file structures that have been defined, I've listed two of them, the MDL Mole(?) Files or the Chemical XML structure, both of which are widely used, established, and EPA has made an internal commitment to investigate and to use these structures so we think progress is being made here.
And those conclude the chemical recommendations, I'm open to questions.
DR. COHN: Jeff?
MR. BLAIR: Steve, could you explain what you mean by an object identifier that you'd have to create?
DR. STEINDEL: An object identifier is used by HL7, it's an ISO standard identifier that uniquely identifies where the terminology comes from. So if we did use the EPA SRS table it would have to be assigned a unique object identifier so that whenever we gave it in messaging it would have this long number and all these people who memorize these object identifiers would just take a look at the long number and say oh, that's the EPA SRS.
One reason it's actually listed there is because I've had discussions with EPA, there's two ways an object identifier can be assigned, an external body can assign it or EPA can assign one internally if they decide to establish an object identifier structure. And CDC has decided to do that and that's the way we assign our object identifiers, and I've talked with EPA and told them that this would probably be a good route for them to go. So before one is assigned we just have to work that out internally.
DR. COHN: Stan, why don't you go and then I'll --
DR. HUFF: A couple questions, one, did you actually try and negotiate with the CAS guys or did you just --
DR. STEINDEL: Yeah.
DR. HUFF: So you explained to them that we'd like to use their number and if they wouldn't let us use it for free we would do something else and they said go ahead basically?
DR. STEINDEL: Yes, I have a letter from CAS.
DR. HUFF: Second question --
DR. STEINDEL: Stan, just to elaborate on that, actually the National Library of Medicine went through a similar exercise a few years ago with the same response.
DR. HUFF: That was my second question is what's the coverage of these kind of chemicals in either MeSH or the metathesaurus?
DR. STEINDEL: MeSH and the metathesaurus, the coverage in those areas is roughly the same as SNOMED and the coverage in it is complete from a reactive sense meaning that if a report appears in the literature MeSH will pick up the chemical.
DR. COHN: Steve, I think I have a similar question to Stan's first one but related to RTEC, did a similar discussion occur with them in terms of --
DR. STEINDEL: The actual discussion occurred when NIOSH made the changeover to RTEC.
DR. COHN: I guess it really does point out that the government ought to try to coordinate their activity and centralize their databases as opposed to having significant redundancies --
DR. STEINDEL: I actually think if there was something such as CHI going on two or three years ago when NIOSH made this decision internally, since NIOSH is part of CDC, we probably would have recognized the problem of doing this in the future and we would have kept it.
DR. COHN: Jeff?
MR. BLAIR: I understand that the scope of this workgroup for chemicals is external to drugs and medications. However, is there a possibility of any difficulties if the coding structure for these chemicals is different then the coding structure that the FDA is putting forth for ingredients in drugs and it might be the same chemical? Supposedly we're trying to say that these are going to be considered separately but what thoughts are there about inconsistencies?
DR. STEINDEL: The FDA and EPA have already started discussion on eliminating any inconsistencies that might appear. We do note that there probably is very limited overlap between the two lists, if any overlap, just because the environmental chemicals are generally not drugs, so we don't know what the extent of the overlap is but we think it's very, very limited. But I think as you might recall that there was an EPA representative and an FDA representative on the workgroup and both of them without any real prompting noted the synergy between the two lists of chemicals maintained and there is discussion to harmonize those two lists.
MR. HOUSTON: Wouldn't there be chemicals such as used with animals and otherwise in essence be the same compound, I'm sorry, I was just saying that I think in agriculture there would be a fair number of chemicals that might overlap because they would be used both with animals as well as in humans.
DR. STEINDEL: I think what we have here is we have two types of agricultural chemicals and those, the agricultural chemicals used for the production of food products, be they fertilizers or pesticides. A lot of those are already, are regulated by EPA and are on the EPA list from that point of view. And then there's the other set of chemicals that are used to augment animal growth, like for antibiotics and stuff like that, and those are generally considered to be drugs and FDA usually has those in the list. We don't have any veterinarians present but I think there are very few veterinary medicine that would be just existent in the veterinary world, and they probably are for reptiles or something like that that might have different types of metabolism then mammals.
DR. COHN: Bob?
MR. HUNGATE: Another question related to the personal health record part of it. A lot of alternative medicine that's going around, and I'll bet that a lot of the things listed in these lists are in alternative medicines.
MR. BLAIR: Do you want to speak into the microphone?
MR. HUNGATE: I was trying to but I guess I wasn't close enough. So I don't know whether the reporting mechanism you've talked about here is history and physical, but I think it might also be personal health record if this information gets translated through products that its in in ways that individuals understand it. And I don't know how that gets done or how it fits but it seems to me like it's a piece of it.
DR. STEINDEL: I think we had some discussion regarding alternative medicine when we spoke about the list for drugs and I think there is still a lot of flux going on within the FDA structure about how to handle the whole area of alternative medicine when they start thinking about changes to the NDC codes, where there are now non, a lot of NDC codes for these types of products that are not considered to be in the domain of the FDA, and I think we're going to see some codification in that area. Now that's one answer. A second answer is I think your observation is quite correct and I think a lot of these alternative medicines were covered in the RTEC list but are not covered in the EPA list and we do note that the RTEC list needs to, at least a large portion of it, appear in the EPA list but will not do so unless resources are allocated to do that.
MR. HUNGATE: Well, my suspicion is that people are going to put stuff in their mouth and in their body without FDA's control of that process, but medically it's going to be there and there ought to be a good way of keeping track and knowing what it is.
DR. COHN: Carol?
DR. BICKFORD: Carol Bickford, American Nurses Association. When you're talking about chemicals that are not related to medicine how did you crosswalk that to laboratory toxicology studies, for example, carbon monoxide?
DR. STEINDEL: That actually would be within the domain of this group.
DR. BICKFORD: But was there an actual crosswalk --
DR. STEINDEL: Not as a specific exercise because most of the people who were involved with the workgroup were familiar with it, like the person from NIOSH, his expertise is toxicology, I'm a clinical chemist for instance and have done that crosswalk mentally many times.
DR. COHN: Steve, final question about the SRS, is there, I mean in many of these terminologies, some of them have no structure, others have structure, is this a structure terminology or how does it --
DR. STEINDEL: Yes, it's a very --
DR. COHN: It's a well structured --
DR. STEINDEL: It's a well structured terminology within the domain that they're working.
DR. COHN: That's what I mean, you can identify siblings and, I mean unique identifiers and you can identify closely related other substances that are similar and all that, as opposed to a flat file.
DR. STEINDEL: Right.
DR. COHN: Okay, good. Other comments, questions? I don't think we've solved everything, clearly this is an area that's going to require mapping to everything else and I guess would be incorporated into the metathesaurus?
DR. STEINDEL: It is our intent that eventually it will be incorporated into the metathesaurus.
DR. COHN: Okay, so that would ensure mapping with SNOMED, with other, the various drugs and everything else.
DR. STEINDEL: There is a commitment from the National Library to make sure that all the CHI recommendations are in the metathesaurus. Putting on my workgroup chair hat what I would like from NCVHS if they do concur with this recommendation is that in the letter we do make an explicit statement about the need for resources for EPA to fulfill the use of this, we'll word it accordingly.
DR. COHN: Okay, comments? -- but also I presume that the NLM has funds to make sure this is in --
DR. STEINDEL: We're not sure where the funds would, I don't think it's our, the NCVHS's domain to decide where the, we just note that --
DR. COHN: Funds are needed.
DR. STEINDEL: It's my understanding that EPA might be able to provide its own funds for this from a reallocation point of view if they were told it was a mission but they're not going to do it unless they're told it's a mission. I think the actual funds that are required to add the new toxicological terminologies the way it was described to me is they have a consulting chemist that validates that there's no duplication, etc., with existing structures in the tables and it would be basically contract work with him.
DR. COHN: It seems like there's two pieces, one is the expansion of the terminology, the other is the integration into the UMLS, but of course that second one is true of everything we've been describing so far, all the recommendations.
Well, I think we are basically supportive of that, is there any, we're obviously concurring I think with the recommendation that resources are going to be needed, we're probably making a sort of a reminder that applies to all of these and I guess we've, are we doing 15 or 14 domains this time, that obviously to help this all happen there needs to be adequate resources to support the integration and mapping.
Anything else? Do we have a motion then?
DR. HUFF: I move we concur with this recommendation.
DR. COHN: With the additional comments.
MR. BLAIR: Appropriate resources. And I second it.
DR. COHN: Further comments, discussion? All in favor?
SUBCOMMITTEE: Aye.
DR. COHN: Opposed? Abstentions? Okay, that's passed.
Now I will tell you it's 12:25 and I think everyone has a well deserved time for some lunch. Why don't we take an hour now, when you come back my understanding is is that we have three presenters, testifiers relating to security. I guess the hope would be is assuming they're all here by 1:30 that maybe we can do a single panel rather then having two separate panels on the discussion, and maybe at the end of that if it's okay with everyone what we'll do is to take a look at the letter as it is now. I guess there are a couple of questions that were, reflecting on what we passed back in December, what we're looking at now, I think there were a couple of outstanding questions, I don't know if Alicia is going to be around or maybe she can supply any answers to Steve so as we sort of look at them, how we need to revise certain parts of the letter but just make sure that we're comfortable with it for taking it to the full committee on Thursday.
DR. STEINDEL: Simon, in the draft of the letter that I have I have only one outstanding question that we asked to be revisited, and that concerned the licensure terms for the recommendations in genes and proteins.
MS. BRADFORD: And that has been clarified and it is free, the human genome nomenclature is free and the website has been updated to reflect that.
DR. COHN: Okay, well good, so we can resolve that one issue.
DR. STEINDEL: So I can just take that out.
DR. COHN: Any other issues, comments, concerns at this point? Okay, so we will break then until 1:30 and thank you all.
[Whereupon at 12:20 p.m. the meeting was recessed, to reconvene at 1:30 p.m., the same afternoon, January 27, 2004.]
A F T E R N O O
N S E S S I O N [1:40
p.m.]
DR. COHN: Okay, we're going to get started here in just a second if everyone would please be seated. As I commented during the morning's introduction obviously the security issue is, security rule is one of the more important issues that obviously we will be tracking. This is the first session knowing that we're getting close to a year into the implementation for us to sort of talk to key players in the industry to see where we are and see what issues may be ongoing here. But I think the reality is is that this will be an issue that we'll be hearing from you and others as we go along and the actual implementation adoption date gets a little closer.
Now I want to thank John Paul Houston again for helping put this together, and I was actually going to ask if you would like to make a couple of introductory comments, sort of give you the gavel to sort of facilitate this session.
MR. HOUSTON: Certainly, I'd be more then happy to do that. I think as Simon indicated we're almost a year through the compliance period for the security rule and we really hadn't, I guess because of the other HIPAA rules hadn't really spent much time focusing on security rule and I think probably most people in the industry hadn't either. I think privacy was a great time sync and I think then the transaction standards themselves really took a lot of effort and I think what ended up is people I think both mentally as well as financially sort of deferred the security rule. And now I think we're at the point now where we have to start to worry about it. And we haven't really heard much yet from the industry as to what are the problems with the security rule and I'm sure there are problems, but we weren't sure, we hadn't heard anything, it really isn't, if you go out and read today about HIPAA you're going to see a lot about privacy, a lot about transaction standards, and I don't think, I don't read really nearly as much about issues with the security rule.
And for that reason we really thought it was important to maybe get some testimony, get some feedback now, as to where, if there are potential problems, maybe there aren't, but if there are what are they and try to formulate some recommendations if there are issues so that there is some time to respond prior to the compliance deadline. Again, sort of like what happened with privacy. So again, today was really intended in my mind, and I think Simon's, too, to be sort of an open ended what do you think, what are your general thoughts, sort of pulse taking as to what, if there are issues with the security rule or what can be improved upon or maybe it's all glowing comments about security although I doubt that having read the testimony. So that really was the intent.
With that said how did you want to --
DR. COHN: Well, why don't we ask each of our presenters to introduce themselves and then we'll start off with John since he obviously is the first one on the agenda, but John would you like to start off with just an introduction?
MR. TRAVIS: My name is John Travis, I'm with Cerner Corporation, Kansas City, with Cerner I oversee our development efforts in the area of what we might call information, security, and privacy. I've worked with our client base in trying to prepare for both the privacy and security rules and spend half my time serving in consultive roles as much as development roles towards that end.
DR. COHN: Well, thank you, we obviously realize it's not the easiest thing today getting in so we appreciate your participation.
MS. SCHULMAN: I'm Roslyne Schulman with the American Hospital Association, I'm a senior associate director for policy development and HIPAA security among a variety of other things is on my plate.
DR. COHN: Are you from Chicago or here?
MS. SCHULMAN: No, I'm from the D.C. office.
DR. COHN: Oh, good, I know that wasn't easy either but thank you. Tom?
MR. WILDER: My name is Tom Wilder, I'm with AAHP/HIAA, I'm vice president for private market regulation and I'm responsible for helping our members deal with federal regulatory issues including HIPAA implementation.
DR. COHN: Tom, thanks for joining us. John, would you like to start out?
Agenda Item: Security Rule Implementation Issues - Mr. Travis
MR. TRAVIS: First of all I think we may represent a little bit of a unique perspective because we come from the particular aspect of being a health care information system supplier, vendor to the industry, to the provider side of the industry, so our interaction is as one who experiences trying to help a lot of organizations work through compliance issues and trying to take a read of the market basket. So my remarks are going to be kind of from that perspective.
Cerner has around 1,000 provider clients in the U.S., also quite a few in international markets, so we get to see on the balance how does HIPAA stack up against other jurisdictions, especially the European Community in the Pacific Rim. I want to start off a little bit by talking about what we see as the current state, which is really a fact of life for a lot of our clients. Most provider organizations right now are making do with a significant inventory of legacy systems and that really is their starting point. And they're also trying to take a more strategic or enterprise view of security as something to deal with across their organization, I think a lot of the tone of what I'll speak to hits upon the tension that comes between becoming compliant and making improvement toward that end.
So there's several observations I would make. First, each system vendor in clinical IT has tended to solve security in their own way, so they're self contained, they historically have not had to worry about anybody but themselves, they develop their own security architectures and they wind up especially in a best of breed scenario being structured that way. And so a few vendors have prepared their systems to really support dealing with security at an enterprise level, so you don't see a lot of collaboration or a lot of specialization in health care around enterprise security.
And then there has been a lack of security standards development, maybe more so guidance and adoption of standards in health care to govern really trying to take an enterprise focus, sharing information between systems about security policies and standardizing health care roles and I'll speak to a number of those.
And then I think even a very few provider organizations have really maybe because of the lack of capability or the lack of focus looked at security as an enterprise problem to be solved. So they start out their compliance programs really with an extensive legacy system inventory, non-standard security implementations, and then trying to assess and see where they are and where they can make progress.
So when they come to making decisions they have really two main choices, they can try to work with existing systems and put their faith in vendors getting up to snuff, or, and it's probably not a pure or, it's an and/or, they can try to improve their capabilities by investing in enterprise wide technologies or administrative solutions that can reduce their costs. If they're taking that latter course they may have to plan for a long project plan horizon, not just strictly their compliance plan but probably more looking at the quality improvement for getting individual vendor solutions replaced over time, for getting other solutions upgraded, and then trying to deal with the mandatory requirements of the security rule in the short run, so they can't ignore that but I think a lot of them are struggling right now trying to figure out which way do we go with this so that we're not revisiting the security issues three, four years down the line. Is the right opportunity because we have a compliance imperative that could help drive our organization.
And I think administratively speaking providers are often for the first time perhaps defining formal security policies, they went through the experience of the privacy rule with minimum necessary guidelines and privacy practices, and this is a similar exercise for them with security policies around need to know and relating need to know to job rules. So there's a number of challenges for implementation and compliance and I'd really characterize the first one as being that matter of policy definition, that they have clear definition of policies and procedures that guide health security then can be set up in their systems.
I think that having well defined roles will help them in their assessment process, help them in defining what clinicians and staff can see and do in systems, because that's really where the rub of it is. Unfortunately for most organizations defining roles and systems was probably done by department system managers, line management at mid and low levels in the organization as they implemented systems that in some cases could be ten to 20 years old, so the changes or the guarantee that a role in one system has any validity for a role in another system would be almost by accident. And in fairness there's only recently been standards based work proposed to try to define job roles for health care that could guide information systems policy management around security.
