[This Transcript is Unedited]
Hubert Humphrey Building
200 Independence Avenue SW
Washington, DC
MR. REYNOLDS: Everybody ready to get started please. I'd like to welcome everybody to the first of two days of the meeting of the National Committee on Vital and Health Statistics. The National Committee is the main public advisory committee to HHS on national health information policy.
I'm Harry Reynolds from Blue Cross Blue Shield North Carolina, and the Chair of the Committee.
I want to welcome Committee members, HHS staff, and others here in person, and also those listening on the internet. I would like to remind everyone to speak clearly and into the microphone.
Let's now have introductions around the table and then around the room. For those on the National Committee, I would ask if you have any conflicts of interest related to any issues coming before us today would you please so publicly indicate during your introduction.
I have no conflicts.
MR. SCANLON: Good morning, this is Jim Scanlon, I'm the Deputy Assistant Secretary for Planning and Evaluation here at HHS, and I'm the Executive Staff Director for the Full Committee.
MR. BLAIR: I'm Jeff Blair, Director of Health Informatics at Lovelace Clinic Foundation. There is one relationship that if the subject comes up might be a conflict of interest. Lovelace Clinic Foundation is one of the recipients of NHIN trial implementation contracts for the NHIN.
DR. WILLIAM SCANLON: Bill Scanlon, Health Policy Research and Development, member of the Committee, no conflicts.
DR. STEINWACHS: Don Steinwachs, Johns Hopkins University, member of the Committee, no conflicts.
DR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and Quality, not a member of the Committee but a liaison to the National Committee, and staff to several subcommittees.
MS. TRUDEL: Karen Trudel, Centers for Medicare and Medicaid Services, liaison to the Committee.
DR. SUAREZ: Walter Suarez, I'm with the Institute for HIPAA/HIT Education and Research, and also a member of the Health Information Technology Standards Panel, a board member, and a chair of one of the subcommittees or technical committees. I think that if anything comes up with respect there might be some potential conflicts, although I am a volunteer member of that committee. I am also a member of the Technical Advisory Panel to the Health Information Security and Privacy Collaborative, and a member of one of committees of the Certification Commission on Health Information Technology. So those three projects might come up today might create some potential conflicts.
MS. MILAM: Good morning, I'm Sallie Milam, Chief Privacy Officer for West Virginia's Executive Branch Healthcare Authority. And I'm also the Executive Director for West Virginia Health Information Network. And we are also, like Jeff, a prime contractor with the NHIN.
MS. MCCALL: Carol McCall, Vice President of Research and Development in Humana Center. No known conflicts.
MR. LAND: Garland Land, National Association for Public Health Statistics and Information Systems, member of the Committee, and no conflicts.
DR. FERRER: Jorge Ferrer, Veteran's Health Administration.
DR. GREEN: Larry Green, member of the Committee, University of Colorado, no conflicts.
DR. OVERHAGE: Marc Overhage, Regenstrief Institute, and Indiana Health Information Exchange, member of the Committee, and we too are an NHIN contractor should that come up.
DR. HORNBROOK: Mark Hornbrook, member of the Committee, Kaiser Permanente, no conflicts.
DR. CARR: Justine Carr, Caritas Christi Healthcare, member of the Committee, no conflicts.
DR. WARREN: Judy Warren, University of Kansas School of Nursing, member of the Committee, no conflicts.
DR. FRANCIS: Leslie Francis, University of Utah, member of the Committee, and no conflicts.
MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics, CDC, and Executive Secretary to the Committee.
MS. WISEMAN: Jennifer Wiseman, Personalized Healthcare Initiative here at HHS.
MS. KANAAN: Susan Kanaan, writer for the Committee.
MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC, Committee staff.
DR. KYLE: Frank Kyle, American Dental Association.
MS. MILLER: Laura Miller, Executive Director for the National eHealth Collaborative.
MR. WANG: Wang, Social Security Administration.
MS. JAMISON: Missy Jamison, National Center for Health Statistics, CDC.
MS. BUENNING: Denise Buenning, CMS, Office of eHealth Standards and Services, and lead staff to the Standards Subcommittee.
MR. DECARLO: Michael DeCarlo, Blue Cross Blue Shield Association.
MS. VIOLA: Allison Viola, American Health Information Management Association.
MR. REYNOLDS: Before we start the rest of the agenda, I'm going to let Marjorie talk a little bit about movements throughout the building. Most of us who were here yesterday for the hearing understand that, and the rest of you will shortly.
MS. GREENBERG: This is mostly for the benefit of people who don't have federal IDs. I just learned that a few of our members have just had theirs confiscated, because I guess they had expired. So please let Katherine Jones, who is here right now, or Cynthia, know if you do not have a valid or unexpired federal ID, which you would need in any event in any federal building. Since we last met here we have learned really only on Monday that there are new upgraded security procedures, I guess you might call them upgraded, in this building. What impacts us most significantly is that the guards will no longer sign people in or call up here if someone needs to be signed in and escorted up. We have somebody posted full-time. Unfortunately they're behind the guard station, so I myself had trouble finding them. But in any event, you have to be obviously signed in by somebody we provide, and in addition we have been told that if you do not have a federal ID you must be escorted at all times when you're in the building including going to lunch, going to the restrooms, what have you. That if you are not wearing your federal ID and are unescorted you are at risk of being escorted out of the building. This we ask your forbearance on this, and I think, although we'll confirm this later, we probably will not be meeting in this building the rest of the year. We do have backup reservations at NCHS. I know people like to meet down here, but like my secretary is downstairs the entire week, and it's not exactly a good use of her time. So I apologize for any inconvenience, and particularly to our non-federal if there are any visitors. I know we had quite a few yesterday, and we'll just try to work it out. But if you run into any additional problems just let us know, we'll try to work them out.
On a happier note, you see we are having a dinner social. Can I have a show of hands as to who is planning to go to that tonight? Okay, great. If anyone of you decides later they want to go, just let us know. We usually can accommodate additional people. I think that will do it. I do want to thank my staff in particular. This has been a challenge for them.
And if you'll just let me, I would like to thank Judy and Jeff for the outstanding hearing that they organized yesterday, and you'll be hearing more about that.
MR. REYNOLDS: Next thing we want to do is turn it over to Jim Scanlon to give us the department update, and start our journey through all the changes that are going on, all the opportunities that are available, so it would be a good time to start taking notes, because this is going to be a full day.
Department Update; Transition Update; CMS Update
MR. SCANLON: Good morning, everyone.
Since we met in I guess November, a lot has happened, a lot of very big things. Let me update you this morning on the transition and new leadership in the new administration and where we are, and then I'll talk a little bit about the Recovery Act, which actually contains funding for almost all the things the Committee has been advocating and promoting. A lot of money there for health IT and other things. Then I'll bring you up on the budget normally, and a little bit about health policy and health reform.
First, just a quick update on transition. Obviously, the President was sworn in on the 20th and the transition was officially over. Cabinet heads have been named and been confirmed for many of the departments, obviously. For HHS we are still awaiting a nomination, so we may be one of the last cabinet departments to actually get a secretary. But in the meantime, probably two dozen political staff and leadership are already here in HHS. They are taking over some roles, and obviously we consult with the political leadership before we do anything.
In addition, all of the agencies and offices within HHS are headed now by the senior career deputy official, so really in most cases it was the deputy of the agency. These are very highly qualified experienced folks who run things anyway, so from an operational programmatic point of view there's no interruption in operations or services and so on, and all of that continues. We will just look to the weeks ahead in terms of a secretary designate, and then following up from that.
Secondly, the budget process is a little more complicated this year than normal. There are probably three budgets going on at any one time. And, of course, we have the Recovery Act, which provided for a large infusion of funds to HHS and other agencies. In many cases it's a one-time infusion, but I'll go through some of the provisions here. Many of them are areas that the Committee has worked on and made recommendations in for quite a while.
Just quickly on the budget. As you know, we are now in fiscal year 2009, and we basically had a continuing resolution until March 6th, so we will technically run out of money on March 6th. But the Congress is acting on an Omnibus Budget Bill for the rest of the year that will provide funding. We don't have details yet, but it probably will be somewhere between what the Senate and the House versions previously for '09 were, and it looks fairly reasonable for HHS.
Again, it's hard to predict what happens. This is the House bill, the Senate has to have its own bill, they'll go back and forth about where exactly the numbers should be. You don't win any bets predicting how this is going to turn out, but at any rate that process is under way.
For 2010, which begins in October, the President last night gave – this will be the first budget for the new president – the President kind of gave an overview last night of not so much a detailed budget but an overview of what will be initiatives in the 2010 budget. A more detailed budget will follow, and the full budget submission I think will occur in April, just catching up to the budget, and then Congress will have to deal with that. Then before long we'll be working on the 2011 budget. So we're always dealing with three budget years at any one time.
The biggest budget news probably though, and certainly the biggest health IT news, is the American Recovery and Reinvest Act, or the Recovery Act. That has provided a large infusion of funds to HHS and other agencies. Let me take you through that, and let me take a little bit of time there.
The Act, and it's abbreviated apparently as AARA, so we call it the Recovery Act, for HHS it actually gives us about $137 billion. Some of this is one-time spending, some of it is a couple years spending, but the whole idea of the Stimulus obviously was kind of a one-time infusion of funds that would create jobs and otherwise do good and otherwise be transformative. So I think those are the criteria that we're looking at.
Tremendous pressure now that it's passed to get the money out to the states. Much of the Recovery Act is geared towards state fiscal relief, but like other parts, these are all to do good and preferably it will be transformative as well. In many cases you could view some of the health provisions here as the first stages of health reform or health systems change. These are things that have been proposed for a long time.
Back to HHS, roughly $137 billion total over a couple years, at least until the following September. Of that $22 billion is on the discretionary side, and the rest of that money is associated with entitlement programs like Medicare and Medicaid and the welfare programs.
On the health IT side, the Act provides a total of $20 billion dollars, that's billion, not million, $20 billion, unheard of numbers previously. Let me take you through that carefully here. $2 billion dollars would go to the Office of the National Coordinator for various activities, and the rest of that for the most part, $17.6 billion I think it is, would come downstream a bit through Medicare and Medicaid. This would be incentives to hospitals to doctor's offices on the Medicare side and then on the Medicaid side to adopt and implement electronic health records. There is a scale that would provide funding over a three or four year period, and then would drop down to zero, and in fact you would be penalized if you didn't have some sort of system at the end of that period. And I will take you through that. But that is a little downstream. It begins in 2011, those incentives begin in 2011.
Prior to that obviously a lot of work would need to be done. Again, the details would need to be worked out, but the idea would be for qualified or certified electronic health systems, not just anything you could buy, but there would be some criteria about what makes – and there are some features in the law that say what's in mind in terms of criteria for such systems.
In addition, we have about $85 in the Indian Health Service. Actually, it's more than that, it could be used for health IT enhancements or for construction. We will have to see how that's divided up. And in the HRSA, the Community Health Center Program, I think there's about a half billion there too, $500 million for health IT enhancements with community health centers and other safety net providers. Those will probably be grants. Again, I think the Department will be looking at what exactly qualifies if you get this assistance what kind of a system are we talking about. It's not just anything you could buy, it would have to meet certain standards of interoperability, and meet the standards adopted, and so on.
The Act also, number one, codifies and establishes the Office of the National Coordinator. So it would be officially in the statute. In addition, it sets out a process to promote and adopt standards in a number of other areas. Again, you have seen earlier drafts of this bill, but essentially it creates a process whereby HHS recognizes standards. I think the assumption is that this is cumulative, so all of the work done previously relating to standards would be part of that foundation. Hopefully we don't have to start all over again there.
It creates a policy committee, a health IT policy committee, which would be a FACA. It creates a standards committee, which would be a FACA. And it provides a number, probably half a dozen grant programs, loan programs, demonstration programs and so on, to assist states and others in the adoption of health IT. It also provides funding that was mentioned to Harry previously, it provides funding for the education of clinical and health workers in using health IT and in developing curricula, and it also provides funding for training in health IT. This is really everything from certificate programs to courses to doctoral degrees. So this is looking at the workforce as well.
Also, $300 million is earmarked for regional or sub-national efforts. We made health information exchange, so again we'll have to work through what the mechanism is there. And $20 million is transferred to NIST in its role of kind of working with the industry on testing capacities and capabilities and so on. There is also funding to create this concept much like the agricultural extension service for health IT assistance. How that will look in the health sector we'll have to see, but there's funding to create an extension service and research centers as well.
So it really cuts across the whole board in terms of assistance and to promote interoperable electronic health records and health IT. It also includes some additional provisions in privacy and security. For example, it expands HIPAA, it establishes a federal breach notification requirement. Again, there would be some threshold there. It applies HIPAA security standards and privacy rules to business associates, and there are some other details there, so we'll have to work on that as well. It also provides for education relating to health information privacy.
The Department has already started, obviously, working through these provisions, what would the mechanisms be, what would the amounts be, and how would we actually accomplish this.
Jeff, I think you had a question there?
MR. BLAIR: Should I save it to the end until you're finished?
MR. SCANLON: Let me finish. I have one more thing, Jeff.
Let me turn to the population public health side for a minute. There is, let me look at my summary table here, we have in terms of public health some ideas that have been talked about for quite a while. There was created a prevention and wellness fund in HHS for $1 billion. Some of that money goes to CDC directly and other places, but some of it is in the Office of the Secretary too, to work out. It includes some earmarks for healthcare associated infection reduction strategies program and a number of other things. But basically this is a concept that a number of folks had proposed in the past, a health prevention and wellness fund that would be used for a variety of purposes.
Comparative effectiveness, $1.1 billion. Some of the money goes to AHRQ and NIH, and $400 million stays in the Office of the Secretary for the priorities that might be developed there. This is, again, the focus is actually on the comparative effectiveness research, comparing one treatment, one intervention, with another, that sort of thing.
There is money on the welfare side, $10 billion goes to the National Institute of Health. Some of that money will go to buildings and facilities, instrumentation and extramural lab construction renovation. Remember now that one of the focuses here was on job creation and getting the money out right away, shovel-ready projects for the most part. And literally at the NIH campuses, in pretty much every state and county has some NIH facility, there would be funds available for construction and renovation as well. Again, the NIH structure is generally through grants. Grant opportunities are announced and people apply for those.
As I said, the Health Resource and Services Center, there is money there for community health centers modernization for health professions and for health IT. On the welfare side we have a couple of other things as well.
This is a very broad infusion of funds. I think the idea here is that some of these things, the prevention and wellness fund, comparative effectiveness, and health IT, are probably elements of health reform change anyway, and I think many folks view that as essential to and probably prerequisites to some sort of health reform.
Again, the President announced last night that among his priorities were health reform. So we should see in the 2010 budget at least a down payment on some of the elements of health reform there, and the details will emerge over the next few days. Let me stop there. A lot to absorb, for the public health and for health IT, I think this is really a quantum leap. It's not just more of the same, but it actually provides some of this as new territory, the amount is so much larger that it could be transformative. I think the idea here is that you can always spend money, obviously. That's not the issue. HHS can spend money, all of you can spend money. The idea was to do some good with it and do something transformative with it if possible, in terms of public health and health reform.
Let me stop there.
MR. REYNOLDS: I have Jeff, Jorge, Garland.
MR. BLAIR: Of the $300 million distributed to health information exchange networks, originally that was a line item that was listed under immediate funding under section 3011 in the House Bill, it was Item 8 under B.
MR. SCANLON: I'm impressed, Jeff.
MR. BLAIR: And in the conference report Item 8 was gone, but you still referenced the $300 million is still there?
MR. SCANLON: Yes.
MR. BLAIR: Is it now under 3013, which is under state funding? In other words, do the funds go through the states under the states designate who the HIE is? Or what is the process for that?
MR. SCANLON: We are working on it, you're right, we've gone through several versions of this bill that it went into a conference, and we kept track of all of the titles and so on. Some of them, I'm not sure what happened.
But in terms of the implementation of the parameters of that program and some others, we're working on that within HHS. We are working on implementation plans for every title and subtitle, what's the program created, is it an existing program, and how would we do it.
MR. BLAIR: I would express an opinion on that, and that is if the intent is for immediate funding if it does go through state governments there could be significant delays in getting the money out. So I just expressed that thought.
MR. SCANLON: Sure.
MR. BLAIR: The other thing is could you explain the significance of codifying ONC? What actual changes in the operations of ONC or its authority is implied with codifying ONC?
MR. SCANLON: Number one, remember the office was created by an executive order. Any president can reverse an executive order or do another executive order. It is always preferable for a federal agency to be based in statutes, and to have specific authorities and budgets, just as a general principle.
I think what it does is it creates statutory authority for the office. It probably gives them more things to do as well, and probably gets them on more solid budget footing. Again, that's sort of a year to year thing. In general, otherwise, Jeff, it's administrative discretion. A president could eliminate that or change it. The secretary could just decide they're not going to do it anymore. For something of a high priority, it's not unusual to codify it and say this is the way, this is how it operates, this is how it organized, this is what budgets we have in mind, this is what the functions are. Then most agencies would want to be there. It is much preferable to have a statute for your establishment.
MR. REYNOLDS: Jorge.
DR. FERRER: Jim, are the funds for the – is that just for an adjustment, or is there actual – for -
MR. SCANLON: Karen, you can help me here. We're working through this. But basically this is a little downstream. You're talking about the Medicare and the Medicaid provisions?
DR. FERRER: Right.
MR. SCANLON: We actually have a workgroup working through these, but Karen will probably have the details. There is a formula for meaningful use of the EHRs, there is some threshold, and it actually provides funding for those hospitals and those professions. Harry, probably has -
DR. FERRER: But the initial cost is borne by the hospital and the physician's office, correct?
MR. SCANLON: Karen is going to answer that.
MS. TRUDEL: The incentives are not based on amount expended; they're based on a formula that's in the statute. Now, the logistics for computing and pushing out those funds are still very much under discussion.
MR. REYNOLDS: We have Garland.
MR. LAND: I understand that there is a potential for the National Center for Health Statistics to obtain some of this money for national surveys in vital statistics. Can you speak to any of that process? I know that CDC is going to be reviewing National Center requests, and somebody here in the department is going to be reviewing their requests. Can you speak to that process? That is question number one.
And then secondly, I know the President referred to there will be a website to track whatever is coming out of this. Will that be specific enough for what's happening within the Department, or will you have your own website? How can we find out? You know, you're talking about twenty-some billion dollars in discretionary money, and how do we find out more about where that's going and how that's going, and so forth?
MR. SCANLON: Let me answer the second question first. The website is recovery.gov, and that will be the central government website for all the money in the Recovery Act. It is going to be fairly detailed in terms of what the amount was, what the purpose. The intent is to track, and we're certainly working on this already in HHS. Literally, every grant dollar in terms of what was it for, who got it, and how was it used. Sometimes it's the state, and sometimes it's not governmental organizations, and sometimes it's contractors. All of that should be on recovery.gov. That is already active, so there is some information on there already. And it will be populated with further detail as the money works its way through.
We've already announced through HHS, for example, for the Medicaid assistance, the increase in Medicaid match for the states. We announced that on Monday, so that is going to be going out, and we'll be announcing some others right away. We're trying to get this money out if it's going to serve the Stimulus. But anyway, recovery.gov will be the main website.
If we have one, Garland, it will be supportive of. I don't think every agency is going to create its own website, but we may. If we create one it will be supportive of the main website, recovery.gov.
On the other side in terms of spending, there were some versions of these bills that actually mentioned money for the National Center for Health Statistics as part of the prevention and wellness fund. That did not make it in, from what we could see, in any language. But again in HHS we are now implementing these provisions. For the prevention fund, for example, we are entertaining proposals consistent with the intent of the Act and the purpose, for how the funding – some of it is earmarked, so there's no question it has to be immunization or hospital acquired infections, and so on. But there is still a pool, and those proposals are being – folks are developing proposals, they go to workgroups and so on and there will be decisions made about how to allocate that money, if not fairly quickly.
MR. REYNOLDS: Leslie.
DR. FRANCIS: What's your understanding about how it's going to get worked out about who does what, both in terms of – I mean there's an incredible possibility for reduplication of efforts on all of this, and obviously privacy is one place where that could happen, standards is another. With the codification of the Office of the National Coordinator, will they be doing that? Should each of us as subcommittees just be thinking about what interesting input we could give on these questions, running the risk of being voices out in the wilderness? I don't have any sense of that at all, and any wisdom you have on that would be much appreciated.
MR. SCANLON: For our parts of the bill, HHS, we are deciding in terms of implementation who exactly carries out that provision, and who is associated with it, in terms of the agencies. If it's privacy, there are specific offices that are either mentioned in the statute or it would be the logical place in HHS.
So I think in HHS we have processes under way, and they're moving very quickly, that will basically go through every provision in the statute, we know how to do this in HHS, and what we think the dollar amount associated, what we think the mechanism is, what's the deliverables the regulation is – announcement, and so on, so we have folks doing that right now. A very high priority, probably the highest priority in HHS at the moment.
In terms of the agencies, and maybe working with another agency, that will all be, if it's not already stated in the statute, it will be very clear, and there will be accountability for these things.
In terms of how you work with these things, it's a little bit like it's clearly a fast moving train here. I think there are provisions in the statute that indicate that, and the process standards and adoption part of the statute, the first subtitle, for the overall process of how standards are proposed, adopted, and so on, there are provisions that indicate that the secretary can consider the recommendations, so the NCVHS in these matters.
The other thing is, again, I've always urged the Committee, you know, don't go off on tantrums unless we have the client, unless somebody's asked for or we can anticipate that somebody will ask for it. We're not a regulatory body, we're not a government agency, but there are numerous things here I could see where there will be regulations, for example, on these privacy provisions, there will be some policy development before that, and I think there I certainly would urge the Department to ask the Committee to provide the input wherever they can. It is just the specifics I can't give you now, because we're just sorting it all through.
MR. REYNOLDS: I would like to make a comment on that, too. Obviously, I spent some time with Rob Kolodner, and Jim and I spent some time, and we had a hearing on standards yesterday where everybody was talking about the same things. Laura Miller's going to talk about NHIC. You are going to hear from Rob and Charles Friedman on ONC. Then you notice we have a little bit of time to discuss some things afterwards, and throughout the next couple of days. So I think that's part of our assignment, and I think we can list some notes of how we see some of our subjects playing, and so on. I think that's going to be key.
So I would ask you to listen intently this first part of this, and a lot of us got to listen all day intently yesterday, as to how things are going on. Then we have Karen and some others who can help us.
I think having jumped to the conclusion this morning, listen intently, and then we'll see how it plays as we go forward.
DR. FRANCIS: Could I just follow up? The reason I asked that question right now is that there are plans going forward to put some hearings in place and it feels a little chicken and eggish. So the more guidance we can have -
MR. REYNOLDS: You will get guidance, that's what I'm trying to say. Just listen through this morning, and then we'll all work some guidance. That is part of the job.
Okay. We have Walter.
DR. SUAREZ: Thank you. I have three quick questions. The first one is about the $300 for HIEs. I believe that is part of the $2 billion allocated to ONC, so ONC would be the one responsible for dispersing the money and working with the states?
