[This Transcript is Unedited]
Crowne Plaza Silver Spring Hotel
8777 Georgia Avenue
Silver Spring, Maryland
Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway
Fairfax, Virginia 22030
(703)352-0091
Agenda Item: Call to Order, Welcome and Introductions
DR. COHN: Well, good morning, everyone, and welcome to beautiful downtown Silver Spring.
DR. STEINWACHS: Why did we get kicked out of the building? Was is that we haven't been behaving well, is that how we ended up in beautiful, downtown Silver Spring?
PARTICIPANT: I think there were security risks.
DR. STEINWACHS: That's probably ending right now.
DR. SCANLON: Actually, I can answer that question.
Our Emergency Preparedness and Pandemic Preparedness folks have taken over and expanded the operation center. So they are using our usual conference room --
DR. STEINWACHS: I see.
DR. SCANLON: So it's nothing personal.
DR. STEINWACHS: Thank you.
DR. COHN: Well, despite these comments on space and location, I do want to just acknowledge how beautiful the weather is, is likely to be, and I would just contrast that to our February meeting where there was an emergency snow closure of Washington, D.C. So I think the good news is that we should be able to deliberate and meet today and tomorrow as planned, which is important.
Now, with that, I want to call the meeting to order.
This is the first day of two days of meetings of the National Committee on Vital and Health Statistics.
The National Committee is a statutory public advisory committee to the U.S. Department of Health and Human Services on national health information policy.
I'm Simon Cohn. I'm Associate Executive Director for Kaiser Permanente and chair of the committee.
I want to welcome committee members, HHS staff and others here in person and also welcome those listening in on the internet, and I do believe we are being broadcast. OK.
Let's now have introductions around the table and then around the room.
For those on the National Committee, as always, I would ask if you have any conflicts of interest related to any of the issues coming before us today would you so publicly disclose during your introductions?
I want to begin by observing that I have no conflicts of interest.
Marjorie.
MS. GREENBERG: Good morning. I'm Marjorie Greenberg from the National Center for Health Statistics, CDC, and Executive Secretary to the committee.
MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina. Member of the committee. No conflicts.
MR. HOUSTON: John Houston, University of Pittsburgh Medical Center. Member of the committee. I have no conflicts.
DR. TANG: Paul Tang, Palo Alto Medical Foundation. Member of the committee. No conflicts.
MR. LAND: Garland Land, member of the committee. NAPHS. No conflicts.
DR. STEINWACHS: Don Steinwachs. Johns Hopkins University. Member of the committee. No conflicts.
DR. GREEN: Larry Green, University of Colorado. Member. No conflicts.
MS. MC CALL: Carol McCall. Humana. Member of the committee. No known conflicts.
DR. FITZMAURICE: Michael Fitzmaurice. Liaison to the committee and staff to the Subcommittee on Standards and Security.
DR. CARR: Justice Carr, Beth Israel Deaconess Medical Center. Member of the committee and no conflicts.
DR. SCANLON: Bill Scanlon. Health Policy R&D. Member of the committee. No conflicts.
DR. FRANCIS: Leslie Francis. University of Utah. Member of the committee and no conflicts.
DR. STEUERLE: I'm Gene Steuerle from the Urban Institute. Member of the committee and no conflicts.
DR. WARREN: Judy Warren. University of Kansas School of Nursing. Member of the committee. No conflicts.
DR. STEINDEL: Steve Steindel. Centers for Disease Control and Prevention. Liaison to the committee.
MR. BLAIR: Jeff Blair. Lovelace Clinic Foundation. No conflicts that I'm aware of.
MR. SCANLON: Jim Scanlon, HHS. Executive Staff Director for the Full Committee.
(Introductions around room.)
DR. COHN: Okay. Well, welcome, everyone.
I should also comment that we'll be seeing Mark Rothstein later on today. I think, as you all realize, he has -- he's on special assignment from his law professorship at University of Maryland, and I think is sort of trying to figure out ways to make all of this work.
Marc Overhage will also be arriving, I think, tomorrow morning. Unfortunately, he has a conflict this morning.
Now, before we move into the agenda review, let me make a couple of opening remarks.
We have a very full meeting today and tomorrow, so we'll try to be as brief as possible, because we really do have a lot to discuss and a lot of action items to go over.
I think, as you all would observe, given our summer, the activities of the committee continue at a very fast pace, reflecting the increased importance and federal attention being placed on health information technology and the role it can play to improve the quality and reduce the costs of healthcare, as well as, obviously, improve the health of all Americans.
Within HHS, Secretary Levitt continues to consider promotion of interoperable HIT, one of his key priorities, and, of course, in all of this, NCVHS continues to play an important role advising the Secretary and the department directly, as well as providing expertise and liaisons to other HHS initiatives moving forward the vision of an NHII, including such things as AHIC workgroups.
I do want to particularly note the major recent work products of the NCVHS, which are being actively utilized within HHS, specifically, the excellent report on privacy in the NHIN, and our report on defining a minimum but inclusive set of functional requirements for the initial definition of the NHIN.
Both are being used within the government. ONC with recent RFPs identified both and referenced both.
We are also aware that ONC -- to develop a framework for privacy and confidentiality and security, is also considering our document on privacy and confidentiality one of the base inputs for that document and work.
Now, today and tomorrow, we will spend considerable time discussing the draft document developed by the ad hoc workgroup on secondary uses of health information.
As you all remember, we kicked this effort off in June. This work was undertaken at the specific request of the department, and, in particular, the Office of the National Coordinator.
Specifically, we have been asked to develop an overall conceptual and policy framework that addresses secondary uses of health information, including the taxonomy and definition of terms, as well as develop recommendations to the department on needs for additional policy, guidance, regulation and/or public education related to expanded uses of health data in the context of the developing nationwide health information network.
And, of course, all of this with an initial emphasis on uses of data for quality measurement, improvement and reporting.
Now, I want to just take a moment and thank Harry Reynolds and Justine Carr for their leadership on this activity and as Vice Chairs.
I've been depending on them significantly and, really, both have my sincere thanks, which, of course, we'll see another piece of that today in our discussions.
I, of course, also want to thank Paul Tang, Bill Scanlon, Marc Overhage, Mark Rothstein and Kevin Vigilante for their participation in what has been a -- really a summer of activity in Washington on these issues, and, of course, the many of you who have been willing to be reviewers, our staff, including Cynthia Sidney(ph), Debbie Jackson, obviously, Marjorie and Jim, who have participated and been helpful in this regard, and, or course, our consultants, and Margaret already introduced herself, but also Aaron Grant and Christine -- Anderson from Booz Allen, who have also been very helpful and instrumental in this activity.
Now, I mention this to you both for the individual contributions that everyone has made to this effort, but also as an example of the flexibility of the national committee and the ability of our infrastructure to rapidly respond to department needs.
It is a great example of how we've been able to leverage our broad expertise in standards, privacy, security and population health, which, of course, is represented on the committee, and do it in a rapid fashion.
DR. COHN: But, of course, as I mention all this stuff, we have, obviously, a lot of other action items to discuss over the next couple of days, and so let me briefly mention what we're going to be doing today.
We will be spending a little more time at the end of the day today talking about tomorrow's activities, but let's at least take a look at the agenda, noticing that it is being modified a little bit, partly because of car issues and other things like that by some of our presenters.
This morning, we begin with a department update from Jim Scanlon. Jim, thank you for being here to present.
Your agenda shows that after that, Karen Trudel was supposed to be presenting the CMS update and also talking about HIPAA.
My understanding is that her car is being towed as we speak, and -- we will, hopefully, be seeing her later on today, and if not today, we'll get that update tomorrow morning first thing.
Following the morning break, we begin a discussion of a letter being brought forward by the Subcommittee on Standards and Security, proposing modifications to the current HIPAA transaction standards, which will be an action item for this meeting, either today or tomorrow.
Then, we are pleased to have an update from the Office of the National Coordinator. We have Charles Friedman and Kelly Cronin, who should be arriving, to both talk about the current activities of the department as well as providing an update on future plans and relationship to AHIC, and, obviously, there's a set of activities that the government is engaged in trying to identify sort of successor and transition planning regarding that.
Before lunch and extending into the mid afternoon is a discussion of the draft report being brought forward by the ad hoc workgroup.
I want to emphasize that this is for discussion and not for action either today or tomorrow.
And let me just talk about the purpose of it. And I know that Justine and Harry will also review this. But the purpose of the conversation has to do with, one, assuring understanding, and given that this is about a 30-page document, we want to make sure that everybody sort of understands what's in it. So that's number one.
Number two is is that we want to identify areas of agreement and disagreement as it relates to observations and recommendations.
And, then, three, we want to understand sort of what we're missing and what else needs to be included in the document to sort of bring it up to NCVHS standards.
Now, what I will tell you is is that as much as we all love wordsmithing, today and tomorrow is probably not the time to wordsmith the document, except as it relates to content. I mean, if the meaning is unclear, we do have to talk about really what the meaning is without getting into that.
We, of course, always accept and welcome redline versions of documents, and it really does help improve the document, but I just want to sort of set that up as an expectation of the discussion of the day.
Now, later on this afternoon, we begin a discussion of a letter report being brought forward by the Workgroup on Quality for action at this meeting, and I think you've all received a copy of that.
Now, at about four o'clock, we will prepare to adjourn into our subcommittee breakouts, and we have, I believe, Populations and Privacy and Confidentiality, which will be meeting between four and six.
At that point, we will talk about the next day's agenda, sort of expectations for the conversation, as well as the pre-meetings which will occur tomorrow morning.
Now, as I say that, I do want to make sure that everybody does have a chance to look at, even though we will not be discussing today, Tab 4.
Tab 4 was developed at member request, and it sort of relates to sort of protocols and guidelines of functioning of workgroups and subcommittees.
As I said, we will not be discussing it today, but we will be discussing it tomorrow morning, and if it's something that everybody generally agrees with, we will put it sort of into our protocol packets. It'll be part of the new briefing for members.
Oh, yes. OK. And I also, for tomorrow, want to mention what I thought was excellent, which I read on the plane out -- one of the nice things of long plane flights -- is the 2005-2006 NCVHS report, which we will also be talking about and will be an action item for tomorrow.
I will tell you I've read a lot of these ones and I thought that the way it was framed was actually exceptional. I mean, there may be some additional wordsmithing that members want to engage in, but I thought the framing as well as the fact that the document actually began to allude to and include activities that we're now engaged in sort of give it current life, as opposed to just being a document that is sort of dated from the get go.
So --
DR. STEINDEL: Felt like we had a life.
DR. COHN: Felt that we had a life. Yes. Well, maybe after the ad hoc committee, you will have a life again.
MS. GREENBERG: Unlikely.
DR. COHN: Yes.
(Dinner discussion.)
DR. COHN: Okay. Well, Jim, with that, why don't we begin our department update and go from there?
Agenda Item: Department Update -- Data Council
MR. SCANLON: Okay. Thank you, Simon.
Well, let's see. Since we met in June, a number of developments have occurred.
Let me bring you up to date on a couple of policy developments, including updates to the Secretary's priority areas, which I had mentioned previously.
And, in addition, HHS has just revised our strategic plan, which will be 2007-20012, and I'll talk a little bit about the goals there are as well, and, then, I'll update you on some other projects and activities.
I think you have at your place a description of nine priority areas. This is the revision and update of the Secretary's priorities for healthcare largely dealing with healthcare.
I won't go through each of these, and we've gone through them before, but the -- you'll see they're slightly modified from previously, but let me give you the titles at any rate.
And, remember, these are what the Secretary regards as transformational kinds of activities in which, if progress could be made in these areas, a lot of other activities would improve in public health and healthcare, and social welfare as well.
The first one deals with health insurance access for every American. There are different ways to do this. Some of these involves state health reform. But the goal would be access to health insurance for all Americans.
Second is insurance for children in need. This is specifically related to the state children's health insurance program that's currently awaiting authorization in Congress. There'll probably be some action this week.
A third initiative is called Value-Driven Healthcare. Here, the focus is on providing quality -- information about quality and cost to support better choices in healthcare.
Information technology, obviously, that remains a secretarial priority.
Personalized healthcare really refers to probably the care -- the potential we see on the horizon in which the fruits of research, including genomic research, are translated into research, development, diagnostic and therapeutic tools and are brought to the bedside in everyday medical practice.
So I think we have a number of genomic diagnostic tests now, not a whole number of therapeutics at the moment, and it's fairly narrow. But I think everyone looks at this area as a number of tests and therapeutic interventions in the pipeline.
And the idea here is that rather than everyone getting the average approach to treatment or prevention, clinicians would be able to tailor healthcare treatments based on the genomic structure.
Health diplomacy. This refers to using public health to -- in support of national objectives, typically in developing countries. So Africa, South America and so on.
Apparently, there are just very specific projects here.
Prevention has always been a major area, and, here, this refers to a lot of healthy behavior and prevention activity.
Interest continues on helping the Louisiana and the New Orleans healthcare system to be restored.
Actually, a different sort of a healthcare system that's not so much hospital based.
And, finally, preparedness, both pandemic and emergency preparedness. Focus continues there as well.
So those are the areas that the Secretary is willing to spend a fair amount of time on. And so he's traveling a lot and he's providing leadership in those areas.
And, as you see, health IT and data play a big part in all of those, and, in fact, health IT is one of the priorities as well.
In addition, as I said, HHS has just gone through a process of revising our strategic plan. Again, you have the summary paper in front of you.
This covers the next five years, and it -- these are fairly high-level goals, strategic goals focusing on basically affordability, safety, quality and accessability of healthcare, prevention -- a whole range of prevention activities.
On the welfare side, on the social welfare side, promote the economic and social well being of individuals, families and communities.
And on the research and science side, to advance scientific and medical research.
And you'll see specific sub-objectives in each one of those.
And, again, I think you'll see that health IT and data are a big part of all of these objectives.
Let me turn now, just briefly, to the legislative front.
As you all know, there has been for the past several years and continues to be interest in health IT bills in Congress. And there are a number of them now. But in the Senate, the Wired for Healthcare Act, I guess it's called, would include several activities in health IT.
Partly, it would codify the Office of the National Coordinator. So it would place it into statute.
It would also codify the American Health Information Community, which is actually problematic, since the idea at the moment in HHS is to transform that into some other kind of a body.
But, in addition, that bill would -- if enacted -- would establish a number of grant programs and loan programs for health IT. And it would also include some studies on privacy as well, and some recommendations on privacy.
So, again, we don't know how -- whether that bill will get further attention in Congress this year, given all the other activities that are underway.
On the budget side -- and this applies to all of our HHS agencies and most other cabinet departments -- we're winding down this current fiscal year, ‘07. Basically less than a week left. Very few federal agencies have any appropriations for ‘08, which begins October 1st. So we will probably have a continuing resolution at which we can obligate funding at about the same amount we did previously. So it may slow things down a bit in terms of undertaking new projects.
But on the Hill, where Congress is considering the fiscal year ‘08 budget, there are a number of health IT investments.
There is one concern, the Office of the National Coordinator -- and they can speak for themselves later -- would actually be funded at a reduced level than what the President requested. It would be between $60 million and $70 million, rather than the amount that was requested in the President's Budget. So we'll have to evaluate that.
At the population health data side, in general, most of our core statistical systems would be funded at current levels. It's not a growth budget, by any means.
And the one concern there will be NCHS. We'll have to see where exactly that turns out as well.
And let me just -- a couple of projects that our office and the Data Council have undertaken in the past few weeks, let me just bring you up to date on those.
I think I reported previously that the Data Council, working with NCHS and CDC and others, sponsored a workshop on the potential utility of electronic health record information for survey, healthcare provider surveys and health statistics. And several of you were speakers and participated as well.
I think, generally, the conclusion was that there -- for the purpose of surveys -- physician surveys, hospital-care surveys -- the penetration of electronic health records, at the moment, was not sufficient to support representative sampling -- we all knew that -- though, there were clearly providers and plans and so on where the capability is such that they can support research and other kinds of activities.
We discussed this at the Data Council earlier this month, and we're looking at areas in which we could follow up.
So even if it's not possible to do a representative survey of, for example, a hospital -- hospitals or physicians' offices, based on electronic-record information, there may be pilots that we could undertake to see what would we have to resolve, what would be the nature of the content and so on to begin along this way.
And the National Library of Medicine has offered some of its grantees as potential pilot sites. So we'll be following that up in the fall.
A couple of interesting projects our office has just taken up.
We have supported a survey at the National Center for Health Statistics. This is a survey of hospital emergency departments. We'll be -- of hospital emergency preparedness.
It'll focus on pandemic preparedness as well as sort of all hazards preparedness. And we'll be getting some updated information on measures that -- we originally took a survey in 2004.
So we'll be looking at what -- the capability and standards and plans, regional agreements and so on. I think we have some questions on diversion as well -- hospital diversion, emergency-room diversion.
So that will begin in January at the National Center for Health Statistics.
In addition, working with CMS, we are undertaking an assessment of electronic personal-health records. These are pilot studies that CMS is doing for the Feefer(ph) Service Medicare Program. So we're just about to start that.
We'll be looking at the pilots, the suitability, the capability, functionality, privacy protections and so on for electronic personal-health records.
We are also -- with some of our healthcare safety-net providers, we are undertaking an assessment of health IT and health information exchange in community health centers and the public healthcare safety net. And we'll be starting that in the fall as well.
And, finally, I think I reported previously, we have a study underway. It's really an assessment of the needs, requirements, competencies and projections for the health IT workforce.
And let me stop there.
DR. COHN: Okay. Any questions?
Jim, I guess I'm understanding why I haven't seen you much recently. Sounds like you've got a lot on your plate.
MR. SCANLON: These are end-of-the-fiscal year --
DR. COHN: Marjorie, did you have a comment?
MS. GREENBERG: I just wanted to note, regarding -- as part of the update of the department that, in Tab 7, we have a very nice response from the Secretary to the CHI recommendations. And this should be posted by now, I think, on the website.
And we're going to try to -- when we get, you know, really substantive responses like this, we'll try to be posting them along with our letter, I think. There's been some requests for that, and I think it's a good idea.
MR. SCANLON: Yes. I think that was the final set of CHI recommendations and standards.
DR. COHN: Yes.
DR. STEINWACHS: I understand that I guess both the House and the Senate passed the FDA bill that would strengthen capacity for post-market surveillance. And I assume people are hopeful the President will sign it.
And I was wondering if you had any comments about that, because I understand that part of that would be to build a sort of data consortium that would not only be a resource for FDA, but maybe a resource for researchers, too, that might draw out both electronic health records, but also administrative records --
MR. SCANLON: Yes, my office was involved a fair amount in the reauthorization of the Food and Drug Administration. And the bills were passed by both Houses of Congress, and the President will be signing it shortly, just in time, because, actually -- part of FDA depends on user fees, and, basically, if it was not reauthorized, the agency would almost have to -- would have to just close down, which is a periodic threat --
But, at any rate, the FDA reauthorization bill contains a number of revisions. One of them is really an attempt to get better -- really using information infrastructure to get -- to help with monitoring safety after the drugs approved and so on.
So part of this will be -- and, again, we'll have to see where this goes, but this would be a project that tries to pull together large-scale databases that are already available from health plans and others that would be marshaled for analysis to monitor any potential drug-safety problems.
As you know, now, it's largely -- after the drug is approved, it's an adverse-event reporting system. And it's -- while it certainly works -- it can identify adverse events -- this is a more systematic way, and this is probably a more modern way to approach it as well.
In addition, there is something -- a concept called Sentinel, which would include, probably, a sample or a small number of emergency departments and physicians offices that would agree to report affirmatively, rather than passive surveillance on drug-safety problems as well.
MR. BLAIR: I saw two articles just recently, and maybe you could help me understand them a little better.
One was the funding, which was nice to see. And, then, the other one was an FDA announcement that it was going to start to hold hearings on the standards that it should use.
And the essence of my question is that does the funding or the hearings on standards relate at all to FDA -- increasing FDA capacity or speed in being able to support the information for National Library of Medicine to do RX Norm or the sigs that were part of the e-prescribing standards?
MR. SCANLON: Well, you're right, Jeff. There are a number of other -- FDA really has -- you know, as budgets allow -- has -- really understands the role of health IT and standards and so on.
And, as you'll remember, it was a consortium of funding that helped with RX Norm and Daily Med and the National Drug Code revision.
So there should be -- I'm not expecting a large infusion of funds for FDA for those purposes, but I think we would have at least the amount we've had previously to move the standards along.
And to the extent -- I think you're exactly right. To the extent that FDA could rely on modern information technology, including standards and classification systems, to support adverse reporting and to support even the initial drug application, it just makes the system more effective and more efficient.
DR. GREEN: Jim, could you just elaborate a little more about the thinking of strategy and timing related to the personal health record to sort of clue the committee in what we might anticipate coming down the pike there?
MR. SCANLON: Yes, that's probably the newest of the secretarial initiatives, and, in many ways, it's a very high-level concept.
But the Secretary, last week, gave a talk in which he -- he released our HHS report -- which I'll make available to the committee -- on what the concept is and the framework for personalized healthcare, and the activities that we have underway in HHS, again, with what we hope to be the outcomes.
And so this concept, again, includes taking the fruit of scientific discovery and research, much of which NIH supports, but not alone, and hoping to move the process from the discovery of the information into tests and understanding therapeutic products and so on, so moving it through the technology development chain, which would largely be pharmaceutical companies and device through the FDA process and then into everyday medical practice and reimbursement.
Now, we do this anyway, and this will happen anyway, obviously. But I think folks have estimated that an innovation in healthcare often takes the average time with somewhere like 15 to 17 years before even a widely-recognized innovation makes it into everyday practice.
Now, that's not true in every case, but it does take a fair amount of time for obviously beneficial developments to make their way into everyday practice. So that the idea here is to use whatever levers HHS has to promote and accelerate that process.
And from what I understand from FDA, there are already a number of -- and the focus, though not the sole focus, is the genome, what the studies and what the research and what the discovery in genomic structure, and, then, what the manifestation of the gene structure is in the body, will that information be used to support diagnostic tests, therapeutic interventions, and, in some cases, even to measure whether -- what your response to a medication will be.
We just had an announcement from FDA last week of a look at Warfarin and how individuals respond differently to Warfarin.
As you know, better than I, in some cases, it's quite dangerous for individuals. In others -- others tolerate it. It works very well. Well, there are specific genomic indicators about how to differentiate there.
And from what I understand from our FDA colleagues, there are a number of -- in the pipeline, there are a number of tests and measures on the horizon, and, hopefully, they'll make their may through.
But the whole idea would be to -- it's referred to as personalized healthcare in the sense that it would be predictive. It would be preemptive in the sense that it would, hopefully, intervene before the condition develops or gets worse. It would be personalized in the sense that it would be based on your makeup, to the extent possible, and participatory, in the sense that the patient would have more discussion and more counseling and more say about it, you know?
Details are just -- you know, will have to come out of the research enterprise.
DR. COHN: Yes, and there's a variety of reports.
Larry, let me just clarify, though. I wasn't clear whether you -- were you asking about personalized or personal health records?
DR. GREEN: I was talking about the personal health record. You know --
DR. COHN: Okay Fine. I didn't want to break in, but I think that this actually points out the interesting terminology issues that we're beginning to face where everything sort of begins to sound the same.
PARTICIPANT: Yes --
DR. COHN: Yes, and I just wanted to clarify, because I wasn't -- I thought you gave an excellent answer on that one.
PARTICIPANT: Never mind.
(Several participants at once).
MS. GREENBERG: Is there anything in here about the personal health --
MR. SCANLON(?): No, we haven't discussed --
DR. COHN: Let Jim answer personal health --
MR. SCANLON: Do I have a minute?
(Several participants at once).
MR. SCANLON: Well, again, this is -- you're all more aware than most of the -- besides electronic health records in the clinical setting and information exchange, there's great interest now, and, actually, a fair number of products coming on the market that are electronic personal health records.
So this is really geared for the patient and the client, rather than the clinician solely.
And, in fact, the NCVHS did a nice evaluation, I guess, almost two years ago of the -- what are the desired characteristics and functionalities of electronic personal health records.
Well, now, we have, in HHS, the Medicare program will be supporting pilot studies in the managed-care part of Medicare for the folks -- for the beneficiaries enrolled there and in the fee-for-service part of Medicare.
And we and AHRQ and ONC will be working with CMS, at their request, to conduct an evaluation of sort of what are the -- what's the actual functionality, how is privacy and confidentiality protected, what is it that clinicians like or don't like about them, what is it that the beneficiaries actually like or don't like, so that it will provide the basis, hopefully, for -- and I think the first step will be to look at the products on the market and the -- sort of an environmental scan. What's the capability of the markets now -- of the products on the market now.
A number of health plans have already -- are already offering these, and they range everywhere from just a little bit of information about your benefits to some consumer-health information, and others actually provide the basis for appointments and other information, and some of them contain clinical information as well.
I think Carol's group has some. Simon, I think you guys have had as well.
So there are beginning to be more -- a lot of health plans are now marketing these to beneficiaries. Blue Cross Blue Shield as well.
But we'll be looking at it from a fairly -- again, this is -- we're not trying to be cheerleaders here. We're going to have to look at it in terms of what's really useful and what do consumers like and use and what they don't.
So this is the end of the fiscal year. It's when we award our contracts. So we're just awarding contracts for evaluations now.
But it'll be fee-for-service Medicare. It'll be the managed care part of Medicare, and it'll be looking at sort of what the offerings are, how do they work, what's the functionality, what do people use and not use, things like that.
DR. COHN: Yes, and I'm sure that we'll be able to get updates as the work progresses and we can also decide if it's time for us to update our earlier report on this area.
DR. TANG: In addition to the functionality and what works and doesn't work, one of the specific areas when it's pretty populated, which I think is one of the intentions with billing data, is how that affects the value to the consumer.
In other words, because the claims data may not be in concert with the clinical data, how does that affect their understanding of their health and questions that may arise. Is that an explicit part of the evaluation?
MR. SCANLON: Yes, we're basing the evaluation -- and, again, the first step will be to make sure that we've covered all the variables, but really to look at all of the factors we would like to look at.
And you're quite right -- and, in fact, we will get the clinician view as well.
You see, as these PHRs are being advertised now -- I actually heard a disclaimer on one of them that the information here would not be the sole information for -- you know, for -- should not be used as the sole information for clinical decision making.
So you can see -- what does the clinician think the information is versus what -- it's often claims data. It's usually consumer health information and it's sometimes -- sometimes goes beyond that to other functionalities as well.
So we'll try to encompass the full range. We'll look at a lot of products and capabilities and then see sort of where this all comes out.
We are including focus groups. I think there's the potential for a larger survey, though. Though I think the survey might not make that much sense until our measures are a little bit clearer.
We'll have a technical advisory group as well.
DR. COHN: Others? Don and then Larry.
DR. STEINWACHS: Just quick.
A meeting yesterday, I understood from Google, the Vice President for Health, that they're going to make available a free PHR, and they're hoping to link that to all the payers. And so that -- what may be interesting about it, one, is how they design it and whether or not they follow our principles.
But the other, I guess, it makes it so it's not an issue where you change health plans and lose your PHR. This would actually allow you to, supposedly, keep changing health plans and keep your PHR, which I thought was possibly one of the limitations of sort of the health-plan approach.
DR. GREEN: Well, I just wanted to clarify again. These studies about utility, the way you described that, could you clarify, are those studies going to include people of all ages or just Medicare beneficiaries?
MR. SCANLON: This is just Medicare, Larry. This is a Medicare only.
DR. GREEN: Oh, that's a topic for discussion sometime or another about the utility of --
MR. SCANLON: Well, we could certainly look at -- This one was focused on Medicare pilots. We could certainly look at the applications more broadly in a related evaluation.
DR. FRANCIS: This is really a question to link this to our later discussions, but I notice a bunch of these initiatives raise questions about secondary uses of health data, and I want to be sure that we are as -- I wasn't on the Secondary Uses Committee, but I want to be sure that we're as fully responsive to the way the ground might be changing on this.
And, in particular, I'm interested in surveillance of the personalized healthcare and the ways in which secondary uses might be --
Is there anything you think particularly we need to know or will you be --
MR. SCANLON: Well, what we -- at the moment, we're just starting, and I think the first step will be what our researchers call an environmental scan. It's just basically looking at what is the -- what does the situation look like currently.
And you're right. It's changing fairly quickly. These products -- offerings of PHRs not only did they range in functionality from one extreme to the other, but they're actually changing in who's offering them and who sponsors them and whose data is it exactly.
So we'll have more, I think, as we go along. The first step, though, in about two months, will be an overall review. We could provide that to the committee.
DR. FRANCIS: I was actually interested in the personalized healthcare and secondary uses PHRs and whether the Secretary's priority --
MR. SCANLON(?): Well, but let's -- have to think of a different name.
DR. COHN: You can talk to the Secretary about that.
But why don't we reflect on your question after we've gone through the report and see if it begins to address your needs?
Now, one last -- I was actually going to let Paul have a last question or comment. Marjorie, do you -- you have to --
MS. GREENBERG: I have a very quick question.
DR. COHN: Okay. So, Paul, Marjorie, and then we will be moving to the next topic.
DR. TANG: So maybe the question is whether -- since NCVHS has had some recommendations on both the PHR and the secondary use and privacy, is there any role for interaction with this HHS project?
