[This Transcript is Unedited]
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201
Agenda Item: Call to Order, Welcome and Introductions
DR. COHN: I want to call this meeting to order.
This is the first day of two days of meetings of the National Committee on Vital and Health Statistics.
The National Committee is the public advisory committee to the U.S. Department of Health and Human Services on national health information policy.
I am Simon Cohn. I am the Associate executive Director of Kaiser Permanente and chair of the committee.
I want to welcome committee members, HHS staff and others here in person.
I also want to welcome those listening in on the internet, and I want to especially welcome our four new committee members whose terms began on December 1, 2006.
First is Garland Land, and, Garland, thank you for coming. This is your second meeting. Garland is currently the Executive Director for the National Association for Public Health Statistics and Information Systems, NAPHSIS, and I think we introduced you a little bit last time, but we obviously just want to recognize your previous background with public health and public health informatics in Missouri. So thank you for joining us for a second meeting and your first as actually a formal member.
Our next is Leslie Pickering Francis, and, Leslie, thank you for joining us. I didn’t get a chance to say hello to you beforehand, but we are pleased that you are here.
Leslie is the Chair and Professor of the Department of Philosophy, as well -- and we are going to have to talk about this offline -- as well as Professor of Law at the University of Utah, which I think is a very -- it seems very appropriate, I guess, but somehow surprising.
Obviously, we are very pleased to have you join us.
Leslie has testified before the Privacy and Confidentiality Subcommittee, and she brings an expertise in ethics, public health, privacy and confidentiality, consumer and patient issues to the committee. So we obviously are very pleased that you could join us, at least over the phone at the Privacy and Confidentiality Subcommittee meeting, and, obviously, we are very pleased to have you here in person. So welcome.
Dr. Larry Green is a nationally-known researcher and a professor of family practice at the University of Colorado, and, obviously, with the way the weather is outside, I don’t think you feel like you’ve probably left Denver at this point.
He is also a Senior Scholar in residence at the Robert Graham Center for Studies in Family Medicine and Primary Care located here in Washington.
So, obviously, pleased to have you joining us.
Now, finally, we have Marc Overhage, who is an internationally-recognized health informatics expert.
He is President and CEO of the Indiana Health Information Exchange, a Professor of Medicine at Indiana University, and -- head of the Regenstrief Institute.
DR. OVERHAGE: Director.
DR. COHN: Director. Excuse me. Director of the Regenstrief Institute, replacing Clem McDonald, who, as I think as you all may remember, was a former member of the committee. So we are obviously --
PARTICIPANT: Who is here at HHS.
DR. COHN: Yes, who is now in HHS, exactly.
Marc also has testified frequently before the committee and especially Standards and Security, and, obviously, we are very pleased to have you join us and look forward to your active participation.
With that, let’s have introductions around the table and then around the room.
For those on the national committee -- and this includes also the new members -- I would ask if you have any conflicts of interest related to any of the issues coming before us today, would you please so publicly state during the introductions?
And I want to begin by observing that I have no conflicts of interest today.
Marjorie.
MS. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics, CDC and Executive Secretary to the committee, and I think from those introductions, it is obvious that it is a little dangerous to testify before the committee. We may recruit you to be a member.
MR. ROTHSTEIN: Mark Rothstein, University of Louisville, School of Medicine, member of the committee. No conflicts.
DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the committee. No conflicts.
MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina, member of the committee. No conflicts.
DR. WARREN: Judy Warren, University of Kansas, School of Nursing, member of the committee and no conflicts.
MR. LAND: Garland Land with NAPHSIS, member of the committee. No conflicts.
DR. VIGILANTE: Kevin Vigilante, Booz-Allen and Hamilton, member of the committee. No conflicts.
MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member of the committee. No conflicts.
DR. FRANCIS: Leslie Francis. University of Utah, College of Law and Department of Philosophy, and I have no conflicts.
MS. TRUDEL: Karen Trudel, Centers for Medicare, Medicaid Services. Liaison to the full committee. Staff to the Subcommittee on Standards and Security.
MS. MC ANDREW: Sue McAndrew, Office for Civil Rights. Privacy liaison to the subcommittee.
DR. STEUERLE: I am Eugene Steuerle from the Urban Institute, member of the committee. No conflicts.
DR. SCANLON: Bill Scanlon from Health Policy R&D. Member of the committee. No conflicts.
DR. GREEN: Larry Green, University of Colorado. No conflicts.
DR. FITZMAURICE: Michael Fitzmaurice, liaison to the national committee, and staff to the Subcommittee on Standards and Security.
DR. OVERHAGE: Marc Overhage, Indiana University and Indiana Health Information Exchange. Member of the committee and no conflicts.
DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, liaison to the full committee.
MR. BLAIR: Jeff Blair, member of the committee. Lovelace Clinic Foundation. No conflicts.
MR. SCANLON: Good morning. I am Jim Scanlon from the HHS Office of Planning and Evaluation, and I am the Executive Staff Director for the full committee.
