[This Transcript is Unedited]
Wilbur Cohen Building
300 C. Street, S.W., Room 5051
Washington, DC 20201
Agenda Item: Welcome/Introductions
DR. COHEN: Good morning. I want to call this meeting to order. This is the second day of three days of hearings of the Ad Hoc Work Group on Secondary Uses of Health Information of the National Committee on Vital and Health Statistics. The National Committee is a statutory public advisory committee to the U.S. Health and Human Services on national health information policy. I am Simon Cohn. I am Associate Executive Director for Kaiser Permanente and Chair of the committee.
I want to welcome committee members, HHS staff and others here in person. As always, I want to remind everyone to speak clearly and into the microphone so those on the Internet can hear. I would also caution everyone that these microphones are a little touchy, so everybody needs to remember to bend over and make sure everybody can hear before they start speaking.
Let's have introductions around the table and then around the room. For those on the National Committee I would ask, if you have any conflicts of interest related to any of the issues coming before us today, would you so publicly indicate during your introductions. I want to begin by observing that I have on conflicts of interest.
MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina. I have no conflict, but I would like to disclose that our company does send information to the Blue health initiative that will be testifying later this morning.
DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the committee and no conflicts.
MR. BLAIR: Jeff Blair, Loveless Clinic Foundation, a member of the NCVHS. I'm not actually part of the ad hoc task force here. While I don't perceive it as a conflict of interest during our panel here, Dr. Margaret Gunter, the president of Loveless Clinic Foundation, will be testifying. I will recuse myself from any questions during that period.
DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, staff to the ad hoc committee and liaison to the full committee.
MR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine, member of the committee, no conflicts.
DR. VIGILANTE: Kevin Vigilante, Booz Allen Hamilton, member of the committee, no conflicts.
DR. OVERHAGE: Mark Overhage, Regenstrief Institute, member of the committee and no conflicts.
DR. DEERING: Mary Jo Deering, National Cancer Institute, staff to the ad hoc work group and lead staff for the NHII working group.
DR. GUNTER: You can tell I don't know the drill because I am not on the committee. I am president of the Loveless Clinic Foundation in Albuquerque, New Mexico, and I will be testifying this morning.
(Whereupon, the remainder of the introductions were performed.)
DR. COHEN: Welcome, everyone. I should also start out by noting that even though I say I have no conflicts of interest, you look through the agenda and then you realize that you do need to publicly disclose things now and again. On the second set of testimony we have somebody coming from AHIP, Carmella Bocchino. I should just note that Kaiser Permanente's CEO, George Halverson, is the new president for AHIP for this coming year. So not a conflict of interest, but I do want to publicly disclose that. Kaiser is a member of AHIP.
As you know, the Ad Hoc Work Group on Secondary Uses of Health Information has been asked by the National Coordinator and HHS to develop an overall conceptual framework and policy framework that addresses issues around secondary uses of health information, including a taxonomy and definition of terms.
We have also been asked to develop for HHS additional recommendations on needs for policy, guidance, regulation, public education related to this issue of expanded uses of health information in the context of the evolving and developing Nationwide Health Information Network.
We are taking a broad look at all of this, but we have been asked to start by emphasizing and drilling down into the areas of quality. When I talk about quality, I mean quality measurement, quality reporting. I think we do want to emphasize quality improvement, which is sometimes an area that gets forgotten in this important quality dynamic.
As we look at issues and risks, we are also looking at approaches that help minimize those risks, tools, technologies that potentially can help risks as we identify them. We see this as part and parcel of our report and making our recommendations actionable.
I am leading the work group, but I want to thank Harry Reynolds and Justine Carr for being the co-vice chairs. I was relying heavily on them to move the work of the work group forward. Harry will be leading the sessions as soon as I am done with my introductory remarks.
As I commented yesterday, I want to thank the committee members who are donating their summers to this activity. Many of them thought earlier in the year that they were going to have summer vacations. Instead they get to spend the summer with me in Washington, D.C.
There is a lot of work to be done. This is our second set of hearings. We will have another one at the end of August, but the time would be to have a draft set of recommendations and a report by sometime in the mid to late September time frame so that we can begin to discuss it with the full committee at our late September meeting.
I do want to thank our consultants and staff support. Margaret A., thank you as always. Erin Grant, we acknowledged you yesterday but I don't think you had arrived yet at that point, so thank you also for your participation. We also have our liaisons and HHS staff, and we appreciate your participation. Without you we would not be able to make the progress that we have so far.
In all the testimony we are looking broadly at the issues of secondary uses. Our first panel today will be talking about one aspect, not so much related to quality, but to research. We want to identify the issues, risks, ideas we have about ways to mitigate risks. We are very interested in trying to come up with a dynamic. We move frequently from a high level of framing issues into the specifics of how we can mitigate activities.
For today, we will start out with research perspectives, quality versus research, use of data use agreements which are a key issue in all of this. After our morning break we will be hearing health plan perspectives. Then after lunch we finish the testimony for these sets of hearings with data sharing perspectives. We will spend the rest of the day today as well as tomorrow morning talking about issues relating to what we have heard, framing issues, what we think the report ought to look like, maybe how we begin to frame some of the recommendations, which will be a conversation we will be continuing during conference calls in August and in our next face to face meeting. We will clarify that schedule later on today as well as tomorrow so everyone is aware of what is going on.
Any conference calls we have and discussions are open conference calls. The public is invited to call in and listen in as we deliberate and discuss the issues that we have heard.
With that, let me turn it over to Harry to run the meeting.
MR. REYNOLDS: We will just go in the order on the agenda unless you had agreed to some other order. So Dr. Harris, if you would please begin.
Agenda Item: Research Perspectives: Quality vs. Research; Data Use Agreements, IRB
DR. HARRIS: Thank you. I thought I would start by telling you who I am and what influences I bring to the table. My role at Mayo Clinic is both research and operational, so I look at the research and quality perspectives on secondary uses of data. I have joint appointments in the Department of Nursing. I lead the Division of Nursing Research and also specifically the section on nursing informatics, which is very involved with the data capture, the storage, the way we index it, the operational practices around the retrieval and uses of those stored data.
I have also an appointment in health sciences research in the Division of Biomedical informatics, which is a purely research group looking at the whole enterprise-wide data trust issues and data governance across the entire Mayo enterprise and some of the informatics issues with that.
I sit on an IRB, on several department level research committees and on our medical record and data repository implementation committees. You can see the memberships I have there. I have been on our Minnesota RIO effort, I stepped off that about a year ago, and a couple of professional organizations at a WHO group with Steve Steindel.
The way we look at this at Mayo is that there is a cycle of health data use that starts on the left side with patient focused data capture. The medical record is the area I am most involved with, but this obviously extends to laboratory systems and imaging systems and billing and accounting systems and you name it. Those are captured and stored in transactional databases.
We do replication and modeling to take all or parts of these databases into small to very large analytic data repositories that are optimized for analytics, specifically to support research evaluation and performance measurement purposes. Our goal is to develop and derive clinically relevant and clinically based knowledge bases that we consolidate with other knowledge bases such as guidelines that inform expert systems on point of care execution and implementation of knowledge. In this cycle we hope to take our specific knowledge of the patient and combine it with knowledge of how we practice at Mayo Clinic, and combine it with external resources.
This all requires an enabling infrastructure. I think for this committee the issues are around appropriate use and technology impact. We are going to go to a cycle of practice based evidence to evidence base practice.
I am going to speak to a couple of guides that I as an individual working on Mayo Clinic in the state of Minnesota under the federal guidelines look to whether I am implementing a research study in which I am the P.I. or for some of the quality data retrieval uses we have.
Working backwards, in relation to the HIPAA law, we have a Minnesota state law that I am going to cover in a minute. It is stricter than HIPAA. Mayo Clinic implementation is stricter than either the HIPAA or the Minnesota law. I have some details on that in subsequent slides.
RElated to the common rule governing research, the Minnesota law doesn't address this issue beyond the patient authorization of use of their records for research. The Mayo Clinic however supports and embraces this notion. If you have an intent to publish you are in the realm of research. It is a very clear line at Mayo. So we do not support people presenting quality data either in conferences or their published abstracts or in the literature without going through an IRB and doing a retrospective research proposal to be approved.
To move to the state of Minnesota statute, this was drafted in 1996. It was implemented January 1 of '97. It states that for all health records generated after January 1, providers must disclose in writing to patients who are currently being treated by the provider, the agency or the provider individually that health records regardless of when they are generated may be released, so we need to inform patients of that. The patient may object, may decline -- this is the exact language, their objection and decline, in which case those records will not be released.
Furthermore, providers are required to use reasonable effort to obtain patients' written general authorization for use of their medical record data. This written authorization has to describe the release of records. It doesn't expire, so it is for perpetuity. However, the patient can retract it at any point they choose to.
If there is a lack of response to this request, the law requires that we follow up with two mailings to the patient, to the last known address, with a prepaid return envelope, with a conspicuous note that says their medical records may be released if the patient does not object. So trying to make it very, very clear to patients what the situation is. There needs to be the 60 days expiration since the second notice was sent, and the provider must advise the patient of the rights specified.
I did not make 40 copies, but I have a single hard copy of the Minnesota law and Mayo's implementation of it that I can give to Mary Jo or send electronic copies if you would like.
At Mayo, the way we have driven this law, we have influenced the way the law was written as well as how we are implementing it. In 1997 we held some patient focused groups that looked at and uncovered -- the patients we serve are very concerned about privacy. This is ten years ago, prior to widespread use of medical records. They understand the need for research and they support the need for research. We have another set of studies that say that is the primary reason patients come to Mayo. So I think it is important in this context to understand that patients come expecting that their data will be used for research. They are largely willing participants in that.
They have a high level of trust at Mayo. The other thing that came out was the distrust of insurance companies and government in terms of use of data.
Steve Jacobson, an epidemiologist at Mayo at the time and prior to the implementation of the Minnesota law conducted a two year sample of Mayo Clinic patients to determine what would be the bias with different types of interpretations of patients returning or not returning their authorization status paperwork.
Overall in this two year study, 3.2 percent of patients declined authorization. But the finding of this study that influenced the legislation I just went over was that the non-response rate would be 20.7 percent if the failure to return a written authorization was considered non-approval. I have that ma manuscript here also if you want to review that.
What Steve did a very nice job on was trying to in a smaller sample do some diligent effort to find out why patients did not return the mailing, and what are the implications implying authorization to use records when people had not returned paperwork. The impact is that Minnesota law now allows for presumed authorization if there is no response on these subsequent mailings that are sent out.
The next slide I will show you the most recent update to that as we try and understand this Minnesota law and patients' intentions. Our current efforts are tied to the genomic issues. At Mayo we have many new considerations related to genetic data, and we have an active program to engage the community. Our immediate community which is a catchment area for epidemiology projects as well as referral of patients on decisions.
As I said, we had almost a million patients in our research authorization statistics as of 2005, the last date I am aware of that we carefully looked at it. Overall, 72 percent say absolutely yes, I am more than willing to have my records on that first pass of authorization used for research. Through the second and third mailings we have developed an implied yes of 24 percent, and we see a 3.6 percent no rate, refusal to use records for research. So somewhere between three and four percent of our records in any given study that our investigator is using are not available for use in that study. We have electronic systems that enable a matching of the clinic number and date of each admission to this authorization status that is routinely used by researchers, the IRB, the statisticians who are running the data, and others.
When it comes to Mayo Clinic use of data for quality, we embrace transparency, but I would say with a healthy dose of realism. The state of Minnesota also, interestingly with this protection of data and the research authorization statute, also has a law that creates some tension in terms of intent that requires reporting of the 27 National Quality Forum never events. That has been required for about two years now, so for research we have some very clearly understood guidelines on not using, and including patient data if they have not explicitly given their consent to use those records, or if we don't have a really good understanding that a non-explicit consent to use records may mean yes.
However, for the quality reporting that is on the public website, we have to report all cases regardless of that authorization status. So I don't know that anybody has looked at what that means in terms of public confidence, where the public is with that. It is obviously not identifiable, but some of these never events like the wrong limb being removed in surgery are clearly identifiable events.
We benchmark and share best practices across Mayo sites, Arizona, Jacksonville, Scottsdale and our 15 affiliate hospitals and 70, 80 some clinics and nursing homes, but we don't send any numbers to Mayo Clinic Jacksonville that Florida has a very different law related to discoverability. So if we present our quality data on paper, even if our Florida colleagues are in Rochester, Minnesota, they can look at it but they can't carry any paper with those numbers back to Florida, or it is discoverable. The peer protection laws do not extend to Florida for our quality data.
Regarding patient confidentiality, patient trust is primary. We go a little bit further than Minnesota law requires. We apply the intent of the Minnesota law to internal uses of data as well as external uses of data. So even if it is research that is never going to see the light of day in a publication or quality data, when you think back to that slide on data repositories, we have restrictions on there, so this three and a half percent of patients where we don't believe those patients intend for the records to be used in research, we do not allow those records to come forward in electronic retrievals, even for quality purposes.
When it comes to sentinel events, we dig in. We don't not investigate sentinel events. There aren't many of course at Mayo Clinic, but when they do occur, we do look at them.
An example from nursing where I live was pretty interesting. I don't know how many of you are familiar with the magnet hospital recognition program. We are a magnet hospital, have been for about ten years, but every time we go up for re-recognition our attorneys end up spending a lot of time talking to the magnet and ANCC attorneys about our refusal to report patient level data to this national database on nursing quality indicators because of this Minnesota law. I think it is a unique law in the country. It delays some issues for us in terms of benchmarking quality practices with other non-Mayo entities. And we don't sell data to anyone.
Within the Department of Nursing specifically, I just wanted to mention what we have done to take this down very narrowly to a very specific department implementation. About three years ago we went through a six to nine month exercise at the time we were building our data marked spinoff from this Mayo Clinic enterprise data trusted life sciences system. So we need to merge some data sets with data that comes off the clinical data in a warehouse. So we needed to have a department level guidelines to cover flags in non-use of data coming from the warehouse. Some of our business operational databases in the Department of Nursing don't make it into the MARC.
So we felt like we needed some principles to guide use and implementation, so we have collectively as a department -- this is about 6,000 nurses now; this is fairly well embedded through the policies and procedures of the department -- determined that data are an asset and should be managed as a strategic resource, that individuals using data must assume personal accountability for responsible use of those data.
We put all the electronic supports in that we can, all the policies and procedures, but it comes down to individuals knowing what responsible use of data means. We have many, many orientation sessions about that and updates, that data sources are known and meet requirements for quality, integrity and security.
This is a big one that I think is not adequately addressed in the literature. When we think about the use of data for research or data for quality versus data for research, and the data quality piece specifically and the integrity of the data. Practice changes are made much more rapidly on quality improvement projects than the 15 years it takes for research to get into practice. Yet we have far fewer guidelines governing generally in the literature and ourselves also.
What do we know about the data quality when we are doing our quality improvement processes? I think investigators are very keenly tuned into that, but I don't have any sense that broadly people doing quality improvement are concerned about that on the up front side. They certainly are when they see the numbers, they say where did you get those data and what do those data mean, but there needs to be a more proactive attention to that. I think that is one of the key things in terms of maintaining public trust for what we are doing with this information when we get it.
We have a department level policy that says analysis, interpretation and consideration as well as professional institution and regulatory standards, that technical data standards are recognized and adopted, and that data management tools and resources are available to staff to meet the mission. So we don't want to get proprietary ownership of data. We are trying to make it accessible in responsible formats for appropriate use.
Here in my second to last slide is an example from the literature that conflicts with my reality as I have just explained it. In Medical Care, this very recent issue, was a study. The goal was to assess the accuracy of AHRQ's failure to rescue algorithm. It was a retrospective chart review at 40 institutions that participate in the university health systems consortium.
This is a quote on page 285. Because this is a quality improvement benchmarking project, it was exempt from local institutional board review. Each institution maintained patient confidentiality according to internal protocols. Authors not affiliated with UHC only had access to a limited data set and signed a data use agreement prior to receiving any data.
I have a similar study funded by AHRQ for the manuscript just accepted into Medical Care in the last two weeks on the same topic. We went through full IRB, a full research authorization protection, so everything in that human subjects piece is in that same article. So the same topic, the same journal, the same procedures are very different standards in terms of the investigators' understanding what the rules are and the journal editors' understanding of what the rules are.
My impressions from this in the trenches perspective then is that secondary use of data is as important to patient and discoveries as the medical privacy is. There is a public trust that privacy will be maintained, and that a greater good will be achieved. I think this data quality piece really needs to be considered in relation to the greater good.
For research, patient confidentiality I think can be adequately protected using existing mechanisms, but for quality purposes I think those protections are less clear. I think a key challenge which this committee is addressing is looking at these distinctions not just between research and quality improvement but also the public reported measures of quality. I think they are three somewhat separate but related efforts. There is a real risk to improving health outcomes through research or quality if any undermining of the public trust or the public good is anticipated by the public.
Thank you.
MR. REYNOLDS: Thank you. We will move on to Sharon Terry with the Genetic Alliance.
MS. TERRY: Thank you very much. I am Sharon Terry, President and CEO of Genetic Alliance. Genetic Alliance is a coalition of about 650 disease specific advocacy organizations representing about a thousand diseases.
My perspective comes from a purely lay one, in the sense that I am the parent of two affected children, and founded a foundation about 14 years ago that then led me to be involved with this coalition group. I am the founder and current president of the Genetic Alliance Bio Bank, so I manage for a number of advocacy organizations samples and data that has been aggregated by these lay groups with their medical research advisory boards. I am the manager of a 33-lab research consortium on pseudoxanthoma elasticum, which is the disease my children have.
I am the chair of the Coalition for Genetic Fairness, which is a coalition of about 250 organizations, including industry and professional societies, working to pass genetic information on discrimination legislation. I am a member of the Genetic Association Identification Network steering committee. That is abbreviated GAIN and is part of NIH's project to look at large scale studies and data used widely. I am the founder of Wiki Advocacy and Wiki Genetics, and I'll show you why that is important, and I am a member of the Google Health Advisory Board.
I am going to answer the charge in eight to ten minutes, so it will be a 30,000 foot view. I am not going to go into the weeds on all the things I just described, and they will just inform my perspective as a lay individual.
I think basically that individuals don't know about the use of their data. They consider it information and not data, and they don't quite see the distinction between the two. I think at the same time they still trust that it is okay for the most part. I think that physicians often do not know and are either clueless or worried about the uses. I have seen both extremes, where physicians seem to be very, very worried that any data collected and used either for quality or for research is in fact a problem. On the other hand, I have seen physicians not aware at all that data is being used in these ways.
I think the greater transparency would lead to greater investment, and I will talk a little bit more about why I think that is important. I think the logistics for achieving transparency would require a revolution in a sense about the way we perceive health care. I think there is a continuum between the quality data collection and use and the research uses. I think Marcy alluded to some of that. We are seeing quality uses turnover quicker in terms of best practices and clinical guidelines. Research seems to take a longer time to do.
One of the things that the public doesn't understand is that it is not a done deal. It is really iterative. That loop, were it a continuous loop as it seems to be at Mayo would be a really good thing to have in a nationwide construct.
I think that it isn't that education is required, because many of the groups that I am in simply say better education of clinicians and patients would result in a better understanding of how data could be used and would be used. I think it is more experiential. I think when patients experience something or physicians, they then are more committed to whatever the actual exercise is.
So I think the whole system needs to admit a certain kind of uncertainty. That is, there isn't in medicine an absolute the way some patients believe there are, and there is a need to continue to improve guidelines, et cetera. I think the average person going for any procedure thinks this is a perfected procedure by a person who is an expert, and there is nothing more that needs to be done. I think if we as a nation understood that these procedures and guidelines need to be improved all the time, that we would be more invested as a nation in the iterative nature of this.
I think that engaging the public -- and for some people this may be a silly analogy, but a la Facebook and Webkins, which I'm sure everyone is familiar with. The idea that committees are being formed remittance where people are giving up information that could be considered, and is mined in some ways by companies. Some of it is done in a very protective manner like the Facebook kind of thing, and others are not, like a Myspace community. But I think there is a lot for us to learn around data and information and communication through those electronic communities that are being formed.
I also think that people are voluntarily belonging to them with great enthusiasm, and coming back to them and engaging with one another around the dozens and dozens of issues. Facebook within two hours of the Virginia Tech shooting had one million kids united together to support each other as they went through this, in two hours. So I think if we start to look at those technologies more broadly and understand what they mean for health care systems, that will certainly be useful.
I think building communities -- and I have a couple of examples here. Angie's List, which is this list where people can list what contractor they use, a plumber or painter, and whether or not they have done a good job. So you can go on there and look at a contractor that has had 114 good ratings and one that had 75 terrible ratings, and determine which one to use. Or CD Baby, which is a compilation of artists producing music and distributing it without labels, interrelating with one another, tagging each other's music to be alike or not. Both of those allow communities to be built, and people who are using them understand, I relate to other people in my community. It is a community around different issues, but I think we can do the same thing in research in health care, and certainly quality improvement in health care.
Obviously that is going to require robust IT systems that I think the medical community has only begun to look at, certainly not to the degree that these other communities use.
I think that we continually feedback improvements that include conveniences for the person in the community. So again, I think the person either in a clinical care system or in a research system doesn't really get back anything immediately or apparent. Were they able to as in a Facebook or an Angie's List kind of method, they would be much more inclined to be more a part of what they are doing. So I really advocate for people being participants and not subjects of research, and certainly participants in a quality of care loop, where they understood that their community medical care system would be improved.
I think the potential harms of not being transparent are distrust. We have seen many examples of that, from Tuskegee on. I think we don't want to overplay that. The other fear I have as a person who really needs this research and the quality improvements to progress, is that we then dampen or tamper down all the kinds of improvements we need to make. I think a swing in the opposite direction which we also have seen has not been a good one.
I was one of the people who was part of the punishment for Virginia Commonwealth when they supposedly violated the IRB around human subjects protections for genetic research. One of the issues I asked the committee there was, they shut down human subjects research for three years because they had revealed some information in a twins study, what other harms came of shutting down human subjects research, weighed against the punishment of the group who had made a mistake in the schizophrenia twins study. So I think we need to balance our perception of harms and look at the harms we are also creating when we are not going forward with research.
I think we also have a lack of involvement and engagement. We have certainly seen that in this country in clinical trials. People are not engaged particularly around the more common conditions. They think somebody else will do it. I think if they saw more immediate and communal benefit, they would be more inclined to participate. I think we lose a chance to improve health care more rapidly. We need to be able to aggregate the data, the lessons learned we know from one another. We have no systems to do that, especially with regard to community docs and community hospitals.
Oversight and stewardship for each use of the data. My belief, and this is where I think there has to be some kind of revolution, is that the communities should be allowed to have advisors be part of the projects, whether they are quality improvement projects or research projects. I think individuals need opt-in mechanisms and not just, I haven't said no so you can use my data. That would allow a greater investment.
I think with regard to results and how those are disseminated, I look at something like the Genetics and Public Policy Center's GWAS town halls, those are the genome-wide association study town halls, to look at what would happen if we did put a half a million people into a database in this country, similar to Iceland and Estonia.
Essentially, the people in those town halls, and this is pre-publication data, have said, you need to consent me, you need to give me choices, and you need to respect my desire to know what gets returned to me needs to be controlled by me. Perhaps the most creative solution I saw coming out of those was, people suggested that you have little scratch cards. If you wanted to scratch them off and find out if you were at risk for Alzheimer's disease, you could, and if you didn't want to, you didn't.
I think also the issues around quality versus research could be mitigated by creating a system where the difference doesn't matter. While that sounds probably terribly naive when you are in the weeds on either of those sides, I think if we did get to a place where we were looking at this as a continuum, and understood that all of that data is important, all of it needs to be protected, and the line between it is not something you can slice with a knife, and build communities where there was trust and community engagement, I think that wouldn't be as critical.
With regard to HIPAA and the common rule, creating a hybrid system would require elements of those systems to be merged. I think we want to remember that both of those in some sense were created out of reactions, the common rule to Nazi atrocities and fear of what would happen to institutions, and HIPAA with regard to privacy. These things certainly overlap, but they also have nuances that if we could create a system whereby we were able to integrate the community's participation and the understanding that this was iterative and beneficial, then we would be able to advance both quality and research in a system that would be useful to both.
Thank you.
MR. REYNOLDS: Thank you very much. Dr. Gunter, please.
MS. GUNTER: Good morning. It is an honor to be here to talk with you and to hear from the rest of our panel.
I am Maggie Gunter. I am President of Loveless Clinic Foundation. I am a health services researcher. To give you a little sense of where I am coming from, I think one of the reasons that I was asked to testify today is that I balance two interests. I am a researcher. I have a great deal of use of secondary data, and use it I think in a reasonable and appropriate way. But I am also the PI and project director for the New Mexico Health Information Collaborative, which is building a statewide health information exchange and RIO for New Mexico. So some of the issues about the use of that data are very germane to what we are talking about today. So both as a researcher and as a person involved intimately in an effort to develop a RIO, those are my perspectives.
The Loveless Clinic Foundation is not one of those organizations that gives out money. It is one that looks for money to do research. Our research is very applied. We are an applied health research institute based in Albuquerque, and we are very much about improving health care quality and cost effectiveness, that kind of research as opposed to say testing new drugs or something of that sort. So that is all about where we come from and therefore the issues about quality improvement versus research. Those definitions come up for us as well.
We do have a research affiliation with a large integrated health system, the Loveless health system in Albuquerque that includes a multi-specialty group practice, a health plan and a number of hospitals. It makes for an interesting place to do research.
When I first came there, after having been with a research division associated with a Blue Cross plan in Pittsburgh, it was quite exciting to me to have a comprehensive look at everything that happened to a patient. So many times I had a piece of what happened to them, or I had just what happened to them in the hospital; an in-hospital patient was a rare event. So it was an exciting thing for me as a researcher to be part of that kind of system.
So it has been an excellent research and quality improvement lab for the Loveless Clinic Foundation. Just so you know what we are talking about, although Loveless has looked at electronic health records for many years and is finally putting one in after many false starts, and some of you can relate to that, I think Kaiser has had various adventures in that area, the kind of data in a retrospective way that we have used has been typically electronic claims or encounter data for all health care utilization for our whole patient population. By that, we mean diagnoses and procedures, but also lab results and pharmacy use.
So when you have all of those together, despite the fact it is secondary data created for other purposes, it has really been quite a powerful tool in looking at patterns of care, looking at testing interventions. It has also been wonderful to have a clinic setting in which to test interventions and use often electronic data to look at pre and post impacts of the various interventions.
Just to give you an idea of the kind of applications that we have looked at, you can profile patterns of care. One distinction I make sometimes between quality improvement and research is, for example, if somebody put in an intervention in the entire system at Loveless and looked at the pre and post impacts of say a new intervention to improve diabetes management, the difference might be that when we would do that, we would do something where we would say we are going to use matched pairs of clinics that are similar in various demographic ways, and we are going to assign one of those clinics to be the intervention clinic and one to be the control clinic. Then you have a much better sense of what is really going on, because you have both pre and post, but you can also look at, is there something else going on in general like a new diabetes drug that might explain the differences you found, rather than was it the impact of the intervention that you put in.
So when you do something a little more rigorous, a little more with implications for generalizable knowledge, we will talk about that a little bit more, but that is one of the distinctions we made in terms of quality improvement and research, although almost all of our research is geared to quality improvement.
This secondary data that we have had sometimes iffy access to over the years can be used to profile patterns of care, to identify problems in quality, to feed back comparative performance data to providers to help them improve care. That is even true before there were electronic health records, we would do feedback reports to providers; guide the development of quality improvement interventions, what ones do we need, what things need to be done versus best practice, permit the pre and post evaluation of interventions designed to improve care and cost effectiveness.
Without these data, we could not have done the things we did in becoming pioneers in the area of what is now called disease management in the mid to late 1990s, where we documented major improvements in care and cost effectiveness in about 17 different conditions.
The reason that I mention that is that I realize all the time that there is so much done in health care where we think that we have enough money to do the intervention itself, to make the program change, but we don't have enough money to measure whether it made any difference. So we fairly frequently do interventions and continue them or not, separate from any knowledge of whether or not they work. That just seems to me a sad and bad new of our time and our money in a time when we are spending 15 or 16 percent on health care as it is.
One of the things that came to us as we were doing this exciting work in the area of disease management research was, we didn't have an electronic health record. We knew that one of the issues was, how do you assure sustainability of such programs and not 70 projects, and how do we further integrate these disease management programs into everyday practice, so it became something that physicians did all the time and not a project. On the other hand, how do we send them to the broader community, so that was how we were coming to the effort that eventually led to our effort to develop a regional health information exchange.
So again, I'm not a medical technologist specialist, but I knew that one of the key things if we were going to continue to make any changes in health, that information technology was the most promising answer, both electronic health records and also health information exchange.
It was always coming out for example that physicians don't often just do work with one insurance plan. That was even true at Loveless. We are not a closed system like Kaiser. So you might if you were lucky get some feedback on the patients from Loveless health plan or some other health plan, but you only get a small snapshot of all the diabetes patients, for example. The health information exchange had the promise that you would have aggregate data on all of your patients once that was fully implemented.
So we got down to business in about 2003 and started mobilizing 30 community partners, and eventually applied for one of the AHRQ implementation grants to establish what we called the health information collaborative, which is basically a health information exchange for New Mexico in September of 2004. It has been quite the adventure, as even Marc Overhage and others know, even though he is one of the key experts.
We also always were concerned in that regard about privacy and security. We knew it was a key issue. We knew if we could not resolve that issue and have trust among the organizations of consumers, we would never be successful.
So in 2006 when AHRQ and RTI International put out an RFP for a privacy and security project grant to examine privacy and security issues affecting health information exchanges and develop solutions, we went after that, and were awarded that in 2006.
To their great credit, they realized that if you just have a plan for solutions and never any money to implement them, that is one of those other things that tends to throw things down, and to their great credit, AHRQ and RTI made additional funding available to the city for organizations including ours that were in states that were putting together a privacy and security implementation solution.
Our top choice was to develop and hopefully pass in 2008 new state privacy and security legislation covering transmission, storage and use of electronic health information. Right now we have very fragmented laws that address only paper use. We just felt that trying to fix that hodgepodge of laws would not do the trick. So we are working closely with the governor's office and the department of health and the telehealth health information technology commission to put together new state privacy and security legislation.
We wanted to talk a little bit about privacy issues and data access. Because of the various kinds of work that we have done, we have extensive familiarity with state law. Yes, we too like Minnesota have some state laws that are considerably more rigorous than HIPAA.
One of the troubles with our state law was that it was so short and so brief that it gave almost no protections, just pretty much said there shall be no disclosure under the state HMO act of any data other than for priority purposes. The only way we were ever able -- when people had small heart attacks and discovered that state law, the only way as a research entity that we were able to get access to data was because we are a separate verifiable 1C3, we are separate from the health system, we are not part of it, so we are not part of the covered entity in any sense.
We had two attorneys, one on our side and one on their side, that felt that this work was important, and because our work is virtually all quality improvement related and because the law allowed quality improvement activities, we did it under that basis. But each project has to be carefully scrutinized to make sure that it meets the quality improvements needs of the state law.
