[This Transcript is Unedited]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
March 3, 2005
Hubert H Humphrey Building
200 Independence Avenue, SW
Washington, D.C.
Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091
TABLE OF CONTENTS
Agenda Item: Call to Order, Welcome and Introductions
DR. COHN: Good morning. I want to call this meeting to order.
This is the first day of two days of meetings of the National Committee on Vital and Health Statistics. The National Committee is the main public advisory committee to the U.S. Department of Health and Human Services on national health information policy.
I am Simon Cohn, the Associate Executive Director for Health Information Policy for Kaiser Permanente and Chairman of the Committee.
I want to welcome fellow committee members, HHS staff and others here in person, and I obviously want to welcome those listening in on the internet, and, as always, I want to remind everyone to speak clearly and into the microphone.
Now, what we will do this morning is to start with introductions, and we'll ask the new members to briefly introduce themselves in the course of these introductions, and we'll talk about them more a little later on.
For those on the National Committee, I would ask if you have any conflicts of interest related to any of the issues coming before us today would you so please publicly indicate during the introductions?
Marjorie.
MS. GREENBERG: Okay. I'm Marjorie Greenberg from the National Center for Health Statistics, CDC and Executive Secretary to the Committee.
DR. LUMPKIN: John Lumpkin, Senior Vice President, Robert Wood Johnson Foundation.
DR. WARREN: Judy Warren, University of Kansas, School of Nursing and a member of the committee, and I am not aware of any conflicts for today.
MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina, a member of the committee and no conflicts.
DR. TANG: Paul Tang, Chief Medical Information Officer, Palo Alto Medical Foundation, Center of Health, a new member of the committee and honored to be here.
DR. STEINWACHS: I'm Don Steinwachs, Johns Hopkins University, a member of the committee and no conflicts I am aware of.
DR. CARR: Justine Carr, Health Care Quality, Beth Israel Deaconess Medical Center, member of the committee, and no conflicts.
MR. HOUSTON: I'm John Houston with the University of Pittsburgh Medical Center. I am a member of the committee, and I don't have any conflicts either.
DR. VIGILANTE: Kevin Vigilante, Booz-Allen, Hamilton. No conflicts that I am aware of.
DR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and Quality, liaison to the National Committee and staff to the Subcommittee on Standards and Security.
MS. TRUDEL: Karen Trudel, Centers for Medicare and Medicaid Services, staff to the Subcommittee on Standards and Security.
MS. MC CALL: Carol McCall, Humana, with our Center for Health Metrics. I am a new member to the committee. Thank you for the invitation. I have no conflicts that I am aware of.
MS. BEREK: Judith Berek from the Centers for Medicare and Medicaid Services. I am currently the liaison to the committee. I am retiring on April 30th, and Karen Trudel will take over as liaison.
DR. SCANLON: Bill Scanlon. I am a new member of the committee. I'm with Health Policy R&D here in Washington, and I am very happy to be here, and I have no conflicts for today.
MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, member of the committee and no conflicts.
DR. HUFF: Stan Huff with Intermountain Health Care in Salt Lake City and the University of Utah, and a member of the committee, and no conflicts for today. Thanks.
DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, liaison to the committee.
MR. BLAIR: Jeff Blair, Medical Records Institute, and a member of the committee, and there's no conflicts that I am aware of for today.
MR. ROTHSTEIN: Mark Rothstein, University of Louisville, School of Medicine, member of the committee. No conflicts.
MR. SCANLON: Good morning. I am Jim Scanlon from the Office of the Assistant Secretary for Planning and Evaluation here in HHS. I am the Executive Staff Director for the full committee.
MS. FORITO: Michelle Forito(?), Drug Enforcement Administration.
MR. BRUCK: Steve Bruck, PEC Solutions.
DR. DEERING: Mary Jo Deering, National Cancer Institute and lead staff to the NCVHS workgroup on the NHII.
MS. JACKSON: Debbie Jackson, National Center for Health Statistics, committee staff.
MS. BERNSTEIN: I'm Maya Bernstein(?) from the Office of the Assistant Secretary for Planning and Evaluation, and I am also the new privacy lead in HHS.
MS. WILLIAMSON: Michelle Williamson, National Center for Health Statistics, CDC.
MS. LUKE: Marilyn Sigmund Luke(?), America's Health Insurance Plans.
MR. KYLE: Frank Kyle(?), American Dental Association.
MS. FRIEDMAN: Maria Friedman, CMS, lead staff to the Subcommittee on Standards and Security.
MS. PICKETT: Donna Pickett. National Center for Health Statistics, CDC and staff to the Subcommittee on Standards and Security.
MS. BOWMAN: Sue Bowman, American Health Information Management Association.
MS. JONES: Kathryn Jones, CDC, National Center for Health Statistics, staff to the committee.
DR. MAYS: Vickie Mays, University of California, Los Angeles.
MS. LAVIN: Kelly Lavin, American Osteopathic Association.
MS. WATTS: Patricia Watts - Veterans Affairs.
SPEAKER: Maria - National Institutes of Health.
DR. COHN: Okay. Well, thank you for joining us today.
Now, normally, at this moment, we move right into talking about the agenda, but being the new Chair, I am going to take the prerogative of spending a couple of minutes just talking about the transition and change. It will not be the last time we talk about it today or tomorrow.
Obviously, I, first of all, want to comment that I think we all believe that the achievements of the last several years for the NCVHS have been nothing short of spectacular, and I really want to thank our previous Chair, John Lumpkin, for helping make it all possible. I mean, as we think about what has been going on - the guiding of the initial HIPAA implementation, the visioning of the NHII, the creation of the first set of recommendations for e-prescribing that are now part of the proposed rule, which I know Karen will be talking a little later, as well as letters of great import coming out on quality of populations - I mean, we have - here, we have really the committee to thank for all of this. There clearly is a lot to be proud of, and I want to just take a moment to acknowledge our departing members - John, Vickie - Vickie, I'm not sure why you are back there, as opposed to at the table. Can we have - Can we have you sit at the table, please? We're transitioning. I don't think we think you have left the committee yet. Gene, who I don't think has arrived yet today. Obviously, you will be missed, and we, obviously want to celebrate your contributions, obviously, today and this evening.
In addition, we also want to acknowledge Peggy Handrich, who, while not here, has resigned from the committee, and we, obviously, will miss her. I think that she has provided a lot of valuable input.
Also, I think I should comment that Aldona Robbins, who has a name tag here, but isn't here yet, will be also transitioning off in her role. I think she is finishing off her term on the Bureau of Scientific Counselors, but I think this, at least likely, will be her last time representing the bureau - the board on the committee.
I guess we should also comment about Judy Berek, who has already commented about her retirement, so congratulations.
So, clearly, this is a time of transition, to put it mildly, but, clearly, there's lots more to be done and challenges to face.
You know, we talked about HIPAA. Well, in some ways, the identification of the initial standards may be the easy part. I think the hard part now is to work with HHS and the industry to figure out how to maximize the value of the implementation.
For the NHII, there is an ongoing set of tasks that relate to further visioning out the NHII as well as identifying - I mean, really solidifying it, making it real.
For populations in quality, large issues remain, and we'll be continuing to come forward relating to information needs for the Twenty-First Century.
Obviously, these are just a few of the challenges before us. I think for all of us who will continue on after today I have to say that it is truly an exciting time to be a member of the NCVHS, and we obviously welcome the new members.
And speaking of that, obviously, we are delighted that Paul Tang and Carol McCall - McCall – McCall. I apologize. It is 6:00 a.m. in California. So - (laughter). McCall - and Bill Scanlon, we are obviously delighted that you could join us and we are looking forward to your active participation.
You are obviously joining an elite group. I think the NCVHS - and I think we comment about this as well to staff sometimes when we drive them crazy - but we are really known within the federal government as one of the most productive and hardest-working federal advisory committees.
As you know, we all have important day jobs. So we don't do this because we all have a lot of free time on our hands. The reason we have taken on this additional responsibility is our commitment to a better healthcare system, a healthier citizenry, and, really, a better America, and, obviously, at the end the day, we all have the satisfaction of having our deliberations and recommendations make a difference, and I think that may be one of the defining characteristics of this committee. By working hard, we actually typically do make a difference in terms of the activities of the federal government and the private sector.
Now, when I was appointed Chair a month ago, the first thing I did was to talk to each of the committee members, and I really do want to thank you for taking time to - in your busy schedules - to talk with me about how the committee was functioning as well as opportunities for improvement; and, obviously, we talked to the new committee members also to at least begin to orient you to the workings of the committee.
What I heard from all of you in my discussions was very positive. John, if I were giving you an evaluation - and I have to say this is sort of interesting, because John has provided evaluations from my performance in the last several years - but I did want you to know that we would all be giving you an outstanding in all categories.
DR. LUMPKIN: And a raise?
DR. COHN: And a raise. That's right. (Laughter).
You know, John, as you say that, I did notice that there was something about - that I have always been missing about those evaluations and the final step, but thank you for pointing that out. (Laughter).
Clearly, the suggestions we heard from the committee members were really focused on making things better. They were modifications really around really our central activities to make things more productive, to make things work better, recognizing that we have limited resources. I am not going to go into them a lot today. We'll be talking about them, I think, as they begin to appear sort of over the next couple of committee meetings related to sort of specific changes that we'll likely be making - around the structure and functioning of some of the committees, but, you know, I think these are, once again, just sort of changes, not of mission, not really primarily of organization, but really more along the lines of style and all of this. So we'll, as I said, be talking about them. The Executive Subcommittee will be working on them, and we'll be talking about them more at future meetings.
And, actually, speaking of the Executive Subcommittee, I think you all have updated copies of the agenda, but I just want to sort of announce officially new subcommittee members and members of the Executive Subcommittee.
First of all, we have Don Steinwachs, who is going to be taking over for Vickie Mays as Chair of the Population Subcommittee, and thank you for being willing to do that, Don.
DR. STEINWACHS: And those are very big shoes to fill. I'm a little bit scared about my evaluation, Simon. (laughter).
DR. COHN: Okay. Right.
Now, I have also appointed Jeff Blair and Harry Reynolds as Co-Chair for the Standards and Security Subcommittee. Want to thank you both for being willing to do that. I mean, that's, once again, yet another big task.
Now, they will all be joining the Executive Subcommittee.
Now, as has been the tradition, I will be assuming the chair of the NHII workgroup, and this is a tradition that started with Don Dettmer(?) and continued with John Lumpkin, and, obviously, I will take that on, obviously, with all of your help.
Now, one of the things that I will be doing is to be working closely with all of the subcommittees and workgroups and the chairs to make sure we are developing well-articulated, agreed-to goals and work plans that are timely and relevant, and so you'll likely see me jumping in out and out of some of the subcommittee and workgroup meetings over the next couple of days, but I think, in this transition, it is really a time to reflect on the goals, the work plans. In some of our cases, we'll be likely to be holding hearings to get public and governmental input as we begin to develop these work plans, and, once again, it's just a time of reflection and change.
Finally, I do want to tell you how appreciative of the contribution from both Vickie and John.
Obviously, Vickie is our departing Chair on Populations. Obviously, I want to thank you for being willing – I mean, the good news - both of them - is that they are not going to go away very quickly. Vickie, in her case, is going to remain as a consultant to the committee to help us move forward with the very important Populations Report, which we'll begin to hear about today and we'll, hopefully, be acting on in June.
I have also asked John to continue as a special consultant and advisor to the Executive Committee, though I was actually, this morning, mulling about whether we needed to include the NHII as part of that, but he and I will have to talk about that, but I think we have all benefitted from his involvement in the NHII, as well as the NCVHS, over the years, and I, obviously, think that the committee would be well advised to ask for his continued counsel and guidance.
Now, there is honestly a lot more that I can say, and probably will as the day proceeds, but, obviously, we have a full agenda. This was actually taken out of the first part of our agenda, and so I want to return to the agenda and just sort of review what we are going to be doing today just so that everyone is aware of what the schedule is going to look like.