MS. SIDNEY: Cynthia Sidney, staff to the committee.
MS. JONES: Katherine Jones, CDC, NCHS. Staff to the executive committee.
MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC, committee staff.
MS. HORLICK: Gail Horlick, CDC Atlanta. Staff to the Subcommittee on Privacy and Confidentiality.
MS. BUENNING: Denise Buenning, CMS, Office of E-Health Standards and Services, lead staff to the Subcommittee on Standards and Security.
MS. WILLIAMSON: Michelle Williamson, National Center for Health Statistics, CDC.
MS. VIOLA: Allison Viola(?), American Health Information Management Association.
DR. COHN: OK. Well, I want to welcome those in person.
Now, we want to sort of test out -- We understand that there are, hopefully, some other members who have been calling in.
Is Don Steinwachs or Paul Tang there?
DR. STEINWACHS: This is Don Steinwachs, Johns Hopkins University, member of the committee. No conflicts.
MS. MC CALL: This is Carol McCall, member of the committee. No known conflicts.
DR. COHN: Welcome.
DR. TANG: And Paul Tang, Palo Alto Medical Foundation, member of the committee. No conflicts.
DR. COHN: OK. Well, I want to thank you for joining us on the phone. Obviously want to especially welcome the intrepid souls who came all the way to Washington for this sort of snowy, wintery mix, which we’ll reflect on a little later.
But, obviously, we want to thank you for being on the phone, and we’ll do our best to, as always, speak clearly and into the microphone, which we want to remind everyone, both current members and new members, because these microphones are a little tricky, and certainly pipe up on the phone if you can’t hear us.
Now, before we move into the agenda review, I want to make a couple of opening comments, and then we’ll move to the agenda review and then do the department review.
Since our last meeting in November, our work continues at a speedy fast pace. This reflects the increasing importance and the federal intention being placed on health information technology and the role, of course, that it can play to improve the quality and reduce the cost of health care, as well as, hopefully, improve the health of all Americans.
Within HHS, Secretary Leavitt continues to consider promotion of interoperable HIT one of his key priorities, and his leadership on this issue I think we all recognize as being phenomenal.
And, of course, in all of this, the NCVHS continues to play an important role directly advising the Secretary and the department, as well as providing expertise and liaisons to other HHS initiatives, moving the vision of the NHII forward, including, of course, the AHIC workgroups.
I want to thank those of you who are actually liaison members.
This, of course, is against the backdrop of significant congressional activity this past year, and we should expect to see continued interest in the current session.
As many of you remember, we testified before the House Ways and Means Committee on HIPAA and health information technology last year.
Mark Rothstein, I think -- since our last meeting -- actually had the opportunity to testify also on HIT issues, though as a private citizen, and we should certainly be expecting continued interest in our work and thoughts as we move into this year.
Now, the NCVHS activities since November have included an opportunity to actually formally brief Secretary Leavitt and ONC on our work to define a minimum, but inclusive, set of functional requirements for the initial definition of a nationwide health-information network.
This work has been very well received both within HHS and by the industry, and we anticipate additional opportunities for such ad hoc activities as this year proceeds.
Privacy and confidentiality, as I commented, continues to move forward at what I describe as an augmented pace.
They produced the excellent report in June on privacy and NHIN. I see this document now being used in the wider health-care community as a primer, an important resource document as groups begin to deal with the issues of privacy as we move forward with extended use of RIOS(?) and the nationwide health information network.
There have been two hearings by the Privacy Subcommittee, since our November full-committee meeting, and I know Mark Rothstein will be briefing the committee later on today on issues in preparation for a letter coming out in June.
Populations had a hearing this past fall on data linkages, and assuming weather permits, we’ll have a hearing tomorrow afternoon on surge capacity, following a full committee meeting.
Quality Workgroup has been active and is forging a strong relationship with AHRQ on a variety of performance measurement and longer-term issues.
The Subcommittee on Standards and Security has been very active this year, and since our last meeting has held hearings on national provider identifier implementation issues, as well as HIPAA next steps, and we’ll be bringing a letter forward later on today on NPI implementation.
In a word -- in a phrase, there is obviously a lot going on, and this will obviously continue through the year.
DR. COHN: Let’s now move into the agenda review.
This morning, we begin with a department update. Jim Scanlon, our Executive Director, will lead off with the department perspective, followed by Karen Trudel of CMS, and, then, Sue McAndrew or do I have that wrong? That’s OK. Sue McAndrew of OCR.
Then we are pleased, I think weather permitting, to have John Loonsk -- he is the Director for the Office of the National Coordinator -- to give us an update on the work of ONC.
Following the morning break, we move in discussions of the letter on the national provider identifier.
As you know, the NCVHS has statutory responsibility to advise HHS and CMS on HIPAA implementation of which the NPI is an important piece.
After lunch, we will have discussions on privacy and confidentiality in preparation for the letter, as I commented.