I also spent six years as chair of an IRB, so I am very, very familiar and very sympathetic to the need to protect human subjects in research. We have spent an enormous amount of time on HIPAA related privacy issues.
So we have a sense of those things. I have to say I really appreciated hearing about Mayo's approach to research versus quality improvement, because it is something that we have struggled with for some years. I actually don't struggle with it much, in the sense that we have basically decided that we are a research institute and virtually anything we do is research. But I will say there have been some aspects, because we do interventions, that part of the project might still have a part that is quality improvement like establishing a health information exchange, and then evaluating it might be the part that is research.
It is so an ambiguous area. I think Margaret had asked me if there were differences between the common rule and HIPAA regs. I think both of them basically consider research -- that the primary purpose is to add to generalizable knowledge.
The issue of publication is one we have talked about a lot, and yet there is a great deal of quality improvement work that is published. So it is one of those ambiguous areas still, because many projects including ours have dual goals of quality improvement and research. When you look at some descriptive and observational research, there are people that would question whether that is ever going to add to generalizable knowledge, and so they are much like quality improvement.
So I think the issue for so many of us is that IRBs and organizations apply HIPAA and IRB rules differently. That is what makes it difficult. We are part of the HMO research network along with a lot of the Kaiser organizations and Group Health Cooperative of Puget Sound, and we are trying really hard to figure a way for these 15 prestigious research organizations that all have population based databases, how can they work together as a national resource in a way that is cost effective, and every one of the 15 IRBs doesn't have to look at something that is very, very straightforward. It just shows you that this whole research infrastructure, how can we make that a little more smooth and cost effective, so that we are not depriving patients of the great translational research that can be based on that kind of data.
For us it doesn't look very different in the pre HIPAA versus the post HIPAA era, in terms of our access to retrospective data. By the way, when I say retrospective data I have been mostly talking about electronic. We don't do almost any research on our retrospective data that is not accompanied by at least a sample of paper medical records or at least full medical records, because we feel that electronic data by itself in its current state, before everybody has electronic health records, is not yet at a level of quality because of coding issues and a lot of other things.
We feel it is very important for two reasons to use at least a sample of full charts. One is, because many things are not in electronic data as it stands mostly today. If you want a blood pressure, if you are at a place with electronic health records, you have that. If you don't, everybody takes it but it is not in the electronic record, and it is a really important variable.
The other is simply that you want to validate that the data that you are picking up retrospectively is validated through the quote gold standard, which is not always so gold, that is, the medical record.
In the pre HIPAA era we went to the IRB often when it was a large database we were talking about. It was not practicable to get individual consents and we asked for a waiver of individual consent based on the fact it would not be feasible, but it was important research and it was of minimal risk.
Of course, the whole minimal risk thing depends on how you feel about confidentiality. I was talking to a privacy expert recently and she said, so many IRBs think that retrospective data is not risky data. It depends on if you are a patient that has a lot of sensitive issues. They may think that is more than minimal risk.
In the post HIPAA era, it has typically been, we had to go through both the IRB and the privacy board for a waiver of patient authorization based on somewhat similar reasons in the HIPAA regs. They are similar but not identical, and that makes it more complex for us frankly. Whenever you put something new in, about the time HIPAA came in at the same time at Loveless that the health system was sold to a new organization. That means that all the relationships -- you've got new people, you have got new roles, you have got new nervousness. So all of those issues have to do with the application of something. There is HIPAA and there is fear of HIPAA, and both of those matter greatly to us as researchers.
The cost. I cannot tell you what the cost of privacy regulations -- and don't mistake what I am saying here. I think privacy regulations are critical. I am a patient, we are all patients. We need to be protected. I think even organizations need to be protected. But there is so much different application by IRBs and health care organizations in applying the common rule and HIPAA differently, and an enormous hodgepodge of state laws that further complicate data use and research.
This uncertainty about the patient greatly increases the cost of research. We are a small not for profit, and it is sometimes is one of the most difficult things we have, even sometimes more difficult than actually winning the grant or winning the contract. It delays the conduct of research.
The translation of research findings isn't a real world improvement in practice and outcomes. You probably heard that that takes about 17 years. We have got to do something better. We see NIH doing this new clinical and translational science awards in universities, so we can start moving more quickly to translate research findings into the community, from the bedside to the community.
The legal fees and researcher time associated with HIPAA compliance has been very burdensome for research organizations. I have to tell you that our attorney that has been with us for about 15 years is amazed by what large fees have been generated by a small research organization. He has become a HIPAA expert, he is an expert in RIOs now, he is an expert in a great many things. This is not about anti-HIPAA, it is just trying to find some answers where we are not having researchers and lawyers doing much of what should be done instead of research itself.
As I say, much of my time and that of my research is devoted to compliance with IRB and HIPAA regulations, not to research. Very frustrating and demotivating. These are people who care about human subjects and research, and they think that that is entirely appropriate, but sometimes we laughingly say, and not so laughingly, that we don't do research, we do regulatory.
One of the hard things to us because we are not part of the covered entity, is creating an ongoing and accurate and efficient data warehouse that is HIPAA compliant. It is central and yet very difficult to achieve. One of the issues is that as researchers, we actually have much more training in issues of ethics and so on than people that work sometimes in the health system. We are probably more careful with the data. But it is one of those things where the HIPAA regs on some of these issues are not quite as clear as they might be. Or at least, it is sufficiently scary for people to share their data on an ongoing basis. But we get into issues of quality.
If we just get somebody else's version of the data that they pull, they are not researchers and don't pull it with quite the same care and rigor that we do, so it really does affect the quality of our work. We worry about that all the time. Remember, we are very applied, and we want this to be meaningful not just for publications, but meaningful for applications in the real world.
We again find that most of our colleagues in the HMO research network have reported similar costs and frustrations. One of my colleagues at Kaiser says she spends half of her time with attorneys, or did until recently, just trying to understand issues and protect the organization in terms of issues of research access.
Although this is clearly not the intent, it often seems that the laws and regulations are not really protecting patient privacy, but rather protecting patients from the health benefits of good applied research.
What about secondary use and RIOs or health information exchanges? I will have to admit to you that I had not recognized that, because we have not discussed ourselves the issue of sustaining RIOs based on secondary use of data and data services. But I am understanding that there is a growing recent interest in sustaining RIOs through being able to use that data for either selling it or data services.
Our approach in New Mexico, despite the fact that I am a researcher, I really wanted to be very sure that we were meeting the needs of the community and not anything to do with our needs. So our initial emphasis has been only on the use of the data for treatment. Purposefully we have avoided discussion of secondary use. Our attorney said to even talk about that at this stage, people are just getting used to this idea, will be a real mistake. This was not about transparency, it was, we are not going to use the data for other than having information at the hands of the physician across systems at the time of the visit, very much a treatment orientation, not a research or any other kind of orientation.
It is because it is a new and sometimes scary concept. It isn't so much in Indiana, but it is in many of the other states, for both providers and consumers. We find that the providing organizations know the data is a really valuable commodity and they are not comfortable as a first step. So we wanted to take baby steps first as education and trust develop. This is a whole social capital kind of thing. We also thought the HIPAA issues would be easier as well since sharing data across organizations for treatment purposes is allowed under HIPAA.
We also did a federated system approach, not your favorite approach from an IT standpoint, but that is where each data source would control their data and where access to that data would only occur at the time of the specific use for an individual patient. That control of the data, the sense that they could turn off the machine, was comforting.
Secondary use I will say again is not just an issue for patients, but also for providers, health systems and health plans, who all recognize the proprietary value of the data and are concerned about potential negative comparisons across organizations as well as potential liability for disclosures.
I do think in terms of a long term vision for RIOs, I can remember talking to our state department of health epidemiologist. I could see their mouths water when they thought of having something someday like a piecemeal data that they have on what is going on in the state, prevalence of various conditions. If they could someday have comprehensive population based statewide data, how exciting that would be and what a great thing it would be to public health and to policy research, and would be so much better informed.
One possibility for the future, and it could certainly be RIOs, but the future, a national network of centralized data repositories operated by reliable and trusted neutral organizations with carefully designed privacy and security requirements governing access, de-identification procedures, storage and use.
I think again such population based data could provide enormous benefit to the cost and quality of health care in the U.S. Heaven knows we need help there, data to guide quality improvement, comprehensive data to improve public health and to provide public health policy.
But care must be taken to move slowly, to listen carefully to privacy advocates. It is a sensitive issue. This is an early phase of developing RIOs at a politically sensitive time. I think as we build the trust over time, I see it in my own community, it is a very, very sensitive time and that trust is easily broken. The social capital in the bank can be taken out quickly both for the consumer side and for the provider side.
It may be best to seek other means of sustainability first. That is what we have thought. The irony of course is that this data is not very useful unless you have quite a bit of it. Until a fullblown RIO occurs you really don't have a great amount of data to even use in secondary use. So maybe user fees for treatment uses, hospital discharge summaries for hospitals that are currently mailed, lab results electronically.
I think it could include those, payments to RIOs or others like them, for aggregate data analysis and support of quality improvement activities like I mentioned before, feedback of aggregate RIO wide data to physicians, but keep performance indicators for all of their diabetes patients instead of just data on diabetes patients from one health plan.
There is one thing that I do get concerned about, and I have it wrong there; opting in would be more difficult. I think it is so important that we all have transparency. We all are patients and that we have control of our data.
But I will tell you that I haven't heard a lot said about this. Any value to secondary data developed by RIOs will be greatly diminished by quote opting in or opting out, meaning the issue of patients not sharing their information. It would be very biased information.
There is every reason to believe that patients who choose not to have their data shared are different in important ways from those who agree to share their data. One would certainly support that if I had a major behavioral health problem or AIDS or a substance abuse problem or a number of other things, that I would be much more likely than other patients without those not to share my data. It absolutely should be your right to do that, but what it will mean is that you will have a very incomplete and biased data set, and one that in my view from a population based sense will be of little use even for quality improvement.
We sometimes think there is a whole lot of data, it has got to be wonderful. I have had people come to us and say, we would rather work with you than some of these enormous data sets that are already out there, because you know about the quality of the data, you know the physicians that helped generate it, you can pick up the phone and talk to them. We can figure out why the data looks goofy sometimes. So just a lot of data does not mean good data.
Sadly, the very patients whose privacy rights are being protected through opting in, opting out, choosing not to share their data, which is absolutely their right, will not have the opportunity to benefit from research on the illnesses that would be made possible with complete data.
When I spoke to our attorney about this, he said, I am getting worried that it won't be very useful for treatment, either, because I will have this illusion if I am a physician that I have all of the information on that patient when in fact I don't know when they made evident their information. While it may be their right to do so, it may be an illusory sense of complete data.
Only comprehensive data for all patients will support the essential quality improvement, public health, policy and research applications needed to transform the quality, efficiency and cost of health care. But we must find a way to allow transparency and patient control of data, and to build the trust and privacy protections necessary to encourage virtually all patients to share their data.
Thank you.
MR. REYNOLDS: Thank you. I'd like to thank all three of you for the richness of the testimony. It continues to challenge our job as we hear so many perspectives.
With that, I'm going to open the questioning.
MR. ROTHSTEIN: First, I want to echo what Harry said. Those were three wonderful presentations. I think we could have questions for each of you all day long. I know I would.
Let me add parenthetically that I only asked one question yesterday. But I will only ask one question to begin with.
This question is to Dr. Harris. Has compliance with the Minnesota law that has now been on the books for ten years, in your experience, has it undermined your ability to do research and quality assessment, in the sense that the sample is skewed?
DR. HARRIS: No. In fact, I think it strengthens our confidence. I think given this pretty low rate, this three and a half percent, when you consider all the other noise in retrospective research studies, I think we are not seeing the substantive differences in people who are part of that group and who are not. I think we are feeling fairly confident about that.
MR. ROTHSTEIN: Thank you, that is very helpful.
DR. TANG: Thank you. I just think this panel was stellar. I just really think they added a lot, continue to add to the body of evidence of how much good can happen with appropriately acquired and maintained and guarded information in research.
But those are all very strong words, too. These organizations have done all that appropriately guarded and acquired. I think that is the key to this whole issue that we are undertaking to study.
The other piece is the notion of the lack of clarity. Hybrids hurt and cost money. I think a lack of clarity causes not only a decrease in effectiveness, with all of the effort that went into complying with the Minnesota law, it doesn't decrease the effectiveness, but there was a whole lot of cost in the quality research area and wasted cycles in terms of how much effort it cost to comply, not comply I don't think with privacy provisions, but to comply with the uncertainty or the vagueness of the interpretation.
So our biggest contribution is to create some clear path. Even the software vendor yesterday -- and by the way, I want to mention that I don't think that company was atypical. There are a lot. I will disagree with Mary Jo that it is the whole industry. I also know many that have zero reselling of data. But I think the world would be a better place if we could find this clear path.
But I think we are also getting closer, and this last panel helped find some clarity. So in my normal simple way, it is like bellybuttons, there are innies and outies. If your use is going to be an innie, if your purpose is to do things inside the organization that is an innie, and can be quality or all the opts, and you have your normal way of protecting it. If it is going to be an outie for whatever reason, most of the stuff goes out. It is very easy. Stop the perseveration in whether you do or don't, just do. They have a clear path of how they work with their IRB. That also is very helpful.
Let me get to some of the things that you said, which is two things. Minnesota is distinctive as a state. It is known for its collaborative approach and people. So you have organizations that are business competitors but they get together and collaborate on the ICSE model of guideline. Yet it has this law. Laws can either be representative of the people because of the electoral process. It also can be a sausage making outcome.
Which one is this extra duty and burden to opt in a reflection of the peoples' willingness? Or was it somewhat of an accident?
DR. HARRIS: As I remember it was the peoples' will. I think Minnesota has a lot of threads of populism in it. I think very much a population based initiative.
DR. TANG: Then I have a very concrete question, again looking at the concrete clear path. You mentioned if a quality study wants to go outie, I thought I heard the phrase retrospective research review or IRB review. If you can explain that process a little, maybe we can understand what it takes or a way to have that happen.
DR. HARRIS: Sure. From the IRB perspective, the key driver is what is the intent at the time you collected those data. So if you intent was quality improvement that focuses on the practice and on the internal processes of delivering care within a specific patient group or practice group, and then you go back and say we did something good and we ought to share this, then you can go ahead and request permission to use those quality data that were collected for treatment and a retrospective data set. They are de-identified, and all that goes on.
If however, and this happened to some very well-known people at Mayo, you come to the IRB and you say -- some people have come with abstracts, and we have had people withdraw abstracts from conference if they are submitting that prior to getting IRB approval. They say it was a quality project, but you clearly had an intent to publish it going in, if I understand the IRB. We disallow those solidly. There have been some very hard lessons on that internally.
DR. COHEN: First of all, it has been fascinating so far, including the questions. Innies and outies are not part of the vocabulary. I want to state for the record that some of my best friends are attorneys, given the amount of attorney conversations we have had this morning. Some of them are even on the NCVHS.
Moving into the substance of the conversation, we are talking about quality in research, but I think this is an ideal panel to talk about issues of trust. Since we have a new HIE, we have an institution that may be a personification of heritage, history and all of this, and you have a lay person as she described herself, though I think she knows a lot more than a layperson as far as I'm concerned, a very sophisticated layperson.
To my view, a great basis of all of this is around trust. I certainly am beginning to see that one dimension of trust is time, that you just don't earn trust overnight no matter what credentials you have.
I'm curious about how as you all think about this one how you might describe -- I think at the end of the day one of the pieces that we are going to be having to talk about are trust models or how we don't just take one leap into the future and that's it, how you take steps forward.
You talked about it in some aspects, but I just wanted to give you the opportunity to reflect on that a little more, about what it is that it is going to take for us all to be trusting this new environment.
MS. TERRY: I spent a lot of time thinking about this issue, because I spend a lot of time building trust communities. All of the advocacy groups essentially are trust communities. For example my bio bank has 100 percent participation with no one opting out because they trust me.
When I examine what does that mean, I think it means first and foremost that the association has the individual's interests first and foremost in their minds and hearts. That is a somewhat difficult thing to evidence through our health care system currently because there are so many issues around payors and around structures that put a barrier between the initial agency and the patient themselves. So I think first and foremost is the sense that this person or this agency has my interests at heart.
I think transparency is enormous. Even if it is not so right and not so good, that that is communicated to the individual. They are usually much more forgiving if they understand that this is not a perfect system, we are doing our best here. They seem much more able. I've worked with Native American tribes and with disenfranchised communities that are much more accepting of the system and wanting to be part of it if they understand that you are going to be transparent.
Then I think some kind of participation in the system, to whatever degree the institution can allow, allowing the voice of the people who are the participants to be part of it. Not so much of privacy advocates, bioethicists, proxies for the person or the patient or the consumer. I think the consumer understands that that is an industry in itself that has its own inherent conflict of interest to perpetuate the need for privacy experts and advocates. So it is incorrect but I am going to say it, because we bump up against it constantly.
So I think those are ingredients are excellent ones for creating trust communities.
MS. GUNTER: From the time we have started the RIO, it is funny how many times the term trust us has come up, and how long we think it takes and how fragile it is. I am even talking about in the provider organizations. These are competing organizations, so you have got several levels of trust that we are talking about. You've got consumer trust and data provider trust, what are you going to do with my data and how do you protect it, and how do I trust you to be the entity that is going to be transparent on lots of different levels.
It is funny, because many times people have said this isn't about information technology, this is about social and political and trust issues. We are now calling it social capital. I think it makes total sense, and it has been my instinct from the very first, that this is by far the most critical information. As we can see, HIPAA by itself -- we welcomed HIPAA, to tell you the honest truth. We said at least there is something that is in place that provides us some guidance in terms of how to go about this.
Our reading of HIPAA was that it did allow on a person by person basis for the purpose of sharing of data with business associates for the purpose of health information exchange if the purpose of health information exchange was treatment. That is not what is going on nationally at all. It is much more the sense of the need to opt in and opt out.
I think it has to do with something that is this new. Innovation is always messy, it is always sensitive. I think that is what we are going through now. One of the things that we have to make sure is that any transparency is accompanied by education about the benefits. They often find that if all I know is the risk of my PHI being shared I am rather unlikely to share it. But if I know that there are significant benefits that could accrue to me and to health care I might be more -- in fact, the evidence is that people are much more likely to share. So I think part of trust is the educational process.
DR. HARRIS: Something I would add, fully supporting everything they are saying in terms of the community aspects and the educational needs, that is that it really is about the behavior and the experience an individual has with the system, with the individuals in the system.
One additional thing we could look at doing I think is, given the multiple disciplines that are feeding into this whole environment, we need to look at codes of ethics and standards of practice across groups like the American Statistical Association and some of the IEEE engineering groups.
We do journal clubs. We did one on ethics and reviewed standards and codes. Our programmers and our statisticians were in the group and some of the basic scientists. In many of their disciplines this is a foreign concept to the privacy and confidentiality. So as those disciplines become engaged in our quality and research efforts, we need to look at broadening this discussion to other communities as well.
DR. OVERHAGE: Understanding where Harry is coming from, I found a way to combine three of my questions into one. I would be curious to hear your comments. There was a lot of discussion about how you engage in particular consumers in thinking about how their PHI will be used. We heard from Mayo about community conversations and about individual understanding in the genetic arena and so on.
One of the challenges I see is the understanding at a global level about if the PHI might be used for research, how that might benefit and so on, and that broad-based understanding and agreements to use for data. At one end of the spectrum, sure, I'm okay with my data being used for research, I don't have to hear any more about it. The other end of the spectrum, I want to know as a consumer about each and every use of my information to be able to control and approve that, understand the value of that.
It gets for me at the issue of heavyweight versus lightweight research projects, things where I am utilizing genetic information, 20 people, and you can have a conversation with all 20 of those people, to the other end of the spectrum where we just ran a study that we submitted the IRB on Monday, got approval on Wednesday, it was an expedited review, executed the study yesterday on 3.5 million people. Obviously that is a different level discussion and conversation.
Then as part of that conversation, and through this question about people saying no and biases, but it is a free rider in some ways. Those individuals saying to the rest of society, I don't want to be immunized. You guys take the risk of being immunized but I'll be okay because of immunity. I want you to make your data available for research. I can benefit from it, but I don't want my PHI at risk.
So wasn't that very artful, putting those three together into one? The question is about education awareness and consent or not consent. You could say, if you are aware of consent and its broad uses, I don't need to ask individually. At the other end of the spectrum, every each and every patient and each and every use.
The question is, how should we recommend to HHS from a policy standpoint how we, as Paul was saying, bring clarity to where people need to be on that spectrum?
DR. GUNTER: Currently there is a ton of secondary data out there. I don't think I fully got it. There is quality improvement oriented research by a not for profit, pretty pure, relatively pure or not always pure but relatively pure, seems like a different kind of thing to me.
I just happened to be talking to somebody that had worked for the pharmaceutical industry. That is not mocking the pharmaceutical industry, but they of course have for-profit self interest that they should have for those that own their stock and so on. It seems to me that to sell data from a health plan so that there are 30 million records all with identifiers because there is a business associates agreement that is owned by an organization that then sells the data to for-profit industry proprietary firms, seems a different use of the data to me than research for quality improvement and research. So it is that issue, too.
Are all of these things going to be treated precisely the same way? I know that is not precisely what you were saying, but it made me think as you were talking about this range. That seems like a pretty critical issue, and I don't think I clearly got it, that that data -- how is that okay with HIPAA that you have a business associates agreement to put this data together for resale, so you are doing a particular task that is all right, and then you sell that data.
I don't think many of us know that that happens to our data. Do you know what I mean? I think at this point we are still allowed through IRBs to do just what you talked about, the 3.5 million. There is a process for doing that. The issue is, what happens -- are RIOs going to be the thing that we expect to do that work. That is one issue.
DR. OVERHAGE: One of the things that I am worried about is, they are selling data and saying, give me a million dollars for that. There is benefitting from the data. I was able to get the ten million dollar grant. I'm not making a profit but I was able to get a ten million dollar grant on the backs of your data.
MS. GUNTER: And we do that. There is no doubt about that. The term selling has such a bad feel. But you are right, my organization benefits all the time from patient data.
Now, we hope very much that we also are making a big effort to not have these just be projects, but something that -- but that isn't what an IRB would ask of me, either. They would not require that of me.
So I don't think I have a magic answer in terms of that continuing issue that you are talking about. I think maybe the more critical issue is for people to be as transparent as possible as to the types of uses their issue would be put to. It is not simple, you're right. It isn't like, aren't we wonderful because we are not for profits, but we are still benefitting from the data, there is no question.
DR. HARRIS: There are at least four, and there are probably more, additional uses of the data. I think there are also types of data. How do you de-identify and anonymize genetic data? I think that is very different than the clinical data that is in there. Whatever taxonomy is developed, we need to take some of that into account.
The covered entities, they're very different. Again, the national pharmacies have different – are not covered entities the way national providers, clinicians are, and then maybe there's a classification group that's around the infrastructure that's availability and available technologies and procedures and processes to assure some protection and correction in the auditing processes for the transparency.
MS. TERRY: And I would urge you since you're looking long term and forward not to be bogged down in what we're capable of today because I think very shortly we're going to be capable of using technology to consent in a whole different way. And that patients, especially in these public gatherings and town halls that we've been doing, are looking for commitment both ways, a contract not just that they're making and signing, but that the contract comes the other way. And that, for example, our bio bank with only 5,000 samples, so very tiny, it's set up so that patients can log in, see what kinds of studies are going on, and commit over and over and over to participate, and they do a hundred percent of them all the time.
So I think with that kind of choice, and while that sounds burdensome right now, again, going to MySpace and what Google Health will become, et cetera, those things are going to be very, very simple with technology as we move forward, and we can't just look at what exists today.
DR. HARRIS: But given that, we can't require that there's a use every time because if somebody dies and is no longer available, we still want to understand that they intended –
MS. TERRY: Right, and we have provisions for that, and also I'm not saying every single project, I'm saying every single kind of project, every single kind of data, those sorts of bigger bucket kinds of uses, but not a blanket use, and we're all partners.
MR. REYNOLDS: Okay. Bill?
DR. W. SCANLON: Mark actually took care of most of my question, but I wanted to add an extra little comment to it. I think that even though there's the very positive experience from Mayo, Dr. Gunter's concerns still, I think, are something that we need more information about because even within the Mayo experience, your Olmsted County had twice the rate of the referral, and you acknowledge the uniqueness of Mayo and maybe the motivation of people coming to Mayo.
And so the question of when you move outside of the Mayo context, outside of the Minnesota context and you're in an urban area where there's a whole lot different incidence of very serious kind of problems that Dr. Gunter talked about, we may have more problems with respect to a skewing of a sample depending upon the vague consent process that we have involved.
MR. REYNOLDS: Mary Jo.
DR. DEERING: Well, actually I think Mark's question 3.5 got to what I was going to say and did have about education. So I'll just ask them to do something in follow ups, almost more as homework, and it has to do more specifically getting at appropriate ways to directly communicate these issues because I did my Google homework, and I happen to know that Dr. Gunter has actually written on cultural competence and communication and all that and disparities and all that. So, again, given the fact that we do have to write recommendations at the national level, I would ask you by e-mail even in a few bullets what could a group like this appropriately say about appropriate actions at national policy or lack thereof, for that matter, should it be something that on the contrary is unlikely.
So your thoughts about what is the most effective recommendations regarding the public education and the provider and professional and the data source education, I think, would be very useful.
MR. REYNOLDS: Mark?
MR. ROTHSTEIN: I have a comment and a question for Sharon, Terry. First, I feel compelled to pretend to be offended by your suggestion that the world would be a better place without bioethics busy bodies, even though it might be true. But here's my question.
You touched on something that's been troubling to us since we started this, and there really is a continuum between quality and research, and yet recognizing that doesn't really help us all that much because of the regulatory significance of calling something one thing or another because as soon as you call it research, then for HIPAA you need an authorization, you need consent, you need IRB approval and so on and so forth.
So recognizing your view that it is a continuum and something that I think most of us would agree with, in practical terms, do you have any suggestions on where these heightened burdens should kick in.
MS. TERRY: No. I mean, I think these examples we've seen are struggling with that tension, and I think your job is going to have to be to look at those current day solutions that do struggle with those differences. I think from the patient point of view, those differences are not obvious except that perhaps they're supposed to get more immediate result from a quality study rather than a research study. But even that, I'm not sure, is obvious, and I do understand running both research projects and also working with HIPAA covered entities the regulatory mess that exists. You know, in our cases we always get IRB approval for everything, even a simple study of what do our leaders of advocacy studies thinking about yaddy yaddy yadda, just to be safe because that's the kind of country we live in right now in the sense of wanting to not step over any lines.
But that brings up a whole other issue around can we make the IRB more effective and educate IRBs about what really is risk and how sometimes putting all the emphasis on risk and not appreciating benefit is a risk to patients. So I have absolutely no easy answer, having lived a lot in those two regulatory paradigms, and I don't think we should get rid of bio ethicists. I think that they should be part of the puzzle and not the only processes.
MR. REYNOLDS: Paul, you got the last question, question being the key operative word.
DR. TANG: Well, there is a method to my madness, Harry. You actually get three answers when you get something in front of them, and you get to see whether they nod or not.
So actually I'm trying to now get concrete because I think we want to eventually get to recommendations. So I want to vet something with you, and it's not this specific idea but your reaction to whether this kind of things work.
I think actually the community understands what quality is, and I think the providers can do that. I think, unfortunately, it has become a loophole that could be exploited by people who want to do other things than what we consider quality, and that's the root of the problem. And the other piece is trust is something we want to earn and over and over prove. And a lot of the way we get trust is through transparency. Now here's the idea for your reaction.
What if when a provider group wants to do quality initiative like the clinicaltrials.gov and just register what I'm doing, what I'm doing it for, and let's say who am I, who's accountable, and what data am I using. That already now all of a sudden it's transparent to everybody inside and outside.
If I want to convert and do an outie, I will only be allowed to convert if I'm on that list just like clinicaltrials.gov, and then the IRB will then review my request and turn this into research that goes out. And what happens is now you've got disclosure. In a sense, you've enforced transparency ala the abstract example. If the person didn't put it on the quality list, it isn't even available to convert. So you get transparency. You get declaration. The exploitation would have to have been declared upfront as an example, and yet you have a path to get to research. The concepts, I mean maybe the specific, just tear that apart and see if there's something that can try to get transparency to create trust and help with our quality research dichotomy because really we're trying to get rid of the exploitation of the quality vagueness.
MS. GUNTER: Paul, would you make it clear at what point in that “research” or quality continuum you put it on the web and say that I'm doing this. The reason I ask is obviously for researchers or even quality people, there might be innovative things that they have in mind. And so at what point that before you would even be getting IRB approval or anything like that or wondering whether you need IRB approval.
DR. TANG: So the only time you're putting it on this transparent list is when you're doing a quality initiative, and it is there. So if somebody wants to question, I mean, it's not on the public website, but it is somewhere where it can be examined. So I'm declaring that I'm doing that.
And what happens is even as a quality person I just can't go forging for no reason. I basically am always declaring, yet the other thing is you're not imposing a big administrative burden because that's the other downside to try and regulate quality projects.
So I'm trying to put them all in one basket and get your reaction from your experiences.
MS. GUNTER: So if I could just, we do something that's like that, but I realize that you may see it as an administrative burden, and that is that we decide that since it may be in somebody's interest to have something be just because it's in their interest to have it be exempt from IRB, that all of those things, if there should be a general category in your organization of types of things or OSHPD guidelines for what quality looks like. And if anybody has a question, I think that that really does need to at least go to the chair. It might not have to go for some kinds of adjudication about that.
And I think that we did that even with part of our study for a charter(?). We went to both our IRB and others and said we think this part of the project is “quality,” and this part is research. And some of that had to do with how difficult it would have been to accomplish it otherwise. But we also made what we thought were good points and had them vetted by key people. Now that's a big project when it was for IRB, you know, for health information exchange.
But I think that it's still worth saying that probably it needs to be – you're right, somebody other than your decision that it's quality versus research. And you were trying to find that area, I know. And is it your concern that if it went through the IRB or to somebody on the IRB that that would be too –
DR. TANG: You did it all the time for all your QI reporting and initiatives. I'm just trying to find a clear way of –
MS. GUNTER: I hear you.
DR. HARRIS: well, I'm kind of intrigued by the idea, and I'm sitting here trying to think what would be the potential impact in terms of a repressing people's initiatives and wanting to just look at things prior to doing something formal like registering it.
It's coming out of my sense that most clinicians, physicians, nurses, physical therapists, social workers, you name it, don't – I don't' mean to say they don't have respect for quality as we're talking about it. They do. But the performance matrix driven quality initiatives are not where clinicians put the highest value into. They put the value into what's happening when I'm seeing this patient in my work group at Mayo, and I think it's true of most institutions there is slightly less formalized organizational support for doing those types of quality projects versus the ones that are driven more by IHI or NQF or you name the list of agencies.
So I guess that would be the balance. I would not want to see any repression of any sort or discouragement of clinicians who are coming up with ideas that they're kind of doing on a shoestring and really are providing the kind of fun insights into things.
DR. TANG: But posting this little –
DR. HARRIS: Yes, it could be easy to do.
