Washington, D.C.
The National Committee on Vital and Health Statistics was convened on February 26-27, 2002 at the Hubert H. Humphrey Building in Washington, D.C. The meeting was open to the public. Present:
Mr. Scanlon updated the group on three activities the Committee has been following: 1) the National Academy of Sciences study on the adequacy of race/ethnicity data in HHS and private sector health information systems; 2) the HHS initiative on a Department-wide gateway to data and statistics; and 3) new OMB guidelines for ensuring the quality of information disseminated by federal agencies.
Ms. Frohboese reported on the Department’s privacy activities and the implementation of the privacy rule, overseen by the OCR. She noted that the Office now has a strong privacy team. The date for release of the proposed modifications to the final rule has not yet been determined. She assured the Committee that the Department is acutely aware of the timing issues, and that modifications will be aimed at protecting patient privacy while correcting unintended consequences of the rule that impair patient access to quality health services.
Ms. Trudel said that HIPAA delay legislation - which was signed by the President on December 27 and allows a year extension for implementation of the transaction and code set standards if a compliance plan is filed - has had the effect of mobilizing the industry to consider how the rules apply to them. October 2003 is now a “date certain.” Implementation has been delegated to CMS, which will post a model plan on a Web site, followed by an extensive rollout strategy. NCVHS members expressed concerns about CMS having adequate funding to play this role.
Dr. Cohn presented a “very early draft” of the Committee’s 2001 report to Congress, and he asked for feedback from members and other subcommittees. The goal is to submit the report to Congress by March 2002.
ACTION: The Committee passed a motion that a near-final draft of the report, prepared by the Subcommittee on Standards and Security, will be circulated to all members, who will have an opportunity to comment in writing, to be followed by a full Committee conference call to approve the final document. |
Dr. Rippen described a RAND initiative to develop a framework for the information technology infrastructure for bioterrorism. RAND is bringing together stakeholders to identify this framework, identify policy issues, and evaluate options. Dr. Rippen pointed out that bioterror involves multiple sectors and multiple stakeholders who must interact during a crisis. This calls for a seamless, integrated IT infrastructure. The meetings held to date have produced nine recommendations.
Mr. Hauer described HHS activities and the issues it is facing in this area. There is a new Office of Public Health Preparedness (OPHP), headed by D. A. Henderson, who reports directly to the Secretary. IT is a key component of the Secretary’s goals, and much of the money budgeted for this effort will go to states for this purpose. Connectivity is a key goal - among plans, hospitals, and health departments at state and local levels. Mr. Hauer noted the debate about syndromic surveillance versus data mining, and said he favors emphasizing the latter. He said the Department will work to ensure that funding is not used to “buy toys.”
Ms. Schulman is a member of AHA’s hospital disaster readiness team and chair of its resources subgroup. Her presentation focused on the central role of hospitals in the effort to strengthen emergency readiness. The AHA believes hospitals must broaden the scale and scope of their existing disaster plans to link with community partners, building on existing re-sources, programs and relationships. After offering several recommendations regarding the need
for improvements in and funding for disease surveillance systems, surge capacity systems and interoperable communications systems, Ms. Schulman voiced the AHA's concern about a "serious conflict" between HIPAA privacy regulations and efforts to improve hospital disease surveillance capabilities.
Dr. Loonsk said that one component of CDC’s work pre-October 4 (date of the first anthrax attack) was supporting bioterrorism surveillance, with emphasis on making the bioterrorism infrastructure an integral part of the broader infrastructure. Key activities involved enhancing connectivity, diagnostic capacity, and professional education. The anthrax attacks taught many lessons and both intensified and highlighted the need to get, share, link, and manage data. He sketched an ideal situation in which detection and possible threats would lead to data management around possible cases, contacts, facility and geo-spacial data, leading to analysis and presentation to decision makers, and thence into alerts, prophylaxis and vaccination in a continuous manner. He then presented an outline of the IT specifications and functions to the recently-released bioterrorism cooperative agreement guidance. The appendix incorporates and extends standards from CDC’s National Electronic Disease Surveillance System (NEDSS).
Discussion with the Committee focused on assuring coordinated system development rather than the creation of separate systems. Dr. Broome said CDC is developing a NEDSS-compatible system that implements NEDSS standards and includes implementation guides, called the NEDSS base system. It is being pilot tested in Nebraska and Tennessee, and there is funding to deploy it to at least 20 states in 2002. Time is of the essence in having the system ready, as states have already received substantial funding and will soon be building their systems. Members expressed hope that CDC would be given adequate funding to play the needed leadership role, along with encouragement that HHS monitor conformance. On another subject, it was noted that a major gap is the lack of funding to encourage clinical care providers to use automated clinical information systems. Dr. Broome asked the Committee to think about what kinds of incentives would be effective and realistic. The Committee agreed to draft a letter to the Secretary on its concerns.
ACTION: On day two, Dr. Lumpkin read a letter to the Secretary, drafted by an ad hoc group, offering four recommendations aimed at a major Administration commitment to support and expedite the activities reported on by the panel. After suggesting a few revisions and amendments, the Committee passed a motion approving the letter. |
(NCVHS member Kepa Zubeldia, M.D., who helped put together this panel, participated by telephone.)
Mr. Marshall focused on the kind of transactions that would be amenable to the health care PKI, which is a way of managing records of identities of people who participate in health care, making possible digital signatures. PKI supports automation of processes to identify participants and maintain authenticity over time. This is expected to reduce health care administrative cost, improve efficiencies, and lower the risk of medical fraud and abuse. He and other panelists described PKI as the only existing technology that provides all three attributes - authenticity, integrity, and non-repudiation. He called for two “essential ingredients”: affirmation of a standard framework for health care PKI for HIPAA conferment use, and support for digital attribution certificates (i.e., a digitally signed reference to an identity certificate).
Ms. Gilbertson described the work of an NCPDP/SDO task group that identified what health care business cases might need electronic signatures. The project produced a white paper, a draft of which was provided to NCVHS members. Ms. Tucci-Kaufhold, who chaired the task group, further described the analysis and report as well as several questions raised by the group. She stressed that education, both technical and operational, is an important element of this process.