DR. COHN: This morning, we begin with an update from the Department. We'll have Jim Scanlon from ASP, Karen Trudel from CMS and Susan McAndrew from OCR providing an update, and, obviously, thank you for joining us.
Then, we'll be considering a letter on medical devices. Mark Rothstein will be bringing that letter forward for discussion and possible action.
After the morning break, we will begin the discussion of the second set of recommendations on e-prescribing. Jeff Blair and Harry Reynolds will be bringing that letter forward for discussion.
After lunch, there will be a review of a draft letter coming from the committee of comments relating to the proposed rule on e-prescribing.
Then there'll be a brief populations report, which I think, Don, you and Vickie are going to be sort of reviewing briefly, where we are with that, and trying to prepare the committee for further action in June. Correct?
Okay. And we'll spend just a couple of minutes on the 2003-2004 NCVHS biannual report.
Then, we are pleased to have David Brailer, who is the National Information Technology Coordinator, joining us for an update on current initiatives and issues.
Now, from three to five, we break into subcommittee sessions. We will talk about those rooms later on, but Subcommittee on Populations and Subcommittee on Standards and Security meeting at the same time. Then at five o'clock, we'll have a shortened meeting of the workgroup on the NHII, maybe from probably 5:00 to 5:30 or 5:45.
With that, let's start into the agenda for the day.
Again, we want to thank our departing members for their major contribution. John, you in particular. The committee is much better off through your chairmanship over the last number of years and we want to thank you.
SPEAKER: Here. Here.
MS. GREENBERG: Here. Here.
(Applause).
Agenda Item: Update from the Department
DR. COHN: Now, with that, Jim, do you want to - (laughter). Sorry, Jim -
MR. SCANLON: Good morning, everyone. Thank you, Simon.
Since we met in - I guess it was last November, obviously, a number of changes have occurred, both at the Department and with the committee itself, and let me go through a few of those things and talk a little bit about where we are with budget planning and some of the data initiatives across all of the Department.
Karen will talk about where we are with HIPAA, and Susan will talk about where we are with the HIPAA privacy regulation, so I won't be dealing with that.
But, first, I would like to add my own welcome to the new members. I spoke to most of you in the recruitment process, and we are very pleased, not only that you could come, but that you could actually make it for this meeting as well. Actually, the wheels turned fairly quickly once we got to that point. So we are very happy to have you here.
And, again, I wanted to add my own thanks and appreciation to the members who are Vickie, John, Gene and Peggy, who are rotating off of the committee, and I hope, again - as the Secretary always says in his appreciation letter to members who are retiring, we would like to be able to feel free to call on you as the need arises in the future, and I think we probably will do that in these cases as well.
We have actually had a couple of other personnel changes that effect the committee as well. Well, first of all, I should start at the top, I suppose. We have a new Secretary here at HHS, Michael Leavitt. Secretary Leavitt comes to HHS from the Environmental Protection Agency, which he headed for the past couple of years, and, before that, he was the Governor of Utah for a number of years, a number of terms; and, actually, by all accounts, he is actually quite savvy in terms of information policy, information technology, and he is actually quite interested in moving this whole agenda forward. So Utah, I think, has had a number of - Stan - was associated with a number of health-information technology developments, the Utah Health Information Network, and a number of other very positive and very pioneering efforts in Utah. So, hopefully, the Secretary will help us push these forward as well.
In my own office, and associated with the committee, I am happy to announce that we have hired Maya Bernstein as our privacy expert, privacy advisor at HHS. She is the successor to John Fanning. She'll be - I didn't say she "replaced", I said- (laughter). Maya.
MS. GREENBERG: Maya's got a big shoe.
MR. SCANLON: Yes. But Maya, actually, is quite capable in her own right. Maya is well known at the national and federal level for privacy expertise. She has been - held senior privacy positions at OMB. She was the privacy advocate at the Internal Revenue Service - talk about sufficient training for HHS - (laughter) - and she has had a private consulting practice and a law practice in information policy and privacy policy. So we are very happy to have Maya join us here. This is really her second week, and she'll be transitioning in as the lead staff for the privacy subcommittee.
A couple of words about our budget, where we are with the various budgets, because they effect a lot of what we can do, generally. We now have, as you know, an appropriation for Fiscal Year ‘05, and I'll talk a little bit about what that includes.
The President sent his budget up a little more than a month ago, and this is the ‘06 - Fiscal ‘06 budget, and it actually contains a number of the health-information technology investments that we had begun earlier, and let me just mention specifically what they are. There's a $125-million investment for health-information technology. Seventy-five million is requested for the Office of the National Coordinator for Health Information Technology, David Brailer's office, and that would include authority for grant and contract programs as well.
The focus would be to provide strategic direction for the development of a national interoperable healthcare system to encourage clinicians to collect and collaborate with international health information technology network.
And, again, the ‘06 budget will continue the $50 million initiative we began in ‘04 at the ARQ(?), at the Agency for Healthcare Research and Quality. This is a grant program, demonstration planning and implementation grants to accelerate the development, adoption and diffusion of interoperable information technology in a range of healthcare settings. So that is also included in the ‘06 budget, and the ‘06 budget also includes, I'm happy to say, a continuation of our $10-million data-standards - again, which we began in ‘04. This is funding that really allows us to do a number of the developmental work on a number of data standards in the prescription-drug area. It provides support for a number of mapping activities that the full committee has recommended, and this is administered by the Agency for Healthcare Research and Quality.
Mike, I think we had some good investments last year, and we'll be looking at what the ‘05 investments will be, and we'll be asking for the committee's advice there as well.
DR. FITZMAURICE: And thanks to your advice and partnership.
MR. SCANLON: On the population statistics side, I am happy to say that the budget that was actually enacted for Fiscal Year ‘05 included some good news for population statistics. It included a $25-million increase for the National Center for Health Statistics. I think I briefed the committee on this previously. This was the amount we estimated was needed to sort of maintain and protect and transform some of the core data systems at NCHS, everything from vital statistics to the health interview survey, provider surveys and methodology research. So without that, I am afraid we would be in fairly dire straits this Fiscal Year. Now, I believe we are on a fairly good footing. I think Dr. Sondik, tomorrow, will brief the committee on the state of the center when he comes before the committee.
This particular reinvestment was the Data Council's highest priority, recommended, included in the President's budget and Congress enacted that. So we are very pleased that everyone saw that as a very high priority, and, even better, that has continued. It wasn't a one-year kind of initiative. It actually continues at that level for Fiscal Year ‘06. So it is a boost that goes on for NCHS.
Within HHS, this is the time of year - February and March - where the Data Council does its more or less program review of where we are with the various surveys and major data systems across HHS. So at our March meeting next week, we'll be looking at - across all of the agencies about where, for planning purposes, the various surveys and major data systems are.
Again, this is just within HHS. We'll be looking at are there any enhancements, are there any retrenchments, are there more or less - services, operations planned for most of our major surveys, but we do want to get a sense of where we are now that the budgets are clearer and where we are heading in the next year or two.
The budgets for ‘06, in general, are fairly tight for all federal agencies, but, in general, it looks like our major statistical activities are being supported, for the most part, at the current services level, which is actually quite an accomplishment.
Let me quickly go to a couple of things the Data Council is looking at. There are four areas that leadership in HHS asked for a departmental kind of a perspective on, how are we doing in these areas in our data activities and what kind of gaps are there and what kind of enhancements and collaborative opportunities do we see in the months ahead.
The first area that we were asked to look at is in the area of prescription-drug data. This is associated somewhat - largely with the Medicare Modernization Act, Part D Program, but beyond that as well, we have a working group looking at what is our current capability for statistics, research and programmatic data on prescription drugs, and then what are some of the gaps and what are some of the enhancements that we could move forward on, and we have actually got a couple of enhancements moving forward in terms of prescription-drug data collected on surveys. We have some improvements going on there.
A second area is to look at national health insurance data and related data, but largely national health insurance status data, and, as you know, a number of our surveys here at HHS, and one at the Census Bureau, provide more or less annual estimates of the national health insurance coverage in the United States, the uninsured population - coverage exists as well. We don't always get the same estimates from those surveys, and so we have been - and this has been known for a long time. They actually measure somewhat different things when you look at them more closely, but we are looking at can we get a better understanding and a comparative framework across the surveys? Do we understand why the variations occur? Do we understand what the measures are, and are there opportunities for collaborative research in analytical work, modeling and so on in those areas across our various surveys? And we've actually got a number of good projects that are being considered in those areas as well.
And in these we include - in these discussions, we include not just the HHS agencies. We include the Census Bureau, the Treasury, the GAO, the CBO and the Congressional Research Service and other agencies that use the data and even collect some of the data.
Two other areas, quickly. We have begun to look at - after looking at the national-level data estimates for health insurance, we have begun to look at what capabilities we have for state and local data. The initial focus is on survey estimates for health insurance data, and, again, we have a little bit of capability in HHS, and the Census Bureau has some of this capability as well. We are not as far along there, but we will be looking at what might make sense for enhancements.
And, then, finally, really, at our December meeting of the Data Council, we - and, again, this was at the request of HHS leadership - we began to look at how we measure income and wealth and related data in our major surveys.
In most cases, we are measuring income and wealth as a correlate to understand health and human services, not to make - HHS doesn't make estimates of national income particularly - and how the various surveys compare in their measures, what the strengths and the weaknesses are, and, clearly, there are a couple of opportunities there for some enhancements and improvements as well.
So let me stop there and I'll see if there are any questions.
DR. COHN: Well, actually, I think Sue McAndrew has to leave shortly. So I think - if it's okay - can we hold the questions until after Sue has had a chance to present? Is that okay? Great.
Sue, why don't we let you go and then we'll come back to questions?
MS. MC ANDREW: Thank you very much. I apologize to the committee. I wound up with a conflict this morning so will have to make this relatively brief.
I did want to let you know that there are three new areas of FAQs that have gone up on our website recently. The first is a suite of FAQs attempting to clarify the permitted uses and disclosures of health information in the context of litigation and what the differences are between requests that come to a covered entity as a third party and what the permissions are if the covered entity is itself a party to the litigation. So we have tried to work out those clarifications, and, last week, Rick Campanelli(?) was down in Florida speaking to the American Bar Association's health group and that was one of the things that was on the agenda for them. So we were quite happy to get that set of FAQs up.
We also have just recently posted two other FAQs, one on clarifying how health plans can continue to provide information to the child support enforcement agencies through the National Medical Support Notices; and the newest FAQ concerns the permissions surrounding the use of interpreters, largely language interpreters or interpreters for the hearing impaired, and the various ways in which those interpretive services can be provided to patients.
This presented us with an interesting crosswalk within - because we had a chance to merge the privacy side of the office with the civil rights side of the office because they also do the LEP guidelines and we were able to crosswalk the two provisions.
On the compliance front, just briefly, we are up to 11,258 complaints and we have closed 63 percent of those - my rough count this morning. This is through the end of February. The nature of the complaints and the entities against who they are filed remains pretty much the same, and so I won't go back over that.
I would just also like to say that we have - we enjoyed the hearings that the NCVHS Privacy and Confidentiality Subcommittee had, which I guess was also last week. Oh, my God, yes. How time flies. What happened last week? And we are really - we found those to be very - provided a lot of good information, and we are looking forward to the hearings in March out in Chicago.
One of the other things that is causing all my calendaring issues is that we also - there are going to be changes in the privacy team. We are doing a good bit of hiring, and there will be - we are looking for - looking to put people in some leadership positions. I believe there was just posted that there will be an SES position in the office for privacy at the deputy director level. So there will be changes a-coming for the privacy team.
DR. COHN: Let's take a minute for questions. Michael.
DR. FITZMAURICE: Yes, I wondered how many cases have been referred to the Department of Justice for criminal prosecution and have there been any convictions? I know that there was a case, I guess, in Washington. Somebody used information for credit cards. That question arose. He pled guilty to the privacy rule, but they are not sure whether it was a privacy-rule violation because the person might not have been a covered entity.