I think the good news on the front is that most providers because they spent the time during the privacy rule compliance efforts for policy development did spend the time to look at need to know policies, and so most of that is probably done, most of their assessment work is probably done, so they're not in bad shape from that standpoint but I think that there is still a remaining test to make sure the systems support those policies in some degree of consistency, even if it's trying to reconcile different definitions, different architectures.
Kind of speaking a little more to the point of improvement, we see a lot of providers desiring to pursue single sign on and what we might call single point of administration types of projects. And so if they see the security rule compliance effort as a chance to also reduce administrative costs and make real improvements these are areas of real focus. With single sign on the idea there is that a user may be able to sign on once and have that identity or that sign on information shared throughout all the systems that run on that provider organization's network. The administrative point is to have information shared between systems about who users are, what roles they may play, what memberships they may hold, credentials they may present, and have all systems be able to support sharing of that information so that each system is not compelling providers to maintain that information separately and uniquely system by system by system. That's the reality historically, most vendors have not thought in terms of gee, I might share information from a network source or with other systems, I'm going to require you to define it through my tools and my system manually and you'll have to do that for as many times as you have different vendor applications.
So that is a major opportunity for improvement and I think that's where a lot of the administrative costs for security management could be reduced if vendors were to make improvements to integrate with those types of enterprise technologies. Those technologies are available, they're in use in other industries, they're in use in health care but probably to a more limited degree then most anybody would like. And the main issue is the matter of limitations to be able to share that information.
I think the second point around that is that this is a matter for standards work as well to be able to share security attributes, to be able to share personnel attributes between systems, and be able to do so avoiding non-standard types of information sharing. Standards work has been underway within groups like HL7 for a number of years to try to push ahead with this and I think that that will eventually make the process much easier but we aren't real far down the path for adoption.
So I think with single sign on and centralizing or standardizing security policy they may not be literal compliance requirements but they are things that organizations are trying to debate spending time and money on doing now since they've got, they may have some corporate focus on those types of issues.
Another area that's very much related is electronic signature, because I think while people are looking at the security issue they still, while the signature requirement may have been scoped out of the final security rule they're still looking for a way to have a secure and reliable electronic signature methodology in place to share information, and I'll speak to community sharing a little bit later. But at a recent meeting of HL7 the committee chair of one of the groups I participate in for medical information made the comment that a lack of standard driven or regulatory requirement driving electronic signature standard or requirement at a federal level is going to serve the dampen the use of the web for sharing patient data. I think we are entering a time where we are seeing some regulatory requirement in other ways for sharing of patient data via the web, I cite by example the e-prescribing initiatives that will come under the recently passed Medicare Reform Bill, so this isn't an issue that's gotten a lot of historical push because systems have traditionally shared information only within an organization, within a closed network, and not with other organizations through the web. But I think we need to see more ability to have trust in that information sharing, a lot of that's going to come back to the reliability of the electronic signature. So we'd encourage the committee and the Secretary to consider moving ahead with proposed rulemaking and standards, or backing of standards, for electronic signature.
Probably the most challenging and costly aspect of security rule compliance is one near and dear to me because I'm an auditor by background and started my career in that end, and that is for accountability in audit systems in health care. Probably no other issue will cause system replacement or upgrade like this one and I think there's three factors that contribute to that. First, many existing systems just simply do not provide an adequate level of auditing in the manner that the security rule contemplates. It's particularly true if the patient information is only inquired or printed but not actually modified or changed or created. Many systems offer auditing for those types of operations but enabling audit of inquiry or printing types of events is a major system enhancement for most of them. The availability of audit data is going to be especially problematic for older systems that are still in use that may not have been designed with any knowledge in mind of how to identify just a simple inquiry that didn't actually change data.
Most vendors I think are addressing this with newer versions of systems, ourselves certainly included. So that is why in a lot of cases there are going to be system upgrades or replacements often simply because of trying to deal with the auditing requirement. Second, and also of issue, good security practice requires audit information to be reposited separate from the patient record keeping system. That just is a plain separation of duty requirement that most are reading as part of the requirement for the audit systems. So for patient care systems that do provide availability or capability to audit how patient information is used many of them do not provide separate and secure audit logs for actual control of that data. As a result a security auditor may well have to traverse enumerable logs at a network level, at application level, in order to get a fairly complete picture of what end users see and do within patient records.
There really needs to be a focus on trying to have organization level audit logs, enterprise level types of audit logs, that can draw from each patient care system and present one whole audit trail. That's not the current state of the market but it's our opinion that we need to move to that.
The third area in auditing, or the third issue with auditing is that only draft standards are available for health care providers to try to share audit data between patient care systems and an audit system. HL7, ASTM, and DICOM have come together and agreed to propose a common audit standard that should help solve that problem but it's still a ways from adoption. Some vendors have designed auditing around this standard on a prospective basis to anticipate that that will become the standard, but mostly for their newer versions of systems. So providers are still left with incomplete ways to get audit data for whatever they can find. Audit data is probably going to be a tedious task that's going to require knowledge of the data architecture of systems to be able to get at the data, and custom programming in order to harvest it. So there's no guarantees that are a very complete picture of accountability emerges in that kind of a state.
I've highlighted the importance of standards in guidance to the health care information systems industry in a number of areas, and so I kind of take a moment to underscore that. We've talked about auditing personnel or user management and some other areas but our main point is that health care IT has suffered from either a lack or a lateness of standards adoption or availability relative to security. I think unlike HIPAA EDI where standards were very strongly supported by regulation and industry consensus and long study, that's not been the case quite for security under HIPAA. There is a lot of standards work available but it just simply has not been analyzed for adoption or with the speed for adoption that it probably needs to be. So the more that can be done to promote the adoption of standards within health care IT relative to security we think the better.
That also speaks to treating security as an enterprise organization level problem to be solved, and we feel that providers need to be thinking that way and vendors should back that, especially through pushing for standards that ensure consistent definition of security policies at the enterprise level and provide support for using those security tools that can reduce costs of administration and provide user convenience for accessing systems.
We see good examples in the provider community or organizations attempting to do this. The VA within this very department has taken a leadership, I should way within the DOD, is taking a leadership role to standardize user roles and they're pushing that as a proposed model for health care information systems generally. Many organizations are implementing the kinds of security tools that I discussed earlier to ease the burden of administration, and we need to see auditing treated as a problem to be solved once for an organization, but that does lag behind other areas.
I don't know that it's the government's interest directly to encourage particular tools or techniques but we do think it advisable for best practice develop to be encouraged. So interpreting and providing working examples of what organizations have done successfully, such as what was done with WEDI SNIP for HIPAA EDI needs to be encouraged.
Another area that concerns us is what we see with what's going on of balancing information access with privacy. Now that the privacy rule has been in effect for nine months the industry has had ample opportunity to take a lot of the measure of its impact and we think a lot of our clients have taken advantage of our systems to improve protection of the security and privacy of patient information without necessarily having us to make a lot of major coding changes, and we do see that as our clients implement systems one thing has changed and that is security and privacy has become a major part of any new implementation effort, so they are considering it. However, we are finding an interesting situation that's beginning to emerge, it does seem to us many organizations are treating compliance as primarily a legal problem and not an operational one. Many long standing practices have had to change about how patient information is handled and disclosed. Probably my favorite, we've had many clients ask our advice about whether or not faxing should even be used, and many represent to us as a matter of fact that it's outright banned under HIPAA as a practice.
Some provider organizations have behaved as if protecting privacy is a primary role of their health care IT without due consideration given to the role of information systems to really automate their business processes. So this poses a challenge and we think perhaps a threat to proper patient record access and use. We encourage the committee to consider recommending to the Secretary that guidance and reasonable perspective be given on the security rule just as the Office of Civil Rights did a very good job with the privacy rule.
Currently there's a lot of speculation on what a compliant system is and much is left in the eye of the beholder. For example the limited amount of standards based guidance on health care roles leaves providers to determine this for themselves at a time when they are trying to reconcile roles across systems that have been very inconsistently defined over time.
And finally there is a matter of enabling true community information sharing, the issue is whether or not the security rule works well with other regulations from a proper sharing of electronic health information between health care providers. It does seem desirable for the government to wish remote examples of appropriate information sharing between community members and a good example for this is what I mentioned earlier with e-prescribing under the recently passed Medicare prescription drug legislation.
As we observed in the privacy rule amendment process and in the guidance given by the OCR for things like eligibility practices and processing of prescriptions, sometimes you see literal interpretation of regulation that goes too far and retards the very thing it was to assure happened properly. We see many provider organizations make a determination or remain very closed, and only disclose information when there's absolute written proof of patient permission even for permissible disclosures related to care. We also see a lot of desire on many parts of the provider organizations to share properly with each other and promote such sharing within a community to better the care delivered to patients they all share in common. This is retarded by the fact that some organizations interpret the privacy and security regulations as making a presumption that electronic health care information seems only to be held only within provider organizations and somehow should not be at a community level, or that community sharing is only possible with very burdensome administrative and technical conditions applied.
We encourage the committee to consider taking a position on proper information sharing practices that can encourage enabling electronic community level health records. We believe that the government has a strong interest in the promotion of electronic health records standards that include appropriate information sharing as an important goal. Personal and portable electronic health record is an important future objective for many health care information systems and it really is a vehicle by which real patient rights toward their records can be realized.
We believe the U.S. health care system has an interest in promoting good model frameworks for how to reconcile the security and privacy requirements for the health record with the community level information sharing objectives in mind that are important to such a health information structure.
So to summarize our recommendations, we believe the following are important to consider, first, the promotion of the use of standards in health care information systems security, we've identified several key areas of emphasis. Number one, or I should say A, health care roles for users, audit, exchange of security information between systems to reduce administrative costs, and then the use of electronic if not digital signatures. Standards work is available or nearly available in most every significant area. We do not necessarily suggest a formal DSMO process for their adoption but we do recommend that their adoption be given a strong backing by the committee.
Number two, the development of guidance or best practices around what constitutes proper and appropriate information sharing practices, especially at a community level so as to promote an effective balance of privacy and availability of patient data.
Three, consideration for some kind of best practice sharing forms, such as WEDI SNIP for security practice and privacy practice.
In conclusion, the security rule compliance period catches health care information systems, vendors, and providers using their systems between an era when it was okay for vendor solutions to worry only about their own systems and an era when health care is rapidly moving towards enterprise solutions for security. There still is quite a bit of existing system inventory in place that serves to hinder the pace of that progress. Providers do not have the budget in many cases to both remediate their systems and move to adopt enterprise solutions.
The last comment I would leave you with is that much consideration should also be given to the good faith efforts of providers and their vendors to enable compliance in the design of the enforcement regime for the security rule. I'm certain that many providers are going to be in the process of implementing their plans come April 2005 because of the choices they have to make between remediation and improvement.
On behalf of Cerner I would like to thank the committee for the opportunity to present our observations and recommendations on this matter.
DR. COHN: John, thank you very much and we'll have questions and discussions after you all have testified. Roslyne, I believe you're next.
Agenda Item: Security Rule Implementation Issues - Ms. Schulman
MS. SCHULMAN: Good afternoon. I'm pleased to be here today to talk to you about the AHA's perspective on how the nation's hospitals are implementing the HIPAA security regulations. Today I'm going to be going over some challenges that hospitals face regarding security as well as some preliminary data we have with regard to where hospitals are in the process of implementing and becoming compliant with security.
I would echo John's comments on the late start on security, I think both our hospitals and AHA has gotten sort of a late start on security. The greatest challenge for hospitals remains ensuring that they are able to submit HIPAA compliant claims and receive payment in a timely fashion. We're still in the contingency phase with regard to transactions and code sets, and our primary concern right now is ensuring that TCS is not interfering with payment.
There's also the ongoing issue of HIPAA burnout. The energy focused on implementing the privacy regulation and the ongoing challenges of implementing the transactions standards has been exhausting for the nation's hospitals and HIPAA momentum is fading. As a result providers may be behind on implementing security.
There's also some confusion regarding the differences between the requirements of privacy and security at the executive level, that is when security implementation is raised as an issue the question arises haven't we already addressed this in privacy. It's hard to disentangle these requirements and it's hard to explain.
This raises a resource question because the cost to comply with security could be more then initially perceived by our nation's hospitals. It really depends on what the organization's normal security efforts are to date. There are some privacy components that are dependent on the final security regulations, a covered entity needs to have safeguards in place in order to comply with privacy. For instance, mapping the minimum necessary policies to access controlled requirements. On the other hand, due to the overlap in privacy, some of the groundwork for security has been implemented in some hospitals. Also some organizations may have begun implementing provisions of the security rule when it was still a proposed rule, and some may be ahead of the curve for that reason.
We are pleased to have heard CMS continue to emphasize the fundamental principles of flexibility and scalability in the security regulations. It's critical that CMS's enforcement activities stay close to these principles. It would not be helpful to second guess the risk calculus and decisions that hospitals make and CMS needs to respect these decisions. Further, it's important that CMS understand that because of this flexibility and scalability a security breach does not automatically mean that there has been a violation of the rules. There are some threats, uses, and disclosures that cannot be reasonably anticipated.
Also due to the overlap between privacy and security it's not clear when a violation goes from being a violation of privacy to a security violation and vice versa. CMS's Office of HIPAA Standards and the Office of Civil Rights are working together because of this overlap, and we've head from CMS that a complaint may be initially identified as a privacy violation but may also contain a security breach. There doesn't appear to be a bright line between these and so therefore consistency in enforcement between privacy and security is critical. Also consistency in interpretation is key. We've talked to CMS about the consistency between central office and regional office interpretations of privacy and the same goes for security. We need consistency between the approaches and actions taken by the regional and central CMS offices.
Also providers are worried about the resources that compliance will consume. As with the other components of HIPAA the security rule will result in technology purchases in the nation's hospitals. Among other things hospitals are concerned that for IT folks this may seem like Christmas. Long repressed technology wish lists will now come to the foreground whether or not they are necessary for compliance. Also as occurred in previous components of HIPAA we're concerned that there may be incorrect information and scare tactics used by consultants and vendors that are designed to encourage hospitals to do and purchase unnecessary things.
Also it's important to realize that technology alone will not lead to compliance with the security rules but over promises from vendors regarding the results of their technology in totally addressing security is a problem. On the other hand technology is ever changing as are the scope of the threats that are facing hospitals and therefore compliance with the security regulations must be an ongoing process. The need to dedicate resources to ensuring that the appropriate safeguards are in place over time will be a challenge for hospitals.
Like I said before, while the AHA like its members are really only now beginning to take a comprehensive look at how hospitals are implementing the security rules last week we did have an initial conference call with our members regarding security rule implementation. We had a number of presentations from experts from CMS, from Ernst & Young, from Hogan & Hartson, from AHA staff as well as from a hospital system. And the thing we're going to talk about now is that in order to register for the call individuals were asked to complete an online series of questions and I'm going to be going over the responses we got from approximately 475 organizations. This is not a random sample, that's a caveat, the providers who responded I think are more likely to be on the ball about security and perhaps a bit ahead of the curve. But on the other hand it gives us a taste of where hospitals are.
The first questions we asked were with regard to HIPAA security regulation, implementation and compliance. And we were pleased to see that they really have gotten started, only 1.4 percent said they have not yet started, 43 percent said they were doing initial research or trying to understand HIPAA security requirements. About 47 percent were in the planning stage, 43 percent were performing risk assessment and evaluation, about 26 percent were in the implementation stage, and 9.3 percent claimed that they were compliant with the HIPAA security regulations. This adds to way more then a 100 because they were able to select more then one so you'll see that in a couple of these questions.
The next pertinent question we asked, we were trying to get an idea of what they considered to be obstacles to implementing the security regulation so we asked them whether their focus on HIPAA privacy regulations has been an obstacles. And we were pleased to see that about 70 percent said that no, privacy had not been an obstacles. About 28 percent said that it had been.
We also asked them whether the transaction and code set requirements had been an obstacle to their focus on implementing security. And very similar results, about 65 percent said that no, transactions had not been an obstacle, and 33 percent had said yes, that it was.
We then asked what other obstacles, had there been any other obstacles in security compliance, and 63.5 percent said that yes, they had other, there had been other obstacles in compliance, and the next slide goes over some of their list of what they consider to be obstacles, sort of the obvious things, lack of budget, lack of resources, timing issues, having multiple priorities, other competing IS projects, misinformation or unclear guidance, IT security education and training, the sheer scope of the project, that is a good answer, finding good security policies, the complexity of the organization, IT IS staff turnover, outsourcing, and a lack of agreement on the scope and depth of required security regulation implementation. So it's a variety of obstacles they're seeing ahead.