Then, I think we are going to be having an opportunity to discuss the HIPAA annual report. Now, as I say that, I am looking at Jim Scanlon, hopefully, that we will have something, but we will discuss that.
Now, finally, we are hoping to have an opportunity -- I know Don is on the phone -- to discuss, I think, some issues coming out of the populations subcommittee, again, an issues paper with the idea -- and I think Bill Scanlon will help lead this conversation since he’ll be here -- in preparation, hopefully, for a letter in June, but I think the committee -- the subcommittee wants to get the views of the full committee as they begin to develop recommendations and a paper.
Now, at about 3:30 p.m., we will adjourn the full committee and break into sessions for populations as well as standards and security.
At this point, I think we are also intending to have a 5:00 p.m. to 6:00 p.m. meeting of the workgroup on the national health information infrastructure.
Dinner, I think, as we commented -- in your information is at 7:00 p.m.
Now, let me make a couple of comments, given the weather conditions outside, and I think most of you -- and those of you on the phone just be aware that we are dealing with what is described as a wintery mix of weather in Washington, D.C., which is -- best I can tell, means the likelihood of hazardous weather conditions are likely on the rise as the day progresses.
I would certainly encourage the committee -- knowing that tonight may be icy, there may be road closures, we aren’t clear whether the government will start up promptly tomorrow morning -- that any action items we should pay particular attention to trying to deal with today while we are here, while we are all together, and I would just sort of emphasize that.
The other piece is is that we do have a committee dinner tonight. Marjorie and I were talking, and, whereas, I think we want to invite members of the committee, especially those from out of town, we are going to encourage staff to make it home while you still can, and so I think there will likely be a --
DR. VIGILANTE: That is rather ominous, while you still can.
DR. COHN: Well, Kevin, you live here. I mean, maybe you would like to comment about this in a different --
DR. VIGILANTE: No, no. I think we live in a world or weather wimps here.
DR. COHN: Yes, exactly. Well --
DR. VIGILANTE: We have an eighth-of-an-inch of snow.
MS. GREENBERG: I grew up in North Dakota. Snow does not bother me, but ice does. Ice does --
DR. COHN: OK. Well, I think everyone is effectively agreeing with me in their own words.
DR. VIGILANTE(?): I agree.
DR. COHN: OK. And, Marjorie, I guess I would ask how do you want to ascertain the numbers for dinner?
MS. GREENBERG: I guess if we could just have a show of hands. I mean, for those of you who don’t know the area, the restaurant is not that far from here, and I don’t see any reason --
DR. COHN: Centrally located, yes.
MS. GREENBERG: -- why people who are staying in the hotel downtown can’t proceed with your plans, but I think it might be wiser for some of the staff maybe to get home before it gets too late and too icy, or local people.
But, anyway, so how many people would plan to be going to the dinner?
OK. Eleven, is that it? Twelve? Yes. OK. So I don’t know if we are expecting Janine or somebody will call the -- So 12, and I am sure -- I would think with the weather being as iffy as it is that they’ll understand if there’s a little change, but we were supposed to give them a number by ten o’clock.
And speaking of socials, there are pictures here from the barbeque in September, if you haven’t seen them or if you weren’t there and want to look at them. Yes, you want to feel like you were --
DR. COHN: Well, OK.
MS. GREENBERG: -- encourage me to --
DR. COHN: Well, we’ll deal with that during breaks.
Agenda Item: Update from the Department
DR. COHN: With that, why don’t we move into the department review, and, Jim, why don’t you -- if you would please lead off.
MR. SCANLON: Thank you, Simon, and good morning, everyone.
I guess we last met in November. So this is our first full meeting of the new year, and I thought what I would do is probably look ahead a little bit.
I am going to talk about the budget that the President sent up on February 5th and some of the health IT and data policy initiatives there, and a sort of a look ahead on the legislative front as well, and then there’s some specific projects that I wanted to update the committee on.
But, first of all, on the legislative front -- and I preface this by saying no one makes a living trying to forecast what Congress is going to do -- but, at any rate, there were a number of health IT bills introduced in the 109th Congress, the last Congress. Some of them involved this committee.
There were some new tasks for this committee. There were some broader health IT bills that would create grant programs and all sorts of things to promote or accelerate interoperable health IT.
And, then, there were some other bills that were directed at pretty much the federal health plans in the work forces, and they were, more or less, trying to stimulate personal health records and so on for federal health plans and so on.
And I don’t believe that there have been any bills introduced, so far, in the 110th Congress, but I think everyone -- the best intelligence is that there will be continued interest, even renewed and expanded interests in health IT in the coming year, and it will probably follow some of the bills that were introduced last year and possibly some additional issues as well.
There’ll probably be a fair amount of interest in privacy as well. Simon mentioned that Mark testified on his own behalf before a hearing in the House that was following up -- in the Senate, I’m sorry -- that was following up on a GAO report on how is the department and others -- how are we coordinating all of the privacy issues associated with the national health information network.