Mr. McFaul discussed two DEA initiatives: one on electronic prescriptions for controlled substances, and a controlled substances ordering system. The electronic system being developed will be an additional means of accomplishing required functions, not a mandatory means. Because DEA is a law enforcement agency, a key issue for it is legal admissibility with respect to the possibility of legal action against participants in the system. Mr. McFaul described the operational requirements of the planned system, noting that it is designed to be application neutral. DEA does not mandate the use of any standards.
Offering the DEA contractor’s perspective, Mr. Bruck noted that development of PKI must move forward in three areas: technology, policy, and accreditation. For DEA, policy considerations drive the others.
Ms. Reed-Fourquet, who is vice-chair of ASTM E31.20, focused on the policies needed to support digital signatures in health care. The ASTM group has a near-final version of the health care model policy intended to guide health care PKI policies. She also described the work of the ISO on the secure exchange of health information across national boundaries. She noted the security risks with PKI and what must be done to minimize them.
In the discussion, NCVHS members questioned the panelists about the multiplicity of tokens needed in the short term, the “hard parts” of PKI implementation, and the costs of implementation for industry. The Subcommittee on Standards and Security was asked to develop a work plan in this area.
After describing the development process, Dr. Cohn and Mr. Blair presented a draft letter to the Secretary addressing message format standards. These follow up on several recommendations in the Committee’s August 2000 report to the Secretary on PMRI standards. Members read the letter and suggested minor modifications.
ACTION: A motion was passed to adopt the letter, as revised, and send it to the Secretary. |
Dr. Harding presented background and a rough draft of a letter and recommendations to the Secretary, a more refined version of which will be presented for action on day two of this meeting. The letter, under development by the Subcommittee on Privacy and Confidentiality, concerns the marketing and fundraising provisions of the final privacy rule. Members discussed the concepts underlying the letter.
ACTION: On day two, following discussion and a few revisions, the Committee passed a motion approving the revised letter, with Dr. Harding abstaining. ACTION: Also on day two, the Committee adopted a process for interim decision-making between meetings. It passed a motion authorizing the Subcommittee on Privacy and Confidentiality to recommend a response to the NPRM on the privacy rule when it is released. The Subcommittee will confer and prepare its recommendations, and then the full Committee will hold a teleconference to act on the recommendations. |
DISCUSSION WITH NCHS DIRECTOR, EDWARD SONDIK, Ph.D.
Dr. Sondik sought the Committee’s advice on the challenges the Center faces as a result of tightening resources. In recent years, appropriations to NCHS nominally increased but after inflation were static. He summarized the major accomplishments made despite these constraints, but said trade-offs are now needed, raising the question of how to continue to make advances in light of tightening resources. Re-engineering of the surveys and vital statistics is a continuing priority. He noted the synergies among NCHS endeavors and the visions for 21st century health statistics and the national health information infrastructure.
NCVHS members and Dr. Sondik reviewed various possibilities for tightening NCHS spending, analyzing costs and benefits, and generating more active support for the Center’s budget and activities. Members praised its products, notably NHANES and the analytical “value-added” it contributes. It was noted that many data users want more, not less, from the Center. Dr. Sondik asked the Committee to help him elicit input about priorities and trade-offs from the users of NCHS products. Dr. Lumpkin referred this question to the Subcommittee on Populations.
BRIEFING FROM OFFICE FOR HUMAN RESEARCH PROTECTIONS
The Office for Human Research Protections (OHRP) was created, and Dr. Koski, was appointed director, in June 2000. OHRP is bringing about a paradigm shift in the approach to human research and the protection of subjects, from vesting the institutional review board (IRB) with sole responsibility to a model that focuses on shared goals and responsibilities. Another shift is from a reactive to a proactive system. The Office is also simplifying the structure to make it more effective. Dr. Koski enumerated the many facets and levels of activity in this area and described the structure and operational approaches of OHRP. A new program focuses on quality improvement; there is also a broad education effort to the research community as well as to the general public. The creation and use of the National Human Research Protections Advisory Committee (NHRPAC) is a critical development that provides for broad public input, and there are several other high-level sources of advice. OHRP has worked to revitalize the Human Subjects Research Subcommittee, which operates out of the Office of Science and Technology Policy at the White House. Its “SUEE (simplification, uniformity, efficiency and effectiveness) task force” is looking for opportunities for simplification and greater uniformity.
Members talked with Dr. Koski about OHRP’s position and actions on the privacy rule, the common rule, and efforts to sensitize researchers to the issues for racial and ethnic minorities.
Workgroup and Subcommittee chairs briefly reported on their groups’ activities and plans (see minutes). A few items were identified for the June and subsequent meetings of the full Committee.
Dr. Lumpkin welcomed those present and on the Internet. He noted the trying times experienced by the nation in recent months, leading to a significant reevaluation of the national commitment to public health and strengthening the public health infrastructure. He asked everyone present to introduce themselves, and welcomed the Committee’s new member, Brady Augustine, M.S., Corporate Director for Special Projects in Gambro Healthcare and president of Tiger Solutions, Inc.
Mr. Scanlon began with an update on three activities the Committee has been following: 1) the National Academy of Sciences study on the adequacy of race/ethnicity data in HHS and private sector health information systems; 2) the HHS initiative on a Department-wide gateway to data and statistics; and 3) new OMB guidelines for ensuring the quality of information disseminated by federal agencies.
On the first, he reported that Ed Perrin will serve as chairman of the National Research Council panel that will study the issue. The panel will be asked to hold a workshop with representatives from the health care sector, to get the private sector’s perspective on obstacles and ways of moving forward. The government has no control over the kind of information collected in private sector data systems, and there is confusion in that sector about what is allowable related to race/ethnicity data. The Department hopes to set up a liaison between the NRC panel and the NCVHS Subcommittee on Populations.
On the second activity, Mr. Scanlon said the goal is to integrate and improve access to HHS data and provide user-friendly entry points and shortcuts. A single webpage is being developed covering the entire Department as well as state and local data on health and human services. The prototype is being beta tested in the Department. The features include the following:
Mr. Scanlon said the gateway, which provides a way to link the hundreds of HHS Web sites, includes data, reports on data, methodology, and questionnaires.
