[This Transcript is Unedited]
Hubert Humphrey Building
Room 505-A
200 Independence Avenue, S.W.
Washington, DC 20201
DR. LUMPKIN: Good morning. We're going to get started now. We are operating a little bit behind schedule because we have what in Chicago we would call a minor precipitation event. I think that translates into a major snowstorm for Washington, although compared to a few weeks ago this is also minor. However, the schools are all starting two hours late, Marjorie and Karen are stuck in traffic, and we will be adjusting our agenda as we go along, but we do have a quorum so we need to get started since we do have a full agenda and we're only going to be meeting for about a day and a half.
For tomorrow, as I understand, this weather is supposed to continue through tomorrow morning, so the wisdom of us having our meeting extend until tomorrow is quite appropriate. I do want to suggest that it probably would not make too much sense if people have flights that they've scheduled so they can stay for the meeting to try to get an earlier flight because you would just go to the airport and sit and wait until it cleared up in the afternoon anyway. So I think we're well scheduled to finish out our work tomorrow. And if we all get stuck here at this building, there's a spot on the floor on the fourth floor I've already got staked out. Unfortunately, my brother who lives on Capitol Hill is out of town so I'd have to break into his house in order to stay there, so I'd have to stay here with the rest of you.
We're going to start off with introductions. My name is John Lumpkin and I'm chair of the NCVHS and still director of the Illinois Department of Public Health for the time being, not for a whole long time. Why don't we go around the table and introduce individuals, members and staff at the table, and then we'll go around and introduce those who are guests. So why don't we start off with Mark?
MR. ROTHSTEIN: I'm Mark Rothstein from the University of Louisville, and I'm a member of the Committee.
MR. LOCALIO: I'm Russell Localio. I'm from the University of Pennsylvania and I'm a member of the Committee.
MS. HANDRICH: I'm Peggy Handrich, I am from Wisconsin, I have been the Medicaid Director in Wisconsin for the past six years.
DR. HARDING: I'm Richard Harding, I'm from the University of South Carolina, I'm a member of the Committee.
MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, member of the Committee.
MR. HOUSTON: I'm John Houston with the University of Pittsburgh Medical Center and I'm a member of the Committee.
MS. BEREK: I'm Judith Berek and I'm with the Centers for Medicare and Medicaid, representative to the Committee.
MS. ADAIR: My name is Jared Adair, I guess I'm on the agenda today, I am with the Centers for Medicare and Medicaid Services, I'm director of the Office of HIPAA Standards and also work on a Consolidated Health Informatics project.
MS. KAMINSKY: I'm Stephanie Kaminsky, I'm with the Office for Civil Rights, and lead staff to the Privacy Subcommittee of the Committee.
DR. STEINDEL: Steve Steindel, senior advisor for standards and vocabulary, Centers for Disease Control and Prevention, liaison to the Committee.
MR. BLAIR: Jeff Blair, Medical Records Institute and member of the Committee.
DR. ZUBELDIA: Kepa Zubeldia with Claredi Corporation and member of the Committee.
DR. HUFF: Stan Huff with Intermountain Health Care and the University of Utah in Salt Lake City, Utah, I'm a member of the Committee.
DR. COHN: I'm Simon Cohn, I'm a practicing physician and the national director for health information policy for Kaiser Permanente, and a member of the Committee.
MR. SCANLON: I'm Jim Scanlon, I'm the executive staff director for HHS for the Committee and I'm the head of the Office of Science and Data Policy in ASPE.
MR. LUMPKIN: Great, let's start off --
MS. BATH(?): I'm Debra Bath, I'm an attorney, and I'm here as an observer.
MS. JONES: Katherine Jones, I'm staff to the Committee.
MS. CRUTE: Sherrie Crute, I'm a writer for the Populations Committee.
MR. RIAPEL(?): Chris Riapel, chief privacy officer at Gambril.
MS. CANAAN(?): Susan Canaan, writer for the Committee.
MS. JACKSON: Debbie Jackson, National Center for Health Statistics, Committee staff.
MR. FANNING: I'm John Fanning, HHS privacy advocate.
MS. WALWORTH(?): Shelly Walworth, Unicorn Medical.
MS. EPSTEIN: Anita Epstein, Joint Commission on Accreditation for Health Care Organizations.
MS. MONICO(?): Carole Monico, American Osteopathic Association. I'm here as an observer.
MR. ASTON: Phillip Aston from the Institute of Medicine.
MS. BEBEE: Suzie Bebee, NCHS.
MS. ROTH: Dominica Roth, NIH management intern, I'm here as an observer.
MR. RHODES(?): Tom Rhodes, National Institute of Standards and Technology, member of the Consolidated Health Informatics group.
MR. EDINGER: Stan Edinger, AHRQ, and lead staff to the Quality Workgroup.
MR. HITCHCOCK: Dale Hitchcock, HHS, staff to the Committee.
DR. LUMPKIN: Ok, thank you very much. I'd like to remind everyone that we are going live over the internet, so I will be asking you to continue to speak near your microphone, closely, so it can be heard by those who are attempting to telecommute and appreciate this meeting. And for those of you have taken the opportunity to listen to that you know that it is very helpful that everyone can be heard.
We're going to have to play around with the agenda a little bit just because of timing and arrival of various individuals. Marjorie as I mentioned is stuck in traffic, she has communicated, and as we understand it the people who live in this area, no matter where they may have come from, even if they come from Minnesota, North Dakota, those kinds of places, they forget, and they start taking on the characteristics of people who have never driven in the snow before. And Karen is also stuck in traffic coming from Maryland.
So we're going to switch the agenda around. Jared has been kind enough to, since she's here early for her to time slot to start off, which will allow her to get back against traffic and so we're going to start off with the CHI. We're then going to move into updates from the Department and we're going to kind of flip those around a little bit to give Karen time to make it. Jared, welcome.
MS. ADAIR: Thank you, and perhaps it's my ten years of working in the Department of Social and Rehab Services in Montana that allowed me to get here on a timely basis this morning. But thank you, and I don't want to steal any of Karen's thunder having to do with HIPAA and the regulations that we put out, so I will move directly into a report on the Consolidated Health Informatics Project Initiative.
Let me just refresh people's memory a little bit about what we're doing on that effort. It is an effort to adopt, I want to emphasize the word adopt, a vocabulary and interoperability standard that the federal government can be using. And obviously when we do something like that it's important for us to acknowledge to our business partners what we're doing so that they can appreciate where it is we're moving.
What I wanted to talk about today was a little bit about our approach so that people can see the progress that we're making. And what our plan is is to come up with the domains, what we're referring to as a portfolio of domains, that we would like to be adopting standards in. And once we finalize that in the federal government we want to share it with you all and we want it to be shared outside. And they would be the areas that we'll be looking in. And in each domain, for example, there will be things in there along the lines like physical exam, immunization, etc., etc., that we will have teams of folks that represent HHS, DOD, VA, whatever, that will go off in a very structured approach and take a look at what the vocabularies, what the standards are out there, and come up with an opinion as to what the best for the federal government to adopt is. Those groups would then come back, make a presentation to the CHI council, we will then come up with what we believe we should be adopting.
I think it is important to know that none of us will be surprised that if the opinion of the group, of the team, there may not be a standard out there that is mature enough for adoption at that time. So what we would want to do is to come out and publicly with you all and say to the industry we would like to have adopted something but we do not find a standard that is really at that point, and kind of work through well what do we do. How is it that we, obviously something we all felt strongly should have had a standard, but what is it that can be done within the industry to move those standards along to a point where it would meet the vast needs that we have? So we'll want to be having conversations about that.
But we are moving, we are having groups right now taking a look at some of the domains that we want to be working on, as soon as I get a final listing I will share it with the Committee, so that we can have conversations about what the areas are that we would like to take a look at.
I'd also like to bring you up to date a little bit about where we are on our OMB business case. As you all may remember, we are one of the e-Gov initiatives, and we have a business case that we have to prepare for the Office of Management and Budget. I believe that we're very close, we got some final edits from them, we're working on those, people like Jim Scanlon and some of my staff are taking the modifications that were suggested and trying to improve it. I think everybody at the face value says wow, that's an important project to be doing, and now we really find ourselves in a position of dotting the I's and crossing the T's to move that business case forward.
So what I would like to leave you with is that we're working very hard. I'm very encouraged and very thankful, the participation that we have notably by DOD, VA, HHS, as well as our partner from commerce of NIST, National Institute of Standards and Technology, so that it really is as we look around the table we feel like we have good representation to be doing the work that has been put in front of us. So I think that's really what I wanted to leave you with.
DR. LUMPKIN: Ok. Are there any questions? Well, we'd like to thank you very much for coming. We all appreciate that there are a lot of things going on and there's a tremendous amount of momentum that has been building around this initiative, and we look forward to, hopefully you'll be here at our next meeting with additional things to say.
MS. ADAIR: Well, better weather would be nice.
DR. COHN: I actually just wanted, as chair of the Subcommittee on Standards and Security, I actually wanted to thank Jared for leading up very good work. Obviously everyone sort of needs to know that we're closely partnering with the work of the CHI and we're sort of expecting that at least for the near term future that CHI will be a standing agenda item for all Subcommittee hearings coming up. So I just want to make sure the public knows about that.
MS. ADAIR: And my appreciation also Simon and to Jeff, we have called on them on many occasions to kind of say could you help us, and they have been both forthcoming with their thoughts as well as their time, so thank you, it makes our job a lot easier. Thank you.
DR. LUMPKIN: Thank you and safe travels. We're going to start off with the follow-up with the updates from the Department. Jim?
MR. SCANLON: Thank you, John, and good morning everyone. Since we met in November I guess it was we've actually had a lot of very positive developments in the data policy and the NHII generally. There's a lot of interest in the recognition in HHS clearly about the importance of the NHII and the potential it has to improve health and preparedness and a number of other areas.
In terms of the report this morning, Stephanie Kaminsky is going to update you on where we are with activities related to the privacy reg. Karen later this morning is going to update you on where we are with the HIPAA Administrative Simplification data standards, and there we've actually got a fair amount of progress to report since the last meeting. And I'm going to try to focus on some other activities including the President's ‘04 budget and sort of how it looks at NHII and information technology issues as well as a couple of other things that we've reporting to the Committee.
So let me start first of all on the President's budget for HHS for fiscal year 2004, the President sent the budget up a couple weeks ago and it includes in the HHS budget some very interesting and positive initiatives relating to the work of the Committee and the National Health Information Infrastructure, our data standards and data policy generally. And as I said I think it is increasingly reflecting an understanding of the potential that the NHII and data standards and so on can make to the health sector generally in public health. And I think it also reflects sort of an increasing federal role, at least for certain kinds of activities.
And let me start with a couple of things that are in the '04 budget. In terms of overall perspective, the HHS budget for fiscal year '04 is about a little over $500 billion dollars, which is a seven percent increase over the President's '03 budget, but most of that, in fact probably three quarters of that, is really related to a mandatory side of the budget, the entitlement programs, Medicare and Medicaid, and welfare and reform. The discretionary side of the HHS budget is around $65 billion, and that really is the budget for most of our programs outside of Medicare and Medicaid and welfare, the NIH, FDA, CDC and so on.