So we don’t have any specifics. We’ll be monitoring the situation closely, but I think we can probably look for great interest in the coming days on the Hill on health IT legislation.
On the budget side, the President’s budget for fiscal year 2008 was sent to Congress on February 5th, and it continues to support a number of health IT investments that this committee was involved in and is very supportive of, and let me update you on that.
In terms of the total budget -- this is not health IT -- the total budget for HHS is almost $700 billion. Now, that includes -- that would probably make us larger than Fortune 1, than the largest Fortune company, I think, but, at any rate, much of that is entitlements -- Medicare, Medicaid, TANIF and so on.
The discretionary part of that budget is about $68 billion. That includes funding for NIH and for CDC and FDA and so on -- and AHRQ and so on.
On the health IT side, the funding is actually continuing at levels we have seen in the past.
The budget for the office of the national coordinator -- and John will update you on this more when he gets here -- is $118 million, which is actually quite a bit more than their fiscal year ‘06 and ‘07 budget, and I’ll tell you a little bit more about what is in there, but they are continuing basically current efforts, and there would be an effort to transform the AHIC apparatus into a public/private partnership. I forget what the name being considered is. I think it is Health Care Improvement Partnership, Partnership for Health and Health Care Improvement.
But, at any rate, the idea would be-- As the Secretary has said a number of times to the AHIC itself, the idea would be to begin to transform the AHIC, which is now a federal advisory committee, to a public/private partnership, where it would have -- in essence, be able to carry out its work in that vein.
And, then, in the ONC budget, which John will tell you, there are a couple of other initiatives.
One of the initiatives that I think we are very pleased with -- and I know the committee is as well -- there will now be in the ONC budget -- we kind of placed it there -- $5 million to establish a fund within HHS for health data standards, development for mapping, for interagency standards development, assessment and mapping work.
You’ll remember that previously, this fund -- thanks to the good graces of AHRQ -- was placed in AHRQ for a three-year period, I think, Mike, and then -- but we agreed that we wouldn’t ask to absorb this any -- I mean, beyond ‘06.
So the department and OMB and everyone agree that this was a good investment. So hopefully, now -- That is $5 million. It is about the level we had in ‘06, I think.
So this will support much of the -- this supported the work on RX Norm, on Daily Med, on the mapping of the various terminology sets to each other, and we hope we’ll be able to move forward on that as well.
There was also a -- I think I talked to the group previously about the Secretary’s top 10 priorities, and I think we discussed those previously.
One of those is this concept of personalized health care, and the idea here was to bring the fruits of research and technology in health care to -- and prevention -- including pharmaco genomics and so on -- to everyday health care in the U.S., and the Secretary refers to this as personalized health care, and a big part of this will involve genomics and so on. There is some work underway here already. The AHIC has established a working group, but, for the budget, there is a $15 million initiative in the AHRQ budget that will support efforts along these lines, and a fair amount of that budget will be used for -- if I can describe -- it would undertake pioneering work into utilization of health IT for linking clinical care with research and available genomic data to accelerate clinical breakthroughs and integrate them into the everyday health care setting. So that should be an exciting and an interesting development as well.
On the population health side and population health data, most of our major HHS statistical systems and public health data systems are being funded pretty much at the level -- previous year’s level, though there is an increase in the National Center for Health Statistics of about $900,000 for a new home and hospice survey, which I think has been in the works for a while.
Otherwise, I think for most of our major surveys and data systems, I think we are continuing them at current levels, which is actually quite an accomplishment, given the pressure on domestic discretionary spending these days.
Agenda Item: Data Council
MR. SCANLON: As I said, within HHS, our Data Council is looking at how our data and statistical systems can support the Secretary’s top 10 priorities, which we discussed previously, and, in February -- I think later this week -- the Data Council will be looking at how the department can improve access and the utility of our data and statistical and analytical products, especially for policy research and program utility, and, at the meeting in February, we will be looking specifically at our various research data centers.
We have at least three research data centers in HHS, and we have other agencies who have parts of research data centers. This is in addition to public-use data files and reports and tables that the agencies produce.
The research data centers are designed to provide access to micro-level data under very protected and selected circumstances. So you can protect privacy and still allow researchers and public health workers and others to be able to analyze the data. No one walks away with any identifiable data, but you do walk away with your analysis. So you sort of achieve both purposes.
So we’ll be looking at that, and we may -- depending on what the populations subcommittee sort of sets forward in terms of recommendations and our discussion at the Data Council on Wednesday, we may decide to take some further work in that area.
That probably is the way, given the technology for -- just as we move forward on confidentiality in data, it seems that the technology moves ahead as well on the side of threats to privacy and confidentiality as well.
So there have always been -- there’s always been attention to this issue in research and statistics, and, now, we are looking ahead to the form that will take in the future.
One other thing, two other projects I think I have talked a little bit to the committee about before. We have started a project with NCHS and other statistical programs within HHS on the potential of using -- this is, again, future looking -- electronic health record data and so on for a health survey and statistical purposes.