I probably am muddling all of this. I wonder if you could make some sense of how many cases have we referred and have there been any convictions?
MS. MC ANDREW: I didn't get the most recent count. As of the end of January, we had referred 170 cases, and, in addition to those referrals, we also - Justice advised when there are stories - pressure - other events that come to our attention, so we do informal referrals as well.
With regard to the Washington case, that was - as I understand, that was a guilty plea which was entered and approved by the judge, and so -
DR. FITZMAURICE: There it is.
MS. MC ANDREW: There it is. Hands going up.
MR. HOUSTON: Any movement on trying to get the statistics we talked about and will this hiring help us at all?
MS. MC ANDREWS: The hiring is going to help us because there hasn't been much movement to date.
DR. COHN: John Paul, good question.
Questions?
Michael, again.
DR. FITZMAURICE: Are there any proposed changes in the privacy rule coming that we could expect in the next year or year and a half? Is somebody looking at proposed changes and might you be coming out with something in the next year, year and a half?
MS. MC ANDREW: We always are looking at changes. I think now that we are up on our second anniversary, it is time to consider what those issues are and to look at them in terms of much more experience. In the early - in the first year and a half or so, it was a little too soon to figure out whether this was just initial compliance glitch or something that was really troubling with the way the rule was written. So I think we now have enough experience that we can begin seriously assessing whether or not additional changes need to be made in the rule.
DR. TANG: Is there any thought about exploring how this might impact PHRS, Personal Health Record Systems, particularly when their data is contained in systems that are owned and operated by a third party that is not a covered entity?
MS. MC ANDREW: We have been working closely with Dr. Brailer's people, in terms of all aspects of the rollout of the electronic health record and the national health information infrastructure, and, to the extent personal health records are a part of that, we have been involved in those conversations.
Right now, we are more or less statutorily constrained to the extent those third parties that are operating personal health record systems are doing so in connection with - as an outgrowth of a plan. I would expect that there would be a business-associate relationship between those entities under the rule as currently structured, and even to the extent they become involved in some sort of network, I would also expect that there would be a business-associate arrangement that would protect the information that they hold, to the extent that they are, right now, independent vendors that are largely dealing directly with consumers to set up these accounts. Then, to the extent they are getting the information directly from the consumer, they really are outside of the rules purview and a statutory change would be needed to change that relationship.
DR. STEUERLE: Hi, Susan.
I have sort of asked this type of question before, but I am wondering if there is any progress within HHS - I realize this is not necessarily your purview necessarily - but over trying to examine a bit more some of the various costs as well as benefits of the various - not just the specific privacy, really with the privacy concerns in general and how they play out. I mean, it plays out - probably play out in one sense with personal health records, but I can think of a whole range of other issues.
I am just wondering whether there is some systematic way or rigorous way within the department to try to get at the cost as well as the benefit side of it, not so much legislative proposals, but at least to outline the extent to which - what we know or don't know about how these things are playing out.
MS. MC ANDREW: I suspect that that is more of a Jim question than a me question, but -
MR. SCANLON: I can answer some. Did you want to say anymore?
I think what we started to do is - and I don't know how - there is thought being given to how would you - I'm not sure it costs so much as how would you - what kind of metrics and measures and data would be needed is the first step, Gene, I think, to even assess. Obviously, the first two years were focused on just getting HIPAA simplification and privacy rules in place and getting some experience with the actual operation.
We actually have some - for our research and evaluation plan, at least within my office, and this would be an interagency effort.
We have a proposal to begin to look at what measures and metrics and data would be necessary to go in that direction. So it's the - it's not even - it is the step that would precede that, and we probably will be seeking some advice from the committee on how do we even conceptualize how you would measure benefits, costs and progress and indicators.
MS. MC ANDREW: I think teasing costs for this function out of all the other costs that effect the industry.
DR. COHN: Yes. Yes. Richard is next, but I just had a clarification on your comment. Is this something that your new staff is going to be taking the lead on?
MR. SCANLON: Possibly. Possibly.
DR. COHN: Okay. Thank you.
MR. SCANLON: Yes. We are doing our research planning within ASPE - this is our policy research plans, and so, at the moment, it is a proposal.
DR. COHN: Okay. Great.
Richard, and then Mark.
DR. HARDING: Gene has mentioned that it was a repetitive question, but I, too, have the same repetitive question, because everywhere I go, when people find out that I have something to do with HIPAA, they ask me the same question - that is, providers - and that is around the issue of these 170 cases referred to Justice are any of them because of omissions of HIPAA regulations?
That is, doctors come up to me, if I don't have the screen on my television that is directional or on my computer monitor that is directional, am I going to jail? And I have been able to kind of comfort them a little bit that certainly you should have those kind of things, but that isn't what Justice is all about right now with HIPAA. Is that still an honest answer?
MS. MC ANDREW: Yes. I mean, first of all, Justice is really only taking cases and they only have jurisdiction where there has been an impermissible disclosure. So, to the extent that the screen is not perfectly tilted, that is more of a safeguard issue, and it'll take several other things to happen before it would be even something that would come to the attention of Justice.
DR. HARDING: You would still describe these 170 cases as being rather egregious?
MS. MC ANDREW: They are quite - they are the most serious types of breaches of confidentiality.
DR. HARDING: Thank you.
MR. ROTHSTEIN: I just wanted to clarify for some of our new members that Gene's question earlier and Jim's response about the studies that are needed to measure the costs and effectiveness of HIPAA, the NCVHS already is on record and has sent a letter to the Secretary recommending that such a system be established. So we are committed to that as a committee, and I am pleased to hear from Jim that we are finally going to be moving forward on that.
DR. COHN: Sounds like Gene might have to join another subcommittee. (Laughter).
Okay. Well, Sue, thank you very much. We appreciate your time, and I know you've got multiple things going on.
MS. MC ANDREW: Thank you, and I apologize for the shortness of the presentation.
DR. COHN: Oh, no. We appreciate it. Thank you.
Agenda Item: Data Standards, Including Clinical Data Standards Adoption CHI Update
DR. COHN: Karen, I think I am going to suggest that why don't we let you go forward and then we'll handle questions for both you and Jim sort of together in discussion for the remaining period.
MS. TRUDEL: That's fine. Thank you.
Actually, I am going to spend most of my time here providing a little bit of an overview of the e-prescribing proposed rule, and I'll start with some important dates.
The proposed rule was announced by the President and went on display on January 27th. It was actually published in the Federal Register on February 4th, which makes the 60-day comment period ending on April 5th.
So I would like to talk a little bit about what is in the proposed rule.
First of all, I would remind you all that the NCVHS had a very specific role that was set out by the MMA, and, in the regulation, we do talk about the NCVHS role, the process, the hearings that went on with scores and scores of stakeholders through the spring and summer of last year, and the regulation does track very closely with the committee's recommendations, and as I have said before, I think that hearing process stands as a model of public-private consultation and probably sort of a shining example of what a federal advisory committee is supposed to do and look like.
The MMA does state that standards for electronic prescribing will be pilot tested before adoption, and that the Secretary is to announce the initial standards that will be pilot tested by September of this year.
The law also leaves us with a little bit of an escape hatch, because it talks about an exception for providing - for going straight to adopting final standards in situations where there is already adequate industry experience with a standard, and that is a very important concept in this regulation. We very definitely hung our hats on that big time.
So what this regulation does is that it sets out a number of what we are calling foundation standards. They are building blocks that will allow us to enter into an electronic-prescribing environment. They don't have all the functionality that we will need, by any means, but they are a very good place to start and to build on.
The regulation talks about what those foundation standards are. It also explains our incremental strategy that we are starting with these foundation standards, that we will layer other functionality on the top, and that, ultimately, we do not expect to be developing these standards in a vacuum, that these are not to be a Medicare Part D e-prescribing silo, nor are they intended to be an e-prescribing stand-alone that never links up with an electronic health record. So we are standing at the beginning of a road. We know where the end of the road is, and we are soliciting comments very specifically on our strategy from getting from Point A to Point B.
The other thing we discuss in fair detail is state preemption. We know that is a significant issue. A number of presenters have talked to us about the fact that various state laws and regulations, because of their differences across the states, can serve as a barrier to e-prescribing on a national basis.
Let me talk a moment about the foundation standards, and there are three of them.
First of all, obviously, you need a standard to get prescription data to and from physicians and the pharmacies that they are sending the prescription to, and, for that, we have proposed the NCPDP SCRIPT standard for a variety of uses - new prescriptions, refills, changes, cancellations, and there is some ancillary messaging acknowledgments, et cetera, that are necessary to make those transactions run smoothly.
We are not proposing the standard right now for the fill-status process where the pharmacy can tell the physician or the prescriber that the prescription was not filled, was not picked up. The reason that we did not propose that was that we found, during the testimony, that nobody felt that there was adequate industry experience with the use of the SCRIPT in that context. So that is something that we'll be reserving for the pilot-test process.
And I would point out also that the SCRIPT standard is an already-identified standard under the Consolidated Health Informatics Initiative. One of the things that the committee recommended was that, to the extent possible, we stay consistent with CHI and HIPAA standards that are already in place.
The second foundation standard is for eligibility and benefits inquiries and responses going between the prescriber and the sponsor - you'll note, not the pharmacy and the Part D sponsor - and for this we are proposing the X12N270/271, which is already a HIPAA transaction and is already in use in the industry, including any prescribing applications.
And the third foundation standard is for eligibility and - I feel like I am doing the Academy Awards - (laughter).
SPEAKER: And the winner is -
MS. TRUDEL: And the third nominee is for eligibility and benefits, inquires and responses between dispensers, pharmacies and Part D sponsors, and, for that one, we are proposing the NCPDP Telecommunications Standard which is, again, already adopted under HIPAA as the transaction for the retail pharmacy drug claim and ancillary messaging. So that one is very definitely in extremely widespread use throughout the industry.
Now, we hit a kind of a hybrid because we looked at formulary and benefit information and medication history information, and, again, these are absolutely critical in that they get information to the point of prescription so that the physician is aware of any formulary restrictions. They are aware of any tears in the formulary, and they are aware of not only the medications that they have prescribed for the patient, but that other physicians may have prescribed for the patient, which is critical to patient safety.
When we looked, however, at the existing mechanism for communicating that information back and forth, we found out that, while there was at least one standard in fairly widespread use - these were proprietary formats in use developed by RxHub - that they were not accredited by any ANSI-accredited SDO, and we were not absolutely certain that there were no other candidate standards out there.
So rather than proposing to adopt these non-ANSI-accredited standards, we chose to instead propose some criteria that we would use, characteristics that we would use to adopt or to identify standards for formulary and benefit information and medication history.
One was that they be accredited by an SDO and also that they permit interfaces with multiple products and vendors to make sure that they would work, again, on an industry-wide basis and that we were not building up some sort of a silo that would prove to not be interoperable at a later time.
We also set out some other criteria, both for formulary and benefits and for medication history. There's an awful lot of verbiage on that screen, but the bottom line is that for formulary and benefits, we wanted a uniform means to communicate a wide range of formulary and benefit information; that is, that we did not want the standard to constrain how a plan might structure its formulary - whether or not it had tears, how it expressed the formulary. We wanted the standard to be flexible enough that it could take any structure that was there and communicate it accurately.
For medication history, we wanted, again, a uniform means of requesting and providing listings of drugs, and we also wanted to make it possible to restrict the prescriptions to certain time frames, so that you would not necessarily get back two, three, four or six, eight, 12 months of information, if all you wanted was the last three.
So we also solicit comments on these criteria, and, again, on what specific standards, including RxHub, might meet these criteria. So we are open to potential other candidate standards, although I must say that in the course of the very detailed testimony that the subcommittee heard, no other potential standards kind of bubbled up to the surface.
And, again, just sort of a postscript to this, the industry kind of got where we were going with this very early on, and RxHub volunteered to donate, essentially, its proprietary format as a basis for a standards development organization and SDO-accredited product.