At any rate, within that discretionary side of the budget, there are some interesting NHII kinds of activities. First of all, overall at the Departmental level, in my office, the budget includes an increase of about $3 million dollars, it's basically called the National Health Information Infrastructure Initiative. This is Department wide, the purpose is to accelerate the development and adoption of the technology and the standards necessary for electronic health record systems and their use by the health care and public health sector, as well as support for the National Health Information Infrastructure broadly. So this is actually a very positive thing. I think we look upon this, should the money actually materialize in the appropriations process, this would serve some of our functions of overall strategy and planning and coordination, some of our leadership and convening activities, and I think we could use some of it as well to field some cross cutting and sort of gap filling activities across Departmental level on the NHII.
It would include coordination within HHS and with other federal agencies, as well as states, local and industry groups, to promote and accelerate the NHII. And again, there's a large focus on the adoption of voluntary standards, but not only that. So at the overall Departmental level we have an NHII initiative, and I'm, I think the direction and the policy is at this point almost more important than the amounts of money because the amount that ultimately is allocated can change.
Within HHS this is a joint initiative between AHRQ and ASPE, my own office. There is a proposal and a request for about $12 million, the initiative is from the following, accelerate the adoption and use of information standards and technology to support health care quality and patient safety. So along with our other efforts devoted to improving patient safety and overall health care quality, we now have a request for about $12 million dollars to support the standards side of this. And it would include many of the vocabulary standards that we've talked about, that Jared alluded to as well. It would include support for some of the standards activities, and more continuing support for some of the standards activities, some of the standards themselves. So again, that's a very positive effort. It would actually enable us to promote and support some of the standards work on a much more continuing basis and on a much more substantial basis.
Again, in the AHRQ budget, this is the secretarial initiative, it was developed by our office along with AHRQ, again, focusing on patient safety, obviously patient safety was a big part of the Secretary's theme in the '04 budget.
There's another initiative of about $50 million dollars that is focusing on improving patient safety through hospital information technology. And here AHRQ is requesting funds that would support a variety of activities aimed at improving health care quality and patient safety by promoting and accelerating the development, adoption and diffusion of health information technology in a variety of important health care settings. And specifically HHS was asked to, if not exactly a set-aside to give to preference for about half of the money for small and rural hospitals. I think the belief was that the small and rural hospitals don't necessarily have the resources that some of the other hospitals may have. And then the remaining half, roughly $25 million would be used to support traditional research and demo projects in the patient safety and health care quality across a variety of practice settings.
So those are overall initiatives in the budget. In addition there is a $10 million dollars increase proposed for the public health information network, which I think we've briefed the Committee on before. This is basically the infrastructure backbone that CDC has been working on. It includes NEDS(?) and a number of other public health information infrastructure capabilities as well. That would get it up to about $60 million per year.
There's also a $10 million dollar increase for the National Library of Medicine. And one more initiative that actually was announced in November, I think I've left or will be leaving a press announcement at your places, it's an integration effort relating to patient safety. We have underway in HHS an initiative that would try to integrate existing patient safety reporting systems really in a web-based kind of a framework and it's really integrating these at the front end. So some of the FDA reporting and some of the CDC hospital reporting would be now able to, when completed, would be able to report through kind of a one-stop front end web-based capability. For the '04 budget, about three million dollars is requested for that activity. So at that point the design work would be over, some of the testing would be over, and soon there will be some implementation as well.
There are some other additional NHII activities that are not related to the budget, and let me describe those quickly as well. In our HHS convener role, we are planning a national meeting on the National Health Information Infrastructure, June 30th through July 2nd here in Washington, I think Bill Yasnoff has briefed some of the subgroups as well. The theme will be NHII '03, developing an agenda for the NHII. The goal is to identify the consensus that does exist, and to try to come up with an action agenda for, a national agenda for the NHII, not just a federal agenda.
There are plenary sessions planned that would begin with expert presentations and then there are a variety of breakout sessions planned to consider recommendations in eight areas, and let me describe what those areas are. The first is research and population health, public health, the second is homeland security. The third is consumer health, the fourth is financial incentives, the fifth is patient safety and quality. Sixth is standards and vocabulary. Seventh is architecture, data architecture, and eight, I think this is eight, privacy and confidentiality. The breakout sessions would have an expert who would be the facilitator and then each of the breakout sessions would report back. And the hope is to be able to identify consensus and pull together more or less in one place the kinds of steps that everyone thinks could lead us to the goals and then the steps leading to progress on the NHII.
We're also pulling together an inventory or portfolio of all of our NHII related activities in HHS and we have someone working on a web-site for communications purposes to let everyone know what's going on on the HHS web-site.
Related to the NHII again, and again this is with the point of pulling all of this together, you'll recall when you had a chance to review and comment on our HHS strategic plan revision that we were including several goals and objectives relating to the National Health Information Infrastructure. The strategic plan is now sort of going through its final revision, we were trying to incorporate all of the comments that many of you sent in. And we have actually under the overall goal of improving the quality of health care services we still have some objectives relating to accelerating the development and use of the National Health Information Infrastructure with several sub-goals which I can provide to you later. So these areas, threads and activities are beginning to come together for an overall part of the Department's way of doing business.
I wanted to update you on one more thing that we talked about in November. Recall that I described to you what initiative to develop a statistics, a data and statistics gateway, in essence a one-stop web-based gateway, user friendly, that would pull together all of the web-based statistics and research and evaluation information that our HHS agencies have on the web, basically pulling it together into one overall web-site for HHS. So that if you were looking for information you didn't have to know exactly what that survey was called or what agency did it, you're looking for information on state health insurance coverage, you could come in and if you know exactly where to look for it we provide some easy ways to get there. But if you don't we have a user friendly search capability so that you can probably find it. It basically takes you to all of the major holdings that we have in HHS on the web. It's only federal and public activities, we didn't quite extend it to other activities, there has to be some federal support or federal sponsorship of the activities.
I think I've left at your places the first page of the statistics gateway as well as some of the relating pages as well. The gateway is now operational. It's relatively plain, it's like that google, nice plain google first page where there's a lot of white and you just go in and search. There's not a lot of spinning globes or compasses or anything like that. You go in and you do your business and we help you find that. It's now operational at www.aspe.hhs.gov/statinfo, and here we also have, we really attempted to pull together pretty much all of our resources and statistics that are available on the web. We include access to our policy information center, which includes virtually all of the HHS sponsored evaluations and policy research, going back to the ‘70's. We have our metadirectory of HHS data systems, which not only describes the system but usually has a link to the data system as well if there is one on the web. We have shortcuts to the web pages of our major HHS data systems. There are probably two dozen major data systems that are the workhorses of most of our statistical activity.
And we also have links, this is really for convenience, to the published literature through NLM pub med. So really if you're looking for the published literature, we sort of get you out to NLM quickly. If you're looking at research grants and progress, we're using the NIH crisp(?) system which has a description of virtually all the project grants that are underway at any given time. We now about 2500 URL's, we're updating them and they're continuing to grow. And finally, we have updated our metadirectory of HHS data systems. There are about 200 of them, these are actually data projects and systems, and probably by the end of next week we'll have that available and up on the web as well.
And just quickly in terms of NCVHS recommendations, we've actually caught up with most I think of the moment. The Secretary has answered the Committee's November 25th letter that outlined a number of concerns about the implementation of the privacy reg. I think that's in the agenda books. And I think the most recent activity is the vision, the completion of the vision for health statistics report and I think we're going to schedule a presentation to the data council on that report probably in March, if not then, in April. So let me stop there and take any questions.
DR. LUMPKIN: Any questions for Jim or the report on the Department? Richard?
DR. HARDING: I'd just like to offer appreciation for those who in the one area where there was a $50 million dollar initiative of hospital information technology, to designate some for the rural small hospital, that was a very wise thing. One of the things that we heard in our testimony at Privacy was the difficulty that a little hospital in rural Utah had getting any kind of help and that's a very important issue, symbolically if not with tremendous amounts of money to initiate. So we appreciate that.
MR. SCANLON: I think to some extent a lot of our research demo money in information technology goes to the high end, as it does in biomedical research generally, it goes to the academic medical centers and clearly the high end centers that actually have informatics staffs and research staff and actually have a lot of resources to begin with. So there really was a desire here to certainly continue that, but to also begin to focus on applications that would be useful for regular community hospitals or small and rural hospitals as well. And that's what I think some of that was focused on.
DR. COHN: Jim, obviously, thank you. I agree with Richard about the 2004 plans. I was just reflecting that for various reasons, obviously we just recently passed the 2003 fiscal year budget as I understand, and I was wondering if you could reflect at all on, not what the plans were for asking for money but how some of this has turned out for 2003.
MR. SCANLON: Well, let me try. The '03 budget was just signed by the President last week and it's an omnibus bill, which means that everything was kind of thrown together, and I think we're still trying to sort out what the details are. So far we have sort of the, we know what the amounts are for our various agencies but we're still getting the text. So we're still sorting that out. But there is, interestingly, in the '03 budget there is a $4 million dollar amount, I don't know the mechanism yet, to the e-Health Initiative Foundation. It looks like it will come out of our Office of Telehealth, I think that's probably where it will come, and it's basically for some, it looks like demo projects, to support the NHII. So we'll be working with that office to see how this could all make sense. I'm not sure what the mechanism will be. That was something that the Congress added, it added a lot of things, obviously, and that was one of the things, but that's actually a very positive thing.
In terms of the actual legislative language for our agencies I think we're still, Simon, trying to sort that out. But obviously we're looking towards continuing the HIPAA activities, we'll be moving into the implementation and enforcement mode later this year. Most of our research and statistical activities I think have, are actually moving ahead with some increases, but I think at the next meeting we'll do a little summary across down the '03. We're actually still trying to sort out '03 and in fact most of the agencies are still putting together their spending plans based on what the final budget looked like.
MR. BLAIR: Jim, congratulations for getting all of these items into the budget, I'm really pleased. Could you clarify something for me in terms of the way it was characterized? For example, the initiatives to accelerate the development of standards was for quality and patient care as part of the National Health Information Infrastructure, which of course is appropriate, but I was wondering why it was focused on those two goals and not the additional goals of being able to respond to bioterrorism, public health, and addressing efficiency in health care.
MR. SCANLON: Well, the NHII initiative at the Departmental level is focusing on all three, Jeff, and that is meant to be some discretionary funding at the Departmental level to sort of move things ahead. And that will focus on quality and safety and effectiveness, protecting and promoting health, and strengthening the nation's public health preparedness through improvements in the NHII. But specifically with AHRQ, the Agency for Healthcare Research and Quality, there clearly was a Secretarial interest in moving ahead on patient safety and quality, and there the focus was, and this is really interest really at the Secretarial level and higher, that we wanted to move, this is the same information infrastructure obviously, these are the same standards that will support, this is the same information of structure, I think that's the point we keep making to everyone. At least we have to make it that way. But the theme there was, the highest priority I think for that agency was to move ahead in the patient safety and health care quality area, so there's this $50 million dollars, it's basically a grant program. It includes as well additional $12 million that again provides us some way of supporting some of the general standards activities. So in that sense, Jeff, it applies to all of the, the whole NHII, and standards across the NHII, voluntary standards across the NHII. So efficient quality and safety was clearly a thematic priority.
MR. BLAIR: So this is the President's budget and do we anticipate that it will be September or October before we get Congressional approval for this, is that the process?
DR. LUMPKIN: Jeff, which year do you mean?