And, again, we’ll -- I think I briefed the committee as well on this. We have started a study -- we are well along now -- looking at the quality, the comparability and utility of the income data and asset data that is collected in our major surveys. This is usually one of the major policy variables in our surveys. Most federal programs and other policy research looks at that variable as one of the dimensions, and we are well along and we are looking at about a dozen of the major federal surveys and how they collect income data, how is it comparable, what does it benchmark to and how good is it, and how could it be made more useful.
MR. BLAIR: -- income data. You are talking about the income of the patient or consumer?
MR. SCANLON: The household, yes. The household. Yes, these are household surveys, for the most part, yes.
And let me to stop there.
DR. COHN: Any questions for Jim? Mike.
DR. FITZMAURICE: Jim, do you want to mention where those three data centers are located?
MR. SCANLON: Oh, sure, sure. Three data centers in HHS. Research data centers. These are not the regular IT processing data centers.
One is at the Agency for Health Care Research and Quality, Mike’s agency. Second one is at the Center for Medicare, Medicaid Services, and a third is at the National Center for Health Statistics at CDC.
And we have a couple of other agencies that -- they don’t have full-blown research data centers, but they do have Web sites and other analytic services on the Web, for example, where you can generate your own tables. So we are going to talk about those as well, and we might be looking at how can we sort of tie these all together in a way for the department.
I might say that it is not easy to use these data centers, necessarily. Sometimes, you have to be there physically. Other times, it is a complicated sort of situation. So --
Census Bureau has one as well.
MR. BLAIR: I am not sure if you could clarify things in more detail in this area, but I think that you mentioned that for the National Library of Medicine there was $5 million allocated, and you mentioned referencing covering continuing work on RX Norm, and do you know, at this point, that -- If there is going to be continuing work on the mapping to UMLS(?) and continuing work with SNO Med(?) in concept-oriented data, it might need more. Is there a different pot of money for the mapping work or is that all within the $5 million?
MR. SCANLON: First of all, this is fiscal year ‘08. So this is more of a request than an actuality, but the idea is to -- and the $5 million would be placed in ONC, but, presumably, when ‘08 rolls around, if we get this funding, some of it would support -- wherever we are with the mapping, Jeff, at that point, and RX Norm and Daily Med.
MR. BLAIR: But all of those topics are considered to be within the $5 million.
MR. SCANLON: Well, we’ll see what the research plan would be, but, yes, yes. There are supplementary funding -- really what agencies can find on their own -- and NLM, certainly -- I won’t speak for Betsy, but NLM usually supports some of this funding anyway, even aside from this.
MS. GREENBERG: Jim, I might mention, particularly for the benefit of the new members, that one of the letters that was sent to the Secretary from this committee in November specifically encouraged that this type of funding be -- continue to be devoted to or dedicated to this type of standards work. So that is very positive.
MR. SCANLON: It worked very well in previous years. Again, we had an AHRQ ASPI fund, and even OMB liked it, and they always say no. So it must be doing something right.
DR. SCANLON: This is both a comment and a question, and it is in the context of the populations subcommittee thinking about the data needs for the 21st Century; and, Jim, I think you did a very nice job of describing the glass as half full, saying the surveys are going to be continued at current levels.
And I guess it is -- I think it is important to bring up that these current levels are not levels that we were used to, if I understand that right, that we have actually had to make some sacrifices in terms of what we are collecting.
And, then, I think, in terms of the subcommittee’s work for the future, that there is probably the reality that we really need to be collecting a lot more information, that it is really, in some respects, an investment to try and -- If we want to sort of be able to, from a public policy perspective, manage our health care system better, we need to know a lot more about how it operates, and that the need for that kind of information is going to become more and more important as we move forward.
But am I right that we are not necessarily at levels that we used to be in terms of --
MR. SCANLON: Well, I think it is -- I was talking about the ‘08 budget. We’ll be looking at -- ‘07, I should mention, for the current fiscal year, we are -- and most federal agencies are on a -- the continuing resolution, which is -- really, we are sort of straight lined at the levels of last year or some other level, and the chances are we will have a resolution like that for the rest of the year.
I think it is fair to say, though, that the needs for data are -- always exceed -- the demand for data and the needs for data always exceed the resources available and it is always a prioritization issue, and, yet, I think, folks, when the President proposed this health access tax breaks and so on for health insurance coverage, much of the analysis there was based on data from HHS surveys, from the MEPS and from other surveys. So it takes a fairly big investment to have that available, whether you use it or not, and that is kind of -- So, in a way, it is not visible ‘til you call on it, and if you haven’t made the investment already, it is too late.
So I think we really do -- To be honest, I do think we need to rethink some of the surveys in terms of -- I don’t think we are going to get a lot more money. That is just not going to happen. So I think everyone has to become prudent planners and analysts and get the best out of our surveys.
DR. STEUERLE: Just one comment and then a question.