They had been working with the National Council on Prescription Drug Programs and have been working to potentially get those RxHub proprietary formats for formulary and medication history through the SDO-accreditation process, which would then meet the one criterion especially that these proprietary formats did not previously meet.
A word of caution there. This process is still ongoing, and the subcommittee is committed to continuing to monitor that progress. If the standards come through the process, however, and they have changed significantly, there is a need to go back and look to see whether, at that point, the product that comes out at the final analysis continues to meet the requirement of adequate industry experience, because the standards, as they now are, do have adequate industry experience. If they change too much, we may be back to the drawing board and those standards may wind up being part of the pilot test and would not go into effect until 2008, 2009, rather than being part of the Part D program in general coming up in 2006. So that is a critical one that we are watching very, very closely.
Okay. The first set of standards, as I said, does not represent the full set of standards necessary for e-prescribing, and that we will - HHS will identify, as required in the MMA, a set of initial standards to be pilot tested in 2006; and, again, the committee's initial recommendation letter from last September already identified for us a number of potential standards that we do need to test, and we will be - once that process is finished - then going through a separate rule-making process to build those new standards on top of the foundation standards; and, again, we request comments on this incremental approach.
The state-preemption issue, which, as I said, was rather critical, in the regulation, we talk about the fact that there could be several ways to do preemption, one that would only apply to transactions and entities that are part of an electronic prescription drug program under Part D - in other words, it would be Medicare Part D limited - or we could apply it to a broader set of transactions and entities and say we are preempting just about everything for just about every e-prescribing application.
In the proposed rule, we take that first narrow interpretation and, again, invite public comments.
Another issue that is discussed in the regulation is the use of the National Provider Identifier, which is a HIPAA standard to identify both prescribers and pharmacies that are actually dispensing the prescriptions. We are in a sort of a time crunch as far as that is concerned, and I'll talk a little bit about the NPI later.
In terms of the NPI-enabling regulation, covered entities would not be required to use their NPIs until 2007. If we were to adopt and implement the NPI in e-prescribing, it would have to occur initially in 2006, and so we are asking for comments on the potential impact of accelerating that by a year or more.
And, again, there was a lot of discussion about the use of standards within an enterprise. For instance, a staff model HMO that has a pharmacy, the entire prescription transaction could be taking place within one entity where the physician who writes the prescription, the pharmacy that dispenses the medication and the plan itself that is bearing the risk are all part of the same umbrella organization.
The NCVHS recommendation was to exempt those transactions within an entity because, in many cases, entities of that sort that have already implemented e-prescribing have done so with HL-7 standards rather than the ones that we are recommending.
In the NPRM, we communicate that recommendation, but we note that the notion of standards within an enterprise is inconsistent with the way HIPAA administrative simplification treats that issue. Under HIPAA we require that a standard be used even within an enterprise as long as it meets the definition of what that HIPAA transaction is. So we are soliciting comments on that issue.
Let me talk a little bit about pilot testing. As I said, the pilot tests are required in calendar year 2006. We will soon be soliciting applications. We are working on a Request for Proposals right now, and we expect that we will provide some criterias to what will be included in the pilots. We will do this in full and open competition, and, again, the participation in pilots is completely voluntary.
The structure of the pilots will probably follow, in many ways, the NCVHS recommendations, and we have already done an analysis of existing e-prescribing programs that are in operation. That will inform the discussion as well, and, at the end of the pilot process, we will be required to do a report to Congress in 2007, and then promulgate final standards no later than April of 2008.
So those subsequent milestones we finish, hopefully, in 2008, and that completes my presentation on e-prescribing.
Let me talk a little bit about the security compliance deadline that is coming up on April 20th of this year. I am sure that, again, security compliance and enforcement, because it is very closely linked to privacy enforcement, is, again, probably raising the same kinds of concerns that Richard mentioned earlier among practitioners, and I want to state, again, very clearly, that the security process, like the privacy process, is complaint driven. It is not audit driven. We realize that many security complaints may have a privacy aspect to them and vice versa, and we have been having very intensive discussions with the Office for Civil Rights to sort out how we are going to collaborate on processing dual complaints and how we are going to decide which complaints have privacy or security implications.
We are looking at a one-stop-shopping kind of perspective where the complainant doesn't have to work out, well, this is a privacy complaint, so it should go to CMS or it is a - OCR or it is a security complaint and it should go to CMS. Wherever the complaint is initially submitted, we will all take a look at it and the service will happen from the agency that receives the complaint, but we'll take care of sorting out who needs to do what, and, hopefully, that will make the process a little bit smoother.
Also wanted to say that we are in the process of final clearance of a number of technical materials having to do with security, some frequently-asked questions that have been cropping up over the last months and some technical papers on security - a whole series of them - not dissimilar to the ones that we developed for HIPAA transactions and code sets.
Let me talk a little bit about the NPI as well. The effective date of the regulation is coming up in May. You remember the effective date of the regulation was put off so that we could make sure that we were able to assign NPIs as of that date. So the compliance date is now in May of 2007.
We have selected an enumerator contractor. It is Fox Systems, and so they are on board. We are working on system testing on the system itself. The enumerator is there, and we are in the process of planning some fairly intensive outreach over the next two to three months to make sure that providers are aware of what the NPI is, what the deadlines are, how you get one, what does it all mean, et cetera.
And I think that is all I wanted to report, and I would be happy to take questions.
DR. COHN: Well, Karen, thank you very much, and I would comment that while we did not choreograph this, at least I don't think we did, we were wondering how to give everybody a little bit of a background on e-prescribing. So, thank you very much.
Questions or comments from the committee? Harry.
MR. REYNOLDS: Karen, security is probably the quietest of the HIPAA implementations, at least it appears. Are there any areas – well, first, do you think that - are really moving forward, and, second, are there any particular areas where the rule that you think are the biggest problems?
MS. TRUDEL: Yes, from the industry surveys that I have been seeing, I clearly can't say that 100-percent of covered entities intend to be compliant by the deadline, but the number is fairly high and it is moving in the right direction, I think.
I guess the implementation is quiet because a security violation will not stop cash flow, and because security, from a patient's perspective, is a little bit harder to assess than, for instance, did I or did I not receive a notice of privacy practices. So I think that that kind of contributes to this.
I think, in terms of potential hot spots, that the main one that I see is just communicating the concept of risk analysis and risk management and making sure that covered entities, especially the smaller ones, understand what benefits we have provided to them by the flexibility and the scalability and the fact that solutions don't have to be technical and that they don't have to be expensive. Those are some of the things that - messages that we are trying to get across.
DR. COHN: John Paul.
And I should actually comment that since Jim Scanlon missed his chance for questions, he is fair game, too. (Laughter).
John Paul.
MR. HOUSTON: A couple of comments.
The tech papers that you talked about being made available for the security role, are any of them going to relate to medical equipment?
MS. TRUDEL: Specifically?
MR. HOUSTON: Yes.
MS. TRUDEL: No, not specifically.
MR. HOUSTON: Okay -
MS. TRUDEL: They are fairly general.
MR. HOUSTON: Okay. Thank you. That is the first question. The second question, you had talked about the complaint process and how you are going to manage inflow of complaint. There has been a lot of discussion about JCHO and its desire to potentially involve itself in assessing organizations' compliance, the security role or looking at security-related - healthcare provider.
Is that going to be an avenue for complaints or information coming back to your organization or would that be separate and distinct and -
MS. TRUDEL: I would see that as being separate.
We have not had any discussions with the joint commission on an official role for them. We do have some contracted resources, but they would be what we would use to actually do assessments should we exceed the capabilities of our own staff resources, and we don't communicate information to anyone on open complaint. So we are certainly not going to communicate information to the commission.
MR. HOUSTON: Right.
MS. TRUDEL: And unless the commission were actually to file a complaint, we would have no way of knowing that there was any kind of a violation.
MR. HOUSTON: Thank you.
DR. COHN: Okay. Mark, then Jeff, then Mike.
MR. ROTHSTEIN: Thank you.
My comment flows from Jim's statement, but only indirectly, and I would like to propose a change in our committee website that I think will make it easier for committee members and the public to follow what has happened as a result of the recommendations that we make, and so what I would propose is that where we list the letters that we send to the Secretary we link to the responses that the Secretary has given to the letters and put the date of the response, et cetera, and, if it is easily achievable, link to other things that have occurred as a followup to our letter. So it may be a guidance document that was issued by CMS or OCR or FAQs or something.
There are practical limits to the extent to which we can keep updating all of our letters, but I think, based on, for example, press calls that I get and inquiries from colleagues, it would be very helpful if we try to do a better job of documenting what has happened as a result of our recommendations.
MR. HOUSTON: I second that. I think -
DR. COHN: Well, I guess we should ask Jim about that, since we are directing it towards him. I think - the initial idea seems to be - should be very doable, I would think.
MR. SCANLON: I certainly think we'll look into it.
Now, we do publish on the website the responses from the Secretary, but, you are right, they are not linked, Mark, necessarily, to the incoming, but we can certainly look at that. Any way to make it more user friendly.
Now, there may be a practical limitation on when we begin linking to related actions, as a practical matter that may not be -
MR. ROTHSTEIN: Right. I understand.
MR. SCANLON: But, certainly, directly related papers, reports and guidances and so on, we'll try to do that. So we'll look at that.
DR. COHN: I would just say, to follow that one up, I think that, certainly, the first step sounds very easy. I think the Executive Subcommittee will have to monitor, discuss that sort of next step, because, conceptually, I think we all agree, it makes sense, but a lot of times, you know, we influence actions. We don't directly -
MR. SCANLON: It's not a one for one.
DR. COHN: It's not a one for one, and so I think we just need to be a little careful, because, in some ways, that is beginning to take credit for things that we may - (laughter) - may be inappropriate to be taking credit for.
But I think that is an Executive Subcommittee thing and we can sort of monitor that and report back to you.
Okay. Jeff.
MR. BLAIR: Thank you.
I'm not sure whether this question is most appropriately going to be addressed by Karen or by Jim, and I'm going to just say a couple of words for some of the new committee members or folks that may not be familiar with some of these things.
You know, we went through kind of several years when we were very focused on the standards as directed by HIPAA, and then we had a few more years where we were very focused on NCVHS as we got to clinical data standards where the Consolidated Health Informatics Initiative was kind of the main group that we worked with, and there's been a few references now to the emergence of the Federal Health Architecture, and I was wondering if either of you could help us understand what role that will be playing and how does it relate to - and, also, in specific, does it replace CHI? Does it - it compliments CHI or is it just a next step?
MR. SCANLON: Should I take a crack, Karen?
MS. TRUDEL: If you want.
MR. SCANLON: As usual, Jeff, you ask a very good question. (Laughter).
I think we are planning - we actually talked about this in the Executive Committee. I think we are planning to - the Federal Health Architecture is an interagency federal group that includes DOD, VA, a lot of our HHS agencies and a lot of the other agencies that have - that are involved somehow in the federal health and public health enterprise, and it is - certainly, OMB looks on it as kind of an interagency way of coordinating and helping with the broader issue of coordinating health information technology in the federal sphere.
It includes the CHI. The CHI is an element within the Federal Health Architecture.
But I think you are raising the question that we are all sort of beginning to consider again. I think David Brailer, in a way, alluded to this in one of the letters to the committee. I think maybe what we - Because the Federal Health Architecture is now an interagency activity, we may want to have them come in and brief the full committee on what the scope and the nature and plans and the deliverables for that whole effort are.
I think David Brailer was actually asking the committee to serve in a review capacity for recommendations that would be coming out of the FHA.
The CHI is within the FHA - I think I am stating this correctly, Karen - but the FHA includes other activities as well. It probably will include architecture kinds of considerations and frameworks and possibly some other broader things.
So I think the timing is probably right where we want to think about bringing, maybe, a briefing on the FHA to the full committee, probably, Simon, at a future meeting.