MR. SCANLON: You never really know, hearings have started already but it's really hard to predict how the appropriations process will turn out and when it will turn out. This year, for example, we were quite late, we didn't really get an '03 budget. The fiscal year begins in October, we just got an '03 budget last week, so it's hard to predict, that's a different branch of government.
MR. BLAIR: Well, congratulations again for having it be reflected in our budget.
MR. SCANLON: And these are all ideas, actually, that came out of the Committee's work, I think all of you will recognize that a lot of these themes and certainly a lot of the specifics came right out of the Committee itself, so I think we can all be proud that we're actually making some progress.
MR. LOCALIO: I have one last comment that I hesitate to make but I want to put the funding in perspective. $50 million dollars for patient safety focus is certainly a vast improvement over the type of funding that was available a couple of years ago, but we're talking the equivalent of ten seriously injured patients, and the cost of taking care of them if those injuries occur. So $50 million dollars is not a lot of money in perspective of what the Institute of Medicine says when they say between 40,000 and 100,000 people die every year as the result of errors. So I think when we talk about investment in this area, we have to consider that whatever is invested may benefit people immediately, and I'm not sure that $50 million dollars is adequate given the numbers we're hearing from the Institute of Medicine.
MR. SCANLON: Remember, Russ, this is only on the health information technology side, and to be honest, this is to run the prevention side. If health information technology could be marshaled to actually help prevent and mitigate some of the errors in the first place, then I think that's really what the goal here is. But you're right, this is just a demonstration project, this is not a general assistance or general support kind of program.
DR. LUMPKIN: Thank you. Maybe we should move on to the next section. Stephanie?
MS. KAMINSKY: I'm here to update you on OCR's activities since we last met, and there have been many.
DR. LUMPKIN: Do you have any deadlines coming up that we need to know about?
MS. KAMINSKY: Is that a trick question? The countdown is on to April 14th when the compliance deadline will hit. And in preparation for that let me tell you some of the activities we've been involved with. First and foremost, in the last month, we have been putting on, we are in the midst of putting on four large scale national privacy conferences across the country. We have been working closely with regional directors in four different regions, and with university cosponsors. The first conference was February 5th in San Diego, the second one was February 18th in Atlanta, which I'll talk about in just a moment. And then this coming weekend on Saturday, March 1st, we'll be doing a conference in New York, and on Sunday, March 2nd, we'll be doing one in Chicago. And actually I wanted to mention that we've been pleased to have the participation of CMS at the table, at these conferences to assist us.
The conferences have been broad based, they have been an initiative really not targeted to a particular audience, but meant to hit a wide audience, and in fact we have had wide audiences, coming from different parts of the industry and with different levels of sophistication attend. And we have tried to balance providing basic information with providing clarification and answering as many questions as possible to these audiences. We've really filled these conferences and we have conducted these conferences as opportunities for folks to speak to the experts, and we have put our best folks forward to be there to help with these types of clarifications to assist people to get ready for the compliance deadline.
And I just wanted to mention with respect to the Atlanta conference, which was scheduled and actually happened miraculously last week, that actually was on February 18th, which was at the tail end of President's Day weekend when everyone was marooned here in Washington, so the faculty couldn't get there and it was quite an ordeal. It was amazing, an amazing amount of finesse went into having the conference occur but through amazing teamwork and Pictel and great technology we pulled off the Atlanta conference I'm very pleased to say.
Anyway, in addition to these privacy conferences that have been going on, we continue to do the routine outreach activities that we have been doing all along. Staff are busy out there making numerous presentations, both central office staff as well as regional office staff, all of whom have been trained at this point in detail on the rule, of course. And all the operating divisions are very busy doing their own sets of presentations to their own stakeholders and constituencies as well as assisting in developing some technical assistance materials.
And speaking of technical assistance materials, we are working on the targeted technical assistance materials that we reported about last time we met. These are going to be targeted, or they are targeted to various sectors of the industry, unlike our guidance which kind of talked about various issues, broken down by issues, these documents that we're working on now are meant for non-institutional health care providers, institutional health care providers, health plans, clearinghouses, and they are trying to give these soup to nuts explanation of the privacy rule for these audiences and what these particular groups need to do in order to be in compliance. So that is a great project and I think we'll create some very helpful materials.
In addition, we are working closely right now with CMS coordinating activities regarding the enforcement rule. There have been some stepped up activities recently to develop an enforcement rule and we are working in a very tight timeframe, and again, trying to work very closely with CMS to make sure that this enforcement rule is something that will work for both, all of the enforcers of HIPAA, and that will be applicable to all of the pieces of HIPAA.
In addition, we are currently bulking up on our staff in anticipation of the onslaught of complaints that may be coming through the door come April 15th. We have, the notice has been published and I think it's already closed and we're in the midst of reviewing lots and lots of quality applicants for slots both in central office and around the country, and that should really help with stepped up activities as we move forward.
And then last but not least a couple of publications in the Federal Register I just want to mention. In December there was a publication with a sample or proposed electronic complaint form, this was for all of OCR activities, including the privacy rule, actually there may have been two different complaint forms, I apologize, I can't recall now, but there certainly is a privacy rule complaint form that was submitted to the Federal Register, it would be an option for submitting a complaint. Certainly, anybody who wanted to submit a paper complaint still could do that, so we've received comments on that, and we'll be finalizing that shortly.
In addition, we are about to publish in the Federal Register information about how to submit exception determination requests, the address to submit these if a covered entity, or I suppose anybody who wants to submit a request to OCR to make an exception determination regarding preemption of their state law, there is a provision for that in the statute and in the reg and we are moving forward with the process about how to do that. And that should be, as I said, we are to submit that and the conditions around that, even though they're already out there, will be restated in this Notice in the Federal Register which will go out shortly.
Soon we will be publishing in the Federal Register as well as on our web-site the addresses, the address to submit complaints. And last but not least, because of the publication of the security rule, which I'm sure we'll hear about soon, the final security rule changed, this is sort of technical, but it changed where some of the definitions are in the whole HIPAA regulatory paradigm, and so what this means for us is we'll be updating our combined reg text soon in order to make it accurate with the placement of where certain definitions currently fall based on the changes from the security rule.
So that's the short and sweet version of everything we've been working on.
DR. LUMPKIN: Great. I don't see any questions, Simon.
DR. COHN: Stephanie, I'm obviously delighted to hear that obviously things are progressing forward. As you begin to talk about the enforcement piece I was obviously reminded that we are talking about one enforcement rule with two enforcing agencies, and for privacy it's going to be OCR and the rest of it's going to be CMS as I understand. Do you anticipate that there's going to be any overlap confusion or issues around the enforcement? I'm just sort of thinking that pieces of privacy are obviously privacy, other pieces are actually security, and how is this all going to be untangled as we move forward? Do you have any thoughts on that?
MS. KAMINSKY: Those are the kinds of issues that we're working on closely right now. There are sort of two sets of issues and I'm not sure which one you're referring to. There are substantive issues that we need to kind of work through together in terms of defining certain key triggers about when an enforcement action is going to be happening, and then there are some procedural kinds of issues that need to be worked out in terms of what the process will look like to the public and even internally, and those are the kinds of issues that we are working on right now. There will be overlap because there needs to be overlap because it's going to be a rule that applies to both agencies.
DR. COHN: Maybe just a comment, that probably we need to consider having maybe joint hearings between Standards and Privacy on the enforcement issues later on this year.
DR. LUMPKIN: My understanding is that enforcement rule is also going to cover transaction standards, ok, so that I think would be good timing to do that. On the list I have Mark, and Kepa, then Jeff.
MR. ROTHSTEIN: Stephanie, just one brief question. Do you have an idea of how many new staff positions you're seeking to fill?
MS. KAMINSKY: I am not quite sure, I will try to report to the Privacy Subcommittee on that question sometime tomorrow, I don't know what the actual number ultimately will be.
DR. ZUBELDIA: Stephanie, one of the documents that your office has produced is extremely useful, and that's the consolidated regulation text. I would like to see more promotion of that document so when people see the privacy regulations they have one place to look at what all the privacy regulations mean after the amendments and all that. But I have a concern with the document in that it says unofficial. Is there any plan or any possibility of removing the word "unofficial" from that document? Since it's been produced by your office and it's just a copy of regulations?
DR. LUMPKIN: Let's see, that's a doctor asking a lawyer if the hedge words can be removed.
MS. KAMINSKY: I'm not aware of any plans to remove the term "unofficial", I think it has to do with the fact that it's not what's been published in the Federal Register and what's in the Code of Federal Regulations, but I will --
DR. ZUBELDIA: It is the CFR.
MS. KAMINSKY: Yes, it will be ultimately, I'll take it under advisement and discuss it with some of the folks at OCR.
MR. BLAIR: Stephanie, I remember back in September in the Privacy Subcommittee we wound up talking a little bit about how we would wind up reaching out to the small ambulatory practices to help them have a better understanding of what the privacy regs are and are not. Are you able to kind of brings us up to date a little bit on that particular focus?
MS. KAMINSKY: Well, yes, I think that the most targeted way that we'll be doing that is through these targeted technical assistance materials that I mentioned earlier, that we will be having a segment for non-institutional providers and that will cover this group that I think you're talking about. And in addition, as we have been conducting these privacy conferences, as well as some of our activities with CMS on HIPAA roundtables, and in particular there are physician open-door forum phone calls. We have tried in little ways to reach out to these communities and again, in lots and lots of small scale presentations that have been going on throughout the organization.
MR. BLAIR: Have the professional associations begun to take advantage of these additional information resources and get them disseminated to the target market?
MS. KAMINSKY: I'm not sure, I'm not sure, we're doing them, I'm not sure what the take-up is.
DR. DANAHER: Stephanie, it's a little bit of follow-on to Jeff's points. I think that there were a couple of themes that came out of the Subcommittee meetings, and I just want to, let me just go back and say I do think that these roundtables are very, very useful. I would just say I think that there were a couple of themes that I'm not so sure a couple of months later now we've made as much progress as I guess perhaps I would like us to have made. One of them is really kind of demystifying the whole state preemption analysis piece. I don't know whether people are any more clear on that, especially organizations that have multi-state operations. I know that we heard a lot from the universities and hybrid organizations and they were pretty flummoxed in how to move forward. And I understand that some of this targeted guidance will help them.
And then just to Jeff's point, I'm not getting a sense that these privacy roundtables are particularly getting a good draw, maybe I'm wrong, from the small providers. And so I don't know whether we've done a good enough job of enlisting the state medical societies. So I guess, just to, the point of my comments I think would be I would just encourage people to go back to I believe some of the good observations we made from those hearings, because I thought they were quite useful, frankly, and just, to ask, I mean here is my fear. April 14th 2003 is going to be here any day and there's going to be about two percent of the small providers who really have done, I'm just being theoretical here and throwing out that number, but really kind of have done anything in terms of HIPAA. So anyway, it's just a plea to go back and look at those recommendations and ask OCR to make sure that they really focus in on some problem areas and make sure that we continue to be proactive in our initiatives.
MS. KAMINSKY: Ok, thank you.
DR. LUMPKIN: J.P., since there are three John's I'm going to get confused here.
MR. HOUSTON: Maybe I missed, could you just simply restate what the targeted guidance is going to be, what were the focus groups again?