We also asked whether the organization has budgeted for security rule implementation and 55 percent, the majority said that they had, and 34.5 percent had said no, they had not budgeted. The other ten percent said something other, I'm not sure what that means except maybe they hadn't budgeted enough.
And then finally we asked them whether they were able to rely solely on internal resources for HIPAA security implementation and compliance and what we found is 62 percent of them told us that they were actually using a combination of internal and external resources. About five percent were using only external resources and 25 percent said they were using internal resources only. And seven percent said other, again, not sure what that means.
Among the resources that AHA has established to help the nation's health care providers with the security requirements are several. We have a website that's dedicated to HIPAA, go to www.aha.org and click on HIPAA under key issues. There's a few things there already including an advisory and a couple articles we've done. We will be adding additional advisory sort of drilling down into security over time, we'll also be, we are considering doing a survey of the hospitals, a bigger survey of our hospitals to see where they are in implementation.
As I mentioned a moment ago we do audio conferences for our members on HIPAA issues and we more then likely will be doing additional audio conferences on security. Also the AHA has selected Ernst & Young as its strategic advisor for HIPAA security services and we've endorsed their HIPAA security services including risk analysis, gap assessment, and all security implementation services.
We will continue to develop advisories and checklists and briefings and other documents for AHA members, and then finally as we progress through the April, to the April 2005 deadline we will be vigilantly tracking the journey of our members towards compliance, ensuring that bumps in the road get smoothed out.
And I'd be happy to answer any questions at the end.
DR. COHN: Roslyne, thank you. Tom Wilder.
Agenda Item: Security Rule Implementation Issues - Mr. Wilder
MR. WILDER: Thank you and good afternoon. I also want to thank you for the opportunity to be here with you today. AAHP/HIAA represents approximately 1300 health plans and insurers, and our members provide a variety of health coverages to over 200 million Americans.
As I mentioned I'm responsible for working with our members as they deal with federal regulatory issues, including HIPAA implementation and I want to speak to you today about what our members have been doing to implement the HIPAA security rule. A number of the points that I'm going to make have already been mentioned in the prior testimony.
In talking to our members, although we've not done any kind of in depth survey, what we're finding is they're actually pretty far along the road in terms of implementing the requirements of the security rule. And I think in large part that's due because their work on getting ready for the privacy rule laid a lot of very important groundwork because in many respects what you need to do for the privacy rule helps you in terms of the security rule because they both deal with uses and disclosures of information and protecting against the misuse or unauthorized access to that information.
In visiting with our members there are some challenges, I think Roslyne in her survey gave you some very good, an excellent outline of what some of those are but some additional things that our members have mentioned is for example taking off the shelf products such as software, hardware, fire walls, or taking the security aspects of a software program and adapting that for your own particular business needs. Setting up the infrastructure and the systems to track uses and disclosures, and to monitor who has access to a particular level of information. Dealing with business associates, how much do you want to monitor their activity. Setting up policies and procedures and training programs. Again, these are not insurmountable but these are the kinds of issues that the health plans and insurers are dealing with as they get ready to implement the rule.
There are some additional issues that I just want to raise with you. First of all we were very pleased that this rule is scalable and flexible, and the idea of course is that you take a look at the rule and look at it through what is your own particular business needs and operations and how you adapt the rule, and we think that's very critical given the diversity of covered entities that are covered by this rule. Obviously what's needed for a very small practice group is vastly different from what's needed to address the security needs of a multi-line insurance carrier that has global operations.
I know there's been concerns raised, including concerns by members, that this scalability leads to uncertainty, there is a certain amount of comfort from a compliance standpoint of knowing that you have to do A and B and C and you only have to do D if you have 50 or more employees. But again, the practical reality is that given the diversity of business operations of covered entities that if you're going to take that approach the security rule is going to probably be the size of several phone books stacked together. So we support the approach that in the rule of having a scalable and flexible set of standards that covered entities have to follow.
We also support the enforcement philosophy outlined so far by CMS that they're going to be compliance driven rather then punitive in terms of helping people get ready for the rule. Obviously that makes the most sense. Because of its scalability and flexibility to a certain degree the rule is fuzzy around its edges and so people are trying to assess what best meets their needs within the boundaries of the rule. For many covered entities, particularly I think for a lot of the smaller providers and to some extent, to the extent that employers are covered by this rule, it's a new world for them, so covered entities really need assistance in coming into compliance rather then being fined if they don't meet these standards, and I think the best way to help a covered entity get from point A to point B is to help them along the path and not hit them with a stick if they stray too far. There obviously are enforcement processes and penalties built into the rule and those can be assessed where appropriate but I think again for most covered entities they need help with compliance.
And finally I think CMS quite frankly needs to be a little bit more engaged in the process in terms of outreach and education for covered entities, again particularly for a lot of providers or for employer groups that are not as familiar with the rule as they probably ought to be. I think for a lot of the larger providers and for a lot of health plans and insurers they have sophisticated IT and compliance systems and so while they have some challenges and they have things they need to do to get ready they have the tools available to them to get where they need to go. I know CMS has been very involved obviously in helping people get ready for the transactions and code set requirements but I think it's very critical that they turn their attention now to security compliance. For example, I think they need to develop some checklists, some very simple checklists that people can use in order to assess how far along they are with their compliance activities. They need to do a lot more in terms of developing educational materials and guidance on their website. They need to ramp up their activities to put on seminars and educational activities. Obviously our association as well as the American Hospitals Association and others are involved in this process but I think the more communication that can go on by not only the associations but by CMS the better in terms of helping people get ready for compliance.
And I think they ought to sit down and have a serious conversation with the Office for Civil Rights. I think OCR did a very good job to the extent they had the resources available to help people get ready for the privacy rule. They had seminars and educational sessions across the country, they've got a very good website where they post some guidance, they've been very responsive as questions have come up, they're developed some education materials and checklists for people and do they've got a good guide for what's working. And again, as I mentioned, the privacy and security rules have a lot of similarities in terms of what you need to get ready.
And finally they should obviously partner with the industry. I know we're ready to work with CMS to help get our members ready, I know American Hospitals Association, AMA and others are ready as well, so we are ready to work with the government to help our folks get where they need to be.
Our member companies obviously use and share health information everyday, it's a very basic core function of what we're all about, the same can be said for health care providers. We all have a strong vested interest in seeing that the security rule is implemented and that the security and health information is protected and that uses and disclosures are appropriate. And this really goes beyond the fact that you have this rule out there that you have to comply with. It's really just a central part of our business operations and philosophy. We believe that the security rule is an important benchmark for the health care community and again we're ready to work with this committee and CMS and others to make that a reality.
DR. COHN: Great, thank you all for some very enlightening testimony, that's very useful. Comments, questions? Maria.
MS. FRIEDMAN: This is Maria Friedman speaking with my CMS hat on, and I'd like to thank everybody for their ideas and suggestions, and just to follow up on what Tom has said, we are actively underway developing our outreach materials very similar to the transactions and code set materials that we have up on our website. We're doing a similar set of papers and checklists and all of that that will be going up. And we will be continuing partnering with the Department of Labor and others for their seminars and outreach, looking at roundtables. We still haven't got our budget yet so we're still trying to figure out what we can do with what we're going to get. But we're going to continue on with the model that we've used and we appreciate the opportunity to partner with anyone and everyone.
DR. COHN: Thank you. John Paul, do you have comments?
MR. HOUSTON: Not a one. Actually I have a great deal and I don't want to monopolize the conversation, so I'll take a stab at a couple.
DR. COHN: Okay, and then I see Stan has some questions, too.
MR. HOUSTON: I guess I'm going to start with John, from your perspective, knowing you're just one IT vendor, I guess I have a question, are the IT vendors prepared, are they able to deliver HIPAA compliant, HIPAA security compliant information systems at this point in time that even can be implemented? You talked about people wanting to move to new information systems to become HIPAA compliant but is the state of the industry such in your mind that there are solutions readily available to speak to the issues that I think everybody spoke to.
MR. TRAVIS: I think that many vendors have probably started out and I'll speak by metaphor our own experience, trying to enable an appropriate level of especially access control capability. We all, and I've shared a lot of information at least through industry forums non-competitively where we can kind of talk openly with each other, that we all tried to assure that if at least there were capability to have appropriate role based security models in place, I think you'll find most vendor solutions, especially those that are in use now or newer versions of existing products, would address that pretty adequately. I don't think that's where the greatest fear would be. I think the auditing area is probably the one that is the most challenging. I think most vendors have focused on that being a matter of new solution version or upgrade capability, may not have taken that back to all versions of prior legacy system. I will say that I think most have tried to make that clear with their clients about what versions would enable those. The barrier does remain though that given the reality of the environment in health care IT and providers that auditing has not been a problem solved at an enterprise level. I think that there's going to be challenges in making a security auditor's job horrible quite frankly in trying to be able to traverse those audit logs to have a good system of accountability that can alert and really enable real time intervention for possible issues of abuse.
MR. HOUSTON: Sort of a follow-up question, I know from my organization, I think trying to have somebody, one, who has a relationship with the employee to know what the employee should be accessing, ensuring you don't have an overly restrictive set of rules to restrict access to information while still being able to then effectively audit seems to be a real dilemma.
MR. TRAVIS: Yeah, I think you're right, you have the balance between do I implement access controls that are very restrictive and therefore I can probably not focus on those areas that I know are appropriate accesses because I've locked down controls very tightly versus putting a higher level of trust in my staff in trying to establish some pattern of auditing that really does do a good representative sample of review across those and identifies patterns of abuse when they happen. You mention employees, I think one particular challenging case we've seen repetitively from clients is employees accessing their own health records or accessing records of other staff, and being able to detect those patterns. I think that can be challenging in some instances the way some systems are architected to know this user is an employee engaging in an access to another employees record. That is an area where there's been a wide variety of efforts to recognize those circumstances. And that's a fairly common area of maybe not malignant abuse but it's been an area of abuse nonetheless.
DR. COHN: Can I ask sort of a follow-up question on that because I certainly agree with you that you don't want as a security issue and privacy issue you don't want to have someone check someone else's staff record or whatever, maybe you can explain to me a little more about the security or privacy issues about a person checking their own record, I mean that's --
MR. TRAVIS: it is perhaps more of a policy issue for organizations. A lot of our clients have policies of access to the subjects record that require formal requests in writing, that require an organizational response because there could be third party data in the record that shouldn't be released to the individual, that there just shouldn't be the same level of access right to you as a patient as you may possess as a provider's staff member, a physician, a clinician of other kinds, for the lack of the opportunity to the organization to vet your request and to properly respond to it as the privacy rule would suggest there should be due process to do. One of the things that you're not going to find health care IT in a real good state to support right now is the idea of a consumer or a citizen portal to get into their own record so that there is this idea of a safe sharable record that's been published that the patient could come and get any time they want. One of the issues about that is that most health care systems are provider based record systems, they are not necessarily designed to support the role of a personal health record, which is really a little bit different animal and so employees attempting to use a provider based record as their own personal health record so to speak may fly in the face of a lot of the policies of certain organizations to have some control over that release.
DR. COHN: Sure, and thank you, I'm actually well aware that most organizations have policies about all that, I just didn't really think it was precluded by the security rule.
MR. TRAVIS: I think the problem is that it's actually not precluded by the security rule adequately so that you can tell the difference.
MR. HOUSTON: But there are I know, at least in Pennsylvania, there are state laws that would, though they allow patients access to the record interestingly enough there are certain types of test results, such as HIV, HIV test results you're required to have, the physician is required to provide counseling regardless of whether it's a positive or a negative so you can't just go online and look up your own HIV test results, it's intended you should have to go to the physician and the physician is supposed to deliver it to you. So there might be certain cases where patient access to the record, which is very convenient for employees, may fly in the face of treatment relationship as well as certain limited state laws.
DR. COHN: Stan, did you have a couple questions?
DR. HUFF: I'd just ask Roslyne for a clarification, I didn't understand exactly what you meant by there shouldn't be second guessing of risk calculus decision.
MS. SCHULMAN: Well, as part of the requirements of the security regulation you're supposed to identify the risks, possible uses and disclosures, and then prioritize those and apply solutions to what you consider to be the most important of those risks. And the concern is that if there is a breach, a security breach, that CMS might come back and sort of second guess that whole process as opposed to considering whether there really has been a violation or not, just second guessing the decisions the entity made in good faith.
DR. COHN: Actually, John Paul why don't you go and then I have a couple questions also.
MR. HOUSTON: I have a bunch of questions, vested interest here. I sort of heard two sort of countervailing positions on the level of specific guidance regarding how detailed the security rule should be. I think John your position was that there should be more, there wasn't a lot of support for specific measures that should be taken on the security side if I'm not mistaken. Roslyne's was sort of to the opposite of there's a scalability issue of it's nice that it's scalable I think and I can find the words if need be but I'm interested in sort of --
MR. TRAVIS: My perspective and admittedly keeping in mind where we come from, our basis of making that statement is that we do work with medium to large health care organizations, the scalability is in a sense, they're at the upper end of the scale so they are fairly technology dependent on solving security issues. And I think from their standpoint development of best practice sharing and the promotion of standards is going to be an enabling factor for them. Scalability is going to be probably limited a bit by what technology choices you made prior to ever entering into the client's effort so I think it works to be good working examples of how do I make progress.
MR. HOUSTON: But do you want specific, are you looking for specific guidance as to exactly what should be implemented based upon --
MR. TRAVIS: I'm probably looking more for the type of forms or structure to give best practice sharing, to promote that the industry provide more guidance to itself if you will. I think the examples of the WEDI SNIP group sets up very well, they spoke a lot to best practices for bringing systems and procedures into place, to try to see HIPAA EDI as an opportunity for operational improvement, and I think that our, at least our type of client is going to be very interested in being able to have that similar kind of a forum. I think the other kinds of guidance may go more towards procedural matters or interpreting scalability based on the kind of organization you are but that's not really what I was --
MR. HOUSTON: Are people specifically looking for guidance as to I'm this size or I have this complexity of IT systems, this is what I should be doing, these are the types of controls I should have in place or the type of technologies I should be employing? I guess that's as much --
MR. TRAVIS: I defer to Tom on what he may have intended by the remark, I think for us it's probably a little less define the set of requirements that's appropriate for me, I think people are looking a little bit more for I'd really like to be able to standardize, how do I go about doing that. But is there a good model, for example I mentioned the VA in their health care roles, I've got the security policy, I developed job roles in my HR system, I know what kind of profile people have but now I've got 50 information systems that I need a benchmark or a baseline of what's appropriate.
DR. MCDONALD: If I could interpret for the industry, I think that, I work in a hospital and I see patients, I think by and large this looks like someone's invented something that no one knows how to build in the universe, it might not be buildable, we don't really know what it is, leave it light and let us figure out is kind of what I think I'm hearing because we're trying to find a way and I don't need someone knocking it down and making it be this, this, and this.
MR. HOUSTON: That would be my preference, too, I sort of thought I heard sort of two different perspectives on give me guidance or let me figure it out for myself and I wasn't sure, I just wanted to sort of get a sense.
MS. SCHULMAN: Flexibility and scalability is a two edged sword, on the one hand it's nice to have that ability to scale your compliance to your own specifics of your organization. On the other hand there's sort of an anxiety out there about am I doing this right, am I going to be cited. So to the extent that CMS enforcement is consistent with that philosophy we would continue I think to support the open endedness of the flexibility and scalability.
MR. TRAVIS: I take as my measure that it's an issue to be dealt with by how many times they get asked is your system HIPAA compliant, and I hear it frankly a whole lot more in security then I do with EDI, and I was involved in both efforts for Cerner. And it's an interesting question because I can't, I'll tell them it's relative, are you speaking of a patient care system that's accessed by 20 different classes of users, are you speaking of a lab system that's only accessible by med techs? Are you worried about accesses by med techs in a lab system as something you would audit versus a patient care system accessible by thousands of residents in an academic situation? So it's really that point, I think that there are very relative as to what the scalability and flexibility are going to mean for somebody.
MR. WILDER: If I could follow-up, I think again, as I probably mentioned to this group before I'm a lawyer by training and experience and so I tend to look at these things from a lawyer compliance standpoint. Letting us figure out what we need to do is good, giving us some guidance is good, figuring out what best industry practice is is good. Don't tell us if we don't do this that we're in trouble, because coming up with what the roles are at a medium sized hospital doesn't apply to everybody, coming up with what those roles are may be good for that medium sized hospital today but it may not be good for them a year from now. So we need from a compliance regulatory standpoint giving us more certainty is good but don't give us a whole set of rules and standards and requirements that just really don't fit what we're trying to do.