DR. COHN: Sure. Sure.
MR. SCANLON: I'm the -- I mean, it's out of my office. So we could -- we've already given them -- in our write up of the scope of work, we've already provided the framework from the NCVHS. So -- and we expect that to be part of the very framework itself -- and we can see if there's a way to perhaps -- we'll probably have a small technical advisory committee, not that any of you want to be on another group, but we'll use the fruits of NCVHS.
DR. COHN: Yes, and I think just maybe also we could also arrange a November -- which probably things will be up and running by that time, we could get a briefing for the full committee at our November meeting, since it's literally two months from now. Hard to believe, but true.
MS. GREENBERG: This is on the personal health record or the --
DR. COHN: Yes, it's personal -- No, no, no. It's personal health --
MR. SCANLON: PHR. PHR.
DR. COHN: It's the PHR project being sponsored by the --
MR. SCANLON: ASPE.
DR. COHN: By ASPE --
MS. GREENBERG: I just wondered if -- I should probably know this, working for the department -- but if there's a more expanded version of the strategic plan that does explicitly mention health IT or -- because I know health IT has always been one of the priorities, and I didn't see any mention of it in here.
And, as you said, clearly, all these goals can be enhanced by health IT, but, sometimes, it's helpful if the actual strategic plan also mentions it. So --
MR. SCANLON: It'll be -- Yes, this is just the outline of the goals and the objectives, but the full plan will be going up on the web this week --
MS. GREENBERG: And it will mention the role of health IT?
MR. SCANLON: Yes.
DR. COHN: Jim, thank you very much. So, as usual, lots going on and lots of intersections between the work and the NCVHS.
Now, let me just ask everybody. Right now, we are scheduled for a break. I think maybe the -- Do people want to go into the first action item and -- I mean, first discussion and then continue -- have a break afterwards?
Okay. I felt it was a little early as I looked at the agenda, and I'm checking with Harry and I think he is prepared to move into our first letter.
So what we'll do is begin to discuss the first letter. We'll take a break after that prior to the ONC presentation.
So, Harry.
Agenda Item: Subcommittee on Standards and Security Letter, Action September 26
MR. REYNOLDS: Standards and Security is bringing forward a letter today that -- you have a letter in your packet. You're getting a new one. Don't use the one that was in your packet, please. That was an earlier draft with comments in it that --
(Several participants at once).
MR. REYNOLDS: OK. You had what you thought was a new one that was an old one. And, now, you have the new one that is the official one. So --
MS. GREENBERG: And it has nothing to do with personal health --
MR. REYNOLDS: And it has nothing to do with personal or any other health record.
Just a very quick background. This letter is really focused on the first major change to existing HIPAA transaction standards.
So, as we go through the initial couple of pages, we're giving you a background in the original HIPAA and then a background as to what this changes for it, so that you at least have a sense as to what we're doing, and, then, you'll see the extent of the change, and then our observations and recommendations.
So I'll start by reading the letter, and I'll read each section, the background, and, then, each of the sections and stop for any questions.
And then the process will be is if there's any changes or significant questions we need to deal with, we will deal with them later today and tomorrow morning in our breakout session for standards, proposing that we get this approved in this session of the committee today or tomorrow, and we'll go from there.
So, “Dear Secretary Leavitt, Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics studies and recommends healthcare information standards. To fulfill this responsibility, NCVHS' Subcommittee on Standards and Security held hearings on proposed new revisions of the HIPAA transaction standards on July 30 and 31, 2007.”
As background, “The original HIPAA transaction standards were adopted in 2000 and amended in 2002. Since that time, hundreds of requests for changes have been submitted to the National Council for Prescription Drug Programs (NCPDP) and the Accredited Standards Committee (ASC) X12N, the Standards Development Organizations (SDOs) responsible for maintaining the transaction standards. Both have developed and approved new versions of the existing HIPAA transaction standards, and NCPDP has also developed and approved a new transaction.
“The HIPAA regulation process for reviewing and adopting proposals for modifications and additions to the transaction standards flows through Designated Standards Maintenance Organizations (DSMOs), consisting of SDOs and content committees, such as the National Uniform Claim Committee. They review the proposed standards after SDO approval, and make recommendations to the NCVHS regarding adoption. On July 30 and 31, 2007, the Subcommittee on Standards and Security heard testimony from providers, health plans, vendors, SDOs and others on the need to implement new standards forwarded in May 2007, the impact on the industry and implementation issues.”
Michael.
DR. FITZMAURICE: I have a suggested sentence to the first paragraph. I would add to it, “The purpose of this letter is to summarize the hearings and to make recommendations to you based on our findings.”
MR. REYNOLDS: Denise, you got that?
MS. BUENNING: Repeat that, please.
DR. FITZMAURICE: I would add --
MR. REYNOLDS: Michael -- Yes, if you'll just -- you have it written down there, if you'd just give that to her.
DR. COHN: Yes. You know, I would suggest, for the purposes of this conversation, that wordsmithing on this level, whatever we pass, will be subject to wordsmithing. This is not substantive change. So, yes, Michael, and we can take it off --
MR. REYNOLDS: Yes. Marjorie.
MS. GREENBERG: Oh, I just wanted to remind the committee that we have agreed that all of our letters will have a tag line, so we'll expect that from you all.
MR. REYNOLDS: We will tag it appropriately.
MS. GREENBERG: I think it was a good innovation.
MR. REYNOLDS: No, no, no, that -- No. Well said. Well said.
Under the ASC X12N Standards, “ASC X12N has developed a modified version of their standards, Version 5010, to replace the current HIPAA standards, Version 4010 (as modified by Version 4010A1) for the following transactions:”
And just sidelight for a second, as you listen, you see that we are listing every HIPAA transaction that has come out so far. So the changes that we are -- in this letter, affect all of these different transactions that are already in place.
So moving to the first bullet, ASC X12 834, which is health plan enrollment; ASC X12 820, which is premium payments; ASC X12 270/271, which are eligibility inquiry and response; ASC X12 278, healthcare services -- request authorization; ASC X12 837, which is the healthcare claims/encounters or institutional, professional and dental; ASC X12 276/277, which are healthcare claims, status request and response; and ASC X12 835, which is healthcare claim payment/remittance advice.
“There are four basic types of changes in Version 5010: structural, front matter, technical improvements and data content changes. Structural changes include the physical components and either add new data elements; modify length of existing data elements, data type, optional status; or remove data elements. Front matter changes are organizational revisions to ensure that each technical report covers the same topics in the same location, and that the standardization of topics is clear, more instructional and accurate. Technical improvements better accommodate the data collected and transmitted. Specifications for Implementation Guides reduce ambiguities from the same data having multiple codes or qualifiers or from appearing in different segments. Loop and segment repeat counts that were not always logical and sometimes excessive were reduced or removed. Unnecessary data content were removed and redundancies lessened. Needed additions of new information occurred, as in the ASC X12 and 278 healthcare services request authorization transaction, where a lack of data content for medical decisions about authorizations limited significant industry implementation.
“New 5010 functions, added in response to industry requests, include additional audit controls in enrollment transactions; qualifiers when adding or deleting dependents; support of ICD-10-CM for reporting diagnoses and other health conditions and support of ICD-10-PCS for reporting inpatient procedures; privacy issues, such as drop-off locations for other than home residences; a place to report additional deductions to payments; indications of the remittance method used by health plans; added support for 38 patient service type codes; support for reconsideration requests, made prior to the formal appeal; present on admission indicators; ambulance pick-up and drop-off locations; remaining patient liability; national health plan ID (when an identifier is adopted); alternate search options; requirements for the health care eligibility response that improve the value of the transaction and tighten situation rules; and information on the patient's portion of the payment responsibility. Certain functions such as ‘purchased service provider' and ‘referring provider specialty' were removed.”
Lot going on. Lot of changes.
Moving to the next one, the NCPDP Standards.
“The NCPDP HIPAA standards currently in place are the Telecommunications message format standard, Version 5.1, and its equivalent NCPDP Batch Standard Batch Implementation Guide, Version 1.1, used for transactions involving pharmacy providers or their authorized billing agents for pharmacy drug claims, and the main transaction between pharmacies, payers, pharmacy benefit managers and clearinghouses/switches. NCPDP has developed a revised Telecommunications Standard, Version D.0, to replace Version 5.1, and an equivalent batch standard, Version 1.2, to continue support for eligibility verification, claim, service, information report and prior authorization transactions.
“Version D.0 modified field and segment defined situations to be ‘not used', ‘required if', ‘required' or ‘optional', addressing the situational versus optional requirements from the HIPAA privacy regulations. Segment usage matrices now clarify which segments and fields are sent for each transaction type, and segments and fields within each transaction type. Enhancements to accommodate Medicare Part D include the addition of a ‘facilitator' entity and eligibility transaction, to provide coded patient eligibility information for Medicare Part D; and enhancements to identify and process Medicare Part D long term care claims. Medicare Part D enhancements include additional segments for processing of Medicare certificates of medical necessity; and new data elements for processing those transactions and assistance in the crossover of claims from Medicare to Medicaid.
“Version D.0 also supports coordination of benefits and collection of COB and collection of rebates for compounded claims; clarification for pricing guidelines; the addition of new data elements that give more specificity to the COB process; a new section on prior authorization added to the implementation guide; a prescription/service reference number increase to 12 digits; and transaction codes for service billing.
“A new Medicaid Subrogation Standard Implementation Guide, Version 3.0, addresses the business need for a standard that addresses the process whereby a Medicaid agency has reimbursed a pharmacy provider for a covered claim, and is pursuing reimbursement from other payers for these claims. Some states may choose to ‘pay' all claims in full, through a federal waiver, at the point of receipt, and ‘chase' reimbursements from responsible third parties after the fact. In the absence of such a standard, the proprietary interpretation of the Batch standard or other proprietary standards often are used. This is a new HIPAA transaction.”
Comments before we get into the observations and recommendations?
Leslie.
DR. FRANCIS: I didn't understand the first sentence in the section called, “NCPDP Standards.” Maybe a verb was in the wrong place, but it just didn't make sense to me.
MS. GREENBERG: It's kind of a long sentence, I guess.
DR. FRANCIS: Well, I guess it was what are -- Is it meant to say that the format standard and its equivalent NCPDP are the main transactions between?
It just didn't make sense to me.
DR. FITZMAURICE: Suppose at the very end we put a period after “pharmacy drug claim” and start off the next phrase with “These are the main transactions”?
DR. FRANCIS: That's what I thought --
MR. REYNOLDS: Okay. Fine.
DR. FRANCIS: That's what I thought it meant, but I just wanted to clarify.
MR. REYNOLDS: Right. That's fine.
Denise, if you'll note that, please.
MS. BUENNING: Got it.
MR. REYNOLDS: OK. And let's move on to Observations and Recommendations.
“Observation 1: Industry supports transition to X12N Version 5010 and NCPDP Version D.0 and adoption of NCPDP Medicaid Subrogation Standard 3.0.
“Based on the testimony to the Subcommittee from providers, vendors, clearinghouses, pharmacies and other industry segments, the industry supports the move from X12N Version 4010A1 and NCPDP Version 5.1 to Version 5010 and Version D.0, respectively. The majority of the changes and modifications to these updated standards are a direct result of requests by industry to address demonstrated business needs and, in their totality, reflect a long list of positive changes. There appears to be widespread consensus on the business case for adopting D.0. While there is less clarity regarding the overall business case for adopting Version 5010, there was general industry support for the move. Moreover, there are specific business drivers (the need to accommodate ICD-10 codes) that justify its adoption. There is support for adopting the new Medicaid subrogation transaction, which will standardize the subrogation process across states.
“While business rules (specific data) for Version 5010 are defined, business cases (return on investment scenarios) are not. Version 5010 is also complex. The Workgroup for Electronic Data Interchange (WEDI) conducted a cost-benefit survey, but due to an extremely low response rate was unable to provide statistically valid results. Without well-defined business rationale and return on investment data, the industry will be reluctant and/or unable to make the systems upgrades to implement Version 5010. However, it was clear that without the impetus provided by a Notice of Proposed Rulemaking, there would be little if any movement by the industry to begin planning for the adoption of these updated standards.
Recommendation 1.1.
“The Secretary should develop and issue a Notice of Proposed Rule Making (NPRM) to adopt NCPDP D.0 and its equivalent batch standard as modifications.
“Recommendation 1.2: The Secretary should develop and issue a Notice of Proposed Rule Making (NPRM) to adopt the ASC X12N Version 5010 suite of transactions to drive the industry toward standards harmonization and enhanced code standards.
“Recommendation 1.3: The Secretary should develop and issue a Notice of Proposed Rule Making (NPRM) to adopt the NCPDP Medicaid Subrogation Standard Version 3.0 as a new HIPAA transaction.”
Comments?
DR. FITZMAURICE: Just real quick. Before the first recommendation, two sentences up, “Without well-defined business rationale -- “ the point you're making -- I was trying to link that to the proposed rule making. So that is going to be addressed by rule making, is that what you're saying?
MR. REYNOLDS: No --
DR. FITZMAURICE: That'll be a persistent problem even after rules, even --
MR. REYNOLDS: That is --
DR. FITZMAURICE: -- new rules are adopted.
MR. REYNOLDS: That is correct.
DR. FITZMAURICE: There's really no answer to that other than --
MR. REYNOLDS: Well, yes, the point is that, as you see, it's a significant list of changes.
DR. FITZMAURICE: Yes.
MR. REYNOLDS: Will improve the standard, but, as of yet, we have received no significant testimony that talks about a stated or identified ROI, other than, as we've said earlier, to continue this process --
DR. FITZMAURICE: Yes.
MR. REYNOLDS: -- of making the standards better and continuing a journey towards things like ICD 10 and other things. So --
DR. FITZMAURICE: I guess the only comment was that sort of left me hanging as if, you know, was there a need for more information about this? I was just wondering -- and maybe you'll come back to it later, but I didn't remember that -- about trying to look at return on investment or is it just -- it is what it is?
MR. REYNOLDS: It is what it is.
MS. GREENBERG: On that point, an NPRM does have to include an impact analysis. So, I mean, there maybe should be some reference to that.
First of all, you said without an NPRM nobody's going to pay any attention to this, but, also, the NPRM will have to include an impact analysis and will engage responses on that, I guess.
MR. REYNOLDS: I think that would probably be a real good addition. Yes.
MR. BLAIR: Maybe it would be clearer if we -- we came very close to indicating this -- matter of fact, I think in earlier wording we might have had it in there -- that it was the testifiers from the industry that requested we move forward with the NPRM to get the process moving and get feedback.
So it was an industry request that we move forward and not just an NCVHS request.
MR. REYNOLDS: Yes, that was in there, but you're exactly right. We may want to make it clear.
DR. FITZMAURICE: Jeff covered my main point, but, still, as I read this sentence, as Don reads it, one would say, if this doesn't have a business rationale or a return-on-investment rationale, why are we making the recommendation?
And the answer would be the industry requested it, but more data is needed.
So I think maybe the sentence should be rewritten to emphasize the need for more information not to prejudge the industry. Because the industry asked for it.
DR. FRANCIS: This may be wordsmithing, but I'm not sure. “Business case” is used both in the singular and in the plural, and after it's used in the plural, the one example, you say, “that is return on investment scenarios.”
So I'm wondering is that one business case? Are there other business cases? What are the business issues? Is there a pretty clearly-defined set of what those are that -- or is part of the reason you're not getting data or responses that it's too defuse?
MR. REYNOLDS: It's too what?
DR. FRANCIS: Too defuse; that is, what I'm curious about, when you say, “businesses cases are not defined” -- right? -- what I'm curious about is is it one business case? Because elsewhere in the discussion there is a reference to one business case.
Is the business issue that you have in mind return on investment or is there some other business issue that you have in mind? And, I mean, that is, are the questions being asked business clearly defined? Is it just return on investment or is it something else that's a possible worry?
MR. REYNOLDS: Well, we heard that there are business reasons. OK. That's -- and your point is well made, because we tried to play with these words, because there are business reasons, and that's exactly why the industry came forward.
However, building a business case that includes an ROI was what we did not hear.
MS. MC CALL: A couple of thoughts -- and I'm trying to put -- while I wasn't at any of the hearings, I'm trying to put on a payer's hat.
And what I would say is that it's -- to me, it may not be about business rationale -- I think you heard that in industry's request -- but it may be industry saying that there's not a set of compelling circumstances for adoption right now or an overwhelming or obvious evidence of an ROI.
But what I hear your comments are that industry does recognize the need and the Catch-22-ness of the situation, and what they've asked for and requested is that we begin.
So it may be wordsmithing, but there's something about the core idea.
There is a business rationale and they ask that you start. It's just there's no compelling event.
MR. REYNOLDS: That's a good point.
DR. STEINDEL: Harry, I think Carol's point is very well made.
I think we specifically worded the recommendation not focusing on a business case, that we said we should move forward with an NPRM because there are other compelling reasons to do 5010 that we heard.
We did not hear the business case coming across as a compelling issue.
If the government is going to go forward and issue an NPRM just to find out information, the government has other ways of finding out information without going through the tremendous expense of the regulatory process of an NPRM.
So I would be reluctant to say that the reason we want to go forward with an NPRM is because we need more information.
So I think we have to be very specific that we did hear reasons, and Carol brought these out a little bit. There are other compelling reasons to move forward with 5010, and that's what we really said in Recommendation 1.2.
DR. SCANLON: My question is whether there's a need for another recommendation here, given our earlier discussions and entire meetings about the length of time it takes to revise HIPAA standards, whether or not we should be suggesting that it's more than just an NPRM. It's having the NPRM and then responding in sort of a relatively reasonable amount of time to the comments and issuing a final rule.
And the question is whether there's enough belief in sort of what these revisions involve and their value that we want to say that -- I mean, that we're anticipating that the comments are not going to come back and say don't do this and that the conclusion's going to be don't do this, but that we would say -- well, why don't you just -- the comments, but we'll act on them quickly.
MR. REYNOLDS: I would want to discuss that with the subcommittee, rather than add another one right here. But so we will take that as -- in consideration.
DR. FITZMAURICE: Part of it might be cleared up by wordsmithing the sentence to read, “WEDI conducted a cost-benefit survey, but, due to an extremely low response rate, was unable to provide statistically valid results on business rationale and return on investment.”
And then I would strike the part of the sentence that reads, “The industry will be reluctant or unable to make the systems upgrades to implement Version 5010.”
So, in other words, it focuses on they tried, but they couldn't get the data needed.
MR. REYNOLDS: I would hesitate. I think we heard plenty of testimony on the business rationale and business reasons.
If we were to add ROI there, I would feel a little -- I would personally feel a little better, because I believe we heard a lot of testimony on business rationale, business reasons.
But due to our other letters that we've sent forward talking about trying to really focus on making sure that these -- some of these things have an ROI, that would be my only comment.
DR. FITZMAURICE: So if we heard business rationale, then -- we probably shouldn't say, “without well-defined business rationale,” because we heard some business rationale, and that's persuasive to at least some members of the industry.
MR. REYNOLDS: I would agree with that.
DR. TANG: I guess I don't understand why we would have a cause for concern if the industry says there's a business case for doing this.
In fact -- HR has a poorly-substantiated -- quote -- ROI, but there is a true business case that fits with our mission of supporting patient care.
So, clearly, these folks, presumably, have business rules and business case for doing this. I don't know why we wouldn't leave well enough alone.
In some sense, you establish the rationale for doing it in the early part of the paragraph, and then interjected some of these questions, which I actually don't even understand in the latter part.
Does that make any sense?
MR. REYNOLDS: Well, I think -- well, let me answer your initial comment. We are recommending moving forward.
DR. TANG: I understand, but -- so I don't understand why we interjected a -- in some sense, this superfluous requirement of the -- there is no ROI. Well, there doesn't have to be if there's a business reason for doing it that fulfils their mission.
MR. REYNOLDS: Well, but we have -- this committee has sent letters forward, and one of the reasons that HIPAA has not been as successful in our previous letters was that there hasn't been a return on investment.
And, for example, we are going back and modifying some of the transactions that have not been fully implemented, which would actually return the ROI. So we're trying to keep in front everyone that we're still kind of focusing on ROI.
DR. COHN: Yes, I think, Harry, this one, without undue conversation, needs clearly -- the sentence needs to go back to the subcommittee. And I think we're all in agreement on that. And I think we've all -- even in earlier versions, many of us have commented that this is discordant with the recommendations.
I mean, if we believe this as it is written now, we probably shouldn't go forward with the letter. And I think most everybody is looking at each other and saying this isn't really -- that something else --
So, obviously, the subcommittee will be discussing it tomorrow morning. Paul, you might want to join in the conversation.
DR. TANG: Well, is there a philosophy that the whole ROI thing that we should discuss regarding any of our recommendations related to HIPAA?
I think HIPAA has to make business sense and it has to fulfill a mission.
I wasn't clear that it has to have an ROI the way it is discussed in economics or financial terms. It has to have a positive impact, those kinds of things.
MR. REYNOLDS: If it had to have had an ROI, we would not be bringing forward this recommendation to go forward.
DR. TANG: Then, I guess I would just recommend dropping that parenthetical expression, perhaps. I don't know why I'm --
MR. REYNOLDS: The subcommittee will take that under consideration.
DR. STEINDEL: I think that's the best statement, the subcommittee will take it under -- but, actually, in the administrative simplification act, the clear statement of it was to reduce cost. So it has to have an ROI.
DR. TANG: But an ROI -- it's very hard to prove the ROI -- But we do know that society benefits, but it's very hard to measure.
DR. STEINDEL: But in this particular case, the HIPAA act stated that administrative cost is now X percentage of health-care costs. I forgot what it was there. I think it was 26 percent, and, by enacting this, we will reduce that cost -- that percentage.
MS. MC CALL: I would support discussions that looked to remove explicit ROI components. And the reason is these are all things that enable other things, and they then beg not only the definition, but the knowing of what those other things are and the measurement thereof, many of which don't even exist yet.
And so it's -- talking about an ROI on a technology enabler just seems very premature. And to force that type of work just continues the Catch 22.
DR. SCANLON: Yes, just a question of how we're defining sort of reducing cost and thinking about the ROI here because in the context of HIPAA overall, it's the reduction in healthcare costs which are defused among providers, patients, as well as sort of the insurers that are going to be processing some claims.
And so there's a question of whether that's going to be taken into account and calculate some kind of major -- or aggregate ROI or we're talking about here a much narrower concept of ROI.
And I think they're potentially -- while the industry may not see an ROI, we don't know what's happening if we change things for providers, we change things for patients.
MS. GREENBERG: I guess since this conversation is going on, I feel like I should mention that -- I mean, as was noted, the 5010 enables the transition to the ICD 10 code sets. And this committee is already on record with a cost-benefit analysis that says that the benefits will exceed the costs.
Now, everyone may not totally agree with that, certainly in the industry, but, I mean, that is a major aspect of the 5010 and you're already on record with that statement. So this may be contradicting that as well.
DR. WARREN: I just wanted to make one comment to make sure that my memory of testimony is accurate or if it's something that I wanted to hear.
But it seemed to me that when the testifiers were there, one thing that was made abundantly clear is they all wanted 5010 to go forward. They saw the need for it.
They also told us for them to go to their boards and get the budgets to implement 5010 would be impossible until the NPRM was passed or issued.
So I think that's what we're trying to capture in the sentence.
MR. REYNOLDS: And, also, let me just say just a very brief history. If you remember, we did a review of HIPAA as a committee. We submitted a letter going forward as to whether there was or was not any return on investment and what were the key transactions and other things that would add to that return on investment.
This effort that we're putting forward here changes every one of those again. And there is nothing been put forward that says that return that we said was not there as a committee will be enhanced.
Yes, it is a glide path for future things. But some of the things that are going to be redone, which we already reviewed, are not, in fact, going to be enhanced from any kind of a return that we heard from testimony.
Remember, we deal with testimony. We deal with the industry. We don't just make this up. So that's one of the things --
So we will take this under consideration as a committee. We've heard everybody's input, but it's one of the things --
So we have to look at our own history also, just like we do with the privacy letters and everything else, which you'll see when we come forward this afternoon.
You know, if we're going to contradict ourselves or go back on what we thought was important, then, we need to have that as a discussion, so that we rechange our own history as to how we viewed things, not just make it news.
Okay. Moving on to Observation 2. “Various types of testing are needed.”
“Testifiers acknowledged that there was a need to test Version 5010 in real-life settings to ensure its interoperability and ability to support the transactions for which its adoption is proposed. The process of pilot testing and the parameters of that testing remain to be resolved. Three types of testing needs were identified: Testing of the standards themselves for workability; conformance testing of products and applications that send and/or receive the transactions; and 3) end-to-end testing to assure interoperability among trading partners.
“NCVHS recognizes the value of compliance testing services as a precursor to end-to-end testing of the software mechanism for Version 5010, and the need to pilot the use of the standard within organizations, as well as between partners as was done with claims attachment transaction standards. We also recommend that CMS and industry stakeholders work to standardize commonly used terms such as ‘pilot testing' and ‘compliance testing' so that all entities can make decisions based on universally-accepted definitions.
“Recommendation 2.1: HHS should develop a plan to work with the industry and the standards organizations to collect and analyze requirements related to testing (including defining the process of pilot testing) determine under which conditions pilots should be conducted, and when this testing should take place.
“Recommendation 2.2: HHS should advocate the use of compliance testing services for software and/or applications that would demonstrate a covered entity's ability to create and receive compliant transactions.”
Comments?
You'll see that we build on this in Observation 3 and further recommendations. So let's go to Observation 3, and then we'll come back, if we need to, or, actually, Observation 4 really builds on it.
“Observation 3: Outreach to all stakeholders is critical.
“The Subcommittee heard from stakeholders that the need is great for education and outreach regarding the adoption and implementation of Version 5010. Taking lessons learned from its experience with the National Provider Identifier (NPI), testifiers reiterated the need to cast a wide net to better inform and educate all industry segments as to how Version 5010 will impact their workflows, operations and other aspects of their respective businesses, as well as critical implementation dates. Special initiatives, such as a joint CMS/SDO/stakeholder Version 5010 education summit, may be needed to target small software vendors and other hard-to-reach groups.
“Testifiers proposed that HHS should undertake steps to collect and analyze data about the Version 5010 process, business impacts (both cost and benefit), return on investment and other information and make it available for dissemination. Another need identified is that of talking points and/or slide presentation to summarize this information. The presentation should be made available to stakeholders to assist them in building their business case and return on investment justifications relative to the expenditures of Version 5010 implementation within their organization. As this is the first update of the HIPAA standards and NCVHS also heard testimony in favor of streamlining the process to adopt modifications to the standards, possible changes to the modification process could be examined.
“Recommendation 3.1: HHS should identify communication approaches and strategies to educate and inform interested constituencies by partnering with responsible persons and organizations.
3.2: “HHS should develop materials to educate the industry regarding these standards, and in particular Version 5010 to enable industry and stakeholder implementation efforts.
“Recommendation 3.3: HHS should consider a summit or other similar event for gathering input regarding the adoption of these standards, as well as ‘lessons learned' exercise at the conclusion of this implementation process to identify best practices as well as issues/concerns to be applied to future standards adoption efforts, which also could include ways to streamline the adoption process for modifications to the standards.”
DR. COHN: I just have a comment that there needs to be something here that relates to the NCPDP D.0 standard.
MR. REYNOLDS: Yes.
DR. COHN: I mean, and I -- you know, you can choose what you want to put in, but this is fully on the 5010.
MR. REYNOLDS: They've been so good at what they did, we need to add something in there, yes. You're exactly correct.
DR. COHN: Well, I mean, for example, I think Recommendation 3 -- I mean, right now, it appears that the only thing that -- on is implementation of the 5010.
MR. REYNOLDS: Yes. No. Exactly. Well said and --
Yes, Bill.
DR. SCANLON: I think our explicit recommendations are fine and sensitive from a prior environment to hidden recommendations, and the potential hidden recommendation is another need identified as that of talking points and/or a slide presentation.
I think that gets kind of too much into micromanagement for us talking to the Secretary. We should be talking about this whole idea of developing information and disseminating it kind of at the level that we have in recommendations and not sort of imply that there's a format or anything that the Secretary should follow.
MR. REYNOLDS: Okay. Moving on to Observation 4. “The timing of standards implementation is complex, and critical to success.
“Testifiers expressed the need to test and verify Version 5010 before the implementation of ICD-10. Stakeholders testified that concurrent implementation of the Version 5010 standard with the changeover to ICD-10 would be burdensome to industry and result in errors, escalating system change costs and other barriers.
“Because implementation of the ICD-10 code set is depending on the implementation of Version 5010, it is critical that the industry is afforded the opportunity to test and verify Version 5010 a minimum of two years prior to the adoption of ICD-10. In addition, the compliance date for the new Claim Attachment standards, for which a Final Rule has not yet been published, will also necessitate significant system changes, and should not be done at the same time as Version 5010 or ICD-10.
“Testifiers discussed lessons learned from prior HIPAA implementations, and identified potential barriers and resource issues. The importance of vendor compliance was stressed, as practice management system vendors are key to provider compliance, and delays in vendor rollouts of compliant products have delayed end-to-end testing. The resource-intensive nature of testing, particularly end-to-end testing, was also noted.