Committee members were enthusiastic about the new gateway and offered suggestions for optimizing it, which were welcomed by Mr. Scanlon.
Dr. Newacheck noted the variability of definitions in different surveys and administrative data sets - for example, of health insurance and disability. He suggested that the HHS gateway include statements about definitions and perhaps the reason for each, at least for the key indicators. Dr. Mays suggested indicating the size of data sets for various ethnic groups, and providing links to useful roadmaps for NCHS data sets, which are now available only on CD-ROM. Answering a question from Mr. Augustine, Mr. Scanlon said the limitations in the data sets will be addressed in several ways in the Web sites. Eventually the Department may consider guidance for the agencies on what to include with their postings. Dr. Lumpkin suggested providing links to data sets now available only at the state level, along with a key contact in each state.
Turning to the OMB guidelines on the quality of disseminated federal information, Mr. Scanlon said the guidelines are required by the Shelby Amendment. Following a comment period, OMB published the final guidelines on January 3, primarily calling for agencies to develop their own quality guidelines on a wide range of information disseminated to the public. Quality is seen as including utility, integrity and timeliness. Different types of information require different standards, with a high standard (substantial reproducibility) for influential statistical or financial information. The Data Council has formed a work group to put together the HHS framework, with a deadline of getting a draft to OMB by May 1, followed by public comment, with a final draft by July, to take effect in October.
The guidelines establish an administrative mechanism to allow members of the public and affected communities to contact an agency with questions, complaints or corrections, and for the agency to address the issues. Agencies also have to report to OMB on the process. The guidelines apply to all information whose dissemination the agency initiates or sponsors.
Mr. Scanlon then commented on the $1.1 billion budgeted for grants to the states for public health preparedness. He described some of the specific mechanisms and sources. The money is expected to improve emergency preparedness as well as core public health functions, and to improve the national health information infrastructure.
Ms. Frohboese updated the Committee on the Department’s privacy activities and the implementation of the privacy rule, overseen by the OCR. The Office now has a strong privacy team, with Sue McAndrew heading the policy effort, Kathleen Fyffe heading public education outreach and technical assistance, and Stephanie Kaminsky staffing the NCVHS Subcommittee on Privacy. The date for release of the proposed change to the final rule has not yet been determined. A new Privacy Council within the Department is advising on modifications to the privacy rule. Input by NCVHS and through its hearings also has been important. Over the next six months, OCR is focusing on developing additional guidance and technical assistance materials for covered entities. It will be processing comments on the NPRN when it is released.
Ms. Frohboese invited recommendations on how to focus on and assist state governments regarding their role.
Dr. Cohn noted the industry’s concern about the timeline, given that implementation is to begin in 14 months. He asked for advice on how to proceed on implementation. Ms. Frohboese assured him of the Department’s acute awareness of timing issues, and its attention to helping covered entities come into compliance. She noted that the modifications are aimed at assisting in this process and minimizing burden, while correcting unintended consequences of the rule that impair patient access to quality health services.
Ms. Trudel said that the HIPAA delay legislation - which was signed by the President on December 27 and allows a year extension for implementation of the transaction and code set standards if a compliance plan is filed - has had the effect of mobilizing the industry to consider how the rules apply to them. October 2003 is now a “date certain.” She described compliance plan requirements of the legislation.
The Act also provides a role for NCVHS, to review a sample of the compliance extension plans, identify barriers to compliance, and publish solutions. WEDI convened a work group to develop proposals for a model plan, and the Committee’s Subcommittee on Standards and Security has expressed support for the plan with minor modifications. Implementation of the provisions has been delegated to CMS, which will post the model plan on a Web site. This will be followed by an extensive rollout strategy.
Dr. Cohn said industry will be encouraged to use the Web site to request extensions. New NCVHS member Brady Augustine, a statistician, will look at the methodologic issues regarding taking a sample.
Dr. Fitzmaurice raised the possibility that there will not be adequate funding to CMS to help with HIPAA implementation. Ms. Trudel said this is being discussed in the context of the Department’s budget. Asked about the status of other standards, she said they are all moving forward, but nothing is imminent.
Dr. Cohn presented a “very early draft” of the Committee’s 2001 report to Congress, and he asked for feedback from members and other subcommittees. For the first time, this report is a joint effort of the Subcommittee on Standards and Security and the Subcommittee on Privacy and Confidentiality because the privacy rule was a major activity center in the last year.
Mr. Scanlon explained that the report is sent to all committees in the Senate and House with jurisdiction over HIPAA.
Ms. Greenberg suggested that a revised report be circulated to the full Committee for comment, and that the Executive Subcommittee be delegated to finalize the report. The goal would be to submit the report to Congress by the end of March. She pointed out that when HIPAA implementation begins, the report will be increasingly important as a source of information on the status of implementation.
A few members offered comments on style, organization, and content. Dr. Lumpkin asked subcommittees to review the report further and offer any comments representing their perspectives.
A motion was passed that a near-final draft of the report will be circulated to all members, who will have an opportunity to comment in writing, to be followed by a conference call of the full Committee to approve the final document.
Dr. Lumpkin noted the timeliness of the Committee’s report on the National Health Information Infrastructure, in view of the heightened concern about bioterror. He welcomed the panelists:
Preparedness, HHS
Association
Dr. Rippen described a RAND initiative to develop a framework for the information technology infrastructure for bioterrorism. RAND is bringing together stakeholders to identify this framework, identify policy issues, and evaluate options. Following three “summit meetings” (co-hosted with several stakeholder organizations), RAND will develop a blueprint. Two have taken place, and the third is scheduled for April 3-4. Dr. Rippen pointed out that bioterror involves multiple sectors and multiple stakeholders who must interact during a crisis. This calls for a seamless, integrated IT infrastructure. Responsibilities must be distributed seamlessly because a bioterror event actually takes place over a period of time and involves detection, early response, sustained response, and recovery.
The components of the foundation being built are objectives, capabilities, data needs, and stakeholders; each of these has multiple elements. For example, the objectives to be supported by an IT infrastructure include strategic planning, deterrence, surveillance, communications, resource management, education, and research.