MS. KAMINSKY: You know I don't have them with me but there's institutional providers, non-institutional providers, health plans, group health plans, clearinghouses, consumers, it may be just those.
MR. HOUSTON: Was there any decision or thought to try to break up some of the institutional providers by size?
MS. KAMINSKY: There's also some public health materials coming out but I can't remember how they're classified, I'll take that with me, again, to the Privacy Subcommittee meeting tomorrow. But, sorry?
MR. HOUSTON: I guess one of the concerns that I have is that it seems as though OCR and some of the guidance that has provided to date is focused towards maybe some of the smaller or mid-size providers, and I think it wasn't meaningful for some of the large integrated delivery systems, academic medical centers. And I think that in talking to individuals from the OCR and other forums that they were most concerned about providing guidance to some of the organizations that maybe didn't understand their obligations, maybe a little smaller, less sophisticated. Yet I think the complexity issues is magnified compounded in the large IDN's and integrated delivery systems and academic medical centers, yet I still don't see that void being filled. We've got some fairly complex questions that just don't seem to get answered. And I think at the same time even those, since OCR is going to be doing enforcement on a complaint driven basis, we're likely to be, large systems are likely to be the first that are going to get engaged there. Again, I think we're really asking questions and I think it would help to have some type of focus towards these large, focus on guidance for some of these large, complex systems.
MR. LOCALIO: Stephanie, in spite of the many statements in the Federal Register and in the guidance documents about research and how research should not be adversely affected by the privacy rules, there is panic in the research community because of the reaction that is coming from potential participants that say they can't participate, they don't want to participate because of the privacy rules. And the fear not of transgressing the privacy rules but of litigation. So I know you've talked about providing specific guidance for those entities that are subject to the regulation, but what about providing guidance to the research community on how those people can get their work done? Because, you must understand when I go home, if I make it home tomorrow, I will be placed in a very different forum and from the perspective there it's how are we going to get our work done? We can't recruit patients, we can't do multi-center studies, nobody's willing to give us access to the patients even to get patient consent, because of the privacy rules. So I think OCR should understand that although the best of intentions, and although fair reading of the privacy rules would indicate that research can be done, the research community must have the understanding of the regulated entities in order to do their work. So we have to educate the regulated entities, we have to educate the hospitals and health systems in order to be able to convince them that they can release information. So the research community therefore has to be educated on how to educate the regulated entity. And I know it may seem like guidance twice removed, but that's really where the education has to occur, at least from the perspective of the research community.
MS. KAMINSKY: It's my understanding that the folks who work on privacy at NIH are very tuned into this need and this problem and we have been working collaboratively with the NIH privacy team. They themselves are working on special technical assistance materials right now, comprehensive technical assistance materials for the research community that I kind of glossed over when I was going through the roster of materials that are being developed right now. And I think that certainly OCR is quite aware of this anxiety in the research community and takes every opportunity it has to educate all the covered entities that it does outreach to about how the rule works with respect to research and the fact that it's not the intention of this privacy rule to clog up the information flows necessary to conduct research. But again, your points are well taken and I'll share them.
DR. LUMPKIN: If I could just add to that suggestion, if the NIH is working on something with OCR it's going to be important that it comes out with OCR's name on it along with NIH, because while the research institutions look to NIH for guidance, the non-research institutes, if they're going to look anywhere, it's going to be to OCR and they'll want to see that moniker on there.
DR. DANAHER: Stephanie, if I could just put in one plug. This is one man's opinion, I think that there's going to be a tendency and undoubtedly public pressure for the nature of the work that OCR does to radically shift kind of pre-April 14th, post April 14th. I have this scenario of that you're going to be inundated with complaints and the process is going to be complaint driven, etc., and I guess what I would just really ask you to take back, at least my opinion is, this educational campaign and this addressing of all these problematic areas, as much as possible needs to continue on past April 14th. In other words I'd hate for there to be a kind of educational mindset pre-April 14th and then an enforcement mindset, you get what I'm getting at. I just think that you just have to keep pushing education and clarifying these areas, etc., long past April 14th.
MS. KAMINSKY: I do get what you're getting at and you state it very well. I will say, though, that for me one of the most interesting pieces of the privacy conferences that we have been delivering publicly in the last month, has been to hear the director of OCR, Rick Campanelli, talk about his vision for how enforcement is going to work. And we have been talking publicly repeatedly about a voluntary compliance stance that that will be really the approach that we are taking, I mean certainly if it comes to a point where voluntary compliance doesn't work we will take the appropriate actions. But there will be a very large focus on continuing to give technical assistance and helping covered entities understand what they're obligations are and sort of bringing them up to speed. So I think that while your point is very well taken, don't forget to continue to generate guidance as needed --
DR. DANAHER: Provide technical assistance.
MS. KAMINSKY: -- that technical assistance component and education component will be part and parcel of the enforcement work that will be going on.
DR. DANAHER: It's part of that, and I'll stop after this point. It may behoove you to up front put a triage system in place in the sense that what, not only are you going to get, I perceive you're going to get inundated with complaints coming from different things and you're going to have some obligation to respond in a timely manner to these things. I mean I think that they're clearly going to be those complaints that technical assistance and education will be called for, there are also obviously, it would seem to me be a hierarchy of things that immediate intervention or interaction will be necessary. So some way of up front kind of keeping, to triage these complaints I think will be go a long way to enhance your effectiveness. Thank you.
DR. LUMPKIN: I think we're going to take a 15 minute break.
[Brief break.]
DR. LUMPKIN: Let's get going again. Karen, welcome, and we thank you for your Herculean effort. I think sometime in the first hour and a half of your three hour trip some of us might have been inclined to sort of bag it and go back home, but we appreciate your persistence in coming to join us.
MS. TRUDEL: Thank you. I'm Karen Trudel, I'm with the Centers for Medicare and Medicaid Services, and staff to the Subcommittee on Standards and Security. And I'm here this morning to do two things. The first is a brief update on HIPAA in general and the second is to provide the Committee members with an overview of the security final rule, which was one of the ones that was published just within the last week or so.
First then to the HIPAA update. I think everyone is aware that we have published both the security final rule and the final rule that adopts the modifications to the transactions and code sets.
MR. BLAIR: One second. [Applause.]
MS. TRUDEL: Thank you. Thank you. They were both published on February 20th, and the modifications final rule then will be able to go into effect on October 16th 2003, so that covered entities don't need to implement first one version and then another version of the standards. So that's a really significant undertaking and one that I'm sure, that I know the Committee and Subcommittee were both very concerned about happening. We have been, three additional regulations that are in the process in the Department, the provider identifier final rule, the plan identifier proposed rule, and the attachments proposed rule as well, and we are working with the Department's Office of General Counsel who has the lead on developing regulations on enforcement of both privacy and non-privacy aspects of HIPAA. So that's my update on regulations.
Let's start by talking a little bit about the security final rule. It was printed in the Federal Register on February 20th and the citation information is here on the screen. The effective date will be April 21st, because again it is a major rule that requires Congressional review, that makes the compliance date April 21st 2005 or April 21st 2006 for small health plans, which as we know all get an additional year for new standards. And we do have a PDF version of the document on the CMS/HIPAA web-site.
Just to recap, the purpose of the security rule was to ensure integrity, confidentiality and availability of electronic protected health information, protecting against reasonably anticipated threats or hazards and improper use or disclosure. The scope of the security rule is all electronic protected health information, and that's a little bit different than the proposed rule because the proposed rule had expanded it a bit and we have now synced up the definition of protected health information with what is in the privacy rule. It covers data that is at rest and in motion, and it applies to all covered entities. And what that means is that if a covered entity performs electronic, if a provider performs electronic transactions, that makes them a covered entity, all of the electronic protected health information that they have, whether it has to do with transactions or not, becomes covered. Conversely, a provider that has electronic protected health information but does not conduct electronic transactions is not a covered entity and the security and the privacy regulations don't apply to them.
The security and privacy are very closely linked. The security is what enables privacy to be implemented and enforced. The security scope is larger in that it addresses not just confidentiality of data, but the standards also address integrity and availability of data, is the data there when you need it, is the data correct or have we made sure that it can't be inappropriately altered. Those are things that are outside of the scope of the privacy provisions. But the privacy scope is larger because it addresses paper and oral protected health information and security is only looking at electronic. So if you look at it as a vin diagram, the center part is security's confidentiality standards and the fact that privacy applies to electronic health information.
DR. DANAHER: May I just ask a quick question?
MS. TRUDEL: Certainly.
DR. DANAHER: Those last two slides, this is my ignorance, in terms of privacy I knew that once you qualified as a covered entity, then it was all forms or all paper electronic, I guess I was, again this is my public acknowledgement of my ignorance, I thought security also had to do with paper charts and paper records, etc.
MS. TRUDEL: Let me explain why it doesn't, and it's strictly a matter of timing. When we published the proposed security rule we were at that point in time, we did not have privacy regulations at all, and we did not foresee that the privacy regulations were going to cover electronic, oral and paper. And therefore the proposed security regulations covered only electronic PHI. And we felt that adding on requirements for security of paper was going to increase the scope of the regulation to a point where we wouldn't be able to go forward and just publish it in final form. So what we did was to at least put out there security requirements for electronic PHI with the acknowledgement that if there is a need in the future to provide some additional guidelines for paper, that we would have to do that again by regulation.
DR. DANAHER: Thank you, that was very helpful.
MS. TRUDEL: Ok. The general concepts that have to do with security standards are the need to be flexible and scaleable, in other words that the standards have to be something that can be made to work for the smallest covered entity to the largest covered entity, and to acknowledge that everyone's risks are different and that the way to mitigate those risks may be different as well.
They need to be comprehensive. They need to cover all aspects of security, behavioral as well as technical. It's great to have a system that requires you to enter in a user ID and password but if your staff does not know that they can't leave their password underneath their keyboard on a little yellow sticky then you haven't really addressed the whole concept of security. So we're trying to go for all of the aspects. And it needs to be technology neutral because heaven knows these regulations took long enough, and technology is changing incredibly especially in the area of security, we want to make sure that any technological breakthrough that occurs in the next month, six months, a year will be something that will mesh with our standards so that people can take advantage of it.
The public comments that we got were generally widespread support, they said we didn't go far enough in providing flexibility to covered entities, and that we basically just had too many requirements, that we had gotten, in some aspects we had gotten too far down into the weeds. So what we did was to consolidate and tighten the requirements, we had some overlap, we had started with four major categories and in some cases we had access requirements that were physical access requirements that were administrative. We just rolled them all together. We added additional flexibility by introducing the concept of addressability that I'll get into later, and we did spend a lot of time making sure that we were coordinated with privacy. Only one of the things that was an upshot of that was that what originally began as a chain of trust partnership agreement is now handled by a business associate agreement.
Ok, we have standards and implementation specifications. Standards are the general requirements, there are 18 administrative physical and technical safeguards, so we've gone from four general groups to three. There are four organizational standards that relate somewhat to privacy concepts. Those are conditional upon you falling into one of these categories, like a hybrid entity, affiliated entities, group health plans, etc. So there are specific organizational requirements for those. And then there are two overarching standards that cover policies and procedures generally and a requirement for documentation.