MR. SCANLON: It would be the administrative home. There are workgroups thinking about what that means, what those provisions mean and how -
DR. SUAREZ: The second question is about the research center. There are two I can't understand, one created by NIST, or that will be created by NIST, the Healthcare Information Enterprise Integration Research Center, a long confusing name, Healthcare Information Enterprise Integration Research Center, mostly a testing facility approach, correct?
MR. SCANLON: Yes.
DR. SUAREZ: The other one is Health Information Technology Research Center located or created by HHS, and then the corresponding regional research centers, the extension center, regional extension center is what they call it. Those last two, the Health Information Technology Research Center and the Health Information Technology Regional Extension Center, is that also or has that been – broadly - Secretary Shaw(?), so is that an activity that will be headed? I know that probably hasn't been decided, but is it going to be headed by ONC, is it going to be headed by another group within HHS?
MR. SCANLON: The NIST statute is very clear. NIST gets, and this relates to the committees on the Hill, NIST gets $20 million. We will be providing $20 million under an agreement of what they're to do, and it's in consultation with HHS, for some of that work, for the testing and so on, and possibly for some of the other work as well.
We're sorting that out now, Walter, so what part is of the extension centers and overall research centers, we're still sorting that out. But within HHS, again, I think ONC is where the $2 billion is placed in ONC, and basically they'll get a lot of advice. A lot of folks are working this through in terms of what's the best thinking and how do you do this.
We have grant programs, we have contracting, we have research grants, assistance grants, and so on, and the likelihood is we would use those systems to carry this out. We would not be creating entirely new processes and procedures, particularly if we want to get the money out fairly quickly. But, again, we're in the middle of sorting this out now. We are literally going through all of those provisions, some of them are not clear, as you know, you could interpret them in different ways, but all I can describe is the process, it's all being sorted out.
MR. REYNOLDS: I'm going to hold you at two for right now, because I have four more people, okay, so I want to make sure everybody gets a chance. We have Mark, and he gives his time to Paul.
DR. TANG: As you mentioned, Jim, this is an unprecedented and I think a welcome investment in the HIT part that we've talked about for a long time. And I think now it's possible for the community to live up to the responsibility and the challenge to find a way to, as you say, do good and be transformative. I think we have to be very deliberate about that.
Can I ask a couple of questions? They may be more detailed, but it's sort of figuring out where the levers are, and it has to do with the incentives. One is the progressive or the incentive, these are presumably that's to Medicare providers, and I'm guessing there's some threshold of what patient population is covered by Medicare and Medicaid, and I don't know how much detail there is about that right now.
The other is in releases in media the ranges specified is 44,000 to 64,000. I can easily find a 44,000 in the 18 to 12, etcetera, I can't find the other 20,000, and I'm wondering whether those are adding up 2 percent here and that kind of thing. So just a little clarity, if that's available.
MR. SCANLON: I'll defer, Karen probably knows the details. Again, there are sections in that title of the Act that it is for Medicare, number one, hospital providers, and then I guess the professional providers, and then there's a Medicaid section. Then, again, the figures are in the statute.
Karen, I don't know that we have other figures. We will be using those in the statute in terms of what the formula is.
MS. TRUDEL: Right. And the formulas aren't a flat amount. In many cases there are upper limits, and in some cases, like for instance with hospitals, the hospital can receive both Medicare and Medicaid incentives where the professionals have to select one or the other.
There is an awful lot of detail that is still up in the air, and it's those details will have a significant impact on the formulas and the amounts and how the money is distributed.
MR. SCANLON: Remember now, these incentives take in 2011, obviously you don't wait until then if there's not a lot of preparation -
MS. TRUDEL: We would be really clear for professionals, it's calendar year 2011, for hospitals it's fiscal year 11, which begins in 2010. There's even less time than we think.
MR. SCANLON: That's what I think, it's downstream in a sense, the Medicare and Medicaid incentive, it's downstream compared to the $2 billion immediate, but it's not that far.
DR. TANG: One clarification on the 2011, it sounded like the incentives would be paid in 2011, presumably then that's about your efforts and accomplishments in 2010. If that's true then, wow, it's right around the corner. But maybe clarification on that?
MS. TRUDEL: Again, these issues are very much up in the air. The way the statute is written it is for those years. Then the question is how quickly do we compute the incentives, do we do it at the end of the year, do we do it periodically through the year, exactly how that works is going to be critical.
MR. SCANLON: That is left to us in terms of regulations, and we'll figure it out, don't worry. But I think it's not that much time, I think the main point is you need some of the developmental work. The interesting thing is though that the assumption for the incentives, I think to some extent, is the first title of the Act, which is the process and the standards, the standards are adopted, systems are qualified or certified and so on, so there is theoretically this timeline, but actually it all happens together unfortunately.
MR. REYNOLDS: Is that both your questions? Okay. So we got Larry, Carol, and Mark, and that is going to shut it down. I want to give Karen time. Again, intermittently throughout this we're going to have plenty of discussion.
DR. HORNBROOK: Harry, can I have a clarification on Paul's?
MR. REYNOLDS: Yes, go ahead.
DR. HORNBROOK: I talked to our lobbyist and the interesting thing is that they have in the bill there are provisions of course for systems and have already purchased HIT -
MR. REYNOLDS: Say that one more time?
DR. HORNBROOK: There are incentive payments for systems that have already converted to EMRs. So Kaiser spent $5 billion, they're still going to get incentive payments. There is a way to get Medicare incentive payments through risk contracting programs. So if you're a risk contractor and you already have an EMR you will also collect bonus payments through your ACE ECC(?) payments. The incentive is covering both fee for service and capitated systems, and it rewards people who have already purchased health information systems because they will get them certified and then qualify for the bonus, which is capped, and then the systems that are still not on will have to buy a qualified system and then submit that in their billing, and it will come across as a fixed payment for their bill.
MR. SCANLON: As Karen and I have said, all of this will be made clear.
MR. REYNOLDS: Let it be known that the Committee will get much closer to HHS and - the lobbyist, no matter who they are. Larry and then Carol.
DR. GREEN: It is interesting to me how the Committee is rapidly gravitating in unison towards acceleration of our vision of getting the country national information network. Virtually all of our questions are unified around that theme. Mark's last comment was really about capitalization in this regulatory environment. These issues that Medicare has to deal with, if there's not – it's not going to happen for a big bulk of the system, and we know this.
Our interest here as NCVHS is quite clear, it seems to me, and we're looking for the enablers to move this forward.
One thing that no one has asked about, Jim, that I wish you could say more about, is even with privacy help, even with the hardware and software, even with the standards adoption, widespread adoption is a pretty huge barrier that we've learned a lot about over the last couple of years, and you mentioned something like the cooperative extension agency. A few questions, where in the budget did that money land, whose office, or where is that located? And is there any read on what part of HHS is going to be accountable for that?
MR. SCANLON: Again, I don't think I have a definitive answer. The money will start off in ONC, I mean that's where the money is being placed administratively. And this needs to be sorted out. This concept, as you remember, goes way back, the idea of why is there not a locally based service of providing technical assistance and advice to the healthcare community at a local level. Much like the idea is sort of the USDA extension service. I'm not personally sure that's the analogy I would have looked for, but at any rate, we understand the idea. It is having that capacity in the market area, the local area, where the boots hit the ground. So we'll be working that through. That along with the Health Information Exchange Fund, as well as the money that goes to NIST, we're sorting out what that looks like exactly, where is the base, you know, where is the unit that extension service actually resides locally. The USDA is sort of university-based, as you know, extension service, and that's why many of the state universities have them and then counties have it as well in rural counties. So I'm not sure that was exactly the model, but that was the notion I think. And we will have to think how would you do that in health, so just think that through.
Clearly we'll work with other agencies, but the funding will be, the $2 billion, that will come out of the $2 billion, and it's here in HHS, and it's on the ONC line. There are a lot of folks who are from virtually every agency and staff office in HHS are working through how this works. These will be secretarial level decisions ultimately about how do we want to spend it, does that make sense. So it will be kind of collective decision making in terms of what does this process look like.
We'll have more details later, but we're only at the stage now where we're taking each of those provisions and figuring out how it would work.
MR. REYNOLDS: Carol, last question.
MS. MCCALL: First a comment, then a question. A comment for you. This is just moving so fast. I'm hoping that you can stay on for the full eight seconds, so good luck with that.
Your comment about - and then I think we will do well to heed both don't do things unless a client asks for it, and also do a lot of listening, but for us I think it's going to be pay attention to what we need to focus on to add the most value.
My question for you, Jim, are there any specific monies for what we'll call the Health Statistics Enterprise for the 21st Century? The reason that I ask is that I think there's always an assumption that in the science and technology world what we need is a technology, and that everything else takes care of itself, when the data is there and it flows. And I know this not to be the case, and it's going to become extreme.
I think one of the things I would add to the list is to look for discussion around the health statistics enterprise, and it's a 21st century one, which will be even different than our vision for it in the 20th century, then the computational science and all of that. So is there any money there, is there any discussion there specifically around that?
MR. SCANLON: I agree with you, Carol. I think health statistics for the 21st century is a lot different. I mean it builds upon, but it's a lot different, and it's not an agency so much – it is an agency, there is an infrastructure, but it's more than that.
If I remember, there is no mention specifically for health statistics. It's implied in a number of cases. You couldn't do these other things without having it. The way we're approaching it, and I don't have this, it will come out, but the folks who are looking at the various provisions, and to some extent this fits in with the comparative effectiveness and the Prevention and Wellness Fund, particularly, not so much the health IT, you could see where the interface would be, folks are looking there for opportunities for activities there that would support health statistics methodology for how you actually use the data from large databases, claims databases, electronic health records, and of course the Foundation for Health Statistics as well. But, again, that's very early planning across it.
There is nothing specific that I could see on the bill that deals with that specifically. It is implied, I think. And, again, remember, these bills are written as the Kaiser lobbyist and others come in, and they help write this bill. It's written at a fairly high level and in many cases the provisions are there so that you know how you would fit in. Actually getting this done is another matter, and that's what we're here about, that's how the Committee has helped in the past. A lot of the work of this Committee, a lot of the work of our agencies, can be seen, can be recognized in this bill.
So, again, we'll have to figure out how, the Prevention and Wellness Fund, for example, is that it's written at a fairly, other than a couple of earmarks, it's at a fairly high level about how you do this. That is the process for how these proposals would be entertained.
MR. REYNOLDS: To play off that, I wish now we had some of the thought leaders that we had for the Standards Subcommittee yesterday, maybe even be part of today, because I think exactly what you just said, Carol, came out loud and clear even in the futuristic look at standards. This whole idea of adoption in communication and the value-based, and what are the outcomes, and so I'd say probably 30 to 40 percent of the discussion kept moving back there, not just the exact standard that would happen, because the standard's a record, the standard is a format. So it was a wonderful discussion both from a thought leader standpoint and then from how do we roll this out, how does this happen faster now, so I think that was great. Your point is absolutely on.
I think the thing that was exciting to me is that it's also now showing up in the other discussions that were more specific discussions in the past. If you talk about a HIPAA claim you talk about the HIPAA claim, you didn't talk about the ecosystem around it. I think yesterday what we heard with the new standards and the things that are going on, discussing the whole ecosystem that's going to have to be in place to make all this go, was a dramatically different discussion. Again, I would echo that I think Jeff and Judy put together a great group to come in and discuss that. The thought leaders up front kicked that off, and then we happened to – so Don Detmer and Carol Diamond were up near the front, and then Bill Stead was near the end. So we kind of had what we called bookends, we kind of had bookends of future thinking, and then we went into the HITSPs and some of the other stuff in the middle then some of the standards. All in all it was a good discussion about how this was going to ebb and flow, not just make a standard and then as you said you buy a system and everything works great. I think a lot of that was discussed at great length yesterday, and was very helpful to those of us that were involved, and we need to get a lot of those notes and data out to everybody, I think would be very, very helpful.
MR. SCANLON: If there are no more questions, I would just end with looking forward to Friday, the Populations Subcommittee will be holding a panel on looking at our capacity for modeling for health policy data, health policy analysis data, relates some to this point as well. I think we're getting virtually all of the modelers within HHS and the private side, and what the capacities are where our strengths lay, and where some of the gaps are in looking forward for the future. Internally we've been doing that in the Data Council as well, we've been gearing up for health policy in terms of where our data and statistics capacities stand, our modeling our actuarial support, our policy research, our capacity, so we're already well into that and we'll look forward to the Subcommittee's recommendation. We've invited a lot of folks to come to the discussion, and many of these folks have already – many of these models have already been used in health policy impact analyses, so the Department is certainly looking forward to seeing the results of that as well.
MR. REYNOLDS: Okay, Karen, in our goal today of continuing to show you new and fast things of things that have gone on.
MS. TRUDEL: I can take a hint.
MR. REYNOLDS: No, I said you're handling things very quickly, I didn't say you have to speak any faster.
MS. TRUDEL: Okay, thank you. I'll start out by talking about e-prescribing. And I'll apologize in advance, because for some of you who were appearing yesterday, some of this was covered by Doug Bell's testimony.
But we are working on a pilot right now to test two of the three remaining three standards that were identified as part of the original suite, but where the standards were not ready for primetime after the last round of pilot tests. We are looking at RxNorm terminology, which is the description of the drug at the clinician's level, and the structured and codified sig, which actually structures the blank section of the prescription form where the physician writes in his instructions, take two as needed for pain, take one every twelve hours, whatever.
And we are working with Rand, and they have pulled together a consortium to – both lab tests and real life test, both of the standards. We're making good progress there.
The electronic prior authorization, which was the last of the group of standards, we've done some additional work on the prior authorization, and have looked at the original standard that was put forward, which was seen in the pilot test to be in need of significant restructuring. We have come to the conclusion after some research that we've done in partnership with AHRQ, that we need to start over again and begin to look for another standard to develop a standard that will actually do this work. So we are beginning to have some discussions with AHRQ and others to find out how to sponsor some of this work.
We are also working with the DEA. They are working on responding to the comments they received on their proposed rule about e-prescribing for controlled substances. Received a great deal of very, very useful comments from industry in terms of what was needed, in terms of what would work, what wouldn't work, safeguards that were already in place that could contribute to improved capabilities around controlled substances. And we're working in concert with DEA and the Office of the National Coordinator and others in HHS to help them step through those comments and try to develop responsive and potentially alternative solutions in the final rule that can maintain what they need in terms of control, and also be workable and scalable in the industry as a whole.
Moving on to personal health records. We've been doing a lot of work in that area and it is very exciting. The personal health record project we have that is piloting in South Carolina, which is called MyPHRSC, is approaching the completion of its first year of operation. We have 4,000 registered users, which is quite a bit more than my mental number for success. We're finding that the users are very engaged, they're very excited about it, and we're actually hearing input from folks who are not residents of South Carolina, or are in managed care plans, or are outside the area where we've been targeting with our outreach efforts saying we'd like to have this too.
We just in January added a partnership with TRICARE, the ability for a TRICARE beneficiary to load their active net from the TRICARE file into their PHR along with their claims data from Medicare. So we now have Part A and B claims and active meds for the TRICARE beneficiaries. We're starting to hear a lot of interest from folks about that.
We also in January rolled out a new PHR pilot called PHR Choice. It's in the states of Arizona and Utah. And it differs from my MyPHRSC in that instead of contracting with one PHR vendor we basically pre-qualified four PHR vendors, and our Medicare administrative contractor in the states of Arizona and Utah are providing the Part A and B claims data to those vendors based on which ones the beneficiaries select. So the fee for service beneficiaries in those states have the ability to select either NoMoreClipboard, Passport MD, Healthtrio, and Google Health. Those four PHRs were pre-qualified, as I said. Some of them charge a nominal fee, some of them don't, they all have different capabilities, but we're giving the beneficiaries the ability to select which capabilities work for them, and that will give us a basically whole new perspective on this notion. Since we rolled it out in January we have 700 registrants.
Then I move onto HIPAA.
MS. MCCALL: Quick question on that. If I choose one of them and I don't like it, is one of the qualifications that you insist the vendors allow portability from one of them to the other?
MS. TRUDEL: We did not require portability. But what we can do is if the beneficiary wishes to cease their association with one vendor and start up with another, we will just reload the data with the new vendor.
MS. MCCALL: So they can get a do-over?
MS. TRUDEL: Exactly, they can get a do-over. However, some of the capabilities on these PHRs are that you can enter your own data, and if that happens then that's –
MS. MCCALL: I understand.
MR. REYNOLDS: Is this a clarifying question?
DR. OVERHAGE: Just a quick fact. You mentioned some adoption figures. Of the 7,000 in the Carolina work, how many beneficiaries were offered the opportunity to participate in this, and same for the western states effort? In other words, the -
MS. TRUDEL: It is 4,000 in North Carolina.
DR. OVERHAGE: Right. But how many were offered the opportunity to participate?
MS. TRUDEL: They can't, they –
DR. OVERHAGE: How many people, of the 4,000 how many who knew about it and had the option to participate?
MS. TRUDEL: Oh, oh. All Medicare and fee for service in South Carolina, and I'm sorry, I don't have that number off the top of my head.
DR. OVERHAGE: The ballpark?
MS. TRUDEL: It's a lot.
MR. SCANLON: Susan in our office has the evaluation.
MS. KANAAN: 100,000 in the seven counties.
MS. TRUDEL: 100,000 in the seven counties in which we concentrated our outreach, and that is where most of the beneficiary who enrolled are. Thanks, Susie.
DR. OVERHAGE: So, 4 percent adoption, something like that?
MS. TRUDEL: Uh-huh.
MR. SCANLON: I might just add that ASPE is working with Karen's office on the evaluation of the South Carolina pilot. So we are looking at functionality, preferences, usage, and so on. It's amazing what you learn when you actually provide these services. We're working with Karen's office on the western PHR choice project as well, on the evaluation. We'll try to learn something from all of these. We like to learn something from all.
MR. REYNOLDS: Leslie.
DR. FRANCIS: This is actually a follow-up on the question about the pickup rate. Are you talking to people who didn't register to find out why?
MS. TRUDEL: Susie says yes.
MR. REYNOLDS: Okay, Karen.
MS. TRUDEL: I would offer if the Committee is interested in more information about the evaluation metrics, my office can partner with Jim's and we can develop a short one-pager and just send it out to the members.
MR. REYNOLDS: I think it would be helpful, because just taking Carol's comment earlier, and some of the things we heard yesterday, that whole socialization and whole communication and whole structure around it and the results are more important than just the facts. That would be great.
MS. TRUDEL: Let me move on to HIPAA then. Although many other things have eclipsed this accomplishment, in January we did publish the final rules adopting the ICD-10 and the new 5010 transactions. The amount of depth of analysis in terms of the industry comments we received was quite extensive. It was a very interesting process balancing and weighing the different perspectives from all different parts of the spectrum. I would say that a large, large number of the commentors did references the NCVHS recommendations to bolster the positions that they were bringing forth. So those recommendations were widely read and carefully considered.
We did in the final rule significantly change the timetable to move the 5010 transactions from April of 2010 to January of 2012, and the ICD-10 implementation dates from October 2011 to October 2013. We have gotten a certain amount of feedback in the industry that points that people think that that's a lot more workable. It may not be what everyone wanted, but we are beginning to see a coalescence around those dates and a willingness to roll up sleeves and begin to work towards them.
The other thing I would mention though is that those regulations, because those effective dates will have not yet occurred, are subject to the regulatory review for the administration, and that discussion is still under review.
Let me move onto the Recovery Act. I think Jim said almost everything that -
MR. REYNOLDS: Wait a minute. Justine has a follow-up.
DR. CARR: Two questions. One is, do we have an estimate of what it will cost to implement ICD-10? Also, do we have a sense of when ICD-11 is coming in and how that integration will happen?
MS. GREENBERG: You take the first part and I'll take the second part.
MS. TRUDEL: I can even do part of the second part.
There were a few comments about why don't we wait until ICD-11. And when we went back and basically projected an entire timeline for ICD-11, when you went through the World Health Organization version, which is not really close at this point, and then you look at the time it takes to do an American clinical modification, then any testing implementation regulations you get out towards 2020. So that was not because of that reason. When you look at the whole timeline, not really a viable option considering the fact that we're running out of – very soon.
In terms of the cost, I'm sorry, I should have that number right on the top of my head, but I don't. It is in the final rule. There is an extensive impact analysis that is re-published in the final rule, and it basically explains all of our alternatives and assumptions in terms of the cost benefit.
DR. CARR: Will there be any money for infrastructure for that implementation?
MS. TRUDEL: Again, the HIPAA statute is not written with appropriations attached to it. So in terms of implementation, covered entities need to work this into existing activities upgrades, whatever. And are you asking if it's in some ways an unfunded mandate? Yes, it is.
MS. GREENBERG: You did a great job. I'll just add one or two things. One is that as people are developing electronic health records, I think it's very helpful for them to know that the country's moving to ICD-10 code sets, because a big part of what needs to be done obviously is making sure that those – the timing actually turns out to be quite nice, for 2013 and 2014. So I think the funding for electronic health records could certainly facilitate the whole mapping issues with SNOMED and other things. Although I agree completely with what Karen said, but I don't think that should be ignored, because they really need to work together.
And the other thing is that what she said about the timeline for ICD-11 is completely true. But what I can tell you, that there are now more than a dozen I think technical advisory groups working on the different chapters or the different components of ICD-11, and many of them are starting with ICD-10CM and the other clinical modifications, which also have been considerably informed by ICD-10CM, even though we haven't adopted it.
I think that our goal is to have a much more seamless transition from 10CM to 11 when that happens, because 11 will be greatly informed by the enhancements that we've already made. But I encourage the Committee to continue to stay engaged on that.
MR. REYNOLDS: And I spoke to Tony Trenkle last night, and we will need to probably in the third quarter start taking a hard look at this and maybe even frame it around the thought of how do we make ICD-10 some kind of a strategic advantage.
And a lot of the seminars and everything that you'll see coming out this year, because a lot of us are on the planning of it, are trying to focus on that. How can we all not make this just another conversion? So trying to make people come to the table and talk about what things could come out of this. Information is going to be one of them, so back to your earlier comment.
Carol, you had a comment.
MS. MCCALL: I agree 110 percent about how to make it a strategic advantage. My question to both Karen and maybe to Jim, have there been any discussions about creating an incentive around early adoption, not about adoption at all like health IT. But, as we all know, there are so many things in the ecosystem to make all these things valuable, there's externalities, standards are one, and there's a discontinuity between ICD-9 and 10, 9 to 10 is big; 10 to 11 hopefully is smaller. Has anybody talked about having some sort of incentive that falls off and becomes a penalty? And maybe their incentives maybe not for – and that would be for early adoption. Or maybe an incentive to novel use or different uses that actually has value that – I'm just so painfully aware that there are incentives for the adoption of health IT, but there's nothing that's going to make me want to do it at all, let alone early, for things that are absolutely vital to actually put through the pipe.
MR. REYNOLDS: Paul, do you have a comment on this?
DR. TANG: Maybe to pickup on your making it a strategic advantage. May I open another question, which is from an EHR point of few, or a clinical concept point of view, could we consider looking at SNOMED or discuss the use of SNOMED in the EHRs of the future? It clearly will have a map that's built in the ISDO to ICD-10. So we would not be implementing billing or classification terminology set, we would in fact be implementing a concept terminology, which is appropriate for an EHR, so thinking strategically.