The groups in the meetings held to date have produced nine recommendations, including the following:
Mr. Hauer described HHS activities and the issues the Department is facing. There is a new Office of Public Health Preparedness (OPHP), headed by D. A. Henderson, who reports directly to the Secretary. No funds are released until OPHP approves it, to ensure a coordinated effort among federal, state and local governments to rebuild the public health infrastructure and protect against bioterrorism. (Mr. Hauer said such money in the past has sometimes been used to “buy toys” and to create disconnected “nexuses of expertise” that don’t work together.)
IT is a key component of the Secretary’s goals, and much of the money budgeted for this effort will go to states for this purpose. Connectivity is a key goal - among plans, hospitals, and health departments at state and local levels.
The merits of syndromic surveillance and data mining are the subject of a vigorous debate in the country now. Mr. Hauer does not believe syndromic surveillance is feasible, given the data collection burden it imposes on primary care providers. The feasibility of timely data mining to detect results following release of a biologic agent is also questioned. While noting the critical role of physician education, he said he believes data mining will work. This requires two-way connected systems and the rehabilitation of the public health systems that have been allowed to fall into disrepair. The idea is not just to get information from health departments but to put information in their hands on an ongoing basis. HHS will convene several summits in Washington, D.C. on surveillance, IT, and connectivity, partly with an eye to improving local-state-federal communication.
Ms. Schulman is a member of AHA’s hospital disaster readiness team and chair of its resources subgroup. Her presentation focused on the central role of hospitals in the effort to strengthen emergency readiness. The 9/11 attacks have redefined the meaning of disaster readiness for hospitals and represent a scenario in which the resources of individual hospitals or even an entire community’s health care system may be overwhelmed. Bioterrorist attacks differ from other types of disasters in that the effects may manifest gradually and take time to be recognized or distinguished from common illness. The AHA believes hospitals must broaden the scale and scope of their existing disaster plans to link with community partners, building on existing resources, programs and relationships. A common information architecture is optimal, but Ms. Schulman noted the problems with community linkages. She offered a number of recommendations, including the following:
Ms. Schulman voiced the AHA’s concern about a “serious conflict” between HIPAA privacy regulations and efforts to improve hospital disease surveillance capabilities. For example, state hospital associations are barred from sharing certain disease surveillance data with contributing hospitals. She asked that HHS either reform or clarify the rules to permit the sharing of key data elements, preferably by carving out the data from the list of identifiable data in the rule.
Dr. Loonsk began by describing CDC’s activities prior to October 4, the date of the first anthrax attack. The Center was rebuilding the national surveillance infrastructure as part of the National Electronic Disease Surveillance System (NEDSS), which he described as a vision and a process for integrating and connecting public health systems and clinical data systems. CDC also promotes national standards for developing those systems. One component of its pre-10/4 work was supporting bioterrorism surveillance, with emphasis on making the bioterrorism infrastructure an integral part of the broader infrastructure. Key activities involved enhancing connectivity, diagnostic capacity, and professional education.
Many lessons were learned from the anthrax attacks, which “were not executed as expected.” Dr. Loonsk stressed that while bioterrorism detection is “still investigational,” the need for case data management exchange and communication is not. Getting data is a top priority. One initiative related to this is the e-Health Initiative, in which providers and clinical information systems are working to get appropriate data out of their information systems and move them to public health. The attacks taught a major lesson: that data must be linked. He sketched an ideal situation in which detection and possible threats would lead to data management around possible cases, contacts, facility and geo-spacial data, leading to analysis and presentation to decision makers, and thence into alerts, prophylaxis and vaccination in a continuous manner. Another experience from the attacks was the difficulty in getting specific information rapidly to the point of need and not overloading people with information they did not need.
Dr. Loonsk then presented the outlines of the appendix to the recently-released bioterrorism cooperative agreement guidance. The focus area relating to Health Alert Network, information technology and communication is broader than it used to be. The appendix is titled “IT Functions and Specifications,” all of which link to aspects of the guidance and address the need of exchanging comparable data between public health partners. Each specification identifies a need, the industry standard involved, and the specifications that have been written into the guidance. Many are not new but are part of NEDSS. The nine areas for the IT functions and specifications are:
Dr. Lumpkin stated his growing conviction that the place to begin with automating the electronic medical record is in emergency departments, which could serve as the proof of concept and meet a national need by advancing real-time surveillance. He then asked how CDC planned to ensure coordinated system development rather than the creation of separate systems. Mr. Hauer said HHS is trying to emphasize a regional approach. The first goal is to get hospitals talking with city or county health departments, counties talking with states, and then building links across state lines. Dr. Loonsk agreed that national data standards must be promoted, with clear specifications about the content of the data. Dr. Broome noted that time is of the essence in having the standards ready, as states have already received substantial funding and will soon be building their systems.
To another question, Dr. Loonsk said CDC would provide direct assistance to state and local health departments to deal with such things as transmitting standardized messages and establishing information security. Dr. Lumpkin and Mr. Blair expressed hope that CDC would be given adequate funding to play the needed leadership role. Dr. Broome called this a “very relevant question,” noting that the latest billion-dollar funding went directly to states with nothing for CDC for coordination; however, other funds are going to CDC for bioterrorism preparedness. She added that CDC is developing a NEDSS-based system that implements NEDSS standards and includes implementation guides. It is being pilot tested in Nebraska and Tennessee, and there is funding to deploy it to at least 20 states in 2002.
Mr. Blair pointed out the need not just for information flow but also for the ability to readily interpret the data, especially in the event of a disaster with a great volume of sudden data. He suggested that the biggest missing gap is capturing usable information at the point of care, and asked what was being done to provide incentives for this to happen. Dr. Loonsk agreed that this is a major gap: there has been no funding to encourage clinical care providers to implement automated clinical information systems. Dr. Broome asked the Committee to think about what kinds of incentives would be effective and realistic.
Dr. Starfield observed that the nation has done a poor job of providing ways to report presenting problems that are not resolved through a diagnosis. She observed that the core data elements recommended by NCVHS include an item for presenting problems.