DR. COHN: Yes.
MS. TRUDEL: And if I can follow up, the FHA's Program Management Office is being run from the Office of the National Coordinator.
The CHI is a workgroup under the FHA, and many, many of the same participants continue to be involved, including CMS, DOD, VA, and so there is continuity there, but the sense was that, as of this point in time, events have kind of caught up with us, and it did not make sense to continue to have CHI in a capacity that was outside the general discussion of a health architecture, because the standards and the vocabularies are such an integral role in developing that architecture. So I kind of view it as being a - not a demotion of CHI, but a very necessary linkage point.
DR. COHN: Yes, and let me also sort of comment.
I have actually already invited the FHA to come and present in June. So there will be a briefing. I am expecting, based on my initial understanding, that this will likely generate - I mean, there needs to be a briefing at the full committee, but I expect that it will be generating some subcommittee action, in terms of further investigation, hearings, et cetera, but I think it is too early yet to really say exactly what that will be, but, certainly, is a - I think the full committee needs a briefing on this, and it is - I think, from my view, it is CHI and a whole lot more. Clearly, it is an architecture, not just a set of data standards that deal with domains.
So, anyway, Jeff, does that answer -
MR. BLAIR: Thank you.
DR. COHN: That is at least one level of response.
Now, Mike, you have a question, and I think, after that, we are going to have to sort of complete this section and then move into our letter.
DR. FITZMAURICE: All right.
DR. COHN: Oh, is there - Oh, I'm sorry. Carol had a question. Okay. You're the last one then.
DR. FITZMAURICE: Karen, at the last full meeting, Nathan Koladne(?) presented to us and gave us a number of HIPAA complaints, number resolved, percent of Medicare claims that are compliant with the transaction and the code standards and their implementation guides.
Who is the head of the office now, and do you have those same kind of statistics that you could give us?
MS. TRUDEL: The directorship of the office is currently vacant and I do have statistics. I have not brought them with me. I can recall, off the top of my head, our rate of closing complaints is at about 53 percent, that many of the complaints we are receiving have to do with either trading-partner-agreement problems, where one party is alleging that the provisions of a trading-partner agreement either are counter to HIPAA or there are situations where inappropriate charges are being made, and, also, many of the complaints have to do with allegations that compliant transactions were rejected by a health plan.
Most of the complaints continue to be filed by our own behalf of the providers, and, in terms of the Medicare percentage of compliant incoming claims, we are hovering at about 99 percent of compliant incoming transactions.
DR. FITZMAURICE: Well, and could I follow up with a presentation you made on what dates will physicians be able to request and on what dates will they be able to receive their National Provider Identifiers?
MS. TRUDEL: It is my understanding that the system go-live date, where NPIs could be requested, is still somewhere around the end of this coming May.
DR. FITZMAURICE: And they then should be able to receive them in a month or two after that?
MS. TRUDEL: Well, the process is primarily web based, so depending on any kind of additional information that might be needed, it would be possible to get one almost immediately.
DR. FITZMAURICE: Great. Absolutely great.
DR. COHN: John Lumpkin was asking me if he could get a special vanity number. (Laughter).
DR. LUMPKIN: Like 007.
MS. TRUDEL: We have reserved that for you.
DR. COHN: Carol, please.
MS. MC CALL: Yes, I wanted to ask a question about one of your - I guess one of your first-runner-up foundation standards from this morning, and it has to do with the formulary and benefit medication history.
You talked about the fact that no other standard had bubbled up and that you are monitoring that one closely, and so while I certainly understand - because of some of the things I have done in my work history - that they need to be very flexible, and, yet, if they went into pilot, as opposed to foundation, there could be a material impact on adoption, because it could significantly enhance the experience of electronic prescribing and all that.
So with that as context, my question is what do you think the likelihood will be of the significant changes that could come out from the comment period? What have the comments been to date? And some of this is a little bit of history for me, being a new member, just trying to understand through this comment process and soliciting comments back, the likelihood that it would end up in pilot as opposed to foundation.
MS. TRUDEL: I think there are a couple of different questions kind of intermixed in there.
The comment process, under the Administrative Procedure Act, goes for, as I said, 60 days. The comments will - the comment period is up on April 5th.
Traditionally and historically, we receive 98 percent of the comments within three days of that deadline. As of right now - and I checked yesterday - we had not received one single comment on this NPIM, and we are already halfway through the comment process.
So as far as a sense of where the public comment is going, I don't know.
Let me take another step, though, and say that the SDO process, the process within the NCPDP, where the members of NCPDP are looking at the RxHub proprietary formats and trying to turn them into standards, is still ongoing. So I think that is very, very much up in the air, and, in fact, there is a meeting in Phoenix this weekend to kind of duke out some of the potential comments. So I think it is too soon to tell.
DR. COHN: And, Karen, I should comment that many of us in the industry are still trying to deal with responses to the 45-day CFS notice and other such things like that. So, yes, you will get comments three days before they are due, but not that day.
Any other comments, questions?
Okay. Well, we want to thank both - Karen, we are obviously delighted to have you take on the role of - liaison to - from CMS to the committee. So welcome.
MS. TRUDEL: Thank you. I am looking forward to it.
DR. COHN: Yes. Now, with that - and, obviously, I want to actually thank our new members. It is unusual in our first session to have new members starting to ask questions, and we certainly - I think it speaks well of the new crop. So good.
Agenda Item: Privacy Letter on Medical Devices Action March 4
DR. COHN: Now, what we are going to do now is to turn to a letter for consideration which Mark Rothstein is going to bring forward.
Now, for our new members in this room, and also our old members, it is usually the tradition of the committee that what we do is we do a reading and comment on the first day, then moving to an action the second.
We also, normally, if we are dealing with a letter, we pass it with the ability to make minor wordsmithing changes, because there's always wordsmithing changes.
Now, however, having said that, if a letter really does look pretty good and everybody is generally in agreement, we do typically reserve the right to actually move a letter even on the first day, if there's no disagreement. So we do have some flexibility on that.
So, Mark, I am passing this over to you, and what would you like to do with this letter?
MR. ROTHSTEIN: Any objections? That is what I would like to do with the letter. (Laughter).
The letter is in Tab 3, and I want to just briefly say, for background, this was a letter that arose out of joint hearings between the Subcommittee on Standards and Security and the Subcommittee on Privacy and Confidentiality that were largely the result of John Houston's work. So we need to acknowledge that.
There are a number of places in the letter that, as I have gone through it, minor changes need to be made - adding the Secretary's name, adding some capitalization, subtracting some capitalizations and so forth - that we will add before tomorrow's final version comes through.
Simon, do you suggest that I read the letter for the benefit of the internet listeners?
DR. COHN: Yes, if you would, that would be useful.
MR. ROTHSTEIN: So the letter, as modified, will read something like this?
"Dear Secretary Leavitt,
"As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996, HIPAA, the National Committee on Vital and Health Statistics, NCVHS, monitors the implementation of the Administrative Simplification Provisions of HIPAA, including the Security Standard for Electronic Protected Health Information, Security Rule. The Subcommittee on Privacy and Confidentiality of the NCVHS held hearings in Washington, D.C. on November 19, 2004. The hearings were intended to gather information about the effect of the Security Rule on medical devices.
"At the hearings, we heard testimony from the Veterans Administration, VA, the Food and Drug Administration, FDA, as well as various manufacturers of FDA-regulated software and medical devices. We also received written comments from an individual representing various medical-device-industry groups.
"The witnesses indicated that there are a wide variety of challenges associated with bringing medical devices into compliance with the Security Rule, as well as providing effective security. The witnesses' testimony centered around two main themes:
"1. While most new and currently produced medical devices are capable of complying with the Security Rule, much of the medical equipment in use is no longer manufactured and may not be ungradable by the manufacturer. As a result, it may not be possible to bring these ‘legacy devices' into compliance with the Security Rule.
"2. Many of the medical devices manufactured today contain commercial-off-the-shelf, COTS, software and operating systems. Because of the critical nature of the medical equipment, any updates - including those released by COTS software manufacturers in response to specific security threats - must be tested to ensure that the updates do not adversely affect the operation of the medical device. This testing often delays implementing critical security updates. Further, Manufacturers are concerned that some customers update medical equipment with the latest patches without first verifying whether the update affects the safe operation of the medical device."
Should I stop here, perhaps, and take comments?
DR. CARR: Justine Carr.
It might be my naivete, but I'm wondering if we might have a statement of the current state of what is it that is - what are we fixing? In other words, what is it about medical devices and security? What is the problem
that we are fixing?
MR. ROTHSTEIN: John, do you want to -
DR. CARR: A medical device - how does a medical device link to security?
MR. HOUSTON: I think - I mean, it is buried in the second of the main themes that was outlined on page 1, which is - well, first of all, the fact that they have commercial-off-the-shelf software and operating systems embedded in them and that they must be tested to ensure that the updates do not adversely affect the operation of the medical device. I mean, it is buried there. I think maybe we could - If we wanted to, we could push that up into a paragraph.
MR. ROTHSTEIN: Well, I am hearing Justine's question to be at a more general level even. I mean, why is this a HIPAA issue at all and so forth?
DR. CARR: Right. Does a medical device have a patient's name on it somewhere? That is the part I am trying to understand. I mean, I kind of know the answer, but -
MR. ROTHSTEIN: John.
MR. HOUSTON: I mean, we can add a paragraph to discuss that. I think it is pretty clear that some medical equipment does, in fact, have patient information, as well as the fact it is - if it resides on a network which is used by other systems that contain patient information, they may be the source of some type of malicious attack or vulnerability, which could then impact that equipment.
DR. CARR: I'm not sure - You know, I guess it depends who the audience is. Maybe the Secretary knows this, but a lot of people don't know of the link of a medical device linking to a particular patient, and I think it would be helpful to state that that linkage is subject to this kind of scrutiny.
MR. ROTHSTEIN: So as I hear the suggestion, what we need to add to the letter is some indication that there is PHI in the medical devices or linked through the medical devices to some other aspect of the medical record in the hospital or other institution, and that is why it is a HIPAA-security issue. Is that your question?
DR. CARR: Yes, that would be great.
MR. ROTHSTEIN: Okay. So we will do that for sure.
MS. MC CALL: One thing and this is kind of a clarification of some examples. There are devices that are implanted that stream information, and it may not necessarily go straight into an electronic medical record. So it is actually going, perhaps through open channels, and going into some database that is not technically part of what is thought of as a medical record. So that could be another clarification put in.
MR. ROTHSTEIN: Right. John, did you get that?
MR. HOUSTON: Yes.
MR. ROTHSTEIN: Okay.
DR. COHN: Yes, Paul had a comment.
DR. TANG: Yes, actually, there's a couple of issues, I think.
One is there are devices - all devices, almost, now have both an operating system and software that operates native to the device, and some of them - let's say these smarter devices, smart monitors, actually do have patient information stored in what might be considered the confines of the box.
The other problem is actually, I think, a little bit more concerning, and that is that viruses not only can disable networks and things that you normally associate with computers, they can affect the operation of the software in the device and literally stop the operation of - let's say - a monitor, a ventilator, very important devices. So that is a real challenge. Hopefully, the challenge is more so in the more contemporary devices so that we can update those.
One of my questions would be is there a need for doing a risk analysis of these legacy systems that can't be upgraded? Is the fact that they can't be upgraded also a protection that they aren't infectable (laughter) infectable by a virus, but I don't know the answer to that.
MR. ROTHSTEIN: Well, I do think the recommendations at the end contemplate that assessment of the legacy devices and the way in which they can or should be updated.
DR. COHN: Okay. So we'll hold that thought and see if it gets reflected in the recommendations.
Mike.
DR. FITZMAURICE: On the last sentence on the first page, "Manufacturers are concerned that some customers update medical equipment with the latest patches without first verifying whether the update affects the safe operation of the medical device."
I was puzzled because if the manufacturers themselves are the source of the patches, then they probably know that -
MR. HOUSTON: They're not the sources.