MR. REYNOLDS: Let me ask, let me ask. We're going to be deliberating a lot of this afternoon and tomorrow morning. So –
DR. TANG: Right. My purpose in asking them is they've got a lot of experience and have put tons of thought into this, and I just wanted to get their –
MR. REYNOLDS: But I'm sensing it from a number of people, the question is not drawing it out. So –
DR. TANG: Okay. Do you want me to clarify that piece?
MR. REYNOLDS: Well, let Kevin ask you the question to make sure that you at least hear from someone.
DR. VIGILANTE: So the dilemma of distinguishing quality from research becomes operationally important when people try to sneak things through the quality pathway when in fact all along they thought it was, you know, the intentionality was to do research.
DR. TANG: To do research or to resell.
DR. VIGILANTE: So that anybody contemplating doing quality work, let's call it, that in their mind they say, well, in the back of my mind if what I find is interesting and potentially publishable or usable in some other way, by putting it on this transparent registry that somehow enables me to pursue it with the acknowledgment that it might eventually require putting it through another pathway. I'm just trying to understand how – that basically said, no matter what intent you have, if you put it here, that's your scenario, right.
DR. TANG: So I want to do something with patient data. By definition, that's human – it involves the potential for human subject risk, okay. It's gone too far?
MR. REYNOLDS: You're explaining it again. We want the question because we've got another panel coming, and so I want to make sure that whatever we can say to have them answer a question would be good.
DR. TANG: I think they all understand.
DR. VIGILANTE: Oh, I'm sorry. I'm the slow one. So would that help? Would that be helpful in resolving this.
DR. TANG: I was asking whether it would be helpful, help some of their dilemmas while not imposing additional burden on – well, you're nodding anyway, for the record.
MS. GUNTER: I think it makes some sense, what you're saying.
MR. REYNOLDS: Okay, with that, we're using this clock again because I don't know what your watch is on. I know it's not right, but we're using that. I'd like everybody to come back at ten minutes til eleven. We would also like to ask this panel if you can stay around today for further discussions as we might need would be great. And Sharon, to play off of your comment, when 150,000 people voted last night between 11:00 and 11:15 on whether there should be an asterisk on Barry Bonds' record of home runs, there is a new world out there. Thank you.
(Break.)
MR. REYNOLDS: We're going to go ahead and start our next panel. With everything we've learned so far, it probably should be 2:00 p.m, but it's still morning. We will continue forward. So the next group is a panel called Health Plan Perspectives. We're going to have Carmella Bocchino from AHIP, Shirley Lady from Blue Cross Association, and Dr. Deborah Peel from Patient Privacy Rights Foundation.
So with that, we're going to go in the order for the agenda. So Carmella, if you would, please. We need to get you a little closer to the mike. These things are –
Agenda Item: Health Plan Perspectives
MS. BOCCHINO: Is that better? Thanks. I want to thank you for the invitation to participate today on this really important subject. I was telling some of the members of the Committee I've been speaking about secondary use of data to a lot of different scheduled groups lately. So it is an important topic.
Let me tell you a little bit about AHIP. We're the national trade association representing nearly 1300 health insurance plans that provide coverage to more than 200 million Americans. Our members offer a broad range of products in the commercial marketplace including health, long term care, dental, vision, disability and supplemental. Our members also have a very strong track record in participation in Medicare, Medicaid and FEHBP.
Our members are seen by the employer community since we have an employer-based system as the accountable agent for providing health benefits to the employees. And in that, they are looking for the plans to create innovative programs for chronic conditions, promoting wellness and preventive health care and providing information on provider performance to stimulate quality improvement and consumer decision making.
I'm going to talk this morning a little bit about what the current environment is like in these discussions, some health insurance plan initiatives that actually address all three areas that you've been talking about today, public health research and quality, and talk a little bit about the importance of both consumer and provider trust in any of these programs which we do believe are very important and essential. And then I'm going to offer some recommendations for the group.
So as I said, I've been talking to many organizations about secondary use of data lately, and this was just to look at where all of you have some overlap in what you're all discussing.
Now the good part of that is that you now raise these issues to where they need to be discussed and debated so that we can address them appropriately. The down side of that is you all could come out with different recommendations.
And so I really encourage you to be collaborative and try to come out with a set of recommendations that are collaborative across all these groups or at least not in conflict. It will be impossible for the marketplace to implement anything if some of you say do this, and another advisory group says do that. And so I think that's extremely important.
What are the benefits of a national or regional or local electronic health exchange? We've all seen the numerous reports that are confirming substantial gaps between the best care possible and the actual care. I will tell there is growing impatience from the employer and purchaser community, whether it be the private sector or Medicaid or Medicare, about the inconsistent quality that is occurring in the health care system. You could just read the front page of the New York Times last week when you look at cancer care and see the inconsistent quality that exists across the United States right now where some practitioners have all the information, put it into practice; other practitioners don't have that information readily available and are doing the best job they can. This is not a criticism of the providers of care. It's we need to find ways to give them good information so they can improve their care.
Public reporting and detection has, the studies show that it does lead to overall health care improvements. Recognition of the urgent need to align all these different measurement and reporting initiatives. Part of my job is actually working with the numerous different groups that are trying to collect performance measures at the regional, local level. We actually tracked there are close to 70 different regional health care collaboratives going on in the United States with plans or providers. Employers are coming together in a state or in a region to collaborate and collect information on a set of measures. They're all using different measures. They're all using different methodology. They're using different attribution rules, different sample sizes. That's only going to – it may be helpful to the local community, which is where we want to drive change, but it's going to be extremely difficult then to compare that across communities. And if you're a consumer who lives in an area such as the Mid-Atlantic area where you could reside in D.C. but get your care in Virginia and Maryland, you want to be able to know what that care is like across that full area where you may go for care, not just within an area, a particular area. So we need to do something about reducing all this confusion.
We also need to address delays to interoperability. It's essential. Paul and I are frequently on numerous panels trying to push MORONO(?), an R.W.J. Advisory Group, interoperability and the use of health information is going to be essential as we go forward, and I'm going to give you some examples.
Health insurance plans promoting quality. We about 20 years ago started reporting data to the National Committee on Quality Assurance, collected a standard set of measures that actually the employers used to evaluate different health plans. There are now numerous different quality improvement programs for employees that are disease management and wellness physician assessment that will allow a feedback group giving information back to physicians to encourage improvement to actually promote evidence-based medicine.
Public health surveillance. I want to talk really very briefly about a demonstration project that was done in 2002 and 2003 with 20 million lives in Massachusetts, Minnesota, Colorado, Texas and North California where they used de-identified patient data daily count of certain diagnostic codes or symptoms that were reported through medical groups or health plans that had medical groups as well as nurse call line to look for blips relative to certain symptoms that certain individuals would be presenting that could then get reported to the local public health, and they could actually map out or they were seeing these little up ticks of symptoms to see if there were public health problems that were actually occurring.
That's the power of some of that data. The other piece has to do, I'm sure you've heard about the CDC's VSD distributive data model. That same safety link has been in existence since 1990. It actually started as a database that was located within CDC. They have now moved to a distributed data model. It is a comprehensive data set on a particular scope of work to address specific issues related to vaccines.
There is eight plans currently working with the CDC on this. What they do is they determine the scope of work. It goes to an IRB. Even though the data that comes through the distributed data model is de-identified, the comprehensiveness of that data set which is all health care encounters, both inpatient and outpatient, post vaccine are there. And so the reason for going through the IRB was to make sure that there were patient protection and security and privacy. But the success of VSD which is now moving to actually a rapid cycle analysis for CDC, we have gotten evidence that says you can use influenza in children from six to 23 months. That was studied very quickly. ATP came out with a recommendation.
Rhoda Virus was actually taken off the market because of problems that were found, very important patient safety issue. And most recently, VSD is actually engaged in a study relative to Menactra, a meningcoccal vaccine because of two isolated cases of Guillain Barre, and they are doing a rapid cycle analysis to make sure that this is not related to the vaccine.
This is the power of what secondary use of data can do for us, particularly in the public health area. But it is quality. If you can find this out, it relates to patient safety and quality, and we can't blur those.
Very quickly, the AQA Alliance is an alliance of the physician community. It has to do with measurement and improvement by giving physicians measures of quality and cost effectiveness in their own practice. The challenge here was that you need to have adequate sample sizes. And so there has, as I said, numerous collaboratives have come together to aggregate de-identified patient information across a particular marketplace so that you have a much larger sample size. This is identified by the provider so that, again, the provider can get this information. But it's de-identified on the patient side. It actually will reduce burden to that physician because instead of getting ten different requests for measures, they're going to get requests from a collaborative in a particular marketplace.
The AQA has a data aggregation work group who's actually put out some principles, which I would encourage you to look at. We can actually have them sent to you and a model for a national data stewardship entity. The AQA is composed of about 85 different specialty and sub-specialty medical associations, the purchaser community, consumers, and the health plan. They really believe that there should be an entity that creates standards relative to data sampling, data sources, attribution rules, and that that should be transparent and put in the marketplace so that we can all use those same kind of methods no matter where you are and then be able to compare data nationally or regionally and locally.
AHRQ recently just put an RFI into the Federal Register asking for sort of marketplace consensus or advice about is this needed. They had over 75 different responses. They're just reviewing those responses now. So I'm sure we're going to hear more about it.
You're going a little bit from Shirley or a lot from Shirley about what the Blues have done with BHI. I will tell you that AHIP is actually talking because we have not only Blue's plans, but we also have the large national plan about putting together a national data aggregation effort on provider performance, strictly quality measures focused to start with so that you can collect data at the national level, but you can move it down to the regional and local level for use by physicians, but give you some comparisons at the national level.
I want to talk quickly about our PHR Initiative. I'm sure you've heard a lot of PHR. I know Paul is tired of hearing me talk about PHRs. But the potential for PHRs is for consumers to have a health summary in one place. It does not replace the electronic health records. We really believe the reason there's an interest for PHRs right now is because we don't have enough electronic health records within a physician's office.
Our industry actually – so this is sort of a schematic. It can provide important information to consumers that they need just so that they know what's going on with their own health that they can share with their family or significant others. It can provide targeted alerts and reminders for preventative screening. It can send information about drug-to-drug interaction, particularly for patients who are going in and purchasing over-the-counter meds at a drug store won't interact with my prescription drug. These are all the powers of PHRs. This was a joint project with the Blue Cross Blue Shield Association. All our work was based on focus groups and research that we've done with consumers as well as providers, and trust certainly was an overriding theme.
The physician community had actually asked the industry to work together to come up with a common template for PHRs. They were concerned that each plan would do their own PHR, and we'd have more noise and confusion in the marketplace as opposed to some standardization. So we worked together to define and agreed to a minimum common set of data. We actually worked with a consultant to develop a portability standard which has now been turned over to the standard development organizations. What this portability standard allows is that if I as a consumer change my job or change and therefore get a new health insurer or change my health insurer from my own choice, I have the ability to make a decision about moving that data from the plan I'm with to the new plan. This is very much consumer-centric. The consumer makes the decision if their PHR is going to be populated. They make a decision about what data gets moved, and they make the decision about who has access to their data in the PHR.
I think I went through most of this. Let me go to privacy and security. I think I can go through this quickly. You already know that HIPAA requirements govern use and disclosure of information for treatment and patient health care operations, which includes quality, assessment, improvement, population, health and care management. It sets rules for de-identification. Consumers get information from the notice of privacy practices, and it has significant electronic security protections.
I heard some of the discussion from the last panel, and I've looked at a lot of the material before you. You'll hear my recommendations. We're not doing a good job of educating consumers, and we really do need to do a much better job of that.
Recommendations. I'll go back to the initial slide. Because there are so many federal groups and even state groups that are starting to talk about secondary use of data, we need consistency in these recommendations. Part of the challenges right now with state laws for privacy is even if a consumer wanted their data to move from one state to the other and the state will prohibit moving across the state boundary, some of that data can't be transferred. The patient can certainly pack it up and take it with them, but interoperatively they're going to have trouble transferring that if there's a state law that says you can't move that data across state boundaries.
We have to make sure that transfer of information that's vital to patient care is ability to move with the patient wherever they get care. We need to have a better understanding of the diverse business models that exist to aggregate date that could actually benefit consumers, and I talked about that.
There's the importance of real time data to get the right care at the right place with the right outcome. For almost all of this, you can use de-identified patient data. When you're not, you're going to use IRBs, and I think that's the direction we want to know. Data, no matter how it's used, if it's used in the public health sector or if it's used for research, at the end of the day should drive quality improvement, whether we learn what works or doesn't work, that's still an important indicator of quality. And so in my mind all three pieces are very much aligned together.
HIPAA provides effective legal parameters to protect privacy and security of individually identified health data. I talked a little bit about state requirements that may impede electronic transfer. There is this blurred area of non-covered entities that are beginning to look at some electronic health information. You may want to focus your attention there. I would really encourage you to focus your attention on where we have known problems. We don't want to lose vision of where we want to be, and we don't want to put barriers in place that are going to keep us from where we want to be.
We support public education programs about the use of clinical quality data to improve health outcomes, both on benefits of PHRs, benefits of quality reporting and public health.
And I'm going to skip my last slide because I actually want to read something to you. As I said, Paul and I are actually – he's actually the Chair of this project with Robert Wood Johnson that is called Project Health Design, which is to be the next generation of personal health records. So it's very innovative, and grants were given to different sites for them to actually push the envelope.
We actually got a little note yesterday, and I wanted to share with you because I think its message is so important. This was a writer who had recently just reviewed some of the innovative models coming out of the RWJ grants, this next generation of PHRs that are going to empower patients, engage them and improve care.
And what she says is, “Their description is a contagious spirit of blue sky creativity. You see, I live in Washington, home of the filibuster, partisan gridlock and bureaucracy red tape. Nearly every decision of health and IT, and there have been plenty in the last 20 years, is mirrored by a review of the barriers locking its progress. Where is the technical infrastructure, who's going to pay, will doctors use it, can patients trust it. But this project waives those concerns aside and asks us to imagine for a moment what is possible.”
And I would encourage you with your deliberations to remember what is possible.
MR. REYNOLDS: Before we go to Shirley, Simon's got a comment on one –
DR. COHN: Listen, Carmella, thank you very much for some very good testimony. I did want to, since you had mentioned it a couple of times, address the issue of what you describe as consistency or collaboration for a sort of common vision.
Earlier today and I think every morning when we talk, when we sort of do our introductions, we sort of talk about the purpose of this activity. And I just wanted to emphasize or at least put a comment that this is actually being done at the express request of both the Department as well as the Office of the National Coordinator. We have close collaboration and normally sitting in the chair across from you is John Loonsk from the Office of the National Coordinator. Aaron Grant and others are really meant to provide close coordination with AHIC. We obviously also have John White who is normally here, but is not here from AHRQ. We've obviously been closely collaborating with HITSP. We have an officer of the National Coordinator representative sitting back there.
I think I would – I just wanted, since you had brought it up a couple times, I just wanted to sort of emphasize that we agree with you that there needs to be a consistency of vision. This is certainly not something we would have started embarking on recognizing all of the other stuff going on if we hadn't been specifically asked with our role being hopefully to bring a lot of this together.
MS. BOCCHINO: And I think it's important for this group to discuss this, and it's certainly important to get a broad consensus on the same recommendations. And so I applaud you for all working in that direction. To sort of paraphrase from what I just read, I've certainly lived in this town long enough to know what can also happen with opposing recommendations. So it was just – I applaud your efforts. I think it's appropriate for you to address it, and the collaboration is essential.
MR. REYNOLDS: Shirley.
MS. LADY: I'd also like to thank you for inviting us to participate today. It gives me an opportunity to tell you what BHI is and what BHI isn't because there's a lot in the market that has presented questions in the past. I'm here to provide you an overview with Blue Health Intelligence, and this is an initiative that's bringing together the claims records of about 80 million Blue Cross Blue Shield members nationwide.
It is not there yet. Right now in the data warehouse, we have approximately 52 million, but this is not a process that easily happens overnight, and if I can emphasize anything else besides the difficulty and the challenges of bringing the data together.
When you talk about data aggregation, it's just not something that's an easy idea, but the execution is complex and timely and costly. Our intent with BHI is to produce national –
SPEAKER: What's BHI?
MS. LADY: Blue Health Intelligence. Okay, let me, I commented on the way over here. I answered the questions that you presented, but I have not given you any of the background on what BHI is. So let me give you a thumbnail sketch of what this initiative is.
A few years ago, a number of the members of the Association health plan at Blue Cross Blue Shield determined that for marketing and employer reporting needs because they're our clients, and they wanted reporting especially for a national count basis that could extend across the country relative to where their employees happen to be located, and they wanted information relative to benchmark information on cost and quality and on utilization.
And so other plans voluntarily came together. This is the entire group of plans. It's 19 out of the 39 Blue Cross Blue Shield plans as independent companies pulled their resources and said we need to build a data warehouse.
Much of this surprised the industry because many thought Blues had a data warehouse in the back corner somewhere, and we were sitting on all that data. That actually was not the case. But this initiative began, and it began very methodically. We brought in a number of plans and consultants and experts in the industry to educate us on the what's and the how's, the hardware, the software and how to structure it appropriately so we could get out of the data what you put into it – the efforts that put into it would be reflective of that.
Our initial loading of data is the medical claims record and enrollment data on a member basis. I'll talk more in detail about what that consists of and how it's done. But it's being done in stages with multiple phases. The first stage was bringing the medical and enrollment data with a little bit of provider data that can be gleaned from the claim but not full provider data.
The second stage is pharmacy. We're in the design stage at this particular time. That will be followed by enhanced provider data and then eventually lab data.
Our initial output from BHI is to provide benchmarks to those clients, just as I've indicated. But it's certainly known to all the participants the potential wealth of information that can be developed or extracted from BHI, relative quality improvement programs and eventually research. We are not to that point yet, but we certainly have that in mind. We have developed a number of advisory groups to advise us on that, including from our employer community as well as the physician community. So we walk down that path kindly and with a lot of deliberation.
And this particular time, we're producing benchmarks. Our data is actually coming in, and I'm so happy to say because it was job security for me, that the dot data is coming out of BHI. We are delivering on benchmarks on the national, regional and MSA basis. These benchmarks are in the categories of cost and utilization, and, as you can see here, reflective from the traditional categories that you take a look at health care data across the enterprise.
The data's certified to meet the strictest quality standards. I'll talk more about that in a few minutes also because you questioned very specifically about certification and quality. And we had to make sure it was statistically viable and the data integrity was maintained. You need to understand that for us this is an extremely important asset for us. We're not about to do anything that would compromise it.
The first thing you do when you're a large company of any sort is to make sure that you have to be able to reflect any kind of criticism. And when you're the largest, you're going to be the most criticized. So it's very important for us to maintain the integrity of the data and the accuracy of the data so that we do put out benchmarks there instead of opening the marketplace and not subject to that kind of scrutiny, and subject to that scrutiny and pass that scrutiny.
The data produced by BHI is de-identified. I'll talk a little bit more about that, and there are no third party sales much to a difference to what some of the media says. The purpose of this slide is to show you there's a big difference between BHI and what's out in the industry. For the most part, many of our competitors are within one health care plan. I need to tell you the challenges of bringing together 19 plans. One of the biggest challenges was just basic data definition.
All of our plans are very knowledgeable, and they all have data warehouses that support this large data warehouse enterprise. So individually the plans have data warehouses. We're taking data out of that and pulling that then into this large data warehouse. Dr. Tang, have I answered your basic question. All right, thank you.
So these 19 plans will reflect the 80 million members. But the warehouse was not built to do the quality health care management on an individual basis. It's built to develop trending, patterns of care, patterns of experience for cost and quality indicators, epidemiologic indicators across the nation, across our book of business, to give us inside knowledge into what's happening to our population. All the true identification of individuals for disease management and those kinds of programs are done at the plan level where they do have that one on one relationship with the member. And so BHIs is for a very different purpose.
But the data definitions, as I mentioned earlier, was a significant challenge. It's down to things such as what does it mean to have a mother and a baby stay. Well, there's multiple ways that you can describe that, and we had to get all those 19 plans to agree on those data definitions. That was a significant accomplishment. I presented to CMS, and I remember Dr. Straub(?) commenting pretty amazing, we struggle with those kind of data definitions across medical data sources all the time. Getting that kind of agreement to those data definitions is pretty significant.
But we needed to make sure that an outcome coming out of Texas was the same defined outcome that was coming out of Minnesota or New York or Washington. So it's very important for us to get that data quality in right up front instead of definitions and to maintain the integrity, not for the short term, but the long term of the project.
Currently, we provide coding to, they're all benchmarks, and the combined services, we do have the cost purpose applied to this and for these various categories. As I indicated earlier, the aggregate is the national, regional and the MSA level. We adjust these by various aspects, something that we've incorporated into BHI, which is fairly unique for us is a sick code, and that's an industry standard code. It's a Dunn & Bradstreet coding for it so that we're able to compare a bank to a bank or to coal buying industry to a coal buying industry. It's something our employers really want to know. If you're in telecommunications and you're Verizon, you want to know what telecommunications is doing and similar or another industry. So we're able to pull the data by their sick codes and compare industry to industry. Whereas in one plan, for example, if it was the State Empire, the State of New York, they would only have maybe two banks in their system. Now there'll be multiple banks across the system that can of course compare their experience amongst and between each other.
We also include by product category CDHP products and any new problems in the market. We need to be able to measure the success, what kind of characteristics are behind those so that we can do improvements in those product designs, improvement in the financial tools that work around the CDHP products as we have experience for the types of individuals that are selecting those and their experience in those particular products. We also have the individual markets, the PPO market, the HMO market. So it's the stamp.
We do not have at this time Medicare, Medicaid nor the Federal Employee Program. And we are a larger insurer of the FEP Program. We will bring in the FEP data after the first of the year, after the first of 2008 into the system. So it's fairly comprehensive, broad based group of commercial business that's represented in BHI.
We enhanced our analytics, the analysis, the benchmark analysis that I've just given you, and the purpose is to be able to do a number of things. Evidence-based purchase for long term improvement provider and network quality efficiency. This is part of their transparency program at the Blues. This is not today. As I indicated, the BHI is being built in stages. That's in stage three is provider data. Until we get to that point where we have the enhanced provider data, we won't be able to do this. But this is the vision of BHI as we move forward.
Work with the employers, we're there already with the data that's coming out and helping them manage their costs and overall health care of their employees. Consumerism, we have to make sure that we provide cost and quality transparency to the consumers as well as to be able to support some of the PHI/EHR efforts out there.
BHI's not going to be the one to give them the detail on those particular components because it's aggregated data. However, at the health care basis, what we can do is identify particular trends or indices across the nation or within our region and feed that information back to the plan that they can investigate the impact upon that employer group or that particular aspect of their employee and enrollee population.
To provide physicians and hospitals with insights. Our biggest ally in health care is our physicians. We don't have anything, we don't have health care and that contains physicians and hospitals. So we have to make sure we work collaboratively with them in any information that we find or insights that we find relative to physicians and hospitals would need to be shared and work with them as we take those results and then put them into application.
We believe we're going to be creating opportunities for medical experts and researchers. That's fairly far down the line. We recently just engaged our Physician Advisory Panel, and research is very flattered about the potential of BHI. I have to tell you my phone rings often on that. They're very disappointed when I tell them this is not tomorrow that we're going to be able to do this. But once we have the full robust BHI up there, we certainly will be interested in having those kinds of research studies done.
When I work, part of my hat is with the Federal Employee Program, and we through our Pharmacy and Therapeutic Committee, we were ahead of the FDA's indicators on Vioxx way before it ended up hitting the market. If we had that same kind of opportunity with BHI across a much broader base of individuals who will have much faster, sooner and more complete insight into those kinds of situations and perhaps provider the government as well as some of the pharmaceutical community information prior to it hitting the market and the aspect it does and perhaps even preventing deaths and side effects that aren't necessary.
We also anticipate that we'll give insight into StruckVicki(?) and also technological devices and those kinds of safety and procedures.
This is kind of how it works. We generate the – at the plans, of course, they generate the raw data with medical and claims data membership provider data. That then, that data we have – we are a business associate at the Association, and we have multiple agreements with the plans relative to BHI. And then we impose, of course, the strict privacy rules as well as security rules that are contained within the government regulations that exist to date.
We, of course, cannot disclose any participating plan's raw data. Any data that comes to us that is plan specific only goes back to that plan specific, that specific plan. Believe it or not, the plans that participate in BHI are also competitors. So we have to make sure that not only do we protect them from an outside entity, but we also protect them from themselves sometimes.
Plans own their medical and drug claim data. They are the ones that have a relationship with the members. We only aggregate de-identified data that's generated by BHI. Nothing comes out of BHI that isn't aggregated and de-identified.
You can see here the various variables of the region, age groups, and the combinations. The NO5 is because we can't create, our rules contain the information. We can't create a benchmark unless there are five individual claims of five different individuals from five different providers with three different health plans. That kind of qualification on what can be contained at the benchmark gives some additional anonymity relative to not only individuals but also from plan to plan so one plan can't tell the financial arrangement from another plan. So that kind of protection has been built into BHI's aggregation strategy.
We strip out the data coming from the health care plan to BHI strips the information of the 18 elements that are in the HIPAA privacy rule. You can imagine we not only have our own HIPPA Council at the Association, but we had all 19 of the councils from the various plans participating in the discussion about making sure that we were HIPAA compliant.
In addition to that, because we were going down to an MSA level, we wanted to take an extra step. We were under the HIPAA requirements for three-digit zip codes, but we needed to make sure it was still non-identifiable. So we went the extra step and hired an independent statistician from a company called Lexicon who's an economics statistician to give us their opinion on the strategy as well as the statistics validity of what we were proposing, and they did agree that it was highly unlikely to ever be able to identify an individual. There are no names, dates, births, et cetera in BHI, but we do categorize them by range anything that's in the output. So everything that's output of BHI is aggregated and de-identified.
All the information travels across a private network. It's what we call our Bluesnet Network, and it is a secure private network that connects all the Blues together, and it's been around for a number of years now, and we've never had it penetrated. So nothing ever hits the Internet or anything that would have that kind of access or public access or ability to be compromised.
Our plans do give privacy notices as required under HIPAA for use of the medical information. And BHI as the business associate then comes under the authorization for business associates to perform the data aggregation services.
We gave you a couple of examples here of what could be determined, and you can see that we can't identify an individual that had a CAT SCAN on a particular date. But what we can do is say that there were at least five because remember we have to have five at least claims of individuals from five different providers and three different plans to build that benchmark. We could say that there are males from this age range who had inpatient services for a specific disease category, here digestive system, in an area, in an MSA area in a year. So we can give that down, but that is the de-identified under HIPAA compliance, and it cannot be re-engineered according to our statisticians to re-identify the individual.
We did have no plans to sell the data to non-third party, not even the aggregated data. This is a significant Blue asset. That's how we view it, and you don't go giving away your assets or selling your assets.
We do anticipate having access to the data in the future because we think there is a lot of health care, quality and public good that would be available from this warehouse.
We intend to be very prudent in setting what we call our sandbox for being able to get access to that data, being able to get into access for those research kind of initiatives. But I cannot give you the exact specifications of what that will look like today. That is still in development and probably will be because we won't even have the pharmacy data in until sometime in 2008. So until the pharmacy is in, we probably won't even be entertaining those kinds of requests, even though they call me all the time for it.
We believe that performance, measurement, and identification of trends will allow us to do quality improvement projects. The unprecedented size and many of you who are statisticians know that the law of large numbers drives a lot of information. It provides the depth and breadth and accuracy that we've been unable to obtain in the past.
We're adding episode groupers. We've added one of the same groupers that CMS is using which is the Megs grouper, and that we will have standard formats with a common data dictionary so that across the entire BHI 80 million records we have common outcomes with common definitions so that the data is credible. And as I've indicated earlier, we added the sick code.
All the data goes through four levels of certification in our process, and that certification is to the quality of the data. The first process takes place at the local plan level. They have to reach a threshold, and there's a software tool the data has to run through successfully to say yes, you've gotten quality data.
The second and third take place actually at BHI, and the fourth one is run again through quality matrix. And the fourth one is done by an independent third party, Milliman, Inc. which is a large actuarial firm that validates the data. So we've done everything we can to validate the credibility and the quality of the data coming out of BHI.
We believe, then, because of this data quality it will make a very robust research tool. As I indicated earlier, as we developed these employer and physician advisory groups that we'll be contributing to the insight and the utilization tool for public health and research initiatives.
We anticipate that the data will be retained in our warehouse. We would take those research requests and apply them to the data rather than taking the data and giving it to a third party. That is not in the cards.
I'd be happy to stand for any questions. It's a very extremely challenging project, but I have to say it's awfully exciting. The potential that we can do with BHI that we can provide to not only our own plans, which of course we will do, but also to the community at large. The potential is just tremendous, and I have a lot of people that are excited about that opportunity.
MR. REYNOLDS: Okay, thank you, Shirley. Dr. Peel.
DR. PEEL: Thank you. I really welcome the opportunity to be back here. I was here in front of you in 1999. Some of you were here then. I think Jeff was, and I was on a panel about PBMs, you know, secondary uses. Okay.
I guess I should tell you all a little bit about myself. I'm a practitioner. I'm still at the cottage level. I see patients, and I have been seeing patients for I guess approximately 35 years now. And what really led me to found Patient Privacy Rights was the fact that there really were no effective voices for consumers in the area of health privacy.
So my practice in particular, because I'm a psychoanalyst and a psychiatrist, has always involved the most sensitive information. And so everything I've learned about privacy and the lack of privacy is from my patients. I mean, in the ‘70s when I went into practice, people would pay me cash on the barrelhead because their lives or their reputations had been ruined. So I know firsthand and from the people that I'm here speaking for today that when information is not contained within really your doctor's office, you're very likely to be harmed.
And so frankly, for years I've been giving what I call Moranda warnings. If you use a third party payer, if you go in a hospital, anything that happens can and will be used against you in the future. Okay.
The key points that I have to make the only way we're going to get to quality and the only way we're going to get to the data is if we have privacy. Transparency's not enough to reassure anyone, and the only consumer concentric system that will work is one where individuals control where their information flows.
The good news is, and because of our position as leading this effort to restore privacy which Americans really had until 2002, we've been approached by all of the technologists that have these tools. So I'm here to tell you at the end I've got great news. There really is technology existing, ready to go now that's going to provide all the kinds of flow of information for all the research everyone wants and still be able to protect people's privacy.
I would say to you there is a ton of electronic information out there, and the primary use of it has nothing to do with health. They're discriminatory uses, and I love this forced to research quote. You can read it y yourself, but privacy is just beginning; we're not at the end, and these various kinds of industry consortia that have been set up through HHS. I'm even on some of them; I'm no HITSP, CCHIT is out there. Consumers are really not any kind of a reasonable part of these efforts, and they're really faux inclusive would be how I would put them.
Why don't we have any privacy? Well, first of all, consumers are just now learning about the ramped secondary uses of their PHI. They really don't understand the health system is a leaky sieve. HIPAA did eliminate consent, and then Mark, of course, convincingly wrote about the problem of coerced consents through the health care industry. They're really illegal. They have to do with things like when you sign up for a health plan at the beginning of the year, you sign up to give away all your future data. Well, that's illegal. You can't possibly meaningfully consent to release a piece of information that doesn't exist yet. So the coerced consents are a large part of the problem.