Mr. Scanlon asked Mr. Hauer about whether the national standards being developed in other arenas could be used as a framework for public health data, as well, to ensure interconnectivity. Mr. Hauer responded that the Department is encouraging commonality, and hospitals will be “encouraged” to use the standards developed by industry, SDOs and CDC. Dr. Rippen commented on the lack of clarity about what is needed with regards to a “true requirements document.” Mr. Hauer agreed, and said his goal is to have passive systems that collect data at the point of care; this must be combined with knowing what to report and to whom, which depends on education.
Dr. Cohn endorsed Dr. Lumpkin’s idea of starting automation in the emergency setting. He applauded CDC for its standards based approach, but urged more specificity and questioned whether merely “encouraging” a standards based approach would be enough to prevent stovepipes. Mr. Hauer said HHS would not “prescribe how local public health agencies do this.” Ms. Greenberg expressed support for requirements, noting that Congress enacted HIPAA because industry did not go forward with standards when they were only encouraged to do so.
Mr. Hauer agreed with Dr. Shortliffe that necessary short-term approaches should be taken in a context of a vision for, and efforts toward, standardized medical records and “smart systems, properly integrated into a seamless public health environment.” It was noted that a great deal of valuable information is already being recorded but not captured.
Dr. Lumpkin asked Drs. Friedman and Cohn to work with him on a letter from the Committee to the Secretary, urging that standards be mandated, that the role of CDC be enhanced and adequately funded, and that the movement toward standards happen on a tighter time frame. The letter is to be presented to the Committee on day two of this meeting. He thanked the panel, offered the Committee’s support and advice, and said it would be following the issue closely.
NCVHS member Kepa Zubeldia, M.D., who helped put together this panel, participated by telephone.
Mr. Marshall focused on the kind of transactions that would be amenable to the health care PKI. PKI is a way of managing records of identities of people who participate in health care, making possible digital signatures. It supports automation of processes to identify participants and maintain authenticity over time. This is expected to reduce health care administrative cost, improve efficiencies, and lower the risk of medical fraud and abuse.
The primary data, digital identity certificates, enable participants to receive encrypted data and electronic signatures with the attributes of authenticity, integrity, and non-repudiation. PKI is the only existing technology that provides all three attributes. It can be used in three types of transactions: messages where the data have relatively short value over time, persistent data with long-term value, and credentialing. Mr. Marshall described all three, likening the first to bank checks and the second to recording the results of a lab test. He pointed to the benefits achieved in e-commerce and electronic banking through the use of PKI, and asserted that health care financial transactions could achieve comparable benefits provided they use standard digital signatures. The security of the data is a function of the controls over access. Through digital signatures at every step of the process, the potential for medical fraud, abuse, and forgery can be minimized compared to paper records. PKI use simplifies and streamlines the credentialing task. Credentials can be easily revoked, and the validity of an identify or attribution certificate can be queried online.
Recent updates have created a framework for sharing the cost of PKI technology among those who will benefit from it. This lowers some of the barriers to acceptance of PKI technology in the health care provider community.
Mr. Marshall said much of what he had described is already widely used in e-commerce, and experimentation has begun in the health care information technology industry. Two “essential ingredients” are still needed: first, affirmation of a standard framework for health care PKI for HIPAA conferment use; and second, support for digital attribution certificates (i.e., a digitally signed reference to an identity certificate).
Ms. Gilbertson noted that Mr. Marshall leads an SDO signature/security endeavor in which she participates for NCPDP. Its work products include a scope and a project plan and implementation guides. Other SDOs are involved. NCPDP work group 12 formed a task group, consisting of providers, software vendors, health plans, payers, and others. It is led by Ms. Tucci-Kaufhold, and was tasked with identifying what health care business cases might need electronic signatures. The project produced a white paper, a draft of which was provided to NCVHS members. She said this was somewhat a “brainstorming” exercise.
The task group began by classifying the transactions/business cases as more likely for (1) immediate use, (2) moderate benefit, or (3) future benefit. Group 1 included requests for new prescriptions or refills from a prescriber to a pharmacy; the credentialing process; and enrollment from a pharmacy to a health plan. Future benefits (group 3) include consumer requests for information, prescription transfers between pharmacies, and obtaining formulary lists.
The task group identified several unanswered questions, including these:
Ms. Tucci-Kaufhold stressed that education, both technical and operational, is an important element of this process.
According to Mr. McFaul, DEA has two separate initiatives aimed to “drag ourselves out of the regulatory Stone Age and into the modern electronic age”: one on electronic prescriptions for controlled substances, and a controlled substances ordering system. The industry had asked for a more efficient way of doing things. The electronic system being developed will be an additional means of accomplishing required functions, not a mandatory means.
Because DEA is a law enforcement agency, a key issue for it is legal admissibility with respect to legal action being possible against participants in the system. This requires the highest possible standard. Mr. McFaul confirmed a point made earlier, that PKI is the only existing system that assures authentication, integrity, and non-repudiation. Authentication is a key issue for DEA, and PKI will satisfy pharmacists’ liability.
He noted that a grey area is whether DEA is subject to the Electronic Signatures and Global and National Commerce Act. It takes the position that it is not, but is in discussion with OMB on this question. Either way, however, as a federal agency DEA has the authority to establish standards on record integrity. This is key because it underlies non-repudiation.
DEA will not issue certificates, but rather establish a hierarchical PKI in which DEA will set the standards and then let industry forces drive who will issue the certificates. DEA is a closed system, whose participants are all DEA registrants. Registration is based on state licensure.
Mr. McFaul described the operational requirements of the planned system, noting that it is designed to be application neutral. DEA does not mandate the use of any standards.
Giving the contractor’s perspective, Mr. Bruck agreed with Mr. Marshall that PKI technology is the state of the art. His company looked at attribution certificates, but concluded that there is little commercial implementation of that technology. He noted that development of PKI must move forward in three areas: technology, policy, and accreditation. In carrying out DEA’s project, PEC Solutions has stayed focused on the mission, to PKI-enable electronic prescriptions for controlled substances. Policy considerations have driven technology choices. They have engaged industry from the beginning.