DR. COHN: John Paul, I think they like it the way it is, ambiguous.
MR. HOUSTON: I just want to make sure I understood that, I like to be more open ended myself, I like that concept of me figuring out what I need to so but absent a lot of guidance right yet I think everybody's sort of questioning, Roslyne, I think you sort of said it, I believe you said it sort of we want to make sure we're at least going in the right direction and we're not way off base come compliance time and find out there's a huge variance between what the expectation is, maybe it was Tom that said it, and what we've done.
DR. COHN: Actually, why don't we let Kepa, do you want to introduce yourself?
DR. ZUBELDIA: Sure, I'm Kepa Zubeldia, member of the subcommittee and I was late today.
DR. COHN: Welcome. And tomorrow.
DR. ZUBELDIA: And tomorrow. And I apologize for being late but I have a question that may have been addressed in testimony and the thing that Mr. Travis kind of referred to it, you've been asked many times are you compliant, would it be beneficial to have a reference place or a process by which you can submit whatever you're doing and have it deemed compliant? Or is that getting into the boundary of things that you'd rather not do?
MR. TRAVIS: I would probably defer to those who represent covered entity associations here because Cerner doesn't technically fall under that. I think what our client base is after is guidance and I'm not trying to redo the point of standard, it really is very close to the same thing that at the end of the day it's implementation guidance so I don't know if that kind of process gets you in trouble where you may be literally asking for a safe harbor for something you're doing. But I do think a matter of more structure to best practice sharing, the industry needs to solve that to a large measure for itself but there was a lot of encouragement given I thought. One of the best documents I read in the last number of years was what the OCR wrote on the privacy rule when things got out of hand and people were thinking chicken and the egg, I can't verify your eligibility because you haven't given me permission to share your information to verify your eligibility. So we get into certain situations when we take things too literally. But I think at least to, it may be more of that mode where there's questions of I'm contemplating doing this, I have this business problem, this is what I'm thinking of doing. It may not fall under the matter of a safe harbor provision or a letter, compliance letter, but it would fall under the matter of general guidance given to the industry to debunk the myths that are going to be floating out there and are.
MS. SCHULMAN: For the AHA I don't really know but it sounds like a good survey question, something to ask our members. I just don't know how you would do it, I mean it's, compliance is so dependent on the specifics of that particular facility I don't know how you could ensure that you were, to sort of certify your compliance, I don't know how that would be done, but it's worth thinking about.
MR. WILDER: We've not addressed this issue specifically on certification by the security rule, how we've looked at it in terms of other things like the privacy rule, number one, I think it would be very difficult to come up with a program that would work for everybody. I don't know that CMS would be acceptable to that and if you give me, Claredi for example gives me a certification and CMS says I've still broken the law, am I going to come after Claredi?
DR. ZUBELDIA: We won't do it, just to make sure, we don't want any parts --
MR. WILDER: And I apologize, I didn't mean to point fingers at you but again, give us, help us get where we need to go, don't give us another set of hoops we've got to jump through to get a piece of paper that may not do us any good.
DR. ZUBELDIA: What I have in mind is people like NCQA and the Joint Commission that are getting into this kind of situation right now, they have certification programs for HIPAA security compliance. Is that helpful? Is that something that the government should support or not?
MR. WILDER: Again, I want to be very careful how I characterize this on behalf of our members, the NCQA process has been helpful to some extent but we've also found that NCQA for example has gotten into areas where they're not really, where they don't really know what they're doing. And they've established some internal certification requirements that we actually had to go back for example and walk them through what the privacy rule actually meant and how their certification requirements differed from the privacy rule. And they eventually got there but we had some struggles with them as well to educate them about what the privacy rule meant.
DR. COHN: Tom, I think you handled that one well. And certainly I think as Kepa is commenting there are certainly likely to be a number of players getting into some aspects of certification or otherwise. Many of these groups will be, they'll be part of, they'll be one item out of 30 pages of things that they look for when they accredit a hospital or otherwise. And of course given the flexibility of the rule exactly what they will be looking for will be hard to know, so that's part of the issue.
MR. TRAVIS: One of the things that was very good in the final rule that they went away from that I think was spoken by one of the panelists, I can't remember which one of you made the comment, that there was a degree of, we liked the rule because there was a degree of flexibility, the original rule implied or at least I think a lot of consultant dollars were spent in this area on matters of very formal risk assessments, very formal certification processes, almost based on the Department of Defense NIST series taken very literally and that's where a lot of security consultants were making tremendous amounts of money about three years ago when we thought we would have a security rule imminent in the summer of 2000. But I think that organizations are not going to have the capabilities to do that level of formal assessment, it's going to be much more informal, but still they want assurance that they're covering the right things, that there's a good basic set of things we should be evaluating and looking for that I think all of us to some degree are reflecting on. So I view it more from the standpoint of we get the outcome of that assessment process and clients coming to us saying what do we do, and I'm not sure we're best positioned to serve in that role for our clients because we still have a vested self interest, which is trying to offer commercial software solution acceptable to all of the market and we struggle getting into a lot of different implementations if we try to go down that path.
DR. COHN: I think Michael had his hand up and I think Stan you also had a question?
DR. HUFF: It's just a questioning face is all, I didn't raise my hand or anything.
DR. FITZMAURICE: When we drive an automobile they all have similar kinds of tires and engines, a lot of things are interoperable but we all get to drive at the speed we want and we get to turn when we want. As John was talking and then I heard more --
MR. HOUSTON: There are speed limits.
DR. FITZMAURICE: But there aren't governors on most cars and so --
MR. HOUSTON: Didn't you ever listen to Bob Newhart's driving instructors, 30, 40 years ago, you can turn but next time wait until the street?
DR. FITZMAURICE: So anyway, as Tom and John were talking I got to see that you can spend an awful lot of money on security if you wanted to, and then if there were some uniformity like we have in tires for cars and engine parts, that if some things were interoperable that you could save a lot of money because as one company buys out another or as you have different components and you work together, building for the enterprise seems to be less expensive in the long run then building for each particular system. So I guess my question is are the appropriate forums, are there sufficient forums to discuss this, do you know where to go to talk about it with your hospitals, with your health plans, with your other vendors on developing or listing functions that are needed from health information management systems and from the vendors of those systems first of all?
And secondly do you have a place to go to to talk about developing standards for these supporting functions, such as role based access, and how you would do it across components of an enterprise, maybe even between enterprises? And do you have a place to go to to talk about encouraging or specifying the uniformity and interoperability among systems for security functions? Because right now we spend a lot of time on interoperability and uniformity of data, having uniform comparable data, but I'm not aware of the same sorts of things for how you do the security functions so that mine would fit with yours so that we can start getting role based access, I define the role the same way that you define the role so that when we get our security systems talking it's going to talk as well as we hope our data systems will talk. Is there a place to go to, do you have places like that where you go to talk about it and to work for those ends?
MR. TRAVIS: I'll take it from our perspective, to a degree, I don't think, it's been one of the slower areas for the industry to really build momentum to even talk about. HL7 is a major forum if the concern is how do I share information without judging the technologies that are sending and receiving that information. ASTM, ISO, other organizations are focused around this issue frankly because in other international jurisdictions, especially for ISO, it's of much greater concern and you also have national health economies like the NHS in the UK, at the state level in Australia, where they are trying to get to standards, or at leas the public health sector that really give impetus to those.
I think the issue we face in the U.S. is it's still very much up to individual participants to take and adopt those things. And I'm not suggesting that that aspect of it shouldn't change, I think more promotion, more visibility to the availability of these sorts of things because a lot of work has been done, this isn't as if we need to investigate and discover ground work for the first time, it's probably more for evaluating things that are available.
As a framework ISO 17799 gives you a very good framework of what you need to do, NIST has done tremendous amounts of work and laid out the common criteria available as a common point of reference. It's just simply I don't hear a lot of discussion or progress for organizations to want to take a look at adopting them. And the major issue over time is going to be when you get to I want to share information at a community level, I want a pass security attributes with that information so that the receiver has the right to the information I intend to convey, or as they take that information into their system they can set up the appropriate right that's intended to be conveyed.
We're going to run into issues with information sharing as long as we have a very decentralized non-standard way of sharing information that doesn't address the security attributes of that information. So that's where it gets concerning is making progress on building confidence that you can share information, have a true community record, enable some other things a lot of people would like to see happen, including the government.
DR. FITZMAURICE: Do you have places to go to talk about it in hospitals and health plans or is this something that you prefer not to spend any money on because you've got a bunch of other stuff on your plate? But interoperability is going to hold down costs in the future I believe.
MS. SCHULMAN: I think a lot of this is still developing, I know that some of the committees that John mentioned, there's not a lot of hospital representation, they just don't know what's going on there, it takes a real commitment of folks to go to these meetings. I think this is all still under development, it would be helpful I think, I think WEDI is doing some good work that hospitals can turn to.
MR. WILDER: I would agree, although John and Simon might have a better look at how they've been approaching this issue on behalf of their plans. But I think we're not as far along in terms of discussing some of these security issues and particularly in terms of interoperability as some of the other IT and patient record issues may be in terms of places to go to talk about things, to share information. Obviously WEDI, NIST, some of the other groups are starting to address this but it's not as robust I think as some of the discussion of the other issues.
DR. FITZMAURICE: What I'm struck with a sense here is earlier, maybe within the past two or three weeks, AHIMA wrote a letter to the Secretary and one of the arguments they made was if we do something sooner rather then later all the new systems that are developing and being brought on board will be able to incorporate it rather then having to retool those which has a larger expense. I see that applicable here that we're not going great guns on security, we've got an awful lot to do on privacy and a lot to do on transaction and code sets, but if there's some thinking that starts off this and everybody starts to begin to fit into a framework, then it's going to be cheaper in the long run down the road. That's what prompted my question.
MR. TRAVIS: One of the, probably the best example I've seen, and we adopted it very vigorously in our own right, HL7 has proposed an audit message standard that really is a good data set and a good standard for sharing of audit data for security or patient record access types of auditing. And that is, though it's not going to be in a standard until a new generation of HL7 is really an industry adoption they did do work to get consensus with two other standards groups, ASTM and DICOM, I think it's what enables enterprise wide auditing in a common basis. I think that it is a scalability issue, how much do you audit, what do you audit, but if you want to move to saying I've got 20, 30 patient care, financial, administrative, 20, 30 systems that hold personal health information and I want a common audit view so that, you know I only have two security officers in my institution and it's a 2,000 physician staff, I'm going to have a very difficult time having those two individuals traverse 30 systems and have anything approaching a credible system of accountability. So open standards towards that, even that alone would be very significant to see progress in.
I think that we're going to 15, 18 months down the line, we're going to see that one really rear its ugly head when people realize, the first test cases have proved to me that that individual wasn't in, we had two cases occur in our client base in this that I'll cite without certainly citing the institutions. One where an individual was selling face(?) sheets in the admitting office to a workmen's comp consultancy that worked with ambulance chasers, and the other where a staff member in a lab department knew a 16 year old girl had been in for pregnancy tests, that patient had expressly said she was a competent minor in the state where she was, that individual had said do not call my family or my home about my pregnancy. This kind staff member called the parents and said your daughter's pregnant, congratulations, I don't think it quite went that way but both egregious violations, one probably the death penalty under the HIPAA privacy rule, the other inadvertent disclosure, well not inadvertent but not meaning harm but grossly overstepping bounds of propriety.
Both examples of things that systems of audit, no one's going to know enough to intervene in real time but they are places you would build the audit trail that could to that individual, be possibly admissible in a couple of law or a civil proceeding. These types of things, it's not going to take many of those occurrences to cause a lot of provider organizations to say this is a matter of corporate risk and liability for us, health care IT department what are you doing about it, so I encourage it in this area.
MR. HOUSTON: It sounds to me like, I was going to ask the question what is the biggest issue with the security rule, it sounds like collectively that the whole issue of accounting and coordination of auditing and things of that sort sound like they're really, that's at the fore as being the big issues, how do you manage it, how do you practically do it. Is that the big issue or is there something else out there that really is, that really trumps that as being probably one of the dicey security issues?
MR. TRAVIS: I think so, I'd say three things, one is it's probably the one most open to interpretation because the security rule just simply says you will have a system of accountability. It is for electronic health data, we have to remember the security rule is about electronic data, not about paper based data, so there's no denying that you have to have some manner of electronic system of accountability towards how patient information is used or disclosed. It's probably also the area, I think most systems do well with the access control and technical and physical types of requirements, auditing, these systems were not designed in their inception to have these kinds of audit trails, they focused on audit trails for history and data integrity of the clinical record but not for --
MR. HOUSTON: But even if you could amass all the audit information for the purpose of review it sounds like that's still a huge issue of who's going to do it, how are you going to practically do it. I think Tom you'd sort of, I believe you were concerned about monitoring access and disclosures, too, correct?
MR. WILDER: Yeah, I would agree, I think building the infrastructure and the system and the policies and procedures and the rules track where all the information goes and figure out who ought to have access to it, and who ought to have what level of access is probably the biggest challenge that health plans are faced with. And you all probably know this better then I is number one, that information is spread out in a lot of different places. I've had a lot of privacy officers tell me that they had no clue where all information went and the various kinds of uses and disclosures until they actually sat down and did a gap analysis, so dealing with that, dealing with the proliferation of the ways that you can now access information, the development of hand helds for physicians I'm sure is a whole other complex area of issues that you've got to think about. So the access and the accounting and the tracking is probably the number one.
MR. HOUSTON: -- any need for a way to be practically achieved within, by April 2005? Or is that --
DR. COHN: Well, achieve what?
MR. HOUSTON: I hate to say it, when I think about what John describes is you have to take all these disparate systems, you have to some way consolidate the information in a way that can then be distilled down so that people can review access, because it really is --
DR. COHN: Let me just jump in here a little bit because I think you're going, this is not the world of black and white, the security rule is a world where you do risk assessment and then based on that risk assessment you put an action plan into place, at least as I understand it. And I think there's, I think John is obviously talking about the perfect solution I think for an enterprise but obviously there's lots of policies and procedures that can help keep you afloat while you're seeking that perfect solution. Am I off on that one, John?
MR. TRAVIS: I would agree that reality is organizations are going to have to make choices about what are the most critical systems to have these kinds of audit systems in place, or what level of capability, it's certainly going to start with what level of capability is there, and then I think it is a plan in progress to answer John's question, I don't think it's going to be a reality that people will have these kinds of centralized audit systems in place with the intelligence to traverse activity over many by the compliance date. I think it's something to aspire to, I think what is going to be a bit challenging is that risk assessment process that, that's where I'm going to have to trust the access control systems, do I audit where I have an access control system that's pretty robust or lock down and pretty tight. They're going to have to have some good judgment about how they implement, how they establish the risk calculus for why didn't you turn on auditing in your lab system while you were auditing your reg systems. And unfortunately though I think there is going to be an aspect of this that's going to depend on their experience and their sense of their own historic risk that's going to drive a lot of that decision.
DR. COHN: I know Stan has a question, too, but one would observe that the things that you were obviously describing as egregious issues may not have even been picked up on an audit log because they may have been authorized users, in fact most of these things are done by authorized users.
MR. TRAVIS: In those cases admittedly a prospective or a real time intervention was probably not possible. A retrospective review to try to prove conduct still was something that may have been detectable. It's arguable but certainly absent those capabilities there's not an opportunity to detect those types of activities. No data was changed, no intervention was happened, they were simply print events or inquiry events in all those cases and I think that's the state of readiness of systems to determine, you know I could go into a clinical record and see a history of who did something to the record actively online, most systems will give you that even though it may not be terribly easy or retrievable for the kind of purpose we're speaking of, it's still there but I just was in there inquiring, I just was in there printing and keeping a record of that also for the disclosure requirements under the privacy rule that I think are most challenging, the generation of systems most providers are using.
DR. COHN: Well, Stan, I know you raised your hand up a while ago.
DR. HUFF: I had a comment and then a question. I guess my comment is just to second what's going on in terms of the discussion, I mean we're fully, clearly fully auditing in our clinical systems and the volume of data we get quickly escapes any manual sort of prospective analysis to see things and so we've used it retrospectively on specific individuals to prove culpability. I keep looking for a graduate student who would take a decision, a knowledge driven rule based approach to analyzing this kind of data and I think that's where you've got to go before you can get to any kind of prospective sort of catching the stuff. I think it would be fairly sophisticated and be very interesting research. But that's just a comment.