DR. FITZMAURICE: Right. So that there are other sources.
MR. HOUSTON: Right. There's an imbedded operating system like Microsoft or Windows or something of that sort. Often, the provider will actually take that update and try to install it on the device that is containing that operating system. Maybe we should clarify.
DR. FITZMAURICE: I would clarify it with - like the latest patches from sources other than the manufacturer, and, then, at the end, I would append, in their specific uses, because they can apply it to their device, it could be fine, but somebody uses the device inappropriately, given that update, it becomes that person's or the institution's responsibility, but they would be concerned, then, about the use, not in their own manufacturing operations or the normal use, but somebody else's use. So at the end, I would put, in their specific use, just to clarify that as well.
MR. HOUSTON: I'm not sure I understand.
DR. FITZMAURICE: We can talk.
DR. COHN: I think you guys can wordsmith that offline. Anything else in terms of this first page before we move on?
MR. ROTHSTEIN: Okay. Page 2.
"One witness representing the VA testified that the Security Rule has been perceived as a barrier to the continued use of certain medical equipment. Where medical equipment needs to be modified to comply with the Security Rule, the providers must often wait for the manufacturer to provide the appropriate updates.
"Another witness representing the FDA stated that the FDA's primary focus is the safe and effective use of medical devices. As such, the FDA does not evaluate security in approving the use of a medical device. The witness further indicated that it is the responsibility of the medical-device manufacturers to design their devices to enable Covered Entities to comply with the Security Rule.
"A number of witnesses recommended that a process be developed to allow manufacturers to post Security Rule information for their medical devices. The witnesses cited an initiative by the Healthcare Information Management and Systems Society, HIMSS, Medical Device Security Workgroup. The workgroup proposed that the industry adopt the use of a ‘Manufacturers Disclosure for Medical Device Security', MDS-2, form. The MDS-2 is a vehicle for Medical Device Manufacturers to report the capabilities of their medical devices consistent with the security rule. While there was no consensus whether the HIMSS MDS-2 form was suitable for use, in concept it appears that this approach would be of great value to providers."
I'll stop here before the recommendations.
DR. VIGILANTE: So am I to interpret the second paragraph to mean that the - if a device has been approved by the FDA, that changes of this nature do not materially impact what was considered in approving that device?
MR. ROTHSTEIN: Yes.
DR. VIGILANTE: Okay.
MR. ROTHSTEIN: That was the testimony from the FDA.
MR. HOUSTON: Interestingly enough - and I have it up on my screen now - the FDA actually issued some guidance regarding medical devices containing off-the-shelf software, and it just happened at the beginning of February, and it seems to be slightly conflicting, maybe, or at least inconsistent with that testimony, and, interestingly enough, it was also - this guidance was provided by the same person who testified here.
So I am not sure whether - there's - at least indicating that they have an interest in ensuring that providers appropriately secure their medical equipment. So I'm not sure how much of an active role the FDA is going to take in that regard.
MR. ROTHSTEIN: Well, let me suggest that we take a look at that at our subcommittee meeting tomorrow morning and report back the new language that we adopt, and then take whatever credit we want for FDA changing its rule and claim that it came out of our hearing.
DR. COHN: Did you want to map that on the website? (Laughter).
DR. VIGILANTE: Yes, I think there is a fair amount of anxiety among manufacturers that if they apply a patch to something that has been previously approved, are they held liable for operating a device that is different in some way than the one that was originally approved, and I think that it is correct that, in most of these cases, that won't be the case, and I think the FDA has criteria against which that modification needs to be assessed. However, one could conceive circumstances in which you would be outside the set of those criteria. So it might be helpful to actually state those criteria, so it's fully understood.
MR. ROTHSTEIN: The criteria based on the new rule from -
DR. VIGILANTE: I believe FDA has a set of criteria against which any modification would be assessed. I haven't read them in a while, but there's three or four criteria, and as long as you are within the boundaries of those, then you don't expose yourself to liability or - by fundamentally changing the nature of the device as originally approved.
MR. ROTHSTEIN: How about if we take a look at that and incorporate the suggestions from Kevin into this new paragraph that we are going to draft when we look at what the new FDA position is? Is that okay?
MR. HOUSTON: Some of the recommendations might also sort of touch upon this or at least discusses the fact that we think there's guidance that is required, and I think, even in that regard, I think that some of that might already be there by reference point already.
DR. COHN: Well, I'm glad that you've been given some wordsmithing activities here so far, please. (Laughter).
MR. ROTHSTEIN: "Based on the oral and written testimony, NCVHS recommends the following:
Bullet number one, "HHS should provide guidance to covered entities to assist in bringing medical equipment into compliance with the Security Rule."
Bullet two, "HHS should provide clarification regarding the compliance obligations of covered entities with non-compliant and non-ungradable legacy medical devices. A range of options should be considered based on the nature of the equipment, its replacement cost and life expectancy, the security problems, and the possibility of protecting the security of PHI through other means."
Bullet three, "HHS should consider supporting industry efforts to have medical-device manufacturers self report the capability of their medical devices consistent with the Security Rule."
And bullet number four, "HHS should develop guidance to assist medical-device manufacturers to provide medical-device functionality consistent with the Security Rule, as well as address security risks.
"We appreciate the opportunity to offer these comments and recommendations.
"Sincerely."
I would make one suggestion myself, having gone through this several times, is to reverse the order of bullets four and three, because we deal in bullets one and two with covered entities, and I think that clearly should be first, and then guidance comes after that, even though it is through manufacturers, and then the fourth one, which is now number three, the consider supporting the industry seems to me to be less - sort of farther away from the core mission of what we normally recommend, and that, I think, logically, should be number four.
MR. BLAIR: I would support that change.
SPEAKER: So it's 1, 2, 4, 3.
MR. ROTHSTEIN: Yes, that is what I would suggest.
DR. TANG: Just like the HIPAA privacy rule, one of the main advantages or the benefits might have been it raised the awareness even of providers about their obligations and responsibilities.
In this sense, I am wondering what the awareness is of providers on the potential risk of the security - the disabling of the operation of the device, and I wonder if there could be a bullet really close to the top about addressing that. So although it may be contained in how do they comply with the security rule, maybe we really need to understand the risk assessment of, let's say, viruses or broadcasting of PHI from their device, because I don't know that providers understand that until they have had their first mishap.
I am going to try to get some more details. We had a virus infect our network and disabled communication with the monitors, and I want to get some more details that I might be able to bring tomorrow morning, but it is something that is going to be just living life in the new world.
MR. ROTHSTEIN: Well, the way we could - I think - capture that in a bullet recommendation is to recommend that additional education and outreach efforts be undertaken by the Secretary to inform covered entities of the potential threats to PHI in medical devices. Is that along the lines of what you are suggesting?
DR. TANG: I think so. I suspect there's some in the industry that don't know that their devices can be infected and what its impact is to patient care -
DR. COHN: Okay.
DR. VIGILANTE: So it's more than PHI. I think - but if you can imagine the more integrated your system is the more vulnerable - in the future, when, you know, both your infusion pumps and your monitors and your ventilators are controlled by, say, a central dashboard at the ICU, rather than locally, if something gets infected and they all go down disabled, either by accident or purposefully, it creates vulnerabilities to patient care, which I think have been underappreciated rather substantially.
DR. COHN: Yes.
John.
DR. LUMPKIN: Well, I think that there is a bigger issue which we are kind of mired in because of our perspective on health-information policy, and that is that as medical device is used and have more innate intelligence, they become vulnerable, not only to intentional problems, but, by upgrading, you could, in fact, you know, if the original device was designed such that they used a loophole in the Window's operating system and a patch closes that, that could be a serious complication.
Now, if this were a hip implant and we knew that there were crystalline defects in that and they are liable to break, there would be a recall or something done by the FDA, and I think that probably what should be done, either in a separate communication or sort of as an - saying, this is something the FDA needs to look at.
These things ought to be tracked. They ought to be monitored, and when patches come out that potentially disable them, there ought to be notifications and sent to people who actually own these devices.
DR. COHN: Yes, John Houston, John Paul, and then I think we are going to need to stop for just a second.
MR. HOUSTON: Okay. I think a lot of what we are talking about, the FDA is already attempting - I think they are already attempting to do in this most recent guidance that they have put out.
DR. COHN: Okay.
MR. HOUSTON: I guess my question is is are we recommending something that the FDA is going to look at and say, February 9th, we put out a guidance document that was really intended to provide - at least start down that road.
DR. COHN: Okay.
MR. HOUSTON: So just want to make sure we are not-
DR. COHN: And I'm going to suggest we hold off for just a second. We are moving to a different item now, and then we'll come back and dispose of our comments and figure out what the next steps are.
What we want to do is to shift to a comments from the Assistant Secretary for Planning and Evaluation. Michael O'Grady, we are happy to have you join us and thank you for coming.
DR. O'GRADY: Thank you.
DR. COHN: Please.
DR. O'GRADY: I did just want to take a minute to thank everyone, and, in particular, on behalf of the Secretary and the leadership at HHS, I do want to express the Department's really deep thanks and appreciation to the members of the National Committee on Vital and Health Statistics, and, really, the long and distinguished history of this committee, I just - like I say, I wanted to come here and really thank you for the great work that you have done so far.
We have a couple of members who will be leaving and a few who will be joining, and I just wanted to take a second, and they have - as my friend, Mr. Scanlon, here - this friend Mr. Scanlon, not the new Mr. Scanlon. (Laughter). That's right. Yes, that's right, but we don't call them Scanlon One and Two. (Laughter). We just don't - we don't do that, really.
I did want to take a second. There are some certificates here, as well as an award or - to show the dedication, and I just would like to read the certificates, if you'll bear with me for a second.
From HHS, the Office of the Secretary, the Secretary's Certificate of Appreciation presented to John R. Lumpkin, M.D., M.P.H, for the dedicated leadership, service and major contributions to the advancement of the national health information policy as a member of the National Committee on Vital and Health Statistics from September 1996 to December 2004, and Chairman from September 2000 through December 2004, and as Chairman of the National Health Information Infrastructure Workgroup from June 2000 through December 2004. Dr. Lumpkin, thank you very much. (Applause).
Is it all right to take the rubber band off or is that - (laughter).
Let's see. I believe - Is Vickie Mays here as well? Oh, well, then maybe I'll read for the people who aren't, and see if she steps back in.
Again, from the Office of the Secretary, the Secretary's Certificate of Appreciation to Jacklyn Lee Adler for dedicated service and major contribution to the advancement of vital and health statistics systems for the U.S. as the committee management specialist for the National Committee on Vital and Health Statistics, February 1985 to February 2005. (Applause).
And to Peggy L. Bartles-Handrich for dedicated service and major contribution to the advancement of population health statistics, and as a member of the National Committee on Vital and Health Statistics, October 2002 through December 2004. Thank you. (Applause).
DR. COHN: And Vickie has arrived. Vickie has arrived.
DR. O'GRADY: That's all right. I just thought if we were going to read the certificate, it would be better if you were here. (Laughter).
From the Office of the Secretary, Secretary's Certificate of Appreciation, Vickie Mays, Ph.D., M.S.P.H., for dedicated service and major contributions to the advancement of population health statistics and as a member of the National Committee on Vital and Health Statistics and Chairman - Chairperson of the Population Subcommittee, October 2001 to December 2004. Thank you very much. (Applause).
And one last one to Eugene L. Lengerich, B.M.D., for the dedicated service, major contribution to the advancement of population health statistics and as a member of the National Committee on Vital and Health Statistics, November 2000 to December 2004. (Applause).
And I do want to point out for you who don't actually have a copy of this, it is actually signed by Michael Leavitt, not a lowly Michael O'Grady. It's a real - main boss is the one who actually signed it.
Jim, have you already introduced the new members at this point or should we do that?
MR. SCANLON: Why don't you do that.
DR. O'GRADY: Okay. All right. Well, I just do want to really thank very much everyone who is finishing up their turn and wanted to really welcome the new members of the committee.