Ms. Reed-Fourquet, who is vice-chair of ASTM E31.20, focused on the policies needed to support digital signatures in health care. The ASTM group has a near-final version of the health care model policy intended to guide health care PKI policies. Ms. Reed-Fourquet is also the U.S. technical representative and co-author of the health care PKI document coming out of ISO, which deals with the secure exchange of health information across national boundaries.
Digital signature can be used in such health care scenarios as consent, medical record content accuracy, authorization for prescriptions, and medical orders. There are many security risks with a PKI, including identity fraud, credential fraud, and stolen identity. One requirement will be meeting the reliable secure binding of unique and distinguished names to the subject. A professional’s health care role will be bound to the individual’s professional certificate.
ISO has defined several policy types. End entities certificates will be for an assortment of individuals, organizations, devices, and applications. The analysis also identifies high grade and low grade assurance levels. The former, which is required in Europe, is the goal in all cases; but in the short run, the latter is a compromise in some areas. No token is required in these areas. Ms. Reed-Fourquet described the means of authenticating identities for organizations and individuals, and for verifying “active” status.
After noting that attribution certificates are recognized as a goal for assertion of authorization information, she concluded that strong policies are needed to support digital signatures in health care, that health care-specific standards have been defined that enable strong policies, and that this makes it possible to establish a trustworthy infrastructure for digital signatures in health care.
Dr. Lumpkin noted that a health care provider such as himself could end up with several tokens, much as one has several keys. Several panelists responded affirmatively when he asked if it is expected that the field will eventually migrate to attribution certificates. Mr. Marshall said it is imperative to speed up the migration and reduce the number of individual identity certificates to one, using attribution certificates to associate other factors. He said what is needed is “a regulatory starting gun.”
Dr. Cohn expressed appreciation that DEA is developing litigation-strength digital signatures. Mr. McFaul said DEA is building the infrastructure and the system at the same time.
Dr. McDonald observed that the panelists portrayed a more rosy view of PKI than that held in “the world.” He asked them to comment on “the hard parts.” He also cautioned DEA against providing too many hoops for physicians to jump through with respect to pain medication, operating as it does in the country’s “fierce” atmosphere of narcotic control. Dr. Zubeldia supported the panel’s assertion that “PKI is good,” if new. However, he questioned how it could actually work in health care, in view of the complexities. He cautioned against “laying PKI tracks without understanding how the engines will run on them.” Mr. Bruck stressed that DEA is establishing “the trust framework” that is the first step.
Mr. Augustine expressed the concerns of many in private industry who are currently “balking at PKI” because of the cost of deploying it. Mr. McFaul agreed that PKI can be expensive and complicated, and said attention must be paid to economic factors. Ms. Gilbertson affirmed that there also are operational issues, such as keeping up with revocation lists and interoperability. Health care professionals must be sure the technology works for health care business. She cautioned that DEA’s project could produce a silo because it is designed only to meet that agency’s business need. Dr. Zubeldia added that proprietary schemes by pharmacies could obstruct interoperability.
Dr. Cohn thanked Dr. Zubeldia for taking the lead in this area, and suggested that the Committee refer it back to the Subcommittee on Standards and Security for determination of next steps, which may include a hearing in the summer. Picking up a phrase used by Mr. Bruck, Dr. Lumpkin said the Committee should approach this as “complicated but not difficult.”
After describing the development process, Dr. Cohn and Mr. Blair presented a draft letter to the Secretary addressing message format standards. These follow up on several recommendations in the Committee’s August 2000 report to the Secretary on PMRI standards. The Subcommittee is recommending a paradigm change from mandated standards to “recognized standards.” The letter calls for clear leadership from the Department in moving the standard development process forward. It proposes departmental “guidance,” which implies that compliance is voluntary. The Committee perceives that there is growing consensus in the industry, and it is trying to catalyze this process. The idea is to use a “carrot” to induce change; if in a year or two the incentives do not prove to have been strong enough, it will be possible to strengthen the recommendations.
Members read the letter and suggested minor modifications. A motion was then passed to adopt the letter, as revised, and send it to the Secretary.
Dr. Harding presented background and a rough draft of a letter and recommendations to the Secretary, a more refined version of which will be presented for action on day two of this meeting. The letter, under development by the Subcommittee on Privacy and Confidentiality, concerns the marketing and fundraising provisions of the final privacy rule. Dr. Harding expressed appreciation for the Subcommittee’s staff support, and welcomed Ms. Kaminsky. He reviewed the steps leading to the current “final” version of the rule, and called attention to key issues and concepts. The key issues for this letter are whether marketing and fundraising should be considered as health care operations with respect to patient consents and authorizations. The Subcommittee heard a range of views on this question at its hearings and will come back with recommendations following its morning meeting on February 27.
Members asked clarifying questions, commented on the complexity of these issues, and offered a few preliminary editorial suggestions. Interest was expressed in separating marketing from disease management and other health care operations, and also from research. Dr. Lumpkin pointed out the relevance of state law in defining treatment.
The Committee then recessed, to reconvene in subcommittee and workgroup meetings and then in full session the following day.
Dr. Sondik noted that his presentation to NCVHS in November had generated some questions. Before opening those for discussion, he sought the Committee’s advice on the challenges the Center faces as a result of tightening resources. He reviewed the Center’s advances over the last decade with respect to data collection and timely release, as well as through its research data centers, which make data available while preserving confidentiality. Strides also have been made in international activities, recently focusing on laying the groundwork for international comparisons using summary health measures and disability statistics. The Center also played an important role in the development and adoption of the International Classification on Functioning, Disability and Health (ICF).
Turning to resource issues, Dr. Sondik said appropriations to NCHS nominally increased but after inflation were static in the last half of the preceding decade. Despite these constraints, much has been accomplished - for example, NHANES has returned to the field; both it and NHIS have been revamped; and vital statistics collection has been revamped; and reporting has been made more timely. Now, however, tradeoffs are needed, raising the question of how to continue to make advances in light of tightening resources. Re-engineering is a continuing priority - e.g., a meta data system for drawing information from the HIS, and continuing upgrades of NHANES. Possible ways of saving money include fielding the HIS fewer weeks of the year and making adjustments in vital statistics.