And then the value of the data is just beginning to come out. IMS Health, one company that sells prescription data, this is on their website or in the SEC filings, I forget where I found it. But in 2005, the last record, filed records, they made $1.75 billion selling prescription records. That's just one data miner, and of course the protections don't follow the data.
This was our most persuasive educational tool for Congress and the media in 2005 and 2006. You can read for yourself. Congress intended that HHS set out privacy rights that Americans would have. That's the first box. Second box, we got the privacy rule, and the first version, the original privacy rule says that we have a right of consent. Consumers have the right of consent.
You can read the third box. Consent as we play. That's the whole key to the vast dispersion and illegal data mining industries that are going on now. Consent does not have to be obtained because virtually all the uses of data could be subsumed under health care operations. So that was, this was really shocking to many in Congress to see what had happened at the agency level that the regulations changed the intent that Congress had. Okay.
This was our other educational piece that we put together to give people some idea of who the legal users are since HIPAA's been changed. Zone two shows all the covered entities, self-insured employers, hospital chains, third-party administrators and so forth. There are over four million covered entities that can use and disclose your data without your consent right now. They can, as you know, share it with their business associates. Who knows how many millions of them there are. And then the fourth zone I added because people don't realize this, but the Graham-Leach-Bliley Financial Services Act of 1999 allows banks and financial institutions to share medical records with their affiliates and non-affiliates. It sounds like the universe to me. Okay. And to barb wire is the Texas touch, okay. If you think you've got privacy when millions and millions of people can access your data, I don't know what you're talking about. Outside, of course, are the hackers and thieves, the people that make off with laptops. Security is a problem, but the focus of our organization is on privacy. The security problems clearly can be solved, too.
This is why I started Patient Privacy Rights. The data flow ends up in people not getting jobs, not getting jobs, all sorts of discrimination. And if we build a health IT system that's a super highway for data mining and virtually every corporation in the nation can get their hands on this stuff, we're going to create whole new classes of citizens who are uninsurable and unemployable. That's not a good outcome in my opinion.
The privacy rule really is a disclosure rule. You can see all this in the handouts. I'm sure you all have seen all the polls. I won't really pay too much attention to them. The famous one from 2005 where Consumer Health Care Foundation identified that about one in eight Americans engage in privacy protected behavior. They don't go to doctors; they ask doctors to change diagnoses; they pay privately for tests; they avoid tests altogether. I would add they forgot to ask about paying for prescriptions privately. I don't know if you know this, but one of the most stunning pieces of information to every audience I speak to is that even if you pay privately for a prescription, you can forget it. All 51,000 pharmacies in the nation are data mined daily, have been for over a decade, and that information is sold primary to insurers. Okay.
Consumer polls, the public really wants the government to give us back our privacy. And you know, you can look at all the polls. They all say consumers want privacy. They want control. I put in a little bit about law and ethics. We really believe that this nation has had an incredibly strong tradition of protecting health information. It's been better protected than any other kind of information. I hope the lawyers here will agree with me or comment on this.
We think that essentially we have constitutional protections under the Fourth, Fifth and Fourteenth Amendments. There are a number of states actually that have the right to privacy in the state constitutions. There are very strong Common Law state law protections, tort law, physician-patient privilege. There is in all 50 states a psychotherapist-patient privilege. All of this really comes from Hypocrites and the Codes of Ethics of all of the health professions all require consent before information is disclosed unless required by statute. So we have a very strong tradition in this country that the data's controlled by the patient.
For example, these are some of the kinds of secondary uses that the nation's just waking up to, and I have a slide from Thompson Med Stat. They sell data that they take from Medicare/Medicaid patients, health plans and the uninsured, and this information, if you want the White Paper, it's not on their website any more since I've started referring to it. But they're using and selling data, and the public has virtually no knowledge of this.
Blue Cross Blue Shield, when the Blue Health Initiative was started, I talked with the Director, David Blotchner(?), and he said that the intended use was to service big employers that pay the bills and want to pay smaller bills for health insurance, and he – well, you know, you can read that.
Anyway, we had a conversation about this, and he said that the intent was in fact to sell the data. So I appreciate hearing from you about this, and I talked with you all already about the data mining of prescriptions. That's seamless, daily, going on for over a decade, and you might also have noticed the new IRS ruling relative to the Administrative relaxing stark and anti-kickback laws in order to allow health plans and hospitals to give doctors electronic medical records specifically allows the data mining of the physician's electronic records, even the ones that aren't covered by the plans.
So who are all these unwanted and unknown secondary users and sellers? And I know that you all are looking at categories of data users. There are prescription switching companies, pharmacy benefits managers. I think you were talking a little bit about the technology industry. This is not widely known by consumers. Many of the technology software products and database products include contractually that the vendor, the technology company, has the right to use or own the data. So really, when patients go to a doctor's office or to a hospital, they should say, so who is your data vendor and what does the contract say.
So data aggregators and data miners, hospitals are selling data. The transcription industry, too, gets their hands on data; they sell that. Banks and financial industries can sell it. These other bottom quality assurance improvement, hospital studies, the things you're talking about, these are all uses of data that the public is virtually unaware of, virtually unaware of, and it's not been consented.
And in my State of Texas, for example, there are over 200 databases. You know, there's no way that Texans know that these are being used for studies and data mined, and then you might recall, for example, recently the State of New York decided that diabetes is a public health emergency. And so all blood sugar tests are going to be reported to central public health database.
This is the slide from that Thompson Med Stat White Paper, and I see accidentally my slide that shows what their data sets are was not included, but there's data on the sex, the age, the hospitalization dates and so forth in their White Paper.
Again, you know, we consider this basically theft, that this data is stolen. Every state in the nation has strong laws that say that you can't use medical records without consent, and this data is all used without consent or knowledge.
This is the FBI C Notice that they put out relative to Graham-Leach-Bliley, and I'd just thought you'd be interested in some of the language. They can share medical information essentially like a consumer report in between banks and financial institutions. Instead of saying we don't think banks and financial institutions should have medical information at all, they talk about how to share it.
The idea that data can ever be, that health data in particular which is so rich and so many unique pieces of information can ever be de-identified is simply false. Data cannot be de-identified, and I'm sure many of you know about Latanya Sweeney, and she's sort of the one that broke the story about how easy it is to re-identify data. She might be interesting for you to hear from.
PHRs, we are advising consumer groups not to use them. They have been specifically designed so that existing law and ethics don't apply to them. So there's no guarantee of them having any kind of protections. The financial model for many PHR vendors is actually selling the data. Like I was talking about, they'll give you a free PHR. You put your data in, and then they can data mine it. This is the financial model of selling the data in order to get infrastructure is such a terrible idea. You know, it's understandable because the data's so valuable. But it's a little like, you know, asking your daughter to be a street walker to pay for the wedding. It kind of defeats the purpose.
So even LOINC, Dr. Kolodner and company commissioned a study on the status of PHRs that came out in January. I have that; I'm sure you can find it if you want it. But looking at the PHR vendors, they looked at 30 of them. Some of them didn't even have a privacy policy. So they're really not there.
And I was talking with you about how people approach us when they have privacy protected products, and there is a PHR vendor that we have seen, the only one I know of that has multiple layers of encryption and PKI. So that if you had a PHR with this company, it would not be data mineable. That would be the only kind that we would approve of and that consumers are interested in. They're not interested in PHRs provided by employers or health plans because neither of them are trusted.
So what's the solution? We need smart consumers, smart technology and smart legislation to get what we want which is access to the data to improve health, to be where the data is actually in the hands of the patients and the doctors so they can do something about health as well as the researchers.
And I just want to add particularly as a psychiatrist, you know, the data in my field is terrible. It's terrible. I would love to know what a million people that have had depression and that's been managed for ten to fifteen years and they've been on three or four anti-depressants, what's the next best choice for that. We have absolutely no data like that, zero. There's nothing like that. So we're very Patient Privacy Rights and me personally, we're very pro-research, and we want research. And the way to get the research is with real privacy protections. The only people – we don't think that it ought to be up to anyone else, and this was Hypocrites' genius again, to figure out where you draw the line. Each person, people really do have different opinions about where they want to share their data or how generous they want to be with it. There isn't any need any more for all of us to get together and try to figure out what's best for the common good. With technology, each individual can decide instantly, easily, and we don't have to create structures that aren't what people want because people can create their own structures.
How we got on the table in the national debate was last year, we built a coalition called the Coalition for Patient Privacy, and it was a group of over 40 organizations, bipartisan, from across the political spectrum including the Christian Coalition, the Family Research Council, the ACLU, California Medical Electronic Privacy Information Center.
Anyway, and we took basic privacy principles to Congress and said, look, you've got to put the right privacy stuff in upfront in the technology because you can't rewire it.
And so this year we have had to update our principles based on new knowledge, and I thought you ought to see what they are. Clearly, people have to have the right to health information privacy with definitions in federal law. We think that the protections need to follow the data no matter what source, where it is, who's holding it. People must be able to opt in. I got to tell you this as a physician. If you take away the right to opt in, they're going to opt out by not getting care. Then you get zero data, and you get more illness. You get bad outcomes when people avoid care. And in my field, I really have seen that. People are so threatened that information about depression or addiction will leak out and will destroy their lives, they're very hesitant to get treatment. That's not a good outcome for this nation.
Then, of course, no secondary uses without consent. That's the second to the last bullet point. You probably know this, but HIPAA does not require audit trails for where data goes except for uses that are not treatment payment audits. We've got to have audit trails. We absolutely have to have audit trails. Okay.
And we need breach notification. We need to make sure that consumers are never compelled to share health information as a condition of employment, certain kinds of insurance, credit, admissions to schools, et cetera. And we have to again really put the firewall back between employers and employees' medical records. Some of you may remember the scandal that Walmart got into when the Chambers memo came out about a year ago announcing how they use medical information to determine who to hire and fire. It's the nation's largest employers.
The second to the last data point, of course, is no secret health databases. The nation is going to be appalled. Each of us are in innumerable databases across the world, transcription databases in Pakistan. We don't even know where our data is. The public's going to really be appalled to find out. That's the kind of transparency we need. We need to know where that data is and be able to get it back, and we need meaningful penalties and enforcement.
So we think we've got to have Congress set the privacy policy returned to what this nation had until 2002. Some of you may have seen the Kennedy-Leahy Health Information Privacy and Security Act that was recently introduced. It's about 105 pages. It has everything you could possibly want. The problem is it's not connected to the health IT bills. It needs to be part of any health IT legislation.
And then the other smart legislation that we really need to have is we need to have databases for health information that patients can trust, and that's why we think that we need to have independent health record trusts where the fiduciary duty of the data holder is only to you. It cannot be data mined ever by anyone.
So what is smart technology? Well, this is one of the new tools I want to tell you about that's going to make it very easy to get consent. There are new tools called independent consent management tools where you can set your consents in one place, change them instantly. You can be down to the explicit granular level if you want to. You can give certain kinds of blanket consents like I want Dr. Tang always to deposit my visit information and lab reports and so on in my health bank account. I want always to receive them, and whenever I'm hospitalized I want that hospital to automatically always send things to Dr. Tang so he can keep up with me because he's my primary physician.
So there would be the possibility of setting various kinds of blanket consents, essentially advance directives for emergencies, and so forth. And if you're really paranoid and you want to know about every study or quality project, you can be pinged. You can even be informed on your cell phone.
So we think these consent management tools are really, really going to take back privacy, and that it's going to become imperative that any data holders, before they use your information for anything other than the use to which you gave it to them for, you know, for example, insurance companies. We give them permission to have some of our data to pay claims. That's it. Claims payment, nothing else. The fact that they're aggregating our data and using it in ways that we have no ability to even opt out of is just wrong, and we believe it's illegal. By the way, I have Blue Cross Blue Shield insurance. So I'm criticizing my own plan.
SPEAKER: You mean, you have it today.
DR. PEEL: Yes, you're right. In terms of security, we've got to have state of the art, you can't privacy without security. Somebody can get into the data, it's done, and you all probably know this. The health industry has the worse record of any industry for protecting data. Most of it is lying around in data banks; it's not even encrypted. And you know, hospitals use like two passwords to get into the data. It's a nightmare. So we've got to have data encryption. We've got to have strong two-factor authentication, and we need PKI, we need firewalls.
And the other idea about the health bank is that essentially when we can trust a place to keep lifetime records, it will be an incredible research tool, and then there's no need actually to release the data. The health bank can intercept queries, and if we've agreed to be part of research, can run the study on our data or however many thousands of us want to be in the study, and give that back to the researcher kind of like the Census Bureau operates. They protect our data, and they run the queries. They don't ever send the data out.
The other thing that I just want to mention, we're being asked literally to develop some type of certifying body because the leaders in technology know that the standards out there are nil. I mean, CCHIT is going to put out certifying standards for PHRs that say they have to be interoperable, they have to have security, and they have to have a privacy policy. Eh, a privacy policy doesn't mean anything. The privacy policy can be you don't have any.
So it's going to become very clear that to win in this marketplace going forward, it's going to be the product and technology companies that really offer the kind of control and privacy that patients want.
And then I've already pretty much told you this about health record trust, and I think you even had a presentation HASNOF(?), so you're probably really up to date on that.
The other thing about the health bank is, of course, it can enable secondary uses. And you've heard of this, too, from HASNOF. I think everyone, and the research shows that everyone wants to participate in research, but they want to know about it. They want to have the chance to say yes or no.
So I guess that's about it.
MR. REYNOLDS: Thank each of you.
DR. PEEL: I think I covered everything. Oh, there were some other things I wanted to just briefly mention. There's a lot of research that I know about that's frankly sleazy. I mean, I love Mayo and all that, but, you know, for example, in Texas the Texas Department of MHMR had really a scandal over the treatment of inpatients being recruited for drug studies and people on the staff doing that. And in the area of psychiatry, it's really bad. So there's research, and there's research.
There are also independent physicians in my community that in and of themselves recruit people in their practices for research projects. They're paid $7,000 to $8,000 to try another anti-psychotic. We've got to be really, really careful when we talk about research. And I agreed with some of the discussion earlier. How do people, what's the difference between quality, research and all the rest.
In the minds of consumers, I don't think there is one. I think everybody needs to be asked about participation in these things. But it's really important because there has not been transparency. And I want to make one other point.
I think that the public has been really pressed about the benefits of Health IT, and the real risk most of them have yet to know about, these secondary data uses. The real risks have not been reported. I mean, it's like the main use of the Internet, as I understand it, is for porn, okay. The Internet has a lot of great uses that we all take advantage of. But you know, the thing is the system, this system can be the greatest system for data mining on earth, the super highway for data mining of health information, or it can really be built the right way, and we can get all the benefits and information at the right time and right place.
So, anyway, and we also, the bio bank thing is very important. As I understand it, we don't own any tissue. We don't own the rights to any of our tissue that's left our body. That's a serious problem just like health information. That can be used and sold without our consent or knowledge either. So the banking of tissue and who's got it is going to be a great scandal to the public as well when it begins to come out. Thank you.
MR. REYNODLS: Okay, thanks to all of you. Another step in our journey as we go forth. So Mark, Paul.
MR. ROTHSTEIN: Thank you, Harry, and again a very interesting and perhaps even provocative. I have a question for Shirley Lady. If the subscribers in your universe were afforded the opportunity to opt out or you were required to give them, you were required to have them affirmatively opt in, something like that, and further assume that the rate in which this choice was exercised was, say, double what the Mayo rate is of 3.5 percent, so it would be 7 percent, you would still have almost 75 million in the BHI.
So my question is would that loss of some five plus million, would that undermine your ability to do what it is that you want to do, in other words, to use cleansed data to check for length of stay, quality of service, and so forth.
MS. LADY: Well, first of all, the information coming out of BHI's aggregated and de-identified. So I don't know about the consent aspect, but certainly the plan level would be interested in any kind of thing that would identify an individual be required to get their consent.
Relative to your specific question, I think it would be in the nature of the study that was being done, and that consent you're asking before use of the data. My experience has been, through the FEP Program, we've done programs both with consent and without consent.
Significant differences in the response rates based upon the nature of what you're asking them to do. If it's something that's sensitive such as mental health order or something that an individual would find much more privacy sensitive than another, you're going to have a less positive response than you have on something that is generic like did you have an appendectomy.
So much of it would depend on the nature. For a lot of large surveys, however, this database when it's fully populated, 75 million certainly would be adequate as long as they're the right 75 million.
MR. ROTHSTEIN: I just want to know what do you mean so long as you have the right 75 million.
MS. LADY: That people have opted in were the ones with the diagnoses. If the five million that opted out were the five million needed for the particular study, then you've negated the purpose.
It depends on if the population that chooses to opt out is the population that you view that information in order for you to have a solid study going forward to get the information that you need, then it could have a really major effect. If it's even regional, if one whole region, that 7 percent sat in one whole region and you're trying to look at practice variations across regions, and you can't make a determination based on a certain region because of an opt out, then you've got the same challenge. You can't move that ahead.
MR. ROTHSTEIN: But you could also make the argument that if so many people opted out of a study, say, dealing with mental health, that would perhaps indicate that they thought very strongly about how important that information was and how sensitive it was. Then maybe you want to think about other ways of acquiring that information.
MS. LADY: I would agree if the nature of the study was something that you needed to know the name of the individual, and it had any way of being tracked back to them. If you're looking at something that's broad based trend across something for mental health, depression, I mean, one of the most over-diagnosed and treated in this country inappropriately, that's my opinion, not Blue Cross Blue Shield just because Prozac's the number one antidepressant or number one drug right now, the number one drug that is prescripted in the country. If we had information or more specificity about the range of the individuals, the nature of the individuals, where they are located, we may be able to glean information that could help us in this kind of diagnoses. That's not getting to the individual's health record that's going to be able to attribute a negative or positive to them as an individual. It's all in the nature and how it's done, and you have to be very careful. We at Blue Cross Blue Shield, and I can personally speak for this because I've dealt with these areas, are very much for patient privacy, absolutely we want to protect the patient. I mean, they're our members. They're our life blood. They contribute to those premiums that bring us income. So it's very important to us to protect that patient's privacy, and we will jump through every single hoop that we need to that is necessary within the law. But it changes and expands, and we need to take extra steps, we will do that, too.
DR. PEEL: I'd just like to point out that right now the insurance plans have a great deal of electronic data. And so they're wanting to do the studies. But I think that that same population of people would feel very differently about a study that was conducted through a health bank where they knew they controlled their information. People are really not happy to have their data used without their consent particularly by insurers because so often the employers get that identification at an identifiable label, and it affects jobs. They're not trusted. So if we have data banks, then we can get the kind of studies we want done by trusted researchers and trusted institutions where people would know that the data's really not going to be used against them.
MS. LADY: I disagree that the employers are getting the information. There is a firewall between employers getting the specific information. Even an employer who is self-insured who is responsible and pays out all the claims, there is a firewall, and they cannot get information on a specific employee. That really is a misperception. I really want to come back to sort of context here while listening to customers and their understanding of consumer education. We need to educate consumers on all sides of these issues. We need to educate consumers on the value of how that information gets used to improve their care as well as the kind of privacy and security that's put in place.
And I don't want to use scare tactics with consumers because if they are frightened at all, they already tend to be compromised and frightened when they go into a health care setting where they've got a chronic disease, where they have a catastrophic disease. I don't want to put them in any more of an anxious situation where they have to worry about things. I want to provide them education.
When we did focus groups on PHRs, clearly what we heard initially was no, we don't trust anybody. When you show them the power of the data and how that data could be used by them both to empower them and to help them take care of their care, they understood it better, and a lot of them opted to have their PHRs populated.
So consumer education is vital in this area if we're going to be able to move forward.
MR. REYNOLDS: Okay, follow up.
MR. ROTHSTEIN: I just want to clarify one thing. Employers can lawfully – I'm not saying unlawfully, lawfully obtain the complete medical records of individuals when they apply for jobs. Now the firewall that you were talking about is between claims and employment records. But if I apply for a job as a condition of employment, the employer can require that I sign an authorization that in 48 states is unlimited.
So I think perhaps what employees fear or individuals fear is not so much that their current employer will do something that's now technically illegal, but that a future employer may do something that is technically legal, yet they're not crazy about it, just to clarify.
MR. REYNOLDS: Paul.
DR. TANG: I have two short questions formatted in the traditional way with a question mark, PT way. You mentioned that you have four phase. In phase three, you had I think you called it either advanced or enhanced provider data. What's in that data set?
MS. LADY: That data set tells us things about the – in much more specificity about the hospitals and the physicians down to specialties, credentialing criteria, the subspecialty certifications, all the data that we use for credentialing a physician to have him come into our network. It also gives languages that they speak, office hours, those kinds of detail so that you've got much more enhanced. Right now, not necessarily is the rendering physician on the claim. And so it gives us inaccurate information. So we need to be able to have much more accurate information about who rendered it, who submitted the claim, what group they're in and those kinds of things. But personal identification numbers, though they aren't the panacea that we wanted them to be, will be of great assistance moving forward.
DR. TANG: And the second question is in stage four you have lab, I presume you mean lab test results.
MS. LADY: Yes.
DR. TANG: How does that fit the minimum necessary provision in doing your job, which is paying claims.
MS. LADY: We have been told repeatedly that for a comprehensive picture of an episode of care and the ability to have appropriate analysis that we need the lab values. And there are no member identifiers. Obviously they were all stripped from HIPAA that would be attached to the claim. So we'd be able to take the total episode of care and have a comprehensive understanding of what's taking place in that particular arena.
The other pieces just this week from our Physician Advisory Committee, they recommended strongly that we see if we get lab values just for now, they're of course thinking down the line when it comes to the point we're able to glean additional indicators out of the BHI data sets that this would be a value to have that value in the data set.
DR. TANG: No further questions, Your Honor.
MR. REYNOLDS: Simon has a follow up.
DR. COHN: Well, I need to ask you a follow up question of BHI, but maybe also one that Carmella might also want to address. You know, I am struck that obviously a lot of times we have these conversations about these very, very large databases, and they're 50 million, or is it 80 million.
MS. LADY: Fifty now, eight to be.
DR. COHN: And it gets bigger and bigger and bigger. Obviously, one of the conversations that's been going on nationally is centralized databases versus distributed almost along the lines of data is held locally, queries are sent out to more of a local environment with the idea that a response or an answer comes back and so once again there's more local control. There's less this sort of sense of very, very large databases.
Can you – I mean, actually all three of you commented about the pros and cons of that approach in terms of privacy, secondary uses and sort of, just your thoughts on that.
MS. BOCCHINO: So let me just start quickly basically because of the experience that we've had vaccine safety data link which actually initially when it was created was a large data set that was sitting at CDC for the use of public health purposes which has gone through a distributed data model for two reasons.
Number one, they found the technology now you can get your scope of work, your questions, get it to an IRB, actually just pull the data you need to answer that question. It can be done in a rapid cycle, and therefore have more security and protections than if data were sitting in a centralized warehouse.
As our industry is talking about creating some aggregation across our members relative to quality measurement, we have after a year of work, again, this is not, this is de-identified patient information, it's identified on the provider so that you can actually give feedback to the provider for certain areas. We are actually looking at a distributed data model and not a centralized warehouse.
DR. PEEL: Yes, this is Deborah. Actually, we think that in terms of being able to provide really state of the art security that larger databases may have some advantages because they can do the kinds of things like, you know, are done for top secret government information. There are some incredibly secure kinds of places for data, and I don't know that every small community or every hospital could afford them. And so actually there are some advantages perhaps to larger databases because we could certify them in terms of security and privacy practices. So we actually think that because they are pretty expensive to get the highest levels of security, your information is probably safer there. And that's what we're hoping that the health data banks will have is very secure information.
And I wanted to mention when we get consent management tools, I think the need really for IRB approvals for research will essentially be nullified because people can make their own approvals. The reason for IRBs was it was impractical before technology to contact a million people. It's not impractical any more. In fact, it's easy. And so I think the standard of care is going to move away from people deciding for others whether they want to participate.
You know, Maggie was talking a little earlier about something that I said that actually consumers are very upset at the idea of people snooping in their health records without knowing about it, and they are. And IRBs have always thought of that as not really dangerous because they're looking at is this drug or procedure going to kill somebody. They're looking at livelihood, life. And they think that looking at paper doesn't threaten people's lives. But that's not what consumers feel. They don't want people snooping in their records.
And so we think that technology's really going to solve and enable research because people really do want to participate in research.
MR. REYNOLDS: Jeff?
MR. BLAIR: Deborah, could you clarify for me. You had indicated at one point, or least I thought you indicated at one point that there's really not a sure way of de-identifying individuals.
DR. PEEL: Yes.
MR. BLAIR: And, of course, I would – I've been a person that has tended to take comfort that once patient protected health information has been “de-identified,” that I worry much less about secondary use, tertiary use or multiple uses as long as the individual patient can't be hurt by the disclosure of that information.
And the piece that confused me a little bit was you do take comfort, or my understanding of what you said was that the concept of a health bank, Bill Yasnof's construct was one you felt comfortable with.
DR. PEEL: Yes.
MR. BLAIR: So could you clarify for me, please, both of those pieces, the idea that health care information can't be de-identified, but what is it in the health bank that makes you feel comfortable?
DR. PEEL: Well, the idea that it can't be de-identified, and I wish I'd – one of my slides got dropped that showed the Thompson Med Stat data set, and it had dates of hospital admissions. It had a lot of information. And if data is collected over a period of time in someone's life instead of simply episodic, you're going to have a 55-year-old woman was treated at Seton Hospital on a certain date.
So there are so many specific dates and places in hospital data that can't be stripped out without essentially scrubbing the data into worthlessness, particularly if you want to begin to compare, for example, treatment in different settings, Seton Hospital versus Brackenridge Hospital or whatever. So hospital data has gotten, really can't be de-identified.
And the idea, what LaTanya Sweeney did was she took outpatient data sets from Massachusetts and sort of cross-matched them with voter registration records and re-identified health visits from Governor William Weldon and his family.
And so statistically, you know, I think we would need a lot of reassurance about, for example, about the Blue Health Initiative data. You're not going to use data down to a set smaller than five. That might be not – five might be not enough of a number to protect people. I mean, it really is going to depend, you know, on very sophisticated methods like the Census Bureau uses to determine what's re-identifiable and what isn't.
So that's our problem with de-identified data. Over time, it really does have where you were on what date you were treated, and employers, if they get these longitudinal sets of data that's de-identified, if you have multiple hospitalizations or multiple dates where you've had lab tests, and somebody missed work, you could cross absence records with health records. And many employers really do lean on the health plans to give them data.
You know, I understand that's not supposed to happen, and I understand many employers don't want the data, but many do because health costs are going through the roof. And if you're going to, you know, anyway, well, I'll get off that. And why would it be safe in a health bank? Well, again, if you keep your information in a health bank and then the health bank essentially pings you because, Jeff, you say well I want to know about any cancer studies on this particular type of cancer that runs in my family, then the health bank would send the information to you, and it would be up to you to contact the researcher or go back and be part of a plan. So you could be, you know, they could notify all the health banks that we're looking for candidates for this, and then the candidates could identify themselves so they'd have their privacy that way.
And really the health bank could be, you know, if I knew my data was never going to be released, I'd probably agree to every kind of study. Why wouldn't I? Because it would still be sitting there very secure, encrypted, only used in the ways that I want it to be and not sent out. I mean, I'd probably participate in everything because I'd feel really safe.
The other thing is that if we ca have a place where people really trust, they really will put their full health time records. You know, the insurance companies have very limited data. They don't have data from physicians' offices. They don't have the data that really matters to physicians and to patients. That's in the doctors' offices. And if we could accumulate that, you know, my visits to Dr. Tang or Dr. Cohn and keep that in my database, then there would be really incredibly rich meaningful information to study. And if I could add to it on my own when I take herbs or get acupuncture, we could have unbelievable research data because the institution holding it would be trusted. It would be a trusted institution, and we'd have the richest data. So that's why we're so excited about the health banking concept. A number of states have decided to do that as their way of building health by T-system. The State of Washington, the State of Texas. You know, states are realizing the way for the information to flow because so many parties in the health care system don't want to share. They think they own the data. Hospitals have to build agreements to share data in communities and so forth. The only people who can make the data flow are actually the patients.
So that's the best way to get all the data, and we want the data. Thank you.
MR. REYNOLDS: Good. Excellent. Thank you. Mary Jo? I didn't see you.
DR. DEERING: Okay, I'm sorry, and I will be quick. I basically have questions about two bullets from the slides. But I wanted to just preface my remarks by thanking everybody and thanking you, Deborah, for making what I interpret as the case that patient control is technologically possible.
DR. PEEL: It's done.
DR. DEERING: It's a done deal, and therefore it does not need to impose workflow burdens for its implementation and execution. It does not need to, at least ultimately.
Secondly, that –
MR. REYNOLD: Mary Jo, you're cutting in on –
DR. DEERING: Okay, I said that technologically because patient control is feasible. It does not need to impose an additional burden on the workflow ultimately. It is conceivable that it can be engineered into the workflow. So it need not – I'm not saying it might not initially.
Secondly, that it need not diminish the quality of the information and even the quantity of information that is available for specific purposes at specific times. So, again, I think if we hold – I think we hear too often the assumption is that it is going to be impossible to implement and reduce the quantity and quality of the data available. And I believe that we just need to start from the assumption that it need not. Thank you.
And by the way, the RFP that was published, well, here's comes ONC that is out there for the pilot implementations will test that. That's required functionality in some of the use cases. So over the course of the pilot implementations, there will be empirical evidence about it. So I would hope that we would at least have an open mind about that.
The bullets that I wanted clarification from Shirley, thank you very much, was on I think it's your slide eight where you say BHI does not and has no plans to sell data to non-Blue third parties. Do you sell the data to the Blue?
MS. LADY: No.
DR. DEERING: Okay. How do they – what is the business case for that? Have they paid in advance? Is there a business, and this wasn't meant to be negative. We're trying in fact to get away from the sense of commercial uses and recognize that there are financial costs to maintaining data. So what is the financial arrangement under that.
MS. LADY: Right now, these are independently – the BHI is financed independently by each of the plans. They pay annually into the cost.
DR. DEERING: It's fee based.
MS. LADY: It's actually cost material to –
DR. DEERING: Okay, I wanted to give you the opportunity to say that. And Carmella, you went over slide ten and said you thought you'd covered it. But your last bullet there says that consumers understand that health plans have this information and view PHRs as a convenience. What exactly is it that they understand, and how do you know that they understand it with regard to your specific PHRs? And what in fact information do the PHRs give to the health plans?
MS. BOCCHINO: I can actually send you over sort of a model PHR with the data categories because if I were to try to do it off the top of my head, I would miss something. Our focus groups clearly indicated to us that they knew that there was flow of information going from the physician's office to the health plan. And so the health plans had a lot of the information that populated the PHRs. Their questions to us, and we did focus groups at something like ten different states, with a whole variety of different populations, not just both Hispanic populations and African Americans who have tremendous concerns particularly about their data that we've heard consistently. They wanted to know the benefit they would get if this information were sitting in a PHR, how it would help them particularly if they had a chronic disease.
If you can show them examples of that, if you get them engaged, if you let them know that they control the data and the way it flows, there's a competence level that's built there.