“A variety of options for staggering the implementation of Version 5101 and D.0 modifications were offered. For example, the compliance date for plans and clearinghouses could be a year before the date for providers in order to facilitate end-to-end testing. Alternatively, different compliance dates could be assigned to different transactions (for example, implementing the claim and related transactions first.) Testifiers also attested to the importance of allowing dual processing (old plus new versions) for a sufficient period of time to allow end-to-end testing to occur.
“Testifiers indicated that it is important to engage industry in end-to-end testing as soon as possible. It was noted that widespread use of compliance testing services, which allow entities to test products and applications to assure they can create and accept compliant transactions, could simplify end-to-end testing by assuring that individual products are compliant in advance. An alternative to staggering implementation would be to phase in compliance by establishing consecutive periods for compliance testing and end-to-end testing.
“Recommendation 4.1: HHS should consider establishing implementation periods for two different levels of compliance. Level 1 compliance would meant that the covered entity could demonstrate that it could create and receive compliant transactions. Level 2 compliance would demonstrate that covered entities had completed end-to-end testing with all of their partners. HHS should also take into consideration industry feedback indicating that for Version 5010, two years will be needed to achieve Level 1 compliance.
“Recommendation 4.2: The implementations of Version 5010, ICD-10 and claims attachments should be sequenced so that no more than one implementation is in Level 1 at any one time.
“The NCVHS appreciates the opportunity to provide these recommendations.”
DR. GREEN: I'd like to ask for just a little further clarification of the implications here of the sequencing and the timing.
If it takes two years to get Level 1 done, an unknown amount of time for Level 2 to be done and nothing else should happen until that's done, someone do some arithmetic and say when do we think the United States might have the ability to do this.
MR. REYNOLDS: Okay. I think you misinterpreted what we're saying.
What we're saying is at the end of the -- let's say a two-year -- whenever -- we're saying that none of these can be in Level 1 at the same time.
So let's say that you give -- as we heard testimony -- you give everybody two years for Level 1. Immediately upon that you could put your next regulation out.
So every two years, you can start rolling new regulations out. It's just that it's overlapped by the actual rollout period. But we're saying that every two years, you can put out a big new change is the way this thing is set up.
DR. GREEN: So let me go back to the issue of adopting ICD-10. When might that happen?
MR. REYNOLDS: If you did a reasonable math on this, you're looking at 2013 or so.
DR. GREEN: Well, I mean --
MR. REYNOLDS: Whoa. Time out. Just remember, we're talking about a structure. Let's take NPI as an example, which we oversee.
We had a two-year implementation period, and then everybody said, “We're not ready.” And, now, we're still trying to get it done, because there is no good way to have any jurisdiction --
DR. COHN: Yes, and, Harry, it could actually be 2012.
MR. REYNOLDS: It could whatever it is. Yes, I was using that --
MS. GREENBERG: How did you get to 2013? Because this is the first time I've heard that date, and I must say --
DR. COHN: Well, I think we've gone out of our way to not actually name dates in this --
MR. REYNOLDS: Fine. OK. I'll --
MS. GREENBERG: Well, I think it's important, though, in relationship to Larry's question is to what are we really talking about here.
DR. GREEN: Simon, this is -- I mean, you're asking for substantive discussion here as opposed to wordsmithing. This strikes me as a very substantive issue to send a letter that when you do the arithmetic of it, basically, is tantamount to saying we should not be anticipating implementation of ICD, then, until 2013 --
DR. COHN: Well, while I think we can certainly discuss that, I do want to just reflect on previous letters that the NCVHS has written which talk about -- and this is back -- I think -- back to 2003 when we actually recommended ICD-10 going forward that we talked about the industry needing a two-year implementation at that point. That's my memory of that letter.
MS. GREENBERG: Talk about what?
DR. COHN: We talked about a two-year implementation -- back in -- recommended in 2003.
So I guess it's a question of trying to figure out how to do the math on this one.
But you're right, it is a substantive conversation the committee needs to have.
MR. REYNOLDS: Yes, let me make one other comment. Regardless of -- using history and using the testimony of wanting two years, at least, for each entity to be ready with the next big change -- and there are over 1,000 changes to 5010 across all these things -- the way this is worded, the Secretary could say that Level 1 is one year and Level 2 is a second year. Then you start moving things faster.
The point is that right now with the way it's structured and the way it's happening, we end up with contingency periods that seem to go on and there's no way -- there's no jurisdiction over a contingency period.
And so this allows that covered entities have to be ready at a certain point, and we're not saying using reasonable math, not -- right, wrong or indifferent. And I'm not for or against whatever we're -- I'm talking about the structure of implementing standards.
Whatever those dates are, it's an industry moving together. We have already written numerous letters about that the industry doesn't move well together, and so we're trying to add more structure with having people have to answer to certain levels of things, rather than right now we say everybody be ready in two years, and then we go -- everybody's not, and then we go into a contingency period which kind of leaves things open.
So we're trying to build a structure --
The Secretary, if you noticed, it does not talk about any dates and times. The Secretary has a right to, obviously, deal with that in whatever necessary way that's appropriate to allow the industry to actually implement these large situations.
DR. STEINDEL: Harry, if I can comment directly on Larry's point, this was something that concerned me greatly during the hearings, and there's several of us who are aware that there are just specific structural changes that could be made in the existing HIPAA transactions that might expedite the introduction of ICD-10.
And we did question the industry at length on this. And, generally, what we found, from an industry-consensus point of view, that, in actual fact, it would not speed up the introduction of ICD-10 significantly.
It has to do with the testing period, that even if we just make small changes in the existing transactions, we still have to test them and verify them. And while it may shave a year or so off the process, the net effect would be that it would actually increase the cost of introducing the whole system.
And that's why we decided to go this route, 5010, and then ICD-10, because we just didn't see any gain in introducing anymore expedited method. So we did investigate it in testimony.
DR. FRANCIS: I was puzzled by, first of all, the way you said, “should consider,” which is a really sort of fuzzy word there. I'm not sure what that means.
But a more specific question: Do you intend to have -- to recommend to the Secretary that these time periods should or should not be part of the notice of proposed rulemaking?
That is -- that's something that could be, you know, what are the -- what's the timing for implementation could be part of the notice of proposed rulemaking. The Secretary would propose implementation time periods. And then there could be comment on that. That would be a much stronger way of trying to get some discussion of what makes sense on the timing.
MR. BLAIR: If we look at our recent history with respect to HIPAA dates for promulgation, the industry hasn't -- despite the fact that they're listed as mandates, the industry has missed those deadlines a couple of times, and it's backed up a year or even more than a year.
One of the things in this letter is an attempt to try to respect what the industry is telling us about the time that they need, but, at the same time, invoke a milestone.
So what we added to this structure is two levels of compliance and certification, so that the industry doesn't wait until a year or six months or three months before a mandated date and says, “Oh, gee, we don't have enough time.”
So the addition of the Level 1 certification is an attempt to try to at least ensure industry ability to meet the time lines that they tell us -- that they tell us -- they can make.
So I think all of us are frustrated with the time frames, but it's pretty hard to go back to the industry and say, “I know that you testified that you need these time frames, but we want to shorten them.”
On the other hand, what we try to do is constructive to say, “Okay. You've given us these time lines. Then if you're doing -- if you've given us these time lines, then you should be at a stage a year before it's mandated for use to have Level 1 certification.”
MS. GREENBERG: I think the idea of the staggered or the two compliance levels is good. I think the idea that, first, everybody sort of -- systems are set, and, then, they have to then go through the testing process, as I understand it, I think that's positive.
What I don't think, though, is that the subcommittee, at least -- and I think I attended the hearing -- the relevant hearings -- heard any testimony about what would be the impact of not implementing ICD-10 codes sets until -- for, say, another six years.
It's my understanding that ICD-10 -- ICD-9 CM, Volume 3, is so broken, at this point, that -- I mean, to continue with it for another six years maybe you don't even want to collect it at all. I don't know.
It's completely -- it's supposed to be -- run out of codes by -- I think it's 2009 for it to be a sensible classification at all.
Not to mention that other countries -- all the other countries that we would associate with and exchange data with have been collecting ICD-10 for morbidity since the early 2000s.
So I think -- you know, you do have to do the math, and I don't remember hearing any testimony about the impact of going that long with the ICD-9 CM code sets.
DR. COHN: Yes. I guess I'm reflecting on your comment, Marjorie, first of all, that it may be very appropriate for Standards and Security, as part of the next phase of activities, to go back and ask the industry about some of the issues.
And we spent a number of years, in the early part of this decade, going through some of these. And, admittedly, we did come up with recommendations, which are now four years old.
I guess my thought is is that we probably don't want to necessarily adjudicate this particular issue in this letter. And I think it's really an issue for sort of a subsequent letter.
I guess I was sort of taken that probably in Recommendation 4.1 making some sort of a comment in the last sentence, which talks about the peer implementation as being something that they should consider. I think it was Leslie who sort of commented that we should also probably put in something that says this should be something that we should ask. We recommend that they verify that as part of the NPRM process, just because, obviously, we heard something, I think we need to make sure that the industry really has heard, in terms of time frames, that makes for implementation.
But, as I said, my own concern, obviously, and when I began to see this letter, you know, I mean, it could take a considerable length of time for us to go back and completely revalidate the ICD-10 process. And I think we wouldn't want to see 5010 held hostage in the process, only because I think most of us think it's a precursor to moving towards any of these things that we've all supported previously.
MR. REYNOLDS: The other thing --
DR. COHN: I'm sorry, Harry. That's my comment.
MR. REYNOLDS: Another quick, it took five years to implement the first HIPAA transactions. It's taken four, by the time it's all done, to do NPI, which will be the easiest standard implementation that we've had to date.
The industry, in general, is also -- we all know about AHIC. We all know about the other things. Those things are also going on at the same time.
So regardless of what we do or don't individually believe, being an implementer at home, regardless of who you do or don't work for, these are 1,000 changes that everybody has to do with everybody in their state and everybody that they do business with.
So no matter who does the math or how they do the math, the point is we're trying to put a structure down that says -- which is different than right now. There's a two-year period, and, then, whoops, we're not done, but we'll kind of keep it going ‘til you get done.
We're trying to establish a process, whatever the timing is, to put a little more kick in both of those phases, so that people could complain if somebody they want to do business with is not done at the end of Level 1, which, right now, we get to the end of two years, everybody says, “I'm personally done,” but we're not done with each other.
So remember the process. We all have individual issues that we deal with, and, trust me, all these are far out, unless you happen to be handed the assignment. Then, they're pretty close.
DR. COHN: Yes.
MR. REYNOLDS: So businesses have to decide. They have to get the money. They have to get the resources. They have to put it in place. Then, they have to test, for example, with 15,000 providers and other people.
So it's just -- it's the reality of changing this whole industry, which we underestimate sometimes, because of a subject. And so that's what --
DR. COHN: Yes. Harry, Harry, what I'm going to suggest is got two more people with issues or questions.
We need to get back -- we need to give everybody a break and try to get back to some semblance of schedule.
What I would also recommend is that those who have ongoing issues with us that there is a meeting of Standards and Security tomorrow morning at 8:30, and, obviously, that would be -- I'm sure that the subcommittee would be more than happy to have additional attendance to help adjudicate some of these issues.
MR. REYNOLDS: This is setting a structure for the future that tries to put even more order to it than it has. And we need help in any way we can, because this will be a major move forward one way or the other.
DR. COHN: Yes.
DR. TANG: I have sort of more of an uber comment that I think just as a way -- because, in a sense, what I heard is a compelling case of an industry-requested, an industry-endorsed revision to HIPAA transaction standards that's a prerequisite for carrying out an NCVHS recommendation that addresses delivery of high-quality healthcare in this country.
And I think actually you introduced a little bit more doubt than you needed to, that if you went forward with this kind of an approach, you could lay out a series of steps and your new framework that would just fit your compelling case that you essentially laid out, only planted seeds of doubt that were perhaps unnecessary and confusing. Because by the end of reading the specifics, I then had some doubt that I couldn't cope with.
Yet, after listening to all the discussion, you have a very compelling business case. And that's sort of what I heard.
DR. STEINWACHS: Just one comment. I found very helpful the discussion we had that you were talking about why this two-phase approach is important to remedy the past problems.
It would be great in the text if there was a line or two that just said, in the past, there have been failures to be able to get -- reach full implementation, and that this approach -- you know, what's being proposed is an approach that this committee feels could help alleviate that problem in the future. And I think that would help the reader understand those recommendations.
DR. COHN: Larry had one final --
MR. REYNOLDS: Larry, you had a comment?
DR. COHN: And then we'll wrap up.
DR. GREEN: Yes, well, I wanted to go back to my question and indicate two things.
First, I take your points very well about the need for structuring as saying that this is the intent.
And, Simon, I take your point about this is not the letter to adjudicate a lot of other things in.
That said, the word “industry” is an ambiguous term in this letter. And I want to repeat, as I did at the beginning of the meeting, I have no conflicts of interest here.
But there are other industries that need this structure and need this to happen yesterday to achieve the aims of healthcare, to build the information highway, to do what we want to do.
So what I believe to be the substantive issue pertinent to this letter is to establish the structure, stay on task with the 5010 issue, but avoid creating opportunity for further delays.
I heard histories of there already being delays. And I'm concerned that we should not set this letter up with the notion that by being methodical and careful this will go well and it'll get done and it turn out that we find ourselves -- well, I guess someone else will be sitting here six years from now, won't they? -- looking back at this letter and saying --
MS. GREENBERG: Including here, yes.
DR. GREEN: -- “What the heck were they thinking?” You know, I mean, we need to get on with this.
So that's what I believe to be an important thing for this letter is to avoid recommending to the Secretary that a system and a structure be put in place that will guarantee delay.
MR. REYNOLDS: Any other comments?
Thank you -- and you were all awake --
DR. COHN: That's right.
And you were all wondering a) why we let Harry go through the whole letter. Also, you were also wondering why we were going to not adjourn ‘til 2:45 tomorrow, and this is obviously part of the conversation.
Anyway, with that, why don't we take a 10-minute break. We'll reconvene at 11:05.
(Break).
DR. COHN: Our next session leads off with an update from the Office of the National Coordinator, and we're obviously delighted to have both Kelly Cronin and Jodi Daniels joining us.
Congratulations to both of you, one of you on your intending marriage and the other one on a child and being back at work. So congratulations to both of you. We're obviously very pleased to have you joining us.
Obviously, I think the purpose of this conversation was to talk some about current projects and initiatives, as well as we know you wanted to brief us on the -- sort of the -- what's going on with AHIC and the successor plans and all of that.
Now, from there, what we're going to do this morning, before lunch, is to begin to have discussions around the Secondary Uses Report. And the way we're going to sort of organize this is that, hopefully, before lunch -- and we have overheads as well as paper for discussion -- but, before lunch, what we're going to try to do is to get through sort of the background common themes, all of that stuff, using overheads.
And, then, after lunch, what we're going to do is begin to drill down into observations and recommendations.
The end of the day, you know, it's not just us talking about them from an overhead, but people need to be comfortable with the actual wording and the way it's discussed, knowing, as I've said, that we don't want to do wordsmithing, but that people -- you know, that there is, obviously, always some sort of a dissonance between people trying to do shorthands of recommendations or observations that wind up not being quite what people thought it was going to say.
So what's going to be the purpose on that is to make sure -- you know, finding out where people are aligned, where there are significant differences or issues, not so much at the wordsmithing level, unless it deals with content. And that will obviously move us through much of the afternoon.
Agenda Item: Office of the National Coordinator
DR. COHN: So, with that, Kelly, did you want to lead off? And thank you.
MS. CRONIN: Sure. Thanks for the nice introduction, Simon.
I often tease David about, after his departure, all of a sudden, everyone in our office seems to be having babies and big things are happening.
So while we can't claim to have normal lives now with our office, at least we have moved on personally.
Anyway, I thought you all probably have been updated by Rob and John Linsk(ph) over the last six months with a lot of the activities going on in the office, but we thought we'd spent at least a few minutes to give you an update on where we stand with the American Health Information Community in terms of transitioning to a public-private partnership --
We thought we'd give you an update on what's happening with the planning to transition the American Health Information Community into an independent public-private partnership that will be a new legal entity and touch base on where we stand with the -- trial implementations.
And, then, Jodi can also give updates on other work in the office, particularly that related to privacy and security or our state-based efforts.
So starting off with the AHIC, what we're referring to now as 2.0, since that's an easier way to sort of brand this before it gets a life of its own.
Over the last six months, we've spent a lot of time trying to conceptualize how this might work, and we started this through letting three different contractors look at how such an organization could be designed from an organizational structure perspective.
So how would a board be structured? Should it be a membership organization? If it is, how might you represent various stakeholders in the healthcare and public health communities? And how would you create a sustainable business model that would be viable over time, in particular through transitions of administrations or -- you know -- as we know that -- as the market will evolve, hopefully, for health-information exchange, and as the HR adoption increases?
So in getting some input from Booz Allen Hamilton, Avalier and a small -- consulting firm that convened sort of a network of healthcare leaders, Alchemy, we had a lot of good ideas presented in June to AHIC and the Secretary around how this might be achieved.
And so with that input, we then did a lot of internal planning and had the expert advice from Dee Hock, who, many of you know, is the founder and former CEO of Visa, who has really extraordinary experience to bring to this effort in that, even though the banking analogies are often not directly relevant, the organization that he created, both nationally and internationally, and how it evolved is quite illustrative.
And he had a lot of insight into how to deal with the political complexities, the legal complexities and how to make this, perhaps, viable from a business perspective over time.
So we had the advantage of his guidance and advice over June, July and August, and also had some senior legal subject matter expertise outside of government helping us with some of the legal aspects of how this might be structured and how can you ensure a definitive role for government, since we are committed and realize the importance of having the federal government, and, really, government at all levels, an equal partner in this effort.
This is not really an effort to privatize governance, per se. It's really an effort to make this more of a truly meaningful partnership across the public and private sector such that decisions can be made and there could be actions taken to realize a lot of the vision that we've all been articulating over the last five or six years.
And I think, now, we all recognize -- I mean, advisory functions are very important. Not only has this organization played a really important function in -- you know -- for conceptualizing the NHIN -- and AHIC has done its part more recently to try and engage people at a higher level and doing a lot of work at a workgroup level, but it is just advisory.
I mean, technically speaking, you can only advise the Secretary and what HHS agencies could potentially act on. And, in spirit, AHIC was designed to be more of a public-private partnership where there would be an informal agreement among those represented through private-sector committee members that they could also be taking action. But, again, you have to think what are the boundaries of such an organization.
And, if, eventually, what we want to evolve into is more formal governance that could potentially play a governance role over the nationwide health-information network, then we need to be sort of reevaluating what is the appropriate type of organization to do that.
So in thinking through a lot of these issues, we have proposed some key attributes and functions that we think the organization should take on or at least putting it out there really for food for thought. So we released a white paper in August.
We have received, I think, 52 or 53 comments, and many of them very thoughtful. So we're still in the process of really reviewing those and trying to synthesize those and plan to release a summary.
And, then, we also had two public meetings in August, one led by the Secretary on August 17th and another one on September 5th that was really more targeted towards potential applicants for a cooperative agreement to actually get this whole effort started.
So a notice for funding availability for this cooperative agreement was published back in August, along with the white paper, and really spelled out sort of what we would hope a potential applicant might consider in coming forward to do this work, not really specifying how they should do it, but more the process and the expectations of how they would come together and represent different interests in the form of a collaborative.
So we expect that there'll be sort of one trusted and neutral convener that would sort of do all the heavy lifting in what we're calling Stage 1, which we anticipate will be from November to March or April.
And they really will -- not only the grantee and the neutral convener -- doesn't have to be one and the same, but it could be -- would be convening a planning board representing the different interests.
And they would actually be doing the organizational design. So they would be thinking through what does this look like? Who should be represented on the board? How should membership -- if it is a membership model -- be pursued? How should people vote, both at the board level and the membership level? How do you make money? How do you sustain this effort over time? What are the core functions and the mission of this organization? Are they in agreement with what has already been proposed in the white paper and in other public discussions?
So they'll really have a lot of work to do between November and March and April to really get this off the ground.
And, then, at the end of that time period, they'll be expected to set up a new legal entity, and that means articles of incorporation and all the formal governing documents would have to be created and submitted.
And, then, under Stage 2 of the cooperative agreement, we, then, have the funding from HHS going to this new legal entity.
So it really would have to be operating by the spring of next year, and, at that point, we'll really be more deliberately transitioning some of the work that AHIC is doing now onto this other group.
So we would hope not to lose the current priority areas that we're taking on, but, instead, figure out a trajectory to transition them.
So there's a lot that would have to be worked out in terms of how exactly that will happen as the planning phase really gets underway. So we may not know who specifically will take on, for example, quality and health IT issues.
And we're also expecting that, in part, HHS will be providing up to $13 million over two years, but we would hope that -- and have explicitly said this in the cooperative agreement or solicitation -- that we expect the resources that will be required will go beyond that amount, and we would like to see private-sector contributions to match that initial HHS investment.
So that's more or less where we stand now.
We expect to have applications in for the cooperative agreement by October 5th. And then we'll have a fairly quick turnaround in terms of an expert-based review panel, and then expect to award the cooperative agreement and get this all started by the AHIC meeting in November, the second week of November.
So we're doing that meeting in Chicago, in conjunction with the AMIA annual meeting, and should have everything wrapped up, in terms of the agreement, by that date, and then the hard work will get underway.
So I can answer questions if people have questions on that.
DR. FITZMAURICE: Just a quick -- how many millions of dollars did you say that ATHS will start off the 2.0 with?
MS. CRONIN: Well, it's, as you know, Mike, you can't necessarily commit to future budget years, but --
DR. FITZMAURICE: You mentioned a number. I didn't --
MS. CRONIN: Yes, it's up to $13 million. So we'll start off with -- you know -- whether it's under CR or whatever our budget situation might be for ‘08 --
DR. FITZMAURICE: We won't hold you to it.
MS. CRONIN: Yes. No. No. So I think, yes, that the intent is to make it a multi-year commitment and that cooperative agreement will be multi-year, too.
DR. COHN: Yes. And maybe -- I'll just ask it -- maybe an additional question is is part of that -- is that intended also to fund efforts around HITSP in terms of its evolution or is that a separate piece?
MS. CRONIN: Very good question.
We have contemplated -- I think Rob has also said this publicly -- that we would have contract dollars that -- for the option years of HITSP, CCHIT, at least for CCHIT, those that would be targeted towards developing the criteria that that could be funneled through this new organization.
Now, a lot of that could play out in terms of -- or be impacted by how the organizational links are determined in this planning phase. So it would really be up to the planning board to figure out what kind of organizational links will be either more formal or less formal between HITSP, CCHIT and AHIC 2.0.
I mean, there's pros to make them all part of one umbrella, in one fashion or another, and there's cons to that.
So I think, clearly, CCHIT has -- you know, starting to develop a sustainable business model. And they're perhaps more mature, in some ways, but we do recognize the importance that if AHIC 2.0 continues to sort of set priorities for the national agenda that those priorities actually, then, can follow and guide a lot of the activities. So having some kind of explicit link between the organizations will probably be necessary. How that plays out legally and from a governance structure perspective has yet to be decided.
DR. FRANCIS: I'm curious about how -- what kind of thinking is going on about how certain public priorities -- say, if you think of privacy protection as a public priority -- will get represented in the structure.
MS. CRONIN: That's a great question, and I think, again, the scope and mission of the organization will be finalized during this planning phase.
But I think many people recognize that you can achieve interoperability with appropriate privacy protections.
And the Secretary has been very clear in that policy development -- federal policy development will always be the responsibility of the federal government.
That said, there may be some role, in terms of complying with federal and state laws and making those perhaps -- have them implemented in such a way that there is greater privacy protections or appropriate privacy protections. That clearly could be considered by this planning board and the organization as they mature.
It has been sort of -- what's been proposed is really more focused on achieving interoperability, and, in the short term, trying to take on this role of really setting priorities and trying to coordinate standards harmonization and certification.
But as we start to see an emerging NHIN fostered by these trial implementations over the next couple of years, and other market activities, and there is more of a governance function, then, I think that the organization is going to have to contemplate what is their role, not to replace or to develop policies, but perhaps to make sure that there's compliance with.
And in terms of representation of consumer interests, there is definitely a very -- I think a keen awareness of how important it will be to represent different consumer groups. And there's been a lot of thought about how that might happen, how many board seats, what kinds of organizations, how do you get the expertise and knowledgeable people to be voting on behalf of consumers. These are all challenging issues that will be contemplated by the planning board, and, in fact, I think some of the people who are actually interested in applying for the cooperative agreement are actively thinking through that now.
So it's definitely an important point, and no matter what the scope of the organization, consumers will have to be well represented.
DR. STEUERLE: I'm just wondering, as you debate this new structure, I mean, I see so much of what we work on is dealing with interoperability, coordination, often very much avoiding violating privacy concerns, making sure various consumer groups are representative.
But when one looks at the technological advance, there's also sort of a competitive version of this, which means you get competitors out there really jumping out there, taking risk of violating concerns that others might have, jumping ahead of the game, often, in some of these areas, creating natural monopolies, because, in some areas, it's -- you know, that's what IBM did and that's what Google does and that's what -- And we haven't really got that because we keep dealing with a lot of constraints.
And I guess I'm just struggling to think of how -- how does this structure not just promote cooperation? But I think that competition that's going to allow people to make some of these leaps ahead, as opposed to always worrying about all the --
I mean, for instance, standards, I think we'll be dealing with standards for 100 years. We should be, because, hopefully, we'll be developing them. But we can't let that constantly be a constraint on what I think some of us think are some abilities to leapfrog ahead.
So I'm just curious how this structure is going to deal with that struggle, which is, by the way, the same struggle I think this committee has at times.
MS. CRONIN: Yes. It's a great question, and I don't know that anyone has the right answer right now, but I think, clearly, we've thought a lot and tried to communicate, you know, this idea of being a very nimble organization and allowing for a lot of ideas and innovation in the marketplace.
In fact, one of the ideas that came out of the original three contracts was to create an innovation fund, sort of like a social capital fund. And we have done some more thinking on that. It'll be up to the new organization to decide if they want to go down that road.
But there clearly -- there could be a lot of very creative things that could be done to allow for innovation at the local community level or local market level, and, you know, what works and perhaps could thrive in a larger market.
I think that -- you know, we're so early on in experimentation on a regional or state level that we don't necessarily see how it's going to play out yet exactly.
But this organization would really be, perhaps, playing a role of accrediting or qualifying organizations that would play on a national level if they're going to connect to the NHIN in some way, but, in doing so, not be creating a barrier to health-information exchange or connecting, but, rather, sort of making sure that there's good actors in the system and that people are acting responsibly and able to share data that we all think is sort of a responsible way and an effective way of doing so.
So our hope is that this will allow -- it'll allow for enough flexibility to really encourage the emergence of an NHIN, and probably think through some creative options on how to best get there.
Another thing that we've all recognized, and the Secretary and Rob has said this many times, we are, in many ways, very restricted by our budget process. I mean, you know, we're totally at the whim of the -- you know, what happens in the Senate and the House this next year is a very good example of how we got -- we'll probably get close to half of what we've requested for our budget, which makes us very limited to do the kind of trial implementations and get the kind of experience across communities that we originally thought we would have.
So if, in fact, there's real excitement and agreement across sectors on how to make this real, you could end up perhaps having a much more rich set of resources to make this happen, if you're creative about it.
DR. COHN: OK. Mike, Jeff, and then we need to move on to Jodi's presentation at that point.
DR. FITZMAURICE: I had asked about how much would go to this committee, and you said, oh, roughly $13 million you were thinking of, without being very specific that would be the number.
And, then, Simon asked, “What about HITSP funding?” and you said, “Well, there are pros to making them all part of one umbrella.”
“Them,” I assume, is AHIC, HITSP and maybe CCHIT.
So that one possibility, out of the many possibilities, could be that the $13 million wouldn't go just to one committee, but would be used to cover all three entities. Am I right about that?
MS. CRONIN: Yes, I mean, that would be pure speculation at this point. We haven't really --
DR. FITZMAURICE: But that's what it means.
MS. CRONIN: Yes. I mean, sure. I guess it could be one potential alternative.
I think that it's really going to be up to those who are going to lead this organization, and govern it, to decide how they want to use their own funds.
But if there were contract dollars that were filtered through in future years, so let's say the ‘08 option year, fiscal year ‘08, we have option years for both CCHIT and HITSP.
If the money were to be funneled through the organization, it would likely be funneled directly through them, and so there would be -- it wouldn't be part of the $13 million. It would be a separate amount of money.
And in terms of how they would use up to $13 million, it would be up to them to figure that out.
DR. FITZMAURICE: You answered my next question. I have no more. Thank you.
DR. COHN: Okay. Jeff, final question on this one before we move to Jodi.
MR. BLAIR: Yes. Thanks.
Kelly, on the NIHN trial implementations and on the accelerating public health situational awareness from CDC, they're on the same time frames. They have many of the same tasks. Many of them are identical.
One of the use cases for the NIHN trial implementations is bias surveillance.
Could you give us some idea of how these -- they're obviously -- they were obviously prepared in coordination with each other.
Now that there's about to be selections of those, what's being done to coordinate overlaps? Where you have some states or entities that have been granted one from CDC and the other from ONC, how are you going to be coordinating that?