The comment is I think when you say straight line, I think you are talking about nominal dollars, right? So --
MR. SCANLON: Yes.
DR. STEUERLE: So in real dollars, it is going down with inflation, which using three percent or four percent inflation every year that’s a real cut of about three or four percent per year. Compounded, it really starts adding up.
I hope, Jim -- and I am sure you will -- that you’ll help us think out, in terms of when we do things like our workshop on data linkages, you know, there were a number of suggestions that came through there. There is always this question of how do we integrate it in in a broader budgetary context. I certainly hope you’ll help us think about how we can be most useful to that process.
My question is a little more specific on when you talk about continuing existing surveys, there’s a number of surveys, for instance, where there are a lot of improvements could be made if we could figure out ways to integrate them with other data sets, which was part of our workshop, or where we would like something more like a better time series data or we’d like to link with wealth data.
HRS -- Health and Retirement Survey is one of the few that really does a good job, I think, on the income and wealth side, but then you only get a certain subpopulation.
So when you say continue existing surveys, does that pretty much confine them to their existing status, so Health and Retirement Survey only does 51- to 61-year-olds and you can’t link up additional years or is there flexibility within these budgets --
MR. SCANLON: Well, yes, I think -- All I was referring to was the dollar level. We always have -- and I think that is why I guess rethinking is probably not the best.
Statistical agencies tend to be fairly conservative, for a good reason. You are protecting time series, and I think we have to be a little more nimble and sort of open up things analytically. I think that is sort of what you are talking about, and even structurally for some of the surveys, and I think that is -- I don’t think the levels of funding will be much more than they are, but -- except NCHS will be getting funding for this Home and Hospice Survey, which is actually a new -- Well, I think it was done previously, but it will be done again.
So I think it is -- Certainly, Gene, I think making better use and analytic use and even design of the surveys, I think that is always open.
DR. STEUERLE: Just a related question. The President recently proposed two very major health initiatives, one of them on which I have worked, and I know your office worked was this limitation on tax --
MR. SCANLON: On tax --
DR. STEUERLE: -- exclusion.
MR. SCANLON: Yes.
DR. STEUERLE: And Treasury, as well as HHS, I am sure, worked long and hard on trying to make estimates, and, as you know, based on very, very weak data in terms of integration of what actually health insurance costs per employee projected out to the future so on and so forth.
I mean, I wonder if there is also not a play here in terms of just pushing a little bit for more research where we know there are policy initiatives or there have been policy initiatives, where we can admit a little more readily the weakness of what we had to rely on to make --
MR. SCANLON: Well, we always use secretarial and presidential initiatives as a horse to ride for more funding.
DR. STEUERLE: We are making --
DR. COHN: OK. Garland, and then we’ll move on, hopefully, to the next presentation.
MR. LAND: I know we are interested in the national surveys, but I want to make sure that we --
DR. COHN: Garland, you need to get closer.
MR. LAND: I want to make sure that we understand what I think is a real crisis coming up in terms of the vital statistics system.
With the level of funding for ‘07, and now the level funding for ‘08, the national center is faced with some very difficult decisions of what to do, because there is not sufficient money to purchase 12 months of data, and they are looking at some scenarios I don’t think anybody would favor, possibly only having seven months -- collecting seven months of data in ‘07 -- that would be birth and death data -- possibility in ‘08, if they fund ‘07 calendar-year data with ‘08 monies, then they will not be able to purchase 12 months or any data for ‘08 for mortality data, and other scenarios are just as drastic.
So we really are facing a serious crisis for the -- if we think that having birth and death data for the nation is important, which I think most of us would agree, that the money isn’t there right now, and they are really struggling with what to do about that situation.
DR. COHN: I think Jim is nodding his head.
MR. SCANLON: Yes. Well, I think Ed -- I think we have to have Ed come back and report periodically.
I have to say we have not -- The current year is ‘07, and I think we -- Since the funding available is not clear yet, though looks pretty clear, we haven’t really looked at where would we be in ‘07, but I think you are right. I think the vital-statistic system has always been -- it is little recognized for its importance. It is the foundation for all the other health statistics and there is always difficulty in funding. In fact, we ended up eliminating two components of it in the past. So --
DR. COHN: And given that we have had a couple of questions, now, as we move on to Karen, I do want to just observe that, obviously, this is an area where there have been a number of issues brought up by members of the populations subcommittee.
This may actually be something that you may want to work into a letter, hold hearings on or otherwise, if you feel that this is something that should be -- I mean, it is one thing to talk about it. It is another thing to send a letter raising the issues.
OK. Listen, thank you, Jim.
Agenda Item: Health Insurance Portability and Accountability Act of 1996
DR. COHN: And our next presenter is Karen Trudel, and, Karen, thank you.
And this time, obviously, we are having sort of a change of pace in terms of the presentations, because, rather than just a general HIPAA update, we are actually going to be looking more to a specific area that I think Karen wanted to bring to our attention. So, Karen.