DR. DEERING: But the information that they put in that isn't pre-populated from the plans, does that go back to the plan?
MS. BOCCHINO: They have an option of filling out health risk assessments. They can choose to fill it out. They can choose not to fill it out. That information is used. It is explained to them how that information is used. It's used to identify if they would be at risk for certain conditions, do they need additional information, particularly in preventive screenings that they may be at risk for. So we want to stay on top of it. But that information is provided to them before they fill out that health risk assessment.
DR. DEERING: So anything that I would put in with that identifiable information is shared.
MS. BOCCHINO: Yes.
DR. DEERING: Okay, I need to –
MS. BOCCHINO: Well, it's shared within the plan.
DR. DEERING: Within the plan.
MS. BOCCHINO: The patient has the choice of how it's shared. I mean, the sort of downward curve here is –
MS. DEERING: They've been asked certain information or –
MS. BOCCHINO: If they make a decision that they don't want certain information sent to their provider, they actually have that control. So they right now, because there's not an interface with providers' office, we worked on interfaces between plan to plan connectivity. If you change jobs or change plans and had a new insurer. They control what data gets moved. But they can print off that PHR or if the physician's office has an electronic, or they can give access to their physician to see what's in their PHR. If they control what that physician gets –
DR. DEERING: So the plan would know whether they smoked or drank or weighed 200 pounds.
MS. BOCCHINO: Yes, but that's something the consumer filled out through their own choice to do.
DR. DEERING: I am a PHR fan. I've been waiting for it for ten years before I retire. It's clearly too late because I've only got a few more years left, and I've been trying to get one through Aetna for a long time. So thank you very much.
MS. BOCCHINO: Oh, okay.
MS. REYNOLDS: Thank you to everyone. We appreciate this panel. We will be back by one thirty by this clock again, and thank you very much.
(Whereupon, the meeting adjourned for lunch 12:30 p.m.)
AFTERNOON SESSION 1:34 PM
MR. REYNOLDS: The panel this afternoon is on data sharing perspectives. I think we have been talking about that all day, and we just didn't call the panel that, and we are going to hear from Dr. Karen Adams from NQF and Dr. Sharyl Nass and Barbara Siegel.
So, let us just go in the order of the agenda if that is okay with you. So, Dr. Adams, continue, please?
Agenda Item: Data Sharing Perspectives
DR. ADAMS: I would like to thank the Committee for inviting me to give you an update on the NQF project that is looking at evaluating efficiency across episodes of care and naturally this has implications for longitudinal data requirements which I know you also interested in.
So, I thought I would start by giving you a brief overview of the project and also provide an example so that you could see within the context of a chronic condition in this case acute myocardial infarction how we are looking at defining episodes of care and longitudinal measurements in that matter and then I thought I would also put forth some methodological issues that the Committee is thinking about and some things that of course you will be grappling with.
So, briefly I will give you an update on the National Quality Forum Priority Setting Pilot Project.
There is a project brief for you. One of the main deliverables out of this project will be a comprehensive measurement framework for measuring efficiency and we are going to be looking at this longitudinally across health care episodes and we will see the framework of having three key components.
MR. REYNOLDS: Karen, you need to get closer.
DR. ADAMS: Can you hear okay now?
MR. REYNOLDS: Don't lean back.
DR. ADAMS: I will be sure to lean forward. So, the framework we will have three main components. One is some clear definitions. There are lots of definitions going about of what efficiency means, what quality means, how do we define waste and so the Committee thought it would be quite helpful for us to have a common language and just for some clarity as to what efficiency means at least in the context of what they are examining.
We are, also, going to put forth a discrete set of domains for measurement, for example, patient-centered outcomes such as morbidity, mortality, health-related quality of life, key processes of care and as well as resource use and then some guiding principles for implementation.
So, it is easy to say in the framework what you think should be done and what the future vision should be but we also want to provide some guidance in that regard.
In addition to the measurement framework we will be identifying a subset of priority conditions. We will be building upon the IOM work on the priority setting as well as some work at the NQF and we want this to be a starting point for looking at measuring efficiency.
So, we thought by choosing some common chronic conditions or an acute condition such as AMI that certainly has chronic implications we could make this more real.
We also want to put forth national performance improvement goals for two-priority conditions. We are going to be looking at AMI and low-back pain and put these goals out for the next 3 to 5 years and then a research agenda more towards what would be needed measures to start looking at longitudinal care as well as some models of accountability. So, the NQF convened a multi-stakeholder steering committee and I provided a roster for your referral. It is being co-chaired by Kevin Weiss whom many of you might know leads the AQA performance measure subcommittee and Elliott Fisher from Dartmouth.
So, a bit of an update on the Committee's progress to date. It is still a work in progress. We are drafting the measurement framework and on the twenty-ninth of August which I think will be good timing for your work we are having a workshop with additional experts to sort of flesh out some of the domains and the longitudinal measurement issues, and we as I mentioned earlier we selected two priority conditions, AMI and low-back pain. The AMI work group is being led by Bob Bono at Northwestern and the low-back pain working group is being led by Jim Weinstein at Dartmouth.
So, the first order of business of course is this common terminology and we built on the work of the IOM, the AQA and many other stakeholder groups. So, we didn't assume these definitions just on our own and we defined quality of care as the Institute of Medicine does with timeliness, effectiveness, equitable and patient centered.
Now, the IOM had efficiency in that definition of quality which you will see we have punted down a little bit lower but we certainly feel that quality is multidimensional and should be measured along those domains.
Cost of care we define as resource use including unit prices and volume and importantly efficiency of care because efficiency seems to be the definition that, well, it depends on from what vantage you are coming from. So, we put forth that efficiency is quality and cost and I think that this is a really key take-away message because in order to make judgments in regard to the efficiency of the health care system and is the health care delivery system doing its job and the Committee defines that as improving health and reducing the burden of illness, and in order to be able to judge that their performance measurement, we have to look at both quality and cost. So, they do come down rather adamantly on that point and now moving towards value of care they defined as the efficiency equation of quality plus cost but also paying more attention to patient's preferences. We don't measure that a lot now. We certainly do have the work of the CAP survey that retroactively looks at patient experience of care but we really want to start putting the patient into the measurement equation and valuing their preferences both proactively as well as retroactively.
So, why both with longitudinal measurement or looking at extended episodes of care and there were four points I wanted to drive about this. First, the Committee feels that this is a patient-centered way of thinking and when you look at an episode you follow the patients' natural path, their trajectory, onset of illness; if there has been a intervention and we put a predisposed endpoint particularly the chronic conditions because those go on for years but in this case the Committee wants to push out beyond what we traditionally look at initially to 1 year and beyond.
We really feel that extended episodes and longitudinal measurement is more directed at value because through the episode approach you can link the quality and the total cost of care over an extended episode and that will push more towards value and also once again linking in the patient preferences.
We, also, think that episodes will help address some things that are really important to measure that really matter but we don't often do and that would be care coordination. We know from the work of Eric Coleman and Joanne Lynn and Mary Naylor and others that this is where patients fall between the cracks and so not only is quality of care jeopardized; there are serious safety issues, medication reconciliation and there is a lot of waste that occurs here with duplication of ordering and tests, etc.
So, we feel that episodes will allow us to start capturing some of that across care and the lat bullet of course we could spend a lot of time on but we do feel that looking at episodes might be able to address our current encounter-based finance system which might not be an optimum model for looking at episodes.
So, I provide for you here and example because now it sounds very conceptual and so we are working on this. I do have it as a draft because the Committee is still deliberating but here is how they are conceptualizing an episode of care for acute myocardial infarction and so I am hoping through this example you can see where some of the data, things that we might need to address will come in.
So, if you start to the far left with is larger bubble of the population at risk ideally we would like to prevent a heart attack from occurring, primary prevention but we do know they occur and this is certainly a serious problem.
So, in this episode we will not be looking at primary prevention because primary prevention in and of itself is worthy of an episode but for methodological reasons and data and comparing apples and oranges we can really only in this episode look at secondary prevention, post-AMI, not only health life style behaviors but also you know look at management and things of that nature.
We feel the primary prevention in taking that population-based approach look is so important we include that as a reminder in this episode.
So, as the patient has onset of chest pain you see that they move into what we call the acute phase. Now, traditionally the episode would begin once you have hit the mortar and bricks of the ER or the hospital and our Committee would like to consider pushing back a little bit. That episode would begin at the onset of symptoms. So, we don't collect data usually then and there are going to be implications and I know my colleagues will be talking about privacy but it is just not something that is routinely done. So, we want to push out that to bring in some of the community elements around infrastructure support, EMS, etc.
So, the heart attack occurs. You come into the acute phase and we feel at this point, I mean certainly not when the person is going in but once they are stabilized and you want to assess their preferences because and now this is I admit a simplification but for diagram purposes we have talked about two trajectories for the AMI and one would be you know you are a relatively healthy adult and the goal would be to rehab and back to work or whatever your preference would be and then there is the trajectory where you may be someone who has multiple chronic conditions, quite ill coming into the infarct. It is another assault and you may at that point want to start thinking about what are this patient's preferences in regard to palliative care, advanced directives and working with the family.
So, we want to put that assessment of preferences up front in the acute phase but importantly for the longitudinal measurement as you go from acute to post-acute you know the handoffs that occur there and the transfers are very important as well as when you go back into the home or into the community looking at secondary prevention.
So, for this episode we would like for it to begin as onset of symptoms and then measure at least out to 1 year post-AMI.
The National Quality Forum has endorsed a 30-day mortality measure for AMI but you know we want to push beyond that or the Committee when we look at longitudinal care particularly for chronic conditions would like to go a little bit further.
So, in the context of that example here are some methodological issues we are grappling with, and what we thought of course for your consideration as well and I classified these into three categories, but the first one is data and I think the data integrity, I mean that is an issue regardless if we are looking at extended episodes or not but I felt it amiss not to put that there knowing that Paul is on the Committee, too, having worked before. You know, there are just the data elements that we need for efficiency around quality, cost of care measures that move beyond resources. That is going to be tricky particularly when we are dealing with administrative data and the strengths and limitations of doing so there, but what I would really like to focus in on is that second bullet on data collection and aggregation because you saw from those bubbles you from acute to post-acute back into the community you are going to be leading to collect data, aggregate data. Ideally we would like to aggregate at the smallest unit of analysis as long as it was accurate and reliable. You need individual provider level, group practice, organizationally, the hospital, nursing, etc., out to the community you know to have that ability to roll up and roll down so to speak, and so I think these are things you know your group as well we are going to need to work with as we push more toward longitudinal measurement over episodes and then of course these data standards.
So, we don't have at the moment data standards that might map to this perfectly and how we would need to codify those for use in the electronic health record so hopefully things could be collected at point of care and not be a high burden.
So, lots of data considerations I humbly present to this group of course.
Another issue is around accountability and how we can attribute care across these multiple providers and this is this notion of a warranty. So, how can we make sure that every provider that is involved with care, for example, over the AMI is accountable or is somehow held accountable downstream and what type of models might we look to not only for data collection but for encouraging groupness so we can avoid the problem of small N's at the individual physician level, etc.
So, the Committee is spending a lot of time thinking about these types of models and looking at something called an accountable care entity and virtual groups, some of the things that come out of the Institute of Medicine and their performance measurement report and then finally which I know my two colleagues will discuss in much more detail is privacy because as you go across these multiple settings you know how many times do you collect consent forms? Is it a year? What is the time frame? I think there is going to be a lot there to deal with in regard to making this feasible and management and of course respectful to patients' privacy.
So, I will stop here, of course, and entertain any questions you may have.
Thank you.
MR. REYNOLDS: Thank you, and what we will do is we will move on to Sharyl.
DR. NASS: Can you all hear me okay?
MR. REYNOLDS: Yes, we hear you fine, thanks.
DR. NASS: I, also, would like to thank the Committee for having me come to present to you an overview of an IOM study that was recently launched. We had our first Committee meeting in June of this year on health research and the privacy of health information, the privacy rule.
Last June the National Cancer Policy Forum held a workshop on this topic to explore issues prior to undertaking a consensus study which was just launched this year and that workshop is summarized in a report and you can read it online at this web site if you are interested.
The consensus study was originally requested by the President's Cancer Panel which is why the workshop was held by the National Cancer Policy Forum, but when the IOM decided to undertake this study they agreed that it was important to have a much broader overview of the issue because certainly the HIPAA privacy rule is not just having an impact on cancer research. It would be potentially affecting all branches of research.
So, we have a broad range of funders including cancer-focused organizations like the National Cancer Institute, the American Society for Clinical Oncology, American Cancer Society and C-Change but we also have quite a number of non-cancer focused sponsors including NIH, the American Heart Association, the American Stroke Association, Burroughs-Wellcome and the Robert Wood Johnson Foundation.
The next couple of slides are a verbatim recapitulation of the Committee charge and I put them in this way because the charge is what drives the study at the IOM and the reports at the end are reviewed externally by a panel of experts in light of this charge, and so it is important to have that laid out, but overall the charge to the Committee is to investigate the effects of health research of the privacy rule and IOM reports are evidence based. So, we need to look at what evidence is available to undertake this examination and it is important for the Committee to look at the needs and benefits of patient privacy as well as the needs, risks and benefits of health information.
In conducting the study the Committee will look at a broad range of study types, a broad range of sponsors and also review the provisions that are specifically relevant to health researchers. I am sure all of you know the privacy rule was not written directly to regulate health research; so not all of those provisions are actually relevant to research and the Committee will also take into consideration issues of interpretation and implementation as we have often heard that there is a great deal of variability from one institution to the next as to how these things are being interpreted and we will also consider issues of harmonization with regulations that may have overlapping provisions such as the common rule or FDA regulations.
Because of the workshop that we had undertaken last summer we knew going in that there was very little data available for the Committee to work with.
Most of what was out there was anecdotal evidence and in some cases surveys had been done shortly after the rule was implemented and so there was some concern whether they were relevant in the sense that there would probably be a learning curve when the regulations came into effect and that they may not be as relevant now.
So, the Institute of Medicine undertook the unusual step of commissioning several surveys to gather evidence. This is not something that we normally do but we felt that it was very important for the study and so this is a list of three surveys that are either ongoing or have been completed, a survey of US epidemiologists on the HMO research network and also a Harris interactive poll for public perceptions.
In addition to these which are actually funded by the Institute of Medicine a number of foundations and institutions have also planned to undertake their own surveys and will be providing input to the Committee based on the results of those surveys. That includes the American Society of Clinical Oncology, the American Heart Association, the North American Association for Central Cancer Registries, Academy Health and the International Pharmacy Privacy Consortium.
Just to give you a brief overview of the surveys that we have commissioned the survey of epidemiologists is actually completed although the data analysis is still ongoing. It was a national survey that was web based and members of 13 different societies of epidemiology were invited to participate and responses were anonymous.
There are several categories of questions that were included including quantitative responses that ask about the types of data that researchers collect, rates of recruitment pre- and post-rule implementation and experience in obtaining things like waivers and de-identified information.
There were some questions that used a Likert scale to measure perceptions of ease or difficulty in conducting research and the impact of the rule on privacy and confidentiality.
There were also some questions that entailed case studies where researchers were asked whether their institutions, IRBs or privacy boards would be likely to approve. All of them were cases that should have been allowable under HIPAA. So, it was a way of assessing variability across institutions and finally there were some open-ended qualitative questions where people could provide more detailed and variable input to the Committee.
As I said the analysis was still ongoing, but a preliminary overview of results indicates that most of the respondents perceive the privacy rule's impact as quite negative.
There were a lot of concerns about variability and local interpretation and also about added costs and delay as a result of the privacy rule.
The second survey is not yet fielded, but is nearing completion and is almost ready to go. The survey of the cancer research network investigators which includes 13 sites and collaborating institutions entails more than 50 faculty and they are engaged in a broad variety of research types and they will also survey the IRBs that work with these groups to try to get another feel for how variably these organizations are operating and finally an overview of the Harris survey. This one is also nearing completion and will probably be fielded in the next month. It asks questions about the public's experience with and attitudes about research and privacy,
Some of the questions will be asked of all respondents to get their attitude about health research and some of the questions will be specifically for people who have already had experience with health research.
Based on previous surveys by this group approximately 10 to 15 percent of the respondents have participated in studies and they asked a preliminary question in a survey that was just fielded this June and about 14 percent of the respondents said that they had participated.
This is a time line of the study. As I said, the first meeting was held in June of this year. Our next Committee meeting is scheduled for October 1 and 2, this fall. The meeting is open to the public. So, you are all welcome to attend if you are interested in it.
We hope to be finishing up the report by next summer and starting the review process in the fall and we hope to have the report finished by the end of the year with final draft reports issued in early 2009.
This is the Committee membership. If you are interested in providing input you can go to either of these web sites, the current project web site for the National Academies or we have a project web site as well.
With that I would be happy to answer any questions you might have.
MR. REYNOLDS: We will hold them until we finish with our next presenter, Barbara Siegel from AHIMA.
MS. SIEGEL: Chairman Cohn, members of the work group, ladies and gentlemen, good afternoon.
My thanks to the work group and Margaret A for the opportunity to provide input into this important discussion on the development and use of secondary data as well as the confidentiality and security functions surrounding the release and use of such data.
I am Barbara Siegel, Director of Health Information at Hackensack University Medical Center in Northern New Jersey. HUMC is a 680-bed tertiary care teaching facility which participates in many data reporting initiatives including the CMS quality demonstration with Premier, the Institute for Health Care Improvement Pursuing Perfection grant and the State of New Jersey as well as many other requests from a variety of resources seeking secondary data.
I speak to you as a department director whose responsibilities include the disclosure of secondary data. I also speak as a representative of the health information management profession.
It is HIM professionals who manage the many tasks associated with gathering and analyzing the data which makes up an individual's primary record. HIM professionals are also responsible for disseminating data for a variety of secondary functions including quality measurement, public health or biosurveillance, research and myriad of administrative and operations reporting requirements.
In 2004, I provided the NCVS Work Group on Quality a brief description of HUMC's quality and secondary reporting activities and staffing requirements.
In June of this hear AHIMA and MGMA provided an update for that report. This slide shows the Hackensack has encountered about a 72 percent increase in costs due to the increase in demand for data.
So, I can really assure you that the issues around the reporting of this data are very important to us. I have noted a few of the quality projects at HUMC. Our quality unit and our HIM department receive an ever increasing set of requests from third-party payers, health plans, state agencies, researchers and others seeking secondary data. It is the diversity of these requests, the lack of standards in process and data and the fact that our industry has yet to achieve an interoperable electronic health record that present many of the issues you are addressing. HIMA supplied this slide depicting a tertiary care medical center's demands for secondary data. I have not attempted to do this but this does look very much like what we are doing with it at Hackensack, and it is in your handout.
HUMC considered the role of secondary data reporting as we established the processes and policies necessary to meet the requirements of HIPAA earlier in this decade.
Our policies and procedures reflect both the HIPAA and State of New Jersey's confidentiality and security requirements. Our ongoing orientation and training programs reflect these policies and our understanding of the state and federal requirements.
You are aware that there are situations where HIPAA requirements when taken in relation to other federal and state requirements create some uncertainties. When it comes to the release of secondary data this uncertainty will increase as the community recognizes the value of secondary data especially as the health care industry migrates to a standard interoperable electronic heath record.
If we are to have quality data and data integrity industry and the government must address these ambiguities and improve the standards for secondary data reporting and collection across all sections of care.
To comply with HIPAA and state laws Hackensack instituted simple policies, procedures and a notice of privacy practices and in your handouts there are a few examples of some of our policies.
Typically our policies and procedures have been adequate for the ongoing secondary data reporting projects. HIPAA does not require a separate consent for disclosures or access to protected health information or PHI when it is disclosed or accessed for treatment, payment or operations, TPO, or when required by law.
HIPAA also provides exceptions for certain research disclosures and for disclosure of information that has been de-identified. The remaining disclosures require an authorization. All of these requirements are tempered by the state preemption section of HIPAA so that if a state has a stricter requirement the entity must follow the state requirements.
We constructed this table to show patient authorization or consent requirements for secondary data with the assumption that the individual has reviewed the HIPAA privacy notice and signed the initial releases normally required. Note that there are a number of cells where the entity may not be required subject to state law to obtain an additional consent or authorization. There are a few situations where an authorization is required and there are several where we placed a question mark because the release would be situational. The request for data or the knowledge that a patient is covered by a particular secondary data reporting requirement may not be known until after the individual is discharged.
These questionable situations could occur when quality measurement requests or other data requested do not potentially meet the TPO requirements. For example, an entity might ask if a quality measurement is part of a requirement to receive payment then can it be assumed that the release is covered by HIPAA or TPO? Is the group requesting data a government entity or a subcontractor of a government entity? Is the request covered by as required by law or by TPO?
Another question that will also arise relates to the requirement for minimum necessary. What amount of the individual's record is the minimum necessary given the specific request and the entity requesting the information? Providers of secondary data face the dilemma that patients may be involved with one or more payers or health plans or multiple agencies desiring their health care information.
While it might be perfectly appropriate to release data for a health plan that uses quality data for payment purposes, is it appropriate to provide such additional data to a secondary health plan that does not?
How does minimum necessary apply to each and just how do agencies and health plans use the data they receive under TPO? Are they a covered entity or do other federal or state laws apply? HIM professionals address these questions daily. Secondary data is produced from paper records, electronic records and mostly nowadays from a hybrid record of paper and electronic records and in just about all cases the analysis is a manual process. How requests will be handled when there is a full adoption of the standard EHR and network health information exchanges remains to be seen especially if we anticipate a computer-assisted response.
Fortunately the number of requests beyond the TPO requirements today are relatively low but as the health care industry becomes fully electronic the demand for secondary data will and really should increase.
The need to define who is requesting the data will also increase along with associated questions. What data are they requesting? Is it PHI? What right or rights does the individual have to restrict the data? How will the entity track or audit releases in the AHR system or through an HIE?
As the requests for secondary data increase so will the need to train health care professionals and educate consumers on the various nuances associated with requests and requesters as well as the laws, regulations and rights in effect.
As consumers receive more information or misinformation about the use of health care data providers could find themselves in situations where consumer restrictions are placed on the release of data for external parties. To avoid this, the users of secondary data must provide a clear picture as to how secondary data is being used and the protections being provided to ensure such information is confidential and restricted to the purpose for which it was originally provided.
Feedback must also be provided throughout the health care community to ensure that the data is used accurately and that if processes or collection of data needs to be changed the system will actually change.
If we can achieve a uniform understanding of what authorizations or consents must occur, when and under what circumstances then we can better spend our time ensuring the completeness, integrity and confidentiality of our primary and secondary data and not on the nuances of multiple and complex regulations.
Identifying the requester of secondary data not only impacts the decision of whether an authorization is required but also the amount of PHI included in the data provided. Requests for secondary data especially for quality measurement and public health must be judged not only for a TPO relationship but also to determine any individual requirements for identification or de-identification.
Some data is identified by name or a patient account number. Other situations call for a de-identification process where a separate identifier is used in case the patient needs to be informed of a situation calling for follow-up care.
Such variation can be addressed in situations where only one payer, health plan or agency is involved but the issue becomes more complicated when there are multiple plans or agencies similar to what I described above for authorizations.
Over time we expect to see additional information requested as secondary data. Metadata will be required to determine the source of the data elements that make up a measure or a collection of data needed for reporting. The individual's ability to restrict specific record information outside of the usual categories will complicate matters from an administrative perspective and requirements for an accounting for data access and disclosure will potentially rise to ensure the disclosure limits are respected.
In a fully electronic system the accounting and restrictions should become less of a problem but in today's hybrid environment it creates significant administrative burdens. While an electronic environment will make some processes and protections easier the ability to provide secondary data will continue to be difficult unless the health care industry and government can also come to consensus on data standards.
The development of uniform standards and other processes leading up to the adoption and use of standard EHRs are meant to ensure that the standard EHR can capture all the data necessary to provide health care clinicians with information they need to care for and provide optimal treatment decisions for the patient.
First and foremost the EHR serves as the primary health record for the patient. The record must be accurate and complete and ensure integrity and data transfer among sub and external systems, data identification and provision of data to ensure the clinical and business needs of the patient and the provider.
While the record is for care the same attributes are needed for the provision of secondary data. The community, the provider and the patient are best served if the primary records data can serve many purposes rather than the primary record itself becoming a hodgepodge of information collected specifically for a variety of secondary purposes.
The role of the record analyst is to review the record and provide secondary data when requested or required. With the adoption of the standard EHR made up of uniform terminologies some automation via computer-assisted coding will provide common forms of secondary data. The lack of standardization makes the process of analyzing data for reporting difficult and can result in two different organizations, data requesters having different results for the same measurement. This in turn can lead to confusion for consumers as well as health professionals, a situation we have faced several times at Hackensack.
Variance in data requests that often target the same output makes automating secondary data and ensuring data accuracy and integrity very difficult. There is no standardization among organizations seeking quality monitoring let alone across industry for research, population health and administrative activities.
While there are some national standards they are not necessarily followed on local or state level and all standards in data definitions are typically on a volunteer basis. The recent AHRQ RFI introduces the concept of an entity that could initiate and manage the coordination of secondary data measures, data definitions and other attributes of secondary data requests so that data providers can report the data and maintain data methodologies that meet industry, government and consumer expectations.
This entity would deal with the process of developing data set standards, aggregation processes including confidentiality and security and coordination between standards and data users.
Working in a teaching and research facility close to several other states I would appreciate not only the uniformity of secondary data but also the confidentiality and security requirement for disclosure and transmission of data. I also hope to see some means of requiring adherence to the standards and guidelines a data entity would produce. However, it does not appear that the proposed entity could mandate uniform use of standards and guidelines, a problem we have seen even with HIPAA standards.
As a director of health information I am a steward of the individual's record and data. However, once the secondary data we produce leaves our facility some other entity takes on the responsibility of steward of the transferred data. I have no control of their stewardship and they must comply with requirements under HIPAA, IRB or some other state or federal rules or laws.
In some way government and the industry must ensure that privacy protections extend to health care data no matter where it exists or is stored. If individuals cannot trust the overall system they will be reluctant to provide information in the primary record or they will add restrictions to the use and disclosure of data diminishing the value of secondary data.
I want to note that Hackensack also complies with HIPAA and state laws in the internal use of health information. There are so many things that we are doing with all our efforts we take on a regular basis that if you have any questions regarding this I will be happy to answer them.
I noted that you are also considering the role of health information exchange. Unless the HIE is itself a data repository I do not see it as the reporter of secondary data. Through a combination of policy. Through a combination of policy and technology it may someday be possible that issues of identification, authorization and consent may be addressed by an HIE. As the provider of the secondary data usually a health care provider has a direct relationship with the consumer. I believe the decision points we have to discuss cannot be handled at the HIE level but without a clear model of an HIE it is difficult to say just how an HIE could or should address the issues of consent, authorization and other confidentiality and security requirements.
AHIMA and AMIA have suggested that uniform legislation should be passed to prohibit the intentional misuse of an individual's health care data or discrimination of individuals related to their health care data. Such a law could then ideally permit the sharing of data for secondary purposes without a complicated set of rules pertaining to parts of the database and identifiers and so on.
Whether the health care industry or the United States is prepared to take on such legislation and actually prosecute offenders is open to question.
In conclusion I have only skimmed the surface of the issues facing the disclosure of secondary data. Let me conclude by noting that if the community as a whole is to benefit from the vast amount of health care knowledge that can be extracted from a fully interoperable health care system then we must reach an ongoing nationwide consensus on uniform use of authorizations and consents, uniform use of industry-wide terminology and classification standards in sync with international standards, uniform use of measurement or data set standards to ensure consistent data collection across a spectrum of secondary data requesters, uniform confidentiality policies and practices along with security measures to protect data that is both identified and de-identified including issues related to authentication and accounting, education of consumers in the industry and the need for and use of secondary data and its relationship to primary data as well as how confidentiality can be guarded and increased in an EHR/HIE environment and strong uniform legislation to punish discrimination and intentional misuse of health care data.
The health care industry must also address the mechanics of secondary data exchange including the impact of the paper hybrid EHR transition on the data required and the process for collecting such data and the need for feedback in any secondary data system to ensure maximum use of the data and data accuracy as health care knowledge grows.
I have attached some practice briefs, recent statements and a summary of recommendations on terminologies and classifications.
Whether today or in the future if I or AHIMA can be of any assistance to the work group please contact us and again thank you for allowing me the honor of testifying on this important subject and I am ready to take any questions.
MR. REYNOLDS: Thank you. I have got two quick clarifications and then it is Marc and then Simon and then I will look for anybody else.
Sharyl when you talked about the survey that you did was one of the questions whether or just how much or how well the physicians and others understood privacy?
DR. NASS: Our surveys are not really being targeted to physicians. They were aimed at researchers and the public. So, I don't know that our surveys will address that question specifically. It will start to get at to some degree how well researchers understand the regulations but there is another layer of complexity because how they are interpreted by their institutions varies quite a bit and so I think most people deal with the regulations at an institutional level rather than with the original regulations.
MR. REYNOLDS: On the chart that you had where you had patient authorization and consent and at the bottom of it you had HIPAA PPO no authorization if you could when you get over there to research did you have a clear demarkation between quality and research and then when you get into research you said, "Non-IRB," and you had "Yes."
MS. SIEGEL: Yes.
MR. REYNOLDS: Help me a little more with exactly what that meant by yes?
MS. SIEGEL: I am not sure I have an answer for that.
MR. REYNOLDS: Okay, and then when you got out the payment or claims which I know from all the testimony we have tended to hear fit into TPO, the word "some" raised a question as to why there would need to be an authorization.
DR. RODE: The reason for some is that we can run into some payers who are not HIPAA entities and so in a case where you have a payer that is not a HIPAA entity you have got to get an authorization. It is not covered by TPO. I am sorry, this Dan Rode, I am with HIMA.
MR. REYNOLDS: Thanks, appreciate it.
Okay, Marc?
MR. ROTHSTEIN: Thank you. My question is for Dr. Nass and it follows Harry's question. We are thinking in the same way. It is sort of a comment but if necessary I can make it a question.
(Laughter.)
MR. ROTHSTEIN: The NCVHS has long been concerned about the effect on health research of the privacy rule and we have held several hearings and written letters to the Secretary dealing with aspects of this and we believe that there are some inconsistencies between the privacy rule and the common rule that make life difficult for researchers and we have asked the Secretary to address those and there is a task force or a committee or something at HHS that is beginning to take a look at this, but I have some reservations about the methodology that you are using to gain information that it is surveying the epidemiologists and HMO research network and the public about its perceptions.
Let me describe to you very briefly two of the kinds of responses or bits of testimony that we got at our hearings and these were not by sort of dumb-off-the-street researchers. These were representatives of major professional associations and institutions.
There would be people testifying before the Committee. They would say that for 10 years we did X, Y and Z and then the HIPAA privacy rule comes along and now we can't do X, Y and Z. Isn't that terrible? And our response was what IRB allowed you to do X, Y and Z for 10 years? It is expressly prohibited by the common rule. You couldn't do that to begin with, and they would say something, "Well, never mind."
(Laughter.)