MS. CRONIN: That's a great question, and I think that there's a strong desire, in particular on behalf of the folks in ONC, to coordinate as proactively as possible and really try to connect these communities in a sort of social and technical perspective, because we see an awful lot of opportunity to facilitate a lot of lessons learned and sort of work through issues real time if the CDC trial implementations can be part of the NIHN cooperative.
So I think it's our hope that this will be very well coordinated and that as workgroups get together and the NIHN cooperative gets together that everyone will be able to figure out some of the really tough issues with sharing data and mapping and interfaces and data-sharing arrangements.
I think we're very hopeful that we will be able to work closely together and that CDC will be willing to encourage all their contractors to be part of that process.
And I think -- I know John Linsk has had a few conversations with folks at CDC about that. I'm not exactly sure where the plans stand at this point, but I'm sure he could report back with any progress.
MS. DANIELS: OK. I'll be as brief as possible, so that there's time for questions and that I don't hold up the agenda too long.
I was just going to give some brief updates on some of the state-level work, particularly the areas of privacy and security, but also some other policy and legal issues that are being addressed at the state level and that ONC is encouraging along.
The first is the Health Information Security and Privacy Collaboration, the HISPC, which I've briefed you all on before, just to give you the update on where that stands and where we're going to be going with that.
There were 34 states and territories that were involved in the effort to look at privacy and security policies and practices in underlying state laws regarding privacy and security, look at variations, look at where there are challenges and identify solutions and implementation plans to address whatever challenges they face that they identified with respect to these policies and practices and laws and the effect on electronic health information exchange.
The 34 states did all this work, and our contractor, RTI, presented final reports of the variations, solutions and implementation plans in a nationwide summary.
A couple of the -- I just want to highlight some of the challenges that were identified in those reports that seem to be some themes that came out.
The first was before you even look at what the variations are and where there are challenges, there was a lack of awareness among the stakeholders and a lack of sufficient knowledge about health IT and health information exchange, even to understand what the implications were of some of the privacy and security practices.
They identified that consumers were unaware of some of their legal protections under state law and that providers frequently didn't understand the state-law requirements because they would be multiple in various places within the laws, and they had difficulty understanding the complexity of the state-law structure.
So some of the solutions that some of the states identified were to do some education and outreach to various communities, to consumer communities and provider communities to educate them on what -- on health IT and health information exchange as well as on the existing privacy and security structure that's out there. And so some of the states have begun to look at those as far as implementation within their states.
Second challenge were variations created by state privacy and security laws. This is sort of what we expected to be the bulk of the discussion, although it was only one piece of the discussion that they had.
Many of the states identified, again, that there were various state laws dealing with privacy and security and they were sort of all over the code within the state.
So there were privacy laws that were just directed to particular sectors of the healthcare industry, like insurers or like hospitals or mental-health professionals, and there wasn't one place that a provider or a consumer could look to understand what the laws were.
And there was also inconsistent or contradictory laws. There was confusion about how to apply those laws. So that was a challenge that folks identified.
And some of the states are cataloguing -- as far as their implementation plans, they are looking to catalogue what laws they have, are looking to try to reform their state laws to at least put all the privacy laws in one place so people can figure out what they are required to comply with. And some are looking at proposing some new legislation to bring some more harmony to their state laws on privacy and security of health information.
The third challenge was obtaining and managing patient consent. This is a recurring theme that comes up over and over again when you talk about state laws.
There is clearly a lot of variation in consent laws related to health information across the states, and there is a variation not only at the state-law level, but also within practice of organizations and how they obtained consent, what kind of consent.
And this was identified as a challenge when entities are trying to share information and they have different consent forms, either because that's just their policy or they're trying to share information across state lines and there are different consent laws.
So some of the solutions that were identified and included in implementation plans, we're looking at how to standardize patient consent. Some of the states, we're looking at coming up with model consent forms, looking at the issues that I know you all talked about in great detail on opt in and opt out when you were talking about electronic health information exchange and trying to come to some consensus on those issues and things like that.
The fourth challenge was variations in methods for implementing authentication authorization, access controls and audits.
At the organizational level, looking at organizational policies, everyone had varying approaches to addressing these issues, and it really impacted the trust that a provider would have in sharing information with another organization if they had different practices for authenticating individuals for auditing disclosures of data and things like that. So this was a challenge that was consistently identified as well.
Some of the states are looking at coming up with minimum standards for these things from the standpoint of how to set policies so that there's at least a baseline that folks would comply with, so that they can have a minimum level of trust when information is being shared from one organization to another, and also specifically looking at role-based access and try and see if they can come up with some guidelines for that as well, so that there's some consistency in policies.
The fifth is privacy and security oversight.
There was some identification by many states of lack of state-level authoritative governing bodies to oversee development, adoption and enforcement of privacy polices and practices for health information exchange at a state level, and that was something that folks wanted to address as well.
As far as where we are now, we've extended -- the first phase of the contract ended this summer and we have the fund report identifying the variations, solutions and implementation plans.
We wanted -- there was such good momentum and such a desire for more collaboration and bringing more states into the fold that we wanted to continue this work and keep that momentum going because there's some real opportunity, I think, for the states to address some of the issues that -- within their state as well as start collaborating across states.
So we've extended the contract until December 31st of this year. The 34 states and territories are continuing to do their work. The funding -- the continued funding is to focus on the foundation piece of the individual state implementation plans to get them started on implementing their plans as well as to foster multi-state collaborative workgroups among the states and territories.
And what we've done there, there's been a meeting with all the states that were participating as well as any other state that wanted to join, and we had nine states and one territory that had not participated in HISPC who joined that meeting as well. So we're now to 44 states that have -- are actively engaged to start looking at the areas where collaboration can help move their implementation along.
And they started talking through some of those projects. They're all in the same areas that they identified challenges -- consent, consumer- and provider-education, harmonizing state laws and the like.
And what we're hoping is there will be a HISPC 2.0 in 2008, and we're going to try to focus that more on the collaborative efforts across the states, rather than the state-by-state efforts, so that we can start bridging some of the -- of the differences across the states and assure that information -- that privacy and security laws and practices are appropriately addressed for sharing of electronic health information across state jurisdiction lines.
So that's it on HISPC. I'm just going to do the two-minute update on state alliance for e-health.
This is an initiative that OMC has begun with -- in collaboration with the National Governors Association to identify and come up with consensus on solutions to resolve state-level issues that require state coordination.
One of the things that came up in the HISPC work was this was all fine and good, but we're -- each state is looking at their own issues, and it's hard for the state to spend time and money to collaborate with the other states, and if we could help foster that and foster those dialogues, so that they can come to some common consensus on how to approach some of these challenging new issues that they face, that there'd be more commonality down the road.
The other goal was to increase efficiency of the state effort, so that if one state has gotten farther along in looking at some of these issues, this -- states that are trying to address health IT and health information exchange issues can learn from some of the experiences of the other states. So it's both a consensus body as well as a communication effort.
The state alliance is made up of high-level state officials. There are two governors that chair it, Governor Douglas from Vermont and Governor Bredesen from Tennessee.
There are legislators, attorneys general, state health officials on board, and they have three task forces that report recommendations -- that deliberate and report recommendations up to them not unlike NCVHS. And they have received some recommendations from some of those task force in the area of health information protection, as well as healthcare practice, specifically focused on licensure of healthcare professionals and trying to coordinate the state licensure processes across the nation, so that it would make it easier for telemedicine for providers who are practicing in multiple states to deal with the licensure requirements in various states.
There is the state alliance meeting coming up in -- I think next week actually. It's in Tennessee, in Governor Bredesen's home state, and they will be getting recommendations from the third task force, which is the Health Information Communication and Data Exchange Task Force that's looking at how public programs can participate in health information exchange and what the state's role could be in helping to facilitate health information exchange.
I'll stop there and let folks ask whatever questions you have.
MR. LAND: When you talk about the states that are identifying these issues, is there a particular state agency, the governor's office or is it -- what do you mean by the state?
MS. DANIELS: That's a very good question. Let me clarify.
What we did when we asked for participation in the health information security and privacy collaboration is that we required the entity that participates to either be the state itself, like their health department or some state authority or that if it was a private organization that they have the endorsement of the governor's office, so that the state was engaged in what was going on and endorsed this private entity in doing this work for the state.
So there was only one entity for each state that could participate and they had to get the sign-off for the governor's office.
It's about half and half. Half of the states that are participating are the state government itself, and about half are private organizations that are engaged in health information exchange efforts within the state. So it's about half and half.
The state alliance -- the committee members on the state alliance are all government representatives. It's governors, legislators, attorney generals. So it's all the government representatives, and they have technical advisors who are from the private sector as well to give them advice on health IT and health information exchange issues to make sure that they have the knowledge that they need to deliberate.
DR. TANG: NCVHS is the federal advisory committee. We're here to help you.
MS. DANIELS: Thank you. And we're the government and we're here to help.
DR. TANG: So, to be serious, how can we best help this effort in the policy area? And a lot of what you talked about first, obviously, was in the privacy area, an area which, of course, we do a lot of work in. How do we be most helpful to you?
MS. DANIELS: That's a good question.
I think, with respect to the state efforts, a lot of -- I think what's helpful is trying to tease out which are issues that the federal government can legitimately take on and which are issues that are really state-level issues, either state-government issues or issues for public-private partnerships within the states, as opposed to the federal government.
A lot of these issues, particularly in the area of privacy and security, are really hard. I know you all know this, because you -- you know -- struggle over these all the time, and we do as well.
With respect to -- I'm going to be a little bit broader -- our privacy and security efforts generally, if there are -- we obviously have to deliberate on whatever recommendations come out of NCVHS or AHIC or state alliance or whomever it is. But the more concrete the recommendations are, the more actionable they are, and the more you all can really start teasing into some of the really hard questions that there's huge public debate over, I think the more helpful that could be to us.
I know the next conversation is about secondary uses, and I think, in that area, for example, the more that the recommendations can be focused on concrete suggestions for how to deal with challenging issues and how to reconcile the varying opinions and how to balance the need for information and the need for protecting the information, I think that could be very helpful to us as we are trying to set federal policies in these areas.
DR. TANG: So a tactic that NCVHS has taken with some of its letters is to say, well, there's people thinking on this side and there's pros and cons, and it's a hard issue.
Are you suggesting that it could be even more helpful if there was a stand taken where there's a clear sense in one direction, even though it's not unanimous, because many of these issues couldn't be unanimous?
MS. DANIELS: Yes. I do think that that would be helpful, because there's not going to be -- you know, on all of these things, the debates are very -- they're very charged. There's always going to be dissenting opinions when you're talking about privacy and security issues.
And I think the only way we're going to really resolve those is to understand where there is at least a vast majority understanding of where the issues should be resolved, and understanding what the difference is.
If you all are deliberating and there's a strong dissenting opinion, it would be helpful to know what the majority thinks, and then what the dissenting opinion is that we can consider that.
And, specifically, if there are concrete recommendations, we have the trial implementations for the NHIN that are coming up, and if we can -- those can be test beds for some of these recommendations. If there's a majority opinion -- say from NCVHS -- on how to deal with use of information for quality purposes, which I know is the debate that's been going on here, then we can try -- we can test out the majority opinion in NHIN trial implementation and perhaps we can even test out the dissenting opinion, so we can get some real experience for how the approach may work in the real world, rather than just what people think around the table.
So I think the more concrete -- if your recommendations are concrete, we can then try to translate that into a trial implementation and real-world experience that we can get more data in coming up with an ultimate policy decision.
DR. COHN: Now, I'm going to let Jeff ask the last question on this one, just so we can get into things.
Though I guess I should comment, Jodi -- and I think we all see the world maybe a little differently on this one.
I am reminded of the dissenting opinion that came out of MedPAC somewhat recently, and that I don't think did a lot to help move Federal Advisory Committee recommendations or Federal Commission recommendations forward.
Probably, in areas where there isn't consensus, suggesting pilots to help testing is probably really what you're talking about as opposed to eight to five recommendation, recommendations with five dissenting opinions all on different issues.
So I think be able to clearly identify where there isn't consensus, but still things to move the ball forward would probably be the way we could be most helpful on that one. Just a thought on that.
MS. DANIELS: Yes.
DR. COHN: Jeff, final question, and then we'll move into the other areas.
MR. BLAIR: Thanks. I'll do it real quickly.
And, in a sense, it's a partial answer to Paul's, because, in New Mexico, we're one of the HISPC states that have the original contract and the follow-on contract, and what we did with our follow-on contract is we're reforming state laws to protect the privacy of healthcare information when it is stored or communicated electronically.
And, in terms of -- you were saying how can NCVHS help? I think that it already has.
I suspect what we're doing is probably not that much different than a lot of other states, but the privacy recommendations that NCVHS made for use in the NHIN, even though it doesn't say, “Here's a consensus on every issue,” it's been extremely helpful to help discussions within a state which otherwise might ramble among a lot of issues, and where there are strong opinions, for them to see -- to get focused on the things that NCVHS has identified as areas and to see that, on a national level, there's not necessarily consensus and to craft the state legislation in a manner that is a little more careful, because they could understand that there are appropriate concerns on all sides.
So I think NCVHS has already -- and I've spoken to another -- you know, many other states in the HISPC process, and they've been doing the same thing. So I think that we're already part of the process.
DR. FRANCIS: Simon, could I just ask how we could get a copy of that report?
DR. COHN: Sure.
MS. DANIELS: It is on our website.
DR. FRANCIS: Website.
MS. DANIELS: And I can give you the website. Well, it's on actually the AHRQ website. We did this collaboratively with AHRQ. It's HealthIT.AHRQ.gov/privacyandsecurity, and is written out. And that's the nationwide summary report from the HISPC project.
DR. COHN: OK. Well, Jodi and Kelly, thank you very much.
Now, what we're going to do now is to move into the -- as you commented -- the secondary uses conversation.
Obviously, we would invite you both to stay around as long as you can for the conversation.
What we are going to do is to -- I mean, we are well aware that we're getting towards noon. We would observe that there is a -- right around noon.
What we are going to try to do is to go probably for a half an hour or so, going through some slides.
Once again, you know, the first piece is understanding, and what we want to do is to go through a set of slides to move us through sort of common themes, premises, setting sort of the context for moving into observations and recommendations.
Now, at that point, we were going to, hopefully, take lunch between this higher-level piece and then moving, actually, into the observation and recommendations, which we'll take up right after lunch, and we'll be moving, at that point, between both slides and actually looking at the text of the observations and recommendations, observing that we -- when we really get into recommendations, as I commented, everybody needs to be okay with what it is that's actually being said and that that is really an important outcome, so that we understand where people are agreeing, where people are having differences of opinions, sort of how we need to move on from here.
Now, I do also want to remind everybody that we actually have time tomorrow afternoon -- probably late morning, early afternoon, depending on when we get to it -- where we will talk about some of these things further. So this is going to be the major phase this morning and this afternoon, but, then, there will be some substantive conversations about next steps, recognizing where we are by about four this afternoon or by three this afternoon.
So, with that, I think we're going to hand it over to Justine, who will lead us through the early conversations. Margaret will provide support and assistance, and, then, after lunch, we'll turn it over to Harry to sort of move us deeper into the observations and recommendations.
Everybody okay with this?
Okay, Justine.
DR. CARR: Thank you, Simon.
I'm struck by the timeliness of the topics that we heard this morning, how many of them are tee-ing up this as a perfect segue, beginning with Jim talking about the FDA post-market drug safety data sets, electronic health records for populations studies, personal health records, personalized health, Kelly talking about data sharing issues, Jodi talking about lack of awareness about current regulations over privacy and security, also asynchrony and contradictory laws, and also patient consent variation across organizations and states. It's very much consistent with the hearings that we've had this entire summer -- June, July, August and September and October.
So I'm going to do the background, and, after lunch, then Harry will begin with the recommendations.
Just -- I think you all know the group that has been active this summer, tremendous participation and particularly special thanks to Simon for leading us.
What we'll talk about this morning will be the scope of work, the premises, the process, the term “secondary use,” and the current state under HIPAA, and challenges, and then we'll stop for lunch.
I think that our scope of work involved, one, developing a conceptual policy and framework that provides guiding principles clarifies terminology and includes a taxonomy.
Secondly, we are aiming to develop recommendations for HHS on policies, guidance and regulation, and, of course, the focus of this is particularly the use of quality data.
This began with a request that came from ONC, and the particular stated interest there was HIT and quality, and the areas of focus included developing clear policies and an initial set of recommendations for the quality-use case, clarifying roles of various entities, consider the requirements around identified, anonymized and de-identified data, and also clarify how health-information exchanges and other entities of end users of the data relate to each other and obtain appropriate disclosures and consents, as needed, to e compliant with current law and to protect privacy and confidentiality.
Early in the discussions, there was concern that HIT was driving the process of uses of health data, and, after discussion, we wanted to articulate these premises that clarify that HIT is a tool in the service of quality healthcare.
And so the premises are as you see them, that the common good for all Americans is served when health data collected in the practice of caring for individuals can be optimized to advance the quality of health and healthcare for the nation.
Secondly, appropriate uses and protections for health information must be transparent to individuals in order to reassure them that their privacy is protected.
And, thirdly, application of health information technology affords an opportunity to optimize use of health information for improvement of the nation's health and healthcare delivery system.
Our process was we had three sets of hearings, 58 testifiers, multiple meetings, weekly phone conferences and we've worked closely with ONC.
Related work and documents, we've called upon earlier documents from NCVHS, from AHIC, from AHRQ, from AMIA and from HISPC.
And, finally, you'll notice that the title of this presentation was “Enhanced Protections for Uses of Health Data.”
And we felt that it was important to talk about uses of health data and not secondary uses, and the reasons are stated here.
One is that it's difficult to define. There is no standard reference.
Second, grouping all uses under a single rubric may result in all of them being treated the same, which might not always be the right decision.
And “secondary” connotes a lesser importance than other uses, and we don't believe that to be true. So we're avoiding the use of the term “secondary,” and we're attempting and encouraging others to explicitly and uniquely describe each use of health data.
OK. So why address uses of health data now?
There are a number of points that have come out in the process of our investigations and hearings.
First, with the vision of NHIN, health information exchange is expanding beyond what was envisioned by HIPAA.
Second, health information available for electronic transmission is increasing with electronic health record, so no longer is it just claims for billable services with ICD-9 CM codes and CPT codes and prescription claims.
Now, we have much more granular health data elements, vital signs, lab data, discrete elements.
A third issue is that the sources of electronic health information is expanding beyond HIPAA entities.
Fourth, linkage of large databases of health information creates a need for stewardship for accurate and appropriate use.
And, finally, electronic solutions for patient consent following their data are now becoming possible.
So what I'm going to do in the next few slides is just walk through HIPAA, the privacy rule and security rule and show where we are and then what are the gaps or issues that have been identified.
So if we start with Health Insurance Portability and Accountability Act of 1996, this was developed first to promote electronic exchange for administrative simplification, and, as part of that, it mandated HHS to establish federal standards for safeguarding privacy of individually-identifiable health information.
So it regulates covered entities, and these are -- covered entities are those who electronically transmit health information in connection with transactions for which HHS has standards, and these are payers, providers or healthcare clearinghouses.
It also regulates the covered entity's use of business associates, and, to a lesser extent, their agents. So business associates or persons or entities that are acting on behalf of a covered entity to perform a function regulated by HIPAA or providing a service involving individually-identifiable health information.
So just to repeat, the covered entities are people who exchange claims data electronically.
The HIPAA privacy rule covers all personal health information in any form -- paper, electronic or oral -- that could be used to identify an individual.
And there are two exemptions identified. One is that personal health information that is used for treatment, payment or operations, and a second exemption is de-identified data, and this has been specified by HIPAA that there are 17 designated identifiers that must be removed to make it deidentified, and, also, the eighteenth point is anything else that would identify the data. So those are exemptions, then, not covered.
With regard to research, there is the common rule, and the common rule addresses systematic investigation, including research development, testing, evaluation, designed to develop or contribute to generalizable knowledge. And research, under the common rule, requires IRB approval and informed consent.
HIPAA requires authorization for research, unless it's waived by an internal review board or privacy board.
Research may also be covered by the FDA human subjects protection regulations.
We talked about treatment, payment and operations being exempted from the HIPAA privacy rule. So I want to give a few examples of what operations includes.
MR. HOUSTON: “Exempted,” is that no patient consent is necessary for the use of data in those three areas?
DR. CARR: Oh, exempted from authorization, right, right, right. Thank you, John.
MR. BLAIR: That still could be very misleading.
DR. COHN: Well, I'm glad it's here.
PARTICIPANT: (Off mike)
DR. CARR: Sure. Let's see. So exemptions from the need for specific authorization, right?
MS. GREENBERG: And then it should obviously mention research as you went to in public health.
DR. CARR: Yes. From changing slides around over breakfast. I apologize.
MR. BLAIR: Yes, and I guess I feel really uncomfortable with winding up in a privacy presentation indicating that there's this group that's exempt, and I think I'd like to phrase it a different way, rather than saying a group is exempt from authorization.
PARTICIPANT: Not required?
MR. BLAIR: Pardon?
DR. CARR: Would it be helpful to say --
MR. BLAIR: You can get to it later. We don't have to solve it right now. I'm just sort of -- you know, I just sort of wanted to be on the record that we should find a different way to express that because there could be some negative misinterpretations.
DR. CARR: Thank you, Jeff.
MR. BLAIR: Yes.
MS. GREENBERG: Also, there should be some reference in that first bullet to covered entities.
DR. FITZMAURICE: It only covers covered entities.
DR. CARR: Yes. Okay. So we say that it covers covered entities. Okay.
DR. FITZMAURICE: In the hands of -- the information in the hands of a covered entity.
DR. CARR: OK. Thank you.
Examples of operations, and so these are areas that are permitted without a written authorization from an individual for operations.
And so these are quality assessment and improvement activities, which is the focus of what we're -- a lot of what we're talking about. Also, population-based activities, arranging for medical review, legal services, business management, general administrative activities, establishing payment levels, pay for performance, related efforts. Those are all examples of operations.
The security rule. So we have HIPAA and HIPPA has a privacy rule, also has a security rule, and the security rule applies to electronic-protected health information. So where the privacy rule applies to any information -- oral, written or electronic -- the security rule applies to electronic-protected health information in covered entities and business associates, and it addresses confidentiality, integrity and availability. So challenges within and beyond HIPAA. Covered entity and business associate challenges.
One, individually-identifiable health information is also collected by entities that are neither covered entities nor business associates, and that -- a second challenge is the accountability of covered entities and business associates for uses of individually-identified health information.
This is not tracked, tested, audited or reported in a standardized fashion.
Treatment, payment and operations are challenges related to operations. Definitions of what is included in operations is open to interpretation.
Second, boundaries of what constitutes quality within operations may vary, including the distinction between quality and research.
DR. COHN: Yes, Justine, do you want to give an example of that very first sub-bullet that you have there, just to make sure -- See if you can go back there. The very first sub-bullet.
DR. CARR: This one? Covered entity -- individual --
DR. COHN: Yes.
DR. CARR: Can you read it?
DR. COHN: Yes. So give me an example or two of what you're thinking of on that.
DR. CARR: Personal health records, for example, things that Carol brought up, new -- yes. Well, personal health records --
DR. COHN: Okay. So that's primarily what you're talking about there.
DR. CARR: Yes.
MR. HOUSTON: But you could also --
PARTICIPANT: Under covered entity.
MR. HOUSTON: Yes. You could have an entity that has a physician office that's not covered by HIPAA, because it doesn't electronically bill.
(Several speakers at once).
DR. CARR: Okay. More challenges within and beyond HIPAA, and this relates to de-identification of data.
HIPAA allows for release, without authorization, of data that is de-identified in one of two ways.
One is the safe harbor method that we mentioned that lacks the 17-odd designated identification elements plus anything else.
And a second is the statistical method which is a demonstration that there is a very small risk of re-identification.
So the challenge is that there are also alternative de-identification methods that are being used, and their definitions are unclear. So the term “anonymized data” and “sud-otimized” data, for example, are used.
A second challenge is the safe-harbor method. Removing the 17 identifiers may not always de-identify or may not adequately de-identify in certain situations, we heard from Latonia Sweeney(ph).
Another issue is de-identified data may undermine utility in a quality analysis where identifiers may actually be very relevant to the assessment.
And another issue is that the statistical -- when you de-identify using a statistical method, there is not a quantitative target or requirement that you must report. So -- leaves open to variability.
The next slide talks about sale of data and HIPAA.
And so HIPAA is clear about criminal penalties for wrongful conduct and specifically states that if wrongful conduct involves the intent to sell, transfer or use individually-identifiable health information for commercial advantage or personal gain or malicious harm.
A question that has come up is de-identified data, which would not be protected under HIPAA. Is it acceptable to patients that you sell their data? Is it acceptable to providers that you sell their data in the de-identified fashion?
Data stewardship. This is my last slide.
HIPAA includes principles of data stewardship in addressing privacy and security of data.
AMIA describes data stewardship in the following way: It encompasses the responsibilities and accountabilities associated with managing, collecting, viewing, storing, sharing, disclosing or otherwise making use of personal information -- personal health information.
An issue that was raised is there is a need for more attention in relation to data aggregation and analysis when personal health data is used for quality analysis.
So I think that was our breakpoint.
MR. REYNOLDS: Simon, if you want to, we have a couple of slides on common themes, and then -- what our observations -- at least list the categories of observations and recommendations, then break. That would give everybody a kind of a complete warm up before we come back and actually go into the details. So why don't we go to the next slide.
DR. COHN: Sounds good.
DR. CARR: Okay. So what I just completed was a quick trip through HIPAA security and privacy, trying to identify where we have coverage and where we have gaps.
The next slide is going to talk about some of the common themes that seem to appear in the testimony of many individuals.
And one is just understanding the benefits and potential harms in the enhanced use of health information technology.
So, as we said at the beginning, there is the tremendous benefit opportunity to improve health and the healthcare system. Healthcare quality measurement reporting and improvement is enabled. There's an enhanced ability for public-health surveillance and responsiveness. There's new opportunities for meaningful research. These are all benefits that we hope to achieve.
And the concerns that were raised about potential harm, so that erosion of trust in the healthcare system's protection of personal information could -- would undermine the benefits.
A potential harm might also be a person's experience of discrimination, a personal embarrassment if their data were released inappropriately.
A concern was raised for group-based harms and also concern about misinformation resulting from unsophisticated aggregation of data, a stewardship issue.
Additional themes. Uses of health data for quality measurement reporting improvement enabled by IT and HIE yields new benefits and potential challenges.
I think this is just saying more of the same. You know, measurement and reporting address the IOM Quality Chasm aims.
I think the challenges, again, that the uses of personal health information for quality are -- although allowed through TPO -- are not well known or understood necessarily by individuals whose data is being used.
A second challenge is the concern that linkage of information must assure privacy.
A third challenge, vendors who link data must not violate trust.
Fourth, data for performance improvement may evolve into research without the protections of the common rule(ph). So looking at that boundary between what is performance improvement and what is research was very often raised.
And, again, the issue about the data quality and the data -- is essential for data aggregation.
So what we will hear after lunch are observations and proposed recommendations in the areas of privacy legislation, covered entities and the chain of trust, covered entities and data stewardship, business associates, health data uses for quality measurement reporting and improvement, health data uses for research, cross-cutting data stewardship principles and exercising choice within the NHIN.
DR. COHN: Paul, do you have a question?
DR. TANG: No, I would just put a period at the end of that and say it was really a beautiful rendition of the issues and the statement of where we are. I just thought it was wonderful.
And there's one particular passage in the text that I particularly like, and the reason is I think it's a great operational test, each one of these questions, and the way they wrote it is --
DR. COHN: Do you have a line?
DR. TANG: It is page 9, line 341 in the remainder of that package, and it basically says, “Trust erodes and privacy concerns may increase, however, when there's a divergence between what the individual reasonably expects health data to be used for and when uses of health data are made for other purposes without the knowledge and permission of the individual -- “I don't know what happened to this sentence or the way I read it.
But it's really when the subject of the information doesn't expect something to happen, whether for commercial or other reasons, there's a lack of trust and there's an erosion of trust.
And so for each one of these things, I think we should ask the question, and so that's particularly helpful when you get the de-iden, well, should you let it out of its de-iden? If that's not where the patient expects it to go --
MR. BLAIR: That's the issue.
DR. TANG: That's the problem.
MR. BLAIR: Yes.
DR. TANG: And so, anyway, I thought that was very well articulated, and just the whole thing leading up to this point which is sort of like page 10, well done in the document.
DR. FITZMAURICE: I also think it was well done, and on the previous slide, I wonder if instead of the common rule was meant the privacy rule.
MR. REYNOLDS(?): No.
PARTICIPANT: No, it is the common rule.
DR. CARR: So, in other words, it is if it were in TPO, it would be under the privacy rule.
When it becomes research, it's no longer quality under TPO. It's actually research under the common rule.
DR. FITZMAURICE: That's true, but that's more protected by the privacy rule. Common rule usually refers to things that are federally funded clinical trials as opposed to any use for quality improvement that then evolves into research ought to go in front of an IRB to get privacy-rule permission, if you haven't gotten authorization from the patient.
DR. STEINWACHS: But, Mike, what happens, frequently post hoc, is that you do the quality-improvement study. Then, you decide you want to publish it. Then, you go to an IRB and say, “Well, we didn't ask consent. We didn't do all these sort of things. We want your approval to use the data.”