Dr. Bill Scanlon, an esteemed scholar, recently of the General Accounting Office, before that and after that of Georgetown University and any number of different areas. I think you'll find Dr. Scanlon is an excellent member and contribution to this.
Carol McCall from Humana. I have to admit in my checkered career I have had the interesting career of having an awful lot to do with actuaries over the years, for a guy who basically worked on the Hill for much of his career, and Carol is really one of the smartest and most innovative actuaries I have ever come across, and whether she knows it or not, her thoughts and influence can be found in any number of provisions of the new Medicare Prescription Drug Act, in terms of just an innovative way of looking at these very old problems and how to sort of come up with a new way to deal with them.
And Paul Tang. Paul - Hi, Paul. Welcome very much. I'm afraid you and I - this is the first time we have met, but I really want to welcome you very much, and you certainly come very highly recommended, and I'm sure – hopefully, you'll enjoy it, and I am sure that your fellow members should really appreciate your contribution. Thank you very much. (Applause).
DR. COHN: Michael, thank you very much for joining us.
Now, probably, we ought to try to finish up that last item and then take a break.
I think what we have heard is a variety of - I think, primarily, wordsmithing with some substantive bullets -
MR. ROTHSTEIN: Well, I think there are several substantive additions that need to be made that John will get on right away. (Laughter).
DR. COHN: Yes. I do want to comment, obviously, the focus for this effort is really going to be the privacy subcommittee meeting tomorrow morning -
MR. ROTHSTEIN: Right.
DR. COHN: - and I think this is a timely enough letter that we do need to have this completed and up to everybody's satisfaction, though maybe not perfect, but, hopefully, good enough that people will be willing to pass tomorrow, and I also am hoping, obviously - I know John had a reputation, certainly, I have a reputation of having meetings end on time, and so I want to make sure that we have this letter in a shape tomorrow that we can actually go through it and pass it in a relatively speedy fashion, lest I'm going to have to violate my tradition and keep everybody after. So -
MR. ROTHSTEIN: Simon, you'll have it tomorrow. May have some tomato sauce on it, but - (laughter) - you'll have it tomorrow.
DR. COHN: Okay. Well, with that, I think we'll all work on it and provide input, and, obviously, thank you all.
John, again, congratulations, and Vickie.
Now, with that, we will take a 15-minute break and reconvene at 11:10.
(Whereupon a break was taken at 10:55 a.m.)
DR. COHN: Okay. Let me just talk for a minute about the work of the next hour and 15 minutes and then what will be happening as we move to after lunch between basically 1:15 and two o'clock.
As you'll see, we have basically two action items coming forward from the Subcommittee on Standards and Security. There is a longer letter on e-prescribing. I think you have the - sort of the final draft on your desk, and then there's a shorter letter, once again, from the subcommittee making comments on the e-prescribing proposed rule that CMS has come out with.
Now, actually, do we have that other letter? The other thing. Okay. So we have both letters.
What we'll be doing is discussing both of them, with potential action coming tomorrow.
Now, I do want to remind everyone that full committee time is - obviously, we try to minimize actual wordsmithing. It is time for important concepts, if we are not expressing the ideas, and I think we did a pretty good job of that with the letter on medical devices.
Obviously, given the length of the first letter, we are not going to start reading all of the background. Otherwise, we will be here many hours into the evening.
MR. HOUSTON: I would like to have it read, please. DR. COHN: Thank you, John. I think I'll pretend I didn't hear you on that one.
But what we will do is to start moving into the observations and recommendations and, obviously, asking all of you who have reviewed the background - I mean, obviously, time permitting, we will go back and take comments on the background, but we would really ask - since the background is primarily factual and sort of sets up the observations and recommendations, if there are specific points in there, we will either take them from you, after we have gone through the observations and recommendations, or off line, as we begin to do further wordsmithing on the letter.
Obviously, as I said, we'll, hopefully, make it to as far as we can on the first letter before the lunch break, finishing up whatever is left afterwards, and then move on to the other letter.
Is everyone okay with that process as we are describing, other than John Paul? (Laughter). Thank you, John.
MR. HOUSTON: Make one other statement, that I am glad that Paul is now on the committee, because we have preserved the ratio of lawyers to physicians - (laughter) - which is a very important.
DR. COHN: Well, with this one, I will hand off the discussions to both Harry Reynolds and Jeff Blair, please.
Agenda Item: Letter on e-Prescribing Action March 4
MR. BLAIR: Okay. Harry and I have kind of worked out a little game plan here, and Simon has, you know, indicated to you, for the most part, our proceeding here.
For those of you who are new, you probably noticed that in September of this last year we provided our initial recommendation on e-prescribing standards, but we didn't have time to be able to cover all that had been set forth in the MMA - MMA being Medicare Prescription-Drug Improvement Modernization Act. So this letter that you have in front of you now is an effort to focus on some challenging areas.
As Simon indicated, we are assuming that, since you received this letter before this last weekend, that you will have had a chance to have read it by now, and, therefore, we will not go through the background section up front. We could come back on that, but we are assuming that you have at least read that through.
So Harry is going to begin with the observations and then the recommendations that address those observations. There's 10 of them.
The first two observations are focused on e-prescribing. They are a pair. The first one winds up having observations that focus on current e-signature issues, electronic-signature issues within electronic prescription networks, and the second one winds up indicating that not all electronic prescriptions will go through e-prescribing networks and that there may be greater security requirements in the future. So they are a pair. So keep that in mind as Harry reads those through to you.
Then, Observations 3 through 9 are really follow-up or monitoring observations based on the recommendations of NCVHS last September.
Then Observation 10 winds up being kind of a joint observation and recommendation that was done with the Privacy Subcommittee on privacy issues related to e-prescribing.
After Harry and we go through the process of going through all of those - we've got about an hour - okay? - then, if there is time left over, then, we could entertain any questions or comments on the background section, and if we don't have that time, then Margret Amatayakul, are you here?
MS. AMATAYAKUL: Yes.
MR. BLAIR: Okay. Then may I ask if you get those additional - you know, especially any wordsmithing or editing, commas, punctuation stuff, please get that to Margret in time for our breakout session at - I guess it's three o'clock today.
Okay. Harry, would you like to help us through the observations.
MR. REYNOLDS: As I get started, I think it would be appropriate for the Standards Committee to thank Simon for his leadership in putting this together, since this is the morning of thanking everybody for their contributions as they move forward.
MR. BLAIR: Yes.
MR. REYNOLDS: So we would like to applaud that. (Applause).
Obviously, there must be a problem with the letter or he might have gone ahead and presented it, but - (laughter). So I'm not sure. Sometimes being new chair people is not a good thing to do. So we'll see.
Karen mentioned it was the Academy Awards. I feel like I'm doing a responsive reading of the Federal Register but hang with us. We'll get through this.
Okay. Observation 1, on page 5 of 18. That is the need for coordination between HHS, DEA and state boards of pharmacy to avoid fragmentation of e-signature requirements.
E-prescribing offers great value. E-prescribing networks provide end-to-end security through a series of electronic pass-offs that do not entail any human intervention. The result of e-prescribing has been improvements in patient safety through more complete and accurate prescriptions, direct transmission of prescription to a dispenser where fill status can be monitored and elimination of the need for the dispenser to decipher and transcribe often illegible, handwritten facts or paper prescriptions.
E-prescribing transaction processes can support return receipts sent from dispensers to prescribers that also contribute to identification of potential fraud and abuse should a prescriber receive receipts for prescriptions not written.
Pharmacists are responsible by law for ensuring the authenticity and validity of prescriptions, including e-prescription.
The states and federal government have distinct roles in relation to e-prescribing. The states regulate paper prescriptions for non-controlled substances and are branching out into the regulation of electronic prescriptions for them.
The requirements differ from state to state, which makes it expensive for vendors to vary their products from location to location, and, in some cases, makes it difficult to handle e-prescriptions across state lines.
In addition, some states have restrictions on e-prescribing so that e-prescribing networks do not provide services there.
Let me stop there a moment, so we don't get way too many paragraphs out there before there is comment.
Okay. Hearing none, we will continue.
The federal government has a role in e-prescribing through the Drug Enforcement Administration's regulation of prescriptions for controlled substances.
The Controlled Substances Act requires that prescriptions written for Schedule 2 controlled substances can be delivered to a dispenser in original form with a wet signature.
Prescriptions for Schedules 3 through 5 substances may be faxed or communicated orally to the dispenser.
The DEA has not yet made a ruling regarding the requirements for electronic transmission of prescriptions for controlled substances.
E-prescribing network and software vendors expressed strong concerns that the DEA will require a PKI solution for controlled substances that are prescribed electronically. This could take the form of requiring PKI use for only Schedule 2 substances or PKI use for all controlled substances. Either way, the industry expressed concerns that this would create a significant cost burden, which would serve as a barrier to e-prescribing adoption and use.
In addition, the e-prescribing industry testified that the marketplace was not yet ready for widespread PKI use. As a result, if PKI were required for e-prescriptions for controlled substances, the near-term response would be for the industry to continue its current practices which is paper based. This, in turn, would slow down e-prescribing adoption and use, create a two- or three-tiered system for e-prescriptions for controlled and non-controlled that would be expensive and burdensome to implement, and, in the end, deny patients the safety and quality-of-care benefits afforded by e-prescribing.
Comments?
Finally, the e-prescribing industry strongly believes that PKI is not necessary, as current methods are adequate for ensuring prescriber authentication and accuracy and validity of prescription contents.
It is clear that e-prescribing networks provide more security than traditional fax - traditional paper, fax or phone, which are prone to abuse, given today's copier, fax and telephonic technology.
E-prescribing transactions for non-controlled and Schedule 3 through 5 controlled substances currently are conducted in compliance with HIPAA security regulations and include dispenser validation through callback to the prescriber for prescriptions written for Schedule 3 through 5 controlled substances.
Today's e-prescribing networks use several important security features, including credentialing prescribers and dispensers, trading-partner agreements to grant access to the networks, and protocols to secure transmission and provide authentication and integrity to the electronic prescriptions. Testimony indicated that there is no evidence that these security measures have been inadequate to secure electronic prescriptions.
Recommended Action 1.1. HHS, DEA and the state boards of pharmacy should recognize the current e-prescribing network practices that are in compliance with HIPAA security and authentication requirements as the basis for securing electronic prescriptions.
These security practices are discussed in the background and illustrated in Appendix A. In addition, these practices are applied in conjunction with the dispenser's responsibility to use their professional judgment in determining the validity of prescriptions.
Different requirements may be needed for transmission of electronic prescriptions that do not go through such networks.
Recommended Action 1.2. HHS and DOJ should work together to reconcile different agency mission requirements in a manner that will address DEA needs for adequate security of prescriptions for all controlled substances without seriously impairing the growth of e-prescribing in support of patient safety as mandated by MMA.
Comments on Observation 1?
MR. ROTHSTEIN: I have a question in the wording of Recommended Action 1.1. I am trying to focus on what the event is that we want as a result of this, and you say HHS, DEA should recognize the current e-prescribing networks that are in compliance. What do you mean by recognize? Certify? Develop standards or notify?
MR. BLAIR: Could I clarify that?
MR. ROTHSTEIN: Please.
MR. BLAIR: Yes, actually, if you read a little more in the sentence, it is really recognizing that the e-prescribing networks - and I don't have it in front of me, so I can't have the exact wording - that are in compliance with HIPAA security and authentication requirements form the basis for e-signatures for e-prescribing over current e-prescribing networks. So it's - we have bounded it. We basically wound up saying that if a prescription - an electronic prescription - is being sent over those networks and they comply with the security - the HIPAA security requirements that are there that HHS accept that that is the basic level, the foundation level and that that is sufficient and adequate at this time.
And then recommendation. When Harry reads Observation 2, it is going to wind up saying what if they are not over an e-prescribing network or what if we determine that there's more demanding requirements in the future - and I won't get ahead of - you know, but that is going to be a different case.