Health care surveys have suffered in the last decade: the entire family of surveys has not been in the field at the same time in the last year, and getting the surveys back in the field and doing them more frequently is a priority for him. He summarized the tradeoffs, posing to the Committee the question of how to balance the Center’s resources so it can continue to supply critical information on health status, vital statistics, and the health care system, along with research and methodology, while finding new, more cost-effective ways to do these things. Finally, he noted the synergies among NCHS endeavors and the visions for 21st century health statistics and the national health information infrastructure.
Dr. Friedman expressed concern that the Center spends less than 10 percent of its funds on analysis, epidemiology, Healthy People, research, and methodology. He asserted that analysis and epidemiology are areas of unique value-added from NCHS. Dr. Sondik said the “bang” from that small percent is greater than it appears, and he agreed that research and analysis are critical areas.
Dr. Newacheck asked about justification for the proportion of the budget going to NHANES and asked if this has been analyzed in terms of relative utility. In general, he suggested an analysis of the costs and benefits of each of the surveys. Dr. Sondik noted the value of the insight into “the fabric of health” afforded by NHANES data, and said NCHS will indeed have to consider doing a formal analysis of its surveys’ costs and benefits.
Dr. Harding was the first of several members to comment on Dr. Sondik’s “exceptional stewardship” of NCHS; Dr. Sondik in turn gave credit to the Center’s staff for its accomplishments.
Dr. Starfield enumerated the reasons for keeping NHIS, the health care surveys, and others, and concluded that “NHANES sticks out” as something that might be cut. Dr. Sondik described modifications that could be made to NHANES. He noted that an investment has been made in community HANES, which is ready to be sent to specific communities and populations, supported by resources from several agencies. Among other things, NHANES is the proving grounds for community HANES; but it could be taken out of the field again in a few years. He said these decisions need to be made with reference to what areas of health and health care are undergoing the most change.
Mr. Blair asked whether the NHII might be a framework in which to lower costs and increase data, in collaboration with other agency heads, by re-engineering the entire infrastructure. Dr. Sondik said that kind of thinking is underway. He also noted the broad relevance of the activities around bioterrorism, as described by the earlier panel.
Dr. Mays endorsed the re-engineering efforts and observed that in terms of data, “people want more, not less” - for example, on contextual factors, mental health, and race/ethnicity. She stressed the need for advocacy to try and get funding increases and to point out the contributions of the surveys - for instance, to Departmental programs such as Healthy People. Dr. Sondik agreed about “mustering the best arguments,” and he invited guidance and recommendations about the content and focus of NCHS budget requests.
In response to another question, Dr. Sondik said NCHS would be soliciting input from other agencies as part of its evaluation of budget components and program tradeoffs. He again invited the Committee’s help in how to elicit input from the user community regarding priorities. In that context, he expressed interest in the recent hearing sponsored by the Subcommittee on Populations.
Dr. Friedman observed that with a web-based system in which data come in on a real-time basis for case management and bill payment, support for the vital statistics system may come from CMS programs. Dr. Sondik said this has been discussed, and the Social Security Administration has been a significant supporter of re-engineering.
Dr. Lumpkin thanked Dr. Sondik for meeting with the Committee and asked the Subcommittee on Populations to follow up on this discussion. Calling NHANES “a national jewel” and the gold standard for other surveys, he urged Dr. Sondik to protect it as much as possible.
Dr. Koski said the process to remodel the nation’s system for protecting human research subjects can be traced back to a 1988 report by the Office of the Inspector General that observed, among other things, that while the research environment had been changing over the preceding 3 decades, the system to protect research subjects had not been changing and had been challenged by the other changes. However, little significant action was taken until the death of research subject Jesse Gelsinger in 1999. Secretary Shalala then announced an HHS initiative, and in June, 2000, the Office for Human Research Protections (OHRP) was created and he was appointed director. The Office has had several reports and recommendations to consult in addition to the one by the OIG.
OHRP is in the process of bringing about a paradigm shift in the approach to human research and the protection of subjects, from vesting the institutional review board (IRB) with sole responsibility to a model that focus on shared goals and responsibilities. Another shift is from a reactive to a proactive system. The Office is also simplifying the structure to make it more effective. Dr. Koski enumerated the many facets and levels of activity in this area, including a host of agencies, levels of government, and sectors, and multiple combinations thereof. He noted that increasingly, federal and private/corporate domains overlap in their research support. While this creates additional challenges, the opportunities for partnerships between government and the private sector are critical. Another level is the international one, with U.S. research conducted in other countries.
The Office began by reorganizing from the structure that existed as the NIH Office for Protection from Research Risks. There are four operational divisions: policy and planning, compliance oversight, education, and assurances and quality improvement. These are linked with interdivisional committees, and there is also a cross-cutting “virtual office” for international activities. The reorganization includes process redesign, stressing simplification and collaboration with other agencies, notably FDA. Steps such as simplifying the assurance process and a unified federal registration program are freeing up resources to be redirected to new programs, especially one on quality improvement that stresses prevention of harm rather than waiting for something negative to happen.
Increasing budget support demonstrates the Department’s commitment to this effort and makes possible new programs, notably a broad education effort to the research community as well as to the general public. An awards program is aimed at generating “headlines that say people are doing it right.” Along with the quality improvement program is a surveillance program; the two will interact with every program in the U.S. over a 5-year cycle, with up to 60 quality improvement consultations and 10 or more surveillance evaluations a month.
The creation and use of the National Human Research Protections Advisory Committee (NHRPAC) is another critical development that provides for broad public input. Under the leadership of Executive Director Kate Godfried and Chair Mary Faith Marshall, the group has already provided valuable advice. It will be taking up issues of informed consent, redefining it as a process that leads to an informed decision by an individual about whether or not to participate in research. The Department will also get advice from a trans-NIH bioethics committee, FDA, and other federal agencies, leading toward harmonized policies across the government. Other advice has come through a commissioned study by the National Academy of Sciences on accreditation as a mechanism for strengthening the system for protection of human research subjects. The report, “Preserving Public Trust,” was released in April 2001; a second part, presenting outcome measures for the effectiveness of the process, is expected soon.