The implementation specifications are more specific measures that pertain to a particular standard, they provide additional guidance in detail. For the administrative physical and technical safeguards there are 36 implementation specifications, only 14 of them are mandatory, the remaining 22 are addressable. So implementation specifications may be either required or addressable. Well what do we mean by that? Required means a covered entity must implement the specification in order to successfully implement the standard. You can't do a security analysis without doing a risk analysis. The addressable specifications must be considered, you have to think about whether it makes sense for you to do this. Whatever the specification is, does it respond to a risk that you have? Is it an appropriate way to address that risk? Is it something that is cost effective or is there a better way that you can do it? Implement the specification if it's appropriate, if it's not appropriate, document why it wasn't, and what you did do in its place in order to implement the standard.
So a standard can have, and this has turned out to be a little bit confusing to people, a standard can have no separate implementation specification. The standard is pretty much obvious and there's no need to provide additional guidance. So the implementation specification is basically the same as the standard. It can have one or more specifications, all of which are required, one or more specifications all of which are addressable, or a combination of required and addressable. But the bottom line is that all standards must be implemented using a combination of required and addressable specifications and other security measures that we don't go into in the regulation. We have not set out every possible security measure that people can take and we expect that people will look at the full range of options that are open to them. Covered entities need to document their choices and this arrangement of the addressable implementation specifications really transfers the judgment making process to the covered entity and gives them the maximum flexibility in figuring out exactly what the most effective thing to do would be.
Because this is a little confusing I've provided some examples, and you can see these if you look in the matrix at the back of the regulation. The first example is when there's a standard with no implementation specification, one of those is assigned security responsibility. We didn't think we needed to tell anybody how to do that, you need to pick a person, tell them they're responsible for security, and make sure everybody else knows who it is, and document it. I mean that's kind of, we didn't think we needed to say anything more about that one.
Here's one where all the implementation specifications are required, and that is the security management process. And this particular requirement really is the bedrock of all of the other requirements and specifications, because this is where you do your risk analysis, risk management, sanction policy, information system activity review to set up the policies and procedures for looking back at your system, to find out whether people are putting their passwords on little yellow stickies underneath their keyboard, and whether anybody's trying to hack into your system. So this is the standard where all of the implementation specifications are required, because we felt that you just couldn't do a comprehensive good security management process without doing every one of those other things, which is not so that there aren't a whole bunch of other things that a large organization like Medicare, for instance, would feel that it had to do in order to really do a good job on that standard.
We have another one where all the implementation specifications are addressable, and this is the one that causes the most consternation. Security awareness and training is the standard and the addressable implementation specifications are actually topics that that training could cover. The topics are things like security reminders, virus alerts, log-in monitoring, password management procedures, all of those things are to be covered in the training if they're appropriate to the covered entity. But even if none of the topics are relevant, you still have to do training, and so the covered entity has to figure out how they're going to do it, are they going to do it when people enter on duty, which is how we do it at CMS. Are they going to provide computer based training? Would there be formal classroom training? Would they just do updates at staff meetings? Would there be combinations of all of the above? And what would be the relevant content for the particular covered entity in mind? So even though all the implementation specifications are addressable, you still have to implement the standard, and I think that's probably the best example of how those two things link together.
In terms of a combination, the devise and media control standard requires policies and procedures for disposal and media reuse because unless you have procedures in place for disposing of used media and how you reuse it and what you do with the media before you can reuse it, we don't think that you can have a good devise and media control standard.
Accountability and data back-up and storage, though, are addressable because data back-up and storage really talks about a large organization that might have a data center, it might be moving data and moving equipment and needing to get data off certain hard drives before they transfer them to others, and so a small provider really wouldn't find that relevant to their situation.
Other changes that people have considered noteworthy is that we initially required encryption over an open network. It is now addressable, and there was a great deal of debate about that and what caused us to do that was really several things. One being that there is a great deal of communication now over the internet between health care providers, physicians, who are consulting over a patient's care. We did not want to chill that kind of communication by requiring that it all be encrypted. There were some concerns about how that would fit into telemedicine in the future and might there be a chilling effect there. And there was also a concern about patient to provider and vice versa email communication, and web-based communication.
We also changed a requirement for certification to evaluation and it is addressable. Rather than tell providers and all other covered entities you have to go out and hire somebody to come in and give the seal of approval that you've done all of your security work, we changed it to an evaluation which can be internal or external and is less for the purpose of proving that you did it and exercising due diligence to allowing you to periodically reassure yourself that things are going well. So those are two fairly noteworthy changes.
One thing we've been asked a lot is outreach, what are we going to do about it. In the process of looking at the comments and having the internal HHS discussions, there was a lot of concern about especially small providers who don't have security staffs, who don't have internal audit departments, who don't necessarily have management consultants who can come in and do this for them, and for whom the concept of doing a risk analysis is very much foreign. How can we provide materials for them?
We will be developing technical assistance materials similar to the ones that we've provided for transactions and code sets. And we have started to work on a script for a video that would be security only, and our special target audience for a lot of these materials will be the small provider.
That's it. Any questions?
DR. LUMPKIN: [Inaudible.]
MR. HOUSTON: I actually have read through the security rule and I think it actually does a very good job of really simplifying and make more clear the rule as opposed to the proposed rule. One of the things, though, that I guess I am concerned about is sort of one your last slides which related to guidance. I think that it's very important that though the small providers need guidance, the large integrated delivery systems are the ones that are going to have the most demanding compliance requirements of this rule. There is going to be an enormous amount of confusion because unfortunately most people won't take the time to read through the rule and the preamble and who will understand what you're really trying to get across. And I think there is going to be a lot of questions about technology and deployment of technology and encryption and internal encryption versus external encryption.
So I think that to make everybody's life reasonable who have to work in this field, including myself, I think it would be really helpful to have an extremely aggressive communications plan and to really focus on some of the big providers because they will be the ones who will hammer you with the really technical really detailed questions. I mean I see it will happen and I think if you're looking towards the small providers I think you're missing, you're going to find yourself being inundated by questions by the other end.
MS. TRUDEL: Point well taken and I didn't mean to imply that our only focus would be the small provider, it was just that we needed to have a special focus for them to make sure that we translate this into language that's meaningful to them.
MR. HOUSTON: I think the rule does a good job of allowing people to understand what they need and what their environment is and apply these standards, I mean it really is, I think you did an excellent job and made things more simple but yet more meaningful. But I think you're going to find a lot of high-end questions and really, you'll find them almost to be detail ridden, you'll have a lot, I think you need to be prepared so that with a month or two left in the compliance period we're not still sending out guidance documents, that's going to problematic, so I think the first couple months is where, six months is really where you have to try to hit hard on guidance, especially towards some of the larger providers, that's really, that's going to take 18 months if not longer to implement.
MS. TRUDEL: Understand. I think to address that point we do have something of a head start because we've got a fairly good outreach infrastructure in place and we have a number of partners that were used to going to, so I think it's going to be more a matter of coming up with the appropriate material and just putting them into the pipeline, whereas with transactions and code sets we had to start from square one and build that whole infrastructure. But I do thank you for your compliment on the regulation, I have to confess that I did an interview last week with a reporter and after the half hour was over he said I really have to compliment you, you really simplified this for me, it was much better than the way the regulation was written. And my kind of mental response was you're telling me that I talk better than I write.
DR. DANAHER: Karen, I just a few number of quick small questions. First of all, may we get a copy of this presentation?
MS. TRUDEL: Absolutely.
DR. DANAHER: Great. When will that be after, somehow, or how should we get that through?
MS. TRUDEL: I'll talk to Jackie to figure out how to do it.
PARTICIPANT: Electronically if at all possible.
DR. DANAHER: On your slide about the security management process, remember the one that said risk analysis, risk assessment, etc? And this is kind of a nitpicking question, why didn't you have in there development of security policies and procedures? Is that where that kind of step exists or?
MS. TRUDEL: That's an interesting question. Actually I think the development of the policies and procedures occurs throughout, so that for each of the standards and implementation specifications you probably need policies and procedures. And you'll see in the rule, in a number of different places, it will say establish policies and procedures regarding blah, blah, blah. I think where those all come together is partly in the security management process and partly in the standards that cover documentation.
DR. DANAHER: Just so I can understand this, you changed the requirement, the privacy training requirement has a number of stipulations. Originally we said you had to be documented and trained every three years, now new employees, change in the regs, etc. Do those same guidelines carry over for security, in other words that people have to be trained within a reasonable period of time and if the reg changes, so on and so on? Do the same things that govern privacy training also govern security training?
MS. TRUDEL: We didn't require it but certainly as organizations look into how they're going to do this, it almost would make sense to do the security and the privacy training together if at all possible, and then the kind of the documentation just kind of rolls from that.
DR. DANAHER: For privacy --
MS. TRUDEL: We didn't require it.
DR. DANAHER: Ok, great. So is that a little bit of what you mean when you say you changed it from requirement for certification changed to an evaluation, that you don't require documented training or --
MS. TRUDEL: No, we do require that all of the policies and procedures be documented. What we don't require is that periodically you pay a consultant to come in and do an audit and look at your documentation and go through and do walkthroughs of your facility to make sure that you're doing all the things that you say you're doing, that that is really a matter of the covered entity having its own comfort level that is doing that.
DR. DANAHER: So my last question, so CMS is going, I'm just trying to think about the enforcement, and especially for large integrated delivery systems or something. So CMS is going to require, if they did a site visit to UPENN or Pittsburgh or something like that, they'd require that you had security policies and procedures in place, but you're not required to demonstrate that you've trained anybody on those?
MS. TRUDEL: I would say that as part of your policies and procedures with respect to security, you would want to keep records.
DR. DANAHER: Ok.
MS. TRUDEL: And let me just say a word or two about enforcement, also. We've done some thinking, initial thinking about this and it's at least my own personal belief that we aren't going to get an awful lot of complaints, and again, security enforcement will be primarily complaint driven. We don't think we'll get complaints that are not also linked to a privacy complaint. In other words, it's not likely that someone is going to submit a complaint and say I think my doctor's office doesn't have very good security unless they have been harmed by some kind of a disclosure. The other possibility would be an internal complaint, I'm working in this hospital and there's something wrong and I just feel that I have to report it because the security is so lax that even though there hasn't been a privacy breach it seems like there could be one. Those are the kinds of complaints that I'm anticipating we'll receive, and so I think we're going to have to work very closely with the Office for Civil Rights to make sure that any security complaint is looked at for a privacy component and vice versa.
DR. DANAHER: Thank you.
MR. BLAIR: Karen, let me add my compliments, too, I didn't have a chance to read through the whole document, my reader helped me kind of glance through it and it just looks so much better organized than the NPRM did, and able to find things a lot easier, except for one thing. And maybe you felt like it wasn't necessary or maybe it's just that we couldn't find it in the time that we had available to glimpse through the document. In the NPRM, and I remember it was one of the last couple of pages in the NPRM, you sort of had a reference where you listed a number of security standards that had been developed by ISO, ASTM, CPRI, as references. And I didn't see anything referencing some of the existing private sector standards for security.
MS. TRUDEL: You're absolutely correct that that document is not in there. What we did do, because we felt it was really critical, was to make sure that the matrix that is sort of the all the standards and implementation specifications in two pages, kind of a cheat sheet, that was in there and actually that will be codified in the code of federal regulations, in other words that's part of the regulation text that will always be there. The preamble part of the document is not put into the code of federal regulations, it's used as explanatory material, it's used for guidance, but it doesn't actually wind up permanently in the CFR. The addendum that you're referencing was almost a laundry list of various industry standards and we felt that we didn't need to repeat it in the final rule. But in many places where a standard was specifically related to an industry standard we noted that in the discussion of the standard in the preamble.