MR. REYNOLDS: And, again, playing off of yesterday, SNOMED and other things were mentioned yesterday, and as people look at EHRs, using your point, if people look at EHRs and then making sure that that's part of what's going to come out of part of EHRs.
MS. MCCALL: As a follow-on. I'll confess, I was not thinking about clinicians or SNOMED. I was thinking about all the other covered entities where this is an unfunded mandate, and why do I want to pay now, and thinking about health plans. Have there been any discussions around creating an incentive for early adoption? It's simple, have there been any discussions around that?
MR. SCANLON: I'm not aware of any, but Medicaid programs for changes like this that are systems related, health IT related, I think it's a 9010 match, if I'm not mistaken, for everyone else. I have not heard of any incentive for -
MS. GREENBERG: I do want to comment on the issue of early adoption. I mean, the thing is there is a date certain, and because the DRGs, everything, will be based on the new code sets I don't think there's really a desire to have people – I mean adopt early or at different times. I mean certainly encourage people to be starting early, but to have some on ICD-9CM and some on 10CM and some on 10PCS, I mean it could be a nightmare. It's not what the rule calls for, and I don't think the community supported that either. I think the main thing is not to delay it beyond when it is.
What you mentioned about the SNOMED, the thing is it will still be an imperfect mapping because that's what it is, but the goal, as you know, for ICD-11 is to have it be much more seamless in that regard too, because there will be a terminological underpinning to ICD-11. I know yesterday there was some talk about the SNOMED coming up with the core sets in a sense, as opposed to the whole thing. There you could actually make changes in 10CM and SNOMED to make them work better together.
But I really think that this is, you know, everyone's been talking SNOMED and now there is real money, and I think this is going to be a huge challenge.
DR. TANG: Can I tie these ideas together? We are basically putting forward an incentive to implement early, as we said, 2011 or 10 is around the corner.
The proposal is to try to move up and to reward those people who do adopt earlyish. The logical choice in terms of a terminology would be SNOMED for the clinicians. And because there is a built-in both a mapping and a transition to ICD-10 and 11, if you were to adopt SNOMED as part of your EHR it seems that would be the most strategic roadmap to get from here, early adoption accurate coding of clinical concepts, to the future classification scheme.
MS. GREENBERG: There is a mapping that we're doing in the U.S. to 9CMs between SNOMEDs.
DR. TANG: Well, just the transition.
MS. GREENBERG: That's a work in progress with the National Library of Medicine. But I think all of this is worth exploration.
MR. REYNOLDS: I've listed this as some for further discussion later in the day, too. I got Bill, I got Larry.
MS. TRUDEL: And I'm not done yet.
MR. REYNOLDS: I noticed you're not. Judy, I'm still working across. I got you, you're in the official one, the rest are jumping in.
MS. TRUDEL: You know, if I could finish it might tie some things together. Because the last thing I was going to talk about was the Recovery Act.
I think Jim covered the high spots very ably. We are looking in particular of course at the incentives where eligible professionals and for hospitals, both on the Medicare and the Medicaid perspective. There are some very interesting issues that we're going to have to tackle, for instance, what “meaningful use” means, how we are going to compute and distribute and audit these large amounts of funds, how we're going to be able to report back on what kind of progress we're making, how to make sure we have metrics to express our success or lack thereof, and progress.
One of the other things I think it's important to point out is that there are – I'm not considering the incentives as a one-time shot. They start in 2011, but it was very clear that Congress intended us to raise the bar over time in terms of meaningful use, and that the EHR landscape, the products capabilities in certification terms in 2011 will not necessarily be where we ultimately want to go. They were very clear about raising the bar over time and redesigning meaningful use, and redefining what a certified EHR is. I think we have to think about opportunities similar to the one that Paul mentioned, and link up with things like ICD-10, because people that we talked to yesterday about the Recovery Act and standards all said the HR adoption and incentives this is all happening at the same time as ICD-10, and the point I think they were trying to make is limited resources. But I would flip it around and say possibilities for synergy over time.
MR. REYNOLDS: Is that it?
MS. TRUDEL: That's it.
MR. REYNOLDS: I've got Judy first, Walter and Bill and Larry.
DR. WARREN: What I wanted to comment was back in the e-prescribing pilot, and it really kind of wraps up with the Recovery Act.
One of the phenomenal things that Dr. Bell reported yesterday in the pilots about e-prescribing is that as they began to find difficulty in the standards in implementing those, they immediately reported back to the standards development organization that developed the standard and gave feedback as to the testing that they did. As a result, those organization immediately went to the standard and changed it where it worked within the pilot. Again and again, what we heard when Harry said earlier about the ecosystem of standards development, this is what we're talking about, because that feedback loop has not really been around before.
So I think that as we start looking at incentives and grants and stuff like that, one of the things HHS looks at is whether or not people who are writing these grants have that feedback loop to feed back into really creating the standards. We are really coming into a really exciting time.
The other thing that was about that was this whole notion of as we worked on our standards, and so you looked at HIPAA and looked at e-prescribing, a lot of the work was really focused on the standard itself and IT, and we were really kind of pushed, enlightened, I'm not sure exactly what the adjectives are, to also think about communications standards. Again, looking at the context these standards are operating in, and start using that to really take a look at them.
So I think we're kind of coming into a whole new way of us thinking about standards that this Stimulus package is really going to support. But that was one piece that really kind of excited me that I think we really need to look at a lot more.
MR. REYNOLDS: Walter.
DR. SUAREZ: With respect to the comments on ICD-10, I think that one of the preconditions to allow the ICD-10 is to go to 5010 first. Then as much as we want to talk about how to integrate ICD-10 EHRs by doing the priority for the industry is to go first to 5010 and adopt 5010, without ICD-10 - is not going to happen.
I wanted to highlight and point that out because I think the critical path is really to start with 5010. I think it's interesting going into the EHRs, and then just integrate the financial aspect of healthcare into the EHR is going to be a much larger and longer term interest. I mean 2014 is the goal to get most of the electronic health records out there.
One of my questions to Karen was about the other HIPAA regulations. Do you have any updates on the claim attachments and help on ID?
MS. TRUDEL: I don't right now because the change in administration the regulation agenda is being reassessed and redefined, and I don't think we've seen the new version.
DR. SUAREZ: So the final rules on claim attachments are not yet? Right now we have the proposed rules?
MS. TRUDEL: Right. The regulatory agenda, which is agreed to by the Secretary and OMB, is our marching orders in terms of what we're planning to publish within the next year. And we don't actually have a new one in place yet.
DR. SUAREZ: The other question I have is on PHRs. I don't think that there was much on the Recovery Act on PHRs. There was a lot of discussion about certified EHRs, actually certified electronic health records, not electronic health record systems. Which is a point that is creating some concern about what is it that we're exactly looking at when we talk about certified electronic health records, defining is what people informatics electronic health record systems, or software applications.
That aside, do you see or what do you see the affect of the Recovery Act will be on the PHRs, particularly in light of the pilots that are being done by Medicare? Is there going to be expectation that the incentives on EHRs would extend to PHRs or some other mechanisms to promote the adoption of PHRs?
MS. TRUDEL: Again, the way the incentives are structured, they are directed to physicians and healthcare and hospitals. So I guess to the extent that those entities have environments that contain both EHRs and PHRs there would be some synergy there.
What I think would be the largest factor though would be that the more providers you have with electronic health records the more likelihood there is that they could establish a standards based interoperable link to push clinical data into PHRs. And if you add to that the information network grant, then you establish a way to get that data from point A to point B.
I think basically it is a significant step forward in terms of -
MR. REYNOLDS: Bill, Larry, and then break.
DR. WILLIAM SCANLON: This is a comment. It's about what I think what expectations we should be having. As far as the idea of the ICD-10 being an unfunded mandate, and I'm not sure technically whether it is an unfunded mandate, because participation sort of in the public program is all voluntary. So anything we have asked of providers and plans is in prior circumstances I think is regarded as not an unfunded mandate.
I think this goes more broadly, particularly this week, since we have had this White House summit on how do we deal with this spending over time, and if the simple projection of health spending is that it's going to reach more than 100 percent of GDP, we have an issue here. Then we'll be healthy, right.
So there's this question of how do we go forward, and what can we ask of participants in the health sector, and I think the answer at least on some parts is we can ask a lot, because the revenues in this sector has been significant enough that it's not unreasonable to say do more. You know, the $20 billion going into health IT is one way to get to the objectives that we've had in mind for a long time. There is another camp that had a similar objective that said all we should be doing is saying you can't participate unless you do this. You can make it happen out of the revenues you already have. That was not an unreasonable position either. We've now made a decision, but the issue is as we think in the future about how we're going to turn this into our advantage, let's not be timid about what we're asking for.
MR. REYNOLDS: Larry. I know there's other people that might want questions later. We have some time for discussion. I have to keep in mind the other speakers. We got people that have tight schedules, so I need to defer to them and not just us.
Okay, Paul has to make a statement.
DR. TANG: Well, Walter asked about PHR in the Recovery Act. There is one piece of it that could pertain to NCVHS. That is the Secretary must make a report within eighteen months about the need or lack of need for additional privacy statements and regulations about concerning PHRs. So the Privacy and Security Subcommittee could take that on to participate in that.
MR. REYNOLDS: Okay. With that we'll take a break. Be back at 10:50, 15 minutes, and we're going to start promptly at 10:50.
(Break)
MR. REYNOLDS: We're going to move onto our next presenter. We are welcoming back Laura Miller, who is going to give us an update on the eHealth Collaborative.
Laura, thank you very much for joining us, and we're sorry for the little bit of delay, but the richness of the discussion was hard to cut off. Please continue, and thank you.
National eHealth Collaborative Update
MS. MILLER: Good morning, everybody, and good morning to those online. It's a pleasure to be back here again, and to be back here with the new name, which is the National eHealth Collaborative.
I was interested in the early morning discussion. Obviously there is a lot going on, and I'm impressed with how quickly HHS is moving things along in a period of some uncertainty. We have had the mandate from our President and from the administration, and the National eHealth Collaborative is certainly ready and willing to help with that mandate.
This is a reminder of our mission, that we are an independent, trusted, and collaborative public private organization. I note that the term public private has come up more frequently in the last few days, we maybe we have some additional cache around that phrase.
We were created to accelerate the momentum and progress being made with the implementation and effective use of health IT. We are a voluntary consensus standards body, and are charged with bringing together across the healthcare industry consumers, professionals, the public health community, government and industry, to establish in a transparent way the priorities for moving forward and to leverage the knowledge and resources of the private sector while collaborating with the government.
As I said, we are trying to focus that expertise and resources in prioritizing and addressing needs, and at the same time assuring that the solutions are sensible and that they can be integrated across the healthcare enterprise.
We are a membership organization, and these are just some of our current members. We actually started accepting membership applications only a few weeks, and we are pleased with the interest and the involvement of a number of our partners. If you are interested in that possibility, I would encourage you to visit our website, which is www.nationalehealth.org.
Our organization is in terms of three committees, and I'm laying them out here for you and for those online. We have a policy committee, and this is not intended to be policy in the sense of government policy, but maybe with a small ‘p' which addresses overarching obstacles to adoption and implementation, and that promotes health information policies and technical approaches.
The policy committee is chaired by Lori Evans from New York, with vice-chairs of Lisa Simpson from Cincinnati and Jody Daniel from the Office of the National Coordinator. We also have a mission development committee, which monitors the impact of health IT adoption. It's to take a strategic view of the requirements for health information exchange, and is charged with continuing the work that was begun and wasn't yet completed by the American Health Information community. The chair of that committee is Charles Kennedy from – Point, and vice-chaired by Debbie Summers.
Then lastly, the value cases steering committee, which is charged with identifying strategies to increase interoperability by prioritizing what are submitted from stakeholders as value cases, and chairing that committee is Paul Tang, who is on your advisory committee, and I think will be adding some comments after, and co-chaired or vice-chaired by John Glasser from Partners Health.
What we call the national interoperability prioritization process is an opportunity for stakeholders to collaborate together to submit value cases that would increase interoperability and basically prioritize their own needs, and submit them for national action. In the process we would emphasize the value of each of the proposed set of interoperability initiatives in our review of it.
There can be various types of value cases. A lot of your discussion yesterday was on standards. In our organization, as we've talked about it, we've identified that there are many barriers to implementation that go beyond the focus on standards per se. So value case types can go beyond standards harmonization to other elements, to model processes, to best practices such as how to incorporate e-prescribing and provide a workflow, and to frameworks which could include the service oriented architecture based model for an HIE.
This slide is a walk-through of the process. I'm not going to read through all the individual steps. I just want to comment on three elements. First of all, there would be a letter of intent element to the submission of a value case in order that the National eHealth Collaborative and staff could support the thinking and perhaps involve other who might have an interest to collaborate in that specific value case.
Secondly, there would be a solicitation for public input in order to help understand other parties, comments, and interests about the value of the particular proposal.
Third, there would be due diligence subcommittees who would be convened to evaluate once the full proposal is submitted. Those would be people who have subject matter expertise in the area who can use criteria that have been developed to determine whether the proposed value case should go forward as a priority.
The due diligence criteria would address both the value overall, what is the value proposition for the health community, what problems does the proposal solve? It would include feasibility criteria, can the submitting organization or organizations complete the proposed initiative? Then finally, what are the business criteria, can the health industry readily implement and absorb the successfully executed value case?
We have developed a template for what a value case proposal should include. As you might expect, executive summary requirements justification, the value and impact, how it would impact the health information exchange scenario, the technology assessment if that's relevant, stakeholder committee, and industry adoption readiness.
Let me pause there and say since we are fortunate to have Dr. Tang on our AHIC Board, and as the chair of the value case steering committee, and see if Paul wants to add any comments before I move onto another topic.
DR. TANG: Sure, thanks, Laura.
I think the value case is one of the most important propositions for this new organization, which is a public private entity. The reason is because it's, as Laura mentioned, a stakeholder initiated feet on the ground driven by clinical and business needs kind of approach. So these folks are working at this interoperability interface, and they have run into major problems. We anticipate it's not going to be mostly about standards. It is probably going to be all the other things, and Carol started talking about it, that prevent people from either adopting EHRs or sharing the data from their EHRs. Because as we all know, that is a major stumbling block for small or large organizations.
That is the problem domain we're looking to address. And what we want to do is find the people who exemplify something that's going to be generally applicable to many of these local and regional initiatives, and try to solve them as a nation, as a community. We would put out this call asking for people to come forward with a broad group of stakeholders involved in that particular effort, and either asking or proposing breakthrough strategies to get through the problems and advance something that can be used more widely throughout the country.
Where standards are involved it may go through the pathway of going through HITSP and CCHIT. Where it is policy or best practice or implementation strategies such as the extension program we've heard about, that might be something we bring in other things. We could convene meetings, convene summits, convene parties together as one of the possible, I mean we still have to work this through, what are the ways NHIC can provide value to the regional efforts.
Let me just give another couple of ideas, not that they're coming forward, but the things that NHIC might deal with as far as national priorities. One might be quality measures derived from EHRs. That is something that NQF is working on. It was working on this trying to anticipate what might be needed, and suddenly with the Recovery Act there is a real need I think.
So the three elements let's say of incentives, one is the certified EHR, and another is you have to exchange information with other people than yourselves, and the third is you have to report on quality. And the language talked about clinical quality reporting, which you could interpret as being more than administrative, more than reports based on administrative data. Most of the NQF endorsed measures, the vast majority, are all based on administrative data. What we'd like to do is skate to where the puck is and say how can we get data and make use of data from the EHR. So that might be an example of quote, “value cases.” It has to do with standards of a sort, you have to incorporate standards, but it's a new kind of standard of the kind that NQF is dealing with.
Other things could include policy frameworks, because when you work amongst organizations some of the work that Mark has done, how do you use that? That is offered to the community, but how do you take advantage of that and bootstrap your efforts in the region?
Those are sort of the things that we're thinking about as far as what are value cases that could benefit services – to be an example.
MS. MILLER: Thanks, Paul.
Moving on to another major topic that we've been dealing with, and it has to do with NHI and governance framework. I am pleased to see Jeff here, who is a member of a workgroup that we have jointly convened with ONC. NHIC has a contract with a supporting legal firm to help develop a white paper on the issue of a governance framework.
A governance framework is really essential at this point. The NHIN is evolving, and the organizational infrastructure needs to support both the emergent NHIN as well as eventually the mature NHIN. So we are trying to strike a balance between not too broad and not too narrow in terms of what the framework should look like initially. We want to primarily support the needs of the participants in the emerging and the evolving NHIN. And this is going to be an iterative process and an open process, with multiple opportunities for stakeholder involvement.
The core principle, however, is that the governance is going to need to support the needs of the participants, and it must be deployed through an open process that involves stakeholders. Consequently, we expect it will be a collaborative framework.
We also note that until the final governance decisions, which according to the new legislation ONC has the responsibility for establishing right now and continuing, ONC has the overarching responsibility to ensure appropriate governance.
So the NHIN governance framework planning workgroup, as I said, was formed jointly by NHIC and the Office of the National Coordinator. It is comprised of representatives from HIEs, the NHIC Board of Directors, from consumer organizations and not only ONC representatives but other federal representatives. It was established to build on the preliminary functions that were identified for the NHIN. And it is charged with developing what the structure would look like that would meet the needs of the operational or the, quote, unquote, “production in NHIN.” There will be a collaborative process and a public comment period.
These are the workgroup members. As you can see, they're membership from across a broad range of organizations. Most recently we've added two additional federal members, Jim Garvie from the Indian Health Service, and Henry Chao from the centers of Medicare and Medicaid. We also have involved additional consumer representatives who I think bring a unique perspective to our Board.
Our objectives are to preserve the privacy and security of all health data exchanged through the NHIN and to foster the effective use of interoperable health information, bottom line, to improve the health and well-being of all and reduce health disparities; to initiate and facilitate health IT strategies that lead to the improvement of the overall performance of healthcare and related systems; to establish trust among stakeholders, and this is a key element. And one of the reasons why it's important to have both consumers and public comment periods and opportunity for input throughout the process, because the HIEs and their participation in the NHIN requires an ongoing trust agreement. And finally, to look toward the creation of a sustainable business model for NHIN operations in governance.
We have some foundational principles. We have started with the idea that we do not know what it should look like, and so we're going to evaluate the functions. And from the functions and our understanding of how those work to come to a better understanding of the formats required to support them, we do acknowledge that it's likely to be a distributed governance process. It should include the ability for the participating HIEs to be represented, so likely it will also have representative components.
Again, because of the need for the trust element and the importance of the agreements going forward, it has to function with transparency and openness. We will need to be responsive to not only the participating HIEs and their needs, but also to the broader healthcare community and to those whose data is being transported across the national health information network. And it needs to finally be accountable, because again those who are responsible for this data occupy a position of public trust.
Here is a listing of the seven major functional areas that we envision will need to be accomplished by the NHIN governance structure.
The development of the strategic directions. Both the hands-on development for to realize its growth and to expand, but also its strategic thinking about the future.
The development of the operational infrastructure. There will need to be policies and procedures both operational and technical standards-based interface data specifications, test plans, and methods that can support the NHIN.
The development of the legal infrastructure. Right now there is the continuing development and management of the DURSA for those who are the initial participants in the first production NHIN, which is just starting up between MedVirginia and the Social Security Administration. But there will likely be other legal elements as we move forward that we'll need to support the data exchange.
Participant Management. The admission and enrollment of new NHIEs and their oversight of existing NHIEs to ensure compliance and enforce performance standards.
Next is dispute resolution. There will need to be active management of a multi-tiered dispute resolution process that can help the NHIN participants to avoid any litigation. There could very well be disputes between participating organizations. And those organizations may answer to other legal entities, state or federal, or corporate, and so we want in some ways a mechanism to ensure that we don't need to go very far down the path of a dispute before we have resolved it.
Next is the authority to engage support services for the NHIN. The NHIN itself may need to have multiple supporting entities, contractors, or other entities to assure its operational efficiency.
Lastly, managing security incidents. The prevention and management of security incidents and follow-up or oversight of any improvement or correction activities after a data breach would be something that the NHIN would have to address.
These are the seven major functional areas that have to be fleshed out for a governance structure. Under each of these are multiple specific functions. And our next steps are in the steps we've been involved in, are to take these seven areas, expand upon them with some specificity, and then begin to look at what attributes an organization would have to have in order to support these seven areas.
Our anticipated next steps. There is for the National eHealth Collaborative a group called the Interim Interagency Coordinator, which includes members from across the various federal departments and agencies. And those members and other federal representatives were asked to provide some initial feedback to the first draft of this paper, and have given us some terrific feedback that is currently being incorporated. There are special briefings for key stakeholder groups that are available.
As we continue refining the governance framework, including what the competencies will be for a governance multiple or distributed governance authorities, we will be seeking input from the NeHC Board and a public comment period before all of that comes back to the Office of the National Coordinator, presumably for review at the level of the Secretary and others in the administration.
I think John Halamka said it well, now is the time to invest, we're at the tipping point. Wise investment with accountability for use of electronic health records and incentives to achieve coordinated quality care is needed to transform healthcare in the U.S.
In working jointly to this point with HITSP and CCHIT we see a shared vision on how to move forward to build on the momentum and trust and leadership that's been established. We recognize that we're in a time of transition and change, and that there may be decisions that impact the way we envision moving forward, but right now we are one stop. Our momentum and are anticipating that we can bring some value, as Dr. Tang has talked about, with the value case, and are prepared to release the call for value cases before the end of the month likely
With that I will stop and see if there are any questions or comments. I'm glad that both staff and Paul are here in case I need help.
MR. REYNOLDS: Are you able to stay with us until noon?
MS. MILLER: Yes.
MR. REYNOLDS: What I thought I would do - Rob, you go ahead and talk, because I think the subjects are so interwoven that I'd rather hear both like we talked about earlier, and then spend some time discussing it.
With that, Dr. Kolodner, the actual National Coordinator, is going to be presenting this.
Linda, thank you, that was excellent. I'm not pushing you off, I think it's kind of hard to discuss, I mean we're likely to pull Rob into three-fourths of the questions that you got asked. It might be easier to just do it all at once.
ONC Update on the NHIN Conference
DR. KOLODNER: Good morning, it's delightful to be with you all again. And I bring regrets from Chuck Friedman who is not here, because I've asked him to help coordinate our staff as we develop and spend time on other things that are a result of the Recovery Act that we'll be talking about in just a moment. So I get to talk with you and have fun.
One thing I noticed in your material that may need updating, since I'm the National Coordinator, although as we'll see in the Bill the National Coordinator function now that it's not under Executive Order but under statute. In fact, it needs to be appointed by the Secretary, so when we have a Secretary the Secretary will then appoint a national coordinator that is now transitioning into statute.
What I would like to do is to briefly run through a few areas and then Jodi is going to also follow the areas I was going to cover, was the HITECH Act the America Recovery and Reinvestment Act – but I understand that Jim covered some of it, so I wasn't able to be here, so I'm not sure how much you'd like me to spend on that, but I can spend as much or as little as you like.