So my question is on the one hand we like the fact, we recognize I guess the diversity and complexity of the areas where we're trying to implement this and that leads to us liking the ability to flexible and to individualize it. But on the other end, I mean my intuition says yeah, but if you went out and looked at some places you would say oh, but that's passed what I'd call flexible into not best practice or maybe non-compliance, though I hate to use that word, and I wonder if there's a middle ground, it was spurred by Kepa's thought, but I mean is there some middle ground where, it seems like just sharing best practices may not be enough and at the same time with the diversity and complexity you don't want to go out ticketing a lot of people who are in good faith trying to do things but you'd like to over time create some pressure for people to improve and not just sort of accept what they did as being at face value adequate. And I wonder, so I mean, you wouldn't necessarily find them compliant but I can imagine that, I mean the only way that I ever know how to do these things is look at lots of instances and say oh, you know that one stands out as not really being appropriate, you can't say that a priory, I can say it only after I've seen 25 and then you go gee, that stands out as not being appropriate. And I wonder if there's some mechanism that we ought to think about that could provide that sort of non-punitive but some at least pressure to improve.
DR. COHN: Well, Stan, I guess I have a couple questions on this one, I'm sure others will jump in. I mean one of them is obviously as you were commenting is I think there are a lot of organizations that may wish to jump into this fray and maybe a little more directive then you were describing, and this may have to do with licensure. As we all know in many contracts between employers and health plans there's obviously always the clause about being in compliance with state and federal laws, and we've seen that a lot with the HIPAA rules, that that sort of shows up and it begins to sort of push all of that happening.
Now I was reflecting, I've been in this area basically since the beginning of HIPAA along with Clem and a couple of others and I think we maybe have sort of a longer view on all this knowing that some of these rules have taken a long time coming to fore. And the security rule was based, or not based but was enlightened by it was the National Research Council document called For the Record, as I remember, there were various players participating and made recommendations. And I think the observation at that point, and this was as I said a number of years ago was A, that there really weren't many standards in this area, B, the general level of security, and by that I mean policies and procedures and physical technical safeguards, as opposed to the general perception of security, I think most people felt they had a secure institution. But the perception, the reality was that there was not a whole lot there in most health care institutions. And so the rule that was developed really did not reference standards very much, it really more referenced a lot of the recommendations out of the NRC report which said hey, let's at least start auditing, let's do a risk assessment, let's deal with low hanging fruit. And that was really what we see in this rule as it's being implemented.
Now obviously a lot has happened over those years and I think we're all beginning to sort of mull, I mean John you mentioned the ISO standard, there's various other standards that are admittedly probably not perfect and we probably need to investigate further applicability, but the question is is are we moving into a world where maybe there is more out there that we could use and I think the question, the thing that I wonder for the subcommittee and others is do we need to be investigating some of the standards to see about the applicability about all this as we go in. Are they at a right level of abstraction that maybe they really do provide guidance to health plans and large and small hospitals and all of this, maybe a little more that's in the regulation but maybe a little less then being told exactly what to do. Will they be helpful in all of this? I mean is that something we should be looking at? Clem?
DR. MCDONALD: Well, maybe not exactly to the point but hearing all this discussion makes me worry a lot that we could find a way to pour the whole national economy into this effort for no productive gain. When we're talking we don't really have a way to tell if anybody's looking at the records, well if nobody can tell does it matter that much? If people are learning it and keeping it a secret, that is is it just sort of an idea that someone might know but if there's no sentient signal to anyone in the universe that anyone else knows is it that important? I mean I think about this in terms, we've got 27,000 people a year in car accidents, well, hell, we could fix those up like Indy cars and no one would die, but we're investing in that, we're going to be investing in an immense amount of effort --
MR. HOUSTON: I disagree that nobody knows --
DR. MCDONALD: Well, if there's someone that knows, the way we detect, what I was going to lead to is we have some very good teeth in this rule, and if somebody does something that's, they sell it or they use it they go to jail. I mean in between that, if someone says, the daughter learned about it because the father told her, well, we got a nice signal there. We go back and smash him. The point is I don't know that we have to be, we either have signals that tell us what's going on and we have good tools to deal with them, this prospective and analytic, it reminds me of the Chinese in the 800's or 1200's, they had this great theory of life and everybody studied it like crazy, the courtyards, the courtiers, they all knew it. It didn't do anybody any good, I smell a little bit like the same thing going on here.
MR. HOUSTON: But here the issue is that is the case where often happens in a hospital environment where an employee looks up a fellow employee's records, and we're not quite sure which employee it was but it gets out that a certain employee had some procedure done or there was some issue, and all of a sudden there is an issue of, the issue arises and we have to figure out what employee did what.
DR. MCDONALD: Those are actually very easy to track without fancy systems.
MR. HOUSTON: But the point is is that often, the only time it ever comes to the fore is that something occurs and then we investigate it and then we find it out, but there is a latent issue that under the surface that unfortunately you don't see, which is, I know within our health system our employees are captive members of our health plan, which means they have to come to us for services, and you hear stories about employees absolutely being afraid of coming for services because they're afraid that one of their co-workers is going to go look at their record. And unless you have a good mechanism to ensure that when somebody does try to look at a co-worker's records that we find out about it to ensure that it wasn't inappropriate --
DR. MCDONALD: But is that documented, is the place emptying out, because I mean you can tell whether they're coming or not.
MR. HOUSTON: Unfortunately I'm using anecdotal evidence but again, I've seen it, we've investigated it, we've discharged employees ourselves but it does occur and I think that there is, when we decided to go to a captive health plan, our own health plan so you can only go to one place for your health insurance, that means you have to come to our system then to get services, there was a substantial outcry from the employees saying I'm concerned, I don't want my fellow employee looking at my record, I'm afraid that's going to happen. And the only way to ultimately get to the point where you have a high level of employee confidence and frankly consumer confidence is when you get to an environment where the auditing is such that it does trigger an inquiry when something seems, you went to one hospital for services but somebody at another hospital where that employee works is actually looking at --
MR. TRAVIS: We face kind of an interesting challenge because we do see, we see both ends of the spectrum, we have some clients who will more or less go status quo and bet that nothing bad is going to happen, and they might only do reactive investigation to things. Then you have the sadder but wiser, the privacy officer of the first client I mentioned who frankly now has gone way to the other extreme, wants to turn on, in our system we enabled audit ability in most anything an end user can do. And it is, it's an overwhelming audit trail yet this privacy officer wants to turn it all on, keep it online for 180 days, keep it near line for 18 months, living in fear that something could happen again and they're facing a multimillion dollar civil litigation right now beyond what the individual employees are facing criminally who were involved with this.
So I guess it is the perspective of has it happened to you or not as to what your opinion is going to be about the importance of the audit trail, as a system designer there's our spectrum. So we went to great expense to develop a capability that was neutral to that that you could bury yourself in data or you could be laissez faire and choose some more moderate, perhaps even not to use it at all, type of perspective.
So this is where you do get to kind of the use case as a best practice or a reasonable practice. We have this mandatory requirement in the security rule to have a system of accountability, what did you mean by that, it really is the most undefined open to interpretation sort of a definition and I would say that's an area the industry, right now that's what we're left with, we have some who say it's a procedural answer, I'm going to educate my staff, I'm going to assure that I monitor them through observation and things like that and trust that they won't abuse things, and then you have the privacy officer who has a multimillion dollar civil lawsuit pending, and my metaphor is when you get a corporate integrity agreement on the fraud and abuse provisions of CMS you're going to be told what your audit program is going to be and it isn't going to be laissez faire. You're going to have some very intrusive procedures for the period of time that CIA is in effect, and that could be one possible future scenario for bad issues of compliance violation.
DR. COHN: Bob?
MR. HUNGATE: John Houston used the term consumer confidence and I think there's a very important content issue there because the inter-linkage between privacy and security is pretty strong and consumer confidence is not as good as it once was in terms of whether they're being well protected by the system. It strikes me that the content is such that you almost need some of kind of a, in the accounting profession has gotten some trouble in its own management, so it's not necessarily the perfect model, but for me to hear that a hospital says we audit whether we do this or not doesn't rebuild my confidence. If there's somebody outside the hospital that audits against some kind of set of rules and I don't know how prescriptive they should be then it could start to rebuild my confidence. So I think somewhere in here there's something that, there has to be some, and maybe it's the Joint Commission and the way they go about it, I don't know what it is, but I think there's a content issue here, and I'm just using the visibility of it, not necessarily the reality of it.
DR. COHN: Clem?
DR. MCDONALD: Well, I'd like to clarify, I was not arguing at all that we shouldn't keep track of all the access, we do that, I was just saying that the prospective audits may be very difficult but there are signals that come back and over time we should be able to correct any of the clearly big violations fairly easily. But it's still, getting back to the employee thing, I don't care what you do at the computer, if I'm walking down the hallway with my skivvy thing half open in the back and there's other employees there, I can't protect that with any amount of computer security, that is they're going to see me and my butt in that hospital. So they may have some concerns about being in a hospital and the attendant of the computer controls that you can put over the bodies walking around --
MR. HOUSTON: Let me just say this, with the evolution of an EHR here you have a truly purely electronic medical records environment, you can't simply lock up the medical record inside the medical records department and know that it's safe. You have this concept of global availability and in fact in order to efficiently deliver health care and meet the needs of the consumers that record needs to be readily available from a variety of places and having a multi-hospital system, a very large one, we want it to get to the point where no matter where you happen to present that record is going to be available in its entirety so that we can deliver the highest quality care possible. But in that type of environment it's very easy for somebody in a very secretive way, almost anonymous, I shouldn't say anonymously, but without calling suspicion, raising suspicion, to go to look through a record. And you want to make sure you provide the appropriate access so the clinicians absolutely have the capability to deliver, get the information they need to deliver care, sometimes though that provides a level of access that unless there's an effective way to audit and log you may be opening up that record to a level of access, again, on a fairly, somebody could sit in an office and they can pour through, here they can look through a record, it's not like that have to go to the medical records department and check the chart out, that would raise that suspicion immediately. It does sort of change the paradigm though and that's I think what the issue is here.
DR. ZUBELDIA: All of these security provisions that you are going to be putting into your hospital system, you don't do that because of HIPAA, you do that because it makes sense. And I think that there has to be a distinction between what has to be done as HIPAA compliance, and what has to be done because it just makes sense to do it.
MR. HOUSTON: But I disagree we do it just because, in one sense we, there's a lot of things we should do that the economics sometimes don't allow us to do what we would like to. I agree that if we had all the resources that we could possibly have available we would do it, HIPAA acts as a catalyst I think often to do things that maybe we'd like to do that now we're saying we should, we have to put more money into, in other words because it's a compliance issue now it gives us another justification or basis for doing it. Health care people are good people, I mean we're not evil, they're not evil people, but still, at the end of the day HIPAA does raise the bar, it sets a standard, it sets a standard for which expectations with regards to security and privacy and I think it does change what we need to do and the level at which we have to do it.
DR. COHN: Steve?
DR. STEINDEL: John, I have a question for you. Kepa raised the point that you do it because you should do it, and not necessarily because of HIPAA. If the person that John Travis was talking about loses the multimillion dollar privacy suit what impact would that have on your security provisions, and especially with respect to HIPAA?
MR. HOUSTON: I think that clearly loss history, when you hear these types of events it does cause you to go back and reassess your position, absolutely, I'm not saying it doesn't. Certain things speak volumes and in that particular case, yeah, you hear about it and boy, you don't want to be the next occurrence at the University of Washington where 50 records were stolen and that sort of sent a chill down a lot of people's spines about how to protect their electronic health records environment. So absolutely, you want to do the right thing.
Again, I welcome, personally welcome the security rule, I think the security rule helps me accomplish some things that may have not been as high a priority, or I've been able to reprioritize so that it comes compliant now. We have a priority order in IT at least in my organization and at a high priority in my organization is compliance. So if something is labeled as a compliance initiative it gets a higher priority then a variety of other things. Now obviously patient care comes first, regulatory compliance may come second, system upgrades that will continue to allow us to operate systems and allow us to get vendor support also falls in there, too, but then a lot of stuff falls below it. So I'm saying, you make a lot of balancing decisions as to what you implement and what you do based upon funds available and other requirements.
DR. COHN: I'm not sure where to go other then to observe that to be the case. Kepa, you had an issue or question about electronic signature that you wanted to --
DR. ZUBELDIA: Yes, and I missed the testimony presentation from John Travis but I was glancing through it on paper and you discuss a topic on digital signatures, and this is a topic on which I have very special interest. And I sometimes wonder the question what would be best. About four years ago, three years ago, there was a lot of activity on PKI, and there's still some activity on PKI, not dead, but there has never been a lot of activity on signatures. And the special signature requirements in health care, for instance, archival retention, counter signatures, double signatures, multiple party signing the same document, signing encoded documents, what does it mean to sign an HL7 in the limited format, can the signer understand what they're signing, and all of that. And sometimes I wonder would it be better for the government to create an electronic signature standard, no necessarily CMS but perhaps NIST or somebody to create an electronic signature standard, rather then waiting for the industry to develop one that could be adopted by the Secretary.
MR. TRAVIS: I think that in particular because CMS is one of the parties to a lot of health care transactions that I think we viewed it running something like this, that when you got to having the claims attachment standard out, now you're going to enhance the probability that you would have electronically signed documents being transmitted associated to claims, that might lead to a vested interest to promote electronic signature standards to ensure the integrity and reliability of those signatures, that it may come through that kind of a process or with e-prescribing and exchanging medication history between pharmacists and providers and health plans or pharmacy benefit plans. That those both present you with very strong use cases for doing exactly that and I think there is a regulatory interest in both that would be interesting to see the government push.
I am familiar with a lot of the work the HL7, I'm on the Medical Information Committee so I view it from that perspective of managing the signature chain of trust if you will and how you keep association and the integrity of the signature to what you're signing. From a workflow standpoint our position is you do have to back up and look at how the origination and the signing and the management of the signature process plays in source system because you can't simply adopt this standard in space if you will between organizations, between systems, it has to be something that sending and receiving systems do both abide by in order to have it implemented consistently.
So we do have some organizations pushing ahead believing that state laws are requiring them to adopt this. This is an area that is very confused, we had as you said, the PKI initiative, some states were trying to press for very strong electronic signature requirements that implied digital techniques, then you had the National E-Sign Law that supposedly preempted any states because it was a matter of interstate commerce. We didn't see a lot of good use cases emerging in health care to say I outright need electronic signature to be digital for this because of this and I think that guidance still really suffers from being clear. But I think, I'm afraid we're going to wake up here not too long and suddenly have the requirement and not be real prepared.
DR. ZUBELDIA: The requirement is here, I mean with the e-prescribing the docs are going to need signatures. And the question that I have is the industry waiting for the government to adopt an electronic signature? Because I think the government is waiting for the industry to develop an electronic signature. So is the perception that the government has to adopt something before the industry, or the government has to define the standard before the industry will implement it?
MR. TRAVIS: I think that's very possibly the case both because of it being in the early security rule, and anticipating that it might come out as its own rule as a matter of requirement for claims attachments or e-prescribing. I think unfortunately there is a little bit of that, they're going to promulgate something, we'll react to it when we see it. It's not completely disregarding development of standards on the part of the industry, those efforts are continuing, but they really need a kick in the pants I think to get across the line and be adopted. And put into use. And a lot of workflow management around clinical documents in systems is going to have to understand to appreciate that standard so that's a serious investment and I think that may also play into why there's a little bit of a wait and see, let's see what emerges so we know for example what kinds of authentication, re- authentication and verification techniques we really need to support, are there going to be encryption methodologies and definitions of value defined the signed dataset that emerge.
DR. COHN: Kepa, you missed the early morning presentation from CHI where they were talking about NIST having responsibility under the eGov to try to come up with something though it still sounded like it was draft. And of course the question is is when will it stop being draft, which is a very reasonable question given the length of time they seem to have been working on it.
DR. ZUBELDIA: The work that I've seen from NIST centers on authentication and PKI, and I haven't seen anybody putting out any work that centers on how you actually sign a document, which is the standard that needs to be adopted, something for electronic signature. And how do you sign an HL7 document, how do you apply two signatures to a document?
MR. HOUSTON: I agree with what John is saying simply that most of the industry is out there waiting for somebody to dictate a standard, and that's I think, that is the issue right now, I hear it all the time.
DR. ZUBELDIA: And I don't think, from what I've seen, I don't think that there is anybody out there trying to create a standard for health care, it's more like waiting for the health care industry to develop a health care signature standard.
