Testimony by John Loonsk for the Dec. 14, 2001 NCVHS Subcommittee on Stnadards and Security

The Centers for Disease Control and Prevention (CDC) would like to thank the Subcommittee for Standards and Security of the NCVHS for the opportunity to present our comments on implementing Patient Medical Record Information (PMRI) systems. I am John Loonsk, MD, CDC’s Associate Director for Informatics. In this capacity, I have had the opportunity to interact with many in this room, and also with those implementing programs in public health, concerning the need for standards that allow for comparable data and interoperability between systems.

Public health and the CDC look forward to the widespread adaptation of PMRI systems wherever patient care is delivered. Public health’s mission and the CDC mission of “Safer, Healthier People” will be better performed if we have timely access to well structured care data, with appropriate privacy and confidentiality protections. Public health has the responsibility for protecting the public from infectious diseases, preventing chronic diseases, prompting healthy behaviors, preventing environmental exposures, understanding injury prevention, preventing workplace injuries and tackling toxic exposures. Additionally, our National Center for Health Statistics (NCHS), a national statistical agency, has the responsibility of providing data on the overall health of our population along with access to and use of health care resources.

In addition to our monitoring of natural events, CDC has worked closely with our governmental and public health partners in developing a response to the recent bioterrorism attacks. We are fortunate that the number of people infected by the mail-delivered anthrax appears small. Even so, the number of people and places potentially impacted and the data management needs are both large. The incident has made more apparent the need for more complete and timely data, interchanged by secure communication systems that involve clinical care and all levels of public health. We believe that the proposed PMRI standards will help with some of these needs.

CDC with our public health partners is also now developing the National Electronic Disease Surveillance System (NEDSS). Like the PMRI system envisioned by the NCVHS, it is based on identifying and promoting appropriate national standards. CDC has funded 50 states, six cities, one territory and six public health partner organizations this year at various levels for NEDSS related activities. NEDSS uses standards that function at the site of data generation, and also allow information transfer without change in meaning though the system. This data reaches CDC programs, generally thorough our state and local public health partners, where our epidemiologists perform their function of understanding the distribution and determinants of health-related states in specified populations and apply this knowledge to control the health of populations. Public health sees clinical data systems originating data needed by NEDSS and transmitting it in a timely and secure fashion to appropriate parties. The product of this interchange will better case coverage, more complete and timely data and reduced provider burden.

CDC is working closely with HL7 to advance the above processes by, among other things, developing Public Health Notification Messages using the emerging Version 3 XML based HL7 standard. Initially, these messages will be used within public health for case reporting. Our intent, however, is to expand use to cover more reporting needs within and to public health. We are urging all PMRI developers to include these messages as they develop their systems. Widespread use of the Public Health Notification Messages will allow public health to receive, in an understandable and secure fashion, information extending from individual case events to aggregate statistics about the health of the population.

Our recent experience with bioterrorism (BT) has increased the attention on the data needs and the clinical – public health exchange of data. Detection of a BT events is still investigational, but here is new emphasis on monitoring presenting diagnosis, vital signs and other syndromic information. There are needs for admission and discharge data, laboratory order and diagnostic study information and results, and treatment/medication orders. Even radiological information can be an important early indicator of an event. Analysis and pattern recognition systems will become more important to prevent our being over-whelmed with routine data and allow us to react to the truly adverse event.

We see and ongoing and growing need for vocabularies and semantic understanding of concepts among various systems and organizations and hope that these issues will be prominent in the committees future activites. We are looking at various vocabularies, primarily SNOMED and LOINC but we find our data needs are not limited to these clinically oriented vocabularies. We commonly use such diverse concepts as occupation, industry, country of origin and language. We are looking toward code set such as the North American Industry Classification System (NAICS), the Bureau of Labor Statistics Standard Occupational Class (SOC) codes, and various ISO code sets to meet our needs.

We have found that a BT event has a complex monitoring component that allows for the identification of new cases in the exposed population and a huge subsequent data management need. Possible exposures and contacts need to be tracked. Generally, those exposed will be followed by private health and the needed information will need to be transmitted in a secure and confidential fashion to public health.

To fully achieve this goal, we must have standards for the encrypting/decrypting, including the associated concepts of authentication, addressing and enveloping of messages so that we may securely and confidentially exchange data with our clinical care, state and local public health and other federal partners. We see the specifications developed by ebXML, now maintained by the Organization for the Advancement of Structured Information Standards (OASIS), based on the Simple Object Access Protocol (SOAP) and possibly involving the Security Assertion Markup Language (SAML), as the basis for our developing secure communication infrastructure. These standards provide the needed flexibility to work equally well through hardened, fixed cable connections, and over the Internet

Many of the needs expressed above are commonly encapsulated in discussions of a Public Key Infrastructure (PKI). We are aware of the difficulties now being encountered in developing a nationwide PKI system.

To achieve some of these objectives within public health, NEDSS incorporates a directory of public health workers based on the Lightweight Directory Access Protocol (LDAP) and using the LDAP Data Exchange Format (LDIF). Aside from demographics, the directory will contain contact information (e-mail, fax, telephone, pager, etc.) and security information. While the Health Insurance Portability and Accountability Act (HIPAA) calls for the development of a practitioner identification number, it stops short of requiring an authenticated electronic directory system similar to that of NEDSS and we see as required for a PMRI system to inter-connect.

Before the events of October 4th, CDC had an interest in the coordination of standards. Now, the emphasis is even greater and the needs are shorter term. We need to be able to detect an adverse event, natural or man-made, when it occurs. We need precise and timely information describing the event and its follow-up. We need to also respond with precise and clear messages. Among other things, better coordination between ANSI standards used by HIPAA: X12 and HL7 is important. We urge those groups to relate their messages to a common information model so that we can relate data received using either standard unambiguously.

We also recognize the need for an extension of metadata standards beyond the description of the data contained in a PMRI system. For public health purposes, a need exists to electronically describe the ability of a system to present, retrieve and analyze data. Retrieval capabilities could allow us to interact with the system to extend the knowledge about an event or a person.

Our emphasis on format is HL7 and that is currently limited to the Observation Reporting Transaction Set. Both CDC and our public health partners now have several years experience in implementing this transaction set and we still do not find it automatic. We, like many others, are having difficulty expressing our clinical needs within the message framework of Version 2 and await the promulgation of Version 3.

Selection and implementation of PMRI standards is a complex task. Public health and CDC needs include getting as well structured data as possible and seamlessly exchanging those data in a fashion that preserves the privacy of the individual’s health data while achieving public health goals. The NEDSS effort has a long-term objective of developing closer integration between public health and the health care systems and can serve as a basis for developing these vital links. We thank you for the opportunity to comment on implementation process.