MR. ROTHSTEIN: The second type of testimony was something like the HIPAA privacy rule interferes with our research because we want to do A, B and C, and we can't do that according to the HIPAA privacy rule, and then we would read them the provision of the privacy rule dealing with research that says, "Researchers may do A, B and C," and they would say, "Well, never mind."
So, it goes to Harry's point about I think there really is at least a couple of years ago, the last time we looked at this issue a tremendous knowledge gap among a wide range of researchers as to what the common rule demands, what the privacy rule demands, what the relationship is between the two and so that going exclusively with subjective reports may in fact be misleading and I think it might be very valuable if you got a sense of whether the researchers are actually correct in their assumptions.
DR. NASS: I think those are all very excellent points and we are attempting to try to get at that. I think there is definitely a recognition that there is variability across institutions and that the institutions tend to take a very risk averse approach to these regulations which are very complicated and as you say have overlapping stipulations with other things that may apply in some cases and not in others depending on who is funding the research, who is doing the research and so on and the questions that we are asking in the survey at least some of them try to get at whether the researches themselves think that things should be allowed under HIPAA and also whether their IRBs would allow things to go forward at that institution.
So, I agree that it is an important issue. We are trying to get at it. There are limitations in doing the surveys and if you have suggestions for other ways that we could try to collect that sort of information I would certainly be interested in hearing it.
MR. ROTHSTEIN: Okay, will do.
DR. VIGILANTE: Case-based approaches where you are saying, "Given this scenario is this or is this not appropriate?"
DR. NASS: We did do some of that in the fist survey that was fielded.
DR. COHN: First of all thank you all for what has been a very interesting set of observations and issues. I actually had a couple of, and I am being perhaps a little naive, Sharyl and I want to start with a question or two for you and just to help me understand the study you are doing, is it focused on federally funded research or are you taking a broad look at all research?
DR. NASS: It is any research that would fall under the HIPAA regulations. So, it may be federally funded and it may be privately funded. Anytime that the information that you are collecting is coming from an entity that has to deal with the HIPAA regulations then it is relevant to that project. So, that is part of the complication is that it varies depending on who is doing the research, how the data is collected and how it is funded and so on, and it is different than the common rule because there are different stipulations there again as well. It is a very complex set of regulations.
DR. COHN: I will apologize. I had actually meant to go home, assuming I ever get to go home again from all of these hearings and was going to read up on my favorite document which is of course HIPAA privacy, but you need to help me with this one and you may know or may refer me back too the document or maybe Marc can help me, but as I understand it the federally funded research or institutions that receive federal funding for research they have to have IRBs and the common rule applies.
Now, if you are an organization that doesn't have federal funds coming in for research in any way, shape or form and you don't have an IRB or don't necessarily have an IRB and you don't have the common rule and so am I right in assuming the only thing that applies is HIPAA? Am I missing something here?
DR. NASS: If the data that you are trying to collect is coming from providers who are working under that HIPAA privacy rule then you need to obtain consent to get that data under HIPAA.
DR. COHN: Okay.
DR. NASS: If you as a researcher are not required to work under HIPAA once you have that data they may no longer apply but if you are trying to get the data from an organization that does have to work under HIPAA then they do apply.
DR. COHN: Okay, just to make sure that I am sort of understanding, so obviously in places where federal funding is occurring you are looking at the interaction of the common rule and HIPAA in places where --
DR. NASS: -- FDA registration you have to include those regulations as well.
DR. COHN: Okay. This is an interesting tapestry. In places where there is no federal funding the scope of the project really does include just HIPAA alone.
DR. NASS: Right and the other could be places where only HIPAA applies and not the common rule.
DR. COHN: Okay, and I am glad to hear that because I think that is an area where a lot of people seem to focus on the overlap between the common rule and HIPAA and the confusion or I am not sure if it is confusion but whatever is going on there as opposed to wondering what is happening where there really isn't a whole lot of protection necessarily with non-federally funded research potentially.
So, thank you. We will look forward to that report. May I ask another question? Okay.
It is not to you but to Karen Adams. This was actually a question of your extended episodes of care which I think sounds wonderful. I will be watching to see what methodology you wind up either inventing or adopting for that. Obviously there are a lot of episode treatment groupers out there but whether any of them requires extended as you are perceiving, now, having said that though obviously the purpose of this hearing and what we are investigating has to do with secondary uses and risks and contemplation of issues as we sort of move into this world that HIPAA may not have completely considered.
Now, as I think about what you are doing obviously there are risks as you put more and more data together into a single record and obviously as you extend episodes of care it isn't just that person who is now de-identified on a date that id de-identified had X procedure or X encounter but now you have 30 of them together or 50 of them together or extended maybe 100 of which 5 are hospitalizations and there are three procedures and whatever.
Now, what is your contemplation around risks that relate to either privacy or anything like this if this all happens? I mean is there contemplation that this will all be done and any sort of an evaluation will occur locally within an institution and there will be no exposure of data or what are your thoughts about all of this?
DR. ADAMS: On your first comment on methodology I just wanted to mention that this Committee certainly has looked at the episode groupers and of course MedPAC has done a terrific analysis of the strengths and weaknesses of the common ones out there.
They aren't going to suggest an alternate methodology or add-on methodology but put forth that maybe existing methodologies might not be able to meet these needs or there might need to be modifications or let the market rule, you know.
So, I think with the privacy issues there are a lot because rarely are you just a patient with the AMI. So, I gave you an isolated episode of AMI but that person with AMI as you are saying could have multiple other comorbidities and all of this is going to play. So, the group hasn't dived into as much on this privacy issue. They dove more into the data issues and the collection and the desire to want to measure at multiple levels and that of course puts forth issues, too, particularly when you want to do it at the individual provider level which is often most important to the patient.
So, I guess my answer is that we are aware that these are going to pose multiple privacy issues. I think when we were talking about how many times will you have to get consent will it be across an episode; will it be every time you go into a different environment? It becomes absolutely cumbersome but you want to of course adhere to the rules. So, I think our group is lucky in some ways because they are putting forth a framework, a vision, how they think longitudinal measurement should occur and why they support an episode approach but you know it is not going to be easy I guess would be my answer and privacy definitely would be an area of concern.
MR. REYNOLDS: Okay, we thank you very much.
So, what we are going to do now is we will take a break until 5 minutes until 3 by the clock and then we will be back for open discussion.
(Brief recess.)
DR. COHN: Okay and I think we have Marjorie Greenberg on the phone also joining us. Is that correct? Maybe we don't.
Okay, we are going to get started. I think as we have talked about this one both earlier today and yesterday obviously the plan was to have relatively significant amounts of testimony which I think we all feel that we have received. This begins a period of time where we are going to sort of talk about some of what we have heard as well as begin to talk about various framing pieces.
I am actually going to turn it over to Margaret A in just a second here to sort of show some of the pieces, talk about some of the work that we have done. I think I should state at the beginning that this is, in all of these projects we started out early drawing pictures and trying to figure out how things fit together. None of these are decisional. These are things more to try on for size to see if they help explain the story or help us put our thinking together better or help us identify issues that we want to address better in a more focused fashion. So, we will I am sure go through a number of these over the next several weeks to a month and one-half.
So, just take it as these things, they don't have big drafts all over them but they effectively do. So, I just want to start with that sort of disclaimer, but with that, Margaret, do you want to talk a little bit about this as well as begin to get into some of the smaller pieces of all of this?
MS. AMATAYAKUL: Maybe before I begin it would be good just to make sure everybody has the documents that we passed out last night because there were quite a number of documents.
One document you should have received was something that looked like this and it has got Page No. 3 on the side here. This was yesterday evening. Simon, it may be in your other document earlier. We have got extra copies if you need them.
The other document is an outline of report and a document that begins with Page 9. So, obviously the document that starts with Page 3 is sandwiched between 1 and 9. We made a slight change yesterday morning.
The other thing you should have is a page that has got red and blue and it is August 23, 24, testimony. This is our draft schedule that we are working on for the next set of testimony.
Simon and I took a look at this sort of doodle and it really is a doodle because I just did this this last hour while I was listening to the last testimony and hence you don't have a paper copy of it, but we thought we would go through that a little bit as sort of a real high level, very, very high level overview and then start looking at more of the secondary uses of data framework which is this document that starts with Page 3.
In addition Harry and Justine both have their own doodles as well that we will use and pop up when we can. So, this particular one draws from Lumpkin's model where had public health research and quality as overlapping concentric circles and then we started hearing from testifiers that treatment really also overlaps in all of those areas and in some cases the overlap area is an area of concern, that we may want to shrink it, define it better make sure that the circles aren't overlapping or make sure the circles are more completely overlapping.
So, we have treatment payment operation. We have quality. We have research and we have public health and then we have also been talking about other uses that are somewhat undefined.
So, I have drawn a circle around here to sort of suggest this is the other uses, some of which may be outside of treatment quality research and public health. Some may be inside and then we have these areas in several of the domains that are completely outside, some a little smaller than others that are still also of concern.
So, for example, we have heard that research and quality are blurring. Quality may be a part of the operations component of TPO. It may not. Research may be federally funded and within the purview of IRB it may be not federally funded and totally outside the purview of IRB and potentially even HIPAA. We don't know and the same might be true for quality.
So, that is just sort of a high-level picture of kind of what we have heard.
MS. GREENBERG: Hello?
DR. COHN: Hi, Marjorie.
MS. GREENBERG: I am there. Can you hear me?
DR. COHN: Good. We asked about you earlier when we started the session.
MS. GREENBERG: I was here then, too. I have been here since before you came back from the break.
DR. COHN: We can hear you much better now.
(Laughter.)
MS. GREENBERG: It was frustrating to hear you say that I wasn't there because I was.
DR. COHN: Welcome.
MS. GREENBERG: Actually the technician knew that I was here because he checked on me when you were on break, but anyway, thank you.
DR. COHN: Mark wanted to add a comment.
DR. OVERHAGE: I guess I had a question. I am struggling to figure out what is in some of these areas and could think through but one of the first things I kind of asked myself, so what is in the quality circle that is not in the TPO public health or research, and I am trying to think of a concrete example for each of these non-overlapping or overlapping areas and I can't think of one there.
DR. COHN: Let me make sure I understand what you are saying. So, you are wondering for quality what is --
DR. OVERHAGE: Why does it have its own circle?
DR. COHN: Okay, and is the question why it has some clear circle or why it has some of this?
DR. OVERHAGE: First of all why does it have its own circle at all in research and public health, for what purpose, for research or for operations, which is it or for public health?
DR: TANG: It is outside patient care.
MS. GREENBERG: I can hear Marc, but I can't hear the other person, but I think it is the part that is for operations, isn't it?
DR. OVERHAGE: Why did you do the survey? I wanted to find out how many people really get flu vacs.
DR. TANG: TPO only applies to data that I captured in the process of care.
DR. OVERHAGE: Wouldn't your point be that that is research when you have a question and you want to investigate.
DR.TANG: TPO is a figment of HIPAA's imagination.
DR. OVERHAGE: But there is a lot of value in aligning what we talk about with those figments that other people --
DR. TANG: I understand but the difference is if I go do something in the name of quality or research that does not take advantage of, make secondary use of data collected for the care of patients I think that is outside of TPO.
DR. OVERHAGE: So, you are defining in that case TPO as being HIPAA uses of data for TPO which feels really funny to me.
DR. TANG: That is because HIPAA is the one that made up TPO.
DR. OVERHAGE: That is fine but call it operations then if it makes you feel better.
DR. TANG: I am not a health care provider. I am a surveyor
DR. OVERHAGE: I agree. I don't care who you are. I think the model has got to work.
DR. TANG: Agreed. That is why we are talking about it.
MR. REYNOLDS: Marc, let me ask you a question. What would you see that picture as?
DR. TANG: I guess I am just asking the question.
MR. REYNOLDS: I know you are asking the question but --
DR. TANG: It struck me as funny that there is a separate circle and I think you take the quality circle away.
DR. COHN: Let us hold it as a thought here and let us just discuss how we may want to represent this one.
Steve, do you have a comment?
DR. STEINDEL: Yes, Marc, I have a question for you. Why would you take the quality circle away? Why not take the TPO circle away.
DR. OVERHAGE: Because TPO is imaginary. It is a fig newton of HIPAA.
DR. STEINDEL: That would be fine with me although quality is a topic not a process, I guess is why.
DR. OVERHAGE: I think that is what we were asked to address.
DR. STEINDEL: We have got two different dimensions, circles representing two different dimensions here. Shouldn't this be quality, safety and efficiency? Aren't those the three circles we ought to have on here then?
DR. TANG: Let me try another one? This represents, so there is a domain of quality. There is a domain of research.
DR. OVERHAGE: But they are not. They don't get it. They are from different puzzles.
DR. TANG: I am reconstructing another diagram. So, there are three domains of use of data, okay? Now, I am going to put in those circles data that supplies those different kinds of uses, okay?
DR. OVERHAGE: What are the three circles?
DR. TANG: The three circles encompass data that is used for each of those three purposes.
DR. OVERHAGE: What three, the three what?
DR. TANG: Quality, research and public health.
DR. OVERHAGE: Those are not parallel things. Public health encompasses quality.
DR. VIGILANTE: It does but it does come back to what we were talking about yesterday, the issue of intentionality. You know people who work in the quality world use very similar statistical tools and methods as people who work in research and people who work in public health and so those things don't distinguish. Your methods per se don't necessarily distinguish between the three of them and the fact that they are generalizable or not generalizable, they all have generalizable results. They could have generalizable results. It really is the intent for which it is being used and quality is really about focusing on improving care and processes of care in particular and as you get into an organizational environment operation then I can see how one might carve that out. If you are talking about research in the context of things you are going to publish in the peer reviewed literature that have a broad range of research implications I can see carving that out as being somewhat distinct in intentionality and the same for public health if it is really about the public good in a protective kind of way.
So, the teleology of them kind of is what makes them different.
DR. COHN: Can I make one suggestion? I don't know if this helps anything. Can we go back to that earlier version that really tries to redo this and would people feel, I mean I agree with you that "O" includes quality at least by HIPAA definitions, at least much of what we think of quality and so I am wondering if actually TPO with quality is actually those sort of double circles together and since we want to focus on quality it is a piece of the TPO but that also we are hearing about these sorts of other uses on the edges also and this would sort of allow us to sort of try to maintain sanity with HIPAA as well as the quality thing.
MarK, does that help at all? I mean we are playing around with concepts now and not trying to create symmetry of circles but would that help a little bit?
DR. OVERHAGE: It helps some. That is what I was saying. I mean quality to me is a topic within and you could call it operations or process improvement or whatever you want and put theme in as a separate thing or whatever but it is part of operations. It is part of research or it is a topic that can be addressed by operations and by research.
DR. COHN: Okay, and I think what we saw yesterday and I will give it to Steve in just a second but I will comment you know you weren't here yesterday and one of the things we kept hearing over and over again was what we described at that sort of overlap between given that research has different rules than quality work that there was some ambiguity in an area of concern that we likely will want to address.
DR. OVERHAGE: I understand, but that --
DR. COHN: And that helps with that.
DR. OVERHAGE: Then research overlaps, okay, fine. Why pull out quality?
DR. COHN: Okay, why pull out quality? Because that is one of the areas of emphasis we were asked to talk about.
DR. OVERHAGE: Then we are only looking at that one dimension. I mean if the two-dimensional, or it is a three-dimensional thing that you are trying to squish it into a one-dimensional, you have got a whole topic in each of these areas. You have got quality and safety as a good contrast but where is safety in this? I mean it is not a focus area but I am just saying to me that is an analogous area to quality and so you have to be able to have a model that kind of --
DR. COHN: Okay, Steve and then Marc?
DR. STEINDEL: I like this discussion and, Marc, I totally agree with the point that you just made. Actually you weren't here yesterday when Les Leonard spoke and in one sense in a way we are talking about quality with respect to this group. We actually did say except for some very specific projects public health has no quality because we don't do clinical care quality necessarily in public health except for some very specific circumscribed usually in hospital safety but that is specific, but I like the way this is going.
Mark's concept is something we have discussed about before, is that there are multiple tiers and dimensions to other uses of data or secondary uses of data but we have been asked to focus on this one layer and so I think we have to cull it out.
The thing that I wanted to point out and this is just an aside comment that I think we need to make is we did hear yesterday from NCI and again a little bit today from the genetics person that there is a blurring starting to occur in the area of personalized medicine you know where treatment, research, quality are fusing together because you need that type of information to decide how you are going to use genetic information to treat that specific patient and we don't know enough. I don't think that that comment is worth changing this diagram and I think it is something to keep in mind when we write the letter.
DR. COHN: Okay, do we have the space for it just out of curiosity? I mean is it that overlap between research quality and --
DR. STEINDEL: If we actually take TPO out and we remove treatment from this because personalized medicine does involve treatment then it is actually out of this diagram. We said that it is not TPO. We are calling that inner circle I thought quality or I mean we can call it TPO.
DR. COHN: I think we were calling that part of it of which a subset is quality.
DR. STEINDEL: Then it is a subset, okay.
DR. COHN: I am sorry, Marc, we have been going back and forth.
MR. ROTHSTEIN: I would like to propose a simpler way of looking at this. I think all these inner overlapping circles are hopelessly confusing. I haven't heard anybody say that we should rethink the rules on disclosure of information. I mean that is what we are talking about with regard to public health.
So, I would just sort of take public health off and I don't think we need to be rethinking what research is. We can't redo the research rules. I would take research off. I think what we are talking about is quality and I think conceptually quality now is under operations and the problem that we have at least in my view that we heard is that operations is so broad that there are problems raised by it. So, my diagram would be sort of like a rectangle and there is a line in the middle and on the right side of the line are those operations where we, those quality measures where we think the current rule is okay.
So, in other words, you supply notice only and if a notice of privacy practices then you don't have to do anything else, and we can discuss what that would be and I would think like internal uses, reporting to the government, quality measures, maybe even for accreditation purposes, etc. The left side would be those quality uses which now are under operations and don't require anything other than some opaque mention in the notice and things that we are sort of troubled by, selling the data, using individually identifiable data, publishing data, using data for marketing purposes, sharing with other researchers and you can put on whatever you want but the left side is made up of things where it is in a broad sense quality but maybe we are uncomfortable having the old TPO non-involvement rules apply to it and I would however we define those terms, I would suggest that that left side might be appropriate for some heightened level of permission from the individual, however we want to work that out. Is that opt in? Is it opt out? Is it who knows what?
That may be a simpler way of looking at it. We have taken research off the table because if it is research it is on a separate page. If it is public health it is on a separate page. So, this is non-research, non-public health quality.
DR. COHN: I will make a comment but I will hold it because I see Paul and Bill. I think we can all live together but I will explain that.
Paul and then Bill?
DR. TANG: I am going to piggyback on what you said because I am on the simple side of the world and I think there are two things, too, because if the other way of looking at this diagram is you could color the majority of it as AOK, I wouldn't limit it to quality because public health research is quote, AOK and on the whatever side was the AOK side and Bill helped me remember you know the Willie Sutton, go where the, the bank robber and in this case it is more than just a pun. That is where in Kevin's word the outrage is. It is making a profit, a gain, a financial gain off of my data and we need to have clear-cut rules if that person is asking for it and I think there are such. I heard it in the Mayo discussion. I heard it in the NCHS. It is easy. It is also clear-cut what kind of rules we would like and once you have those in place I think people can start agreeing to letting their data flow in places where we would like it to get all the benefits on the right side. So, I would subscribe to that way of looking at the world.
DR. W. SCANLON: I respect precedent and it is sort of been recognized how hard sometimes it is to get to a point where we are but at the same time I guess I am worried that if we live too much with what we have got and accept it we are really giving up on the potential of electronic record and we are also potentially not recognizing the risks of the electronic health record.
I think everything needs to be somewhat on the table including TPO. There is a difference in the information that potentially is going to flow between provider and insurer in an electronic world than flows today where things are coded and there are very limited amounts of information and there is a question of is that all going to be okay sort of under the current sort of HIPAA rules.
The same thing with respect to sort of public health. You open up new possibilities in terms of what you could do in terms of health monitoring, health promotion, postmarket surveillance, etc., when you have got electronic health data flowing and the question is are those all going to be acceptable sort of under the current set of rules. I don't know and then I guess the last area is sort of this issue of research and quality to me is a part of research and whether or not you publish is not necessarily I don't think the critical thing. I think in fact in some ways publishing is a good thing because it gets the information into the public domain and everybody can use it and the actual research that I worry about is the kind that becomes proprietary sort of and ends of sort of being restricted, you know the access is restricted and somebody uses it for their own profit.
So, I don't want to blow up the world and say, "Let us start over again," but at the same time I would like to kind of keep an open mind in terms of are we making sure that we are including things that we wouldn't have envisioned today as being sort of possible but they are going to be there 5 years from now or 10 years from now and they are either going to be very beneficial or they are going to be very problematic and you know we potentially are not going to make these rules but the rules are going to potentially affect sort of whether they are there beneficially or whether they are there problematically.
MR. ROTHSTEIN: So, Bill are you basically saying that instead or in addition to the sort of the quality rectangle we need a public health rectangle, a research rectangle where we say, "Okay, the way things are but maybe on this side we need to re-examine the" --
DR. W. SCANLON: I am kind of but I am more where Marc is. I don't think we need to separate quality from research. Quality is a topic, and it can be sort of an issue that in some ways data that flows into the public health sector are going to have quality implications and so I think the issue is public health which maybe we will separate from research, I mean it makes sense to separate it from research but then we have got research and then we have got the operations. So, I would get back to three but those three not just two and also keep an open mind about what we need to do with all three.
DR. COHN: Kevin, did you want to make a comment and then I will jump in?
DR. VIGILANTE: So, if we draw a small circle in the middle and do some concentric circles and that is patient care, that is primary encounter where this data is originally generated then another concentric circle around that, into that space is where outside, in the second ring is where the permissions of HIPAA in particular around operations and quality is where that we accept that that can go. It can pass from the first circle into the second circle. However, this circle unfortunately is a semi-permeable membrane and it can go then to a third tier for other uses other than what the patient was made aware of in their notice of privacy that may include certain very sensitive things such as the sale of that information and I think that is a good place for us to focus our attention but as I was saying earlier you know there is this risk communication expert Peter Salmon from Princeton who would actually be a good guy to come talk to us and he talks about risk equaling hazard plus outrage. You can have certain things that are very high hazard but relatively low outrage like 50,000 deaths on the highway every year. You can have things that are relatively low hazard but very high outrage, maybe say one anthrax letter, I mean depending on how you want to interpret that.
So, it could be that one could imagine that even if your data was protected and de-identified in every way possible and the hazard was very low the fact that it is being sold and you are not being told is a high outrage phenomenon. You could see it on the cover of the New York Times front page and I think as we consider this that is something, those are things we need to balance and I think it is that leaky membrane that permits the sale of that data into that other circle that has the high outrage potential that I think is at the crux of what we have to grapple with.
DR. DEERING: Don't draw any circles here whatsoever. It is more like something I would like to put down as sort of one of many checklists for whether or not we have been successful and in my mind language about setting some stuff aside because it is AOK it seems to me what we have heard is that is an increasingly shrinking world and the checklist that I would only suggest is that speaking of outrage we did have a lot of testimony about things not working. Some of that not working was simply because it is misconstrued or misapplied at the institutional level but there were implications in some of the testimony and we have known that there are things that don't work well. So, I would hate for us to conclude our work setting aside HIPAA and the common rule as AOK not needing any work whatsoever and let us only focus on other areas.
So, I would just hate to take that off the table.
DR. COHN: Sure, and I will come back to it but I want to let Harry talk and then I am going to try to sort of maybe move us down a little.
MR. REYNOLDS: Kevin, let me engage you on your comment. So, the leaky membrane, I am not smart enough to know the other word you called it. So, the leaky membrane, we heard discussion today. There was one term that came out today, secret databases, in other words there are things that have permission under HIPAA but as we have had some discussion about it business associated agreements as they start being chained our further and further you know start to erode because of the fact that they are further from the covered entity. They are further from what HIPAA really is s you get the covered entity and then you get a business associate, then the business associate uses a vendor and then you are going on down the line.
So, what other than the obvious and I like the chart, other than the obvious how do you explain how big that leak is and how do you start talking about that so that your picture, I can specifically put things in every category and go, yeah, yeah, yeah, yeah, but the other thing is and we continue to hear, we talk about wanting to just use HIPAA but the understanding of HIPAA and the understanding and the operations were still not clearly defined and I deal with every day, too; so, how do we define what is --
DR, VIGILANTE: At a simplistic level right? I mean I think that the way to reduce the outrage and I don't know if this is the right solution because there are some down sides to this solution is to make at the point of care when the information is being collected for the very first time which may be destined for parts unknown to let the individual know that that information may be destined for parts unknown outside quality and operational purposes.
Now, of course how you do that matters very, very much because if you say to the person at the point of care when maybe it is part of the HIPAA notice of privacy it is going to be used for you know may be used for this operational purpose and payment should -- if you say, "And it may be sold," I can pretty much guarantee you that a very significant number of people are going to say, "No way," and the question is have you basically for maybe what may be a fairly low hazard but to protect you against high outrage, have you caused your whole ability to use secondary data to implode, not just for commercial purposes but for other purposes?
So, I think that is the place where you create the transparency that reduces subsequent outrage. The question is how do you do it in a way that is not regulatory heavy handed.
DR. COHN: Justine has a comment.
DR. CARR: Before we began this and as I was thinking about this today I think it is helpful to sort of state first principles namely what is the good we are trying to achieve; what is the harm we are trying to prevent and what are the elements that are critical to success. So, in terms of what is the good we are trying to achieve improving care and the common good are two of the things I heard. What is the harm we are trying to prevent? There I had privacy violations and also harm from privacy violation and also we heard about misinformation and misuse or unsophisticated aggregation and then what are critical to success, trust, accountability, transparency and we also heard the need for uniformity and alignment of rules, definitions and laws, also, uniform privacy protection, protection following data and then potentially consent management technologies.
So, it doesn't exactly fit into this but I think we need to hold onto where we are going and defining what we are trying to address and I think that Kevin's issue about hazard and outrage really rings very true to me because that is what we are trying to balance but I think we have got to keep our eye on where we are going because there are so many, there will be trade-offs and I think we have to sort of stay on top of what are we trying to do and what are we trying to prevent. That is all.
DR. COHN: Steve, you had a comment and --
DR. STEINDEL: Now, I have two comments and this has to do somewhat with Kevin's and Justine's just now. I don't think that the criteria should be how will this look on the front page of the New York Times when Rupert Murdoch just bought the Wall Street Journal. Newspapers will publish anything. They will blur it in many ways and so I think we need to look at what is the right thing not necessarily what is the hazard of doing the wrong thing and then, Kevin I have a question I have a question for you that is very specific on your semi-permeable membrane. Where does BHI fall in the semi-permeable membrane in disclosures?
DR, VIGILANTE: So, using the example of the front page of the New York Times that is just a graphic way of showing the things that bother people and it only goes on the front page of the New York Times because it triggers something of outrage in people.
It is not the fact that it is in the New York Times. It is an index to say that this is something of great sensitivity to people to have their information sold and not be told about it or not even be aware that it might be going on. That is the point I was making. Whether it actually appears on the front page or not is actually irrelevant. It is just an index or a barometer of people's feelings.
What was the second one?
DR. STEINDEL: The Blue Cross Blue Shield data warehouse that is being put together, where does that fall in your semi-permeable membrane and what type of disclosure should be in that area and from where?
DR. VIGILANTE: I didn't sit through the whole presentation but what I am saying is that if you can collect personal health information, stuff that you collect under a rubric of patient care and then say you can deidentify and use at will for operations and quality is a part of that we have all accepted that or HIPAA does at least that that is a legitimate use. All I am saying is that once it has been aggregated there is no guidance on any limitation of further use of that data, tertiary, quaternary you know any use of the data and that is the point and I think that that is one problem in terms of people not being aware of that.
The second problem is that if one of those uses is the selling of it I think that that is one problem in terms of people not being aware of that. The second problem is that if one of those uses is the selling of it I think that is of concern. Now, I don't want to sound like I am anti-market person. Actually I believe very powerfully in the power of the market to actually do a lot of the things that need to be done in quality management and I think we need to be very careful not to put an impediment in the way of future business models yet to be imagined that could actually help us measure quality or improve care.
So, I don't want to be perceived as being sort of Draconian that way. I am just trying to identify where I think our area of focus of should be.
DR. OVERHAGE: You are talking about things I think of as an example and correct me if I am wrong but I am almost certain that every one of the participants in that have signed an authorization. When you get your insurance you have signed an authorization I can almost guarantee you that says that they can do whatever they damn well please.
DR. STEINDEL: That is not true.
MR. ROTHSTEIN: The only people who have to make a good faith effort to get a written acknowledgement of receipt of notice of privacy practices are those with a direct treatment relationship and other covered entities including health plans only are required by the privacy rule to send you a notice. So, they wouldn't have received authorization from individuals necessarily.
PARTICIPANT: I guess I was trying to ask the question is it about authorizations and notification or is it about understanding and awareness and expectations which I think are different.
DR. STEINDEL: My issue is getting to what you just said, Marc in your last statement. I am actually less concerned about the level of identification of data because I think we have heard repeatedly with today's system you can probably identify especially if it is episodic care even if they have done everything they possibly can to deidentify all personal information there is a chance you can figure out who it was if you wanted to.
So, what I am more concerned about is the transparency issue and the consent issue and that the people are aware that you are doing this stuff with the data and we have heard repeatedly that people don't have a fundamental problem with good things being done with their data. You know it is like you have to have increase the trust in the transparency level and I think that is where a lot of our focus should be.
MR. REYNOLDS: I think we have to be careful thinking about it too linearly. Kevin, I fully agree with you on the statement at the time of patient care what you would or wouldn't do. I don't know what might have happened as you mentioned with the -- and then we all talk about HIPAA. We talked a little bit about databases today and we have talked about what providers have and others. You know HIPAA even mentions that clearinghouses are covered entities and there are no patients going through clearinghouses. Yes, the data is there. They are covered entities. You can draw the same circle. Nobody has got any consent from me that my data is going through a clearinghouse but they are covered entities and I think it is just, I am just saying this to remind us that education also as we draw all these circles and we do all these things besides the linear understanding of people as they go through the process, they go to the doctor and then it is going to go to a payer and it is going to go somewhere else, this whole idea of raising the educational level as we move forward especially if you look at the next 2 years and what the Internet has done as far as education I think we really have to keep that in mind because as we talk about these whatever picture we draw is going to have another dimension. So, we have got to make sure we keep all this in mind because if you talk operations you think certain things in HIPAA but there are a lot of other players in this that don't fit a nice linear progression.
DR. COHN: Mary Jo and Marc, and then I think I am going to try to put things together at least for a moment.