MR. BLAIR: I noticed you wound up identifying where you picked up definitions and things like that.
MS. TRUDEL: Yes.
DR. ZUBELDIA: First of all, my congratulations for a very clear, very well written and very readable rule. It's much easier and much better defined than the proposal, I think it's very, very good. I have a couple of questions and perhaps a suggestion. The privacy rule has specific language suggested for the privacy part of the business associate agreement, and those business associate agreement sample language tidbits in the privacy rule have been reflected by the entire industry in their business associate agreements. I would recommend that you put out some guidance or something as to what additional language should be part of the business associate agreement to cover security as soon as possible. Because right now is when the flurry of business associate agreements is hitting the mill.
MS. TRUDEL: Understand. That's already on my to do list.
DR. ZUBELDIA: It would help to just have to sign the business associate agreement once rather than having to go through privacy and security. The question I have is the addressability of encryption in open networks. Does that affect at all the CMS policy of requiring encryption over the internet? I understand that's not HIPAA.
MS. TRUDEL: No, it does not.
DR. ZUBELDIA: So, there's still the requirement to encrypt over the internet even though under HIPAA it's addressable?
MS. TRUDEL: Right, it's addressable and again, as I said, what the covered entity does with an addressable specification is to determine whether it is appropriate to implement and to do so if it is appropriate. And we at CMS feel that we're held to a much higher standard than some other covered entities, and we respond accordingly.
DR. STEINWACHS: This may reflect my ignorance for not having read the rules, so I apologize. You can tell me to go back and read, that's a very appropriate answer. For research organizations, some are part of covered entities, some are hybrid, some are business associate relationships, some are outside of that I assume. Does the rules considering confidentiality or security end up applying differently possibly depending on where you sit as a research organization?
MS. TRUDEL: Privacy and security pretty much go hand in hand, so if you are a covered entity, if you've already decided for privacy purposes that you're a covered entity and you need to implement the standards, then security is right there with it. And if you're a business associate then whatever you were doing for privacy as a business associate, you would look at security the same way. So I would say that it does not change anything and if you only have just a few little moments to look at the regulation those sections that have to do with the organizational standards, those four standards that have to do with hybrid entity, etc., those would be a good place for you to start.
DR. LUMPKIN: Final question, Russ?
MR. LOCALIO: Karen, when I read the regulations last Saturday, I was along with others here very pleased at how easy they were to read. But what worries me is that although we have two years to comply with them, are you going to change them? One of the problems with the privacy rules is they seem to change every six months, for those of us who are unlucky enough to read the first version we kept having to go back and change guidance with every new release. What are the plans about modifications between now and the expected effective date in 2005?
MS. TRUDEL: It's really hard for me to kind of look into my crystal ball on that one, and I won't speak to the factors that caused the privacy changes. My personal belief is that these standards are flexible enough and not onerous to an extent that I don't think we're going to have hopefully no surprises in terms of unforeseen consequences. I would think that only unforeseen consequences at this point would cause us to consider revising the regulations prior to the effective date.
DR. LUMPKIN: We're a little behind schedule and Dr. Sondik is here for his presentation. I'd like to thank Karen for the Herculean effort in getting here and I wish you well on your way back. Ed, welcome.
DR. SONDIK: Thank you, the sun is out. Somewhere the sun is shining.
DR. SONDIK: Well it's a pleasure to be here. When I was here giving an overview, I think it was about a year ago or so, one of the comments that I received afterwards was well, you know we know a lot about NCHS, really sort of get to the issues if you will, and don't give a broad overview of the program. Well, I'm going to try to do both, I'm going to try to go down the sort of salient news and then I feel that I would be remiss in not giving you a bit of sort of an overview of what's happened over the past year, because I think it's been a particularly productive year and so I'll try to cram all of this into about a half hour or so. Mr. Chairman give me the high sign if it's going too long. I know you will.
These are the topics that I'd like to cover today, more on some than on others. And let me start first with this red book that you all have and say that I'm really pleased that we've actually reached this point where we have a document, I think it fits well within the National Health Information Infrastructure. I think the recommendations, both the broad and the more narrow ones I think are very important for us to pay attention to, and to try to implement. And I hope that this is something that we can revisit on a periodic basis so we can see exactly where we are with respect to this. It's very appropriate that we have a document like this, that we have this thought.
As you know, and I guess there may have been discussion earlier that there's a book that will in effect accompany this, no not that book, not the report, but there's actually a more scholarly book with a variety of topics all very pertinent to health statistics and actually goes beyond that I think to epidemiology more broadly and the editors and authors of the various chapters are very busy on it and I don't know when the projected date is but I think the deadline is sometime this summer for everything to be done if I recall. So I'm really looking forward to that as well. So I thank NCVHS as well as the National Academy and the Data Council, all of whom were involved in actually bringing this to fruition.
The next topic on here said new building. And what I have on the screen is a picture of believe it or not our brand new building. We actually over the great blizzard of 2003 moved from our location in Hyattsville to Palm Beach, no, actually we moved about 150 feet to our new location in Hyattsville, which turns out to be really a beautiful brand new building that is believe it or not all ours. We don't own it, we only lease it, but we are the only tenant in the building which is great from a security point of view, and it seems to be working out really well, lots of conference space. And I would invite this Committee to hold a meeting, one or more meetings there, just as soon as we find chairs and so forth. Now we have a few things yet that are on order, they're coming in, we have makeshift tables in the conference rooms and no chairs, which makes for very quick meetings. So maybe this is the style of the future, I'm not sure.
The building looks like three buildings the way it was designed very cleverly actually, but inside it doesn't feel that way. In fact, inside I think it really feels kind of nicely compact and people have all, haven't had one negative comment, not one so far. The people say that it seems to improve the conversation in meeting people and all this sort of thing, so we're looking forward to many, many years in this new home in Hyattsville, Florida, no.
Let me talk about one area where we we're very busy with for the last several years, and in particular this year. And I want to spend a little bit more time on the budget, which I'm getting to, but I wanted to put it in the context of reengineering, which we've been doing a great deal of. In vital statistics it's very important that as I quipped here that we lose DOS and we enter the internet. And the enthusiasm actually on the part of the state vital statistics offices for doing this is really encouraging. Actually from the word go they all felt, maybe because it was a little late in coming perhaps, but everyone seemed to feel that this is the time, we need to be doing this. And the NEDS effort came along from CDC a little bit after that and this fits exactly with that. And I would see these two things being somehow meshed together in the relatively near future.
It is not an inexpensive process, though. This means lots of changes in every state and when I say losing DOS, I'm not kidding, as you all know, that there are some states that are still running on those types of those systems, DOS based system, and they've really got a long way to go. And in vital statistics it means networking the entire process from the hospitals and birth registration all the way to the mortuaries and medical examiners and so forth for death registration. So it is a, it's a significant effort, we're involving the private sector in this of course because they're playing a key role in the system as it stands. And I'm looking forward to progress here over the next several years. Particularly, as I said, based on the enthusiasm that we have from the states and from NAFSIS(?), the professional organization of the vital registrars.
In HIS we have developed a new sample as I've explained I think many times before, but I think it really, it's an important point is that we draw the sample for the Health Interview Survey once a decade. I think perhaps when in the future and we're all in the internet age and the information age, we'll be able to do this on a much, let's say once a year basis. But at this point, based on the way the Census is conducted, we really can't do that, so we draw it on the basis of once every ten years based on the most recent Census. In drawing the sample for a survey as large as this, which is 40,000 households a year, more than 100,000 respondents a year, is a very expensive proposition. And a significant amount of resources that would otherwise have gone to actually conducting the survey have gone to the development of the new sample and also gone to the development of a new survey computer program in which the program is actually based and delivered and preliminary analysis is done, and then on new data processing procedures, which are going to change things quite a bit. It's really a plus and things have been going very well with respect to that process.
A number of redesigns in the health care area have taken place over the last year and I'll mention those briefly. And in terms of NHANES, NHANES and its reengineering took place a few years ago, and as you know the trailers and so forth are highly automated and in fact you may have an opportunity depending on when the next meeting is, when is the next meeting of this group? June. Well, if you want an interim meeting you may have a real opportunity to see NHANES in action right here, outside the Humphrey Building, in April and May, March, April, and a little bit in May. I'll talk about that a little bit more.
But NHANES has reached a point where we need to take another look at what it is we're actually collecting at NHANES. And several years ago, I think 1997, we held a series of fora or forums, whatever it is, a prize later for those who are up on that, to bring together members of the multiple communities that NHANES serves, and give us ideas and also give our federal collaborators ideas on where we should be going with NHANES. And a number of innovations in NHANES over the last several years came from that. It's now time to do this again. NHANES is now on a two-year cycle rather than the old three-year cycle and in addition, we're able to get data from NHANES on an annual basis. But our nominal cycle, although we can change this, our nominal cycle is change the content every two years, not necessarily in a major way, it could be in a minor way, but it's every two years that we take a hard look at what should leave and what should come in. We cannot do that by ourselves. We should not do that by ourselves, so it's important that we bring the community into that. And we've been talking to the Institute of Medicine on a process for this, we didn't do that prior, we carried out the process, but we've been talking with them about the possibility of involving them in this process. And they're very excited about doing it, it is an expensive proposition, though, and that is an issue. In any case, we will do it, one way or another, involving the IOM in a major way or perhaps in a somewhat smaller way, but certainly in giving us advice. And we seek your advice as well on how we should go about this process.
One thing we did over this past year, it's only one thing but I thought it was particularly important to bring up and many of you probably know about it, is the development of a bridge file that relates the data as it was collected under the old 1977 race and ethnicity standards to the way it is now collected under the new 1997 ethnicity standards. The first time those were actually put into the field in a major way was in the 2000 Census. And the more recent data, the more recent standards, allow for multiple race reporting in five race categories. The old categories had four, there were four old categories from 1977 and you could only report one race. Now the question is how do we bridge the data, how did we develop, use that bridge to develop for example county estimates of population figures? And we in working with the Census and others have developed that file and in fact it's on our web-site and this is a picture of the web-site, highly non-informative other than to say it is there, with a variety of other information, things that I'm not going to get into. We've talked in here before about the new standards for information quality, I'm very proud of the role that NCHS and the Department and Jim Scanlon had in really leading the federal establishment in developing these standards and implementing them, and they're also outlined on the web-site.
It seems like several years ago and actually it's probably about three years ago, I came to you and said that in addition to the guidance that you give us, I thought it would be very useful for us to have a board of scientific counselors that could hone in on the individual programs and deal particularly with the science of what we do and how we do it. We put in a request for that, an application for that, and it has been approved. Now I'm not sure exactly who is sitting on it, because the Department makes the selections from the suggestions that we submitted, and I know they've been considering that and they have I think accepted ten of our suggestions and suggested five. I understand, I don't know who's chairing because I believe they will give us their determination of who the chairperson will be, but I'm very pleased about that and I see these two groups working hand in hand together with the red document there, the health statistics vision and the NHII in giving us the guidance that we need.