MR. HOUSTON: Then it's sort of the --
MR. TRAVIS: I think that's accurate and it's, most health care systems probably have some fairly weak authentication method used for re-verification like something that's password based, there's a lot of work that goes into both the management of the signature path, which gets into your routing of the documents for all the appropriate signatures, ensuring that the right precedence of signatures is established. But then there's also issues about, and it gets towards HL7's need or dilemma, how do I identify what I've actually signed and managed versioning and the dataset that's actually subject to encryption or subject to reference to that particular signature event. And I think that it's not a small development to ask for any of the health IT vendors so it is probably something that they're waiting for clear guidance on. HL7 has done some work but I think you read it correctly, it's the hesitancy both ways.
DR. COHN: Jeff?
MR. BLAIR: Help me with this and I don't know whether this is going to be John or Kepa, but there was an attempt, I remember ASTM created these digital signature standards which seemed to at least meet a number of the requirements for non-repudiation and authentication but I thought that it wasn't adopted for the most part because it was just very complex and you had to wind up having the certificates and you needed a whole infrastructure for the certificates, which there was some entities that were starting up to try to do that but I just haven't heard anything in this last year or so. Did that fade away? In short, why have digital signatures died? Is it too, I've mentioned a couple of things, the complexity, the other thing is the certificates, was there more then that as a reason or did it even not need all the requirements?
MR. TRAVIS: I think part of the reason it may have died was that the focus did swing very much towards authentication and that authentication did not literally have to have a digital technique applied, it just simply had to be two factor, most vendors and probably most providers only invested in what they needed for their purpose at hand. And absent a requirement to use certificates or digital techniques for authentication it died because there was no real impetus for digital signature as a mode of electronic signature of documents to then be supported or pushed. So authentication was where people's heads were at three years ago, four years ago, when it looked like we might have that kind of requirement possibly emerge in the security rule. But absent that I think it has withered. It's going to wind up getting impetus again through if nothing else e-prescribing, other required modes of information sharing electronically, so it's not going to remain dead, I think it will get revived.
MR. BLAIR: Your answer surprised me a little bit because I thought it died because of technical difficulties in implementing it.
MR. TRAVIS: It did die of some cost issues and technical difficulties at the time, I think those technologies have come a fair way in the last several years and continue to come a fair way. It really was a cost factor at the time that helped kill it as well.
MR. BLAIR: I thought what I heard you saying in your reply was with e-prescribing and some type of a government incentive I thought I heard you saying it still is a viable approach, is that correct?
MR. TRAVIS: I think that there is going to continue to be a requirement for a trusted reliable signature method applied to electronic data shared between organizations and that does get you into the questions of what is a trustworthy signature, what are the requirements for it. Most people will go to conclude it's something that measures pretty close to what we saw in the definitions of a digital signature. Now if that literally is the requirement, the only path, or if it's conveyed by some kind of secure token or secure certificate by other means, I mean predominantly from the authentication standpoint you either could present smart card that would have your certificate on it, you could present tokens that are pluggable tokens, things like that, so there's a variety of methods that could achieve a secure signature. I think the costs of those have gone down and that may make it more viable now.
MR. HOUSTON: I think it all goes back to what we were talking about before with security which is people will then spend the money once there's a compelling, a requirement to do so. I think it is going to be a fairly expensive undertaking nonetheless.
DR. ZUBELDIA: And it's an area where perhaps since the industry is clearly waiting for the government do so something, and the government is not, I don't think is ready to do anything about it yet, perhaps this is an area where the best that can be done at this point is to have a designation of compliance given to certain technologies or certain processes, like the global e-sign act, although it requires that you write your name at the bottom of an email, and something like that and that's enough. And perhaps for prescriptions for filling drugs there should be an indication from the department that says there has to be more authentication then just somebody --
MR. HOUSTON: It's not just authentication, it's repudiation and everything, repudiation and other things, I think it's very tricky also --
DR. ZUBELDIA: And it all is contingent upon what are the attributes desirable from a signature, because today when you sign on a prescription pad there are no attributes to that, nothing is preventing that prescription from being changed or from the signature being forged or from anybody validating the signature anyway because when it gets to the pharmacy they don't know what your signature looks like. So I think that we're jumping from the low technology level where we are today to an infinitely secure signature that has certain attributes that are maybe not even necessary but because the technology is such it's in the hands of perfectionist propeller(?) hands like myself that like to have the best signature possible, but we may never get there.
MR. TRAVIS: The suggestion of guidance or standard reminded me of some, it does need to go back to what are the attributes of a valid strongly trustworthy signature, it's not a method, I don't think we would ever suggest you specifically specify methods but you do define attributes that those methods have to measure up to.
DR. ZUBELDIA: I'm even questioning the strongly trustworthy signature, because that's not an attribute required today.
DR. COHN: I think the DEA might disagree with you.
MR. HOUSTON: Can I make a statement? I think the issue is it comes back to the issue of electronic information versus paper and the global accessibility of an e-signature and the thought that if somebody presented a script from a physician to a pharmacy that the pharmacy maybe didn't recognize the physician's name or hadn't, or something of that sort, would they question it today, and what is the ability of somebody to gain the system, I understand it definitely occurs, but does it become a much more global issue by all of a sudden having it in an electronic form that can, I don't know the answer to that, I'm just questioning whether that's part of the case, too.
DR. ZUBELDIA: We're just still feeling the taste in our mouths with the HIPAA transaction requirements, where there are additional data requirements that were not there before and are causing all kinds of problems because the industry wasn't ready for that. And perhaps as a stepping stone towards that goal of perfect signature perhaps there should be some less then perfect workable, I'm not saying just write your name at the bottom of the prescription, I think it has to be a little bit better then that, but some workable mechanism that would enable e-prescribing for instance.
DR. COHN: Clem?
DR. MCDONALD: Well, actually to be a little disrespectful about how intense this prescription issue, in some countries you just go to the drugstore and you get what you want, people are allowed to do that and they aren't all dead, so it's not the worse thing. The second thing is much of the prescription kind of intensity comes from worry about if we God's sake would ever give a narcotic to somebody who didn't need it or who might like it, of course this at the same time we go to this thing where you've got to write down how much pain they have and why you're not giving narcotics by almost by regulation, so I would support your position that we don't, at the same time it's coming across in truck loads, we worry about these milligram amounts that leak through the medical system in boats, big shipping cranes of narcotics, so I think that we sometimes get out of whack so I would support your position of some more modest steps to get something done.
MR. HOUSTON: The signature depends on the level of narcotic, a narcotic of a certain class would require a certain --
DR. MCDONALD: Well, I mean there's sort of an intent or a goal that we would all have to do or electronic prescribing to get a narcotic, a class II narcotic. My point is it will have no measurable effect on the total narcotic use in this country. They're measured in tons not in milligrams because of the other mechanisms for getting narcotics.
DR. COHN: I'm going to change the subject just slightly if that's okay, is that okay? Well, I was actually going to ask both Roslyne and Tom because they've been sort of quiet and listening to this techno talk for the last while. One of the questions I had coming into this particular session was really, we have the privacy rule and I think Roslyne you commented, and Tom also, that we've gotten a lot of the way towards security because of the privacy rule, and I was trying in my own to decide is what's left of security rule that isn't in privacy, is that something that's so hopelessly technical that it really needs to be handled by the security subcommittee, by the HIPAA standards crowd, as opposed to the Office of Civil Rights and the NCVHS Privacy Subcommittee. Now I probably have answered my question just listening to the last hours worth of conversation, it probably does deserve to be over here but I'm curious about what your thoughts are in terms of implementation and what makes sense in all of this. I think there's been long debates about whether security is really a standard or whether it's a, something more along the other lines. In terms of assuring a reasonable implementation here who should take the lead, how should this best go? Tom, do you want to --
MR. WILDER: I guess we're waiting for the other to take the lead here. I think it's appropriate to keep the discussion in a whole bunch of different forums because there's a whole bunch of different aspects to it. There's some pretty highly technical IT standards that need to be addressed by various groups. There are some legal enforcement issues that need to be handled through probably OCR and through other places within HHS that deal with more the legal enforcement side. There's just some issues of developing best practices that need to be handled by those groups that talk about best practices, so I don't think there's any one central place to talk about security.
MS. SCHULMAN: And I think, if you just look at the rule itself there are three aspects of the administration, the physical and the technical, you're not going to find one home for all these and it's appropriate for you folks to be trying to sort some of that out.
DR. COHN: Obviously I was just sort of observing the breadth and the fact that this security rule seems to live in different places depending on your perspective on all of this.
Now I heard somebody, I think John Paul already left thinking we were getting ready for a break. I do think it probably is time for a break so why don't we take about a ten minute break and we'll wrap this up, talk about other things that need to be handled by the committee, and if we're lucky maybe we'll actually get out of here before the ice gets too thick outside. So let's take a ten minute break.
[Brief break.]
DR. COHN: Okay, why don't we get started for the last session. I don't think we're completely done, we probably didn't really complete this session. Maybe John Paul, would you like to, I think we really just sort of need to wrap this up and figure out sort of where we are and next steps. From my view, obviously we've heard a lot of things and have sort have gone off in a number of different directions. I was actually hoping that John Paul might be able to put it together a little bit in terms of thoughts about what we heard and sort of next steps.
MR. HOUSTON: In talking to Simon briefly at the break, it sounded like, if you ask me I think the dominant issue in all of this again relates to logging and auditing and that particular aspect of the rule and that really seems to be from what I can tell the one big thing that stands out there I think we probably need to think about and comment on maybe come up with some alternatives or at least some recommendations. Nothing stood out to me personally that, and again I think there was a lot of good discussion, but it sounded like a lot of what was going on was manageable with regards to the rule and I think that auditing was a big thing. I think e-signature, though I think it's a concern, is really going to be consumed within --
DR. COHN: I think it's likely to hit head on with e-prescribing.
MR. HOUSTON: -- e-prescribing, so we're probably best off to let that one go to the point where we really deal with that directly. And I think the other potential topic we may want to ensure we comment on relates to guidance as well as enforcement or how is CMS/OCR going to deal with the issue of the privacy/security complaint, which nobody's quite sure what it is or if one morphs to the other, and how are we going to deal with guidance that maybe overlaps between security and privacy because I think there is an overlap there. So I think that might be the other topical area that I see personally, I mean I would, I'm going to go back and read through each of the testimony again just to make sure I haven't missed something but are there things otherwise that really are way at the fore that we need to consider?
DR. ZUBELDIA: J.P. I think I heard very clear at least from Tom and Roslyne the agreement that flexibility is good and that the flexibility in the regulation should be preserved, that that is a good thing.
MR. HOUSTON: That's a good point. I would add that to the, even though I think to some degree John was sort of thinking, I think I can draft it in a way that meets everybody's sort of comments with regards to flexibility as well as other sources of guidance.
MR. TRAVIS: I would agree the auditing thing sticks out as the one mandatory requirement if you will that just lends itself to the need for definition and guidance, and is the one area where the state of the art if you will in health care IT is probably not where it needs to be as a starting point and that starting point is kind of a two year comment because it takes a while, I think newer generations of systems are there but they still are decentralized, I mean they still are probably logging relatively to their own audit logs, the security of those audit logs is probably debatable, and there's not a real great way to share that data or harvest that data to a central type repository.
I think one thing I didn't mention, when we got into our own development effort we got approached by every technology under the sun from ERE vendors to data mark technologies to deep dark IP, intellectual property rights protection type technologies, and they all offered to solve the problem so I can imagine what it's like for the security administrator at a large health system or at a health plan and who's pitching to them in terms of who can solve this problem.
DR. COHN: Other comments?
MR. WILDER: I think from our standpoint those are kind of the high point, in terms of putting together some comments or recommendations for the Secretary.
DR. COHN: I mean my sense is that everything that I'm hearing leads me to believe that we're still sort of in the early phases and that we really have not, I mean I think the comments Roslyne that you were sort of making about the fact that everybody's been sort of preoccupied with all of the other things coming in is I think, obviously caused people to sort of only now be focusing more on the security rule, so I suspect that we'll be sort of following this up with conversations as the year goes on. And I suspect that they'll be more things to identify and comment on and certainly we'll look to CMS and the Office of HIPAA Standards to, I think we're all learning how best to support these sort of massive industry implementations and hopefully we can take the learning's from the previous and apply it to this one. Yes, Carol?
DR. BICKFORD: Carol Bickford, American Nurses Association. What I'm hearing is that we are automating our current business practices and I'm inviting us to think of new ways of doing business and actually making sure that what we're trying to do is the appropriate action. Are we truly looking at our business practices in a different way, are we looking at our decision making as being the accountability piece or are we just accounting for tasks? So I'm just sort of tossing out something that Clem was talking about sort of, which was are we really looking at the important things in the great scheme of life? Are we locking down things that shouldn't be, that we shouldn't even be recording, or recording and setting up new business rules? Sort of looking at the enterprise, so I'm just tossing that into the pot for a think about.
And if we are looking at improving our health care system who should be doing that? Is that an NCVHS initiative as we have an opportunity to do some really innovative things as we move forward with our electronic health record initiative?
DR. COHN: Does anyone have comments? Thank you for the thought. Okay, well I think with this I think we'll I think complete this session so Tom and Roslyne we sort of made you sit up there just to finish things off but we wanted to make sure that we were sort of all together here.
Agenda Item: Draft CHI Recommendation Letter - Dr. Cohn
DR. COHN: Now you can feel free to sit there for the next session, we're really going to be talking about the CHI letter at this point, or if it is easier you obviously see the screen hopefully sitting back there. Steve, are you going to be sort of running through the letter for us?
DR. STEINDEL: Yeah, I think what I'll do is project --
I'll start with just where we left off with after the last session, which is I think the last three or four bullets starting with encounters, and then we can return to the rest of the letter. Now please realize that to the full committee we will be distributing the draft letter plus all the CHI documentation which follows this letter, and some of which has modification and some of which is just plain, so the actual letter that we will be distributing on Thursday will be a little bit thick.
The first that we talked about this morning was clinical encounters, what now reads you can read on the screen but I'll read it to you, concurs with the recommendation for clinical encounters as modified to include the explicit notation of the CHI noted gaps. It is our understanding that CHI intends for the definition of an encounter to refer broadly to all types of practitioners interacting with patients.
MR. BLAIR: Could you change the word our to it is the NCVHS's understanding? Or it is the understanding of the NCVHS?
DR. FITZMAURICE: Or NCVHS understands?
MR. BLAIR: Yeah, something like that.
DR. STEINDEL: NCVHS understands that CHI intends for the definition of an encounter to refer broadly to all types of practitioners interacting with patients. While we feel the definition encounter encompasses all encounters between practitioners and patients some explicit clarification may be order. We finally note the CHI workgroup scope was narrowly defined and many encounters observed in health care, such as from patient provided data as might exist in a personal health record or as might be enumerated in an electronic health record, occur outside this scope. Wordsmithing comments.
DR. ZUBELDIA: I would remove the word finally.
DR. STEINDEL: We note.
DR. COHN: Marjorie?
MS. GREENBERG: I don't really think you can refer to patient provided data as necessarily being an encounter, I suggest the following for the last paragraph rather then, this last sentence rather then what you have here. We finally note the CHI workgroup scope was narrowly defined, an electronic health record would include many other sources of information such as those from ancillary services or a personal health record, which are outside of this scope.
DR. STEINDEL: But I don't think it's totally appropriate.
MS. GREENBERG: Well, what we have currently doesn't really make sense to say alright, we all agree with this first phrase, we finally note the CHI workgroup scope was narrowly defined. But then it says and many encounters observed in health care, such as from patient provided data, I don't think that's an encounter observed in health care, patient provided data.
DR. STEINDEL: Patient provided data could refer to encounter type situations that do not strictly meet the scope of the clinical encounter as defined as a practitioner/patient relationship.
MS. GREENBERG: How about many encounters observed in health care that might be enumerated in an electronic health record as well as patient provided data occur outside the scope? I don't know, I just have a problem --
DR. COHN: Well, I agree with you, I have a little problem with this, too, but I guess the question I have is that I think we're describing basically the patient, the act of the patient providing the data as actually another encounter isn't it, I mean the patient interaction with the record, I mean that's the part to me that's confusing here, and I think it's part of the problem.
MS. GREENBERG: This is somewhat unique, I don't know that there's much --
DR. COHN: Is that an encounter or not?
MS. GREENBERG: -- a lot of acceptance of that as being described as an encounter.
DR. STEINDEL: The problem that I'm hearing is that we have a problem with the question of patient provided data, may I suggest we break the thought and we note the CHI workgroup scope was narrowly defined and many encounters observed in health care as might be enumerated in the electronic health record occur outside the scope. Then add another thought concerning the patient.
DR. COHN: Very good, okay.