And so it provides a kind of loophole if someone is a little bit sinister by orientation to say, “We always do quality improvement. Oh, but by the way, we want it in the New England Journal.”
DR. COHN: Yes --
DR. FITZMAURICE: That's not my point. My point is that it's covered by the privacy rule as opposed to being a common-rule violation, most often.
DR. COHN: Well, it isn't -- Yes, it's not a violation of either.
DR. STEINWACHS: No, is the problem.
DR. COHN: Is the issue.
DR. STEINWACHS: If you undertake research. It's a gap.
DR. FITZMAURICE: Without patient authorization?
DR. COHN: No, no.
OK. If you're doing quality improvement and subsequently it turns into something that has to do with generalized knowledge, sort of slips through, that there be a problem.
Want to talk about this after lunch. So why don't we hold that particular issue, recognizing that this is one of the areas where there's just been a little bit of conversation.
Now, Jeff, you had a question at this point or a comment?
MR. BLAIR: Justine, I think you made the statement that after you go through the de-identification process that there's still a question of the use of the patient's data. And so this is just an open question just to think about. I don't know if there's going to be a specific answer at this point, but I don't know that the patient still -- quote -- owns their data after it's been de-identified. So that's the question I had.
DR. CARR: Well, I think maybe does that get back to what Paul was saying about trust, that if you've taken data you've de-identified it. Now, you're selling it.
MR. BLAIR: Right.
DR. CARR: I mean, I put it as a question, not as a statement. It's a question that we heard.
MR. BLAIR: Oh, OK. OK. I'm sorry. I didn't catch that.
DR. COHN: Yes.
DR. CARR: Yes.
DR. COHN: It's a question because we're going to try to answer it in our observations and recommendations.
MR. BLAIR: Okay. Great.
DR. COHN: Because I think that there is a -- at least some level of discomfort about the multiple different ways that de-identified data seems to be being sold, utilized or whatever, and is there some issue there.
MR. BLAIR: Thank you.
MS. GREENBERG: Or whether it's really de-identified.
DR. COHN: Well, there's also that, whether it's de-identified.
But I think that this gets into the nubbins of the observations and recommendations.
Other questions and thoughts that you can all think about -- begin to think about this one over lunch?
MS. GREENBERG: Chew on it.
DR. COHN: Chew on it -- OK.
Now, Justine, I want to thank you, because we're actually just at 12:30. So this is good. So we'll adjourn for one hour.
(Luncheon recess taken at 12:35 p.m.)
A F T E R N O O N S E S S I O N (1:45 p.m.)
DR. COHN: This next couple of hours will be spent talking more, moving into the observations and proposed recommendations for the secondary uses report.
Harry's going to review them -- these basically at sort of the slide level.
We know some of you haven't probably read the report. Others of you actually have, and so what we're going to try to do is to allow for sort of each recommendation time for discussion.
Certainly, those of you who have actually read the recommendations and have particular opinions about them, this is the time to get them on the table.
As I said, really, the purpose here is to understand where there's general agreement and where more work needs to be done or whether there's divergent opinions or whatever in terms of all of this.
Now, after we're done with that, assuming that there's some time, we may very well go back through the earlier parts of the document and talk about that.
But, anyway, but I'm expecting this will take much of the afternoon to do all of this.
My understanding is we do have one other action item today, which is a quality workgroup letter, and that we'll spend probably the last half an hour before we break for our subgroups going through and talking about, and we'll be primarily just looking at the recommendations there.
So, Harry, with that, I'll turn it over to you.
Agenda Item: Secondary Uses of Health Data, continued discussion
MR. REYNOLDS: After the applause for Justine, next time, I'm going first.
Moving right along.
So you see that the observations in the areas of proposed recommendations that we have.
I'm going to go through them one at a time. We have eight recommendations.
If you're following along in your letter, we start on line 737, which starts the observations and recommendations.
DR. COHN: Page 18.
MR. REYNOLDS: Page 18. So if you want to do that.
So let's talk first about the subject of the privacy legislation.
You can see on the lefthand side that we list a number of problems, such as increasing privacy concerns in HIE.
The HIPAA privacy rule only has the force of regulation and is not comprehensive.
Definition of HIPAA-covered entity limited to relationship to financial and administrative transactions. New users not covered.
New users being some of the other entities that we've talked about as we've gone through this, since this is somewhat of a changing environment, other than the administrative transactions, and going into other things.
And then the root cause of -- it's the root cause of many potential harms and uses of health data is a lack of comprehensive discrimination legislation and regulation.
Then, if you go to the right-hand side and you look at our recommendations, and I'll go through those.
1.1 is -- we talk about comprehensive federal privacy legislation, and a lot of that is, in fact, based on what we did with our previous privacy letter out of this committee where we talked about how we would like to see that dealt with.
1.2 focuses on enhanced definition of covered entities.
As you notice right now, it's only providers, payers and clearinghouses, but there are significantly more entities that will be dealing with this data as we go forward.
And, then, 1.3 being focused on the anti-discrimination legislation and regulation.
So under those first three -- and what we want to do is you have the letter and some of you have read the letter. So if you feel better making comments about that --
But, first, if we could have everybody have some discussion on kind of what we call as our Recommendation 1, and the observation that we have in the letter as to where -- you know, what you feel about it, where you think it goes, where you may or may not have issues or concerns, and those types of things.
So let's start with there.
DR. TANG: I think I would support the three recommendations.
Under Recommendation 1.2, which I guess matches your enhanced definition statement, there is a statement here that I agree with. Just wanted to make sure that that -- included, “Included in this legislation or regulation should be a clear statement that personal health information includes any health data that may be individually identifiable or de-identified.”
DR. COHN: The line that you're referencing?
DR. TANG: 774.
MR. REYNOLDS: Through 776.
DR. COHN: Are you adding -- making a change here?
DR. TANG: No, I'm just saying that is a topic that came up when Justine was presenting her overview. It is included -- I'm just pointing out that it is included in your recommendation 1.2.
It's not as clear in your summary statement, but I think it's an important topic, and I would support that.
MR. REYNOLDS: Also, it is also discussed in 7.3 or it doesn't still point there, does it, Margaret?
MS. AMATAYAKUL: Yes, it does.
MR. BLAIR: Could you just help us understand why de-identified data is still protected?
DR. TANG: Is it a question you would like me to respond to, Jeff?
MR. BLAIR: Or whoever in the task force --
MR. REYNOLDS: No, agreed, but Paul's got an answer, good, he can start.
DR. TANG: So if I use my primary filter, which is what would the patient expect, then that statement would be consistent with my impression of what a patient would expect.
MR. REYNOLDS: Margaret, can you tell me the reference now? The one that I have references 7.3.1, and, in this document, there is no 7.3.1. So what I'd like to do is make sure people see where this points to as I mention again.
MS. AMATAYAKUL: Yes, I think that's because we moved these things around and I didn't --
MR. REYNOLDS: I know, but that's why I want to make sure --
MS. AMATAYAKUL: It's 2.3.1.
MR. REYNOLDS: Which one?
MS. AMATAYAKUL: 2.3.1.
MR. REYNOLDS: OK. 2.3.1.
MR. BLAIR: Paul, your answer to my question was because that's what the patient would expect, and --
DR. TANG: So there's two parts to the answer. It's -- one part may be actually it's an assumption that was discussed in the workgroup, which is calling the question is there really de-identified useful data.
So almost -- I mean, here may be a personal opinion, an interpretation, almost any data that can be useful will contain information that can lead to its re-identification.
If that's true, then, a patient would not expect information, period, to be going somewhere for any other purpose than the care purpose or things supporting that care.
And so that clause is just making explicit de-identifiable or what may be labeled as de-identified --
MR. REYNOLDS: And it all works together. You'll hear us later talk about definitions, because one person's de-identified -- as we heard in testimony -- is not somebody else's de-identified. It's a term of art, but not used that way.
The second thing is as you look at 2.3.1 -- which we'll get to in a minute, but it's what we reference -- it talks about how easy it is to re-identify, and we heard a number of testifiers actually talk about how you can take data that somebody says may or may not be identified, de-identify it and actually turn it into something identifiable.
So, again -- and that's why it was good -- As you remember Justine's themes, you know, we're going through these linearly, but the problem is all of them really intersect with each other and interact in many ways. So that's why I want to make sure any reference we make, you'll understand, and then when we get to that one --
MR. BLAIR: Now that I understand the definition, it makes sense, but the corollary of that is that if the patient's identification is anonymized, does this still hold true?
DR. STEINDEL: We actually heard from Latonia in that particular case, and it does hold true. You can re-identify.
MR. BLAIR: Even with anonymized?
DR. STEINDEL: As long -- depending on what the data set looks like.
And we also heard cases where you could create a truly de-identified data set if you modified some of the variables to variables that might be useful in another way.
MR. BLAIR: Well, going down the spectrum, how about when you have aggregated patient data? Is that still protected?
PARTICIPANT: Statistical? You're thinking of statistical?
MR. BLAIR: Yes.
DR. STEINDEL: Yes, and in that case, it depends on the degree of aggregation and the cell sizes that you're looking at.
DR. COHN: Well, I actually just want -- for a minute, just want to get on -- obviously looking at this one, and I think I understand what it is, but I'm not quite sure.
So I'm going to ask for a little bit of clarification, perhaps from our co-chairs as well as other committee members, because I guess the question that I'm listening to with Jeff is, I think, fear that he can't use it at all.
And I guess I'm sort of just trying to think through, as I'm thinking through this, what we mean when we say the personal health information includes any health data that is identified or de-identified means that it -- and, then, once again, help me -- I just want to make sure if I understand what it means. It means that it can be used, but needs to be used under --
DR. TANG: It cannot -- So there is an assumption that -- quote -- de-identified data can be used without any restrictions.
So one point is that we don't believe there is such a thing as de-identified data that is useful. So, therefore, it's of no interest to anybody.
And, second, so this statement is saying all data should be under the regulations of -- should follow the rules that apply to a covered entity.
DR. COHN: OK. So let's think about what that means in relationship to de-identified in this context.
I mean, I think it would mean that, obviously, that this is that business associate agreement pieces that we'll talk about --
DR. TANG: Well, later.
DR. COHN: Well, no, but I mean that there's a sort of change of trust, but, also -- So what sort of cases would this allow de-identified data to be used without --
DR. TANG: It's not so much permitting things to be used. It has the -- once you have personal health information, you have responsibilities that are similar or maybe the same as a covered entity.
MS. GREENBERG: I think in personal -- an individual form is what you're talking about. I don't think you're talking about -- although cell size is an important factor, but, in response to Jeff's question, I don't think you're talking about aggregate data at the regional level or whatever, unless there happens to be only one person and there are a few people in that region who have a particular diagnosis and everyone knows who it is.
But you're really talking about record-level data. I mean, individual --
DR. TANG: So another way -- so pretend a covered entity that lives by all the rules over covered entity created aggregate data like you described that could be used by anyone for any purpose.
One of the important loopholes we're trying to cover is to give somebody, a non-covered entity, the ability to access all these identifiable data and then create an aggregate report, they still have access to all of the PHI, and that's what we're trying to get addressed.
DR. STEUERLE: I'm not sure this has helped, but I deal a lot with this question of de-identifiable data with the IRS Statistics Division, which, in the end, often concludes that I can't release any data at all.
I mean, let me give you an example. If John has a -- you know, one of his patients in the hospital spends $433.33 for a particular procedure, and somehow or another they send -- he puts it on his Master Card, his $433.33, and somewhere there it says, “Sum statement,” like it went to that hospital there, and somebody else has another data set that identifies the hospital, and he's the only person in the world who's paid $433.33 in Pittsburgh or Pennsylvania, that person might -- you might be able to link that to another data set and determine things about them.
So, at some level, any data that has any specificity to it is re-identifiable if merged with the right data set, and that's the dilemma that statisticians deal with.
And so you have to be very careful as you write these rules that you don't prevent certain natural things from happening, which, by the way, goes all the way -- all the time. And I don't know whether there's a capability of showing this to people in the finance field. That's one of the huge debates in finance. We know that all of our personal information is all over the lot out there with the finance companies, and the finance companies fight against a lot of these rules that prevent them from using the information, in some cases, incorrectly, but, some cases because they couldn't even operate if they had to worry about this re-identification.
And I don't know if that helps or not, but it is a dilemma we have to deal with.
MR. REYNOLDS: Yes, and I would remind everyone around the room, it's us. So those of you who haven't been on the committee -- hearings, welcome. We'd like to welcome you right now.
DR. SCANLON: Gene's point is very valid. I mean, but I think we also -- we have to be very careful about terms, and aggregated is a very imprecise term.
You know, NCHS has rules in terms of releasing survey data, and they will aggregate it and they will suppress cells when they are below a certain threshold.
Now, the question is what is -- we're not specifying that there is that kind of a standard for what is going to go on with covered entities or anybody else.
And so when you talk about sort of aggregated, if I am a covered entity and I have claims from all the hospitals in my area and I do an aggregation -- and I start to report on an individual hospital basis by diagnosis what happened -- there's a question there of what are the risks.
And this, I think, is the kind of thing we need to think about, because this is the reality we're dealing with today. People are interested in reporting at the individual provider level. Hospitals are actually big providers, compared to people wanting to report at the physician level about what's happening with respect to certain types of care, and when the care becomes more narrowly defined -- it's this diagnosis, this type of treatment, this provider -- we're suddenly down to small -- very small sample sizes, and that's where the risks start to increase.
And I'm not convinced that we have any ability to draw lines, but it's what we have to be aware of as we use terms that may -- I mean, aggregated fits, but the aggregation can be very, very sort of small.
DR. WARREN: Okay. I have a clarification question. I thought I understood the recommendation until Paul explained it. Sorry, Paul, because you put a spin on it I had not thought about.
So that last line, includes any data that can be individually identified or de-identified.
Is there any other kind of data besides those two?
MS. GREENBERG: Only aggregate data.
DR. WARREN: So it includes all data, regardless of whether it's identified or not.
MR. BLAIR: Or de-identified or --
DR. TANG: Regardless of how it's labeled, because, again, one of the assumptions is you cannot adequately de-identify data that remains useful.
DR. WARREN: Then, I think that needs to be kind of recrafted a little bit, but I don't know how to do that, because this gives -- I mean, we have the impression under HIPAA that there's de-identified data we can do stuff with, and, now, we're coming back and saying not really.
MR. REYNOLDS: The other thing we may want to say throughout the document, when we use de-identified, we tie it to the HIPAA definition of de-identified, not the imprecise definitions that we heard as we heard --
DR. WARREN: That's why I wanted to clarify with Paul, because if you've got identified data and de-identified, and those are the only two kinds we have, then we can really just say all data, unless there's a third kind of data that's out there that we're talking about.
DR. TANG: Being explicit, using the term that HIPAA uses, which includes -- quote -- de-identified, that's to bring that into this restriction.
DR. STEINDEL: Yes, Harry, I just would like to make a comment that may organize this discussion a little bit better, because I think we've taken off on a complete tangent.
What we are talking about in Recommendation 1 specifically are the attributes for a new piece of privacy legislation, and once we're introducing a new piece of legislation, what we're just saying is we think these are three attributes that should be in there.
If they pass new privacy legislation, there may not be such a thing as a covered entity. There may be all sorts of things that are changed.
And, now, when we start discussing these attributes with respect to the HIPAA definitions, we have I don't know how many pages of recommendations that go into it with respect to HIPAA in gory detail, and I think we should refrain from discussing, in terms of this recommendation, those details until we get to the specific recommendations, because I think we've found that most of the points --
MR. REYNOLDS: I think that's a good point.
DR. STEINDEL: -- have been covered.
MR. BLAIR: If I understand your thinking correctly -- and, Paul, I'm kind of looking to you, because you clarified, the boundary isn't whether it is de-identified or anonymized or aggregated. The boundary is whether the data can be re-identified from what I heard you say, in which case if you simply use that as the qualifier for this sentence, then I think it would be consistent with the explanation or clarification you gave us.
DR. TANG: I think that's a fair interpretation of what I said.
And, also, the Recommendations 1.1, 1.2, 1.3 are actually three separate recommendations.
So 1.1 -- what you said, new privacy legislation.
1.2 is a way to cover what was called -- well, sort of a loophole of HIPAA-covered entity.
And 1.3 is to try to address the harms that can happen outside of the context of HIPAA.
MR. REYNOLDS: We do mention legislative or regulatory measures, not just legislation.
MR. SCANLON: Three quick points.
I think it would be good to include such language like based on a gap analysis of HIPAA and other privacy legislation and where gaps remain. Otherwise you're throwing the baby out with the bath water and what you get might be much worse.
And we're not saying that it should be HIPAA legislation, particularly. We're saying that it should be privacy protection, whatever is the suitable level of protection there.
Number two, there are uses of information that I think were alluded to -- Justine alluded to that are not necessarily privacy issues, but they're appropriateness issues, and even de-identifying data. So it may be more of a data-stewardship issue.
There's an example given of the Framingham study where de-identified information was going to be made available for drug firms and others for profit-making purposes, and the community board was very upset with that. Not that it was a privacy issue. It just was an appropriate issue. That's not why they were participating in a Framingham study.
And, then, third, I think you may be throwing the baby out with the bath water when you add the de-identify concept into this term, because you're trying to -- you're working on nuances that no one else will see, and you'll literally shut down virtually any record-level information by throwing -- and it's just an impracticality to implement or design.
It's a very useful concept in HIPPA. It provided a nice balance between legitimate public uses and protection, and I wouldn't design a policy on the resources available to one person at a big university who can spend all day checking records. I think you sort of have to do it for the likely threat, the more reasonable risks.
MS. GREENBERG: Amen. I mean, you would be saying -- I mean, you might be implying -- couldn't be any record level public-use data tapes or whatever, even if they met those requirements of HIPAA certified by a statistical agency and what have you.
So I agree completely with Jim that it goes too far.
MR. LAND: I am concerned that with this 1.2 there's an exclusion for public-health agencies, and I'm reading this right now, this would eliminate that exclusion. That will just eliminate vital statistics completely.
MS. GREENBERG: Yes, that's exactly what I was thinking of.
MR. REYNOLDS: Okay. And that was not the intent.
MS. GREENBERG: The use of vital statistics.
MR. ROTHSTEIN: I just want to say that the re-identification is one of the concerns, but there are other concerns that underlie this kind of recommendation, and Jim's point, I think, is a good one, but it goes beyond the unusual study like Framingham.
If you have patients who don't authorize or don't sign anything and don't receive anything besides the notice-of-privacy practices, and the -- let's say a hospital takes their information and de-identifies it, and, now, suddenly, sells it, just because it's de-identified doesn't mean that the individual has given up all interest in that information and wouldn't feel that -- and this goes to Paul's point earlier -- it exceeded the reasonable expectation of what sort of rights, if you will, you give up.
And so I think there's another side to this. It doesn't -- as I sort of go -- and to a larger sense on this -- it's not necessarily that you couldn't use the information. It's that there might be some higher level of permission -- not necessarily an authorization or some higher level of notice that you might have to give to individuals before you can use this information, even in a de-identified form.
DR. TANG: So to put the sense that I took out of context into context, what it said, in making recommendations on expanding definition of covered entity under HIPAA, they should consider personal-health information as all of this data.
So it would be discussing the responsibilities of dealing with personal health information, identifiable and de-identified. So it's really not an exclusion. It doesn't necessarily change anything that HIPAA has to say. It just has to include both things.
DR. FRANCIS: I have what I don't think is really a wordsmithing question, but it's a question about what the function of these recommendations are.
The first two start out by saying HHS should work with other agencies, and that's not a very strong recommendation. That sort of sounds like HHS should cooperate, not take the lead.
And I don't know what's meant there, but it seems to me that what these recommendations should do is say something like, HHS should, in cooperation with other federal agencies, propose or develop or something like that, rather than the more minimalist, “Well, if somebody else wants to do it, we'll cooperate.” It just doesn't sound like we're urging that something be done, and I'd like to see us urge that.
Then, there's another small point. I think 1.3 needs to be reworked a little bit, so that it's consistent with the ADA. I'm not sure it is in its present form.
MR. REYNOLDS: Right.
Margaret's taking notes on this. So if you don't see the rest of us taking notes, it's not because we're remembering everything.
DR. COHN: Can I just ask a question of clarification?
Leslie, what do you mean consistent with the ADA?
DR. FRANCIS: Well, actually, if you look at it, I think the ADA -- the last sentence -- I think the ADA's language is actually stronger than what's in the last sentence, because there's no comment about reasonable accommodations and so on.
MR. HOUSTON: This maybe is -- We spoke at lunch. So I'm not sure where we insert this in the dialogue regarding the issue of covered-entity coverage. Do we wait to the business --
MR. REYNOLDS: Yes. And, then, if you need to tie back to this, that it didn't do something that --
MR. HOUSTON: And do we want to simply just tee it up just the first --
MR. REYNOLDS: Yes --
MR. HOUSTON: Yes, I mean, I think the point that I had made to Harry before was is that I think there is some opportunity to look at trying to merge the concept of a covered entity as well as a business associate and provide a framework for the privacy rule directly providing some type of regulatory framework over both, rather than having a business associate simply be an animal that the covered entity has tried to manage.
But that's really where I was going with my comments, and I'll wait ‘til the -- later.
MR. REYNOLDS: Yes, because we talked more about data stewardship and we talked more about the business associates and so on, and, again, in the end, then, if everybody needs to come back, we can tie it back.
DR. DEERING: And I apologize that I'm only now seeing this, having participated in these discussions so long.
My question gets to the relationship of 1.1 and 1.2.
1.1 appears to imply that this new privacy will supersede HIPAA, because the only clarification there is that it will cover all entities, including those not covered by HIPAA.
And, then, the second one it says, at the same time, that we're going to go ahead and strengthen HIPAA.
And so I'm just asking more in the form of a question, is there a need to harmonize those two recommendations more fully so that -- because if you have 1, do you need 2?
I mean, clearly -- I mean, 2 is one particular issue that we meant to address, but it's a question of --
MR. REYNOLDS: Steve, do you have a comment on that?
DR. STEINDEL: Yes, I have a comment on that, and, basically, this goes back to what I said earlier. I've always read 1, 2 and 3 -- 1.1, 1.2 and 1.3 -- as being in the context of new federal privacy legislation, healthcare privacy legislation.
Now, if we think about the HIPAA process, originally, HIPAA called for that law, and regulation was only introduced if Congress failed to pass that law after a certain date.
So HHS did not craft the regulations until Congress said, “We're not going to do the law.” And what I've always viewed this section as, as another call to Congress to go back and revisit the issue.
And, then, when we used the term, “HIPAA,” in 1.2, what we mean is that there are certain things that you defined in the HIPAA regulation that we find problematic, and if you're going to craft new privacy regulation, we want you to avoid those problems.
DR. DEERING: So it's all subsumed. So there's an omnibus privacy legislation, which includes all three of --
DR. STEINDEL: Yes, that's the way I've always read this.
DR. DEERING: .1 subsumes 2 and 3.
DR. STEINDEL: Um-hum.
DR. DEERING: In your view.
MR. REYNOLDS: OK. I think we're out of people that were commenting on this.
DR. COHN: Well, yes, you know, I'm not -- you know, this, obviously, is a nuanced conversation at this point, but I guess I am reflecting that I think that there are -- there is legislation on the Hill currently that talks about 1.2, and there's not legislation that talks about 1.1 or 1.3.
So, you know, I mean, we can describe this as omnibus, as Steve is describing, or this needs to be somehow nuanced that these are potential separate elements and separate initiatives and all of that. And so there's just that observation that it isn't an all-or-nothing piece here.
DR. STEINDEL: Yes, there's nuances there, and, actually, what we're talking about, the bills on the Hill actually modify the HIPAA Act. They're not separate.
DR. COHN: Right. Exactly.
And so we probably just need to make --
MR. SCANLON: I was going to say, it's really -- 1.1 could be interpreted as based, again, on a gap analysis. It could be for whatever legislation is necessary to fill in the gaps at HIPAA, not necessarily superseding and replacing HIPAA. And, then -- so it fits in where there appear to be gaps.
But, again, it should be based on language suggesting a gap analysis, so that it's a fairly nuanced and targeted kind of an effort.
DR. DEERING: But if I could only just point out that there is a difference between the committee recommending an approach based on a gap analysis versus the committee making a recommendation for new comprehensive privacy legislation. Those are very distinctly different approaches.
And I just wondered whether the committee wanted to be -- to make -- come down, you know, on one side or the other.
DR. GREEN: I agree with that point. I agree with that last point, and I wish to come down on one side of it.
I think this discussion and the work of the summer, all the stuff I've read leads to -- me to the following conclusion. It's 10 years after HIPAA. We know more about it now, and it's time to do something fairly substantial with it.
And we have also got tucked into here Paul's issue that the substantial shift cannot be based on the assumption that we can sort data into identified and de-identified data.
And that's the thrust of this thing that it seems to me is worth doing, particularly given where we're about to go next to the stewardship idea, because my reading of this is where we're headed is saying, you know, this idea of data stewardship is crucial to the next phase, and that's what we really want to emphasize.
So the gap-analysis approach on HIPAA, I think that's a mistake for us to put our recommendations there.
I agree with -- your other point is it's time for some serious legislative work here, folks, if we're going to get to the HIT infrastructure and the healthcare system we want.
MS. MC CALL: I guess I want to add on to some of Larry's comments.
I would agree that -- you know -- on a tenth anniversary, with all of the evolution that we're talking about in healthcare IT and uses, that we come down on the side of needing something substantial.
However, I don't want to throw the gap baby out with that bath water either.
I think it's important that we take a point of view -- I think we need to take a point of view that our opinion is based on two things simultaneously, that there are, in fact, gaps, and I think we need to acknowledge them.
I also think that we can take a point of view that says merely addressing a gap and filling it is necessary, but not sufficient. All right?
And I think it allows us to do a couple of things, and one may be this whole bit about all the different pieces under -- you know -- this first area, 1.1. through 1.3.
1.2 seems to me temporary, but moves us forward, and, yet, 1.1 says we'll go farther, right?
And so I just don't want us to think of this as an either/or proposition.
DR. TANG: So my question back to Jim and Marjorie, then, is why would removing the concept of de-identified hurt your purposes? Because you are covered by public health.
MS. GREENBERG: Well, it doesn't mention public health at all here.
DR. TANG: No --
MR. HOUSTON(?): This one says all entities --
DR. TANG: Will be included in a discussion of personal-health information, and we have very explicit clauses about public health, research, et cetera.
MS. GREENBERG: Doesn't say anything about that here.
DR. TANG: Well, but it just isn't in this section. That's all.
It is trying to raise the notion that, as Larry said, we've learned that we actually can't -- quote -- de-identify data in a useful form.
However, there are a lot of good uses for data. We heard a lot in the testimony, and they're all basically being handled in a responsible manner as with public-health data.
I'm not sure I see why this new distinction of whether there is or isn't de-identified data would hurt the public-health cause, as long as that was still an exclusion.
DR. OVERHAGE(?): My issue is the way this reads is that all entities --
MS. GREENBERG: Any entity.
DR. OVERHAGE(?): -- any entity will now be a covered entity. That means this is one example that a doctor cannot report a communicable disease unless he gets permission from the patient to report a communicable disease.
DR. STEINDEL: No.
MR. ROTHSTEIN: Even covered entities today can report that information, even in an identifiable form. So if you include more people as covered entities, they would, presumably, have the same rules apply to them that apply now.
MR. SCANLON: If you keep the same framework as HIPAA.
PARTICIPANT: Yes.
PARTICIPANT: Yes.
MR. SCANLON: -- about throwing HIPAA out, then --
DR. TANG: No, just the concept of that there is a useful way of having -- de-identifying data.
DR. FRANCIS: I was going to say I think part of what's a little troubling here is that if you go back and read the beginning part of the report, one of the really good things that the report does is it distinguishes various kinds of secondary uses, and it makes clear that different standards might apply to different ones.
And so if you bear that in mind, this is just saying these data are within the purview, too. It's not saying what ought to be done with the data, but that these are data you need to think about, too, and they are, for the reasons Mark and Paul have been --
MR. REYNOLDS: And for purposes of today, I think, as we move on to the next recommendation, I think we've heard real good things.
I think the public health is clear. We need to look back and normalize as to whether we have actually -- we can look back and decide whether or not we need to normalize this to the rest of the discussion and whether or not we're actually hurting things that HIPAA allows, because there are things that HIPAA allows, some of the public health and others. So I think that's what the subcommittee is hearing.
So rather than putting all the words -- I think it's documented. It's on the list. It's on the parking lot. I mean, we got more work to do.
And so I think all these are great, great inputs to us making sure that we put this down so that it doesn't hurt something that was there okay, and then and/or supersedes something that's already agreed to, whether we call it HIPAA or whether we call it new legislation or anything else.
DR. COHN: Well, I was just going to suggest that, actually, there's been a fair amount of language in the various privacy letters that talk about these things are not meant to preclude traditional relationships --
MR. REYNOLDS: Right.
DR. COHN: -- that deal with public health and all of that.
MR. REYNOLDS: Yes, that's exactly right.
DR. COHN: And I think it's a question of just pulling that out --
MR. REYNOLDS: No, no, and that's -- I think that's what we're hearing, and so --
Gene, you had one other comment, and, then, I'd like to move on.