MS. TRUDEL: Right. Thank you.
I am going to concentrate on a guidance document that CMS published recently that provides specific guidance for applying the HIPAA security rule to situations of remote access and remote use of electronic protected health information.
This is something of a landmark in that this is the first time since the security rule was published that we have issued formal guidance on this document.
Previously, we had provided -- we have published educational materials.
This is the first official guidance document. It was released on December 28th of last year, and I would highlight the fact that it does not change the security rule. It simply examines the backdrop of the security rule and how it specifically applies in cases of use of data remotely and remote access.
I probably didn’t need to provide this slide: Why a new guidance? Obviously, there has been enormous change in the technology. Mobile devices, BlackBerrys, the storage media have become smaller and smaller and more and more portable; and, of course, I think everyone is aware of recent security incidents having to do with either thefts of laptops with EPHI on them, thefts of media containing EPHI that were taken off a campus, reports of access by unauthorized users, problems with inappropriate destruction of EPHI that allows it to be utilized, and the original security rule was intentionally broad. So the need to bring some of these broad concepts home and distill them to a remote access scenario was pretty considerable.
In terms of what has affected the list on this slide is just the tip of the iceberg -- laptops, home PCs, PDAs, PCs in libraries and hotels and other public places, wireless access points, flash drives, smart cards. All of these things are anticipated in this guidance.
One of the Guiding Principles that we wanted to bring to people’s attention was that there is a real need to be deliberate about remote use of electronic PHI. In other words, when EPHI leaves one’s premises, there ought to be a good solid business reason for doing it, not simply because you were taking a laptop off site and it happened to have a lot of data on it.
So that is one of the things that we are trying to stress here, and that the release requires risk analysis, policy and procedures and risk mitigation strategies, just as any other security procedure or process.
Here are some example business cases for remote use of EPHI: A home health nurse updating electronic records during a patient visit; physicians reviewing refill requests at home for e-prescribing; for continuity of operations, EPHI being maintained in an off-site data center for disaster recovery.
All of these things are appropriate uses of EPHI remotely, and there are a host of others that we haven’t specified here.
Again, this is the backdrop against which we are looking at these remote-access factors, and that is risk analysis.
There is a requirement in the security rule to analyze risks and mitigation factors, and, in general, to look at size, complexity and capabilities of the entity, the technical infrastructure, the security measures and the probability and criticality of potential risks.
In terms of policy development we are talking about the normal training, compliance workforce awareness, and our guidance specifically talks about three areas: Access, storage and transmission of EPHI.
Some examples of the data access strategy and the guidance document itself presents these in matrix form, talk about things like lost passwords, unattended workstations, failure to log off public machines. We have had an incident recently with someone using a hotel computer and data being inadvertently retained.
Some of the things that we need to address are stronger authentication, clearance and training, but, specifically, again, limiting access to EPHI to users with specific requirements and authorizations, session termination. These things seem very simple and almost no brainers, but we did not get to this level of detail in the security rule, and we felt that we needed to go to this level to bring this awareness to covered entities and make sure that, as they consider their risk analysis and their mitigation strategies ongoing that they take some of these specific considerations into consideration.
Data storage strategies. Some of the risks are EPHI on lost or stolen portable devices, unauthorized use of EPHI after faulty device disposal, loss of data, viruses via portable storage.
And some of the mitigation strategies that could be useful would be procedures to track devices in location; encryption of EPHI, so that even if the file is lost it can’t be accessed; appropriate deletion and disposal procedures for media; and appropriate security policies for PDAs, smart phones, BlackBerrys, et cetera.
MR. BLAIR(?): Is this a presentation we’ll have a copy of?
MS. TRUDEL: Yes, you have. Yes.
In terms of data transmission strategies, clearly, the main risk is data being intercepted or modified during transmission and we do make a stronger point about encryption and use of open networks in this guidance than we did in the original security rule. We do talk about where it is practical and appropriate prohibiting transmission of EPHI via open networks, using secure connections for email, mandatory encryption for Web systems, et cetera.
Our next steps will be to obtain additional industry input. In the guidance device itself, we provided a feedback mechanism.
We intend to develop a proposed rule that will include at least the information that is in the security guidance, and that is specifically for the purpose of assuring that the guidance, once it is part of a rule, will take on the same strength, in terms of enforcement action, as the existing security rules themselves.
However, we are not limiting ourselves necessarily to simply codifying what is in the guidance document, and we do want to use some opportunities over the next four to six months to get some industry input. We have reached out to the Workgroup for Electronic Data Interchange, and we have talked to the NCVHS Committee on Standards and Security, and, in part of their May hearing, there will be some discussions about security, and, hopefully, not just related to this guidance document, but any other issues related to the HIPAA security rule that are felt to require either additional clarification or new specificity.
That is my presentation, and I’d be glad to take any questions.
DR. COHN: OK. I just want to start out, Karen, by thanking you for obviously bringing this up to everyone’s attention.