DR. FITZMAURICE: Simon, could I raise a question? Does this conflict with HIPAA's use of the 837 for clinical, I'm sorry, for encounters?
MS. GREENBERG: It's contradictory with that sort of.
DR. FITZMAURICE: HIPAA encounters versus clinical encounters? If there's overlap in the data definitions do we go with the HIPAA definitions? That's the thing I'm raising.
DR. COHN: Well, we brought that up, were you here earlier for that conversation? I don't know that we really ever resolved it --
DR. FITZMAURICE: Maybe my confusion just stems from the fact that we didn't resolve that.
MS. GREENBERG: Bill Braithewaite(?) made an interesting comment to me, he said he really felt that encounter was a billing concept, it wasn't a clinical concept, so it was almost like an oxymoron to talk about clinical encounters, that I think episodes was more a clinical concept.
DR. COHN: Well, I did, we did certainly all reflect earlier that most of us think of an encounter as a billing encounter, I mean that's how our systems are set up, the type of data we get, whether or not we're involved in the actual act of billing or not. Hadn't we in this one also talk about the reconciliation, is this the one we had the reconciliation between billing encounters and, didn't we actually have that as a thought here that had gotten lost?
DR. STEINDEL: We actually discussed that and we also discussed a lot of similar types of thoughts and I just encompassed it with the statement that these are the type of things that might be enumerated in an electronic health record.
DR. COHN: Well, but that I think is a different, I agree with what you said there but I'm just wondering if this is an additional concept or an additional recommendation, because I think we said, I mean we said there are lots of things out of scope but I think we also said that there are, I mean finally, I think that there's, once again I apologize, I'm sort of stuttering here, it was sort of this sense of maybe some reconciliation between this concept of clinical encounter versus the concept of billable service, I don't know. I mean that was sort of, that sort of does bring up that issue again.
MS. GREENBERG: That's why I had mentioned, specifically mentioned in my rewrite about ancillary services, that seems to be a big area where that would definitely generate, as a service it would generate an encounter form but it doesn't seem to meet this definition of clinical encounter.
DR. STEINDEL: Simon I was trying to wordsmith during the time we were having that discussion and I think that there is a separation between a clinical encounter and a billing encounter. The fact that the two of them are the same a lot of the time is I think more coincidental.
MR. BLAIR: What if you included at the beginning of this phrase a distinction and point out clinical (not billable), (not necessarily billable), so you point out right at the beginning of this letter paragraph here of our observations that we're distinguishing between clinical encounters and billable encounters.
DR. STEINDEL: The CHI document actually lists billing encounters as being out of scope, so they explicit state that, if you would like it repeated I can.
MR. BLAIR: I'm just saying from the standpoint --
MS. GREENBERG: For this domain.
DR. STEINDEL: Yeah, for this domain.
DR. ZUBELDIA: I think that there is a distinction here between a billable encounter and the billing for an encounter, and the billing for an encounter is out of the scope, but the encounter is an encounter, it's the same thing, but the billing for it is different from the clinical reporting of it.
DR. COHN: Unfortunately that's not where they came to, though.
MS. GREENBERG: The ASTM definition will exclude clinical services that are ancillary in nature and don't involve --
DR. COHN: Kepa, I think we were talking around this whole point as you were describing, which is that we were trying to figure out what the business case is for this particular concept, or the use case or whatever you want to describe it and I think we sort of keep struggling with that one. I'm beginning to wonder if there's something really that's wrong here that we need to say but Mike, do you have a comment?
DR. FITZMAURICE: I guess if we could show that it has a different use, different use case to use Stan's term, then the encounter that's envisioned in HIPAA, I think what's envisioned in HIPAA is here's a record of the encounter, such as for an HMO that doesn't bill by the encounter, but it contains the same kind of information anyway so you could do a pseudo aggregation of charges to see how much to pay the HMO, you could aggregate to do HEDIS measures and other things. That's what I sense that HIPAA is to be used for. If this has a different meaning, that it's more detailed clinical information and is used by different people then I think it's fine, but I don't want to try to invent the same thing that already exists for the same purpose.
DR. COHN: Clem?
DR. MCDONALD: If you read over the CHI thing it really was defined as looking at vocabulary that it needed in the context of encounter, and I think the difference, there is a difference, it's the object that you have to have if you're billing a clinical record to know who did the service, to follow through to the results and the findings and the other parts of the other objects, it's an important link that's both an aggregator and provides the other things you needed to know about the roles and who's doing what to what. So we don't know what kind, so you got a lab test down there, you don't know if it's a hospital based one unless its got an encounter attached to it which you can group it by and that says those kind of things. So I thought if you look at the CHI recommendations it wasn't, it didn't really conjure the kind of concerns you're describing in this thing because it's not a message, not talking about a message --
MS. GREENBERG: Yeah, talking about vocabulary.
DR. MCDONALD: Talking about the vocabulary that goes along with the fields that you find in an encounter as you would see it in a database is how I view it, and use a couple different heuristics to find those, including looking at the ASTM definition which then didn't have any vocabulary specifics in it.
DR. FITZMAURICE: -- adopting HL7 for the standard for this and we've adopted X-37 as the standard for the HIPAA encounter, do we have a conflict in vocabulary for the same thing?
DR. ZUBELDIA: No, the 837 has been adopted as the standard for reporting the encounter for billing purposes.
DR. FITZMAURICE: But it can also be used for the encounter not for billing purposes, it's one of the categories.
DR. ZUBELDIA: Sure, but it's still reporting between a provider and a payer of an encounter. The encounter is going to have a lot more information then what is reported, and not all encounters have reportable for billing purposes or for payment purposes.
MR. BLAIR: Why can't we reconcile this in that sentence where you wound up indicating that this has a narrow, what was it narrow definition, narrow scope, that phrase, and then you said the and after that, you know where I'm talking about, Steven? Like your last sentence I think?
DR. STEINDEL: Yes, we note the CHI workgroup was narrowly defined in many encounters --
MR. BLAIR: Narrowly defined, I'd do a period there, okay, and then for the rest of that phrase I'd just simply make the statement NCVHS understands that the following is out of scope, and that includes billable encounters, that includes --
MS. GREENBERG: Well part of the billable encounters are in scope, that's the problem.
MR. BLAIR: Maybe it's Kepa's phrase, what was your phrase, you didn't say billable encounters you said information for billing or something like that?
DR. ZUBELDIA: The reporting of the encounter for billing purposes.
MR. BLAIR: Reporting of the encounter for billing purposes, that's a more accurate statement.
DR. FITZMAURICE: But under HIPAA there's an encounter data that's not for billing purposes, and I'm only saying is if you have the same variable in both are they defined the same, and if you use HL7 vocabulary for one and 837 vocabulary for the other there may be a conflict if somebody goes through and makes that comparison.
MR. BLAIR: But even if that's true, Michael, this is just talking about CHI, the way they've defined it, and the way they've defined it that would be out of scope for this definition.
DR. FITZMAURICE: But it may conflict with the definition of an encounter and the variable that was used for an encounter --
MR. BLAIR: Maybe it does conflict, but that's a different point.
DR. FITZMAURICE: So that gets back to who is using the encounter and who is using the HIPAA encounter, who's using the clinical encounter versus who's using the HIPAA encounter, and since we haven't gotten to the users, that is the use case, I don't know the answer.
MR. BLAIR: I was just simply trying to nail down the scope, that last sentence, to get it clear and full.
DR. FITZMAURICE: And I'm just trying not to avoid having the same encounter definition and the same variable, that they don't match.
DR. COHN: Well, Michael, I actually sort of agree with what you're saying, I'm just trying to think if we, isn't that sort of what we need to say?
MR. BLAIR: Maybe the phase is that we find that the codes used for clinical encounters is not mutually exclusive with the code for HIPAA encounters.
DR. COHN: Marjorie?
MS. GREENBERG: Maybe Steve who is the source of all knowledge here, when the subcommittee and then the full committee commented on the billing domain --
DR. STEINDEL: That's what I'm looking up right now.
MS. GREENBERG: -- say something about the need for harmonization?
DR. STEINDEL: I believe they did and I'm in the process --
DR. FITZMAURICE: That I think is the way out of it is to make a recommendation of the fact that they harmonize their definitions of the same variables they have in common with the HIPAA encounter so that there's not a conflict.
MS. GREENBERG: It's not just the variable, it's overall kind of gestalt.
DR. COHN: Well, it's the definition of encounter.
MS. GREENBERG: -- the definition of what constitutes an encounter more work needs to be done on harmonizing these.
MS. GREENBERG: It seems to me it was the national committee that said something about it.
DR. MCDONALD: Let me clarify what they actually say in the CHI, and this is really the focus was on ADT answer messages, these are not going to be direct overlaps --
MS. GREENBERG: Not going to be what?
DR. MCDONALD: The same stuff is not going to be in both messages, they'll be some overlap I'm guessing, I didn't list them. Concluded that 17 data fields that hold identifiers do not require standardization because they're really just, they're not vocabulary issues because they're dates or numbers, seven should use the national provider system identifiers once they're available, and it goes on and it says there's 16 fields that have elements for about admission information, transfer patient moving information, discharge information, provider information, accident information, death and autopsy information, these are the kinds of data elements they're talking about.
DR. COHN: Well, Clem, I actually don't think our question has to do with the ADT/HL7 transaction, I think what we're sort of hung up on is actually the ASTM Definition of clinical encounter and what exactly that means in all of this, which is on the first page, and how it really applies and it seems to almost create more confusion then it does clarity, sort of like how does it relate to the rest of the world is I think what we're sort of --
MS. GREENBERG: Except I think Clem was getting at what Gregg was saying, Gregg Seppala, if they tried to extend this HL7 message, well, vocabulary, the thing that's a little unclear to me is an HL7 message does include vocabulary, but anyway. If you try to extend what they've adopted for their definition of clinical encounter to these other types of services it's difficult because you don't really know always who did them and the roles and at least who's responsible and everything isn't necessarily clear always with these services.
DR. STEINDEL: I've tried to craft something and may I ask the opinion of the committee, it's the last part of this paragraph, I'm not sure if structurally it belongs there or not. I said NCVHS knows that a similar concept of an encounter exists within the HIPAA process and harmonization should occur between the two.
DR. FITZMAURICE: It points out the problem.
DR. STEINDEL: What I've heard from the discussion is that that is what seems to be the essence of the problem and our job is not to solve the problem in this letter.
DR. COHN: We've already tried.
DR. STEINDEL: Now we can attack wordsmithing and position if we'd like.
MS. GREENBERG: I would say the scope was somewhat narrowly defined, I don't think it's that narrow, it's all the interactions between patients and practitioners, I mean that's a lot, by saying narrowly defined it sounds like it's really a small piece but it isn't, not the full Monty.
DR. ZUBELDIA: Well defined.
DR. COHN: No, actually it was not well defined, we actually thought it was narrowly defined.
DR. STEINDEL: I think narrowly encompasses the sense of the --
DR. COHN: I actually thought that there were a lot of things we pointed out that were sort of not included in all of this --
MR. BLAIR: Maybe now that you've added that sentence about the need for harmonization maybe we don't even need that sentence anymore about the scope, scope is already in the document, we understand what the scope is, and the issue is the need for harmonization with the billing.
MS. GREENBERG: We could just say that we note the CHI workgroup scope does not include many encounters observed in health care as might be enumerated in an electronic health record. But then you only have to refer to scope once as opposed to saying it's narrowly defined and these things are out of scope, you can just say that we note that it doesn't, that the scope did not include, just kind of making that --
DR. COHN: That's actually okay, so the scope does not include many encounters --
MS. GREENBERG: -- encounters observed in health care as might be enumerated in an electronic health record. I think that makes it a clearer sentence.
DR. STEINDEL: Repeat that Marjorie.
MS. GREENBERG: We note the CHI workgroup scope, and just get rid of was narrowly defined, does not include, then the rest of your phase, does not include many encounters observed in health care as might be enumerated in an electronic health record, period. I think fewer words and says the same thing.
DR. HUFF: Up on the second sentence I think we can clean that up a little more and just say NCVHS understands that the CHI definition of an encounter refers broadly to all types of practitioner interaction.
MS. GREENBERG: See I have a little wonder about that, it doesn't include pathologists interacting with patient specimens --
DR. MCDONALD: No, but if they went and did a biopsy it would.
DR. HUFF: I was just trying to fix the grammar, I wasn't trying to do anything with the content.
MS. GREENBERG: Maybe you should say NCVHS understands that the CHI definition of an encounter refers broadly to all types of practitioners interacting with patients: however this may require some explicit clarification may be needed. Because otherwise it gets pretty repetitive.
DR. HUFF: So if you want to improve the content, the real issue that we brought up in regards to that is that we shouldn't interpret the ASTM definition to mean that only a physician could exercise independent judgment about the patient, diagnosis or treatment.
MS. GREENBERG: Well, I wouldn't have interpreted it that way but I do question whether, it's a little unclear to me whether the ASTM definition includes a health care practitioner who is functioning under the supervision, the direct supervision of another practitioner. So certainly if a nurse is providing some services within the context of a visit which the principle practitioner is the physician, then those nurse services don't represent a separate encounter, they're part of that encounter is my understanding. I think it's a little unclear myself.
MR. BLAIR: Steve, why don't you read what you have?
DR. STEINDEL: I was going to suggest since we've made numerous changes why don't I reread the paragraph as it exists right now, and we can comment on wordsmithing on what I have. Concurs with the recommendation for the clinical encounters domain as modified to include the explicit notation of the CHI noted gaps. NCVHS understands that the CHI definition of an electronic, of an encounter refers broadly to all types of practitioners interacting with patients, however some explicit clarification may be in order. We note the CHI workgroup scope does not include many encounters observed in health care as might be enumerated in an electronic health record. Additionally, patient provided data as might exist in a personal health record is outside the CHI scope. NCVHS notes that a similar concept of an encounter exists within the HIPAA process and harmonization should occur between the two.
MS. GREENBERG: I think that sounds good myself.
DR. COHN: I think the only question I have, and I have to ask Bob Hungate on this one, I'm now looking at this, I'm fine with everything, I'm just wondering the relevance of the personal health record data as this has evolved. Do you still feel it's relevant or does it seem a little bit out?
MR. HUNGATE: Well, I asked about the personal health record in order to lessen my own misunderstanding. I'm not sure I've made progress in listening, because I'm not sure that I understand what this is now, because I can, the result is that the personal health record is not part of CHI, okay, maybe that's right --
DR. MCDONALD: Well, to clarify, this isn't defining the whole scope, this is all aimed at defining vocabularies --
MR. HUNGATE: That's not what that says, it says it's outside the CHI scope.
MS. GREENBERG: The CHI definition of a clinical encounter.
DR. MCDONALD: All these scopes had to do with vocabularies, that doesn't mean that they're not going to do anything else.
MR. HUNGATE: I understand. I don't understand is also part of what I'm saying, that I don't understand the interactions of all the definitions and the vocabularies and what's in there and I was trying to for my own edification ask questions of how is the personal health record dealt with because I thought it might be important. So that says it's not in this domain so therefore I would conclude it must be in another domain or it's not in the whole thing.
MS. GREENBERG: Well, it could be like in that history and physical domain which hasn't been addressed yet.
MR. HUNGATE: So that's what I was trying to get at, was the content question, where does the content appear and how does it get in.
MR. BLAIR: So the bottom line is that you're not suggesting that we refine the wording on this any further.
DR. COHN: Well, actually Steve is doing a good job for this one, the question though, we should look at this one and probably see if this makes more sense. The pregnant question is is there a bullet at the end that says we recommend that work be done to identify terminologies for patient interaction with the personal record in the next stage of a CHI activity, I mean that would be --
MR. HUNGATE: That might be the answer. The other comment that I had was that in the domain/sub-domain in scope and out of scope, we could just put another item at the bottom of it that said personal health record. In the table it was on the earlier page and it wouldn't need reference here because in the discussion of the attachment where within clinical encounters it says yes to admission, transfer, discharge, provider, accident, death, and autopsy, and it says no to allergy, demographics, etc., so a no would also be to personal health record.
DR. COHN: So basically you're saying enumerated in electronic health record or personal health record, is that what you're saying?
MR. HUNGATE: That in the domain/sub-domain inclusions and exclusions, on the first page of the attachment.
DR. STEINDEL: I'm actually more comfortable with what Bob is suggesting right now then the sentence appearing here, and we can just change the first sentence to note that the modifications that we're recommending include the exclusion of the personal health record in their document.
MS. GREENBERG: As being in scope.
DR. STEINDEL: Yeah, we'll just modify the document as Bob just suggested and make a note of it.