DR. STEUERLE: I mean, I've raised this issue before. I think of this issue between privacy and improved health through things like electronic health records is statistically involving Type 1 and Type 2 errors, and, generally speaking, if we reduce Type 1 errors -- Type 1 errors being we're not getting the improvements in health we could get through things like electronic health records, we're going to increase Type 2 errors, which are the threats of privacy and vice versa.
And, of course, the political out is we always talk about the standard. Well, given a given amount of Type 1 error, less -- Type 2 or given a minimum amount of Type 2, -- Type 1, that gets us into the political out that the politicians want to deal with. We're never creating losers.
But what I liked about the first part of this essay was it's really talking about the tradeoffs.
And I wonder if we really want to be a little more explicit and talk about these tradeoffs, because, at times, it gets to a level of abstraction.
I think members of this committee -- I'm not sure everybody agrees with this, but I think most do. I'm probably thinking of a lot of things I've heard Mark say over the years -- is I think we have real concern --
We talk about improved health. We're not just talking about improved health. I think we need to be very clear. We think that there are probably thousands, maybe tens of thousands, of people who are having worse health or perhaps even dying prematurely because we are not improving in areas like electronic health records, public-health sharing, and those costs to society, I believe, we generally believe are much higher, that Type 1 error, than are these dangers of privacy concerns.
So if we're going to try to go towards expanding the spreading of information, we know that we will increase privacy risk.
And I think sometimes we need to make that fairly clear. We want to minimize that, but we're not -- you can minimize privacy risk altogether by never sharing any information.
But I think we gotta make clear, ultimately, that one of our objectives here really is the -- it's not just improved health, but, I mean, I think we need -- some examples of why this improved health is so important.
And I'm just -- I'm not sure, by the time we get through everything, that just talking about the tradeoffs quite makes that quite explicit.
And so we get down back to these arguments in the end of trying to -- of worrying about every -- worry about every privacy loss we're going to have.
We are going to increase privacy concerns, and we are going to -- if we expand the spreading information, we are going to violate -- through accident, through error, other things -- some people's privacies, and that's the tension we're dealing with.
But I think worry that we spend too much worrying about minimizing this Type 2 error, and then -- and it's got a real cost, and I --
MR. REYNOLDS: Can you recommend to the subcommittee either some wording or where you would see something like --
DR. STEUERLE: I think the first part doesn't -- the tradeoffs --
MR. REYNOLDS: Yes, but I'm saying if you --
DR. STEUERLE: -- making it a little more explicit --
MR. REYNOLDS: Feeling your passion, you could -- a few of those words down --
DR. STEUERLE: I'm not sure I'm speaking for other people here or not.
MR. REYNOLDS: No, no, no. Understand. Understand.
I think what we've done -- and we've got X amount of time to get this done. What we're trying to do is put it on the table today, have good, open discussion, and if people really think they can improve a section or an issue, we've already had red line from a number of people. We'd love to have some other comments.
So that's what I'm saying. I'm really not -- I'm hearing what you're saying, but we need to get it in our process.
Paul, do you have a comment on this --
DR. TANG: I do. I think there's -- the elegance of the solution is I think there is a way to decrease the Type 2 error without increasing Type 1, and it's actually the heart of the matter, which is people are afraid of the commercial uses of data that do not contribute to their or society's health, and that is actually the problem we're trying to deal with.
That's a Type 2 error that does not impact in a negative way the Type 1 error.
And so if we focus our attention on closing that loophole of basically the commercial gain that is not productive to --
PARTICIPANT: Well, who's to say?
PARTICIPANT: Who's to say?
MR. REYNOLDS: OK. Well, let's do this: We're going to -- we have plenty of time to wordsmith exactly what that is, so we won't have a give-and-take across --
(Several participants at once).
MS. MC CALL: I guess I would not describe commercial use as a Type 2 error.
(Several participants at once).
MR. REYNOLDS: As I said, Gene -- Going back two comments earlier, Gene, if you would give us some input --
OK. Now, as we move on to the next slide, Margaret --
Again, one of our goals today is to make sure we get a good thorough discussion of each of these.
I would draw your attention to line 788 -- All right. Listen up. I would draw your line to 788 in the document, please.
PARTICIPANT: Where?
MR. REYNOLDS: So that you -- 788. So that you understand the transition between Slide 1 and Slide 2.
OK? We knew, as a subcommittee, that 1.1, 1.2 and 1.3, as Larry said and so on, may or may not occur in the next --
So, therefore, we have tried to come up with a transition that said, in lieu of that, and, actually, in inclusion of that, even if that happens, then what we're going to talk about next, we believe, is important.
OK? So I wanted to make sure you saw that transition, so that it's not one or the other. You see a smooth transition that we're including, because, again, not to be victims of the fact that legislation may or may not happen, but actually go ahead and move forward.
DR. COHN: I just have a slight question. I think we're on Recommendation 3, it looks like. What happened to Recommendation 2?
MS. GREENBERG: It's up there. 2.1.
DR. COHN: Do I have an old copy in front of me?
MR. REYNOLDS: No, I got -- Recommendation 2 is Cross-Cutting Data Stewardship Principles.
DR. COHN: Right, and Recommendation 3 is HIPAA Covered Entities and Chain of Trust.
MR. REYNOLDS: There we go.
(Discussion of numbering).
MS. AMATAYAKUL: I think the numbering is wrong. We'll get it fixed. Just worry about what it says.
MR. REYNOLDS: Yes, hang with us.
All right. So we are on -- for those of you who have a written copy, we are on number 2.
For those of you that look up, it'll be number 3. Work on the translation. You don't need the Standards Subcommittee to help you translate that. OK? We got it. Good point. OK. We'll let you do that.
OK. So covered entities and data stewardship. And if I draw your attention to the slide.
Our problems are --
DR. WARREN: I still can't find what we're talking about.
(Discussion of where they are in the document).
MR. REYNOLDS: We are on the letter. We are on page 19. We are talking about number 2, which is line 797, and that's where we're starting, and so we'll --
MS. GREENBERG: Do you want to read that transition sentence?
MR. REYNOLDS: Yes, I will read -- actually read 788 on.
“In the absence of comprehensive privacy legislation and regardless of the scope of such legislation, the following recommendations provide practically possible solutions for the near term. Recommendations for guidance, such as the HIPAA Security Guidance distributed by CMS on December 28, 2006, and/or further enhancements of regulations are made that would serve as a means for covered entities to demonstrate good faith efforts in compliance with applicable regulations. NCVHS commits to monitoring the usefulness of this guidance and offering further recommendations as may be needed.”
So what we're talking about in number 2 is really getting down to the idea of regardless of what occurs, and I'll play off of Larry's comments and some others.
We are entering a new world and that new world is moving quickly.
The stewardship over the data which entity, regardless of what they are called, regardless of the form of the data, regardless of what their purpose is and regardless of what they do and don't do is really about as we care about the individual and care about people knowing what's going on with their data, it's all about the stewardship.
And so we tried to capture that in looking at this, because -- and that's why we call it cross cutting because whatever you're termed as an entity, you get into that environment. There are those key things.
So what I'd like to do, then, is if we could go to -- and let me read the two recommendations that are here, 2.1 and 2.2, and then we'll go back and anybody can anything they want to say about the actual -- the verbiage in the observation. Let's go to them, so that they're on the table, and then we'll move accordingly.
So Recommendation 2.1, it reads, “Recommendation on guidance for data stewardship principles: HHS should facilitate the establishment of guidance for data stewardship to ensure fair information practices for all uses of health data, including those for all forms of quality measurement, reporting and improvement.”
2.1, “The Health Data Use Risk/Benefit Analysis Framework below should be tested for use in informing HHS in its guidance development.”
And if you'll look at the bottom of your page and -- are we back on the slide?
So our problems. Our large databases increasingly have richer data, enhanced data-linkage capabilities, as we've heard others mention already a little bit ago, and fully automated data-collection process, so data can be transformed from one company to another company instantaneously. So it moves in and out of place.
But despite enhanced data-protection techniques, heightened concerns about -- there's heightened concerns for the potential for risk.
So our recommendations are, one, data stewardship guidance.
2.2, data collection should require a risk-benefit analysis with the intentionality of use involved.
And, then, 2.3, the identity protection, where we're talking about statistically-determined and published and data-linkage intent.
Whoa. Go back, Margaret. I wasn't finished right now.
Data-linkage intent and processes established.
Now, you can go on.
Data security management, role-based access, continual improvement, retention and deletion of metadata.
Why are those numbers?
MS. AMATAYAKUL: I only changed the 2. I didn't change -- I didn't have time to change all the --
PARTICIPANT: I know you can do it.
MR. REYNOLDS: It's a long way from North Carolina, and I'm tellin' ya. Okay. Good.
Moving right along, acting like we're altogether here. Go back -- Go back, Margaret. Don't take it away now. I just got the 7 figured.
7.4.4, accounting for disclosures, including breeches by business associates or agents.
And then 2.5, and it's subsequent sub-bullets on release of data. Data-release agreements, correction medical identify theft, and minimum necessary for appropriate data aggregation.
So what we're talking about, as we go through this is building a framework.
And, then, Margaret, before we take any questions, can you put the chart up that we referenced, please? You have that chart?
And, again, the reason -- what we've done with this chart -- and this came up in some discussions some of us had earlier -- this whole idea of this is a long document. It has a lot of pieces and a lot of parts, but the idea is who is the user? What is their intended use? What kind of analysis are they going to do?
And you can see the four bullets or four buckets that we have there.
And, then, what are the data-stewardship-type approaches -- Jeff, I gotcha -- that they would need to consider and include as they are doing this.
So the reason this is in here is, as we continue to debate this and deal with this document, this might be a chart that we go back to on a consistent basis, as we are -- so if we'd have taken some of the other subjects we did and we'd have put it up there, then you might be able to better walk it down and at least keep some order to the discussion, not necessarily make that an end product, not necessarily say that's the best chart you ever saw, but at least it allows some kind of an honorable bucketing of a discussion as we go forward.
So, with that, Jeff, I saw your hand up first, and then --
MR. BLAIR: Yes, the first comment --
MS. GREENBERG: Let Margaret --
MR. REYNOLDS: Margaret, do you have a comment?
MS. AMATAYAKUL: I just discovered that this slide deck is not the latest slide deck. So I -- Justine added slides, but not to the latest one. So I'm going to switch while you're talking.
MR. REYNOLDS: Good. Well, we'll act like we don't notice that, and then we'll be right back on track as we -- this is --
All right. We have Jeff, and then we have Paul, and then we have Mark.
MR. BLAIR: Despite the fact that this may not be the latest slide set, I really want to commend this framework. I'm finding this framework very helpful to build upon.
And, as I start to build upon it, I have one set of questions -- there'll probably be more later, but -- and the set of questions that I have, Harry, you pointed out or I heard somebody point out, which I also thought was part of the framework and very useful, was risk-benefit considerations.
So my question is when we talk about risk, obviously, we think of the risk of violations of protected health-information privacy.
Do we also include as a risk patient safety? And do we also include as a risk the health of the population as a whole?
There's three areas of risk, and I'm just wondering if the framework has been expanded to include that notion of multiple risks.
MR. REYNOLDS: I think when we listed the potential harms in the slides that Justine showed, and as we go through this, yes, Jeff, I think we list --
MR. BLAIR: Great.
MR. REYNOLDS: A couple of places we list benefits and potential harms, and I think this chart, as we go through the buckets, does, in fact, touch on that.
MR. BLAIR: Thank you. Great.
MR. REYNOLDS: Maybe not completely to your satisfaction, but it does.
DR. TANG: I'd just like to propose that we delete the allowance for statistically -- use of statistical methods to de-identify information for the reasons that Gene mentioned earlier.
MR. REYNOLDS: What are you saying?
DR. TANG: It's on -- well, I don't know what -- it's on -- 2.3.1 said that we would -- I don't know if you can show it, Margaret.
MR. REYNOLDS: We will. OK. Can we -- let's hold you ‘til she gets it set up. All right?
Let's go to Mark.
MR. ROTHSTEIN: I have a question about the scope of this entire set of recommendations, the 2.1, and follows.
This isn't a section that is prefaced by the language that Harry read that said in the event that or until there's new legislation, so we're basically --
MR. REYNOLDS: No, and even if there is new legislation --
MR. ROTHSTEIN: Right.
MR. REYNOLDS: -- these things --
MR. ROTHSTEIN: OK. But, for the time being, we're still -- these would apply in the HIPAA era.
MR. REYNOLDS: Right.
MR. ROTHSTEIN: And so my question is do these recommendations on data stewardship apply to both covered entities and, currently, non-covered entities?
I mean, they could apply to non-covered entities in the sense that they're only recommendations and sort of standards or guidance that the department is setting out, but if the department wanted to, at least as to covered entities, it could make them more of a requirement.
And so the question is should we have the same language or the same approach with regard to the stewardship issue apply to covered entities and non-covered entities -- maybe that was the intent -- or do we want to consider the possibility or put in here the possibility that there would be different levels of requirements?
MR. REYNOLDS: Simon, do you have a comment on it?
DR. COHN: Well, I was actually just going to try to answer it, and, then, obviously, part of the issue, I think, is we've been playing around with the ordering of all of this.
And what I think we're trying to do, and I think we see this later, is really tightening up the chain of trust, so that non-covered entities that are touching all of this would effectively become business associates, by and large.
And so my view, in a sense, they -- if they aren't fully-covered entity, they at least become quasi-covered entities, and, therefore, would be covered by the --
So I guess I would say the answer is yes, and I think we were trying to figure out a way to sort of tighten that up.
MR. ROTHSTEIN: Yes, as to which question?
DR. COHN: Well, yes to both, that it should cover equally the covered and non-covered entities. Though, obviously, the strength may be a little different.
MR. REYNOLDS: And I think, as I listened to a lot of the comments, this whole idea of business associates -- covered entities, business associates, the whole idea of the stewardship, as we're listening, I think your question brings us to where we have to knit this altogether at some point --
DR. COHN: Yes.
MR. REYNOLDS: -- and say, so -- because next you'll hear us talk about a chain of trust and you'll hear us talk about what covered entities should do with business associates and so on, and, in the end, your question fits well.
So when we step back and say, “OK. How do all the pieces really fit together, so, in the end, if all this happened, what have we got? And I think that's maybe something we need to make sure that we cover in the subcommittee, because I think every one of these points taken alone is good. Knitting them together is even better. So do we really help somebody see what -- you know -- what the end game is not the end pieces.
MR. ROTHSTEIN: So at some point --
MR. REYNOLDS: The end game.
MR. ROTHSTEIN: So at some point, at the end, we're going to go back and make sure that each section, it's clear what they --
MR. REYNOLDS: Well, and I think your question reinforces that further, that we go back and knit it together, you know, so there's a flow, and that's why we've been moving stuff around in the letter, too. If we move this up sooner, then it would fit. Then, when you went to the rest of the letter, and I think that would be helpful. So -- yes, Carol.
MS. MC CALL: In terms of the concept around data stewardship, I'd like to discuss expanding the concept a little bit.
I see a lot here about it's protection, the housing of it, you know, the movement of it, but not anything here, in this framework, about the quality of it.
And, for me, when I look at data stewardship and the role that I play, stewardship includes the quality of that which we are collecting, and it's going to be a vital component. When I start thinking about the report on quality, it becomes a garbage in, garbage out. I may have great protection and collection mechanisms, but if it's still junk, we can't do anything that we want.
So I'd like to open for discussion the concept of including a responsibility to that within the concept of data stewardship.
MR. REYNOLDS: Right. And I think if you remember Justine's presentation, we had almost that exact statement in there. So we need to normalize from what we said up front, and it's probably in the front of the report saying that the quality of that -- and then we talked about aggregation, whether the quality of aggregation or the quality of the data itself, we said that, and I think --
MS. MC CALL: Yes.
MR. REYNOLDS: So we've actually stated it. It was on our charts earlier.
MS. MC CALL: Right. Because I think the framework's great.
MR. REYNOLDS: It's just not -- it has just been not dropped -- been forward here. So I think --
Now, do you have a question on this?
DR. SCANLON: No, it's on --
MR. REYNOLDS: OK. Then Judy's next, no matter what anybody else wants to talk about. Judy's been patient for me.
DR. SCANLON: I think we came up against quality in another perspective, too, which is the issue of when somebody does the analysis and does it right and people are harmed or when somebody does the analysis and it's wrong, they're harmed, that these are harms. OK?
And there's also -- there's harms that are coming from good data or bad data.
But there's a question of what's government's role in providing the assurances that data are always good, that an analysis is always right, and that right analysis is suppressed when it's going to harm somebody.
I mean, those are all seemingly beyond the role of government, because it involves a pervasiveness that we would not find tolerable.
So the question is we've identified these as issues, but is there anything for government to do with respect to them? And I'm, at this point, not sure there is.
DR. WARREN: I have a question about 2.3.1. It's about the first sentence, and I don't know whether this is the one where Paul wants to throw it out or not.
But when I look at the entity be required to statistically determine the ability to re-identify individuals in the data set, what I wonder about then is if a hospital is running an EHR and they're going to make the data in the HR available for educational use and research use, are we now going to require them to certify what the possibility is of re-identifying these patients and their data.
And the reason I ask that is that's putting a huge burden on future research in that they'll have to account or pay for out of their research grants for hospital to do that or it's going to put the cost burden on the hospital to do that or it's going to make our schools have to come up with the money to run these statistical studies or am I reading this wrong?
MR. REYNOLDS: These hands that are up, are they comments on that? John and then Kevin and then -- OK. John.
MR. HOUSTON: When I read that, my first -- I didn't think that there was much of a -- an enormous amount of burden associated with it, but that I thought that if it was done on the front end, in terms of being able to provide some quantitative value to the quality of the de-identification --
DR. WARREN: Which would require the ability of whoever hosts that original data to have a statistician who can do that.
MR. HOUSTON: I don't know if you can get information that could help you determine that or how you do it, but if you knew it up front and when you submitted it to an IRB or whatever, then I think that there's a value in determining whether that risk is sufficiently low, in conjunction with the type of work you were planning on doing to allow that research to go on.
DR. WARREN: So, then, let me take this to the next conclusion. I mean --
MR. HOUSTON: If I can answer your question.
DR. WARREN: -- we're already facing a lot of places that will refuse researchers access to data, and, in some cases, refuse students access to data, because of HIPAA regulation. Whether it's accurate or not interpretation, it's out there. So I just don't want to add another hoop to some of this.
MR. REYNOLDS: Let me comment on the testimony we heard is that de-identified as defined by HIPAA as a threshold -- was it 0. --
PARTICIPANT: 0.4 percent.
MR. REYNOLDS: .4 percent. So that is already in place. That already exists as the threshold for de-identification.
PARTICIPANT: What is 0.4 percent --
MR. REYNOLDS: Possibility of having it re-identified.
PARTICIPANT: That's the statistical -- I never heard that.
MR. REYNOLDS: Yes.
DR. WARREN: But it says here, “to statistically determine the ability to de-identify the individuals.” And so do we know what statistics to use to determine that?
PARTICIPANT: No.
DR. STEUERLE: But -- matching data sets you have and you might not even know what they are.
PARTICIPANT: Depends on what the --
MR. REYNOLDS: OK. Hold on. OK. OK. Good point. OK. Kevin, you had a comment on this, and, then, Paul, you have a comment.
DR. VIGILANTE: So a comment on three levels. I am concerned about the burden this would impose to actually determine that.
Concerns about what the threshold would be above which you would rise that would deem it inappropriate.
And, thirdly, it's the statistical capability varies -- as you were just about to point out -- on the other data sets to which you may or may not have access which serve as the intermediate bridges for identification.
So when Latonia -- what's Latonia's last name?
PARTICIPANT: Sweeney.
DR. VIGILANTE: Presented to us her work at Carnegie Mellon, she happened to have access to voter-registration lists, which were the intermediate step that enabled her to start to sort of form this bridge, but suppose she had access to Visa financial data. Then, it would be probably much more robust.
So the ability to do this is so variable that I don't think one can make definitive judgments about what the statistical capability is or is not to re-identify the data in any given case.
DR. WARREN: I just wanted to rebut Kevin.
I'm trying to read this the way that --
DR. VIGILANTE: I'm agreeing with you.
DR. WARREN: Oh, you're agreeing with me?
MR. REYNOLDS: Thank you.
Paul, will you please continue? Judy doesn't recognize who's for and against her. So we gotta work with her. Paul.
MR. HOUSTON(?): Judy, we're all against you.
DR. TANG: Okay. So two comments.
One is that is the --
DR. WARREN: Shows you how confused I am.
DR. TANG: So the first is -- I guess I'm in agreement with you -- that is the sentence that I proposed to delete. So that would have solved your problem.
DR. WARREN: Yes.
DR. TANG: And then the second even higher level is to say that all of these bonafide, acceptable uses that are overseen -- public health, research, education -- already have a bi, in a sense. So I do not think that it imposes any additional restrictions or burdens on top of HIPAA.
So I think, in both cases, they are not doing the harm that you were reading into it.
DR. COHN: So, Paul, what are you recommending?
DR. TANG: I'm sorry?
DR. COHN: -- about what Paul's recommending.
DR. TANG: Well, I'm saying that she -- her concern is not -- the way she's reading it, creates a concern for her that isn't present, and, further, if you delete the sentence that I proposed deleting, it would also remove her concern.
MR. REYNOLDS: Which one are we reading?
DR. TANG: 2.3.1.
MR. REYNOLDS: Thank you.
DR. COHN: The whole section or just the first sentence?
DR. TANG: It's the whole section that her question's about.
MR. REYNOLDS: All right. We got Steve. We got --
DR. WARREN: I want to rebut Paul.
MR. REYNOLDS: -- John. We got Judy and we got Justine.
PARTICIPANT: Point of fact. What sentence does he want to delete?
DR. COHN: Yes. Was it the whole thing or --
(Several participants at once).
MR. REYNOLDS: One conversation.
Paul.
DR. TANG: I was hoping to delete the following words --
MR. REYNOLDS: On what? 2.3.1?
DR. TANG: 2.3.1.
MR. REYNOLDS: What line? What line?
DR. TANG: 903.
MR. REYNOLDS: Thank you.
DR. TANG: The sentence, “be required to statistically determine the ability to re-identify individuals in the data set, based on whatever method is used to obscure identity and publish that information as part of its collection process.”
PARTICIPANT: You're going to delete that line.
DR. TANG: Yes.
PARTICIPANT: Then there's no recommendation.
PARTICIPANT: There's no recommendation.
PARTICIPANT: There's no recommendation.
DR. TANG: I would take it out.
DR. COHN: That was what I was trying to get to. So --
DR. STEINDEL: Yes, and I'm opposed to deleting that sentence, and I also -- I feel that it also does not add really that large a burden over what -- Yes. I'm serious on that, Larry.
MR. REYNOLDS: Keep going. No, just -- Steve, state your case. Keep going.
DR. STEINDEL: Yes, and this is because it just says, “be required to statistically determine the ability to re-identify individuals in the data set based on whatever method is used to obscure identity and publish that information as part of its collection process.”
Now, if you de-identified your data set using the HIPAA requirements, that level is 0.4 percent. You don't have to determine anything.
DR. WARREN: Yes, you do, according to that statement.
DR. STEINDEL: No. It says, “be required to statistically determine.” I determined it using the HIPAA de-identification method. That has been published as 0.4 percent, and it's against the voters' list, Gene.
So you are totally correct. If you go to multiple linking, but that's part of what this says is use whatever method is used to obscure it.
So if you're saying that this is de-identified, it's pseudo-anonymized data. It contains birth dates, birth date and sex of the people in -- of the pseudo-anonymized group, and you are running it against the population of the State of Mississippi.
Demographers can tell you, just based on what that piece of information is, what's your chance of re-identifying a person.
So it's not really statistically burdensome, because you are saying exactly what you are basing that statistic on.
Now, other people who look at that -- and that's the whole purpose of this. Other people who look at that may say, “But you've included the date of treatment and the credit-card charge for that treatment, and if I link it against the Visa database that has that charge, I can find the person.”
That's totally correct, but, now, they have some understanding of the level of de-identification that exists in that data set.
MR. REYNOLDS: Okay. We have Mark and Simon. Mark and Simon.
MR. ROTHSTEIN: Me Mark?
MR. REYNOLDS: Mark.
MR. ROTHSTEIN: OK. Thank you.
MR. REYNOLDS: I don't see another Mark.
MR. ROTHSTEIN: I understand. I was just looking around.
MR. REYNOLDS: I got the wrong numbers on the slide, but I got one Mark.
MR. ROTHSTEIN: OK. In 2.3, the word, “entity,” is that intended to mean a HIPAA-covered entity or any user of information? I'm in line 900.
MR. REYNOLDS: My understanding is it's any.
MR. ROTHSTEIN: Well, that's what I would think, because, based on my -- the answer to my earlier question.
So maybe we need to, instead of the word, “entity,” any user of information or something like that.
And the other question I had was in 2.3.1, Steve, would it satisfy your concern if a new sentence were inserted in line 905, before the word, “it,” that basically says what you said?
In other words, compliance with HIPAA -- and we can put in the section number with the 18 elements -- will satisfy this requirement, and, under those circumstances, we would not have to do any additional work.
DR. STEINDEL: I have no objection to a clarification like that.
DR. COHN: I'm just -- this moment of grace and delight that we actually were able to come to a solution on that one.
MR. REYNOLDS: We need to keep going --
DR. COHN: Well, I actually just had a quick question about on line 900 whether the word, “de-identifying data” -- I guess I'm getting a little confused about all the terms we're using in the sense of de-identification I thought had a particular meaning that we were using under HIPAA, and I don't know whether we're throwing in de-identification, pseudo-anonymization, anonymization, Jeff's way when he does something and all of that stuff or are we just talking about HIPAA de-identification? I guess that was just a question.
MR. REYNOLDS: Yes, I think -- yes, I think it's a good point. I think -- and that's why I said earlier, we have to be very --
DR. COHN: Careful with our words.
MR. REYNOLDS: -- pragmatic that when we say de-identified it means the HIPAA de-identified, and if we are talking about any of these other numerous definitions --
For example, we actually heard testimony on scrubbed de-identified, which has to be an empty data set. I'm not sure how else you would determine it, but seriously.
So the other thing I ask the group to do -- we, in this room are fairly knowledgeable and can come to a discussion on de-identify, but if you heard the testimony we heard and the significant numbers of definitions, so that the envelope could be pushed, and the envelope was being pushed further and further and further out as we heard it, that's the other thing to keep in mind.
So we kind of get ourselves into a little going back and forth on de-identified, but there's a world out there that if you had sat and heard all the testimony and heard the definitions so that somebody could use it, but still say, “But I'm really -- I really care about the person,” or, “I really care about this,” or, “I really care about that,” that's why a lot of this has to be -- we have to be very pragmatic exactly what word we use.
MS. MC CALL: Is that worthy of an appendix --
MR. REYNOLDS: We talk about definitions a little later, but I'm saying, you know, we've got a lot of this in here. It's just as we go through them one at a time, you feel like you gotta sweep all these other things up to bring them up.
But the definitions is a major theme that we saw that there is no -- Other than de-identified by HIPAA, there is no other definition out there that is a term of art that is used by anybody, except whatever their intended use.
And back to our chart that we have for you, remember the intended use has a lot to do with, “OK. So what are you intending to use it for? And, now, you're saying it's pseudo-anonymized or something else. Well, does that fit -- “
So that's why this whole practicality of where this stuff plays is really the hardest thing that we're all trying to put together, because we only have one definition, but we got an industry that's using 12 or 13 of them.
MR. LAND: I just noticed that in this 2.3, it says -- that it's qualified for the purpose of longitudinal data aggregation. So it's a very specific, limited reference that relate to these two recommendations, and I'm not sure I know what longitudinal data aggregation really means -- use the word “data aggregate” -- “to data aggregate” means that there is no de- -- I mean, you're talking about statistical data.
Where this -- it implies that it's aggregating personal information into a longitudinal history of a person.
So I'm not sure what that phrase means, and if you really want to have it as a limiting factor.
MR. REYNOLDS: And what line are you on? I'm sorry.
MR. LAND: It's line 901.
MR. REYNOLDS: Any comments by the subcommittee?
Justice.
DR. CARR: I think you raise a good point.
I don't think that belongs there. I think that there is a -- one of the interests of the AHIC Quality Workgroup is to be able to link data about a patient longitudinally to understand their care over time, and there was discussion about that, but I don't recall that it was the intent that that would be a modifier of that recommendation.
So we're saying HHS stewardship guidance should include that the entity de-identified data, and then it says, “for the purpose of longitudinal data aggregation.”
So longitudinal comes out, but, I mean, you don't need to de-identify data to aggregate it, because, otherwise --
MR. REYNOLDS: I think we need -- Thank you. We have that as a note.
DR. WARREN: I have two points. One is just a quick one about the longitudinal, I would leave that in there, because I think we are looking at the data to understand what happens to people over time, and it's the over time that's critical, which is the longitudinal.
But the main thing I wanted to come back to is when you take a look at who reads our reports and the recommendations, the whole issue that I brought up, one of the reasons I'm bringing it up is I'm involved in, right now, working on some grant writing, where some hospitals and researchers and things are going to start collaborating, and I can just see that if the hospitals are required to statistically determine the ability to re-identify individuals from the data sets that they provide, that's going to be a huge requirement in that.