MR. REYNOLDS: It might be helpful to cover it maybe from the opinion of how you're going to approach it. I think between Karen and Jim this morning they really took us through all of the pieces. I think what would be really helpful for us is how you're going to approach it, and then obviously Linda, how your group fits in. That would probably be a good way to do it.
DR. KOLODNER: Then I was going to briefly touch on some previous business that is the acceptance of some standards that occurred, so you can see that. There was on the original agenda some request about a summary of the NIHN from December. Again, I can cover that if you'd like.
MR. REYNOLDS: I think the business of the day would be what you just previously talked about. Because I think a lot of it is the outcome of what you've been driving. Having been at the conference I think that would be good.
DR. KOLODNER: And then Jodi will catch you up to date with the privacy activity we did in December and the framework and toolkit, and also briefly touch on the privacy aspects of the Bill if Karen didn't do so already.
The Bill at a high level has really five major sections. Without drilling down too much, one essentially establishes the Office of the National Coordinator, and actually sets up the standards promotion and the policy and the standards committee, HIT policy and standards committees, and a process for accepting or adopting the standards, a new term that we'll be using, which will be by rulemaking. And we would be interested in understanding a little bit the issues of how one does rulemaking and provides the maximum flexibility for version updates and things.
There's a section that has to do with NIST. There are two parts, one is the testing that goes with the standards, the other is a grant function. There is that particular grant, plus five other grants that really give great flexibility to the Department in terms of how to roll out the funds, and this is where most of the funds will be distributed.
There is a section that has to do with infrastructure, and it's entitled Immediate Funding. Some includes some funding that may go within the Department to be able to get ready to respond or to help foster the exchange. But it mentions, for example, tele-medicine, among other things.
Then there is a section on privacy. And finally where the biggest bucks, which are in the incentives for Medicare and Medicaid, which won't get started until 2011. So those are the sections.
In terms of how we're planning on proceeding, we do have to set up two FACAs. So we have what was one FACA under AHIC now is two, one of which the policy committee has a very defined who gets to nominate the different members. And the second, the standards committee, has a distribution that's identified but not is essentially set up by the Department. Now, within that there are statements about the role of NeHC, with NeHC making certain changes, and those the Secretary then has the option to recognize the NeHC for either the policy or the standards committee, which may be some of the – that's there because now that the policy committee is kind of assigned by different people it's a little harder for the Secretary to do that, given the way the law is written.
There is need to set up very quickly, because there is also the charge to have an initial set of adopted standards by the end of the year, by December 31st. Because it's rulemaking, we did say that we could use the interim final rulemaking in order to meet that deadline, rather than the full rulemaking. There is also the statement that that can draw on the existing standards that have been promulgated before and recognized before.
What we're looking at at this point, and obviously we need to get the committees together and get advice from them, but as you know, we have a broad range of standards, and let me just go to those slides. You see here on the screen this roadmap that we had of three use cases in 2006, four use cases in 2007, six in 2008, and then there was one use case and a bunch of gaps and extensions that were submitted to HITSP that we're working on now for 2009.
The standards from the first two that fall into consumer, provider, and population channels, the ones from 2006 and 2007 have been recognized by in this case Secretary Leavitt, and the ones in 2008 were accepted as we see on these next two slides those that were updates to existing interoperability specifications that were accepted, biosurveillance, and consumer empowerment and access to clinical information via networks, emergency responder EHRs, and consumer empowerment and access to clinical information via media.
There's then a set of new interoperability specifications that map against those use case areas, medication management, personalized healthcare, consultations and transfers of care, etcetera. Given the change in process, these are then ones for us to draw on. The recognized status from before has been replaced by a different process, but these do constitute ones that we can draw from as we go forward.
In addition, there were a few specific areas that Congress said the standards had to address, both in terms of certain functions, but also specifically needed to have fields for not only gender, which we do have in the standards, but for race, ethnicity, and primary language of the patient.
Those exist in a stubbed-in form, in talking with HITSP, and knowing that there are standards sets that can be drawn on for that we believe that that's not an issue in terms of being able to get that through and in a form that can be brought forth and with enough time for vendors to be able to respond to it and include it in next year's certification cycle.
So we will be looking through the standards, getting input from the policy and standards committees as they're formed, which obviously has to happen pretty rapidly for them to guide us, then we'll have to go through the rulemaking process, or the modified rulemaking process to get those through.
Where the money is is in the five grant areas, actually six counting the NIST. The NIST grant, which we will be working closely with them, has to do with sparking innovation through and for inter-exchange or exchange of health information, and that will go out to institutions of higher learning, but also federal laboratories and other types of nonprofit on a tentative basis, and will come out of the $2 billion funding for those centers, in addition to $20 million that we'll be giving them for their testing activities.
Of the rest of them, and let me pull up here these other grants just so that we can be looking at that, actually I don't have that on the slide, I'll do a dynamic reshuffling of the agenda we were talking about.
I mentioned the immediate funding to strengthen health IT infrastructure, and basically that just allows us to use the different agencies as vehicles to invest through. We're not intending to set up a whole grants office in ONC, given that there are very good grants offices that do similar types of grants that match these. In other agencies we'll work hand in hand and pass money through them, staff them up as they need to handle it, and then have a smaller grants office that looks at accountability and the reporting that will in the office, but will go out I would expect through agencies such as HRSA and AHRQ, and maybe CDC or others for that.
This is one section that gives a little broader perspective in terms of what we can use the funds for, and the way the bill was written. The few billion dollars are specifically for what's written in the Bill, so if it says for the HITECH Act then that describes the authorization section. Here they do broaden it and talk about the HIT architecture training and dissemination of information on best practices to integrate IT and other types of interoperability of clinical data repositories, registries and other things. So they paint a broad field which gives us some of the flexibility that we need as well, to make sure that the rest of the money that's spent really has its full impact, that we don't have pieces that lack that last 5 or 10 percent that will allow us to pull it together.
There is set of grants, or one of the grant sections, that's basically setting up a regional extension center, a parental center above the rest, and then regional extensions that is modeled after the agricultural extension centers that really help farmers. In this case it's really providing the support and training, the installation, guidance, to the frontline commissions and providers, in a way that is meant to speed up if there's an improved technology or improved solution or improved process that it's meant to rapidly disseminate that out, rather than the fusion of that which often takes years. The number of those, the structure of those, are yet to be determined. And part of that is also to foster innovation, so there's a research center looking for new innovative ways of helping to get adoption.
There are state grants that are for the exchange of health information. You might think of it as support for HIV and RIOs, but the question there is are there also other models that we should be looking at over parts of the country where more of an ISP type, a health ISP, may be adequate and at a lower cost. Those are things that I think we need Steve to still explore.
The grants themselves, community plan grants or implementation grants, and they go to either states or to what are called Qualified State Designated Entities, so many of the state level health information exchanges are those types of entities.
There is a required match with nonfederal participants starting in 2011. There are certain restrictions or qualifications, that is that the strategic plans that those entities submit need to be pursued in the public interest. These are not for-profit entities. And that what they propose needs to be consistent with the strategic plan developed by the National Coordinator.
Let me stop there for just a second. As you know, last June we did release a copy of a federally coordinated strategic plan. I think one of the questions early on during the election and even in December and early January, was what's going to happen to all this effort. Certainly lots in the press, but was it going to be set aside and start over, was it going to be built upon. I think the answer from the Bill is clearly that it's being built upon and moved forward, accelerated even more with both the availability incentives and resources. So the strategic plan itself is explicitly referenced, and the National Coordinator is told to update that, so we'll be doing that.
Back to the grants then. We have a third grant type, and that is for states and Indian Tribes. These are competitive grants, but they're really just setup loan programs, revolving loan programs, that facilitate widespread adoption of the certified EHR technologies. In talking to a couple of the states, one of the problems is that since it requires state matching, unless they match it with state funds doing this in the state is actually difficult. And we're going to have to work through this and work with the administration and even maybe with Congress, because we certainly want to do the intent of this, but the issue is if it's not workable we really need to find something that meet the intent of Congress.
Then there are a couple of education programs fortunately. One is called a demonstration program to integrate information technology into clinical education. And this really is one that's broadly integrating health IT and the use of health IT tools into the education of health professionals. These are a broad sweep of professionals that are covered by this, and this particular one I believe requires that there be two disciplines involved in the grant. It can't be just nursing or just medicine, and it explicitly has a broad range of health professionals fortunately. There is a report back, and how we can improve that.
The next one is really the investment in medical informatics education. And this is one where the Secretary gets to put out these funds in consultation with the Director of NSF. But it's really establishing a medical informatics education for either health professionals or for IT professionals, with a priority given to existing programs and ones that are designed to be completed in less than six months. So there are different levels here. Obviously, you can fund both the two-year type of informatics where that's needed, but there is a priority also if you try and get some people who can service that frontline group that can understand – arena and help in the workflow changes, and help that out.
Those are really the grant areas that we have. The mix across them, there is one, this is the only area whether other than money to miss there is a specification that $300 million will go to helping setup the information exchange in the communities. In reading this we're still looking to get guidance as to whether that's just the one that goes out to setting up the HIEs, or whether it includes the extension centers. It's either one or both, and we'll be getting clarification as we go through. But the mix of that is still something that needs to be determined by the administration, and in particular, $2 billion, which is a huge amount, more than anything we've ever had like this before in the area, is still very small compared to what's needed for all of this. And frankly, what we need to do is figure out how to structure these so that for every dollar we put out we get ten dollars of impact.
And we also want to see what we can do in working with the standards, that's why they're so critical, and the vendor community, provider community, to recognize what we've done before or since the pilot. Pilots are usually more expensive than operationalize the whole thing. The question is how do we drive down the installation cost per office, the new installation cost, the maintenance cost, how do we foster competition among the vendors so the new, more agile, more adaptable or configurable software that's a lower cost to infrastructure, it's more secure, and can be updated quickly, that that's actually what we're favoring so that we bring about some movement of market to favor a lower cost higher quality faster adoption model. In particular what we're looking for is to really find the outliers who have done it, and then see if we can replicate that. With the HIEs we are seeing that they're now the models where some of the more successful HIEs can franchise their knowledge, their technology, their support, and bring up a new community faster and less expensively. So rather than going into a new community and starting from scratch, what can we do to foster this type of model going forth that will stretch our dollars further.
I think the key part here is that we've got to make sure we have the standards, that we have the adoption, that we have some communities, and that we will be moving forward with NHIN as being the area that completes what we didn't have at the beginning or years ago where we put out standards but we couldn't test them, or if we did they were three entities together. We found in NHIN testing that if we just gave clusters together of three or four of the communities or with the feds, those groups could talk together, when we got them all together they actually couldn't talk together. So the idea of allowing standards to be tested by having small groups doing that really doesn't work, and we need to have something that builds towards a more common structure.
With that, let me stop and let Jodi talk about some of the important things in the privacy arena, and summarize what we did in December.
MS. DANIEL: Good morning, or I think we are getting close to noon here. Did you get an update on the privacy pieces, privacy and security pieces of the statute? Okay. I'm not going to go into a great deal of detail on it. I'm just going to briefly explain sort of the high points. Obviously folks from OCRS CMS can do a better job of getting into the weeds on how that might impact the existing rules and where they might go with that. But just to give a little bit of a flavor for what's in there so folks know what may be coming down the pike from HHS, particularly from OCR and CMS.
The provisions in the Act, there are kind of a handful of different things. Mostly there are modifications to the existing HIPAA rules. So they are in the flavor of specific changes and specific provisions. There are a couple of areas where it appears that Congress wanted to take a different approach than had been taken previously by the Department in the areas like sale of PHIs, accounting, things like that, request restrictions. So there are some specific changes in the statute on particular rules.
Then there are some additional things that were added in, particularly breach notification. There are specific requirements about covered entities being required to notify individuals in the case of a breach, and also business associates being required to notify covered entities in the case of a breach of information they hold.
Then what I think was probably the most significant change as far as the HIPAA rules were how they applied. There are provisions both for the security rule and the privacy rule where certain provisions of those regulations would now after the fact apply to business associates, both directly as well as having them beyond the scope for enforcement directly. So that is a significant change. Obviously the Department will be digesting all of this and trying to figure out how to incorporate these new changes into the regulatory structures that we currently have.
But one thing that was interesting from a health IT perspective is that it explicitly stated that health information exchange organizations, RIOs, e-prescribing gateways, and PHR vendors would be business associates under the current HIPAA regime. That is not an absolute, but it talks about particular types of PHR vendors and that sort of thing. But it does specifically clarify, I know that was an area that folks were somewhat confused about, and it does explicitly state that particular types of entities are in fact business associates, and therefore the rules on business associates would apply to them.
There are other provisions about PHRs, particularly again PHR breach notification. The statute didn't make all PHRs covered by the HIPAA rules, but it did explicitly provide this breach notification requirement for PHRs, and it requires the Federal Trade Commission to come up with regulations and to be an enforcement arm with respect to the PHR provisions. So we will obviously be working a lot more closely with our Federal Trade Commission partners who we've been – both OCR and ONC have been working very closely with them on a couple of different issues in this area, so we will be continuing in that role.
There are provisions in the privacy section for enhanced enforcement of HIPAA, as they call it, or strengthening enforcement, I forget what the exact term was. They are in a couple of different flavors. They seem to do a lot in this area. They both address the approach to enforcement, how the Department actually enforces the rules, and what our approach is when there is a complaint that comes in, and when we impose penalties and our approach in that way. It also affected the penalty structure. Interestingly, it included the ability for State Attorneys General to enforce, that that's something we're also looking at. We want to make sure that we don't have more confusion where we have each state interpreting the federal rules differently, and then also have the feds interpreting those differently, so we're going to have a lot of work to do in that area as well to make sure that that is done in a way that is most effective and causes the least bit of confusion for folks who are trying to apply these rules.
Then there are a couple of areas where there is one provision about education. There is a requirement, an affirmative requirement I think it's within twelve months that the Department does some specific education on privacy of health information. And we hope very much to work closely with OCR on that to make sure that its use of health information and privacy provisions for health information, but also as they apply to health information technology, electronic health records, health information exchange and the like, and make sure that the education is one that is helpful in the current environment given the context in which that came under this HITECH Act.
Finally, there are some requirements for guidance, particularly in the areas of defining what unsecured protected health information for purposes of the breach notification provisions, as well as guidance for the most appropriate technical safeguards for the rules. That latter guidance is actually an annual guidance requirement. Again, we'll be looking to be providing a lot more information in that area as well.
Generally, it's using the HIPAA structure, and Congress basically made changes based on the structure that already existed for privacy and security protection, trying to enhance it in certain ways, add some protections in certain ways, provide ability for greater education and guidance, then added some particular provisions particularly in the area of breach notification. But it's really following the existing model that there is.
Then the transition from that into what we did recently and what ONC is working on with respect to privacy and security. We in December put out a privacy and security framework, and I think people should have copies of that, I brought a bunch of copies to pass out. You've got it, great. So I don't have to read through the specific provisions in there, which is helpful. For anybody who doesn't have it it's available on our website, www.hhs.gov/healthit/privacy. So it's easy to find, all the privacy provisions are on that one page, all the privacy tools and things.
When we first set out to come out with this framework, the context was that we needed to have this trust infrastructure, we needed to have a set of high level principles that folks were trying to establish health information exchanges, that folks who were trying to figure out how to exchange health information could use so that everybody was talking from the same page, that everybody was thinking about the same issues that they needed to deal with, the same principles they needed to focus on, etcetera. And particularly when we did put this out, there was a concern that there were certain entities that were not covered by existing laws, the existing statute helps in that regard, although there are still we expect folks that would not be covered by the HIPAA rules, and this framework was designed to be a broader infrastructure, a broader framework for folks who were engaged in health information exchange. What we tried to do was actually talk about these principles in the context of health information exchange.
The purposes relates to establish a baseline, a clear and uniform baseline that folks who are engaged in health information exchange, all players who are engaged in health information exchange, could follow. It was designed to kind of overlay the patchwork of federal laws, the patchwork of state laws that exist, and provide just that one context for people to look at.
In developing this we are always, as I know you all are well aware, are sort of grappling with that tension between appropriate access of information and protection of information. And that is something that we really struggled hard to get the right balance on when we were designing this. Obviously, on the one hand you need to have the appropriate protections so that people trust that their information is safe and secure, and will want to participate in electronic health information exchange. On the other hand, having that information available at the time and place of care, having the information available to the consumers in a timely fashion, and being able to improve the care coordination and consumer involvement in their own care, are critical. So we tried to strike a balance in the development of these principles in those few regards.
What we did as a methodology is we looked at what was out there. We looked at all of the different types of principles and fair information practices related specifically to healthcare, related more broadly to information. We looked at the HEW, Code of Fair Information Practices from 1973 I believe it was, we looked at the OECD guidelines, we looked at the Markle Foundation, we looked at some consumer principles specifically related to health information exchange, we looked at some international principles that were brought to our attention as well. And what we did was we tried to digest all of this and come up with a uniform one set of principles for health information exchange based on that.
If you look at these principles none of them will be shocking to you, you will have seen all of these terms before. They are the basis for the HIPAA rules. They are the basis for a lot of others, the Privacy Act and other work that we follow. The way we set this up, this is very high level, it's a set of principles, we have the principle, a very brief description of the principle, one sentence description, and then we have some explanation of how we expect this to work in health information exchange environment.
We explained that our expectation of the scope as it applied to all healthcare related persons and entities involved in electronic health information exchange, so it doesn't apply to individuals. Individuals don't – we weren't assigning responsibility for the individual with respect to their own information. We were trying to identify either principles that apply to those who are holding information on behalf of others, holding other people's information and what they need to do with that information. That seemed to be a point of confusion for some folks who read this.
Then we're hoping that this would guide the actions of folks involved in health information exchange. So if a new HIA is being considered or performed in a particular region or a particular state that they would look at these principles to get a sense of the things that they need to be focusing on thinking about, and doing to make sure they have privacy and security policies and practices in place that are sufficient to establish trust for consumers.
The principles themselves, I'm not going to go into great detail, I'll just read through them. There is individual access, this is an individual's access to their own information in a format that is understandable to the individual. Correction, the ability of individuals to be able to dispute the accuracy of their information and to make corrections or have a dispute documented in their record. Openness and transparency is a big one. Making sure that people understand what the policies and procedures and technologies are for collecting, using, and disclosing their information. The technologies was an interesting one. We heard a lot of people saying they're concerned about databases or that folks are collecting information and they don't know how they're being held or what kind of security methods are being used to protect the information. So transparency not just about policies and procedures, but also about the technologies in place.
The next two I see this as going hand in hand. Individual choice, that individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their information. This wasn't designed to be an absolute, but it was designed to say that wherever possible consumers should have a role to play and should have choices with respect to how their information is used and disclosed. But we think it's important that that needs to be hand in hand with collection, use and disclosure limitations, that the entities that are holding the information have rules of the road they have to play by, and that information is used only to the extent necessary to accomplish a particular purpose. If de-identified information is perfectly adequate to use for a particular purpose, then encouraging folks to check out identifiers and that sort of thing.
Data quality and integrity was important, another principle that information be complete, accurate, and up to date, and not be altered or destroyed in any authorized manner. Then safeguards, the security protections that need to be in place to protect information.
Last but not least, and importantly, underlying all of these is accountability, making sure there's a means and method to report, mitigate, and adhere to the policies and procedures. Again, this is to sort of explain how we anticipate this being used or the context, this is not a regulation, this is not any kind of mandate to folks where expect this to be guidance. We hope it's useful, and we hope that it's used universally so that folks are talking from the same song sheet. But we have encouraged, I've just met with state leaders, the State Alliance for Health, encouraging them to use this back in their own state efforts. We expect to identify ways in which we can link this framework and these principles to other federal health IT activities that may be coming out in light of our new authorities and responsibilities.
You will see these coming up over and over again. And what we're hoping to do is actually go to the next step and come up with more specificity and implementation guidance, to help people actually make these principles and this framework more useful to folks who are trying to implement it.
Very briefly, we came out with some tools as well at the same time, worked very closely with OCR and HIPAA guidance to help clarify some misunderstandings, and some areas of confusion about the relationship of the privacy rules and health IT and health information exchange. We came up with a security guide to help providers, mainly non-technical audience, small healthcare providers that are adopting new technologies, to help them think about their risk assessments, the issues they need to think about from a security perspective, and to help them think through the policies and the technologies that they should be putting in place in their office to secure their information. We worked closely with CMS on that.
Then we put out a draft PHR model privacy notice. What we're hoping there, particularly in light of the fact that there are PHRs that may not be covered by federal laws, is to help on that transparency principle, to help PHR vendors communicate to consumers how information may be used and disclosed, what rights they might have with respect to that information, so that they can make informed decisions about choosing a PHR. We are in the process of putting out a draft, we're in the process of getting feedback, and we will be doing a number of rounds of consumer testing and hope that we will have a final product next year that we would encourage PHR vendors to use. There have been several conversations with PCHIT about using the model notice in their certification criteria.
I'm trying to do this quickly because I know we're short on time. The model privacy notice, the context here was or the vision of this was like the nutrition facts label on a soup can, there is a mandate for a food product that you have that nutrition facts label on disclosed particular types of information about what's in the soup. The government doesn't tell the soup maker how much sodium they can or should put in the soup, it just tells them they have to disclose how much sodium is in the soup. If you're concerned about your sodium, the sodium content in the soup you can look at your Campbell's label and your Progresso label, and I have no idea which one has more salt, but you can determine which one has more salt and make a determination based on the facts that you have. It's again about not necessarily setting the policies for PHR vendors, but making sure they clearly communicate those policies so people can make informed choices about how they want to use those and which PHR vendor they may want to use.
That's quick in a nutshell.
Committee Discussion
MR. REYNOLDS: Great, thanks to all three of you. Linda, if you could move over, as long as you have a microphone there.
I'm going to ask one question, and then I'll start the list. My first question, Jodi, maybe you could help out, is I kept seeing the words ‘business associate,' but what I couldn't draw is everything about a business associate up until now has been based on that it was working with a covered entity. And I sensed that this removes that umbilical cord, because not all HIEs and not all this stuff necessarily has – I'm struggling, and you may have said it, but I just couldn't see where it really snapped in like a Lego block and said ah-ha, here's who the covered entity is.
MS. DANIEL: The language about PHRs and business associates, it said that if they're providing a service for a covered entity. That actually was very clear.
MR. REYNOLDS: So that leaves them out. So if they're not?
MS. DANIEL: That doesn't mean that all PHRs will all of a sudden become business associates. That is not what the statute does. To answer your question, it doesn't change the definition of business associates. I'm 99 percent sure, I haven't read it in a little while, but the HIPAA guidance that came out in December did clarify how the relationship of HIEs and covered entities and HIEs as business associates, typically HIEs will have a relationship with a number of covered entities. My understanding before this came out is that was already the case, that most HIEs were already business associates with a number of covered entities. This makes it clearer that that is the case, but it doesn't necessarily take away that tie from covered entities.
And I don't want to speak too much out of turn, the definition of business associates is in the HIPAA privacy and HIPAA security rules, and CMS and OCR will be the ones who make the final determination on how that is defined, but I don't think that there is the concern that you've raised. And I don't know if, Karen, you have anything to add to that or not.