MR. HUNGATE: That doesn't take care of my other question, how does the patient reported information get in and that's another --
DR. STEINDEL: That's what, it's starting to concern me more and more about this sentence existing here because it raises a lot of other questions that really the clinical encounters domain workgroup and CHI as a whole may not, has not addressed.
DR. COHN: So is there a way for us to take that question and put it in as a we recommend in a next phase of CHI work that the issue of patient reported data be considered?
MS. GREENBERG: If we want to make that recommendation it would be timely.
DR. COHN: That's right, exactly, and works well in the letter.
MR. HUNGATE: The reason, one of the reasons I think it is important is that the patient data may not get into the database, experience that don't get into the database of medical information, like adverse effects that don't get reported, where the personal health record will be a good avenue for some of those things, so it's the way we have to do the enrichment of information.
DR. COHN: And we absolutely agree with you, we're just trying to figure out where this fits in with this letter.
MR. HUNGATE: I understand that. But it may not be a domain specific comment is all I was wondering, if whether it's a generic overall comment as opposed to a domain specific.
DR. COHN: I bet we'll see this being addressed in some way as a domain sort of in the same way that multimedia is considered to be a domain or history and physical is considered to be a domain because these are pretty generic, I mean really they're taking slices of this, if you think about it that applies in many settings, so I think it actually would be appropriate for them to take it.
MS. GREENBERG: Sort of like legislation, this is the opportunity to say it. You're right, it's broader then this particular domain.
DR. COHN: So in our letter can we at the very end sort of say something about the recommendation for another stage, the next stage of work?
DR. STEINDEL: No, because it changes the format of our style letter. Yes, we can.
MR. HUNGATE: This is a little out of sequence but it's germane to the same thing. In the disability section it would be natural to think also about health status reporting, which comes back from patient reports, the SF36 kind of thing that people might do on an annual basis, and that section talks about not making a recommendation at this point, but I wanted to raise a question about philosophically saying whether we expect to get a single standard on things like patient status and stability and whether there's a broader topic there.
DR. COHN: You're asking a really good question which we sort of, we deliberated on quite extensively, let me see how I can best describe this one. There were two issues that were brought forward by the disability workgroup in their recommendations. One of them had to do with the, actually there was one but we observed that there were two, the one issue that they really brought forward ad to do with the issue of questionnaires, a la SF36s and all the questionnaires and how did they codify them, and we were having a hard time with existing terminologies and we were sort of recommending that they needed to explore more of a question and answer terminology a la the LOINC style or something like that to basically be able to represent that.
But then there was also the other question which they really didn't talk about, which was representing the concepts of disability, which were sort of left unstated. But clearly the part that they were really having conundrums with were around this issue of these sort of question and answer, select one through five of severity and all of this stuff. So I think we had recommended that they needed to do more work on it with the hope that maybe that would be in the next phase of activity also.
I don't know if that quite answered your question, I can only say that they I think were questioning the same issue you were, we tried to advise them of what we thought were reasonable solutions, and we don't have a solution today for them, nor do they have for us.
DR. STEINDEL: I wasn't following but I would suggest that we return to like the past discussions when we get finished with the next three.
DR. COHN: Okay.
DR. STEINDEL: I was working on the --
MR. HUNGATE: It was related to the personal health record and that's why --
DR. STEINDEL: What I've done is added a paragraph just before our standard closing paragraph, it's a one sentence paragraph and wordsmithing is always appropriate. During our deliberations on the scope of the CHI work we have observed that the personal health record has not been explicitly discussed and we encourage investigation during future CHI investigations.
DR. COHN: Okay, that's great.
MS. GREENBERG: The vocabulary for the personal health record has no been explicitly discussed. Well, messages or vocabulary I guess.
DR. STEINDEL: I would just say in general they haven't discussed anything about --
MS. GREENBERG: You're right. And we encourage this investigation in the future.
DR. COHN: Future CHI deliberations.
MS. GREENBERG: By CHI in the future.
DR. STEINDEL: Investigation by CHI? I like that.
DR. COHN: Okay.
DR. STEINDEL: I didn't know if I should say phase two because I don't know how formal that is, I mean it's been colloquially referred to but --
DR. COHN: Sounds good.
MS. GREENBERG: In the future.
MR. HUNGATE: That serves the clarification I needed when I asked the question originally.
DR. COHN: Okay.
DR. STEINDEL: And then the paragraph that introduces this section has been introduced now with concurs with the recommendation for the clinical encounters domain as modified to include the explicit notation of the CHI noted gaps and the inclusion of the personal health record as out of scope. And then we have eliminated the sentence that's in the paragraph concerning the personal health record. Can we move on to the next one?
DR. COHN: Yes.
DR. STEINDEL: Okay, concurs with the recommendation for the text based report domain as presented. The committee will further be studying both the HL7 clinical document architecture and the Continuity of Care Record as part of ongoing work. We further note the need for e-signature is an important component that has been investigated by the committee in the past and will be exploring further as part of our investigation into standards for e-prescribing over the next year.
MS. GREENBERG: I think that would be explored further.
DR. STEINDEL: And will be explored further. I'm not sure what, and will be explored, thank you, I was not hearing well. Any other comments?
DR. COHN: No, I think we're okay.
DR. STEINDEL: The next one is concurs with the recommendation of the population health domain as presented.
DR. COHN: Okay.
DR. STEINDEL: Concurs with the recommendation of the chemical domain as presented. We note and support the explicit need for additional resources at the Environmental Protection Agency.
MS. GREENBERG: There I had changed it, because originally it just sounded like we were advocating for their budget.
DR. STEINDEL: Yeah, I actually noticed that, too.
MS. GREENBERG: -- the explicit need for resources at the Environmental Protection Agency to accomplish the additional work required.
DR. FITZMAURICE: Yeah, we ought to be more specific about what's required on that.
MS. GREENBERG: Take out the first additional.
DR. COHN: Okay.
DR. STEINDEL: Now we should return to the areas above in case there's been some changes over the last N months.
MS. GREENBERG: Just in the first paragraph, just wordsmithing --
DR. STEINDEL: The first paragraph is standard, that's fixed.
MS. GREENBERG: It says consequently NCVHS is now working, I mean we have been for quite a while so I don't think you really needed now.
DR. COHN: Okay, delete now.
MS. GREENBERG: It sounds like it's a new development. And then that last sentence, recommendations as part of the CHI Council acceptance process, the the got into the wrong place. You could put a the before CHI or you don't even have to.
DR. COHN: Okay.
DR. STEINDEL: Okay, I think the first one is on anatomy and physiology --
DR. BLAIR: Rather then read each of them through if you just mention them and ask if anybody has a question.
DR. STEINDEL: That's what I was thinking of doing, was the first one is on anatomy and physiology, any questions? Comments? The next one is on billing, questions, comments? The next one is on medical devices and supplies. Questions, comments? Then the nursing domain, questions, comments? History and physical questions, comments? The next one is disability, questions, comments?
MR. BLAIR: Yes.
DR. COHN: Do you want to read that one over?
MR. BLAIR: Actually the very last sentence there's one word I'd like to have us consider altering, if you just read the last sentence.
DR. STEINDEL: We further recommend that future activities consider the different needs and perspectives of all domain stakeholders.
MR. BLAIR: When you say all domain stakeholders it blurs the point I was trying to make, the different needs of the different disabilities, different disability, disabilities represented or disabilities to be considered.
MR. GREENBERG: I think this actually captures that as part of it.
DR. STEINDEL: Yes, and I also think the domain stakeholders are not just the disabled.
MR. BLAIR: Could you read it again?
DR. STEINDEL: We further recommend that future activities consider the different needs and perspectives of all domain stakeholders.
MR. BLAIR: Maybe it's the different disability needs then. The thought I'm really trying to get in here is that a one size fits all for disabilities is something that I am concerned about.
MR. HUNGATE: And I would echo that, I think trying to get a one size fits all will not be successful in meeting the needs of the --
DR. COHN: Well, I guess maybe I'm, I just have questions about that because I think if we, I mean just in the same way you're a surgeon your terminology is different then being an OB-GYN then being different then an emergency physician, I think what we've tried to do is to say yes, there are different ways of expressing your key concepts but you ought to use the same terminology. And I think what we're trying to say here is is that clearly the important issues for each disability are different but if we're going to come up with the right terminology it should be expressive enough that every disability should be able to express their key issues in that terminology. And so I guess I'm, I worry if we start trying, I mean we obviously want to have input and involvement by all of the stakeholders and I would agree with that, but we don't one terminology for people that are deaf, another terminology for people that are amputees, I mean we've got to have the same terminology so it all fits together, at least I would, that would be my sense going forward. Jeff, thoughts?
MR. BLAIR: Well, what I'm speaking now is reflecting a concern, and Simon, I do understand your point and actually I agree with your point, I just don't want there to be an execution of this task, which isn't exploring directly from the different disabled communities where somebody is not just --
DR. COHN: And I agree with what you're saying absolutely --
DR. STEINDEL: Could we modify it to say we further recommend that future activities consider the different needs and perspectives and involve, and something like and involve all domain stakeholders? I think your question is more participation then actually dictating a result.
MR. BLAIR: Okay, the different needs and perspectives of the different disabilities and related stakeholders.
MS. GREENBERG: Yeah, there are other stakeholders, too, like WHO is a stakeholder.
MR. BLAIR: Different disabilities and related stakeholders.
DR. COHN: And other domain stakeholders?
MS. GREENBERG: Different needs and perspectives of all domain stakeholders, including those --
MR. BLAIR: See when you say all domain you lose the point that I'm trying to make.
MR. HUNGATE: The domains and populations are two different things it seems to me, domains are what we're referring to in other things, we're referring to something differently here and we ought to make sure that there's a distinction --
MS. GREENBERG: These are stakeholders in the disability domain.
DR. ZUBELDIA: Then say that, or disability domain stakeholders. If they're not stakeholders in the disability domain they don't need to be considered, but if they are --
PARTICIPANT: Well by definition aren't stakeholders --
DR. STEINDEL: May I suggest the following? I've just typed it in. We further recommend that future activities consider the different needs and perspectives of the disabled population and other domain stakeholders.
MR. BLAIR: See, it still is lumping everything together as if you could look at all disabilities as one entity, and what I'm trying to say is that there's very different needs and perspectives among the different disability groups. Yes, you could fold that into one terminology but I'm trying to say that it has to consider the different disability groups.
MS. GREENBERG: You could say consider the different needs and perspectives within the disability community.
MR. BLAIR: Among the disability communities.
MS. GREENBERG: The thing is disability --
PARTICIPANT: [Comment off microphone.]
MS. GREENBERG: Can I say something here?
MR. BLAIR: Thank you, that would work.
MS. GREENBERG: This is maybe getting a little nitpicky but this domain about disability is relevant to people beyond what would be termed the disabled population. If you think about the disabled population you tend to think about a narrower population then people for whom they're functioning and who have temporary disabilities, generally I mean somebody who injures him or herself and needed rehabilitation, this domain is relevant to those people but you would not consider them being in the disabled population. So I think that --
PARTICIPANT: Aren't they represented in the other domain stakeholders, isn't that our wording --
MR. BLAIR: We weren't eliminating that, all I was doing was adding of the different disability groups and all domain stakeholders.
DR. COHN: I still don't think we have what we need up there but I'm not --
MS. FRIEDMAN: Why don't you say the unique needs and perspectives of the different disability groups and other domain stakeholders?
MR. BLAIR: Yeah, that does it.
MS. GREENBERG: I like that terminology a little better.
MR. BLAIR: Thank you.
MS. GREENBERG: I mean ideally, I agree with Simon, ideally you would have a vocabulary that was sufficiently robust that it would be responsive to unique needs of all these groups --
MR. BLAIR: It could be one vocabulary --
DR. STEINDEL: We don't dictate the result with this sentence.
MS. GREENBERG: But you don't know, it may not be possible.
DR. STEINDEL: What we're asking for is the process that's inclusive, and we're not dictating what the end result would be, which is I think what the objective of the subcommittee was.
MS. GREENBERG: Do you want to say and all other domain stakeholders?
MR. BLAIR: It's fine.
DR. STEINDEL: No, I just want to say and other domain stakeholders because then we have to sit down and define all. That could be a very big all.
Okay, does anyone want me to read any more of this? The whole thing? Okay. The next one is genes and proteins, the original draft had a sentence in bold that asked for clarification on the cost and we did get that clarification so it was removed. The diagnosis and problem list domain is next --
DR. COHN: Read to me the second sentence and explain to me what it means.
DR. STEINDEL: We further recommend the addition of ICPC to the list of terminologies for early mapping efforts.
DR. COHN: Oh, no, no, no, I'm talking about under genes and proteins.
DR. STEINDEL: We recommend that an explicit comment on the lack of terminology for the remaining sub-domains be added. Basically genes and proteins came in with a recommendation for just the human genome and did not note in their report that there was no terminologies for the other sub-domains that they recognized.
DR. COHN: This is wordsmithing and I'm not sure we want to take time now but it would be nice if that sentence stood on its own so we want to say that, you might want to say recommend that explicit --
DR. STEINDEL: For the remaining sub-domains and then list the sub-domains.
PARTICIPANT: [Comment off microphone.]
DR. STEINDEL: I don't think there were many.
DR. COHN: Yeah, you're right, somehow we need to, they only came up with one recommendation.
MS. FREIDMAN: NCVHS notes the lack of terminology for the remaining domains and recommends that some should be added, or something like that. Is that a phase two thing, too, that you want to add it in phase two for ongoing activities?
DR. STEINDEL: I don't know because the workgroup did not make any explicit statement concerning --
MS. GREENBERG: Maybe he's talking about up in Pennsylvania, Gene Lengerich just sent an email to Vicki Mays saying since the forecast is for four to 12 inches of snow on top of the ice we currently have, okay maybe he's talking about up in Pennsylvania, I'm sorry, I thought he meant down here, most likely will be using the call-in number.
DR. STEINDEL: This is probably where he is in Philadelphia.
DR. COHN: I think is Dr. Lumpkin is having similar concerns and problems himself.
DR. STEINDEL: Simon, I can't find it right now.
DR. COHN: Well, I don't think we need to handle it right now, I think it's just something, it's a wordsmithing issue where it just doesn't stand on its own very well. So let's continue on and we can just sort of fix that.
DR. STEINDEL: That was just, okay, concurs with the recommendation, the diagnosis and problem list domain is next, that's the one we just, and then finally non-laboratory interventions and procedures is the last one. So we just need to clean up that one sentence on genes and proteins.
DR. COHN: Is there a motion for acceptance of this document with the modifications, wordsmithing that Steve is going to do to that one bullet?
MR. BLAIR: I'd be happy to move to accept this.
DR. COHN: Is there a second?
DR. ZUBELDIA: Second.
DR. COHN: Any further discussion? I'm sure you'll have a chance to look at it tomorrow with any further modifications.
DR. STEINDEL: And do we hand it to the new members when they walk in for the orientation session at 4:00?
DR. COHN: I think we'll wait until the next day.
DR. STEINDEL: Wait until after the initiation ceremony.
DR. COHN: But I do think we all ourselves ought to have copies of this with the attachments if we could tomorrow.
DR. STEINDEL: Yeah, I will probably give this to Marietta tomorrow morning for her to produce for both us and the full committee.
DR. COHN: Exactly. There will be times where if we have to be comment I will be looking to everybody on the subcommittee for exactly what did we mean by X, so we'll need all of your help in terms of that presentation.
DR. STEINDEL: And so Simon can practice reading it.
DR. COHN: Having said that, so basically we have a, it's been moved and seconded, any further discussion? All in favor?
SUBCOMMITTEE: Aye.
DR. COHN: Opposed? Abstentions? Okay.
Well, with that --
DR. STEINDEL: We closed CHI phase one.
DR. COHN: Almost. Now we are going to adjourn until 8:30 tomorrow morning, I'm trying to remember why we did that but it's too late to change. One of the things that I want the subcommittee members to think about a little bit is obviously we have a relatively full agenda, actually a very large agenda for the remainder of the year and I'm going to need some guidance from the subcommittee members about whether we're going to need to schedule more sessions or whether we start going into three day sessions, so we don't need to talk about that or decide upon that right now but I'm happy to do either. But I'm just sort of seeing this coming as I look at the to do list, the number of items, and obviously the new requirements of the Medicare Reform. So think about it, we'll probably discuss that a little bit tomorrow. Thank you. The meeting is adjourned.
[Whereupon the meeting was recessed at 5:20 p.m. to reconvene the following day, January 28, 2004, at 8:30 a.m.]