Let me mention about where we are with budget. Now this is three graphs, three line graphs that show you where we are with respect to the budget. If we look at the top figure on this, the top figure is a little less $160 million dollars. That's based on our 1994 budget, and then using the biomedical R&D price inflater, bird pie just has the wrong sense of connotation. So that would take our budget from in 1994 in the mid '80 close to $90 million and bring it up to a little bit less than $160 million. The red figure on here, purple on the screen, is what our appropriation has been, and what it's slated to be for 2003 and 2004. You can see that it's a bit over a $120 million for these years, it's actually, the President's budget is slightly less for 2004 by about a million dollars, and for the period 2002, 2003, and 2004, the figures have been pretty much constant.
Now the green figure below that is the figure that actually we're able to actually use. The difference between the red figure, which is what's appropriated and the green figure which is what we actually can use has to do with a variety of overall costs of running CDC that simply need to be paid to, if you will, central CDC that have to do with the support of a variety of central functions. This brings us down to a net available budget to NCHS of something over about $100 million. The point from this graph I guess as in all graphs, is to sort of see the general trend, and the general trend here is that there was a period of time where our budget was increasing, and over the last several years it's been relatively constant.
Now it's been constant, but I must tell you, I think this past year has got to be one of the most productive years that the Center has had. It just seems to me every area of the Center has been incredibly productive despite the fact we've had a number of people retiring, and I think it's sort of the fruits of a variety of labors have come to be picked over these last few years. There are significant implications, though, from working with a budget that's constant, and not constant with respect to inflation.
Let me just tell you what some of those are. Let me say that this is the situation that we're in, this is the realistic situation we're in in terms of these budgets being relatively constant for many of the agencies, and we have to find ways of making judicious changes in order to meet these constraints. So in HIS what we've done is we've experimented with reducing the sample size and we're doing that by small changes eliminating a week at a time, although we may be doing somewhat more than that. This of course changes if you will the pixel size, it's the way I like to look at it, the number of pixels if you will. But we're still able to meet the significant demands on the Health Interview Survey. It is in many ways the core survey on health in the Department. I still think of vital statistics, always think of that as kind of the base on which all of these are built, but the HIS gives us an enormous amount of information about HealthePeople and also a lot of information about the GPRA, the GPRA goals that, not only for NCHS of course but for the Department. So we'll do that, and maintain that, but clearly reducing the sample is not without some cost.
This past year we really would have been in trouble, 2002, if it hadn't been for the support in NHANES from our collaborators. We have collaborators across the board in everything that we do, there are probably more on a percentage basis in NHANES than any other activity other than vital statistics, in which we have more than 50 collaborators. They were very generous in the dollar support that they gave the Center for their specific components in 2002 and we look forward to that support as well in 2003. But the thing with the support like this, in effect it needs to be negotiated on a continuing basis.
In vital statistics, what we've done is we've made some accounting changes if you will, as opposed to contract modifications. It's more in the way we pay these, and we've been able to stay ahead of the game in this, and we'll continue to do that up to a point. But we're going to have to take a fundamental look at how vital statistics is actually supported.
In the health care surveys, that's NCHS, the health care surveys, what we've done in the past is we've judiciously chosen the ones that will be in the field and the ones that will be out of the field, and we have a disturbing trend, but we still have been able I think to get very good data from this of having survey's out of the field more often than they probably should. Despite that, we've had a very aggressive effort at developing new surveys and evaluating the data, the content of the existing surveys.
So in 2003 and 2004 what we're going to be doing is taking a hard look at what the priorities are for data, I mentioned GPRA and HealthePeople, but of course that is to say it's the tip of the iceberg in terms of the use of all of this information is putting it mildly, really, these surveys form the basis for research, not only across the U.S. but across the world, epidemiology is based on these clinical trials. So it's very important that we with your help and our collaborators help and the federal and outside the federal establishment, make some very prudent choices here. And part of that may be identifying those data systems in which we are able to collect data's less frequently. We need to continue to search for greater efficiencies. I feel that over the last decade we really have picked the proverbial low hanging fruit, and I think we've also used step ladders as well. It's one of the reasons why the reengineering is so important because we see efficiencies in the longer term, if not in the shorter term, from reengineering and making better use of technology and informatics.
The challenges that we're facing are one of the things that goes when you're very tight is the support for R & D. Now there's a diagram in the front of the report, I won't dwell on it, simply to say it's the health, it's called the Health Statistics Cycle, it's figure 2. And if you wander around that, a lot of that has to do with, doesn't have to do with the actual collection of the data and the publishing of the data. It's got to do with much more than that, it's got to do with the evaluation of where we are, it's got to do with development of new methods, and so forth. And that takes resources. And what we have to be very careful on, and I say this to remind myself let alone to make the point to you, is that we do not skimp in that area, because the foundation for all of this is the quality of the data, and we have to maintain that.
So through all of this we have to expand how we're getting our support, and if we need to find new ways of supporting this than we're more than open to doing that. Training and recruitment, not only for NCHS but also for the vital statistics systems around the country is very important, and as I said, overall we have to maintain the data quality. So that's the budget very quickly.
Let me spend if I can just a few minutes, and I'm going to go through this very quickly, hitting some of the high points with respect to some of the programs over the last year, and I really am only talking about some of the programs. Despite all we hear about problems in doing surveys, NHANES had a terrific year in terms of response rates. It wasn't quite as high as the year before, but it was still way up there. I think it's the letter that I write inviting people to, joke. Really, I know what it's due to, it's due to the fact that more and more resources have gone into recruiting individuals while not being obnoxious, which is very important. And we've done, they've done extremely well, and I compliment the staff and I compliment WESTAT, who's the contractor for NHANES. And I hope that they actually write up what they've been doing into a journal article so that it can be shared widely because I think, while not a clinical trial of response rates, the proof of the pudding is it being able I think to maintain these very high rates.
The data actually from the most recent year got out within a year, which is incredible considering that this used to take four or five years, and that was due to technology in large part, and the zeal of the staff. But if we hadn't changed the design and the use of the technology, it simply would not have happened. There's more data coming out this March, a variety of things have been published, I'm showing a slide here of an article on obesity which got a lot of play. But here's data, this is a slide of the report, cover of the report to the second national, it says Second National Report on Human Exposure to Environmental Chemicals. We do this in partnership with a number of people but principally the National Center on Environmental Health at CDC. And a report was published two years ago, it had 25 chemicals in it. This has over 100 chemicals and there is more to come. We could not do this with out the design of HANES, which is the vehicle for collecting all this information, and then the analysis of our staff, by our staff and NCHS's staff, so this should be very useful in the future.
We are having, the luck of the draw is that Washington has come up, Washington, D.C., has come up as one of the sites for NHANES for this year. And it is the luck of the draw. And Dave Larson of our staff and Lisa Broytman(?) of our staff have worked with the GAO and the people in this building and the city of Washington so that we're actually going to have the NHANES trailers set up between this building and the old FDA building, which is if I'm pointing in the right direction, behind us. So one block off of Independence, in that short block that looks out on the House side of the Capitol. And we're planning an open house and we're going to take advantage of this so that the Secretary among others will have an opportunity to actually visit, and I invite you all to do that, and you'll be hearing more about this.
And we're very excited about this. This was no small task, it's one thing to set it up in a K-Mart parking lot in Kansas City, and it's another thing to do it here. I wanted the Mall, but it turns out the problem with the Mall is that you need sewage, we need for this sewage facilities, and believe it or not, there are no sewage connections on the Mall. This is the main hang-up, so we had to do, I know that's hard to believe given everything that happens on the Mall, but it turns out it's not there. No, with this we don't do port-a-potties.
This is a picture of one of our more portable trailers for HANES, and we're getting a lot of interest now from a number of areas in the country for applying this, and I hope that I'm able to tell you in a year that we actually have more, at least one, but I hope more than one project involving community HANES.
In the Health Interview Survey the speed up of the data release has been really like other areas in the Center, quite phenomenal. In fact we're producing now measures from, that come out within six months, actually they've been coming out within three months, after they've actually been collected in the field. And these are important measures which include for example health insurance measures, overall, and that is percent of the population who are insured or uninsured, and a variety of other measures as well. These are released on the web just as soon as we get them, but to be able to do this in such a short period of time, it's a great testimony to the staffs involved, staff include not only our staff but the staff of the Census Bureau who actually conduct the Health Interview Survey for us.
This past year we had a supplement on complementary and alternative medicine as well as children's mental health, very important topics. And when we do this we do receive support from the other agencies, but it's never quite enough to cover all of the work that needs to be done. 2003, more measures related to HealthePeople and additional information on children's mental health. That's just one of the slides on the insurance status.
In vital statistics, again, the releases have been even more rapid than they have been in the past, we are using new population estimates for the analysis of the birth and death data. And I wanted to let you know that Mary Anne Friedman, who's been the director of this program for the last eight years, is retiring on Friday.
-- so if you have any suggestions, please do let us know. This is some reports from the vital statistics program, and the birth report was the earliest release in the last 35 years, so I'm very proud for them that they've been able to do that.
In the health care survey, an incredible number of publications and articles this year and electronic releases including the emergency room crowding, increase in the use of prescribed drugs, and decline in antimicrobiol(?) use. In 2003 we're going to have in the field the hospital discharge survey, the ambulatory care survey, the hospital ambulatory care survey, and we're planning on putting a nursing home survey in the field in the fall, which will fall into a new fiscal year, that's why I say in the fall. What is on the sidelines are the survey on ambulatory surgery and the home and hospice surveys.
Now a number of activities going on and I know we're starting to run late here, but for example, a supplemental sample of rural and proprietary hospitals for better facility estimates, we've implemented in 2003, and the emergency pediatric services and equipment supplement which continues from 2002. So despite the tightness of the resources we're still able to do quite a bit. We're working on a redesign, very important redesign given the importance of long term care of our nursing home survey, and as well as the home and hospice care survey redesign, as well.
Just some statistics on dissemination. In 1995 our web-site had 6,500 user session. That's not hits, that's beyond hits, where people actually spend time there, send out for lunch and browse through. In 2001, 350,000. In 2002, 550,000 user sessions. And our web-site now is the principal way that we release our data. And everything that we have, and this was a Herculean task, whether we have or did have, is available in PDF or Acrobat format. It's very, very useful.
Other things going on. We developed a new index of disparities over the last year and that's being used particularly by the HealthePeople programs. In fact these HealthePeople progress reviews are underway and the Center plays a very significant role in that. The Research Data Center is receiving increased use which is very important as issues related to the protection of the micro data become even greater.
So all in all I think we have in my biased view, we're producing more data, it's being distributed more widely, certainly more timely. We need more R & D and we need to continue with this reengineering, even if it means we have to sacrifice some data over the next several years. And the bottom line is, and again going back to this cycle and figure two here, it's all toward planning and meeting future health data needs. And when I look at this picture here, of this cycle, I'm struck by the fact that many people when they think about statistics, health statistics, think of something that doesn't move very much. Somehow isn't particularly dynamic, but when you're in the middle of this and you look at this you realize just how dynamic and changing it is.
Thank you.
DR. LUMPKIN: Thank you. Don?