MS. TRUDEL: I think it's possibly not a covered entity model that we're used to thinking of, in terms of a covered entity, a health plan, or a health provider hiring a business associate to do a piece of work. That there are still contractual relationships, and I think one of the things that is probably going to be discussed in a bit more detail is how does the covered entity keep itself aware of what its business associate is doing, if that business associate is an HIE that has contractual relationship with lots of covered entities.
MR. REYNOLDS: Okay, thank you. All right, let's go down the list. Walter.
MS. DANIEL: I am going to have to leave very shortly, because I have another commitment at noon. I can stay for a few questions.
MR. REYNOLDS: All right. Walter, Leslie, Jeff, Larry, Sallie, Paul, who wanted to talk to Jodi? Questions for Jodi, go in that order. Walter.
DR. SUAREZ: Hi, Jodi.
MS. DANIEL: Hi, Walter, how are you?
DR. SUAREZ: My question is about opening of the HIPAA regulations based on – is there going to be an expectation that the current HIPAA regulations will have to be quote, unquote, “open” for modifications based on this? Are they going to be new rules that will have to be issued? The timeline for the compliance for those regulations based on HIPAA statute that says two years after a new standard gets adopted is going to be the compliance. So are new rules on HIPAA about privacy going to happen, or are there going to be modifications based on this, or is the statute enough to guide that?
MS. DANIEL: Again, OCR and CMS are going to be the ones who will make those final decisions. I would expect that there will be some things that we may want to clarify or articulate through regulations. But as far as the timeframe, if it's modifying an existing standard, for instance, if there's something in here about right to request restrictions and we're modifying the right to request restrictions, it's an existing standard, so it may not necessarily require that two-year delay.
DR. SUAREZ: I think it gives the Secretary basically a new modification of the existing standard, it can be required to comply with up to six months, and then after that whatever time. So, for example, it can give two years or more to the budget -
MS. DANIEL: None of those decisions have been made at this point. We're still digesting, so we're coming up with our plans right now.
MR. REYNOLDS: Leslie?
DR. FRANCIS: I'm with John Houston, the co-chair of Privacy and Security Subcommittee of this Committee. My question for you is over the next year or so it would obviously not be smart to reduplicate efforts, that is it wouldn't be sensible for us to work on something that you were working on on the front burner, and then leave something else completely unlooked at. At the same time we may have different views about certain kinds of things from what you all do, and might want to push certain points or might want to take down more on certain points than say the privacy framework does, and I know it's meant to be a very high level framework. There is a lot to work on underneath it.
So the question is sort of half a process question and half a substance question, which is how do we try to figure out - I almost feel like it's chicken eggish, because we're meeting now – we need to plan what we're going to be doing over the next three to six months, how do we try to plan wisely so that we work well with you and don't leave the worst gaps. I'm sure you're asking the same question.
MS. DANIEL: Yes, we are. It's a fair question, though. Like I said, my plan, and don't have a Secretary yet, we don't have a lot of folks in place, so obviously this is subject to change, is to try to dive in one level deeper on the framework. It still will be a high level document, it won't be at the level of the HIPAA privacy and security rules at any event. But to try to get one a little deeper and give people some more guidance on how they would consider these principles and how they might implement them in their own policy, the hope is we would do that for all of them. We might do it, I'm not sure, again it depends on the bandwidth and everything else we have to do.
It might be worth sort of brainstorming offline a little bit and sort of figuring out what we might need to do, because like I said, we're just developing our plans now given that this act has just passed, and there are some things that are kind of a little bit later in time, we're trying to figure out the roles of policy committee, there are some things in there about privacy and technology related together. We need to kind of carve that all out and think about where things might be helpful. And I would be very interested into your insights into where you are all both interested and where you think you might be able to fill an open gap, like you're saying.
DR. FRANCIS: So that is what we ought to do then with our meeting this afternoon, and then we ought to talk offline.
MS. DANIEL: That sounds like a great idea, yes.
DR. KOLODNER: I just want to mention that throughout the Bill there are references to the fact that, for example, the policy committee should take the recommendations that have come forth from NCVHS and that we're to make sure that there's a link, and certainly that was part of what guided the framework.
MR. REYNOLDS: Reiterate to everybody on our standards hearing yesterday was in close conjunction with ONC and the kind of things that they need to think about and do. So we have had a good partnership for a long time, we need to continue that, and we need to discuss along the way, because everything is moving in new and different ways, and that's a good opportunity. Jeff.
MR. BLAIR: Hi, Jody. I'm not sure whether the framework will include this type of new thing as we evolve. For the most part we've defined the covered entities and there was providers and there was payers and there was clearinghouses, and their roles fit into the entities and organizations that we call the organizations the same names as the roles. When we get into areas, and I think we're moving more towards in terms of wellness, preventive care and disease management, we have areas where the payers or health plans are providing those services. From the folks I've conferred with the guidance I've received, is if you are providing wellness or preventive care or disease management that those functions, those roles, are those of a healthcare provider.
However, those services may be provided under the auspices of a health plan. Now, I could come up with some simplistic guidelines to help reconcile that, if I go by the role, but if there's other legal issues that will come up down the pike I think we're going to be facing that a little bit more in the future. I don't know if the framework will provide guidance for that or not, but it's a topic area I would like to see the framework provide guidance on, if you can do it within a reasonable timeframe, or within the timeframe that you have to with these other priorities.
MS. DANIEL: I hadn't necessarily been thinking about this. I'll have to think about how we can divide up for doing some more detail guidance in particular types of either entities or functions. It's a very good point. I'm not sure if we'll get into the level of detail for those particular types of activities as you're talking about, but I will bring that back and consider that. Thank you.
MR. REYNOLDS: Larry, was yours for Jodi?
DR. GREEN: Yes. I want to keep pushing on Walter's question again. I will self-identify, that I'm enormously skeptical that HIPAA is ever going to get us to where we want to go. And its initial purpose which was to facilitate information transfer, as far as I'm concerned, has never been met. It's about ten years later and my skepticism grows from your report, and Dr. Kolodner's diagram, from the on the ground observations of 27 projects at about 350 practices where they're trying to do things like link their diabetic patients up with the YMCA, and using information exchange to do so where the owner and address moves from one place to another. When I hear the discussion about we need a contract with a business associate, I just sort of wonder about this.
Then the IOM comes out February 4th or 5th, was it, with their report about the inadequacies of HIPAA and the entire IRB thing. It's riddled with recommendations that blew my skepticism right out of this planetary system we're in. You get my drift.
MR. REYNOLDS: Could you narrow that down to be a real point?
[Laughter]
DR. GREEN: Pressing Walter's question further, are we just not paying, or don't we have to have a HIPAA fix that aligns with what we're about to accelerate?
DR. KOLODNER: You may want to leave now.
[Laughter]
MS. DANIEL: I have to go. That's a very interesting question that I would love to have a debate with you about. It is something that would require a Congressional discussion as opposed to an HHS discussion. We have the authority that is granted us by Congress, Congress has written the HIPAA rules and wrote the HIPAA changes, and we are charged with implementing those. So while I think we could have a very lively discussion about that, I don't feel that in my current capacity I could opine on that.
MR. REYNOLDS: One thing I'd like to do is this afternoon we'll be talking about the stuff we're putting together to further forward our thoughts on data stewardship. Let's add this to that discussion. Because, again, as we've said before, we can make recommendations in alignment with ONC to the Secretary and so on. So I think that's a good way for us to pick up that subject. How far we go with it, we'll have to decide.
MS. DANIEL: In the interest of now that I've just said that, putting my foot in my mouth, the concept, the privacy and security, we've heard some concerns about the HIPAA privacy rule. And the privacy and security framework was sort of designed to not talk about specific relationships and contracts and specific detailed requirements, but sort of get at least a level above that and try to start from the broad perspective, what do we need to have in place, what kind of trust framework do we need to have in place. So that was sort of the motivation behind this. I believe we are going to continue our work on the privacy and security framework, despite the privacy changes and the statute, I don't think that necessarily impacts the work and path we're going down. We will be continuing to think about privacy and security and health information exchange at a broader level, and also working very closely with our colleagues at CMS and FCR on the specific requirements that we need to implement for HIPAA.
DR. SUAREZ: This is something we can talk about in the Security and Privacy Subcommittee as well.
MR. REYNOLDS: Sallie's got a question.
DR. KOLODNER: Harry, if I could just add one thing using this as the key. We know that articulating the roles and differences between NCVHS's role and these two new FACAs is something that needs to be done, and inside the Department we need to work that through and we need to be able to communicate that clearly, and I would hope with input from all of you as well.
You have statutory authority in the area of HIPAA and in the area of e-prescribing. As we move forward with the infrastructure that we need and the clinical, e-prescribing clearly is something you have responsibility for, but it is in the heart of what will most likely be some of the effective use criteria that CMS would be putting out in the future for reimbursement.
In addition, at some point when we have an infrastructure that really is reliable, operational, beyond just the development stages, we need to also have the discussion about how does that – what's the relationship between that and the movement of claims data and other things that really is part of HIPAA. So there are discussions that will need to happen clearly that ties into some of this, and the question is whether there will be something new in this technology that has to do with the clinical data that comes and actually in essence delivers the kind of changes that might be useful, or whether statutes need to be changed, and I think those are just -
MR. REYNOLDS: And I think that's a great point, because if you study claims data it many times has as much health data in it as some of the other things. So, again, we can use those ties where we have statutory authority.
DR. KOLODNER: Jodi does have to leave. Maybe this will be the last question?
MR. REYNOLDS: Okay. Sallie was in line next.
MS. MILAM: I think this is for Dr. Kolodner. I did just want to thank Jodi for the work and the framework and OCR guidance. They really clarified the gray areas. Thank you.
MS. DANIEL: I think I'll leave on that note.
[Laughter]
MR. REYNOLDS: Paul, was yours to Jodi?
DR. TANG: Jodi as well, but the last question – and it's friendly and constructive.
MS. DANIEL: Thank you.
DR. TANG: I like your framework. Is it your opinion that the Recovery Act has privacy provisions that help oversee the privacy on the NHIN versus covered entities? I assume probably not. And if not, then how would you like to work with – this is a little bit picking up on Leslie – do we need to do much further with what we call our data stewardship piece or the privacy and security letter to the Secretary? Or is one avenue of working, I asked this of Karen as well, and I don't know which jurisdiction it is, the PHR report that the Secretary has to provide about whether those vendors who are not covered entities or business associates need to, do we need to do anything further with respect to privacy? Is that something done out of the ONC office, and is that something where we can contribute? I'm just trying to find where -
MS. DANIEL: Yes, as far as who's doing what, like I said, we're working on our plans, and I expect very much that these will be collaborative efforts, that it will not be owned by any one of us, but that we will have some cross-office teams. And if I can be so bold as to saying that as the Office of the National Coordinator, that's our mantra. I think you raised a couple of places where there might be some opportunities, the data stewardship, and I don't know exactly what you've been doing on that, but I think that there can be some interesting conversations there. I think PHRs, the statute in my personal opinion seems to focus primarily on technology in a clinical setting, getting doctors connected, and doesn't spend as much time on personal health records and tools for individuals. So that might be an area where – and there's still going to be personal health records vendors that are outside of the current provisions.
So that is an area that I think is still ripe for greater discussion and greater thinking and input.
MR. REYNOLDS: I'm going to give Carol the last question for whomever.
MS. MCCALL: These are more comments for you to take into your thinking. First, thank you for being here. And I want to play off of something that Jeff said, and actually, Harry, something that you said.
There are going to be new players on the field, new, quote, unquote, “entities.” And it's more than just recognizing that fact, I think it's learning to anticipate and even embrace it. So as we take a broader view of the health ecosystem, what is actually in it, in that web of different players, that we anticipate that. And whether or not HIPAA has done what it is that we want, I think we can all recognize that the concept of entity as found in HIPAA is too narrow.
I would also encourage us that there is something that we can do specifically within our work on a primer, that there may be a concept of a data steward, I create it, I use it, or both, that that then becomes a layering upon a legacy of what we already have, kind of a higher level concept. There may be some new concepts we need to create, those may take on regulatory authority in some way shape or form, and there may be actually a gradient.
When you think about entities, you either are one or you are not, it's either yes or no, it's on or off, there's no dimmer switch. So when you start thinking about the diversity of data for measuring health, creating it or using it, that people will be closer or farther away from the nexus of the individual.
So these are concepts that I think we should charge ourselves with discussing and exploring, and that folks who have the responsibility for enacting begin to take into account.
MR. REYNOLDS: Great opportunity this afternoon.
Laura, I'd like to ask you just one question, we didn't get anything – and I apologize for calling you Linda a little bit ago. You are obviously working in the same space, so as you see synergies and if you have any off the top of your head right now or as you continue along this same kind of thing, because we're all working in this same space. And when you say you want to go fast, six people in the same bag in a sack race, it isn't quite the same as six sprinters across the field running full speed. So I think if we're really trying to get fast we got to make sure we're not having a multi-person sack race here. Anything you can see, if you have any comments now, or anything as you go along, those are the key things I think are going to be important. We're going to be working hand in hand continually with Rob, and we already have been. I want to make sure that we don't lose sight of those efforts either.
MS. MILLER: I appreciate those comments. I think we're in a sorting out phase, and without a Secretary there are decisions to be made. We have a collaborative that has a board with a huge amount of expertise in this space that wants to help and move forward. Hopefully we can all figure out how that path forward is together.
MR. REYNOLDS: And Paul is going to be given a new assignment right before we break for lunch, he's going to be the translator. Since he is important enough to be on multiples of these things, he has to be our translator. So welcome and congratulations, it's a unanimous vote, I'm not even going to take it. And we'll go from there.
Thanks to everybody. I really, really appreciate it. And, Rob, thanks again for coming in, and Laura.
With that we'll break. I'd like you back at 1:15 please. We do have some time after the first presentation to talk about a lot of this. Thanks everybody.
(Whereupon, a luncheon recess was taken)
A F T E R N O O N S E S S I O N (1:15 p.m.)
MR. REYNOLDS: All right, take your seats, please. Some of you remember that Justine had represented us at a conference with the Center for Democracy and Technology. They introduced a paper on de-identification of health –
DR. CARR: We are producing a paper.
MR. REYNOLDS: Right. So we have asked Deven McGraw, since this was such a big item as we dealt with privacy, and as we all continue to deal with privacy, and we heard it again this morning or yesterday in the hearings quite a bit about information and structure of it and so on, that we've asked her to join us today and give us an overview. So, Deven, please.
De-Identification of Health Data/Center for Democracy and Technology
MS. MCGRAW: Okay, thanks very much, Harry, I appreciate it.
I did bring some paper copies of the slides. I'm sorry I did not get them done in time to make them into your packets before the meeting. A few too many things going on lately.
Let me just give you a few minutes on CDT and more specifically the project that I direct there called the Health Privacy Project. We really believe very strongly that health IT has tremendous potential to improve healthcare quality, reduce costs, and save lives. I feel like I'm speaking to the choir when I say this.
We know that consumers have some pretty significant privacy concerns, and in fact you all have made some of what I think are the most cutting edge recommendations along those lines. So, again, I still feel like I'm speaking to the choir.
Part of what we do or are trying to do is to develop and promote workable privacy and security policy solutions for electronic personal health information that are protective of privacy, but also allow us to move the information for the purposes that we want information to move better, faster, and more efficiently for quality of care, treatment, public health, research, etcetera.
Part of what we also do along those lines is to try to explore in a little bit more depth some of the more challenging issues. And one of the things that we have already done is put forth a paper on what we think the appropriate role of consent is, and how fair, because not too long ago there was a lot of discussion with people saying what we need to do to fix privacy and health IT is to tell patients that they need to consent for each and every use of their information. We put out a paper fairly recently about what our position is on that issue, which is actually consent is when you over-rely on it is provides very weak privacy protection, and a framework of rules is a better approach that consent can be part of.
And then the other issue that we have been looking at more recently is this issue of de-identification of health data. The way that we started to go down this road was really just looking at de-identification. And when I say de-identification I don't mean it as a general term, I mean the HIPAA standard for de-identification. Is it still possible to de-identify data given that on a daily basis we make more information publicly available through databases or that lots of people can get access to if it's not publicly available.
What are some common uses of de-identified data? Is the HIPAA standard sufficiently rigorous? And by this I'm talking more to what people often refer to as the safe harbor standard, which requires the removal of certain categories of data, versus the statistical model, which is I think designed to be flexible over time, because statisticians basically tell you whether or not you have no reasonable probability that data can be re-identified.
Then are the general policies surrounding use of de-identification still sound? Because when it qualifies as de-identified it's not protected by HIPAA, and in the view of some of us there are really insufficient legal mechanisms to ensure at a minimum accountability for re-identification, because once the data qualifies as de-identified there certainly is no legal requirement for entities to make a binding commitment to do so, although I do know that there are lots of healthcare entities that do bind data partners to non-reidentification, but that's certainly not required in the law.
We had a workshop on this. It took place September 26th, 2008. We pulled together some panels of leading experts, of which Justine was one. Then we invited a fair amount of people, we probably had about 40 people in the room. It included folks who were in our informal health IT working group, which includes vendors, employers, consumers, some provider groups, and some academics. We try not to have the group get too large, because we like to be able to discuss these issues. Then we did invite some Hill and administrative staff. There were folks from ONC, and the Office of Civil Rights in attendance, and I think there was one Senate office there, but as usual, they're often too busy to attend these things, but that doesn't make them off the hook with me. Coming to them later with our report when we're ready to make conclusions, being closer to press, and we did not record it, in part because we wanted to make sure there was a free flow of dialogue and that people didn't feel constrained to say anything in particular. Not that I think there was anything necessarily controversial that came out, but we just wanted to make sure of that.
So I wanted to give you a little summary of really these are the key points that are going to get raised in the paper that we are developing post-workshop, and it's very near completion, so I was comfortable raising these top-line issues with you. But we at a minimum need to circulate it to the workshop participants to make sure that they're comfortable with what we said in the paper before we finalize it and release it to the public. But I think we're this close.
The HIPAA de-identification standard, and in particular this safe harbor method which requires the removal of certain categories, really needs to be reviewed on an ongoing basis, and updated to reflect the fact that the data that's available either to the public or to significant sectors in healthcare is changing and morphing, and it never according to at least one HIPAA drafter who was in the room, it was never intended to be something that was static and that would never be looked at again. So it really should be something that is continually viewed. And whether or not we still should have a safe harbor, I think the general sense in the room was not every entity that holds data is going to be able to afford a statistician to give them the assurance that they need that the data is in fact de-identified. And some will still need a sort of easy to apply standard to meet, so there probably is still viability to having a safe harbor.
Uses of de-identified data should still be permitted at a minimum for those that generate public benefit. I think when I talk in a little bit more detail about what some of the workshop panel experts shared with us, we don't even know the entire universe of how de-identified data is used today, because it doesn't have to be tracked. Again, once it's not covered by HIPAA it can go out the door for any reason whatsoever from a legal standpoint. Again, institutions certainly have their own policies in that regard.
We do need better methods for holding data use at the ends accountable. At a minimum, on the re-identification standpoint, there just isn't a legal way to get beyond contract enforcement in those cases where the entities have signed contracts with their data recipients. There isn't really any public accountability if that data has been re-identified and used for purposes that were not originally intended.
The current de-identification standard, unfortunately actually has limited utility for many data uses. And the same is actually true for what I like to call de-identified data's close cousin, the limited datasets. Those are the only two data anonymization set options that are currently in HIPAA, and neither one of them really serves very many purposes. That basically leaves two or three options for entities that would like to use data for a range of purposes, and that's identifiable data or data that qualifies as protected health information, a limited dataset, or de-identified data, a little bit on two polar ends. As opposed to a range of data anonymization options that can fulfill a number of broad purposes, and that can be more privacy protected, because many of the common identifiers have been stripped out. So those are rally the top-line.
Who was involved in this workshop? We had it moderated by Peter Squire, who is a professor at Ohio State University now, but most of you know him because he had a role on privacy issues, an important one in the Clinton administration, and he's still very much interested in these issues.
We had three panels. The first one was talking about current de-identification practices, and we had IMS Health come and talk to us about how they take data that they receive in an already de-identified form from covered entities, then continue to scrub it pretty vigorously to use it for the various analyses that they can perform. Depending on what their clients' needs are, that's a pretty wide variety, and also includes a number of commercial uses.
Latanya Sweeney, who is at Carnegie Mellon University, and Cynthia Dwork who is a research scientist at Microsoft. The two of them talked about, well, Latanya, if you've ever heard her speak will tell you how easy it is for her to basically re-identify just about any point of data. But both of them presented some models that they have been exploring both in the academic and in the commercial context for creating more anonymized data. I could not replicate those presentations if I tried. But I am glad that there are people like that out there doing that work.
What are some common uses of de-identified data? We heard from Justine, we heard from Linda Goodwin, who is at the Duke University School of Nursing, we heard from Stan Crosley, who does research work at Eli Lilly, and we also heard from Shaun Grannis, who is at Regenstrief.
Then our last panel was our policy implications panel. Our panelists were Bill Braithwaite, Marc Rothstein - we really from NCVHS, we probably could have added all of you guys on this panel – and Kenneth Goodman, who is a bioethicist down at University of Miami. So we had a long day, 10:00 to 3:30, and honestly we didn't have enough time I think to go into all of what we would have gone into.
So just to give you a little more detail about some of the outcomes of the workshop beyond the top-lines that I've already talked about. There is a wide variety of common uses of HIPAA de-identified data, notwithstanding that it's not as useful as some would want it to be for certain purposes. There is still a fair amount of use being made of it for quality improvement, public health, research both on the clinical and epidemiological side, and as well for commercial. Folks were quite upfront about there is high commercial value to de-identified data. Again, because this data is not regulated or required to be tracked, the complete universe of uses of de-identified data really is unknown. Both the patients as well as to regulators, I would assume that entities that are releasing de-identified data for certain purposes would know the range within their own institutions, but certainly there has been very little examination across multiple providers.
Ensuring that this low risk of re-identification, which is what you want if you're going to release data from a number of protections, is getting more difficult in part because of the increased availability of data. And somebody actually made the point that Congress makes it increasingly difficult to maintain this viability because more and more data is being released for public access. In some ways we are our worst enemies sometimes in this regard. A statistical method for de-identification, again it's meant to be flexible over time, but the safe harbor may in fact lose its potency. As I mentioned before, it was never intended to be set in stone.
Some of the other discussion points that came out, I mean does it still make sense to allow de-identified data to be used for any purpose whatsoever? And if so, is there at least a credible rationale from a public policy standpoint for requiring more transparency to the public about how that data is used? Should we be tracking or monitoring it more closely? In that regard, is there a role for data stewardship entities, for example, in determining what are and are not appropriate uses of data, even in de-identified form. Our paper is not necessarily going to provide answers to these questions, more to sort of tee them up for a more vigorous debate in policy spheres.