Now, if it's been modified the way that we just said, that the de-identification is done the way HIPAA is, then the next thing I can imagine going on in these dialogues is, “So what is the official process for de-identifying data? Is there an official one?” or, “Can you use any process as long as it accounts for the 18 variables or whatever it is that's in that?”
And so I think we get into a huge area of understanding what the words mean.
MR. REYNOLDS: I agree.
DR. WARREN: In this particular area, almost every word, as you put it together, is just loaded. So I really think we need to work at this.
And, again, I apologize for not thinking about this earlier when I read it and reviewed it.
MR. REYNOLDS: No, that's why we're --
DR. WARREN: I wasn't thinking --
MR. REYNOLDS: All right. We've got Steve. Larry, did you still have a comment?
DR. GREEN: No.
MR. REYNOLDS: OK. We got Steve and then Leslie and I want to move on to the next recommendation --
DR. STEINDEL: In the comment, based on what Judy's just said, you know, for instance, if you undertake a research study, and a multiple-institution research study, and it's covered under an IRB and has approval -- it's under the common rule, et cetera, you know, all those good words -- and you have totally identified data, then, you're required to statistically -- the ability to re-identify the individuals. The answer to that question is 100 percent. I can re-identify every one of the individuals.
But it's okay, because it's covered under all sorts of other provisos, and when we go through what we're talking about data stewardship and --
PARTICIPANT: (Off mike)
DR. STEINDEL: We do later on.
That we talk about the risk benefit of the re-identification, and, in this particular instance, while the risk of re-identification is extremely high, well, that's the way we set up the study, because it was approved by the IRB, we justified the reasons for the study, the benefits are considered acceptable for that level of risk.
MR. REYNOLDS: Okay. Leslie, did you have a comment that would move -- I want to go on to number 3 then.
DR. FRANCIS: I just wanted to ask about 2.5, because it wasn't clear to me what exactly you're talking about there about forms of consent management, and it seems to me some illustrations would be helpful.
MR. REYNOLDS: Those would have to do about individuals, what are the type -- Justine --
DR. FRANCIS: Well, what I was interested in was whether, by consent management, you meant substantive standards for consent or whether you meant things like when you use the phrase, “management,” it sounds to me like what you mean is documentation, and I wanted to be sure it was the --
MR. REYNOLDS: Justine, did you want to comment on that?
DR. CARR: I believe that was -- that represents the discussion about there are models right now about opt-in, opt-out, how many people use it and how often, and we heard testimony at least on a couple.
So the idea was, as Kelly had raised, take existing models and learn what you can from these funded models.
MR. REYNOLDS: And that was mentioned in Justine's slide this morning.
DR. FRANCIS: Yes. No, I think that should be specified here.
MR. REYNOLDS: Okay. Margaret.
MS. AMATAYAKUL: I would just add to that that there were also different technologies that we heard about for consent management. So I'll add both.
MR. REYNOLDS: OK. I've only got 45 minutes. We're going to move on to number 3, so that we can, again --
Again, a key thing is we're together for X amount of time. We want to make sure -- we've had good discussion on these. We want to make sure that we at least get some discussion on each one of them, because, then, when the subcommittee picks this back up again, we've at least heard some of the will of the full committee.
So let's go to number 3.
DR. COHN: Well, Harry, just to clarify, not to rush anybody -- Seriously. We obviously need to make sure we have full discussion about these, but we also have time tomorrow, and so, you know, we don't have to do everything that's wild, but we do want to have -- I mean, I think 3, it's critical that we discuss this and get people's perspective, and, then, probably from there, you can review the other recommendations with everybody with the idea that we'll take that on in depth tomorrow, if that's --
MR. REYNOLDS: Yes, I think if there's any way we can get through 3 and 4, I think that will be very, very helpful, very helpful, because that's -- it's all this same thing on stewardship and covered entities and business associates, and I think if we can kind of get through part of that, that would be good.
So let's go to number 3. And our slides are actually in line with what we're going to talk about.
So problems. There's an increasing erosion of trust as more uses of health data are made further from the nexus of care. That's why we were talking using secondary uses over -- a while earlier.
Second is confusion and lack of clarity surrounding HIPAA. Adherence to the letter of the law does not mean trust is assured.
We also heard discussions about what level the current privacy notices are written at, which is right around the twelfth-grade level, in most cases.
Covered entities have only a weak relationship with businesses associates and their agents. We heard testimony that many of them are contracts rather than relationships.
Oh, under recommendation, 3.1, business associate contract enhancements, and you can see the details for those in the letter.
3.2, require agents to have business-associate contracts with business associates. So this is really a chain of trust. You know, if you just look at it as it kind of sits, it says you got a covered entity and they only got one layer deep of business associates.
On the other hand, it can go ad infinitum for lots of reasons, and it gets further away from the covered entity, and it gets further away from the actual person whose data is involved.
3.3, explicit requirements for when and how identity protection is required.
3.4, attestation of business-associate contract compliance. The idea that once a year or once periodically, rather than just signing a contract and then for three -- not doing anything for three years, that the covered entity does some kind of an attestation. A little bit like CMS does right now for most people that are Medicare contractors. They send out an attestation each year saying, “Are you still doing business? Are you still following the same things?” And here's -- what we do.
3.5, de-identified data use by business associate or agent, only if identified in a business-associate agreement. In other words, not necessarily letting them take that data and then start using it in whatever way they would choose to. That's what it's --
3.6 is enforce FTC requirements for privacy policy statements.
Those are the ones that we have there.
DR. TANG: I think we've talked about it in the past in this forum that the business-associate agreements are completely ineffective, I think in principle and in practice, and so hinging any of these recommendations on that, I think, is also likely ineffective.
The strongest recommendation up there is the one to try to use the FTC requirements and its ability to enforce its regulations by if an organization publishes their privacy policy, then they are obligated to follow it and FTC can pursue that.
Your mention of the CMS attestation has an enforcement, an accountability backup that Attestation 3.4 does not have, and that's why I think it would be ineffective.
But if we could construct an attestation of accountability, sort of like the Sarbanes-Oxley, where you did have culpability and accountability, that would be powerful, but we almost need that or the FTC, things that can use existing legal mechanisms, and I almost think it's not worth doing anything about business-associate agreements, because --
MR. REYNOLDS: Just a quick clarification, though, most of the business-associate agreements are contracts.
DR. WARREN: Yes, you don't believe in contract law.
MR. REYNOLDS: Yes.
DR. WARREN: Yes.
DR. TANG: Well, as Harry pointed out, it quickly -- I mean, then you have subcontracts -- I guess it's subcontracts with all their associates, but the requirements are probably infeasible to accomplish and unenforceable.
So the requirements are that somehow the covered entity has an ability to follow all the things that the business associate is doing, even have awareness, let alone --
MS. MC CALL: We actually talked a little bit about this on one of the phone calls I was able to join, and my understanding was this, that what we wanted to do for a person was actually have a single accountable party, that being the covered entity.
However, when I look at what's up here, I actually see that as increasing my covered-entity responsibilities and how I manage every single business-associate agreement, whether it is one degree of separation or n degrees of separation, but that it's being explicit about what the expectations are on me as a CE in how I do that.
And because of that, I think that they do have power, because I think they're explicit.
DR. TANG: Well, the contract law, you're saying, there is no -- there is not a contract between the party about whose information we're -- the party whose information is being discussed does not have a contract with that who can violate my privacy.
MR. HOUSTON: This might take a little while to completely describe, but -- and I think the business-associate concept, I think, is very difficult to manage.
I think that covered entities were all supposed to have separate business-associate agreements in place with each one of these organizations that's doing something on our behalf.
Yet, you know, each business associate, I suspect, has many covered-entity relationships -- you know, business-associate agreements in place with many other covered entities.
And the thought that I'm going to have specific terms that I want that business associate to agree to, and then another covered entity has their set of terms that they want them to agree to, and the thought that anybody's really, in earnest, able to comply, I think, is probably naive, especially when you're talking about business associates are doing high transaction -- or transaction volume type of services, such as billing services and the like.
And the reason why I bring all of this up is that I'm almost of the opinion -- and it dovetails into some of the other conversations that, really, what we almost need to have is some type of statutory business-associate agreement or status and that -- like there's a covered-entity status, and that it wouldn't -- you know, even though there had been a recommendation about trying to expand who's a covered entity, I wouldn't want to give organizations that are business associates today covered-entity status, because that gives them a lot of rights to do things that they don't necessarily have today.
But what I think would be much more feasible and supportable and enforceable would be if you said, “There's a set of business-associate requirements that fall under HIPAA -- or, you know, HIPAA 2 or whatever -- that all business associates must comply with, that there are certain statutory-enforcement principles that would allow not just covered entities, but the government to be able to ensure that they're doing appropriate things, and that there's some teeth to it.
It would also make it consistent, so that it wouldn't be that I, as a covered entity, have a set of terms I'm going to impose upon you and another covered entity has a set of terms, and, again, almost to the point where they're not enforceable, because there's so many different varying terms that how does a business associate even know what their obligations are in total with respect to all of their covered-entity relationships?
So, again, I think you can streamline it, simplify it, but, I think, also make it much more supportable by doing something like that.
MR. SCANLON: Sort of a model set of --
MR. HOUSTON: But we've tried -- there was a model that came out when HIPAA came out, and, unfortunately, every covered entity in the world went out and changed it, and I think that became problematic.
MS. GREENBERG: That gives a lot of power.
MR. REYNOLDS: Yes, I'm a little -- I'm troubled by not the discussion, but if you look at how this is being administered -- using those words -- so covered entities and others are throwing their hands up because the data is going somewhere and they don't know where it's going and they don't know what it's doing.
So if you're looking at the eyes of it from an individual, wow. Business has thrown its hand up and said, “Have a nice day. I don't know what's going on with the data,” and I got a problem with that.
MR. SCANLON: There's hundreds --
MR. REYNOLDS: No, but I mean, I'm using the premise -- using the words in the premise, it says it's too complicated and nobody's accountable, and I think that's the troublesome --
MR. SCANLON: So let's regulate more. I don't think that's the answer either. So create more --
MR. REYNOLDS: No, no. I know, but that's -- no, so that's what I'm saying. So I don't think we can -- I worry about taking that as a position for us, because, then, we're basically just kind of throwing the needs of the individual or what their data kind of --
We got Gene -- I got a whole list, but I know on this particular -- is this on this comment?
DR. STEUERLE: Yes, yes.
MR. REYNOLDS: Yes.
DR. STEUERLE: When I think of this issue in the context -- and I'm not a lawyer, so John and others, the lawyers can correct me, but it seems to me one of the issues is ultimately if something goes wrong, who's going to get sued and for what, right?
And there is a tendency among lawyers, if something goes wrong, you sue every point of the chain of the axis, especially if you're the plaintiff lawyer.
In certain tart law, you know, if they've got some expectation of getting something from anybody, it's worth doing.
And so then the thread is that all along the chain the people -- say it's a hospital providing data for research to a university might decide, “You know what, there's no real gain for us outside of for the public good, and, now, there's an expected cost. Let's just forget it,” even if the law sort of mainly excuses them.
And what I see happening is going on with the business user and with actually the earlier chain where we identified the users.
It seems to me the logic of a lot of our statements are is we'd like to put a lot of the onus of responsibility -- we know we can't put it entirely, but -- comes through this document on the ultimate user that maybe it's the business user or maybe it's the researcher where we really need to put on whatever are the fairly strict requirements we want on the use of the data for the right purposes.
And then the question is is the way -- can you back up the chain, so that the entities further up the chain, the hospital that provides the data to the consortium that provides the data to the university or the hospital that provides the data to Visa, Master Card that provides the data to a group that analyses maybe medical data across the board for purposes of saving money or something, somehow or another you back up the chain, we're not putting the provider of the data in a situation they just can't monitor, because they don't really know. They don't have the ultimate protections over the people down the chain.
It seems the logic of what John is saying and the logic of the earlier diagram, which identified the user, even though all the later statements talked about the provider, was trying to put as much -- can't put it all -- but as much of the onus, the fiduciary responsibility, the threat of the suit for doing wrong on the ultimate user, and trying to be a little bit -- to the extent where you don't think we can enforce further back up the chain, deciding maybe the chain just has to make sure that that user has in place the proper IRB techniques or proper things, so that when they send the money off to Visa or they send the money or they send the data off to the university, they've done their fiduciary responsibility by making sure that university has in place -- not they, the provider, has to examine research the university's going to do or whatever else --
MR. REYNOLDS: And that's why, in privacy, we had talked about anybody that touches it.
DR. STEUERLE: But I wonder if there might -- ultimately -- my ultimate point is maybe the weight of the emphasis here needs to be more on the user, whether it's the business user or the researcher or whatever, in terms of these requirements we think we need in place.
MR. REYNOLDS: Okay. We got -- Simon, do you and -- I saw you and Jim. Do you have a comment on this piece?
DR. COHN: Yes.
MR. REYNOLDS: Okay. Then, good, and then I've got Mark, Mike and Leslie.
PARTICIPANT: My comment's on this, too.
MR. REYNOLDS: OK. Go ahead, Simon, please.
DR. COHN: Oh, OK -- And, actually, it's really more a question for John Paul, just for getting -- trying to get some further clarification.
You know, the concept, and I think the important view here is chain of trust. I mean, to my view -- maybe it's a little different than Gene's -- but you don't want to have just sort of things happen that no one knows about that no one takes any responsibility for and just sort of happen, regardless of whether you have civil rights a penalty or not.
I guess the question, John, I would be asking you is, you know, there are many ways to construct a chain of trust.
MR. HOUSTON: Right.
DR. COHN: I think we have one right here.
You were proposing almost sort of another way of doing that.
MR. HOUSTON: Right.
DR. COHN: And, now, of course, I tend to think simply, not being a lawyer, but I tend to think of things that require legislation as being -- if it's legislation, we should put it in Section 1, and it not likely happening anytime soon.
If it's regulation, it goes 2 to 7, and we might have some chance, just because it's secretarial discretion and the NPRM process and all of that.
And then there's the issue of guidance, which is, you know, ways or models or --
MR. HOUSTON: Best practices.
DR. COHN: -- the practices or whatever, things that may be a little softer, but recognizing that the security guidance recently was not among the softer things I've ever seen that happened.
But I'm not a lawyer, so I don't know where what your proposal fits into all of this. I mean, is it a better tool and --
MR. HOUSTON: I'm just thinking -- I don't know the answer. I understand some of the dilemmas associated with having to use the different avenues to address this issue, and mine's probably -- what I propose is probably the most difficult, because it involves a legislative change.
DR. COHN: Oh, it is?
MR. HOUSTON: I would think so, I mean, because you're really creating a new class of entities under HIPAA that were previously called “business associates.” Now, they're called -- I don't know what you'd call them, but they're not really covered entities, but they're something under HIPAA, and there's a statutory obligation, then, for them to do something, rather than having a contract with a covered entity in order to obligate them to do something. That's the issue.
DR. COHN: Can I respond? Because, in that case, what you're talking about, I think that that actually is covered in 1 as our hope for the future, but not one that, based on my observations of history of privacy legislation in the U.S. recently, that I would necessarily bank on.
I guess the question is what can we do that is sort of real -- what is it called? -- practically possible?
MR. HOUSTON: Yes, that's --
PARTICIPANT: Actionable.
DR. COHN: Actionable. Practically possible, even if not perfect, and this is one of those things where perfection gets in the way of good here.
So what can we do here?
MR. HOUSTON: But, see, the problem with what I think we're talking about as recommendations here is they all still come down to a private contract, a chain of contracts that occurs, and they're difficult to deal with today, at best.
And, as I said, whether we use model language or whatever, we're still dealing with a covered entity trying to manage a business associate who has an agent, and that is -- it's difficult in the best of circumstances.
And it's not a bunch of covered entities not willing to do the right thing. It's, you know, when you have literally hundreds, if not thousands, of those relationships, try to ferret out the issues or when an issue comes to your attention trying to deal with it, it is not something that I think is really working well today.
And I think -- again, I think that these business associates may take a different view, different tack, if they recognize that they have a direct statutory obligation and that somebody somewhere down the road might enforce something against them. That's my only reason for looking at a different model.
MR. SCANLON: Just a couple of observations, and, remember now, every time you add or recommend another requirement, whether it's legislation or regulation, it's the covered entity, whoever it is with this associate, you're adding regulation on them, and you're probably lessening the availability of secondary uses. So, again, you've got to balance this.
Secondly, though, even -- rather than regulation or legislation, you know, in regulatory policy, there are different ways to look at things, and sometimes it's best practices, which become a standard. Even if it's not a requirement in statute, it often becomes the standard by which courts and others would judge the behavior of that entity.
And the concept of stewardship is actually very appealing because they don't have to be requirements necessarily. Could be best practices. They will become standards. They'll become standards. They'll become the standard against which behavior of organizations will be judged.
But, again, every -- we just have to be careful here that we're pulling everything together in overall gestalt.
If we're just adding requirements here, it's becoming a house of cards, and, as a practical implementation matter, you won't have to worry about secondary uses, because there'll be so little of it, no one will ever want to change it.
So just keep in mind the balance, and, clearly, we don't want to suggest that major structures within HIPAA are or are not working, unless we know that they're working -- or not working.
And I wouldn't dismiss the concept of business-associate agreements, unless you have very strong overwhelming evidence that that's the case.
Otherwise, it just creates -- well, I think it just creates credibility problems and seriousness problems.
MR. ROTHSTEIN: On that last point, Jim, I think we did hear ample testimony from a variety of witnesses that the business-associate agreement is really a problem, and I don't recall hearing testimony from anyone who said that business-associate agreements are working well now.
I'm not sure we could make a quantifiable statement, but we did hear this.
I would like to -- and based on my view that business-associate agreements are not working well, I would propose that we make Section 3 a requirement for covered entities, instead of providing guidance. I think we should write HHS should require covered entities to blah, blah, blah, blah, blah.
Now, let me explain why I say this. First of all, if you look at the requirements, I don't think there's anything in there that is really onerous. They're already executing business-associate agreements anyhow.
Now, what this would say is in those agreements you need to have certain information in there, perhaps directing that your business associates follow the data stewardship guidelines that already have been set forth in this document.
The covered entity, statutorily, is the only hook that we have to, at the moment -- it may not be the best, but it's the only hook that we have to enforce these requirements, and I think an annual attestation, a requirement that there be something in the contract -- I would go further and, in fact, require that covered entities post on their website a list of their business associates that handle protected health information, perhaps annually or something like that, and I don't think it would be burdensome.
And as to Gene's point, regarding liability, I think what this would do would be to set out the standard of care that's required, and, as a practical matter, covered entities would require -- and perhaps some already do in their contracts -- hold-harmless clauses which basically would say that in the event that the business associate violates the terms of this and releases information, and the covered entity is sued, that the business associate is going to have to reimburse the covered entity for any litigation costs or expenses or whatever that are paid out as a result of the business-associate's error.
And the result of that is that covered entities will not do business with fly-by-night operations who don't have the wherewithal to reimburse them in the event of a breech.
So I think, overall, it would not be onerous to make what I think are very good recommendations of requirements, and I would suggest that we think about that.
DR. FITZMAURICE: I agree fully with what Mark just said.
What I see is that business-associate requirements are spelled out in the HIPAA privacy rule. The business associate cannot do anything with the data that the covered entity cannot do by law, by the contract. You have to have a contract.
So the business-associate contract can lead to a chain of subcontracts that get further and further away from the covered entity, and it's said, “Gee, they're difficult to manage.” So if they're poorly managed, it causes a burden on the covered entity to manage them.
Well, what the covered entity has to do, under HIPAA, is we find something out, you tell them to stop that practice. If they don't, then you're supposed to terminate the contract. If you can't do that because it would threaten your viability -- your accountant has all this data and if he goes bankrupt or he stops doing it, he walks away with your data.
So, then, what you have to do is tell the Secretary, and then your liability is ended, and leave it to the Secretary to find out how to get the problem solved.
If sued, you want to have, in your business-associate contract, a hold-harmless clause that the business associate agrees to hold you harmless if you are sued. The only hook is the covered entity being sued.
So where should the burden fall, if not on the covered entity who is entrusted with a patient's data to get care? It properly should fall on the covered entity. At least the framers of the privacy rule felt that way.
So what's needed? If there are egregious examples of agents and subcontractors doing things that the provider or the covered entity couldn't do -- I have not seen an awful lot of that, but if there are, they should be taken to court.
You could argue, then, there ought to be better enforcement by HHS on the covered entity to monitor that, but it's not a requirement that it be monitored. It's a requirement in HIPAA you do something if something is brought to your attention.
So are you saying that HHS is not doing its job, that covered entities are not doing their job? Because the job seems to be fairly clear to me.
DR. FRANCIS: I want to add my voice to the suggestion that there should be, at a minimum, certain standards that have to be built into contracts, because contract law is about private enforcement, and if you say a contract has to meet certain standards, then you've got a regulatory hook.
So I think we should push that, but I also think we shouldn't forget that minimum standards are a separate question from chain-of-trust questions. So, I mean, I would urge proceeding on both fronts.
MS. MC CALL: Yes, I like what I'm hearing. I'm not going to take a lot of time, but I would agree with what I've heard Jim say and Mark say, and, I think, now, Leslie say, which is I think that covered entities should be able to demonstrate that every single agreement adhered to a set of guiding principles.
And I also agree that that canon should become part of data stewardship.
And in that first box, transparency and education, but also best practice.
DR. TANG: Well, I like what Leslie proposed, because it creates an obligation that really the covered entities didn't have before, when you traded in statute as amendment. So I really like that hook.
What I wanted to ask Jim for further clarification -- you know, I respect your counsel as far as we do not want to throw the regulatory book at this -- I'm trying to figure out actually -- if that isn't actually the good news.
OK. So --
PARTICIPANT: What's the bad news?
DR. TANG: Well, okay, because you said, well, actually, so if we did that, we wouldn't have any secondary use anymore.
I think the modifier to that clause is of the kind that's not already protected by HIPAA. So if I think through HIPAA does protect taking care of patients, paying for claims, doing research, doing quality, doing public health.
And if I've prevented all the other stuff or made it really hard on regulatory constraints, why wouldn't that be a good thing?
So that's an open question. I didn't -- I'm not trying --
MR. SCANLON: Can I just say quickly, we, in HHS -- and you probably do, too -- we hear every day from providers and plans and hospitals and researchers and everyone else that this is a big regulation and it's diverting resources away from all the other things we should be doing, but everyone understands it's an important value to protect.
And we have heard from researchers who say, “We can't -- there are institutions that won't work with us anymore, particularly those inter-site collaborative studies. It just becomes -- when you add on all the regulation, it just makes it complicated.”
Now, again, you hear this on both sides, but I think the idea of adding regulations without some sort of a clear threat or risk-based approach -- and we do this in regulatory policy generally.
You don't just say, “Well, let's regulate this. Let's stop people from doing this,” unless there is some obvious threat, evidence-based threat, and it's proportional to what the risk is and it's proportionate to what the existing burden is and it's proportionate to what the outcome expected is.
And so, again, every time you make a recommendation for a new requirement or a new statute or something, you're building on the regulatory burden already on the health industry, and, again, you may reach the point where you just -- people just won't do it anymore. It's just more trouble to do it than not to do it.
DR. TANG: So just to follow up on what Mark said, in terms of the testimony we heard, as one example, we heard about Mayo talk about their research and what they do about protecting the data, and all was good in the sense of they got to use the data, they protected it, and their patients also agreed with it. That sounds like a good world.
And so if it's true that all the -- what we would think of are the productive -- you know, the health-productive uses are, one, being allowed to happen, and, two, are being handled in a responsible way, and what we are really trying to do -- because we heard the opposite story about the ones that are -- quote -- unexpected and face no legal or regulatory restrictions, that's actually what we're trying to control. So, ironically, your statement might be a good thing --
MR. SCANLON: Or is the cure worse than the disease? I mean, are you laying on a level of regulation for everyone to get at the potential relatively low-risk or maybe high-risk bad actors?
DR. FRANCIS: If you clarify what's in the contract, what needs to be in the contract, though, it might actually help.
MR. SCANLON: Oh, absolutely. I think the expectation --
DR. COHN: And, obviously, this is sort of in the interest of trying to move us forward, I actually think that we're -- it feels like we're getting pretty close together here in terms of increased clarification of model laws. I mean, model business-associate agreements --
PARTICIPANT: Not models. She said a statutory minimum --
DR. COHN: A statutory minimum. OK. Statutory minimum. Whatever.
You know, I guess I'm sort of thinking that this is something that we should have Margaret work with both Leslie and Mark around trying to put together, framing it the right way, and that that might get us to where we need to be.
PARTICIPANT: And John Paul, maybe.
DR. COHN: Well, and John Paul. Are you willing to go along with this one?
MR. SCANLON: I was talking to Mark about --
MR. REYNOLDS: He is.
DR. COHN: Yes, he is. OK.
MR. ROTHSTEIN: That's what he's telling me. He'd be happy to work with --
MR. SCANLON: Right. Absolutely.
MR. REYNOLDS: OK. We're going to Steve and then Kevin, and, then, we're going -- you think you got it -- you think you're feeling good, we're going to 4. Going to number 4.
DR. COHN: And, then, we're going to try to deal with the other letter and then break up into subgroups.
DR. STEINDEL: I just have a very brief comment, really, and that's concerning Mark's language on using “should require” instead of “should provide guidance.”
And I think the only reason in crafting this we said “should provide guidance,” instead of “require” -- I think everybody is in agreement that it should be “require,” but we used the language “provide guidance” in hopes of giving HHS maybe a means to do this and a suggestion to look at doing it without regulation, to do it through guidance.
MR. ROTHSTEIN: But that's not mandatory.
DR. STEINDEL: That's -- you know, but when you say, “require,” then, there's a very strong sense that we wanted them to go through the regulatory process, and there was also a strong sense, from the crafters of this letter, that we would like it done in this millennium.
MR. ROTHSTEIN: No -- I'm not sure that's right, and I would defer to Jim on this.
There already is a provision, of course, in the privacy rule that spells out the requirements for business associates, et cetera, et cetera, et cetera.
So what I am suggesting could be done without amending that, but providing an interpretation or a guidance of the existing rule of what that requires in a contract, and, then, that would be enforceable against --
DR. STEINDEL: And I was just explaining why we used “provide guidance,” and if Jim is in agreement that the stronger word, “required,” actually fits into what you're talking about, I think that's perfectly acceptable.
What we're just trying to do there is we wanted to avoid regs.
MR. REYNOLDS: We're almost expanding current requirement.
OK. Now, Kevin, and, then, we're moving to 4.
DR. VIGILANTE: (Off mike).
MR. REYNOLDS: Kevin -- we wore Kevin out. We keep them long enough on the list -- .
Let's go to number 4. Margaret, if you'll put it up there, please.
And this follows along that same line, and it might be interesting to look at this from a standpoint as to whether or not -- just how different 3 and 4 really are, and whether or not we -- they may not end up together, just looking at them quickly.
So the problem, potential for personal and group-based harms. Enhance the ability to achieve benefits of HIT and HIE.
And, again, back to some of the earlier comments, our goal is to really enable some of these things by putting some things in place, not to shut them down, as some of the other discussion was on research -- We got these new things that we really want to continue to grow.
And then misinformation from poorly-aggregated health data. And if we added poor quality and poorly-aggregated, we'd get to what Carol had kind of mentioned earlier.
So recommendations for the guidance for enhanced privacy and security protections.
Strong sanction policies and heightened self-policy -- policing. I'm sorry.
Aggressive enforcement of HIPAA by HHS.
Multi-faceted national education initiative.
Transparency, especially clarifying notice of privacy practices and including availability of additional information on business-associate agreements and public-health reporting.
And, then, state law guidance for harmonization and mapping variations.
So this is kind of where this fits. So I'll be happy to open it for discussion.
DR. TANG: Since God made us with only 10 fingers, I would like to take this opportunity to propose perhaps that this is encompassed in set 3 recommendations, and since all these things were -- provide guidance on this and that, that it might -- we could just strike these.
MR. REYNOLDS: So is that a second of my earlier idea?
DR. TANG: Yes.
MR. REYNOLDS: OK. No, it's a thought. I think one of the things we can do is make sure that -- well, let me ask first, rather than just wiping it out --
PARTICIPANT: (Off mike).
MR. REYNOLDS: Well, I know, but what I'm saying is are there any up there that people feel are significantly different than what we talked about already and that would move us forward?
DR. COHN: Huh?
MR. REYNOLDS: No, what I'm saying is his recommendation is to get rid of this whole thing.
I'm saying rather than just go there, we spent a lot of time on 3, and an awful lot of these things just follow on to the covered entity. So it's like we had covered entity 1. Now, we're doing covered entity 2.
And so the point is is there anything that really jumps out there that has to be there or is it the will of everyone that that's complete?
Larry, I saw your hand up.
DR. GREEN: Yes, it's to ask for people who heard the testimony to interpret and explain just a little bit further 4.2 and 4.3.
What are we talking about here about strong sanction policies and aggressive enforcement? What's the idea? What's involved?
(Several off-mike participants at once).
MR. REYNOLDS: Anybody on the committee want to comment on 4.2?
And, again, I think part of what Paul said and part of what we did, these are good words, but back to the earlier comment, does stating this, when, as we all look at it now, again, stepping back from it, does it really add anything to it?