DR. DEERING: I thought Harry was going somewhere else when he said that we shouldn't be too linear and I wanted to get back to something that Bill said which is that linear mind set is very much today's mind set and to the extent that our recommendations are targeting however modest they are and ambitious we may be, changes that will take years to affect and we all know that. These things are, by the time they are really operational the world will be different than in this moment at which we have written them and I think if we don't do a best case effort to imagine what that world will look like as we make our recommendations and I know we don't have a crystal ball but this is a particularly acute period of time for us to be mired, not so mired but totally within our August 2001 perspective and related to that in this network environment I think when you say that it all starts at the point of care I think the definition of where these data origins are is something that will be different 5 years from now and I think to just assume as it always does it begins with a disease or an illness or a walk through and a doctor is there or some certified medical provider is there and that is the moment of creation, that is the divine start for personal health information is when the doctor just like bringing you into the world has created your piece of health information. I don't think that that is an appropriate sole model to bound our considerations and in that respect again my hobbyhorse as you know but I think we should given the interest in personal health records if we do something that does not mention personal health records except to say, "Oh, gee, we had better keep studying them," then there, too I think we will have been remiss.
So, I think whatever our model of study is it has to account for issues, concerns that may be generated by pieces of data that did not originate, are captured by or owned by the providers within HIPAA.
DR. COHN: Mary Jo, I just want to thank you for a moment for just reminding us this is actually about the patients and maybe we should be considering about the citizenry and not just about the provider.
So, thank you for that comment.
Bill Scanlon, Mark Rothstein and then Paul Tang and then I will try to put things together to move us to the next stage of the conversation.
DR. W. SCANLON: I was going to react to Kevin. I think that you in some ways portrayed something that is not a feasible model which is if you tell people that your data can be used for anything at some point in the future and as you said you may have a lot of people sort of opting out, that is not a viable model in terms of what we want to accomplish here and therefore it has got to be off the table and that kind of blanket sort of permission or notification has got to be eliminated.
Then I think one of our challenges is okay if a blanket notice is not going to work how do we define the list of entities and the list of uses that people should be aware of as potential sort of applications of their data and sort of anything other than those people are going to have to come back to the patient and say, "I want to use your data for this purpose, yes or no?" I am glad some other people think the same thing, Marc, that your HIPAA sort of when you sign these things there is not a whole lot of choice, that if we don't sort of give patients sort of either trusted options or realistic options we are going to lose in terms of skewing samples and we are going to much worse off than we could have been if we had done this sort of thoughtfully in terms of identifying how it is you should be dealing with the patients to really give them enough trust that even when they don't have a choice they don't feel bad about sort of not having a choice.
MR. ROTHSTEIN: I am relatively comfortable that the merits of what we come up with will be more or less acceptable to this group whether it is Kevin's model or my model or anybody else's model. What I think is probably more important though is for us to figure out a political strategy that is going to develop a letter and a set of recommendations that has a reasonable chance of being implemented by somebody at some foreseeable time and you know it is tempting to be utopian and I could think of ways I would like to rewrite all sorts of things, you know the common rule, the public health system and so forth and I am no fan of the privacy rule but I think what we need to keep in mind is who asked us to do this; what t hey asked us to do and in what context and it seems to me what we are being asked to think about is the changes that we envision in the use of or the quote secondary use of information that is going to be caused by new health information exchange. I mean ONC has asked us to look at this and that means that we have to talk about sort of where we are in terms of the status quo and how the current privacy rule applies or doesn't work well and what are the future uses and how are we going to reasonably recommend that those be regulated if not under the current regime under some foreseeably adoptable regime and I am not giving you the answer because I don't know what the answer is to that but I think that is the fundamental question so that whatever it is that we come up with is going to be valuable not just to ONC and to the current Secretary but to the next Secretary and maybe to the next Congress without being so out of touch with reality that it is sort of DOA, and so I think we need to spend as much time working that out as we do you know whose diagram we are working with.
DR. COHN: Paul, last comment and then I will try to put this together, and, Marc, thank you.
DR. TANG: I will ask a question first. Is this an appropriate time to put back on the table what I was proposing at the panel?
DR. COHN: What were you proposing to do?
DR. TANG: Either we have to come up with this pristine criteria of what you can and can't do or you figure out how to make available in an acceptable way what you are doing with your -- your notice of what you are doing and your record of what is being done with your data and people have the ability to examine that and make their decision in terms of whether they opt in or opt out of NHIN.
DR. COHN: I think we need to acknowledge the piece. I am struck that I think we need to go through a little more conversation before we start coming up with solution statements which I think --
DR. TANG: It is a solution but it is asking whether this is the approach versus the criteria. It is sort of like the transparency approach or the criteria approach.
DR. COHN: Let us hold your thought without coming to an answer on that one because I am not exactly sure what to do if we said, "Yes," or "No," because I think the answer is it may have very appropriate value depending on what it is we come up with.
Give me a second to understand it a little better because I am not sure exactly what it is that we should capture there in terms of what you are thinking. You can state it and we can draw it up here or do whatever.
I guess you can come back and tell me that you had the right answer after we have spent a couple more hours talking which is certainly, you know, we actually have a bunch of pretty smart people around the table which would be very useful on all of this and the fact is that we don't all see this in the right way, in the same way.
(Laughter.)
DR. COHN: Let me just sort of go through the process that I think may be helpful at this point and I think this is something that Margaret has come up with. I mean I think we are, also, talking about the same sort of thing and how to put it together and I think this is a very useful conversation. I sort of remind everybody that the framework that we have talked about and what we wanted to do here was yes, we want to emphasize quality but quality isn't the only piece that we want to talk about here. We really want to somehow try to talk about the overall issue of uses of data, however, we describe it, the secondary uses of data and I think it bears looking that yes, and the original drawing we can go back to was only trying to describe at least I think it can better describe as if there are sort of these sorts of things that have happened since HIPAA, the NHIN as Marc has described or whatever that we need to take a particular focus on but that doesn't in any way say that we shouldn't sort of take a look at care delivery. We should take a look at quality, research, public health because there probably are issues in both the current environment and where we would like to see them go that bear comment, consideration and discussion knowing that of course we will I think emphasize at the end the quality domain because we were really asked to take a hard look at that area and I think I would actually turn to Margaret at this point because what she is trying to do and I think as her pages, was it 3 to 7 is you know some of you and I think Marc Rothstein was somewhat eloquent on this one saying, "Gee, we should be aware of where we are on the current environment." I think we have heard enough to get to know about the areas that we are sort of uncomfortable about that aren't just limited to quality but there are pieces in a number of these things and even for care delivery I think we probably all agree if we are happy with the way it is right now that education is probably an area we would want to emphasize anyway.
So, I think it merits to sort of look at the various dimensions and what we have thought about recognizing that it allows us at least to begin to think about what recommendations should look like and I think, Paul, that is where you were beginning to go in terms of how we frame solutions to the problem, I think. Maybe I am wrong.
DR. TANG: In terms of what to concentrate on the vast majority of secondary uses that people, the consumers and patients are comfortable with and the methods of guarding, protecting their confidentiality seems robust and rather than characterizing all of that it seems like we really need to figure out what is on the right side and that is fundamental. So, there is a dichotomy of approaches there and how do we spend our time and who do we hear from in order to characterize the three bubbles that characterize the right side. That is my main contribution.
DR. COHN: Margaret, do these help us with the conversation?
MS. AMATAYAKUL: Yes, this has been very helpful altogether.
(Laughter.)
DR. COHN: Mark, did you have a comment?
MR. ROTHSTEIN: I just want to slightly take issue with something you said, Simon and that is that we are concerned here with all of the secondary uses and of course we don't know how to define that yet but if you think about the privacy rule and all the ways in which health information is disclosed, personal health information is disclosed without authorization which includes for law enforcement purposes, for drug and device adverse event reporting for judicial processes, I mean the list is quite extensive and we didn't have any testimony. I don't think we are really going to consider that. So, I think that we are dealing with a subset of however defined secondary information is and mostly but perhaps not exclusively in the sort of the operations quality.
DR. COHN: Thank you, a very good point.
So, Margaret I guess do you want to talk about these pieces here that we had thought to sort of at least begin to discuss with everyone and be able to get input?
MS. AMATAYAKUL: So, what I have done here is taken those five domains, care delivery, quality management, public health, research and other uses and if you don't like those domains we can take those off. I think what we are trying to do here for the most part is try to separate it out so we can take little pieces and look at it and try to focus on some sort of model of trust if you will and there aren't a lot of trust models out there that are good examples.
I have got a couple at the back of this big packet that we circulated. Kevin sent me another one but what I tried to do here was say, "Okay, in whatever domain it is that we are talking about, whatever domain we may end up talking about what are the trends in trust and risks in uses of information?" and I think that could be done in a variety of ways but I particularly like the Belmont report and the ethical thing that we saw as long as we don't use the big words, malfeasance and things that are difficult to pronounce. We can come up with easier terms but if we could kind of describe that so that would be described on the left there and this is really just a framework to get us started to think about it. It may serve as an appendix as sort of a chart for people to refer back to or else just not at all a picture but ultimately bubble up to the language of the report.
Then taking the AHIMA, FIER(?) Demarkel(?) privacy principles, the CaBIG tool and some of the others what are the dimensions of things that we have to consider? What are the laws and regulations, the standards, accountability, enforcement, oversight, data storage, etc., and I played around with these a lot and certainly they are open to whatever. If you like the notion of dimensions of consideration we can play more with those and then say what is the current environment and then what possible interventions for improvement might there be in that domain for that thing.
So, for example, in care delivery we have TPO which may include quality but we are also going to take quality out just for the purpose of the focus of the report. Today we have information practices, HIPAA and state consent laws and we are not talking about IRB here because research is a separate domain. That is just by virtue of the format.
The standards we have we have in addition to the laws and regulations of HIPAA. We have got some new CMS security guidance that came out in December. We have VA guidelines and I am sure there are other things that we could identify.
Today we have sanctions that have been identified in HIPAA that are sanctions that you can apply within your covered entities as part of both the privacy and security rule and then we have HIPAA civil and criminal penalties. Oversight data stewardship we have provided a purpose collection and use limitation which I really like from the Markell privacy principles and we saw frequently minimum necessary but never really brought out a lot and, Paul you asked a question today about this and we see it a little bit but we don't see it a lot. Even though everybody assumes they know what it means, I am not sure they really do always know what it means and so we could go down.
Some possible interventions and I have tried to come up with and have more on a handwritten list from today. So, for standards maybe we need a standard authorization and these are all things I heard. I just put down what I heard. I didn't filter like this is something I thought was a bad idea or a good idea. I just put down what I heard. Self-policing, there was an article in the paper a week or so ago about ALINA(?) having over the last 2 years hundreds of privacy violations and since January of this year they have instituted a zero tolerance policy and their number of internal HIPAA violations has significantly decreased.
We heard OCR and CMS enforcement might be something that needs to be stepped up. HIPAA minimum necessary might require OCR guidance. Transparency, we have the notice of privacy practices. Maybe we need some plain language notice or maybe we need something else in terms of education.
HIPAA individual empowerment permission, again just for the care delivery piece today we have rights access. We have right to request restrictions. We have authorization for release of information in certain areas.
Certain state laws also have their own consent. Some things we heard might be personal health records, health record banking and state law harmonization.
So, I mean we could pick on any one of these items. Here I guess what would be helpful for me is if this structure makes sense and then we can fill in the boxes.
DR. STEINDEL: My first comment is I don't see this as trends in trust and risk. I don't see where this touches on building trust or anything like this. As a matter of fact I can see most of this as probably impeding the building of trust because we are just saying, "Let us perpetuate some of the HIPAA processes in these cases." We know that people don't trust that.
So, I would like to find another title for the first column but then let us get to the actual dimensions, current environment, possible interventions and which I think is the main purpose of this not necessarily the word smithing on the column and you know it was pointed out by Les Lenert in his talk on public health we don't have simple things to put in these boxes. It depends on what you are talking about. Actually patient are is one of the easiest things to fill in these boxes but once we step out of patient care and go into quality, go into research, go into public health it really depends on what aspect of quality you are talking about, what aspect of public health and then even in a broad aspect of public health what specific process are you talking about, and so I don't see simple ways of categorizing in these boxes.
MS. AMATAYAKUL: Let me just comment on the first piece. When we started looking at trends in trust we were trying to find some way to describe do we get the sense that there is a lot of trust in this area, not so much trust? Do we feel like the trust is degrading, will degrade more rapidly over time, those kinds of things? That is kind of where that came from.
I don't know whether that is important to try to articulate or not but we heard a lot about trust and so I was trying to get across as you were suggesting there is a lot under each of these and there are different levels of trust in each of those areas.
DR. STEINDEL: And I think a chart like that would be useful but I don't know if it is really the way this chart is laid out.
MS. AMATAYAKUL: I think it would be useful but I am not sure we could ever get agreement or that we would get a sense of being accurate about it.
DR. STEINDEL: I also agree with that statement.
DR. COHN: Mark?
DR. OVERHAGE: I guess I am not sure what we are trying to do with this chart if this is to identify where our questions are. I guess I am still struggling and I actually like the leakage model the best from all the things we have talked about so far just because I am still not 100 percent clear on the through all our testimony, discussion and reading and all the smart people in the room, I don't know what we think the problem is. I don't think we have a crystal clear statement of what the problem is. What do we think the problem? Can somebody say in a few sentences what -
DR. TANG: Yes, I think that that leakage of the semi-permeable membrane is the problem. Okay, that is the problem. We will ignore the parts that are not the problem which is my issue and go after that membrane and figure out how to create the rules that control the case of the membrane, make it accessible to consumers at the time they want to sign up for this, that or the other and then record everybody who goes through the door passing the criteria and we will adjust the criteria but --
DR. OVERHAGE: That helps me because I am not sure what we do with this in the context of that and I like that approach.
DR. COHN: Harry?
MR. REYNOLDS: I am probably not one of the smarter ones in the room but I am pretty good at process. Steve just did exactly why we have worked hard on this chart because if you can't fill anything in on public health then what do you say? What do we say, just, "Have a nice day"? Remember we are talking about trust and we are talking about the other stuff. So, have a nice day because people in this room may really understand it but we are writing a letter to the Secretary about what is going to happen. I would say right now and we have spent a whole lot of time on this is we are probably going to end up, Paul right where you want to be, exactly where you want to be which is what is outside of there but as we go through these and say, "Covered, covered, fine," it also shows a due diligence. If you are producing a document, if you are producing a report it shows due diligence that we know they are okay and that there are already things out there that make them okay. It doesn't matter whether you fill in every box. It doesn't matter whether every one of them has got the right answer. If we just take the one says public health and say, "Public health, have a nice day," but the point is at least if we don't have a chart up here that decides what we think about it then when this goes to everybody it is going to go out to I think Paul that we are going to be at the point where you are. I mean there is no question. What is outside of this, but until we give somebody the journey as to why operation is just fine; why is public health fine and it could be one sentence, it could be 20 sentences but if we don't show the journey and we don't show that we thought about it then we just dove over here and we said, "Trust us. Trust everybody on these other things," and that is all I am saying because right now nobody really gets HIPAA and some of these other things nearly as completely as they need to.
So, our knowledge in this room is robust on the subject. The knowledge of most people that will read and deal with these subjects may not be quite as robust.
So, it is not to belabor, it is not to drag you through something you already know but it is to think about a process. So, I am not going to defend it anymore. I am saying why we put it up there to help the discussion.
DR. COHN: I think I had Deborah next and then Steve.
Come up to a microphone and introduce yourself, please?
MS. PEEL: Thank you, Deborah Peel. Thank you for letting me make a public comment. Since you are thinking about the future I just want to share with you I think we can expect the public to get more and more aware of where the information goes and more and more sophisticated about it and you know, frankly, the Markell principles don't even include the right to health privacy. That is why I put our coalition's principles in here for you to think about.
If we are thinking about privacy certainly one of the most important principles is the right to control access to your information. That is pretty important and the other comment I would like to make is minimum necessary is talked about a lot here in terms of giving protections. I have talked to lots of lawyers about it but on the ground you have got to understand how minimum necessary works.
The insurance company who is going to pay the doctor for the visit says, "I want this information," and so you have the 800-pound gorilla asking for the information and if the doctors push back too much they either don't get paid; they get dropped from the plan or they can have their payments received retroactively denied.
So, minimum necessary is not workable on the grounds even if a doctor was going to take every request for information, look through the chart, figure out what is the minimum necessary to answer the question, and that would require hiring more staff and physicians' offices aren't going to do this.
So, I just want to point out that minimum necessary sounds great legally. How workable it is in an actual physician's office, forget it. I mean we used to have actually since I am so old at practicing when we had indemnity insurance we actually did give out a minimum set of criteria for claims and I can still state them. You probably can too, Simon, date of service, place of service, type of service, cost and diagnosis. There was a minimum data set that used to be all that was required but now when insurers ask for more information most physicians and most patients are over a barrel. So, that is not helpful. I just wanted to point that out, but our impression is consumers are going to get more and more sophisticated about this and that is why we added to our principles between last year and this year.
There was so much information about data abuse, secondary uses of data. We are probably starting this year in connection with other consumer organizations a campaign for prescription privacy because we think every American is going to get that. They go to a drugstore at least once a year and they are appalled when they find out that that information was data mined and sold without their knowledge and consent and that will be an intro we think to help the public begin to get educated about the gazillions of secret databases there are.
So, I just want to say I think that rather than thinking that privacy can be worked out without going back really to the foundation of ethics which is the Hippocratic oath and consent we have just got to, you know, I think you are going to hear from and want more and more from consumers and they are going to want more and more control, but the good news is if they are going to give you the access you would make a good case. That is what we believe.
Thank you.
DR. COHN: Steve?
DR. STEINDEL: Harry, I don't think we can provide any information beyond the first page because we don't have any definition for what quality is, what public health is and what research is and we have heard that through this testimony. We haven't heard a clear statement on what quality is.
We have heard a lot of very loose statements that cover a vast range of items. Research, we have heard the very vague definition given in the laws but operationalize that and it is going to be very difficult because it covers a wealth of different projects. We stated public health covers a wealth of different projects and how it fits into this depends on the project.
So, my feeling is if you were looking at this t say, "Did we do our due diligence or not?" I think we heard a lot about the difficulty in filling in these specific boxes outside of care delivery.
MR. REYNOLDS: But the other thing that we have also considered is don't take the chart literally. If quality needs to be broken into four pieces, better categories or whatever we decide we think we have heard, if research is two different kinds, if this and that, again, it is, so you are right. I am not saying we fill them in but it was a structure to think about. It is not right or wrong. It is a structure to think about and pieces can be broken so we go to research. Some research if it thoroughly funded, you may take research and you may fairly fund it and then you may have something else. I don't know but it is a way to talk it through. If it goes away that is fine, but it is a way to think about it.
DR. COHN: Justine, Mark and then Mary Jo.
DR. CARR: Just too follow up on what has been said I think that what we have learned is that we don't have uniform definitions. It seems that every single presenter has come with a different definition and II think that is why we can't fill this in because it is not clear. So, I think that is a finding and that is a need because it is very hard to implement a process when you don't even know what you are talking about.
DR. COHN: That may be a little overstating it.
DR. CARR: I am sorry, but --
DR, VIGILANTE: I think most of us have a pretty good idea of what we mean by quality in research and public health.
DR. CARR: I withdraw that statement.
DR. DEERING: I actually was going to say that my understanding was that we understood our charge to include the issue of definitions. We hadn't yet decided how we were going to execute that charge but we recognized it as a charge.
So, I guess one of the things I am thinking from a process point of view is whether a document that began and I know you have our taxonomy there but rather than just a taxonomy some attempts at capturing and maybe you do have them there, the various definitions whether as a tool to moving us forward, not perhaps to solve our overall assignment but whether it is just one part of moving us forward that would be useful and I would also point out that if you recall when you open a dictionary to a word there is not one definition. There are multiple definitions with their provenances that are given right there and that might be a perfectly useful model for us but I just wanted to keep the definition alive around the table.
DR. CARR: Just to respond to that, I agree. We thought this was going to be about defining identified and de-identified and I think what we found is that there is blurring of margins of when quality becomes research or which rules apply to which groups.
DR. DEERING: Just to jump in I mean for example even in the area of selling data words matter because we do all acknowledge that data analysis, data interpretation costs money so that there may even be a blurring if we use the words "selling data" as opposed to a business case for it. So, again, I think words do matter.
DR. COHN: Without necessarily defining the corpus I think that we really saw that one of our jobs is to try to reduce the blurring between quality and research and so without having to define each we can sort of identify in that border area not that we will ever get rid of things completely but if we can make sort of much smaller space that will have been probably a good thing and I would suggest that probably is one of the pieces of work that we have. So, I just would sort of put that on the table.
Now, Mark is next. I saw Paul's hand up and then Steve.
DR. OVERHAGE: First I think Harry's argument for going through a systematic approach is a compelling one. That brings us back to the circle and the diagram because if we are going to use it in that kind of framework then I think it becomes critical to lay out what are the buckets that we are going to do that in and then this discussion about definitions made me even more strongly think that for example when you say, you know, definitions of quality and research or quality and operations, I think we may be asking the wrong question because you can do quality in any of those domains and so it gets back that I think we are trying to convolute things and if we sort of said, "Okay, we will look at quality, safety and access and things," those don't overlap or if we are going to look at research and operations and I don't know commercial uses, I don't know, you know, those don't overlap. So, I think in Harry's mode one of the things we need to do is be able to answer have we covered the ground. I think we have to have either a linear one this way or this way or whatever but I don't know what the right one is but we need to have a puzzle or a set of pieces that when you put them together it is the whole thing and not subsets of it. Otherwise it is going to be hard to tell the story.
DR. COHN: We can show that first slide again if you like.
Margaret, did you have a question?
MS. AMATAYAKUL: Marc, could you just kind of talk a little bit more about that because I think that is what we are trying to do is to get the pieces and you know it seems like we always start off with pictures and we never end up using them. So, that is not a problem, but if we could hear you a little bit more about what do you mean by buckets and is it only two buckets; is it five buckets; is it 10 buckets or hundreds of buckets.
DR. OVERHAGE: First of all I don't think it is two, and I don't think it is 100 buckets because just to tell the story you want five, seven, eight buckets or whatever.
Now, the question is along what dimension of the problem, do we want to create those buckets. So, my instinct although clearly there were a lot of people around the room who didn't share this instinct would be to say, "Take the activities that people understand and know about and try to then make sure we have covered it," and what I mean by that is for example okay, let us talk about research. Let us talk about treatment. Let us talk about health care operations just because those are, while I agree those aren't crisply defined, let us define them however we want but make sure we get a list of those that cover the ground. I don't think quality is one of those. I think quality is a topic or we could choose to do it in a different dimension. We could have buckets that are quality and efficient access and safety or whatever.
DR, VIGILANTE: Topic as opposed to what? They are all topic in a sense. In what sense are they different?
DR. OVERHAGE: I am sorry, thank you. I am just saying that if we are going to look, if we are going to try to cover the world and make sure that we have thought about all the aspects of it we need some categories to present our analysis and I am just suggesting that there is more than one of those, more than one collection of buckets or categories that could work and I am not sure why but I don't have a strong feeling about what the right one is, but I think they have got to be parallel in their structure and either they are about uses of data and I think that is a reasonable way to bucket them, right, like research or quality or you know I mean --
DR, VIGILANTE: I see quality, but with quality I think about when quality measures are being used for physician reimbursement and hospital reimbursement to me that is a very specific use of secondary data that is different than the usual sort of research.
There is services research which is quality research but this whole emerging domain of both improving your own hospital operations but then reporting on that publicly is I think a category worth --
DR. OVERHAGE: I am fine with that. That may be a good bucket or category. So, maybe and let me just play it out a little bit more. So, there is research. There is the internal operations. There is whatever and I don't know what you would call that bucket but it is data sharing public accountability or something like that. I mean I don't know what the name for that bucket is but you could make a bucket and that is a good point. It is an example that is a little bit different than I think people contemplated with operations and we did hear in the testimony about another one of the areas and maybe this falls into that, sort of the interorganizational data which gets into a lot of stickiness and maybe that is another bucket for uses.
DR. COHN: Marc, help me with this one because I think we are actually getting, it is a very interesting conceptualization. We have obviously talked about innies and outies. We have talked about and typically I don't talk about quality only because the term drives me nuts generally but I usually talk about, well, no, because I don't know what it means which is I think your issue but I talk about quality measurement, quality reporting, quality improvement, but I think you are making the distinction of well, geez, are we talking about somehow a piece of that for the outies as Paul might comment; is that sort of what you are, the two of you are beginning to come to?
DR. OVERHAGE: I am not sure I understood your --
DR. COHN: I think there is internal quality measurement, quality improvement.
DR. OVERHAGE: Oh, I see what you are saying.
DR. COHN: Whatever, and that sort of has fallen in typically within what we have contemplated as TPO historically.
DR. OVERHAGE: Let us forget TPO.
DR. COHN: But that is the operations quality.
DR. OVERHAGE: If you are saying that yes, I think we were talking a little bit about it. I mean there is operations inside your doors and there is, I don't know what the right word is, operations outside your doors.
DR. CARR: Quality going out your doors, also, actually part of payment if you think about it for pay for performance.
DR. COHN: So that is sort of what we are, however we describe it that is sort of the area we want to focus on.
Paul, did you want to comment on this one? I know Steve had a comment, but, Paul go ahead.
I am assuming you want to talk about this one.
DR. STEINDEL: No, my comment should dovetail to what Paul is going to say because it is going to be very, very short because as I have been listening more and more I think Paul's basic comment about thinking about this as innies and outies is the way we need to think about it and I think it was phrased very nicely in the discussion you and Marc just had about internal operations versus when you start looking at things that are going external to your internal operations and we look at things differently and that is basically the way I interpret your innie-outie type comment.
DR. TANG: I can't resist an opportunity to weigh in on Harry's intelligence.
(Laughter.)
DR. TANG: But I will second the vote that he is on to something. So, there is no way that I don't think any of us are objecting to the systematic build up of the report and I think one of the things we have sort of what I have been saying is we have heard a lot of good evidence that says that for research and public health they do it really well and it is well defined and the methods are even there and it is testable and so really it is this semi-permeable membrane and when I run into a word that just hangs us up which I think quality has and I actually think well, I think it has hung us up because TPO, everybody understands treatment and everybody understands payment. So, you have got to go after the "O," and if it was TPF you know treatment payment and friendship we would be after the "F," and the reason is because if we call it that word, "quality," it is a free ticket. If you cal it friendship, it is a free ticket, and so we have to find some other way and that is where we got the innie/outie is to make it clear and you can't escape it because they couldn't come in and say, "Well, what I wanted to settle for was treatment," because it doesn't work. So, you come in for any blurry word you can get as long as it sounds nice and that is sort of I think how we got hung up because I think we almost have to ditch the vernacular which I think we just got hung up in this discussion.
I guess I am supporting your idea of being systematic and building up the case, but I also am sort of, we have still got to go where it is fuzzy and go pin it down and relabel it if we have to and particularly if that relabel is very descriptive and well understood that we will make a step forward.
DR. COHN: We are getting closer.
Steve?
DR. STEINDEL: Speaking as a chemist now, I will put on my chemist background and the semi-permeable membrane of before, the innie/outie works very well in that purpose because if you have the certain characteristics of the chemicals or the right osmotic pressure everything stays inside and if its characteristics are such that it can leak through the membrane then we have other types of things that we need to consider about it.
So, I think it is a very good conceptualization and ties in well with Kevin's idea about the semi-permeable membranes.
DR. COHN: So, let me go back and I am not sure if we want to go back to the original graphic or whether we want to go back to your areas but what I am hearing is that maybe the lumps, let us just talk about the lumps that we somehow want to deal with this one, it appears to be a lump that is called treatment, payment, and basically what we described as sort of internal operations that relate to quality and all those other things that we can't define very well.
There is a piece called the sort of external quality and performance reporting measurement and I don't know whether improvement falls in, I mean there are some pieces of improvement that seem to be out there but maybe not but they are sort of uncontemplated. What?
PARTICIPANT: There is the feedback.
DR. COHN: Yes, exactly and maybe it does wind up but maybe it really is that I don't know I guess that external uses of data. Now, we obviously have research but I think I would also suggest that we have this somehow need as we talk about research that, and I am just reflecting the areas that I found that made me concerned as we listened, and one is non-federally-funded research which may be an area that is permeable and I don't know whether it is or not but it feels sort of permeable to me, and there is also this issue of trying to figure out what is quality and what is research because there seems to be some permeability around that.
DR. STEINDEL: We need to talk about.
DR. COHN: We need to talk about it, okay. Then somehow we need to at least for issues of completeness we obviously need to --
DR. STEINDEL: We need to talk about public health, too.
DR. COHN: Okay.
DR. STEINDEL: And the innie/outie model is out there and what we may say about it is that we heard at this point in time the way pubic health is handling the data that there is a good trust model but as Les pointed out in his talk we are thinking about doing two things and going at some of these new sources of data which may change the trust model and I have no objection to saying that.
MS. GREENBERG: Whoever is speaking I can't hear you.
DR. STEINDEL: I am sorry, Marjorie. I didn't have the phone on. What I was saying was Simon was making the comment about public health and I was saying, "Yes, public health is out there. It is already an outie. We have to talk about it," and what I am envisioning what we would say is you know that we have a good trust model with public health as we handle it today but as Les pointed out in his talk we are very seriously considering new models of working within the new data environment and we may want to issue some statements about that and how it looks on the other side of the membrane because now it is getting very close to some of the other ways we are collecting data.
DR. COHN: Mary Jo and then Bill.
DR. DEERING: A lot of this discussion is sounding like we are going to be focusing largely on the protective aspect and given the fact that certainly within quality the goal is also to enable, facilitate, promote I would like to make sure that whatever we do in our analysis we remember that there may be some things that are AOK because they have got a good trust model but if in fact the existing regulations are barriers or are not optimal then I think we would be remiss in not calling those out as well.
DR. COHN: Very good point.
Bill?
DR. W. SCANLON: I was just going to comment on the trust model for public health. I mean I think that the trust in some respects is the public support of the fact that public health reporting has value to society. It is not necessarily the trust on the part of the person being reported upon that appreciates this and that is an issue for us which is that getting data into the system to be used is a consideration because we don't want the sample to be skewed in unacceptable ways so there is a question of sort of where are the limits of trust and where some form of coercion is important because there are both social benefits and even benefits to the individual that they maybe sort of myopically decide that this is not sort of in my interest but it may be and we have to think about that in our considerations.
DR. STEINDEL: Simon, I think that is a very good point to make because we did hear that from several people. There are very good societal statements about the benefits of public health and it is embodied in many laws both federal and at the local level and that is a different type of trust. That is a societal trust and a lot of what we are talking about in other areas is individual trust and we have to make a distinction between those two.
I think research is an interesting area and the comment was made one reason things like the common rule came about was because people started to stop trusting research.
DR. COHN: This has been a very useful conversation. I guess the question is, I mean do people have more about this? I am actually wondering whether we should go back and look at some of the things. Margaret, I am going to scare you, going back and looking at some of the dimensions of consideration maybe trying on the right size buckets that we have just been talking about and obviously one of them is I mean we talked about, I mean the first one we have just been talking about wherever that is is basically the sort of treatment, payment, internal operations which in include internal quality work and then recognizing the public and after that is the sort of external quality reporting measurement.
MS. AMATAYAKUL: I am lost.
DR. COHN: Okay, I thought we were talking about what sort of buckets we wanted to go through with this sort of a model.
MS. AMATAYAKUL: On the far left or the dimensions of consideration?
DR. COHN: No, the far left.
MS. AMATAYAKUL: Okay, got you.