How do you ensure accountability for misuse of data? Again, because this data can be used for any purpose, when I say misuse I mean use that was beyond what was intended when the data was released by the covered entity that was holding it. And how can we ensure data that re-identification won't happen, especially when we don't have a data protection law in the U.S. We have these covered entities, and we have business associates, and once data migrates beyond those spheres it's unprotected, as you all have identified and crowed for, but we didn't get that data protection law in this last round, and I don't know whether we will get it.
How do we ensure that people who get de-identified data won't re-identify it? How do we hold people at least accountable to the data holder that gave it to them in the first place, if not to the public?
There needs to be an ongoing review of this safe harbor, it probably doesn't have to be every year, but to suggest that now it's five years old and it still is as viable as it was then I think is a bit disingenuous. Then, do we need to ensure more rigor in the statistical method? Again, that's the one that's meant to be flexible over time. But is certification by any statistician sufficient? Do we count on the covered entities who hold the data to be sufficiently careful with who they hire to make those certifications?
Then on the point about do we need more options? I think there was some general agreement in the room that yes, in fact we do need more options. Again, de-identified data is not as useful for many important purposes. Fully identified data can actually be used for many of the purposes where we care about people having access to data for quality improvement, for research, and for public health. But that's not as privacy protective as it would be if in fact that data were used with at least some identifiers stripped from it. Again, the limited dataset preserves more data, but it's pretty rigid.
One of the suggestions that came out of the meeting, and it actually came from Marc Rothstein, was some sort of requirement in HIPAA to use the least identifiable data for a number of purposes under HIPAA. This may not work very well in the treatment context, it may not work very well in the payment context, but certainly for a range of uses that today are permitted under HIPAA using what is least identifiable given the purpose for which you need to use the data was appealing to those of us who were at the workshop. It is leading me to wonder whether this could possibly be accomplished actually through more guidance or regulation under the current minimum necessary standard in HIPAA, which applies to all uses of data except when it's for training purposes.
Are there any opportunities in what just happened in this Stimulus legislation to probe this in more detail? Yes, actually there are. HHS Secretary is required to examine and regulated specifically in several areas of HIPAA. There is a required study on de-identification, in three short provisions, so HHS has a fair amount of leeway with how that study would be conducted, but they have to do it.
They also have to put out guidance on minimum necessary, which to me I'm seeing opportunity for some data anonymization models that can be used for a variety of purposes, but I'd be very interested to get feedback on that. Then there are requirements that the new health IT advisory committee and policy committee and the standards committee consider your recommendations. They have to specifically be told to do this. I think there was no discomfort at least with the professional staff that I talked to. Certainly the consumer advocacy groups that I work with have long wondered why so much of what you all have put on the table has not yet been taken up for more active consideration. So our hope is that that will actually happen.
We are releasing our paper. I almost put early spring, but I should learn not to promise with deadlines. We were working on that consent paper that I referred to earlier. We started work on that in August and we released it in January. I hope we're not talking about that kind of thing, that was a very difficult paper to write. I think this one will be a little easier.
What else will CDT be doing on this issue? We are going to do our best to contribute to this ongoing regulatory and guidance process that's been put into place. And then we would love to continue to work with you all on this. It clearly is something that you're interested in, too.
So I'll stop. What I did in the paper packet was to give you not just the slides, but there is also the agenda from the workshop, which has more information on who was on our panel and their complete titles and institutional affiliations. Then we had passed out to folks excerpts from the HIPAA privacy rules, which has both de-identification and limited dataset language, and then did a little comparison chart, because this was really an interesting exercise for me in realizing just how little difference there is between what qualifies as a limited dataset and what you need to qualify for, I mean at least in terms of the category. There is a fair amount of overlap, very interesting.
MR. REYNOLDS: Okay, Devin, thank you. Yes, Justine?
DR. CARR: I would like to just first say what a wonderful, terrific conference you put on. I mean it was a short amount of time, but the amount of territory we covered was tremendous. So tremendous congratulations and thanks to you.
I also want to observe that this is a great way of working together. When we were working on the uses of data we came to de-identified data, and we had this tendency to want to make some proclamation, but we kept getting little additional pieces of information telling us we didn't know all we needed to know of who was using it, in what ways. So we opted to table it with an eye toward holding hearings. But I think this sort of reminds me of Paul's model, or the new etech model that talks about a due diligence subcommittee. This was a great example of a due diligence subcommittee where all of the relevant parties were represented and there was a rich discussion. So I think you've done a marvelous job of summarizing it, and I think the way you put the table together and all that is very helpful and probably in some ways now back to us to do the part that we do. But I'm just impressed at how this synchronization of the expertise, the high level and the expertise can work very well together. So thank you.
MR. REYNOLDS: Walter.
DR. SUAREZ: Hi, how are you? I wanted to bring up something I'm not sure if you're aware of, but it's important for the Committee and others to become aware of.
HITSP, the Health Information Technology Standards Panel, has produced two constructs, specifically establishing the harmonized standards for anonymizing data and pseudo-anonymizing data. Those standards are published and have been recognized by the Secretary, and are incorporated into the interoperability specifications published by HITSP. Those two constructs are detailed constructs that define the data elements that would be needed to be eliminated or taken out of the data in order to de-identify the data. They are built on international standards, ISO standards that define anonymization of information, personal information, not just health information. That is a point of reference for how technical standards need to be brought into the discussion. I think it will be important for now we're in the HIPSP for us to learn more about this, because this I didn't know about personally. I think it will be helpful for you to learn more about what HITSP has done as well.
MS. MCGRAW: Absolutely. I'm glad you said that, I mean I'm actually kind of surprised that it didn't come up, but given that the workshop was back in September we may have been off on our timing. But certainly having a standard that gets adopted in electronic health records that can help entities with anonymization of data actually helps me to argue that the policies should require that kind of consideration, as opposed to if it's just the technical standard and nobody is required to use it, or if it's just a technical standard works for de-identification but doesn't necessarily give you the same sort of range of options that I think we were really looking for.
DR. SUAREZ: And just very quickly. We have built actually specific constructs to anonymize data on this specific use case applicability, so we have an anonymization construct for the public health case reporting use case, and one for communication registry, and one for the various use cases that call for the need, quality is one of them, biosurveillance, that call for the need to anonymize data. We actually created a generic anonymization structure construct standard, and then we looking at the specific use case map which type of data element would need to be built into the construct that applies specifically to that use case to do an anonymization.
MS. MCGRAW: I will definitely look at those. I think to the extent that there may need to be some options available where someone's use of the data doesn't fit the particular use case, I know our work will try to be broader, but I certainly want to incorporate what's going on at HITSP. So thanks for that.
MR. REYNOLDS: Leslie, Don, and then Justine.
DR. FRANCIS: First of all, thank you so much. I'm Leslie Francis, and I'm the co-chair with John Houston of the Privacy and Security Subcommittee. Nice to meet you.
MS. MCGRAW: Nice to meet you.
DR. FRANCIS: I'm looking forward very much to reading the final report. But I wonder if you could just comment a little bit about whether there will be anything in it on the – it's tantalizing to have you mention public benefits and then note core different types of uses of de-identified data, QI, public health, research, and commercial. And particularly in light of the recent report about HIPAA and data and research, I'm wondering whether there was any discussion or thinking about whether these categories are crucially different, that is whether the kinds of ways to think about in Mark's suggestion about least identifiable data possible, whether that looks different when you're dealing with QI or whether the kinds of arguments for allowing more identifiable data in QI? There was the study of QI that the Hastings Center put forward that argued that patients in some way could be thought of as having consented to participating in improvement of the – I mean I'm not defending any of that. But I was just wondering whether you thought there was any or whether there had been any talk about some of the differences.
MS. MCGRAW: A little bit. I don't think we mined it in quite the amount of detail that probably needs to happen if you're going to draw some more clear lines either with respect to whether it's permissible to use it at all, and then if so, then what is the level of anonymization or identifiability look like for various contracts. That's not going to be an easy thing to do because it's probably going to need to be somewhat flexible depending on the need.
We could probably spend another six to eight months paper researching it a little bit more rigorously, but the thought was to at least try to get out the proceedings of the workshop, and then if there are areas that need sort of further more in-depth review, whether it's some sort of literature review or whether we do another workshop that's just on the research report that just recently came out, I think we want – I'm just really anxious to get this thing out. But it definitely doesn't answer all the questions. The hope was to sort of continue to stimulate this dialogue, and generate more work for me.
MR. REYNOLDS: Don.
DR. STEINWACHS: That's the kind of strategy the government is trying to use, which is called data centers. You don't release the data, but essentially they're using people as part of this, but I mean you could think of technology solutions where you could run tabulations and do things but what you got out would never be at a fine enough grain level that you could identify. The reason for raising it there's a lot of interest in linking datasets, and as soon as you link, which we have a set of hearings immediately coming, are more identifiable. So de-identified data is in theory non-linkable unless you de-identify it, link it, and then proceed down that pathway.
I was wondering whether anyone raised that idea of instead of making the data available, having some way that you had access into the dataset but you never had the data. It seems to me that may be an option we need to explore out there, instead of the idea that we're going to keep trying to play around this edge of how do we make it de-identified with a kind of certainty, and you've already challenged the fact that this is a moving target.
MS. MCGRAW: Is this the certified data stewardship type entity, or is this a different riff on that same sort of concept?
DR. STEINWACHS: We had I guess it was two years ago now we had a hearing on linking datasets, and brought together the government agencies. And part of this was the realization that even within the government you can't get data linked and used within the government for things, much less the other purposes out there. But the solution the government is taking is fundamentally data centers, so you can analyze like datasets but you can never get them if you're a researcher.
MS. MCGRAW: Does someone else perform the analysis?
DR. STEINWACHS: No. You lay out the analysis, you may actually be able to submit it and run it, but the output is checked to make sure that you can't. But in theory you can actually probably find the technology to scan output that would give you confidence that none of the cells are combinations of tables that allow you to identify a person or entity. It was just the idea that you never have the data, you only have tabulations off the data. Just to encourage you to think about is that some area that you would be interested in going, and I think this Committee some interest in trying to figure out how to make that work better.
MS. MCGRAW: Okay, thank you.
MR. REYNOLDS: Justine, Mike and then Carol.
DR. CARR: I was just going to ask Walter to define anonymized and pseudo-anonymized, as opposed to de-identified.
DR. SUAREZ: There's no standard body data and use the word de-identified, they use anonymized and pseudo-anonymized, and those are defined terms. I can't recite them right now, but they're defining our construct. Then they draw a line or they drew a line with some of the basic concepts of de-identification. There is a reference of course of the HIPAA 18 plus data element for safe harbor de-identification process, and they are included actually in the data elements as a double-check, but there are international standards for anonymization of data, and those are the ones that were built into the construct, and the definition of the terms are there. It's HITSP.org if you would like to review the various documents.
MR. REYNOLDS: Mike.
DR. FITZMAURICE: Just to respond also with Walter that to my thinking is that anonymized means you can't re-identify it, try as you may. Pseudo-anonymized means you can't re-identify it, except it has a key that permits you to re-identify it. That's just the way I think about it in my mind.
On the last page, I guess you can see the last page, and I'm not a lawyer but I'm looking at the limitations on uses. It says it can be used by a covered entity only for research, public health, or healthcare operations. Might that it can be disclosed by a covered entity only for those purposes because it can be disclosed by somebody else who uses it, like a researcher, under those conditions of the use agreement.
MS. MCGRAW: Right. What it should be, a user disclosure is covered. I mean the limited dataset is for any HIPAA access.
DR. FITZMAURICE: Response to Justine, a category of things in my mine - oh my gosh -
MS. MCGRAW: No, it's both use and disclosed, access use disclosed.
DR. FITZMAURICE: Thank you.
MR. REYNOLDS: Carol.
MS. MCCALL: Thank you for your comments, they are wonderful. Actually, I'm going to play off of something that Don mentioned. When you were talking about Don called them data centers, but in this concept I could imagine a type of service entity that may or may not exist today that does this kind of linking. But you can imagine that basically let's say you are the service provider, and say I want to link my set to Don's. We both come to you, I'm okay, he's okay, you do the linking, and what you then say is all right I'm going to give you something back, and it actually a physical dataset, but it's going to have been scrubbed to different level. And depending on the level to which it has been scrubbed and anonymized, there are different requirements and accountabilities and restrictions, including transparency of what I've done, including needing permissions along the way given what I'm attempting to do.
What we may want to do, again back to this gradient of responsibility, that the more I want to do, the more I want to tie, the more I need to share, and the more constrained my follow-on uses are. So that's a concept, and so I don't know if that was discussed at all or not, but I offer that up.
The other one was in the least identifiable data possible, was there any discussion about the fact that that's very much what I call a hypothesis driven paradigm. I kind of know what I'm going for, right, in that world. If I don't know what I don't know, and a lot of the methodologies now are very much kind of a knowledge discovery approach, was there any discussion about how that would need to be treated?
MS. MCGRAW: We didn't go into it in too much detail, but I completely see what you're saying. What that suggests to me is any sort of – I totally agree by the way with the construct that you laid out about not just a commitment to use the least identifiable data possible, but by the way the more identifiable it is the more we get to scrutinize it, hold you accountable, the sort of rising levels of expectations and accountability depending on the kind of data that you've asked for and that you hold.
I think what your comment suggests is that not only would it be difficult to lay those standards in stone because different purposes that need data are necessarily going to need a different response, that response might actually, in fact, also have to have some flexibility built into it because either at the front end you want to have more identifiability of the data because your hypothesis is not quite as well formed, and in fact part of what you're using the data for is to continue to formulate your question better. And maybe it's the case that you start to see something in the data that you get under one set of questions that suggests that actually you need an increased level of identifiability.
I don't think this is an easy thing to do, because policy wants hard and fast rules, it wants a very clear standard, and the people who are regulated under it would prefer to have certainty. But I'm not sure we can get there necessarily. So I think we have to have a system or process in place that allows for some kind of flexibility, including on the question that you just raised, which is I don't necessarily know at the front end how identifiable the data needs to be for me to answer my query, because that is in fact part of what I'm looking for.
I know we have not fully thought this out, but that is I think a very good point, and yet one more thing to add to the consideration of what would that process look like and who would get to decide.
MR. REYNOLDS: I think playing off of Walter's comment, playing off of some of yesterday and some other things we've discussed, as well as what Deven has said, the whole ecosystem around setting standards, I know there's a construct and you've come up with three or four new terms of how to define data, and then we'll use Mark's comment, which is the least identifiable. So basically we may have just dropped from de-identified down to one of the items that Walter said, which means you may have moved all data from – that was de-identified all the way as far as they can within that construct. And the problem is we're still struggling to teach a whole industry what de-identified is, and what HIPAA is. So now we come up with three or four new nomenclatures that structure, and again I'm not voting for or against anything, I'm just talking about the process. And that's kind of what we have to continue to keep an eye on, and then the minute you do that – and we don't teach ecosystem what that means and when the most appropriate uses would be, and oh by the way how are you going to ever tell a person what those uses are, that's when we kind of fall down.
So standards and some of this stuff can get way ahead of the rest of the ecosystem on how we explain to people who have the data, people who will use the data, and people whose data it is, really can buy into it. I think that's the message we heard yesterday, and it keeps playing through. This whole idea of everybody's for continuing to more forward, but we got to move everything forward, not necessarily just because one committee's ahead and picks something, and it might be for a wonderful reason, and it's probably a right reason, but if we don't turn it into the understanding of everybody then all it is is one more opportunity to keep this thing going back and forth.
That's not a derogatory or positive statement to anybody, that's just understanding the overall process of us moving a whole country forward a piece at a time, and a data element at a time, and a dataset at a time, and that's a struggle right now.
Larry, you had your hand up.
DR. GREEN: At this conference and in your continuing work where does the idea of risk to the person attached to these data – does that come up? Or alternatively, is this a discussion about de-identification and security, is it independent of the potential consequences that re-identification, for example, might precipitate?
MS. MCGRAW: I think those considerations are woven into the concerns that we've raised about de-identified data. I mean what we have today is an assumption that there's no risk, no risk to the individual who's the subject of the data, when in fact it's been fully de-identified under the HIPAA standards.
DR. GREEN: I just realized I didn't ask the question I really wanted to very clearly at all. Let me go around the corner here on you for just a second.
Let's assume that we impose on all healthcare providers, all researchers, and every public health department, a definition, and we have a rulebook for how it has to be operationalized, and we teach it to everybody and that's how you do it, and now we're all compliant and we're protecting everyone's privacy.
What if that set of requirements gets applied to a dataset that everyone – you get 100 percent of the U.S. population's vote that they wouldn't care if they were re-identified in that dataset because there was no risk to them as an individual for being re-identified? Or what if that population said the risk is so low for me being violated, but I don't care if it's re-identified? That's what I meant by levels of risk.
The context, the ecosystem for my question, to go back to Harry's word, this is dangerously close to trying to get to a one-size fits all. And everybody that does quality improvement or healthcare or research knows that sometimes the steps and work necessary to comply, all people of good faith and good effort and good intent look at and says we've destroyed the potential good to serve the requirements, and by the way, no one can identify how anyone could have come to harm otherwise.
This is a part of daily life in the United States, in my opinion, and health plans, healthcare delivery systems practices, and universities, and each time I see another one of these I sort of want to know if we shouldn't possibly be considering stratification of these strategies according to what is understood to be the risk to an individual to be re-identified. Was that talked about at all?
MS. MCGRAW: Well, yes and no. I mean I think what we're proposing is in fact a flexible standard based on how the information needs to be used, not in fact a one size fits all. I mean arguably actually two sizes fit all, or three sizes fits all, is in fact what we have today.
What we didn't talk about specifically was whether we would put some sort of balancing standard in place that would say not just sort of what – really the HIPAA de-identification standard on a statistical method is what are the risks of re-identification, it's exactly how you implement it. So in fact arguably that's something we already have today, and we're not actually arguing that that be dispensed with. Instead we're arguing de-identification is so rigorously strict that in fact sometimes you need some identifiers on data in order to do what you need to do. And in fact we're open to talking about that.
DR. GREEN: Again, my concern is not the risk of re-identification, I'm trying to use the word risk to be a risk of harm to a human being.
MS. MCGRAW: That is an issue that maybe you and I might disagree on, because harm in the context of information research is very different from harm in the context of clinical research. What does sometimes tend to happen is not always a strong valuation of people's privacy interests and information, because the concept of harm unfortunately too often gets defined as did the information get out and you lost your job, or did the information get out and there was financial information associated with it and therefore you lost money.
You know harm is very subjective in the healthcare context, which is why it's so difficult to come up with a standard for breach of health information, for example, that isn't just well as the information goes out the door you have to be notified, because what is sensitive to me about my healthcare information is not necessarily going to be sensitive to everyone.
I want to say one more thing about that ending that you said. One of the things that Cynthia Dwork proposed, and she was the scientist from Microsoft who talked about the ways that they quote, unquote, “de-identify data.” She proposed a method for de-identification which I can't, Justine, if you can remember the name that she attached to it, but essentially what they measured was if your risk of being in the data is no – of being identified by being in the database is no better than it would be if you were out of the database, in other words it's sort of a neutral proposition, then essentially there is no risk to you being in, and so therefore there's no heightened risk to your privacy by being there. I think that's a very interesting thing to – and please don't ask me any detailed questions about this, this is Cynthia Dwork's hypothesis, it was very interesting, and there was some complicated math associated with it that I'm going to have to admit that I don't fully understand.
But, again, because we have so much data about ourselves out there already in the public sphere, my understanding, and Justine, you can correct me with that, what she was saying is if there's no greater risk you being in this particular dataset than out necessarily, because there is no greater risk of re-identification for being in and out, is basically it.
I see Maya nodding her head.
MS. BERNSTEIN: I was also at this meeting. What I remember her saying was, and I'm glad you made this point, because I was sitting there going you need to talk about Cynthia Dwork's point, that if there's no greater risk of you being in the dataset then your risk in being in the general population, that the risk of somebody finding out this information based on the fact that you're in the general population, whatever public information might be available about you or other information about you, then that risk is low enough. Basically you've protected them enough if you get down to the point where it's the same risk as somebody being in the general population.
Was that your sort of understanding of what she said? [Overlapping voices] It was in a way complicated mathematics, which I also -
MS. MCGRAW: No, it's not a safe harbor.
DR. SUAREZ: Exactly, that's not the safe harbor, that is the statistical.
MS. MCGRAW: It's just a methodology to meet the statistical prong.
DR. SUAREZ: It's an approach to meet that statistical requirement.
MS. BERNSTEIN: It doesn't directly, I don't think, get to Larry's question either, which is what is the risk of some harm coming to the person from the information being out there. But I think it's very hard to measure risk to your reputation, I mean financial risk is relatively easy to measure, but risk to your reputation or embarrassment are the other kinds of things that a privacy breach might come to pass are very hard to measure.
MR. REYNOLDS: I got Mark, Carol, Paul.
DR. TANG: On this last point though, I don't buy that argument because the risk of somebody else identifying you based on being in this database doesn't take into account a couple of things. One is, as Deven said, more and more information databases are being made public, so you risk will change over time. And the other is it doesn't take into account the private databases that any one entity such as Microsoft has. It's just like cookies are anonymous until you have registration data from one person, and you have doubleclick.com who happens to have contracts with all the other parties and instantly you're identifiable, yet Mark wouldn't be able to pick you out.
So I'm not sure -
MS. MCGRAW: I thought it was somewhat illustrative.
DR. TANG: You know it's not a criticism or you.
MR. REYNOLDS: You could also have the same argument as to whether or not you would want somebody, certain companies being the ones who decided this.
No, not being ugly just being - Mark and then Carol, and then we're moving onto the next.
DR. HORNBROOK: At the conference did anyone pursue the notion of how much data specific to health and health status and healthcare is already out there? The registries doing data, STD reporting, immunization, public school, life insurance, disability insurance, the vendors that support all our health plans and doctors, birth certificates, any outbreak investigation by public health authorities, motor vehicle accidents with injuries, interpersonal violence on a police report, workplace injuries, these are all things where you data moves out of your record to someplace else. That is quite a bit.
Did that come up at all among the theory of this issue of privacy?
MS. MCGRAW: Well, yes. I guess I'm not sure what your question is.
DR. HORNBROOK: Did people actually get into the notion that there is a way to start thinking about the fact that how much data is already out there presumably for good purposes. All these data releases are to help somebody to benefit.
MS. MCGRAW: Right. And all of them authorized by some law somewhere.
DR. SUAREZ: Sorry to jump in, but some of them is protected from being accessible. You mentioned public health, nobody can access the AIDS database in the state of Michigan in public health unless they made a mistake.
DR. HORNBROOK: But the public health department comes to Kaiser and by simply asking they do find out about you, because we disclose it because it's a public health request.
MS. MCGRAW: That's right. But that's exactly what the scope is, in other words, all of those uses that happen today with fully identifiable data or whatever is the pieces of data that need to flow in accordance with what you're legally required to, or what you get asked to, and then there are numerous allowed data uses and disclosures under HIPAA.
That's actually the point we were trying to get at, is in some cases you do need to know who the person was attached to the data. Obviously, anonymizing, pseudo-anonymizing, de-identifying, you know, that's out the window when we really need to know who that person is, but for so many of these other purposes you don't need to know it's me, you might need to know my age, you might need to know my condition, you might need to know in fact exactly where I live depending on what the investigation is. But that is essentially why at this point what the report says is least identifiable as possible to actually still meet the purpose.