So, Steve?
DR. GREEN: Could I just observe that, to my reading, 4.2 has two rather remarkably divergent ideas in it.
MR. REYNOLDS: Right. OK. Steve and then Leslie.
DR. STEINDEL: Yes, I think both -- first of all, I disagree with deleting Section 4, but I think that's --
MR. REYNOLDS: Give us some words on that.
DR. STEINDEL: -- Larry's point first.
MR. REYNOLDS: Because then I've got one vote for and one against.
DR. STEINDEL: Yes.
MR. REYNOLDS: But give us some words.
DR. STEINDEL: And Larry's point first, but I think both of those were reactions to comments that we heard throughout the testimony that, right now, the enforcement of HIPAA privacy -- and this is one thing we've observed constantly through privacy hearings, et cetera -- right now, the enforcement of the HIPAA privacy regs can be politely characterized as weak, and I think there's others in this room who would like to drop that level down even further.
And, you know, these are in reaction to that that we do have a regulation on the books that actually can do a lot, and that what we would like to do -- and this addresses the point why I would like to keep it as well -- that if we start really enforcing the regulation, but we also teach people about the regulation and what it means, and that we change the notification of privacy to be something that's actually useful, and that -- what was the first one? Well, whatever the first one was -- that we would gain a lot of ease within the current structure of HIPAA in making a lot of the changes that we want to make easier.
We find that the present privacy reg, a lot of people were commenting, it's not understood. It's not used. When you get a notification of privacy, you don't look at it. Everybody is blind to it, that it's either over-enforced by institutions or ignored, and so we'd like to institute some consistency in this.
DR. FRANCIS: It seems to me that, logically, where, at least the recommendations for enforcement, education, transparency and the relation with state law, they don't belong in something that's just about covered entities.
They belong, early on, maybe, in between where the first part of -- You know, the 1 series is about on beyond HIPAA.
Then, the next bit could be, “Well, let's make the most of what we have -- “
MR. REYNOLDS: Which already had one piece, and this could be a second piece.
DR. FRANCIS: Yes --
MR. REYNOLDS: That's what I think --
DR. FRANCIS: -- which would be the next thing.
And, then, the third thing is all the 3s and 4s, which are about the gaps -- which is -- Yes. So anyway.
MR. ROTHSTEIN: I'd just like to quote from our letter to the Secretary in June of 2006, in which we specifically addressed this issue.
We said, “When the privacy rule was promulgated, HHS recognized the business-associate relationship and imposed some limitations to protect the privacy of financial transactions, but the current rule is inadequate to deal with relationships in which personal health information is shared directly between covered entities and their business associates.
“If the privacy rule is not amended, the new system of EHRs and the NHIN would permit domestic and overseas business associates to be able to attain much more personal health information without any more oversight.
“Indeed, in the case of” blah, blah, blah, blah, blah.
And our recommendation, R-23, specifically says, “NCVHS endorses strong enforcement of the HIPAA privacy rule with regard to business associates, and, if necessary, HHS should amend the rule to increase the responsibility of covered entities to control the privacy, confidentiality and security practices of business associates.”
So I think we all already are on record, and, therefore, 4.3, I think is an important part of this document, but it's not anything that's different from what we said before.
MR. REYNOLDS: Nothing new. Which, again, may be a reason to -- necessarily have to say it again.
MR. HOUSTON: It's good that Mark actually read that to us.
I guess my reaction -- and maybe I'm getting a little teeny bit personal -- is that, you know, me being one of the people in the room that actually does very directly deal with the privacy rule -- and I'm a privacy officer and deal with it at an extremely large organization -- I guess that when I look at things like enforcement of HIPPA by HHS and strong sanction policies and things like that, I hate to say it, but I believe that the enforcement program that's in place actually works, and that some people may say there are problems with it, but, yes, I deal with OCR periodically, and we deal with privacy complaints on a weekly basis and more often that that, and I'm very much involved in those things, and, frankly, the process that is in place, I think, though it involves typically OCR working with you and asking what you're going to do about it, often it's -- we've already investigated the issue before they even contact us.
But my point is is that it gets us -- we take these things very seriously. I think most covered entities take these types of things very seriously, whether they get a complaint from a patient or a call or a letter from OCR.
People -- I think covered entities, in a large measure, really do understand their obligations and really do take those things seriously.
So when I see things like enforcement of HIPAA by HHS, I really think their enforcement strategy actually does work, and it does cause us to improve our privacy and look at processes that have failed. We do it all the time.
MS. MC CALL: Yes, I want to go back to your original question, which was kind of a Sesame Street one if one of these things is not like the other, right? And there are a few things that are different.
The things I think that are unique here, and worthy of saving out, are education and transparency, and the states, working with state guidance.
And when I look at those, my eye is then drawn back to the data-stewardship framework, and what I realize is that we've made explicit families of recommendations around everything that's in the middle, but not enough, perhaps, around the very first one, around transparency and education, and the last one, around consumer empowerment.
And then what I then further realized is that the title of this is not about enhanced protection. It's about data stewardship. It's more than just protection.
If we do everything to protect, but don't educate and make it transparent -- You know, where's the J.D. Powers award for how well I do? Where are the irreverent and delightful commercials on TV?
To borrow a line that we heard in our quality Workgroup testimony, you drive a safer car, because Consumer Reports exists, whether you read it or not. And so where are the things that must exist that know that I drive a safer, personal-health-information car? And so I think that can get drawn in.
MR. REYNOLDS: And to concur with that, I like those three also, and I really like if you listen -- you heard the testimony that we heard on 4.5, where it talks about the transparency and the level.
I would agree with John that when somebody is challenged on their privacy, they care, but, for those of us that have read an awful lot of privacy notices for an awful lot of different reasons, I'm not sure that they help in the up front as much as we take them seriously if we have somebody say something about us.
So I think that alone, and the testimony we saw, and the actual writing of some of those that we saw when the people came in to testify to us is a very important point.
MR. BLAIR: I'm kind of resonating to Carol's comments, and, before that, to John Paul's comments.
And my thinking is that, in terms of this framework, which I really like, if we emphasize the transparency, we almost could do away with other specificities, because if transparency is there -- and I'm getting to Paul's comments from before lunch, where Paul said the key issue is the trust of the patient.
So rather than all of the details about what somebody can and can't do, in terms of using the data, it just seems to me transparency gives us an opportunity to dramatically simplify the framework.
DR. SCANLON: I was just going to say that, I mean, I think, John, you're sitting in an institution with a good conscious, and having seen sort of the difficulties of enforcing regulations, sort of another context that I think we have -- we have to worry about sort of the enforcement side, because, even though the vast majority of covered entities may be sort of good actors and take this seriously, it doesn't take a very large fraction before you're talking about a lot of entities that are misbehaving.
I mean, probably, on the provider side, we've got maybe 800,000 sort of providers, sort of -- that are involved here, and so 10 percent is 80,000 that are -- you know -- saying, “Oh, yeah, you caught me. I'm going to correct it,” and, then, tomorrow, it's another story.
So I think we have to be focused on this and not rely sort of on the good character of the majority, but, still, that there's a minority to worry about.
MR. HOUSTON: Back to the issue of transparency in the notice, a little bit.
You know, having drafted the notice for my organization, too, I -- you know, it's -- in a complex healthcare environment, it's difficult to make something as clear and precise as possible that can be read by a certain majority of your patients and contain everything you want to tell them, you know, it becomes pages upon pages upon pages, and we're talking about adding more pages to this.
That concerns me because I don't know how you do this. I don't know how we do this. How we make it more transparent.
If somebody wants to really understand what our obligations are and what our commitments are, it takes some reading, and people say, “I don't want to read this thing. They throw it in the garbage can.” Yet, we want to try to -- you know, we're saying here we want to try to tell people what the rights and obligations are. That's a problem.
And I think that -- you know, in addition to that, we get questions every -- It's funny, last week, I got a question from the Pennsylvania Department of Health about why didn't we have something in our notice of privacy practices on a very, very -- to me, it was -- I won't say a nit, but I was surprised they asked us. “Well, we think you should have this in your notice of privacy practices.”
And so, literally, the reason why I bring that up is that people question every day, “We should add this.” “Should we add this?” “Should we add this?”
We could go on forever adding things to these notices, and it becomes even that much more difficult to get something that the patient population can go through, can understand and people just simply don't throw in the trash.
How do we do this? I don't know. But when I read things like 4.5 and talk about clarifying notices of privacy practices, I really get troubled, and I'm maybe reacting a little bit, but, boy, I'll tell you, you know, if somebody could figure this one out, they could make a lot of money, because there's a lot of people who've tried to make these things very clean and very concise and very legible, and when they do that, they drop off content like the Department of Health wanted us to include.
But when you put the content in, people complain it's so darn long, they can't read the thing. “It's in 2-point font, and I can't read it,” and, you know, they get mad. Where's the balance?
And you almost want to say, geez, there should be a national standard, and, then, if there's any deviation above it, maybe that's what you should put in your notice. I don't even know if that would work -- do it because what we've got today, I'm not sure that 800,000 covered entities -- and I don't' think anybody's figured it out any better than I think what we've done --
MR. REYNOLDS: But we had testimony showing how it could occur.
MR. HOUSTON: I'd love to hear it.
MR. REYNOLDS: Well, fine.
Again, our responsibility is to also hear the testifiers and make sure that we take into consideration what they have to say.
DR. DEERING: I think you actually -- I initially was going to respond to Jeff and then make a comment, and, now, if I might, I would respond to Jeff and John Paul and then make my comment.
And in responding to Jeff's point about transparency being sufficient, I'm going to channel Mark Rothstein, because I think we've been through this before --yes, but you can be transparent about bad policies, and, if, in fact, there's no recourse, then the fact that you've told consumers that you're going to do X, Y and Z, and, in fact, it's unacceptable, then, you've been transparent, but you haven't necessarily rectified the underlying situation.
So I think I'm quoting Mark on that.
MR. ROTHSTEIN: If I didn't say it, I endorse it.
DR. DEERING: From years past. And, actually, Harry, I think you did answer John Paul, that, in fact, there are efforts underway to do this. There are serious efforts underway. People are taking -- it's not easy, but, then, writing privacy legislation isn't easy either, and so, you know, it's not a reason not to try it, but whether to enforce the efforts underway.
I had a very specific comment, though, about Recommendations 4.4 and 4.5.1, at least, which is to endorse what someone said -- and I don't know if it was Leslie -- but that that at least -- and I think we raised this -- or at least I raised it -- in an earlier meeting -- that that does not belong under covered entities and that it be brought forward almost on the same level as one of our other cross-cutting, high-level recommendations, because we were even asked specifically by ONC. Education was one of the very specific things that they asked us to address. It wasn't --
MR. REYNOLDS: You're saying a common theme, rather than a --
DR. DEERING: Something higher, and certainly not buried under the section where it is.
And I do see that 4.5.1 sort of goes with it. I'm not sure that 4.5.2 is quite as clear a link, but, anyway, it could be, but I would be willing to work with Margaret on 4.4. and 4.5 and anyone else who cares about it to see if there's an acceptable way to elevate it.
MR. REYNOLDS: OK. Mark and then Paul, and, then, we're actually going to have another part of the meeting, something else.
MR. ROTHSTEIN: Just two quick comments.
Number one, I think transparency is necessary, but not sufficient basis --
PARTICIPANT: I just said that to him.
MR. ROTHSTEIN: -- for policy in this area.
PARTICIPANT: I violently agree.
MR. ROTHSTEIN: And, number -- you could just agree.
And, number two, transparency should not necessarily be equated with a notice of privacy practices. I mean, that's only one way in which that can be done, and there are all sorts of other methods for transparency, and even though that's in this recommendation, and I don't propose to change it, I think we're going down the wrong path if we view the notice of privacy practices as being the document that's going to bear all this weight of disclosure.
And I think John is exactly right. People with a pain in their gut are not going to read to page 16 before they get their hospital room.
MR. REYNOLDS: OK. Paul, you have the final comment, unless you stir everybody up -- rebut you.
PARTICIPANT: That's a challenge.
MR. REYNOLDS: So please, be gentle.
DR. TANG: So to answer John's questions, I have two statements we could make an either/or.
So one statement would be to apply the filter we talked about earlier and just plain don't do bad things that would surprise your disappointed patients, and if we had laws that would make us do that, that would suffice.
If that doesn't happen, point two, which we've said we wanted, if we could just write to the patients and say, “Everyone who has access to your data has an authorized purpose, a responsibility and accountability prescribed by law to protect it,” I think it would be easy to understand.
PARTICIPANT: The Golden Rules --
MR. REYNOLDS: With that, Simon, I'll turn this back over --
DR. COHN: Well, thank you --
MR. REYNOLDS: We'll be back tomorrow. By popular demand, we will see you tomorrow.
DR. COHN: Yes, and I am thankful in that last context that we do have experts in education and educational theory, Paul, not to anyway disparage your remarks.
DR. COHN: Now, we have one thing that we want to do before we break into subgroups -- and I do realize we're running just a couple of minutes late. Actually, we're about an hour late -- but Justine already knew that I took some of this time.
Well, there is an item for action at this meeting that we actually haven't had a chance to discuss yet, and it is a report coming forward from the Quality Workgroup.
I think you've all received this. Hopefully, you've had a chance to review it.
I do want Justine to review the recommendations, and I think then the question is is this an action item for tomorrow, something you want to deal with today? Exactly where are we on this? And I will take sort of all of your perspectives and views.
DR. TANG: I could repeat something I said earlier, what Justine just said.
DR. COHN: Oh, but don't.
DR. TANG: Put a period at the end of it and approve it.
DR. COHN: Justine, please.
Agenda Item: Quality Workgroup -- Upcoming Report on Quality Measurement, Action September 26
DR. CARR: Thank you, and I will be brief, because so many of you have worked on this, it's not a surprise.
But I just want to thank Carol and Larry, Don, Paul, Marjorie, Bill, Mike, Mary Beth and Susan Canon all gave great -- and Simon as well -- gave great input on this. So I feel like it's been well vetted.
Just briefly, last January, we met with Carolyn Clancy and discussed what role NCVHS Quality Workgroup could play to amplify activities ongoing and be helpful.
And we arrived at the idea of holding a hearing on current state of quality reporting, running the gamut from administrative data to electronic data and sort of the hybrid world in between.
And Mary Beth Farquar helped us tremendously in putting this together.
So we had a tremendous hearing, and there were four themes that came out of it, and then we have a number of recommendations.
So my inclination would be to read the themes and then the recommendations.
I would add that this is not in the form of a letter, because Carolyn asked that we combine -- that, ultimately, these recommendations be combined with recommendations about future states(ph) that are coming out of AHIC Quality Workgroup, and that it be one letter to the Secretary. And so we are working -- pondering and working on the logistics of how this collaboration happens. So today's work is simply to approve the content.
And so there are four themes.
One was that an organization's commitment to performance measurement and public reporting is a major factor in improving quality of care, some of the observations, but we really heard very powerful testimony about how transformative public reporting was.
Second, quality measures must be reliable, accurate, valid and comprehensive, and we heard from an array of models. We heard particularly interesting and exciting testimony about the fact that many institutions are relying and will rely for a long time on administrative data. We saw some very elegant work by Anne Elixhauser and others on doing risk adjustment on administrative data to at least be able to make comparisons more valid.
The third theme is quality measurement must not unduly burden administrative infrastructure. We had heard a few years ago from AHIMA, heard again that in the current hybrid state we still have a substantial administrative burden related to data abstraction and that we want to alleviate that as much as possible.
The fourth theme was quality measurement and data sources are continually evolving, and we heard about two major themes.
One is our understanding of how to think about quality, what to measure, what to look at.
And, secondly, the tools for measuring quality are becoming more sophisticated.
And so you can read the details on that, but I'd like to move to the recommendations.
So with regard to public reporting, one recommendation, which is promote public reporting of quality, in a standardized format to promote consumer understanding and otherwise enhance comparability and learning.
PARTICIPANT: (Off mike).
DR. CARR: Yes, and I think the sense was the perfect should not be the enemy of the good, that we have things today, we have evidence of how transformative it can be.
All right. Under data quality, we have five recommendations. One is support the standardization of specifications of quality measures and their widespread acceptance by a consensus of users, and, parenthesis, as the National Quality Forum has already begun.
Under data quality, I'm going to -- it's going to be called 3. It's the third recommendation of the report. Number 3, define a core set of data elements for assessing quality.
Number 4, work with CCHIT and the National Quality Forum to ensure that electronic health records certification criteria includes support for capturing and reporting these core quality measures.
Five, accelerate U.S. adoption of ICD-10 CM and ICD-10 PCS by publishing the required notice of proposed rule making.
Any objections?
Six, support research for improving measurement accuracy and validity, including risk adjustment of administrative data by the addition of clinical elements.
That's on data quality. Kind of ties in with what we've been talking about today.
Moving on. Performance measurement reporting infrastructure. So this becomes Recommendation number 7. Provide incentives to providers and health plans for reporting quality measures that include additional clinical data of proof and utility.
Number 8, support research for A) specifying, updating and maintaining core measure sets, including prioritization of target areas and modification of measures to align with evolving evidence, cost benefit of ongoing measurement and criteria for retiring unproductive quality measures or reducing the rates of collection and reporting.
B) of recommendation 9 is developing and testing tools that can be used to search free text for easier abstraction of quality measurement data from the medical record.
And, finally, the last theme, evolving landscape of performance measures and electronic health records. Two recommendations, number 9, accelerate adoption of electronic health records as an integral part of the quality reporting and improvement functions of healthcare organizations.
And, 10, develop a roadmap for migrating from quality measures that rely on administrative data to ones derived from clinical data in NEHR with provision for research and development as well as pilot testing.
Questions?
DR. WARREN: Eugene's hogging the microphone.
Could you describe a little bit more on number 3 about how we would go about identifying this core set of data elements and what kind of granularity are you talking about for the data elements?
DR. CARR: Well, some of that work is already underway, under AQA.
To come up, for example, on the ambulatory side, there are, I think, 15 measures that are perceived to be evidence based, relevant, value added, and standardizing those is part of it, that we ask for the information in the same way that each requesting organization can ask for A1C in a different way, for example.
So I don't know. Paul, would you want to say anything more about that, the core data? In other words, Judy said, say more about define a core set of data elements for assessing quality of care.
DR. WARREN: And I guess the question, too, would be would there be a core set for each quality metric or would you standardize the elements among the metric?
So like if one quality indicator has -- I was looking at the same thing as a data element, would it be standardized between the two?
DR. TANG: It's more the latter. So there's a set of data elements that go into measures that clearly are higher quality, and quality of the data element is defined as accurately obtained, accurately recorded, reliably there, et cetera, all those kinds of things.
And if you had that high data quality data element in your measures, you're liable to have a more reproducible, comparable, et cetera, measure. And so that's a core data set that can feed multiple measures.
DR. WARREN: OK. So you're not talking down to the level of a standardized data dictionary for these.
DR. TANG: It could include that or it seems like it should include that.
PARTICIPANT: Ultimately, I think you want to get there.
DR. TANG: Yes. Yes.
DR. COHN: Yes.
DR. TANG: Yes. Why did you say you aren't -- why did you start out saying you aren't --
DR. WARREN: Well, like hemoglobin A1C, we know there's multiple ways to report that. Are we going to say there's only one way to report it, and so every EHR captures it the same way, so that it can then be -- you know -- queried from the EHR and sent on?
DR. TANG: I think, on the one hand, it's yes. If you're saying that everybody has to use the same analyzer, that answer is no, but, yes, everybody should understand what a hemoglobin A1C percent is.
MR. REYNOLDS: Who does this go to?
DR. CARR: Ultimately, to the Secretary, but through a blend of a report from AHIC.
DR. COHN: Yes, and let me clarify this -- it's less than clear how this is all going to work out.
I would observe that this is formatted this way this moment, but also works very well as a letter. So I think the conversation will be, which Jim will take the lead on, as well as the Executive Subcommittee, is exactly how this finds its way to the Secretary.
MR. REYNOLDS: Yes, because -- OK. So -- that's good.
Now, second, in both the letter we were just discussing earlier and in the standards letter, when we use words like, “provide incentives,” are we asking HHS to pay for this --
DR. CARR: Good point.
MR. REYNOLDS: -- or when we say, like on 8B, we say, “developing and testing tools,” are we saying that we want HHS to develop and test tools?
In other words, the reason I'm asking who it goes to is -- I totally agree with the comments, but once you tell me who they're going to, then, it becomes a different vehicle asking different things, and so that's what I -- I'm not quite clear of yet.
So I don't disagree with any of it, and I think they're all good, but soon as we say who it's going to and what we're asking them to do --
DR. CARR: Right. No, very good point, and Paul might want to speak to this as well, but I think the idea was, as part of the incentive to adopt an electronic health record and clinical element reporting, and also the provision of clinical elements, allows for risk adjustment of the administrative data sets.
So -- I mean, I don't encourage provision of through or P for P or --
MR. SCANLON: But it's not just HHS. I think it's any -- I think you're referring to the more general situation of payer, payers. It could include HHS, but other payers --
DR. CARR: Yes, encourage payers to --
MR. SCANLON: Including HHS, I guess.
DR. CARR: To incentivize provision or -- All right. We'll work on it. Yes.
DR. SCANLON: I was just going to say -- HHS responsible for about 600 billion in expenditures, and so --
DR. COHN: That's right.
MR. REYNOLDS: No, no. I know -- Yes.
DR. SCANLON: That's a lot of carrots, potentially --
MR. SCANLON: And we're already paying for reporting --
DR. STEUERLE: I'm reminded of a debate that also goes on all the time that I'm involved in peripherally, but it's on reporting of educational quality, which is an ongoing debate, and, you know, and there are all sorts of issues.
So you finally do test and you measure the level of proficiency of certain students, and you find out, well, that's not really good, because you want value added. Then you get into debates over how do you measure value.
I mean, basically, you know, there is no pure ultimate standard for quality. Basically, we do so badly in measuring quality that we can quickly identify things that should be standardized and compared across hospitals.
But even if we had them, we'd quickly think about 500 things we might otherwise want and other things.
I'm wondering if some of the recommendations ought to be more along the lines of funding groups, and I'm not quite sure what those groups are, but I'm thinking whether they're the consumer reports groups or the watchdog groups or something that actually go out there and try to access reporting by hospitals on quality, given that some of them might come up with a different standard or a different way of reporting quality that might be better than others.
I just wonder whether that's not one way to get at improved quality, as opposed to trying to impose sort of a uniform system of quality reporting, even though I recognize that's needed, too, but I just wonder if that's missing.
And I don't know if I expect you to respond, now, but --
DR. CARR: Yes, I don't think we heard testimony, but it's an interesting idea.
I will say that a milestone happened today. New England -- this week -- New England Journal had an editorial called, “Eulogy of a Data-Measurement Element,” and, apparently, beta blockers for myocardial infarction were something that was about a 30 percent -- the lowest -- the tenth percentile had only 30 percent compliance with that, and, as of this last year, the lowest percentile -- the lowest tenth percentile has 90 percent compliance.
And so, with that uniform compliance of that life-saving intervention across the country, they've decided to retire that as a measure of quality, because we have nationally achieved that level of quality.
More questions, sorry.
DR. COHN: Aaron, Leslie, Steve and Larry.
MS. GRANT: For those of you who don't know me, I'm Aaron Grant with Booz-Allen, and I sort of act as the liaison between the AHIC Quality Workgroup and NCVHS.
And we may be beyond this point, but just to clarify something for Judy with regards to the data elements, that recommendation was based off a recommendation that the AHIC Quality Workgroup made to the Secretary in March with regards to funding a panel to define the core data elements, and I think Paul helps chair that panel that's NQF. It's an NQF panel, and once those core data elements have been defined, they're going to be turned over to HITSP to define the standards.
So, in terms of your question about standards, they're sort of trying to close the loop there, and, then, once the standards have defined, it then goes to C-CHECK(ph), for certification.
DR. COHN: Aaron, thank you.
Leslie.
DR. FRANCIS: I just want to make sure that the header of this clarifies that this is not about the issues about the use of data in quality. This is about how to do quality or about the spillover QA research questions that are -- all the stuff that's taken up in the secondary uses discussion.
And the only reason I say that is you don't want this to look like -- because of what it writes about and what it doesn't write about -- that it's by a kind of negative implication suggesting that it's not as worried about those issues.
Just a line in the title that makes clear that this is not about the problem about getting data or when quality becomes research.
DR. CARR: So this is within TPO.
DR. FRANCIS: Yes.
DR. COHN: We'll think about that one.
And I think, actually -- let me maybe even more generalize that that -- for example, I noticed in Recommendation 5, we need to reference -- assuming there's a letter that comes out tomorrow on 5010, we need to be referencing that other HHS letter that relates to that.
Similarly, there needs to be -- I think what you're describing is something that frames that this is one of a set of recommendations that relates to quality, et cetera, et cetera. I mean, that's what you're saying, right?
DR. FRANCIS: Yes.
DR. COHN: Okay. Good. Steve.
DR. STEINDEL: This is just dovetailing a little bit on what Aaron just said.
You make no mention of HITSP, and HITSP is developing an interoperability specification that really is focusing mostly on 2, but somewhat on 3, as well, and I think there should be a reference to HITSP --
DR. CARR: Okay. Will do.
DR. GREEN: I have a comment and a question.
The comment is I wish to applaud Justine Carr. She has given me an operational living definition of patience and resilience as we rewrote this thing. I was very impressed.
DR. CARR: I'd like to acknowledge my mentor, Harry Reynolds, who's taken me --
MR. HOUSTON: This evening, at dinner, we're going to do a Justine Carr roast.
DR. GREEN: My question rose from my satisfaction with this document. I have no complaints about it. I'm quite happy with it.
And I know that we started off focusing on hospital data, and it's titled, “Hospital Data,” and our testimony was from hospitals and about that.
But now that it's nearly a completed document, it strikes me as how it's really not about hospitals, and that it's really about quality measurement in public reporting in the current healthcare environment.
And we do have these threads that came through the testimony in our hearing. Case in point, needing point-of-admission data, that half needs to come from another source.
And this little document, seems to me, is delightfully positioned now between all that care that happens before you get to the hospital and all that care that comes after you leave the hospital and that this is sort of like our entry point to the real agenda about quality.
And my question is is there a way to -- as it's clarified whether this becomes a letter to the Secretary or a part of something else -- is there a prudent or useful way to position it as a good starting point in this conversation in the continuum of care about public reporting?
DR. CARR: Trilogy.
I agree with your comment. I think you're right. We can -- although, our testifiers were from the hospital environment, our report recommendations go beyond that. So I agree. We should take that out of the title.
And I think we'll speak tomorrow at the workgroup meeting about the -- as you suggested -- other venues and other avenues.
DR. COHN: Yes, and, actually, one way to handle this one, given that you actually only did hear testimony from the hospital environment, so be careful about expanding your scope without having data to support it.
But, certainly, I think there's framing language that you could put in here that I think maybe almost says what Larry was just saying about -- with hospital and we would observe that most of this also applies across the spectrum or part of the spectrum or whatever. So --
DR. GREEN: To my ear, our strongest support for doing this was -- were those comments made in the hearings about how it's not fair to hold a hospital accountable for certain quality issues that are really not reasonable or feasible for a particular patient, because of the circumstances under which the hospital received them or because of the circumstances into which the hospital sends them.
And it's sort of -- I'm just looking, Simon, for a way to sort of continue on the quest for the quality enterprise and getting the information that we need to advance it, and this is good, and it seems to me like it's got two hands that can sort of reach both directions if we could just figure out some way to do that.
DR. COHN: Well, I think we're talking about wordsmithing or framing language also on all of this, which I think would hopefully deal with what you're describing.
You know, I guess I'd say a couple of things, and I'm undecided exactly what we should do as a next step on this one.
A) I think it's very good.
I would observe that I think what people are sort of asking for is is that the recommendations sort of lack sort of like who and exactly what, and they're more along the lines of truth and beauty and the American way, and, “Go North, young man,” and -- you know -- and things like this.
Having said that, given that we have this sort of funny -- you know, funny sort of dance right now that we're doing about what happens with this thing, it's hard to know whether we should be trying to get to that level of specificity at this point.
I'm just -- we don't exactly know exactly how this is going to be packaged exactly to the audience.
So I guess I'd ask the -- rather than voting on this right this second -- maybe the Quality Workgroup could confer about that in the morning -- knowing that you do have a meeting -- come back and provide us guidance about, you know, given that, I think, Mary Beth will be joining you tomorrow morning and, hopefully, will help provide some guidance about all of that.
You know, it would be nice if we could pass this tomorrow, even though we may not have all of those pieces settled, maybe allowing the Executive Committee the leeway to modify some of that with guidance.
But I would defer to all of you on how we want to proceed on that.
But, fundamentally, I think we all look at this and go this is a very good document that's had a lot of polishing and is very thoughtful.
Does that make sense in terms of moving forward on next steps?
I'm not hearing anybody having any major issues. People are only having the desire to make it better.
DR. CARR: And thank you, again, to all of the committee members who participated. It was a very excellent collaboration.
DR. COHN: Yes.
Now, having said that, 26 minutes late, at this point, and we do need to break into subgroups.
(Whereupon, the plenary session was adjourned at 4:30 p.m.)