DR. COHN: I was not talking about the dimensions of consideration.
Mary Jo?
DR. DEERING: Getting back to the point I just made that you said was a good one, I am wondering if the label on the left, is this only to look at the trust issue; is this particular appendix only to look at the trust issue or even in this document should we get at that also affirmative enabling aspect as well or is it hard to do it or are they two different purposes?
DR. COHN: No, let me tell you what I think the purpose of this document is even though Margaret may be a little less certain than I am.
I think that this becomes the framing for recommendations and so to my view recommendations fed into whatever recommendations we reel are necessary in relationship to this area is that the intent here, and I sort of at least personally saw this as a vehicle to help us figure out as Marc sort of commented, well, I don't which of these tools I want to use in this area but at least this becomes a vehicle to have the conversation whether it is just notice for information practices, consent, I mean exactly what it is that needs to be around all of these things or exactly how we want to slice them. So, absolutely.
DR. DEERING: It just would imply something like a phrase and barriers to optimum use or something like that which gets a little awkward thee and I am not sure how to do it but if indeed this is to be the framework then somehow that left hand column has to be beyond just the trust mode/
DR. COHN: So, basic trends and trust and risk and use of information and barriers to optimum, sure.
Steve?
DR. STEINDEL: I made the comment earlier. I don't like the word "trust" in that column. I mean we heard a lot about trust but I think we are talking about you know, trends in risk, uses, barriers, etc. I don't know if we are necessarily talking about trust.
DR. CARR: I was going to make the same comment. I think we have some objective data about areas of overlap and confusion. I think trust is more of a qualitative response to those overlaps in different settings. So, I would first focus on where are the overlap and areas of concern and then come back with trust at another point. It is a separate issue.
DR. COHN: Can you help us given the conversation?
MS. AMATAYAKUL: It sounds to me like what you are trying to come up is first what are the big bucket domains, the activities that we are going to focus on and then within that we want to try to characterize the level of trust and we want to describe the barriers to optimum use.
DR. COHN: As well as possible interventions.
MS. AMATAYAKUL: Oh, yes.
DR, VIGILANTE: I agree with what Justine said. I mean I think we all know that the trust issue here is very important but the trust is very hard to quantify without an actual trust scale and it is really the consequence of having specific things in place that create a relationship which over time you will trust.
So, we can go into what those things are. There are various models but I don't think we are in a position to measure trust. I think we are more in a position to talk about risks and benefits and the degree to which those risks may b mitigated by existing policies, procedures and so forth and so on and then identify the white space for risk, you know, then identify the risks for which there are no or inadequate policies and procedures or regulations.
DR. CARR: May I follow up on that? I think what we want to start with is in these areas that are on the outside what are the challenges and why are they the challenges. So, maybe they are a challenge because there are overlapping regulations or maybe because there are confusing definitions but what causes the challenge on these outside uses? So, if we were to say, let us take quality, we have heard 15 definitions of deidentification, masking, scrambling, purifying, you know, everything like that. That is a problem because we are talking about data going outside and we still can't figure out what is attached to it and what is permissible and what is not permissible, what rules apply. So, that would be a way I would identify the challenge of trying to figure out quality information going outside, one example.
DR, VIGILANTE: In terms of the recommendation I need to understand our charge. I mean is our charge to make recommendations that will help guide the use of, secondary user of data in a way that maximizes benefit and reduces risk and/or the perception of risk to consumers, patients, individuals, however, you want to characterize it?
DR. CARR: I think step 1 is define the problem. Step 2 is identify --
DR, VIGILANTE: Is it assumed to be a problem?
DR. CARR: Identify the challenge. I am not going to call it a problem but why is this outside a different set of issues? It is outside and it is being sold. Why is that an issue? It is outside and we don't' know how to de-identify it. Why is that an issue? It is outside and there are three different regulatory bodies overseeing it and on any given day any given testifier is following somebody else's rules when we might think that they would all be following the same rules.
So, I am just saying that as sort of an intermediate step to say what is it that we are trying to address. First we are going to say that here is the issue and then we can come up with here are some things that we heard that would mitigate or address what --
DR, VIGILANTE: So, we have the introduction where we set this all up and we talk about the -- I guess I am jumping to kind of the bottom line here to the recommendations, you know, putting that first because I know we can write all the other stuff and at the end of the day I am trying to think you know, okay, what genus and species of recommendations are we proposing to be making here and is it around mitigating, and my hypothesis and it could be wrong is about mitigating risk and whether there is perceived to be risk because there is inadequate guidance, policies, procedures in the current environment to address that risk. Is that right or wrong?
DR. COHN: I agree with you and that is I think the endpoint of what we are trying to get to and how quickly we get to it is I think the conversation we are sort of having.
Now, Harry, you had wanted to comment and Marc and then we will figure out how we actually move forward.
MR. REYNOLDS: I am trying to listen, but listening to what Marc had to said earlier it appears to me thinking of that we have heard care, which is one bucket. We have heard operations which is a second bucket and we have heard research which is a third, okay, three buckets?
What I just showed Marc was under care you have quality, efficiency, safety, public health. Under operations you have the same things. That is where he was trying to say these things may fit in each one. So, let us take an example of care and quality which he just made a quick comment that maybe it didn't belong there. Having been heavily involved in e-prescribing when you are doing care you are getting quality data about what are the drugs the person is or isn't on and it has given you warnings and other things. So, that is adding to the quality of what is going on right there.
If you go to operations and you talk about quality, back to our earlier point, Paul's innie and outie you have got is it internal ID'd, internal de-ID'd? Is it external ID'd and then the same thing with research because when you get to research we have talked about if it is totally deidentified, back to the risk, back to the trust, back to the other things. Maybe that is not as high, and I showed it to Marc. So, making some of these other things that we have heard a subset of each of these not at length just whether you mention them or not is different than maybe what we had done because we had quality as its own thing and maybe it is permeated in each of these as a subset with other things. Just a thought.
DR, VIGILANTE: Going back to my sort of paleolithic conception of things I see care and the activity of care and the intention to seek care as the way primary health care information is generated and the patient, most patients don't expect it is going to be used in any other way. They get the notice of privacy but they probably don't read it and even though they are being told it can be used for operations. So, that is primary, and everything is secondary to that and I think that quality, the Venn diagram of quality there is a large overlap with the operations bucket because a lot of the quality work that is done is done in the name of operations quite legitimately and then there is the public reporting and I think that you made this point in your presentation to distinguish between internal operations and external reporting of quality measures and so I do think that can stand on its own as a separate bucket and I think that is not without guidance, at least part of it certainly from the HIPAA perspective there is some regulatory coverage there. Research I think is a separate area and certainly from the common rule there is a large segment of regulatory coverage there although there may be some areas that are not quite adequately covered because they are outside the common rule for some reason.
I think what is least well covered is what leaks out of operations or other appropriately covered secondary data sources into tertiary, quaternary, particularly those that are paid for.
So, I don't have a problem with care but that is primary. Quality is often secondary and research is also secondary.
MR. REYNOLDS: If you listened the one presentation today when it talks about, and I will just use e-prescribing because I will tell you right now e-prescribing is secondary use of data.
DR, VIGILANTE: How so?
MR. REYNOLDS: If I have three drugs for the care and now I haven't gone back for a month and I come back in again and using technology you go out and get if you are going to use that data that you did for my care the first time and you the secondary use of it is e-prescribing for my care again, okay, it is not data that was so -- and it is in the database, and it is in all these things where we talk about you call operations or I don't know what you operations but all I am saying is as we look 5 to 10 years from now --
DR, VIGILANTE: What about data that you use to pick up your prescription?
MR. REYNOLDS: That might be one. There might be that I did pick it up. There might be that warning that comes back --
DR, VIGILANTE: Let me try to understand the example. I may not be understanding. So, let us make it extremely concrete. I come see you. You prescribe digoxin, lasix and cataxin(?) for me and then I leave and I come back a month later and you are saying what?
MR. REYNOLDS: When you prescribe a drug for me I go out --
DR. VIGILANTE: You are prescribing for me.
MR. REYNOLDS: Good. Okay, when I do that and I put it through e-prescribing it is going out to a database that exists that has your drugs on it and comes back and says that there is a warning. Is that a primary use or is that a secondary use?
DR, VIGILANTE: That is neither. That to me is something that you know that is decision support that is a functionality that theoretically you could have figured out with your own brain.
DR. STEINDEL: I look at that as primary use. I think most of us would look at that as primary.
DR. CARR: If we are going with the belly button model of innies and outies I would just put care on the inside and the areas that we are focusing on I don't think care is there. I think it is quality reporting, public health, research and other and then trying to, I go back to what I was saying before about trying to define the challenges. So, quality reporting is understanding more about de-identification and sale of data.
Research is how do you get from quality data to published data. Are you crossing the line, and then what is the oversight body if you are federally funded or not? I mean these are the kinds of issues but I would leave care on the inside and not needing to be addressed.
DR. COHN: I think we are sort of agreeing that care is probably on the inside on this one.
Mark is next.
MR. ROTHSTEIN: I want to comment about the growing acceptance of the interior/exterior dichotomy which I don't think on reflection is nearly as clean as it might seem and I think these are factors to consider but I don't think they are necessarily determinative and let me give you an illustration of the kind of problems that I am thinking about.
Now, when Kaiser, its multi-locations shares data on outcomes at its different sites with central Kaiser research somewhere okay is that internal or is that external? I would argue just for the sake of argument that it is internal, okay? So, if say that it is internal now, what is BHI which collects data from affiliated but not identical or self-contained one self-contained organization; is that internal or external and how are you going to make the argument that let us say Kaiser's use of the data is internal and BHI's use of the exact same data is external? I think whether it is acceptable or a registry for that matter if you want to get a third model, I think whether it is acceptable without any sort of patient permission depends on what the use is of the data not just whether it is deemed to be quote, internal or external.
So, I can envision all three of those sample entities doing things that I would consider quite acceptable and whatever the loosened rule that we are just sort of generally applying internal ought to apply but I could also envision all three of those doing other things that I might not want them to do without some level of patient permission.
So, all that I am saying is that I think it may be more complicated than simply if it is internal, however defined it is okay and if it is external, however defined, it is not okay.
DR. COHN: Marc, thank you.
Justine and then Steve?
DR. CARR: You raised a very good point, I think but I think if we were to begin to parse that data and we say, "Internal to where the data was generated," that takes care of Kaiser, whether you are part of a hospital or a system or so on.
MR. ROTHSTEIN: But you mean it has to stay within the four walls?
DR. CARR: I mean if it was generated by a Kaiser affiliate and it is being used by Kaiser that could be considered internal and off the table but your point about, so BHI thinks of it as internal because it was submitted to them but it wasn't generated by them. So, that represents another category and how we deal with that then, we think about that but was generated in your facility.
DR. COHN: Maybe I will jump in before Steve goes on. Obviously without going through models or whatever but obviously there have been associate agreements. I am not sure that I would for example consider what I mean of course I can talk about my colleague here dealing with the Blues but given that they are talking about business associate agreements that actually sounds sort of what I would typically describe in the vernacular as internal. It is sort of when it gets beyond business associate agreements. As I say that I thought part of the conversation was do we need to strengthen or clarify business associate agreements. So, I don't know that we, you see, I mean I think that there was some value for us to look systematically through the pieces because some of the issues you know we may want to recommend some strengthening of things.
MR. ROTHSTIEN: I wasn't suggesting any sort of model or where to put each of those organization. All I am saying is I think it might be more complicated than simply saying internal/external.
DR. STEINDEL: Actually you didn't convince me that it is more complicated than saying internal/external but I think we are saying the same thing an this gets to what we said earlier. Just because something is external that first of all doesn't make it bad and second of all doesn't mean that we are going to ignore it. We are going to look at it. That is all it means is we are going to say that we want to spend a little time discussing it. I think your registry case is interesting because the way I would look at it at an internal cancer registry that is doing the cancer registry work within the facility of the hospital I would look at that as operational quality control and it is internal but once they send that data to a state cancer registry then it becomes external and we need to ask the question okay, is there anything we need to say about the data once it leaked outside and in this particular case I would say, "No," because we have good state laws of covering it and it has been considered to be a societal good, but we did stop and say, "Look at it.'
In the case if BHI and Kaiser I think those are two very good examples but I think in one case Kaiser actually used data that was to draw their Vioxx example. They used data that was collected for clinical care and derived their inferences from that whereas BHI may derive the same inference but it is using data submitted outside for payment and that is why I said that it leaked through the membrane.
MR. ROTHSTEIN: But, Steve, even treatment information that is used internally within the same four walls of let us say a single entity hospital, right, there is just one hospital that doesn't mean that we shouldn't take a look at what is being used and maybe even though it is primary use we say that there should be role-based access, right? So, it is disclosed to the billing clerk. It is disclosed to the dietary department but they don't get the same thing that the treating docs get.
DR. STEINDEL: I will accept your clarification because we were just making the presumption in our discussion that okay we are talking about this data that is being used for operations and quality internal within the hospital and we have to really realize that that is a big domain and we do have to talk about data restrictions in that domain, and we need to reference that material.
DR. CARR: Is that secondary? I mean is that within our purview? I agree that role-based access is important but if we are talking about secondary use and I am in the cafeteria waiting for the order for your lunch and you are a patient that is primary as far as our routine or you are coming to the OR and asked to look up what floor you are on and that is operational.
DR. COHN: I would worry if we spend all of our time in the next 4 weeks talking about what is internal versus external or what is primary versus secondary. I think we need to see as we look to areas, see where the recommendations lead us and what we think are the risks which is one of the reasons why we have put a page up there that talked about care delivery, whatever only because yes we can spend all of our time trying to dissect out or we can talk about it and see if there is a valuable recommendation there/
Kevin and then Margaret?
DR. VIGILANTE: The choices people make are based on the calculus of benefits versus risk and I think it is pretty clear that the benefits of secondary data can be extraordinary and I think we will point that out.
So, I think our role is to identify those areas of risk and I think from what I have the biggest risk comes from data leaking out of the operations bucket into other uses than people would have expected in particularly the same of that data.
So, I think that is a big area of risk in this whole calculus that we need to focus on. Now, the, oh, I jut lost my point. Why doesn't' somebody else talk. I am sorry, I forgot what I was going to say.
DR. CARR: Outside should be risk versus no risk. Risk is already covered whereas outside there are outside uses that I know we are not doing inside/outside but if we were --
DR, VIGILANTE: Go on, and I was going somewhere and I forgot where I was going.
MS. AMATAYAKUL: I think that it is really important to go through an exercise and try to come up with internal/external, is it care delivery, is it research quality, those kinds of things because there certainly are differences but I am also sort of mindful that I sat down an made a lit of recommendations totally outside of any attempt to bucket them and I am wondering if for tomorrow with all of this good information and we shouldn't throw it away but maybe we just take a look now at some of the recommendations and then say is that really a global recommendation? It doesn't matter what use or that is really for this specific use.
DR, VIGILANTE: I would like to do that. I remember what I was going to say.
So, if one particular area of concern is about the unforeseen sale or the undisclosed sale of data then I think the buckets that we talk about whether they are quality research, public health, is there another bucket called commercial or is it sustainable model or does each one of them have a corresponding quality model or commercial component of each of those rather than commercial being on the side, but we need to address in some way I think as a bucket the quality of the commercial component of each of those rather than commercial being on the side, but we need to address it in some way I think as a bucket.
DR. COHN: I think that issues are defined by the purpose and the executor or the user.
DR. VIGILANTE: Put that on the "to do" list. I think we need to come up with something there.
DR. COHN: We need to think about how we are going to frame that. I mean it is a general concern of exactly how you bucket it.
Now, Harry has been absolutely patient and you can see how brilliant he is. We all ought to listen very carefully.
MR. REYNOLDS: The other thing I would like us to use as a filter is I thought we heard an excellent presentation from Joel Goldwein about what they are doing with the oncology situation because if you look at what he had to say they are going all the way from to all the way to selling it.
So, that is the one example that we have had so far that kind of took it because it was owned by people that cared for them and then it was sold.
So, I think it was an excellent testimony as we heard as we talked about what type of data it was and what happened to it and I think that is a good one to use as a filter also because we are starting to focus on just particular players and I would say to you that this both now and in the future, the players will blur as to who is who and what is what and what is our capability.
So, I think it is very important that we add some other testimony. You know some of today's is fresh but I thought his was probably the most complete we have got all the way from end to end and so I think that is also another good filter whatever we decide is to overlay that one on top of there.
DR. COHN: Now, we are going to change topics just slightly but I want to give you a chance if you have anything more to say on this.
DR. STEINDEL: Where would you put Northern New England? I mean except in the early days he did sell his data but today he is not.
MR. REYNOLDS: I am saying that we have had a number of excellent examples that we can, yes, that is what I mean that we can put in there.
DR. COHN: I want to give everybody a deep breath here because I think we have talked, I mean I think we are trying on models and we are trying to figure out how to put this together.
I mean there are issues that I think we have identified and this innie/outie, the research quality sort of conundrum or area that has some permeability but also sort of process and everything else.
Probably there is an issue around and I don't know if we want to get into it or not but this issue about non-federally-funded research and we obviously have had testimony on that but I think it continues as sort of an issue knowing that at least as far I think most of us are concerned federally-funded research has exceptional protections.
In fact, people get confused because there are so many protections there. So, maybe it is the opposite problem and then public health which I think we have heard pretty adequately about.
Now, I now that between now and 11 o'clock tomorrow morning we have a couple of things that we want to talk about. One is that we do want to I think hopefully based on this conversation go through and begin to look at some of the recommendations that seem to be sort of seeping up at least you know maybe holding our word smithing about is this exactly the right bucket but just to give a flavor of the types of things that I think we are all thinking or at least the questions we have and I think if we can sort of give our input to Margaret it will be immensely helpful in terms of sort of moving us forward because I know Margaret wants to spend some time beginning to try to put things together and as you remember we do have a conference call scheduled on the fourteenth of August from 12 to 3 eastern time where hopefully if we can provide appropriate input we can begin to sort of see how things may begin to come together.
Now, another piece is that we have a hearing scheduled, hearing and meeting scheduled for the twenty-third and twenty-fourth and of course it is already beginning to get filled up with various presenters and I think maybe we can just take a minute and sort of wander through that but the other piece that we need to reflect on today and tomorrow is really and I think Margaret is obviously, I think we are all sort of concerned about what have we missed that we need to hear about and I will tell you that obviously my desire would be for us to finish off at twelve noon on the twenty-fourth but given that we may not have additional hearing dates or sorry, there are no more planned which of course we can talk about tomorrow as well as on the twenty-third and twenty-fourth of August. We want to make sure that we are not missing something that we need too hear about.
Now, Steve, you had a comment. You have a very worried look on your face.
DR. STEINDEL: Yes, I would like to touch a little bit on the question of non-federally-sponsored research and what we need to hear about it or from what because obviously we are thinking about future things and this was one of the things that you mentioned.
As I understand it, well, first of all the federally-funded research coming from I think most arms of the Federal Government even though I think NIH is probably the only on that is really required to do the IRBs but CDC does and AHRQ does, you know, require this high level of approval and from what I also understand and Marc is probably the one I am going to rely on the most on this even if it is non-federally-funded research if it is done in an institution that gets federal funds it still needs to go through IRB approval and then in the non-federally-funded area, so we are talking about a sub-segment of research, you know that is done out of institutions or places that receive federal funds and correct me if I am wrong because I am talking about my understanding and then when we have non-federal dollars going into it we have people like RWJ and the Gates Foundation and you know people that we generally think about as good and then we have people like the pharmaceutical companies whom we may or may not think about as good but I think they have very high standards in the way they do research in a lot of areas as well and so there is really just I think and people can correct me a very small sub-segment of non-federally-funded research that would fall into the area that we would want to question and quite frankly I don't know if we can identify those people or if we would get them here, and please correct me if I am wrong.
MR. ROTHSTEIN: I am not sure we need a witness on this. What I think we can do is we have had Julie Conasharo testify previously. I am sure we can ask her to describe the kinds of entities that would qualify as non-federally covered and it is very small because as Steve suggested the federal regulations not only apply to recipients of federal funding but institutions that receive federal funding execute what are called multiple program assurances with the Federal Government which says that any project that is worked on by that institutions regardless of the funding source or it could be not funded at all will adhere to federal research guidelines and in addition then you have got the pharmaceutical research which is the human subjects part is done in contemplation of an FDA drug submission and they are covered by the research rules of the FDA.
So, there are some theoretical and some practical researchers that escape through the net but it is very small and I don't think it is really worth wasting a lot of time on.
DR. COHN: That may save us then and so, I think your idea of just asking the question to her might be very appropriate.
Justine, do you have something on this point?
DR. CARR: No, it was a suggestion for testimony.
DR. COHN: Oh, okay, I was going to go through what we have so far, but do you want to --
DR. CARR: I am just looking over the notes from John Loonsk yesterday. He talked about the commercialism better definitions of commercialism.
DR. COHN: Loonsk?
DR. CARR: Loonsk and then last hearing we talked about technology that can help address privacy and we heard about that again today, too. So, I just wanted to put those two out.
DR. COHN: Where you need to reflect on the question is and I agree with you, I think that this is, we need to make sure that we are hearing about or hearing further about these sort of mitigating approaches which include tools, technology as well approaches to reduce risk.
The question of course is whether or not we have them in here already or not and I don't have the answer to that one but I thought we could at least take a look through, and give you a chance to sleep on them tonight to see if there is anything that we are missing.
Harry, did you have a comment?
MR. REYNOLDS: Yes, I had asked Dr. Peel if she would give us a list of what she mentioned in her testimony today. I wanted to make sure that that was --
DR. COHN: Yes, but I certainly agree with you that we do not want to leave stones unturned on that one.
So I think everybody has a copy of at least the proposed agenda for the August meeting and I think part of this is people who aren't able to participate previously and some of it is also this issue of moving into the litigation issues.
The first hearing I think we were talking about of our HIE experiences which include a good sound health alliance, hopefully Santa Barbara and some experiences from the UK.
Do you want to go through this Margaret?
Okay, Margaret, why don't you go through what we really have?
MS. AMATAYAKUL: I am going to, yes, I will go through it and Aaron and Mary Jo have been e-mailing all day long today as well. So, they will have some updated information.
Rachel Quinn from Puget Sound, that is the value exchange and we are uncertain whether she or somebody else or anybody can come or be by phone. We have to find out about that.
Robert Reed from Cottage Hospital I think if we can't get him and there was some possibility we could for later we have a fair amount of information from the conference that was held yesterday where David Braylor presented about the issues there and Monica Jones from the UK, Mary Jo?
DR. GRANT: She basically confirmed. I don't know the date and time.
MS. AMATAYAKUL: And the purpose of this would be to focus a little bit more on health information exchange, get an international perspective, get a perspective of the lessons learned and to look a little bit more at this value exchange concept.
The second panel on health data protection solutions needed in health information exchange we are still trying to get John Santa or maybe somebody else from the Prescription Project and then we are trying to get somebody either from Kaiser or PBM to talk about secondary uses of pharmaceutical data and then David Hopkins from Pacific Business Group.
For consent we are still looking at trying to find an HIE vendor who can give us some technical perspectives. John White has told us that he will not have the data storage of RSI completely finished but --
DR. GRANT: They are currently looking through their responses they received. I think they received about 75 responses but they won't be completely summarized by the end of August. So he can provide us with some information but it won't be a complete report. So, when I spoke to him he just wanted to make sure that the group was comfortable with sort of limited information.
MS. AMATAYAKUL: Dan Macies and his entire crew is going to be in Australia and for automated consent management we have three companies, one of which is in New Zealand. So, I strongly recommend we just go down there.
There is one company that we may be able to get and then Rick Peters was also suggested as somebody who might be knowledgeable in that area if we are going to the other companies first. I don't know.
DR. STEINDEL: I believe the security and privacy work group of HITSP is undergoing public comment on their security constructs which contain a lot of these elements. We might be interested in hearing them. I think they should be pretty far along by then.
DR. DEERING: There is a tool for the managing of tissue specimens that we have and that tracks consent for use of specimens across use and we could identify someone to speak about that if that were considered an interesting model.
DR. COHN: I would that agree would be, is everybody in agreement that that makes, you know, okay.
DR. STEINDEL: We actually have the same sort of projects going on at CDC where we track consent for use of specimens and I think it is a very focused area.
DR. COHN: I don't care if it is a focused area. Is it a generalizable approach?
DR. STEINDEL: I think what I am saying is I am not, based on what I know about the CDC tool I am not certain it is a generalizable approach.
DR. GRANT: Steve, your point about HITSBE just saw the most recent schedule yesterday and they are doing public comments through August 17, and then they will be doing comment resolution and panel approval August 20 through October 15.
So, to the extent that they will have summarized what they receive through public comments by the time we have our panel I am just not, I can check on that.
DR. STEINDEL: But I think they probably could talk at least about what they sent out for public comment.
DR. GRANT: Yes.
DR. DEERING: Actually, Steve, it did occur to me that maybe the use case isn't necessarily generalizable but the technology is. I mean the underlying technology of how you capture and manage and track this is open source technology and it is certainly to the extent that I think the Committee wanted to hear you know is it doable, is it technologically doable not necessarily a specific use case, I think it would be generalizable but again I am not going to push it.
DR. STEINDEL: No, you just said an essential difference between what you are doing and what CDC is doing and the key word is open source. So, it might be worthwhile.
DR. COHN: Good thank you.
MS. AMATAYAKUL: The next panel on potential trust communication solutions our main focus here is plain language health literacy and Mary Jo has got some contacts there. We also thought it might still be worthwhile to look at some of these Health Grade, Choice Point, physician certifying boards. We do have an invitation out to one of the certifying boards but we still haven't heard back from them.
Health Grades declined. Choice Point is another option for us but I think we are going to focus on plain language health literacy over the other two and then finally Tom Penno from Indian Health Information Exchange and Elizabeth Belmont from Maine Medical Center in the American Health Lawyers Association are only available on the twenty-fourth. We don't have either one totally confirmed but we are close I think.
DR. GRANT: Yes, I will hear back from Elizabeth next seek whether or not she is available but what she did say was she and a colleague can pull together written testimony. It is just whether or not she would be here to walk us through it.
DR. COHN: So, I would have you all think about this.
Yes, Margaret?
MS. AMATAYAKUL: So, two open questions are do we want to have somebody like Litanya Sweeney or somebody talk about the de-identification process and I heard Justine say definitions of commercialism.
DR. COHN: I was looking at the notes from John Loonsk's presentation or discussion yesterday. He said, "What needs to be defined going forward, better definition of commercialism, commercial ventures, doing public good," and then also --
DR. COHN: It may be a discussion topic. I don't about testimony other than I think we are very well aware for the record that there are a significant number of commercial entities that are trying to do public good and we support them all.
DR. CARR: As you had said, are there any gaps that we haven't heard you know thinking about that as the last thing? Are we ready? Will we be ready at the end of that to make recommendations? I mean I think we have got a lot of background and a lot of information about where the challenges are but in terms of recommendations have we heard enough?
DR, VIGILANTE: I think one of the things I guess is when we go back to increasing transparency at the point at which permission is given to use data if it is going to be used in unexpected ways is really understanding what mechanisms we would use to resolve that issue and talking to communications experts about that might be a useful thing and this guy that I mentioned earlier, Peter Salmon from Princeton you know he probably knows nothing about what we are talking about at all in terms of the specific application, but I just wonder if he would be like just an expert in risk communication would be somebody who could help us think about that if you want to ultimately do things that will decrease the outrage factor.
DR. COHN: I would use a different term. I think I would talk about mitigating risk. It is probably a nicer way and I think communication, I mean I think we all recognize it is a key part of it. So, yes, I think your idea is a good one.
DR. DEERING: When you talked about do we or do we not need any more testimony about commercialization, etc., before we seemed to have been sort of saying, "Well, no, it is a point," and we moved on but I would like to sort of at least keep it on the table to make sure that we have considered this aspect. You will recall that when all four of the NIM(?) prototype contractors stood up and said, "What is your business case going forward," it was data mining an so I am sure that that is partly not just for quality but I think that concern is that is this assumed by many of the RIOs(?) to be the only bona fide business model going forward.
I am going to ask a question. Is there something about that assumption an that issue and that challenge that we should be looking at from the point of view of a prototypical RIO because it would serve ONC and it is secondary use but is there something about that particular use case that is special that just to be due diligent to our clients we should be looking at?
DR, VIGILANTE: I think the corollary to that is what does this market look like? How big is this market from an economics perspective? How big might it be and what damage may be done or how important is that market to sustaining the collection of secondary data, you know, a revenue source to actually do the work that needs to be done in the future to actually make your quality measurement a feasible financial enterprise and the public reporting of it? Is it all going to be publicly funded? Can docs and providers bear the burden on their own financially or do info-mediaries have to be, does there have to be a thriving market of info-mediaries to provide this information in order for this business model to continue and thrive?
Now, there is probably nobody who can give us those answers but it would be a useful thing to think about in this context.
DR. COHN: I agree. Do you have thoughts about who could help us think through this one?
DR, VIGILANTE: I don't know who has studied it.
DR. COHN: I think it is a very good question though.
Marc?
DR. ROTHSTEIN: I think that might be taking us a little far afield. I think we all understand that the current funding mechanism and the business plan for the NHIN components is sort of up in the air but even if that were resolved there still would be commercial entities unconnected with the NHIN that would be interested in doing data mining.
So, I think it is fair to say that it is a significant problem and it is unlikely to go away and therefore we are recommending the following steps to deal with it without being, I mean this is so difficult and we are so far from resolution that I am afraid to get us going into a different direction.
DR, VIGILANTE: You are probably right. I guess what I am trying to think of, I guess what I am trying to get at is you know in the future it may be important to have a thriving sustainable marketplace that can actually support the aggregation of data in order just for the general good and that caution has to be, at the same time that you need transparency there also needs to be caution in the exercise of regulatory power so as not to undermine the possible development of such an industry and I think that we have to consider that.
DR. COHN: Marc O, did you have a comment?
DR. OVERHAGE: No.
DR. COHN: Okay, Harry? Okay. Anyone? Okay, I know we have sort had a long day. It was intended to be. I think we have actually had a very good conversation and I don't know that we have necessarily moved the ball but we have exhausted couple of things.
I think this is obviously, you know, we have gone through this process a number of times now and the purpose of models which is what I said at the beginning is not to fall in love with them but more a question of, and I am reminded yesterday that one of our presenters, I think it was Wendy who sort of was like so what. I mean the purpose of these things is to help us tell a story, to help clarify the issues for us, to help us develop recommendations. There is no intent at this moment that we have the final model and there may not be one, but on the other hand if the conceptualizations help us move forward I think that is really the intent here and so we will just take it as such, recognize that they are all draft and we are sort of bandying around and batting them around but I do agree with Margaret that tomorrow morning we would be very well served if we suspend belief a little bit and start looking at actually what recommendations seem to come to us that make sense and that hopefully will be what we use most of the morning for.
Now, tomorrow morning does start at eight-thirty. This is one of those mornings where to get you out at around eleven I would hope everybody will be prompt and let us do some work.
With that the meeting is adjourned and we will see you all in the morning.
(Thereupon, at 5:30 p.m., a recess was taken until 8:30 a.m., the following day, Friday, August 3, 2007.)