But today there are neither incentives nor requirements to think about the release of data in that way.
DR. HORNBROOK: One footnote, as a person who uses large datasets and merges them in my research every day, when you think about asserting the quality and integrity of linked datasets using every single one of those variables you just mentioned, is that necessary to make sure that you haven't been caught by a datapunch error, by somebody fraudulently using a health plan card, or fraudulently using a social security card.
MS. MCGRAW: And that is actually given that we're also an organization that doesn't think too kindly about unique patient identifiers, and we want people to be linked by using other data points, we wouldn't want a recommendation to get in the way of that.
MS. MCCALL: Firstly, kind of a general comment. I think we're going to have to have work we have to do on defining what we mean by privacy. It is thrown around a lot. It tends to be thrown around in the field as kind of a stink bomb to slow everybody down. And it's there for a reason, and we need to be cautious, we need to be clear, we need to be intentional. But we're not doing a very good job yet of defining what we mean by it, privacy from what or for what, and I just think that's work.
A question for you about the time you spent together. Was there any discussion around data itself? And let me tell you what I mean by that. There's data and there's, for example, Medidata, where the fact that certain data may need to be made private, notwithstanding what I just said, but that the Medidata on it may not be. So I may be on five different medications and I am loath to tell you what they are, but the fact that I'm on five is a nice little piece of Medidata that could be valuable.
So was there any discussion around that as a concept?
MS. MCGRAW: I think we were narrowly focused, I mean we got through this doorway initially by looking at the HIPAA de-identification, so it was a pretty narrow inquiry, it was an inch wide and a mile deep, but still we got into it through this de-identification door. Then when we were exploring sort of is that standard still rigorous, does it still work, that's when we started to stray into the territory of well it doesn't actually work for as many purposes as we might want it to.
Therefore, in areas where today identifiable data is used, which I wouldn't characterize as Medidata per se, although if you say you are on five prescriptions and I know it's you, Carol McCall, then that's different from -
MS. MCCALL: We kind of think about data today as every field with its real value and not some sort of a Medidata field.
MS. MCGRAW: No, it wasn't discussed in a lot of detail and that's a good point.
MR. REYNOLDS: Okay. With that interesting thought, maybe the problem is we don't know how to explain to the general public how we do or don't want to use their data in ways we might want to use it for. So we keep coming up with ways to police ourselves, and how we're going to use it, but maybe we ought to get a whole lot better explaining what we're trying to do, it might be more helpful.
So, Deven, thank you. Obviously you have us stirred up, and we look forward to your paper. And after you put it out, you can't hide.
MS. MCGRAW: No, no, like I said, I mean there's more work. This in no way mines this field. It is obviously rich with lots of issues and things to consider. So it won't look much different, I suspect.
MS. GREENBERG: Thank you. I might note that the Privacy, Confidentiality, and Security Subcommittee is meeting the last part of today, and there is no other subcommittee meeting at that time as I see it. That gives all of you an opportunity to continue the discussion.
MS. MCGRAW: And I've sent my policy counsel Sheele(?) is coming back to keep an eye on you guys during the conversation.
MR. REYNOLDS: Thank you, Deven, appreciate it.
If everybody will now turn to Tab 5 in your book, please?
Compendium of Data Stewardship Efforts
MR. REYNOLDS: If you remember at the last full committee meeting, Justine, myself, and Susan said that we would put together kind of an outline of a primer on health data stewardship that could be produced by the Committee, obviously with some preface and context on key things that we've learned, key things that we understood as we went through our effort, and then oh by the way making sure we point to all the appropriate industry papers, writings, and so on that try to develop the subject.
Again, a good aspect of NCVHS is that we many times take very complicated things, put them into some kind of structure, and then as we said before, when we talk about our audiences, at times I don't think we focus quite enough. One of our audiences is the whole industry. And I'll give you an interesting example that I think you would appreciate as we go through this. I'm teaching a class now, a Ph.D. class, and as I have some of our readings out there for them to read on the health IT subjects I keep getting comments back, and these are doctors and COOs, so these are not just 21 year olds, and they make the statement that well I read all the readings and boy NCVHS makes it clear, NCVHS at least listed in a way I can think about it and then I can actually debate it.
DR. STEINWACHS: You certainly do a lot of wordsmithing.
MR. REYNOLDS: No, but I'm saying taking that as an example, this idea of putting this together, especially at this time when things are moving so fast, and the idea of data stewardship to those of us who went through it now becomes an important thing, and some of us will actually implement at home. I think that's the kind of thing as you look at this we're not trying to fix the world, we're not trying to come up with a complete and total definition of what a data steward is, we're helping people be able to take one set of learnings and use them to build how they think about it. And oh by the way that group may be as this Stimulus and other things move faster, and as things as we just talked our discussion earlier, where we want to use data in more and different ways these are the kinds of concepts that go horizontally across everything we've been hearing, and can in fact make a universal difference even though it doesn't have the universal answer. So that's what I want you to think about.
If you'll turn to 5, and hopefully most of you got a chance to look at it. Susan, why don't you just briefly walk through the layout of what we've done, and Justine and I and Susan have kind of put this together, and Marjorie and Debbie and others I know have seen it. We brought this back, and again it's not the complete paper, it is the structure of the paper, and what we would like to do is get your sense if it's a good structure. If you have specific comments I'd like to make sure you get them to me, Justine, and Susan. We're not going to spend a lot of time today beating this document up.
Then we're going to take especially where we talk about tentative report comments about two-thirds the way down the page, we're going to use some of our writings and others to blow that out bigger and have some more things to say. Then, more importantly, the key documents on data stewardship, which is on the second page of what we gave you, look through there because a lot of you are working on a lot of things, around the country. You may have a particular paper that you're aware of done by a group, done by yourself, done by somebody, that also continues to drive the knowledge of the subject, and if so then we would want to make sure that we include that as a good reference document. So that again we become almost a library card, we become the primer of how to do this. And I think that's a great service that we could add to an entire industry, not just thinking about one particular group. That is when it gets kind of fun when you start raising the water level, for those that don't understand you raise the water level, for those that do understand you give them a structure to go ahead and take it and put it in.
So with that, go ahead and make your comments.
MS. KANAAN: Just to kind of reinforce a couple of things you said, Harry talked to me about the 500th car in the train not knowing where the engine is going, and that kind of helped me get a mindset in thinking about this. This is not for the likes of you, this document. It is appropriate probably that I came to this with kind of a beginner's mind. I heard the discussions here, and I did this summary of your big report, but basically I went to Google to try to understand what is this concept and what are people saying about it, and who are the thought leaders, and I had some initial guidance from Justine and Harry, but it was a very interesting and kind of eye-opening experience to go to Google and Google data stewardship and find out it's not useful at all.
I began to think of this a little bit as a primer, it's the canon on some level, that's a little bit presumptuous to call it that, but just to review – yes, this is the Kanaan canon. I am totally an instrument here, I mean I'm certainly no kind of expert, so I really need your input.
Just again to reiterate what Harry just said, there are three components to this little two-page paper that you have here. The first is just an attempt to articulate the key concepts, to make sure that I'm getting them right, that my thinking is right and that the language is right. Then there's a very high level outline. There you need to be looking at are the key concepts or key issues, topics, addressed, are they on the list. Then the third, as Harry said, are the specific documents, and there's a list of what seemed to be the undoubtedly key ones. And then there's a list of possibilities, which I need some guidance about, a thumbs up or thumbs down. Then there is the possibility of others, and I think two were probably identified at this meeting that need to be on the list, the loose framework. In any case, this is by no means a complete list.
This is going to be a pretty short primer, I think, because there aren't going to be a whole lot of words in any of those categories. That is my background.
MR. REYNOLDS: All right, Carol.
MS. MCCALL: One question, two suggestions, and in reverse order. First suggestion is in the what is data stewardship and why is it important, I'd put that first. And I would add one more piece, why now. I believe we need a sense of urgency that actually accelerates with HIT and actually runs past it, so it can be there when it gets there. That's just my personal opinion.
Second, I think that there needs to be a call to action for the reader. I think that they need to think about, I think that they need to start talking about doing, taking into consideration.
Then the third is who is the reader, that's my question, who's the audience.
MR. REYNOLDS: I'll answer the third one, and I think we've both kind of tried to touch on it. It can be anybody right now, from somebody in a small doctor's office, somebody in a large institution, somebody that's on one of these policy committees, us continuing to use it. When you do a primer, this is kind of like data stewardship for dummies, is its whole idea of this should play anywhere, and the thing I know looking at it myself, and I spent the whole time on all of our secondary uses of data, I can still go through there and now that Susan has spent some time looking at some other documents, I've looked at a few of those just to see because it was done by another group that I respected, so I looked at it to see how's that different than what we were doing.
It is really the general industry.
MS. MCCALL: Right. My point is that if the reader is a naïve reader, they may not appreciate, let alone understand, some of the things that we take for granted in terms of both the value, but also today's difficulty. So the question is whether or not to educate on those. Sometimes yes, sometimes no, but also why.
DR. HORNBROOK: I think those of us in this industry have been meeting with privacy and privacy protection without looking at the other side of the mirror, and that is you can harm somebody by sending the wrong data. You need to think about data stewardship both in the sense of keeping data safe, but also when data used to be sent they're right because you can harm somebody by sending the wrong data or sending it to the wrong place. So data stewardship is actually a much broader and a much more important concept than privacy. Privacy is part of it, but also benefit entitlement. When you're entitled some benefit and people interfere with that entitlement because they don't recognize you, you don't have the data about you, or they don't use your data correctly, that's just as harmful as breaching your privacy.
MR. REYNOLDS: Yes, Leslie.
DR. FRANCIS: This is I take it the kind of point John Houston would make, so if I get it wrong it's all my fault.
John uses the term “governance,” and I think what he means by that as far as I understand it is a different level. So this report, or the focus of this, is what a good holder of data does basically. I think that's the level that Mark – or so this is aimed at health organizations, payers information, all those sorts of folks.
But it seems to me there's another question that maybe is a stewardship question, which is how do we try to assure that a holder of data is being a good steward. For example, one way is disclosure or transparency, another is some kind of oversight, and that's what I think John is talking about in governance, I mean obviously there's also sanctions and things like that. I didn't want to bring up the nasty side of it. But it seems to me that it could be we want a part 4.
MR. REYNOLDS: Let me stop you there for a second. We are where we are because we held some hearings, and we discussed data stewardship. And I think we don't want to go outside what we discussed. So the reason I'm hesitant to go any further than that now – we are willing to point at other documents. For example, if you know of other documents that would explain what that was and somebody spent the time, the effort, the time on it, then I don't think we would have any problem adding that, because again we're a primer. We're saying here are all the things you need to consider. We are not taking a stand on what you should or shouldn't do, because we don't have the jurisdiction to do that. We're second not taking a stand that says if you don't do this you're wrong. And then somebody could come back later in some kind of a lawsuit or point back and say, look – so we have been very cautious as we wrote this to make sure we stayed within what we already knew, because we did have a lot of discussion on this, and all of our documents are clear on this. So I'm hesitant to go outside that comfort zone except to point at whatever we want to point at.
DR. FRANCIS: Again, I said this is what I took John to be saying in those discussions, which is that there's another layer on this which is not just being a good steward but how do we generate the kind of trust that we need to have that people are being good stewards. We don't know about how to do that; we certainly didn't have hearings about that. But pointing out that it's an issue seems to me to be -
MR. REYNOLDS: In the beginning I don't have a problem pointing that out as a consideration. Again, I want to stay real careful as we talk about what to do or not do, and we don't go outside what we're already on record doing.
So I got Walter, Judy, and Sallie.
DR. SUAREZ: I'm a little confused here. Are we trying to write a document that says the position of the Committee on data stewardship?
MR. REYNOLDS: No, no.
DR. SUAREZ: Are we trying to create a resource for people that will be dealing with data stewardship?
MR. REYNOLDS: What to think about, just like the same kind of things we're talking -
DR. SUAREZ: Okay. So there's no intent of creating a set of recommendations?
MR. REYNOLDS: No, absolutely not.
DR. SUAREZ: Okay. Just one point then. The Recovery Act calls for the appointment of a chief privacy officer by the Office of the National Coordinator, whose functions are to advise the privacy officer on privacy, security, and data stewardship of electronic health information. So there is a direct responsibility of that person.
Now, it sounded to me like ONC requested, so that's what it says in the agenda, or whatever it says, ONC has requested us to do something about data stewardship, help them -
MR. REYNOLDS: That was part of our secondary uses of health data.
MS. TRUDEL: We held hearings and generated a report at their request.
MR. REYNOLDS: Now, in that report there are recommendations.
DR. SUAREZ: Okay.
MR. REYNOLDS: In that report our secondary uses report has recommendations, there's no question about that. This though took the subject of data stewardship, and again, what we're trying to do is how do we help an industry learn, and so that's what we're trying to do with this now.
If that privacy official is appointed, then we should point them to our whole discussion of secondary uses of health data of which data stewardship was a piece. If somebody were to take that job that would be a great document for them to take a look at to understand all the ways that that data can be used in the nationwide health information network or any other things in context of what our assignment was, that's where we were going.
All right, I got Judy and then Carol.
DR. WARREN: I would just like to speak to when I went through this initially this is a document that I have been trying to put on PowerPoint slides for my students. When I have them read the paper and letter that we wrote there's a lot of information in there, and we wrote that because there was a lot of things coming out from HNA, from AMIA, we had hearings on it, we made recommendations. There is a lot of information in there, but most people don't know how to take those letters and then know what to do with them.
When I saw the primer this is exactly what we need. So I am going to quit making my slides and wait for the primer to come out, because there are other things I need to be doing. These are the kinds of things I would like for us to consider. I know when I first came to the Committee I told Simon once, I said a lot of the stuff that comes out of this Committee I make my students read. And Simon's thing was why are you making them wade through all this stuff, it's not there. And yet I can't think of a more up-to-date targeted source for the key issues in health IT or in health communications and stuff that we discuss and adjudicate out of this committee.
I do think there's another kind of market niche for us that when we take these very high level heavily wordsmithed kinds of documents and make a primer, not just for the students that are out there. When I also worked with some of the hospitals in our area, they have a very difficult time really looking at this, and what they want is a very simple kind of as short as you can make it primer with references of where to go.
The suggestion that Leslie made, that would be where to go next. If you added all the stuff that she talked about in this primer it would turn people off, because it's too complex for them to think about, there are too many ways to go. But if you keep with this kind of outline and really kind of walk your reader through it, that's why your comment about going to Google and coming in as a naïve viewer of this I think is critical. But this may be something the Committee wants to consider for future products that we produce that we might want to have a primer as a subset of that, because I think it would be very useful.
MR. REYNOLDS: Sallie then Carol.
MS. MILAM: Just an idea for your consideration. Leslie and John raised the issue of how to include governance. What you might consider doing is adding another box here, key documents and data stewardship, that has a reference to some of the privacy frameworks that you see around the world. They have governance inherent within them, ONC's does that they just issued. There is a group called the ISTPA, and they put out a report on every privacy framework that has ever existed and exists in the United States and around the world. So that would be a way you could just add to the chart I think and maybe address that issue.
MR. REYNOLDS: Sallie has just been added to the Committee to give Susan that box and what should be in that box. That's part of what we're doing today. There are things that can have this. No, we don't want a casts of thousands, but if you can pick a couple that will take somebody trying to figure out how to think about it, let them learn how to think about it and then obviously they can branch out from there as sophisticated or other as they want to be. So, Sallie, that would really be great if you would do that.
Carol and then Mike.
MS. MCCALL: A comment on just extending where Judy went. I think, first of all, the idea of a primer is great. Second, I do think it needs to come in multiple forms, and also it's not a one size fits all in terms of what the readership actually reads, whether it's a PowerPoint slide, whether it's a one-pager slick, good God, maybe it's a refrigerator magnet that goes on and slaps on the side of a PC that says because – this is just think about an organization that's trying to socialize the responsibility of data stewardship, and give them the kit that they need to then actually run a program.
You can think about what it means to say, look, if you're serious as an entity here's what it means to begin to start training your organization and your responsibilities, and that includes links, that includes slides, maybe magnets. And here is a thought, does it include a website that is www.datastewardship.gov that says we love to hear from you, because it is about feedback.
Now, those things may become the job of the chief privacy officer. My question is, and I think we should do it anyway, but did the client ask for this primer?
MR. REYNOLDS: Did the client? No, we have decided that the industry is our client.
MS. MCCALL: Very good. I'm just curious, I'm just going back to -
MR. REYNOLDS: However, everything that we put out many clients look at. It may not have been the client that originally asked for it, and in fact Walter's comment, if somebody gets appointed.
All right, I got Mike first.
DR. TANG: Let me just answer her challenge to have a refrigerator magnet: “Do unto the data of others as you would have done to yours.”
[Laughter]
MR. REYNOLDS: I'm sure Susan listed that. Okay, Mike.
MS. MCCALL: Math illiteracy affects 8 out of every 5 people.
DR. FITZMAURICE: Would you please not put that refrigerator magnet on my computer.
Secondly, the way I think about data stewardship is suppose I'm walking along the street and I find your medical record down at my feet. I'm not a covered entity, I'm not a physician, maybe I don't even know you, but I got your record in there. What would you have me do with your record, which is kind of like what you said, Paul, do unto others.
So the principles of data stewardship should guide what you do when you find yourself with that record, or any kind of a record about another person. It's the same as you're in a cubicle and somebody next is fighting with his or her wife, talking with his or her stockbroker, sometimes it just runs in one ear and out the other, but you have principles that govern how you handle information. So the data stewardship paper I think should appeal to a reasonable man, that these are reasonable principles.
I actually think a privacy law would be good if it were just data stewardship law. If you find yourself with this data, say medical data, here are principles that govern what you do, and then state law if somebody is harmed could prosecute you, and if you didn't follow those principles your case would be a lot weaker than if you had followed good principles and something bad still happened to the patient.
MR. REYNOLDS: Susan.
MS. KANAAN: You may not want to go here, but in a way this goes back to the issue that Leslie raised. When I started looking into this, and indeed when the idea for this primer first came out, there was still a lot of talk about the national health data stewardship entity. So that kind of shaped my initial thinking, and explorations, was that this was all headed toward an entity, a governing entity I guess. But the more I learned the more I discovered that the comments to whatever it was called that AHRQ posted, we're not going to do that right now.
So in the question if the entity or national policy is in the outline, and the question is -
MR. REYNOLDS: The idea that that was discussed is in there.
MS. KANAAN: It's a part of the story, yes.
MR. REYNOLDS: But there's no selection.
MS. KANAAN: And it's one of the issues. So I guess everybody's comfortable with talking about it that much. I mean it is part of the history.
MR. REYNOLDS: I want to make sure everybody gets real comfortable here with the whole thing shortly. So, yes, you're exactly right.
MS. KANAAN: Okay.
MR. REYNOLDS: Justine, and then we're going to close it down.
DR. CARR: I think that that debate isn't closed; I think that's still a discussion in many venues. I think just putting everything out there, the thoughts over these couple of years. I just want to reiterate what Mark said, that data stewardship is not just about privacy. This is really about, I know Bill hates it when we use this word, integrity of the data, and it's integrity in terms of its accuracy and application and all of that. I just want to make sure that's in.
MR. REYNOLDS: Larry.
DR. GREEN: My comment is about the structure of the report again. I'm extremely comfortable with that, I think it's a great idea, and I really like the suggestions I've heard.
Mike Fitzmaurice's comment triggered this off, in many of our IOM reports we struggle with using examples, the human interest story, the something that takes these pretty nerdy headed concepts for your students and for others. I would urge us to look at our audience list, by the way clinicians isn't listed on the audience list there and it probably should be explicitly, but we could think about examples that would galvanize our audience into understanding what this is about by something just like well if you're walking along and you happen to -
MR. REYNOLDS: That would be good. So you kicked off the process. So the point to me is that we're showing this as a group, we would like the opportunity to build it out, run it through the Executive Subcommittee and bring it back. I'm asking each of you that if as you hear these subjects, whether Sallie just added some things for the governance or some of the other, whether anybody around the room has an example that they would put together. Again, we're trying to build a primer, and I don't want it to be through the eyes of those of us who are on the small subcommittees. I want it to be something that helps generally.
Again, I just implemented data stewardship as part of our Sarbanes-Oxley effort for all of our controls of all our data in our company, and I will tell you it is something that it's very hard to get across to people. People want to use the word data ownership, and nobody wants to own the process, they want to own their piece of the data, that's why you call them stewards. Because within a company you can have nine people touching something, and each one of them is a steward as they move it along.
This whole idea of how you would do it yourself and what it means in different situations is what this primer is really helpful. And you can take it in your own world and you can make something of it, because literally I just finished implementing this with people kicking and screaming all along the whole way on how far they have to own or be involved in what they did.
So, Walter, last comment, and then we're done.
DR. SUAREZ: Thank you. I just want to add perhaps one of the dimensions or aspects that is not explicitly stated in the outline is security. We reference privacy issues and talk about HIPAA, but I think part of the stewardship responsibility is ensuring that some secure procedures and policies are in place, and that's translating to the confidentiality of health information protecting the privacy and security mechanism. So I think it would be helpful to explicitly identify security as one of the areas.
MR. REYNOLDS: Carol.
MS. MCCALL: We can add security, but then let's not stop there. Because data stewardship, if you go back and read things, it's a lot of things, it's also ensuring not just that it's private, secured, and all locked up, but it's actually useful. I think your intro actually talks about these coexisting tensions. I would agree that it needs to be included, but that it not be limited to that, and that you really talk about the coexisting tensions. And, again, I would personally just reemphasize and talk about why this is important, and also why now, because there are a lot of these readers who don't understand its value or they take for granted that it's easy, or something else is being assume in us because we are so close to this that our readers will not.
MR. REYNOLDS: Again, that's why we have done very little to lead our writer. We have given her a framework and we have asked her to go out literally as a lay person in this subject and write it at that tone. So the same things we have tried not to do I want to ask the Committee not to do, which is if we turn it into our document and our knowledge we did it again, you know, we may have just left three-fourths of who might read this out.
We sometimes know too much when it comes time to teach, so I want to be careful.
Last comment, and then absolutely we're done.
DR. HORNBROOK: There is the whole concept of communication behind stewardship. That is if you're going to send something somewhere to make a benefit, you have to make sure the recipient receives it and understands it and uses it correctly. So this notion of stewardship is also the principle of successful communication, and of course successful communication also means respect for people at both ends of the communication line, which means private stays private, and you have permission to send something forward, and permission from the person to receive it.
MR. REYNOLDS: So the recommendation is we continue to work with Susan to build it out. Some of you have assignments, if you could help us with some of this we'll bring it forward, hopefully before the next meeting we'll try to bring it forward to the Executive Subcommittee. Then bring it in here, and if you have any other comments please get them to us, because when we bring it back in let's don't tear it apart again. It's a primer, if you read it with your knowledge you'll probably want to change it, and you're probably the worst audience we could bring it back to, being honest, because you know too much.