DR. STEINWACHS: I want to congratulate you on what you've accomplished, because I remember all those years where you waited years to see the data on the history of health care in America, and so it really is exciting. Part of what's always struck me and I guess this may be a strategy question, it may go outside and John can tell me it's not part of the Committee. But a lot of what you produced doesn't always come back and people identify that it was NCHS who produced it and somehow it becomes part of just a broader organization of the government. I was wondering as you talk about dissemination strategy, and I was very impressed by the numbers that are hitting your site and using it and so on, is there a way in which you also feel that you're getting out there so more and more people know to turn to you, or know that when they see something that comes out of HIS or NANSIS(?) that it is you? I guess I'm talking a little bit about the branding but also access. I mean if someone wants health data do they always know where to turn?
DR. SONDIK: Well, branding actually has been an issue if you will, and what I found over the last few years is that the reporters know where the data comes from, even if it doesn't say, if it says the Department produced this data, they knew where it comes from. And the press releases are sufficiently generous in making that clear, even if the Department is releasing it or if it may appear that way. I mean sometimes you'll find USA Today, for example, I noticed just the other day, whatever they call those little graphs they have at the bottom of the front page, and there was something that we hadn't recently produced, but there it was, something was NCHS. Other times it might say CDC or the Department. We've been making a very significant effort over the last couple of years to talk to organizations that are principle users of the data, just to fill them in on what we're doing, and we've got a variety of handouts that are much more user friendly than what we've had in the past. I've started, I've, we, but it's under my name, are producing a newsletter which was only an occasional thing in the past but now we're doing this on a more regular basis. I hope everybody in here received it, if not, our mailing list wasn't right. Wouldn't that be terrible if you didn't? Marjorie is looking at me like you didn't, well, we'll revise the mailing list. It went to lots of people, well, then you should get it, and we're going to be doing that on a very regular basis and bringing people up to date, not only on the highlights if you will, but also on what some of the data are actually showing, which I think is very important because this is what I think really captures people's attention. The fact that ok, there's another file available from HIS, the HIS files if you will, EHILES(?) say oh, that's wonderful, I'll run to it. But if we don't have something with that, something that substantive that that data is telling us, then I think it doesn't really capture the broader audience. So it's very important in these times that we do that and we're making that effort. And any suggestions you all have like receiving the newsletter, would be greatly accepted.
MR. HUNGATE: I had a quick question. It's impressive to see what you're doing with the web-site, but it sounds to me like it's mostly on the dissemination direction. Is there also a program to use that same tool for collection having others do the survey of special populations and getting it back in some way?
DR. SONDIK: Yes, in fact we're, probably the best place for us for that would be in the health care surveys, and we're strongly considering that. But you know that's exactly where R & D is critical. Everything comes back to me in the sense in terms of quality, so if we're going to implement something like that, we have to know that we can do it well and we have to have been able to experiment with it, which says that we need the resources to be able to that. But I think that's an area we're strongly considering doing that, that's an area where I think we will.
There have been a number of efforts as you know, a number of people are doing surveys of one sort or another using the web. This is not wholly satisfactory, and there are a lot of issues, particularly with some of the questions we ask in which it may be that people will answer them differently through the web, through their own computer, than they would in person to someone. Or for that matter, over the phone. And that's the kind of thing, again, that we need to be doing. We're doing a very interesting study that I have mentioned, it's not on here, that we're doing with Canada, to look at differences in the way questions are answered in Canada versus the United States. And you might think there might be no difference, which would be terrific to know. But in our meetings with our counterparts in Canada, that's not entirely clear to us, and so we've actually got a survey in the field now, it's a telephone survey in the field, and it's been carefully designed so that we can make these kinds of comparisons. And also to assess the health of Canadians versus the health of Americans. And again, that's again, an R & D type of activity. Very important. And then we hope to expand this and do this with other countries, other OECD countries, England, the Nordic countries, and others.
DR. LUMPKIN: Is North Dakota part of the Canadian sample or the United States sample? Russ?
MR. LOCALIO: I just want to voice my concern about the size of the pixels. For example on page four in your slides you have the bar graphs as a percent of persons uninsured and you have very nice tight 95 percent confidence intervals. But what happens if you want to know the percent uninsured of disabled Hispanic Americans living in rural areas and you want to track that over time to see what's happening in an under served and disabled population? What's the implication of the increasing pixel size for that type of comparison?
DR. SONDIK: Well, it's not good. But it may mean that there are perhaps other ways that we can get at questions like that. If someone poses a question the way you did, then we have ways of answering that, we can develop a survey to do it. But the problem, though, with that, is that you sort of have the idea in mind, and say alright, I want to go out and do a survey. The great benefit from these national surveys with as many respondents is that you're able to cut them in a variety of ways and look for relationships. I mean this is the great benefit from NHANES, it's terrific to have this report on chemicals and now know the distribution, the exposure across the country from that. But the real benefit from that is that every data point that's gone into that, every individual who's exposure to herbicides is included in that, also has 5,000 other variables associated with it.
And we don't know how to use all that information, not to mention DNA's for that matter. We don't know how to use all of that, but it's an enormous resource. So when we talk about the uses and the tip of the iceberg like ok, we're using it for GPRA and we're using it for HealthePeople and we're using it for that particular report, maybe you can tell me how to say it, but we're losing the enormous value of these resources for research, which is I think the major value from all of these things.
And with research you don't necessarily know where the investigation of these data sources is going to take you. The mental health data, for example, coming from HIS, the fact that this is coupled with the rest of HIS and the data that's collected from that, and conceivably could be linked to other information, is enormously valuable. And it's hard to represent. And so whenever I say alright, this is the talk about HealthePeople or GPRA or something being the tip of the iceberg, it really does bother me because I don't think that I'm expressing adequately the value of this information to the research community, and for that matter to the people who are just evaluating health and tracking health status.
It doesn't have to be the hard core research community involved in biomedical research or clinical trials. It can be the public health community who are more concerned with tracking the health of populations, specific populations over time, and identifying key factors in that, such as the question you just raised.
DR. MAYS: I'm actually going to build on your question, because one of the implications, of course, in terms of cutting the sample of the NHIS is exactly what you were saying, which is we kind of lose our ability to do research on some of the vulnerable populations in particular, the disabled, racial and ethnic minorities, etc. Typically then what you want to do is to think about well how else will we get this data. And in the past you've had the opportunity to do things like say the Hispanic NHANES. Do you have any plans, for example, of what you might do knowing that we're going to kind of lose some of the data for some of these populations by the reduction?
DR. SONDIK: My plan is that we discuss it in this forum right here, plus we discuss it in wider forums than this. Because if we need to make these choices, which we do, we simply cannot, we've picked the low hanging fruit, and we either, there are no doubt still some efficiencies, and I hope some of the reengineering will give us some efficiencies. I don't expect efficiencies like 50 percent, it's just going to cost of 50 percent to get the same amount of information. Certainly using information technology to better advantage it may even cost us somewhat more, but we get great benefit from that like turning around the HANES data inside of a year, or these quarterly estimates that come out from HIS. But I think in the long run it certainly will save us money.
One of the things that we need to look to other sources of dollar support for this, to do things like, for example, an Hispanic HANES. When I'm thinking of an Hispanic HANES at this point, I'm thinking more of the community HANES, and using those resources focusing in on specific communities, whether it's the Hispanic community in Los Angeles or it's an Indian reservation in the Dakota's, or wherever it might be, we have a tool that we can apply but we simply don't have the resources to do the R & D and then the actual implementation of it. But we actually are talking about some very I think really exciting application with some, I don't want to state it publicly, but with some individual organizations that would be able to put significant support into it for that, and I think that could then lead the way for others.
But we have, I can't say to you that there's an easy way to do this sort of thing, it means that rather than having if you will a discretionary piece of the budget that we can focus on one area such as whether it's Hispanic HANES or an Asian HANES for that matter, it means that we need to pose this as an alternative and then seek out the resources to conduct it. But we need assistance and guidance in our overall agenda as to where something like that actually fits.
DR. MAYS: Well, my second question was actually one on resources. In NHANES you talked about that there were collaborators who put resources in. Do people buy time? I mean do you accept, for example, if they were foundations, etc., that wanted to buy time on NHANES, is that something that's a possibility?
DR. SONDIK: It is a possibility. The way I would do that, though, the way we have been doing this is through federal collaborators, so that a foundation that worked with one of our federal collaborators, I think that would be fine. I am not positive about saying that we've got three and a half or four hours in a trailer and we're going to put it up for the highest bid if you will, and I know that's not exactly what you're suggesting. But I think it's very important that what be done be done with the idea that it's the, in terms of priority it's the most important thing that can be done with those resources. So that we have had one commercial concern that was interested in this and they did work through the CDC Foundation to work with a federal collaborator and we were collecting information that was of use to them, something that they stimulated but something that we felt was of significant priority.
But I would hate to have a commercial interest, if you will, win out over something that would be considered a broader public health interest. If the two coincide, terrific, and we can get that support then that would be wonderful. But it's very, but we cannot accept that money, that needs to go through another organization.
But at this point, I shouldn't say at this point because that makes it sound as if there's a change, but we have always been open to that and certainly are open to that in the future. I think it's very important, though, that between this organization and the forums we were talking about and the board of scientific counselors, that we have a well defined agenda that we're working toward and we say we want to do this at this point.
One idea that I continually bring up and I know I've brought it up here and I'll bring it up once again, is that one possibility for us, for the country, is to look at populations across the U.S. and say that we need a certain amount of information on that population, let's say once a decade. Define what that is. That doesn't mean that's the only information we get, but it's information that we know we can then build on. So if we have that information and we know it's a solid as it can be, then we can use a variety of other means to collect information from that point on. It may not be as solid, but we know we have something back there that is solid, then periodically we can go back and redo that. That would be part of an overall say decade long strategy for how we use these resources.
DR. LUMPKIN: I think at this time we need to break, we're well into the lunch hour. I'd like to thank you for coming. Perhaps, I know we have recently sent a letter raising concern about the budget for NCHS --
MS. GREENBERG: It's under review by the Executive Subcommittee, I think on Friday.
DR. LUMPKIN: Ok, that will be going out very soon and very timely. But also if, I know the agenda's probably full, but if the Populations Subcommittee could, if there are any issues that may derive from this report, I think that would be the place to try to process them to bring them to the full Committee. Once again, thank you very much for your partnership and we're finally getting this out, and all your hard work for the nation in health statistics.
DR. SONDIK: Thank you. And again, I want to thank the NCHS staff which has really been just terrific. And I wanted to give credit to someone you don't know at all with respect to, I'm expect you don't know, for our new building. The person who has been our chief administrative officer, Doug Zin, actually took this on and we would not be moving into this building if it weren't for his ideas and his enthusiasm and energies that went into this and saved us from moving to Dakota, new name for North Dakota I understand. No, that wouldn't be so bad. But really, it was a terrific thing that he did and deserves the, and many, many other people of course worked with him to do this but it was his idea that got us into this new building, so I give him great credit.
DR. LUMPKIN: I'm sure it was a moving experience working with him. With that note, we'll break for lunch, we'll get back at roughly 1:00.
[Whereupon, at 12:15 p.m., the meeting was recessed, to reconvene at 1:00 p.m., the same afternoon, February 26, 2003.]
DR. LUMPKIN: Well, good afternoon. We're going to work our way through the agenda starting off with the Subcommittee on Populations. There are a couple of housekeeping things we want to take care of first. The first is that the Subcommittee on Populations is meeting in Room 425-A, we incorrectly list 405-A, which is as Jim tells me right next door, so if