OHRP has worked to revitalize the Human Subjects Research Subcommittee, which operates out of the Office of Science and Technology Policy at the White House; Dr. Koski described it as “a critically important group.” In 1991 this group’s predecessor body promulgated the “common rule,” the federal policy to which 17 agencies subscribe; it has now come together again to work toward harmonization within government on this issue. Under the auspices of that committee, the “SUEE (simplification, uniformity, efficiency and effectiveness) task force” is looking for opportunities for simplification and greater uniformity. The hope is that the group will carry forward a task force to look at research safety on a broader scale, with the aim of creating a continuous process of quality control and improvement.
Finally, Dr. Koski named at least a dozen groups with which the OHRP is interacting as part of its effort to develop “a true public-private partnership.” They include research ethics groups, professional and academic associations, organizations of administrators, members of the social and behavioral sciences community, and the Association of Independent Review Boards.
Asked about connections to the pharmaceutical industry, Dr. Koski reiterated the collaboration with FDA and said the only research that might be missed currently would be that supported solely by private money and conducted solely by entities that do not receive federal support or will not lead to a marketable product. He noted two legislative initiatives, by Senator Kennedy and Representatives Daggett and Greenwood, to strengthen and support national protection of human subjects in research.
Asked to comment on the HIPAA privacy rule, he said his Office had hired a staff person who knows this area very well and will help OHRP provide guidance and support to the research community in meeting its obligations. There has been a lot of discussion around the research provisions, with input from OHRP, NIH and other bodies. The Department is still considering the research provisions.
Asked about seeking change in the common rule, Dr. Koski said his Office had received advice from multiple commissions and panels on this. He stressed that the immediate challenge is to take advantage of the flexibility in the common rule while assessing the need to change it or parts of it, something that could be done in a variety of ways.
Regarding what would be done to ensure that researchers become more attentive to research-related issues for racial and ethnic groups, Dr. Koski affirmed the importance of continuing the efforts already underway in this direction, including NIH T32 grants and educating researchers and the wider community. OHRP will be working with the Office of Minority Health and other program offices to this end.
Dr. Lumpkin thanked Dr. Koski for his presentation and said the Committee would continue to monitor these efforts.
Mr. Rothstein read the proposed revised letter on privacy related to marketing and fundraising, which contains seven recommendations regarding marketing and three on fundraising. Members discussed each of the recommendations, spending considerable time on the concepts and wording calling for simplified opt-out procedures for persons wanting to opt out of future marketing contacts. The letter concludes with a statement emphasizing the Committee’s belief that public education and outreach are essential in promoting compliance with the privacy rule and allaying concerns about its effects. (Dr. Harding explained that education is made especially necessary because of disinformation campaigns to stir up anxiety about HIPAA and another piece of legislation, NTALA.)
The Committee passed a motion approving the letter, as revised, with Dr. Harding abstaining.
Mr. Rothstein then asked the Committee to adopt a process for interim decision-making between meetings, whereby it authorizes the Subcommittee on Privacy and Confidentiality to recommend a response to the NPRM on the privacy rule when it is released. The Subcommittee will confer and prepare its recommendations, and then the full Committee will hold a teleconference to address the recommendations. A motion approving this process was passed.
Dr. Lumpkin read a letter to the Secretary, drafted by an ad hoc group following the previous day’s panel on bioterrorism. It offers four recommendations aimed at a major Administration commitment to support and expedite the activities reported on by the panel, including bioterrorism cooperative agreements and NEDSS-based standards. The final recommendation stresses that implementation of the standards in state disease surveillance systems and other federally funded public health information systems should be mandatory. After suggesting a few revisions and amendments, the Committee passed a motion approving the letter.
Ms. Greenberg reported that the Subcommittee will hold a conference call on April 11.
Dr. Friedman reported that the Workgroup has drafted the first four chapters of its final report. He welcomed further comments on the draft from the Committee. The Workgroup hopes to present the full report to the Committee for action at its June meeting.
Dr. Lumpkin reported that the final report on the NHII is out. The Workgroup will have a conference call soon to discuss its new focus - monitoring the health information policy issues related to national preparedness-and to consider the possibility of a hearing.
Mr. Scanlon reported that Dr. Lumpkin presented the findings of the NHII report to the Data Council in February; it is now being reviewed within the Department, and Dr. Lumpkin will probably brief the Deputy Secretary in March. The report, including its structural recommendations, was well received. Mr. Scanlon stressed the need to ensure that the envisioned NHII is not assumed to be a “regular IT function or office.”
Dr. Cohn reported that the Subcommittee plans two hearings before June, both on code sets.
Dr. Mays reported that the Subcommittee is looking at past products and activities and identifying relevant recommendations made over the last 15 years or so. It will review these and analyze the barriers to implementation and the reasons for the lack of movement. The Subcommittee held a hearing on February 11-12 on the measurement of health disparities in racial and ethnic groups. Another hearing will be held in the Spring to fill in the gaps in the testimony, and then the Subcommittee will develop a report, which will also have a cover letter to specific institutes or groups highlighting pertinent contents.
Ms. Coltin reported that the Workgroup held hearings on December 12 with organizations involved with measures of quality related to patient safety, and it met briefly on February 26 to review a draft outline for its report. The report-projected for completion in early 2003-will summarize all the testimony to the Committee on data issues and gaps related to measuring quality. The Workgroup has identified subjects on which it wants to learn more - namely, measures of quality for mental health and substance abuse services, and activities to measure quality at the level of the individual practitioner. A panel is planned for the June full Committee meeting, and a hearing is planned for July 25, in Chicago. AHRQ has asked the Committee to hold hearings on a proposed list of topics and measures to be included in the National Quality Report, and these questions will also be addressed at the July hearing.
These items were mentioned for the June agenda -
A panel on issues and options related to code sets is likely for the September 2002 meeting.
Dr. Lumpkin then adjourned the meeting.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
| /s/ John R. Lumpkin, M.D. | 06/10/02 |
| ______________________________________________ | ____________________ |
| Chair | Date |