So help us now with what you would like said, and then let us work with Susan and then maybe even some others who could turn that into language that most people would understand, not something that we might necessarily want to do because we know what we know.
DR. HORNBROOK: Do you want to publish this?
MR. REYNOLDS: Yes, we're going to send it out, yes.
DR. HORNBROOK: No, I meant do you want to publish it in a journal?
MR. REYNOLDS: Well, we'll worry about that. let's get something done, then we'll figure out where we want to put it.
DR. HORNBROOK: I think it an appropriate place to put it in Health Affairs.
MR. REYNOLDS: We'll get it done and then that will be the first – you get to ask that first question when we get it done.
I would like to spend the last 15 minutes of today, and, Susan, thank you so much, you've been a wonderful asset for us.
MS. GREENBERG: As always.
Committee Discussion – Strategic Planning
MR. REYNOLDS: We heard a lot today, we heard how fast things are moving. I wanted to make sure while we still have the full committee together to have some people's thought on how do we play, what do we play. I know there's been a lot of discussion, we're discussing with ONC, we're discussing with CMF, we're discussing amongst ourselves, with Jim, Marjorie, and we're trying to understand where does NCVHS play, what do we play. I have some feelings, and so do a number of us, the deal is supposed to be looking at this, and I'd love to have some input from the group on where you see us playing, how you see us doing it, so we make sure we at least have some of that discussion before we get too much further along and how we're going to do that.
So the floor is open. Justine.
DR. CARR: As Jim told us a year ago when we had our February meeting last year, stay tuned for the next big thing. So I think we heard a lot of big things today. And his point was not to get locked into various agendas until we saw what was unfolding, so I think that's what we're seeing today.
It is interesting the themes that have reemerged, HIPAA for one, stewardship for one, and PHRs, and I guess those were things we thought we had done. But do we need to revisit any of those?
MR. REYNOLDS: Larry and then we'll go around this way.
DR. GREEN: From the strategic and organizational point of view, I would like to use my experience yesterday as an example of what I've begun to think about, about the way to go forward.
I was an interloper yesterday at the Jeff and Judy show, and it was terrific. I sat here this morning trying to imagine what it must be like for everyone else on the Committee who wasn't there to keep up or to be informed, to benefit from it. What it has done is precipitate a little crisis of confidence from a strategic perspective about our ability to subdivide ourselves up into small groups and go off and do our work and then come back together for relatively short periods of time and make sense out of it and do it. And from the very practical point of view, last night after having this positive experience on a committee that I'm not, it just made me think that when you take the curve, and the word accelerate has only come up about forty times, so the curve is really steep, and we're structured to sort of go off and think in small groups, and then three times a year get together sort of as a larger group.
To cut to the chase here, I'm coming to sort of an 80 percent formed opinion that we're at a point where we need to function much of the time as a committee as a whole in order to bring all these perspectives into play. That is not to say we have to take work assignments and go off and do stuff. I so wish the whole committee had been at the Jeff and Judy meeting yesterday, it would have benefited all of us I believe in our mission.
DR. WARREN: Larry brings up an important point. It was actually something I was thinking about last night and also this morning while Rob was talking, is that we did cover a tremendous amount yesterday and there were some really good slide sets and papers that were there. And I haven't discussed this with Jeff, so he can throw in his two bits. But I do think it would be worthwhile for us to probably put together a summary of yesterday, and I want to do that, but the caveat was it's the first of four days. We're holding ourselves open not to make any opinions or summaries or recommendations, and we're trying very hard not to do that. But certainly we can put together something and email it out to folks if everyone's interested. Yes, I am working with Susan Kanaan to put together kind of a summary. But I was thinking of the raw data. We had some tremendous source documents and stuff that were out there.
Like with Larry wanting to educate himself, should you want to read this stuff, or maybe it's like a primer, here is a reference to these source documents, websites, things that were mentioned. I'm just throwing that open because several people have commented to me today about that meeting. So we can throw that open.
And I know from other subcommittees that have met, I have kind of felt the same way about the material in the hearings that they've had, that it would have form, especially now from standards since we're hearing so much more about testing, communication, and the infrastructure or the context in where they live that we've not paid that much attention before.
MR. REYNOLDS: Debbie. I'm coming right around.
MS. JACKSON: Just structurally I'll add that we have some copies of some of the slides from yesterday, and that even in the books we have been trying to be more conscientious of putting the agendas for what we're calling the tag-along meetings in the book. That has been a new feature for us, so anything we can do to send material out in advance to help galvanize this consensus is really growing this Committee, it's really palpable, it's really exciting to see. So we'll be very glad to help how we can.
MR. REYNOLDS: Walter, I saw your hand up.
DR. SUAREZ: Yesterday I mentioned how being an unprecedented decade basically for health IT, and we're about to embark on an even greater one. And I think we have a unique opportunity to make some bold statements about some of the things that need to be done to take full advantage of this opportunity.
I think over the last five years we've struggled with the little amount of money that the government had to put in place all the things that they did with all the volunteer work that has been done on all the different activities from AHIC to HITSP to CCHIT to the NHIN efforts. Then here all of a sudden we have 100 or 1,000 times more money than what we had originally. So we need to consider this opportunity as a way to making some bold statements about how we proceed with everything, with standards, with health information exchanges, with privacy and security.
The challenge we have is time. In 90 days, or less than that now, since the enactment of the law, the two new advisory bodies have to be established, and they start supposedly to be providing some feedback or input. I don't think that's realistic or whether it's going to happen, I'm not sure. But if you line up some of the deadlines, we need deadlines for people at ONC and others and HHS to comply with, it's moving – I mean it's not like the train is moving, it's the train left last Monday and is already in New York, and we're still here in Washington.
I'm concerned with some of the opportunities that we have if we take too much time, and I'm talking about a few months, that's too much time. If we don't move faster than that in some fashion, some of the things that we will be suggesting or recommending will come into a second wave, if you will, of actions. The first wave of action is starting to happen in the seventh floor here, and is already moving.
I think we need to find a way to over the next six to eight weeks take some recommendations, some ideas, even if it is draft ideas or in any form that is informal or whatever, but if we wait until we deliver final reports to the Secretary, whoever that's going to be, things that are going to be already in place and moving. The effect that we might have on those might not be necessarily what can be done at that point, because all the pieces are already in motion.
That is my point, and I think we have indeed the opportunity to make some bold statements about some of the things that are in place and that can be done in different ways.
MR. REYNOLDS: I'm going around. Carol, did you have your hand up?
MS. MCCALL: I apologize, I have a hard stop, I have to go.
MR. REYNOLDS: That's fine. Jorge.
DR. FERRER: It is still unclear to me with the new FACA committees where actually NCVHS actually plays. Is it going to be advising them, is it – so that structure is completely unclear to me. So if somebody were to ask me, okay, give me a brief, and we know there's two committees coming out, NCVHS is going to do what with whom, and who is going to do what?
MR. REYNOLDS: I will make some comments, Marjorie will make some comments, and I'll try to put you in contact. I'm letting everybody have a sense of asking their questions, and I tell you what we're all trying to do right now -
DR. FERRER: It would be good if we knew that before we left the meeting. Carol was just – before she leaves.
MR. REYNOLDS: I understand that, we're doing the best we can. There's a lot going on right now. Jeff.
MR. BLAIR: Walter, one of the things we discussed with ONC was that we would be sharing information with them after each of the four days as soon as we are able to get transcripts.
And, Marjorie, I think you need to be part of this and hear this.
MS. GREENBERG: Excuse me, I was having a little sidebar with Harry, and I apologize.
MR. BLAIR: One of the things we sort of have an understanding with ONC with respect to the four days of hearings because they're stretched out over such a long period of time is that they will try to be present during as many of the sessions as possible to hear directly. Then as we wind up getting our information not just transcribed but organized, so that people could wind up looking at it from different perspectives, that we would share with them as we go along. So we're not waiting, as you were saying we can't wait until September or October or November to pull this all together, we're providing the information to everyone as quickly as we can about what was said in the hearings, and then after that we'll try to pull together to see if there's themes or issues or recommendations that we could make.
The other thing is that – and Harry, I'll leave it to you with respect to the roles of ONC and NCVHS.
Then the third thing is that we have a secret plan, and that is all of us will clone ourselves five times over to be able to be in all the committees we need to be on in the next three months.
MR. REYNOLDS: I'm going to make a comment and put it in context for everybody. Let me make one other comment, and I'm going to play off all the comments today. There is a privacy group meeting at 3:00, I'll play off of Larry's comment. If you don't think you're going to be involved in the privacy of what we're doing, you're crazy. And if you have an opportunity to go and you don't go, you chose to miss out. I'm not being ugly, I'm being serious. We're moving and things are happening, and this is a perfect time to do that. I want to make sure all the co-chairs here, I'm hearing a lot of pleas about how we could make a difference, well, you all got meetings between now and tomorrow when we get back together.
We had Standards yesterday, we got the other three in the next short period of time, come back and say how we make a difference. You've heard a lot, and I'm going to give you a little more information about it. But remember, it's us deciding the difference we can make, I mean there's nobody else in the room helping us. So we can't yell help, we should yell help to ourselves, so I want to make sure we do that. Judy.
DR. WARREN: I just wanted to make one plea, and it's in response to Walter's sense of urgency. One of the things that I've learned about this committee is we have the ability for the long vision. And I don't want us to give up the long vision because we're concerned about what's happening in the next 90 days. I think that's a very easy thing to get into, that we need to really deliberately take a look at where we think things need to go and to choose those projects that really move forward the vision of health information, health data, and all of those, and not get caught up in the craziness that's going on in Washington, D.C. right now. Because this happens every four years, and yet we still have the ability to contribute to that. I just want to put a plea in for that, that we don't make ourselves crazy and wear ourselves out in the next 90 days.
MR. REYNOLDS: Marjorie, and then I'll make my comments.
MS. GREENBERG: As the usual mother of this group I want to thank my co-mother here. I agree absolutely with both of you, or as usual I agree with everyone, even when you contradict each other I guess, that's like a real mother, because there's something good in everything, in whatever you say.
But on the one hand, maybe because I'm sitting here planning the 60th anniversary, although it is true these new advisory committees are in law which always for a long time did differentiate NCVHS from others that come and go, the fact that we are in legislation, of course we're mentioned in that legislation too so it may just be two times but it was two times I was happy to see. I was sitting in yesterday's meeting, I mean I had no doubt that there was a role for the National Committee on Vital and Health Statistics, and I think not only are we here for the long term but we also have the long view going back, as well as the potential of going forward. And the view that is if you recall what the Committee agreed it was going to focus on as a sort of touchstone or whatever it was, it's person-centered health.
Larry raised this yesterday, and certainly I think Don Detmer did, and Carol Diamond, but when you looked at all this stuff from the eHealth Collaborative, most of it said patient, most of it said healthcare, even though they're not the eHealthcare Collaborative, the eHealth Collaborative, it's still true that most people are thinking healthcare and most people are thinking patient rather than this broader view. Yet, people were saying if these standards and even these electronic health records don't contribute to health, not just healthcare but health, it's going to be a problem. So I think that is an area where the National Committee because of its membership and because of its history, etcetera, does have that view, that health view, whether it be population health or personal health, whatever.
I agree with all that, but on the other hand, and I want to hear what Harry is going to tell us and I may have more to say after that, but I do agree with Walter in one regard. There are two areas in which the train is moving, oh yes one is all of the actual work and stuff and the recommendations related to all that, and I don't think all that is going to happen in 90 days. Frankly, I'll be amazed if these committees are established in 90 days, particularly the policy committee includes members named by the Congress. We have been trying for three years to replace Richard Harding, who is the Senate representative to this Committee. Maybe if they are going to name them to these other committees maybe at least they could name one for us too at the time, you know, while you're at it. But I'm hoping that the people in this building who will be communicating with them will point that out. It is kind of ridiculous, I shouldn't say that, but it makes you wonder.
But this is a good time I think, and June will not be as good a time or a good time at all, to be saying to the Department okay there are all these things that these new advisory groups are supposed to be doing, not to mention the new groups that you just transitioned from an advisory group. And we see, you know, these are the things that we have so much experience with or that we are already working on or whatever that we are prepared to take the lead on, we're happy to take the lead on. I mean I think even if it's – that doesn't mean that each of these groups will be formed and they'll have limited bandwidth just as we do. So this would be the time between now and the next month or so it seems not after June to say what the Committee feels – what part of this – even if it wasn't assigned to us, not to mention the things that have already been assigned to us, and we'll keep doing those and they relate in many ways – but what pieces of the pie we feel we've already been shopping, we've been mixing up the ingredients, you know, and that could be a great relief to those who have this whole responsibility.
MR. REYNOLDS: Garland, I think you had a question a little bit earlier and I went around there and missed you.
MR. LAND: I guess I want to pick up on Walter's concern about we need to watch that train getting away from us. I am concerned about the question I raised earlier, in terms of health statistics, which we don't talk too much about, that train is leaving very fast, maybe in the next week or two, and there is potential money to, you know, we talked in the last meeting about how national surveys are being cut in half, how the vital statistics system is being eroded. There is real potential that money from the Stimulus Package could help that situation. I'm wondering if we could prepare a letter even for tomorrow to go to the Secretary or whoever to reinforce our concern about the national health statistics system, and help to support the use of the money for that purpose.
MR. REYNOLDS: And the way I'll approach that and Walter's comments is I heard the word “bold,” I'd like to see a list of them. No, I'm being serious. I mean if we say we want to make some bold statements, then let's list the bold statements. Because if we've already done the work on them –
DR. SUAREZ: Let's do it. No, I think we should.
MR. REYNOLDS: All I'm saying to everybody is there are committee meetings between right when we walk out of this room and tomorrow where the process of this Committee is that the subcommittees bring forward recommendations to the full committee. If you guys want to write letters tonight, want to write letters in the morning, you want to pick a letter we have already kind of messed around with in the populations I believe on asking for more money for some of these things, and you want to dust it off and you want to change it and make it more apropos to current, the process of this Committee is that we have subcommittees so people can prepare things, you bring it to the full committee. What I'm saying is, it is moving fast. If there are things that we want to redo or change a little different, bring back things we've already said that looks – they might not have seemed so important when we said it six months ago, my gosh it plays right in the middle of the sweet spot now. Let's do it, that's what subcommittees are for. So I'm challenging each of you, please put them down, take them to the right subcommittees, so that's what I'm looking for.
I'll make one comment on the standards yesterday. That was done in total concert, 100 percent concert, with ONC. I will promise you that anybody from ONC that was in here yesterday walked out different. You have heard Larry's discussion about his transformation and how he thought, Rob Kolodner sat here the whole day. So everything he did yesterday all the way from, and some of the statements that were made in there were not overly excited about the current direction by the thought leaders. We're not necessarily saying that that was going to be the right thing or the wrong thing. I'm saying we had thought leaders in yesterday, and we also had people talking that were on other committees that were doing standards as to how they'd be left out and everything else.
What I'm saying is we had a seat on the train yesterday. Even though we might not have exactly where the destination is, we helped move them forward, and I know Rob would say that if he was sitting in the room. That discussion was quite dramatic, and it was a discussion that NCVHS can hold. It would not have necessarily been a real exciting meeting if it had been driven by ONC, because there were some pretty strong statements made in there about what's going on, because you're talking to thought leaders. Remember you're not asking people to stay just on the train.
So there is a train leaving, but there will be more trains leaving, and there will be all new railroad systems in some cases. So I just want to make sure that we maintain with what we have and the time we have and the resources we have, is that we keep a focus on where they might go. I can say to you that I've spent an incredible amount of time with Rob, probably more time in the last week by a multiplier of 20 then I have since I became a member of NCVHS. We are all over it.
And we're working with Marjorie, we have X amount of things we can do, you guys will be working with her, I've spent time with Jim Scanlon. I spent time last night with Tony Trenkle about the things that CMS is doing, and oh by the way CMS is now is the Stimulus Package. I'm saying we're getting connected into all the places where we can help, because none of these groups are going to be – we're actually probably going to be faster out of the gates on anything, whether it be assistance with the standards discussion yesterday, whether it be some of the other statements we made in most of the other groups because there is still going to be a struggle as to how to create some of these FACA committees to even get together to do something.
We have subcommittees, we have a structure, we have a whole lot of people that have opinions and have good direction and know where this is going. Please engage, please engage now. If there are things we can do right away let's do them. I can comfortably tell you that we are marching now.
The other thing is we have to also as a committee take into consideration that we do give our recommendations to the Secretary. There is not a Secretary at the moment, so we're working through Jim, we're working with everything we're doing, but a letter can be prepared and that letter can be carbon copied to Rob Kolodner, that letter can be carbon –
MS. GREENBERG: There's an Acting Secretary.
MR. REYNOLDS: Yes. So I'm saying there's things we can do. We are tightly connected into the players and what they might or might not need. So please continue from your subcommittees to tell us what you think you want to do, and we've already got all the connections to start working what would be the best way to do that. None of us are waiting, I can comfortably tell you. We're all over this and we're ready to move.
But you got to go through our regular process which is when Privacy meets this afternoon if there's something that they want to do they got to say it. If Standards, which yesterday I think we kicked Standards a whole lot forward in its thinking in general than it has been in a long time. And I've been on the Standards Subcommittee for five years now. Because the game changed, so all of a sudden we changed, and oh by the way we happened to be the group that had the thought leaders in the room at the time as soon as the game changed. So boom, one thing good about this you can jump to the front, you can get on a helicopter and go in front of the train, and that's kind of what I think we got into yesterday. That's what we have to think about.
So please go through your process, please if you have a passion put it down into action. If you have something we've already done and you think it makes a more important point now, pull it out. If you don't, then we're just victims. I have no intention of just being a victim. Oh by the way with everything we got to get done maybe there should be three FACAs, because they all better go like crazy. If you add it up there's all kinds of stuff going on right now.
I just ask you to help. One thing great is you guys own this Committee. So good, own it. Write down what you want to do, tell us how we're going to do it, and honest to God, we'll make it happen. We'll take it forward to the right places because we've been spending an awful lot of time doing that. We got between Marjorie's experience, Jim, CMS working with them, working with Rob, and then obviously touch some bases as soon as we get a new Secretary, we're ready to go. Let's decide what go looks like. And I think we can really make a difference. I ask you to be very aggressive about that this afternoon and tomorrow morning, and come back in. Then if we need to call some conference calls to move a letter along faster, some things to do we think we ought to make up, let's do that.
MS. GREENBERG: I just was going to note, because I'm looking at tomorrow's agenda, obviously in the morning we have Population Health, they've got some things they've already put on the table they want to do, not to mention things they were already going to do. Standards is reconvening, and Quality. That goes until 10:00. Then we have outside people coming in, and I think it's going to be a great day. But if you look at the agenda it leaves precious little time for committee discussions, particularly if people are bringing forward letters to consider, etcetera.
I know that there are some people who know they have to leave whenever, and there is no flexibility. But if you're wondering are we going to end early, I'd say no way. And even we may end up eating lunch around the table, I don't know, something. But it's very tight, and sometimes we have a kind of open day the second day, but we actually don't tomorrow.
MR. REYNOLDS: Again, if we get some letters, I mean we'll have to work out ways to make this stuff happen. I'm saying please bring forward what needs to happen. Be aggressive about it. I totally agree with what Walter said, the game's on. But guess what, we're the only FACA in place. We're the only group that's been working on this on a continuous basis, and we know how to do our thing. That would be front row. There's no other road, and that's not a bad place to be. So let's go. That's what is exciting to me about this, we're ready to play.
MS. GREENBERG: That's what our President said.
MR. REYNOLDS: That's right, let's go.
DR. FRANCIS: Before we break up into subcommittees, I just want to be sure there isn't something that we all believe in but that isn't likely to be owned by any particular subcommittee, because there's a risk that that won't get surfaced. I was sitting here worrying about whether Garland's – that's the Populations.
MR. REYNOLDS: Jorge.
DR. FERRER: What I'm hearing you say is that you basically have - you have offered the services of NCVHS to help Dr. Kolodner put together some of these frameworks.
MR. REYNOLDS: No. Here's what we have done, is we have clearly spent a lot of time talking to him about how does he see what they're doing, what we're doing. He also knows obviously the whole standards thing is a perfect example. Now, if they're going to hire us like they did a few other times then there's got to be money. If we're going to be use our normal process, which we are doing exactly right now with standards, to allow them to walk beside us and more forward faster, we'll do that.
I'm saying we have lots of ways to do it, but we got to understand what they think do it is, and that's what we're doing. Then we got to figure out how we would ever make that happen if we could. That is where we're going.
So, no, I'm not presupposing anything. Jim is not sure what to do, I haven't had enough time to spend with Marjorie because we've been going full speed on this. And understand, this all happened between last Thursday and today. This isn't like something we've been talking about for months. Because we happen to be in the right place in town at the right time, and had a lot of opportunities.
MS. GREENBERG: It's impressive that our Standards Subcommittee planned this hearing well before there was any Stimulus Package, or well before there was even a new administration.
MR. REYNOLDS: We know the right stuff, guys, that's the fun part of this, we know the right stuff. So let's step up and go with it, because it's going to play, however they paint that train it's still going to play on that train.
Jeff, last comment and then we're done.
MR. BLAIR: Jorge was asking about the division, at least my understanding of your question was who's going to be responsible for what between ONC and NCVHS -
MR. REYNOLDS: I hope you don't have an answer.
MR. BLAIR: That's the point, that's exactly the point. But what we do have, and this is reinforcing emphatically reinforcing the point that Harry just made, I'll just put maybe some slightly different words on it, which is we really have I would consider a partnership relationship with ONC, is that a fair word, Harry?
MR. REYNOLDS: Yes.
MR. BLAIR: It's a working relationship where Rob understands what the statute has said, he's trying to figure out what he can do, and what he can't do, and he I think regards us as a partner where some of the statutes, like for HIPAA and e-prescribing identified as NCVHS as having the lead. If we were sitting down in the same room with Rob and we were writing the law instead of Congress we might not have crafted things exactly the same way, but that is the statute, that's what we need to work with. So how do we work together, because we have a very trusting relationship to build on, and what we need to do is look forward to how do we address the needs of the country in terms of healthcare. We have in some ways this Stimulus Package gave us resources and things we didn't have before, and in other ways it set boundaries that we didn't have before. But we have a partner to work with, so these will be worked out over subsequent months.
MR. REYNOLDS: Let me quote Rob from today, if you were listening very closely, which I'm trying to do with every word he says so I understand how we're playing.
He made the statement with HIPAA it's pretty clear that you have the jurisdiction. With e-prescribing you have the jurisdiction, but remember e-prescribing is part of everything that is being thought of, considered, and implemented in the NHIN.
We're in, guys. Let's decide what “in” is. Let's decide what we want to work on. Let's decide what we want to say. We got a great body of work already. We have been talking about the NHIN and some of this for a while. We talked about the NHII a long time ago. As a matter of fact, I will confidently tell you that Rob touted that quite significantly at the session we were in in Tampa.
So, let's go. If we don't go, shame on us. I'm just telling you, we're going to figure out how to make go work, once you tell us what you want to go with. You can count on that. Let's go do it. I expect this ought to be fun tomorrow. Thanks.
(Whereupon, the Committee adjourned at 3:00 p.m.)