DR. COHN: Mark, is that satisfactory or are you still mulling over it?
MR. ROTHSTEIN: Well, that is a fine rationale, and I am not questioning that. I just - I don't know what should recognize mean -
DR. COHN: Okay.
MR. BLAIR: May I say one other piece here, because while Harry was reading through the observation which explained why we came up with this, I think you were in a conversation at that time. You may not have heard the observation.
MR. ROTHSTEIN: That is a risk of sitting next to you. (laughter).
MR. BLAIR: So let me give the premise for why we would make such a recommendation. It is an unusual recommendation. You are right, Mark. It is - we don't make very many recommendations like this, and it was basically that we received testimony from the industry that said that even though the security procedures that they have in place and authentication procedures they have in place may not be using the most advanced security technologies, it appears as if what is being done today - there is no evidence that what is appearing being used today is inadequate, and the other pieces are that if they were to use the most advanced technologies, it would be very disruptive and delay the use of e-prescribing and leave a lot of folks back in the paper mode, and so you might say this is sort of an acceptance of reality. So, therefore, Recommendation 1 says, HHS should accept this as the basis.
MR. ROTHSTEIN: That would be fine. That is not how it reads.
DR. COHN: Paul, do you have a comment on this or another comment?
DR. TANG: My comment is on the authentication process.
DR. COHN: Okay. Well, Steve, did you have a follow on?-
DR. STEINDEL: I have a follow on this.
I think, Mark, your question seems to revolve around the word, recognize, and we had a lot of struggle about what word to put in there, and one of our big problems in this area was normally the committee sends a recommendation to the Secretary and we can say we recommend that HHS does -
MR. ROTHSTEIN: Right.
DR. STEINDEL: Well, in the e-prescribing world, HHS is just one player. There is also the Department of Justice through the DEA and the State Boards of Pharmacy. So they are all involved in the e-prescribing process and all have to agree that the e-signature process is acceptable, and we struggled with what word to use. We can't say that HHS should put out regulations in this area or anything like that, because, really, they are not the only player. So we used a word that would convey the acceptance of the process, but not be prescriptive on how to do it. Does that clarify why that word was chosen?
MR. ROTHSTEIN: Yes, I just think - I understand all that and I have no expertise in this. I just think how we phrase what the recommendations are is very important, especially in a big, long document, the very first one out of the box you read and go, What's that all about? But, I mean, I accept that.
DR. COHN: But I think you are also asking whether it recognizes the right verb -
MR. HOUSTON: What are the options -
DR. COHN: Well, I guess -
MS. MC CALL: Or even to clarify, to say, recognized by accepting as a possible standard as sufficient, recognizing that it may not be setting a standard.
MR. BLAIR: Well, if we go to solution or as a standard, that was more definitive than we felt comfortable with.
We wound up saying, as a basis, as a foundation, because there is not enough information to know whether this is really adequate.
We had industry testimony that seemed to say there is no problem with it yet, and that is why I indicated that this Observation and Observation 2 are a pair, and this is basically saying that they should recognize current practices as a basis, and, then, when we go on to Observation 2, it is going to wind up saying, when we start to look further, then, more research needs to be done.
MR. REYNOLDS: I would add one other thing, that there's really - the structure that we heard is that there is multi- - and we heard from NIST and everybody else about what is good authentication and security.
We feel that we heard clearly from the industry that they have multilevel authentication and security, and, further, pharmacists are responsible for the authenticity of the actual prescription. As we listened to the testimony on the paper versions, now, where doctors sign all the slips already and then somebody else fills it out and the other things, there is plenty of down sides to now.
So when you get into the security world, we heard clearly that there is no single standard - back to your point, Carol. There is no standard out there. Different than NCPDP, which they handed to us, and these other things that are going on. So you are into different levels of security, multi-tier authentication and other things. So that is why we recognized that we would send it over this way, and then, as the pilots go on and as further discussion, and you'll see an Observation 2 goes on, exactly what that needs to be, because PKI, as we heard it, was really - didn't look like an ultimate answer at the time, and there was no standard that you could just pluck out like we did NCPDP and some of the other things, and so we talked about the multi-tiered and we talked about - you'll hear us say in here, a number of times, that the dispenser is responsible, in the end, in all states, for the authenticity of the actual prescription. So most of them have set up the network all the way back to the prescriber. So that is why we termed that exactly like we did.
DR. COHN: John, did you have a help in this one?
DR. LUMPKIN: I hope so.
DR. COHN: Okay. Thank you.
DR. LUMPKIN: From my years as a regulator, one of the things that states don't want the federal government to do is to tell them what the standard is, but they do appreciate it when the federal government identifies what could be a standard, and so, actually, I think the word, recognize works if you were to change the - in line 43, to say authentication requirements, as a basis for securing electronic prescription. So we are giving guidance to them. They can accept this. They can also accept another standard that they would consider to equivalent, generally, something home grown, but I think this may deal with the regulatory environment that we are trying to sort of stick our foot into.
MS. GREENBERG: Changing "the" to "a".
DR. LUMPKIN: To "a".
MS. GREENBERG: Um-hum.
DR. COHN: Well, that's not bad.
MR. REYNOLDS: Margret, did you capture that?
MS. AMATAYAKUL: Yes.
MR. REYNOLDS: Okay.
DR. COHN: Well, that is certainly right minimalistic. Thank you, John. (Laughter).
MR. BLAIR: Can we say something to the Secretary where you could stay on, John? (Laughter).
DR. COHN: Okay. Now, Paul, you had a question?
DR. TANG: Yes, and maybe this is helpful with his the/a change.
Compliance with HIPAA security and authentication requirements is still quite open-ended, because it is mainly addressable, and I am not sure the comparison with paper is as relevant as we would like to think. One, of course, if paper was so bad, I'm not sure we want to just be a little bit less so bad, but the other is the pharmacist. All humans are quite capable of making judgments on the written signature, which was the standard, or the tone of the voice order over the telephone. There are ways you can detect - you assess authenticity. Do they have any of the wherewithal to assess authenticity when they are just basically getting an electronically-transmitted message from - let me just hypothesize - a provider that uses a password - a generic password for the entire office - is that good enough?
So in John's thought - and I certainly am not for over-regulation either - but could there be a floor, in terms of what is the authenticity required for this application? Even passwords alone - having a password rule alone could be a step in the right direction, although, we, of course, can't stop the shared pathway, for example, but to think that anything that goes - that any provider office, which is how - you know - the superior role is written, could go, assuming they decide the risk is appropriate, is that good enough for, let's say, a controlled substance? I just have that question. It is not the same as looking in the signature. We don't have the same equipment. We don't have the same -
DR. HUFF: The discussions we had on this were - one is what we are really trying to say here is they have ultimately the responsibility, and, in fact, what our discussion was is that what we would hope is that, given the principles, they would accept that - basically, they would accept the design of the system as, in fact, secure, so that they didn't have an individual responsibility to try and determine each one that came in was there.
Now, the other thing that - just to address - we had also testimony that said, yes, one out of 100 times I might catch, in the paper world, an error, but, in fact, because of how chain pharmacies have happened, and the growth of - we don't know anymore what a physician's signature looks like, and, you know, it is very, very rare that we can authenticate, based on paper or on the signature or on anything else, and so, you know, we do feel this is better.
Now, the other thing is that - as you point out - we recognize that people share passwords. I mean, you know, we give out secure ID cards, and then you go visit the office and there it is on a chain by the computer, so that anybody - you know, so it is handy for people to - and so, in spite of recognizing that happens, we still hold the person legally responsible who had that. So whether it is a valid prescription or not, we are going to hold that person responsible because they signed documents that said that they would be responsible, in spite of the fact that they are now sharing their password and doing other things.
And then, finally, we intentionally didn't want to be prescriptive here, in terms of technology. In fact, we felt like, because technology is moving and we didn't want to try and designate a particular technology - and especially not a particular vendor that had to be used in this environment - we tried to leave it, in fact, according to the spirit of what was being done in HIPAA, so that these things could change over time, as long as they were meeting the standard that, in fact, people were authenticated.
So that is kind of the thinking that went into how we got there.
DR. COHN: Paul, is this helpful?
DR. TANG: Yes, I think so.
DR. COHN: Yes, and it is a difficult issue, and we actually struggled - I mean, I think Stan is right, I mean, that there was a lot of struggle about how prescriptive to not, and, at the end of the day, we have to reflect back, as we get into these areas.
You know, HIPAA actually did talk about an electronic-signature standard, and that was never acted on, because nobody could quite get their arms around it, and the security rule is really an evaluation standard. It isn't a standard like anything else we see. I mean, it says, do a risk analysis and use your best judgment based on that. It is really - with various addressable aspects, and we sort of, at the end of the day, had to sort of come back to something that was a little less specific, as much as we would all like to really pin it down, I think, such as you are describing. I think I am reflecting the views of the subcommittee on that.
MR. REYNOLDS: Yes, and I think another thing we heard is there could be as many as five to six hand-offs from the original doctor submission, and that there are checkpoints, and that there are multi-level - as I said - authentications, and then it goes to the hub, and the hub has authentication and they assure the pharmacist that anybody they sign up that is coming through has these things in place. So there is an industry out there that self-enforces its hand-offs, and that has to be to the satisfaction of the dispenser or they don't get signed up. The dispenser, in the end, is still in the whole chain and knows where those things are coming from and whether or not - because it usually comes through - the last step before the dispenser is their switch that they have signed up with. So that is the other thing I think we heard from the industry and felt comfortable that that had been addressed, but, obviously, it is the most imprecise of our recommendations on what should be done, because it is a questionable area.
DR. COHN: Other comments?
And I don't know that we are solving everything, but, hopefully - at least, I see people nodding their heads. Hopefully, we are - we have obviously made one change, a the to an a - (laughter) - which actually was very helpful, John. Thank you. That only took 10 minutes, but we do appreciate that.
Any other comments about these observations?
I guess I should also comment that one of the other pieces we saw that are probably almost more important than anything else and which we really haven't commented, because it is so obvious, is this idea that, Geez, we have HHS and DEA, and if we don't get them working together, we are in real trouble, and I think we were sort of struggling with this, and that becomes a very important concept that we are trying to bring forward. We don't want a world where everybody can do everything for 85 percent of their prescriptions, and, then, for 15 percent, so much of a hassle they dropped a paper, and so we don't have any of the benefits of e-prescribing for any of the narcotics being prescribed or controlled substances, and we thought that that was a very important concept that needed to be sort of brought forward and I think is well expressed here.
MR. SCANLON: The other message here is that - I guess I am reading between the lines - you are recommending against the - what sketches we had of the DEA proposal that involved PKI plus biometrics plus - it is sort of an in-between-the-lines -
MR. BLAIR: Could we not make a comment on that? MR. SCANLON: Sure. Between the lines.
MR. BLAIR: And, actually, when you go to our Observation 2, I think Observation 2, in some ways, they clarify the missing pieces that we didn't address in Observation 1.
MR. REYNOLDS: Ready to move on to Observation 2?
MR. BLAIR: Yes.
MR. REYNOLDS: Observation 2, the need for research to address future security risks.
Because there may be a greater need to send prescriptions over the open internet in the future or for enhanced security of prescriptions for Schedule 2 controlled substances, there may be an increased demand for improved authentication, message integrity and non-repudiation services.
Although PKI and other forms of digital signature are available, testimony indicated that, currently, these technologies are costly and impair interoperability for e-prescribing functions. Therefore, it is important to plan for evaluating feasibility of PKI and other forms of digital signature for use in e-prescribing as these technologies mature.
Reference information regarding electronic signature, digital signature and PKI are available from ASTM International and ISO.
Recommendation 2.1. HHS should evaluate emerging technology, such as biometrics, digital signature and PKI for higher assurance authentication, message integrity and non-repudiation in a research agenda for e-prescribing and all other aspects of health information technology.
Reason we pointed o