I know when I saw the guidance document -- and I think most of the industry considered these documents effectively being the same as a rule -- but I think it makes sense to, obviously, bring it forward in the way you have, and, obviously, I am very pleased that Standards and Security will be reviewing this.
I am also, obviously, expecting John Houston, hopefully, to join in those hearings, since you are a security expert.
Now, with that, Harry, John Houston, and, then, Jeff, and, then, Mike.
MR. REYNOLDS: Yes, Karen, I would like to commend you for doing this, all of you at CMS, because I think, as these regulations have come out, business people trying to grasp -- and there’s a difference between people that really are down in the bowels of security or down in the bowels of understanding these things may read the regulations and understand them.
But I like the terms that are used here, because it raises it more to where pretty much any business person in a company -- executive level down -- should be able to read this and get it, and I think that’s the one task that we all have as we pass these new things is trying to help people understand how to live by them in a context of their words, not a context of the words and acronyms that we love to use as we are reviewing something.
So I think this goes a long way, and we look forward to spending more time with you on it in the hearings.
But I think this really goes a long way to start having the dialogue at the business level, rather than just at a detailed standard or a detailed acronym and really puts people, you know, to some kind of sense that executives can start making the right decisions to help their companies, rather than just leave it to somebody else to try to understand what the heck is happening to them.
So thank you for the --
MS. TRUDEL: Thanks. That was our intent.
MR. HOUSTON: I think overall this guidance is very valuable. The one thing, though, after reading it, that I sort of --
DR. COHN: John, you get a little closer?
MR. HOUSTON: OK. I thought the document, overall, was really valuable. The one thing, though, after I read it, I thought to myself, You know, a lot of what is being described here is probably things that apply not just to remote use of EPHI, but, frankly, is probably applicable within the four walls of a hospital or any other covered entity, and some of them are not, but, in large measure, they are, and I think there are some things that -- some awareness that needs to be raised within industry, and I’ll give you a good example of that in one of the things that we are doing where I am at.
We are in the process of encrypting all devices on our network, because of the fact that devices get stolen, they get taken out of use. Sometimes, they are disposed of appropriately, but, sometimes, you’ve got to -- you have to use a lot of diligence to make sure that when something comes out of production that somebody is actually going through and wiping the hard drive, and I know that sounds obvious, but the practical reality is is in a lot of cases, you hear stories of people not doing that.
So I guess my point in all of this is that it almost doesn’t go far enough. I think there’s this heightened awareness to remote access, but it is -- I think a lot of the risks are -- and a lot of the things that you are describing here are things that really do have broad applicability, and I think they are things that frankly need to get a little bit of play in the industry.
And, again, I use the idea of encrypting hard drives on desk-top devices as an example. It doesn’t cost very much. It doesn’t affect performance very much, but if that device is stolen or it is taken out of production and then not disposed of appropriately, because the device isn’t encrypted, the net effect is that data can be inappropriately accessed.
So I almost want to take this a little bit further and say there’s other guidance I’d want to do that really is related and it doesn’t take much effort, I think, to extend it to that, but I think it would be really valuable in the industry.
MS. TRUDEL: Thanks.
MR. BLAIR: Karen, this is timely and appreciated, and I just wanted to -- I didn’t hear you, maybe it is on the paper. Are you receiving input from the privacy and security specifically authentication authorization issues that might be impediments to health information exchange from the prime contractor, RTI, on the privacy and security project, otherwise called the HISPIC(?) Project?
MS. TRUDEL: No, we have not had a dialogue with them at this point. I think they definitely do need to be part of the dialogue when we begin to talk about what would be in a subsequent regulation.
MR. BLAIR: OK. Because that project has already gone through stages of identifying a lot of these issues, and this is the same issues, and then coming up with solutions in January, and, now, we are coming up with implementation plans, and they won’t be finalized like until late March or early April.
The information is already there on the issues and the suggested solutions, and I think it would be unfortunate if you don’t get those until the April-May time frame, because that information really is available now from RTI, and it seems like it directly correlates to what you are doing, but I don’t know if you look at health information exchange networks as a different context. I look on it as an extension of at least what I was hearing you saying, and I think it is really relevant, because they are impediments to us moving forward with RIOS and the NHIN.
So, in short, I think that information you should be able to get from RTI. I don’t know what we need to do to -- I could encourage -- They are going to have a national meeting, actually, on March 4th and 5th here in Washington, where they are going to be reviewing a lot of the findings, as we are getting close to finishing off, and I think, at that point, a lot of that information ought to get communicated to your group.
MS. TRUDEL: We can touch base with the Office of the National Coordinator on that.
Thank you.
DR. FITZMAURICE: I want to join in the accolades to you and to CMS also on the guidance, Karen. While not having the force of regulation, it does show the current thinking of CMS on these issues, and it is kind of a brush of good win(?) to come out and tell everybody what CMS is thinking.
So I have a question. Will this guidance help the Medicare program speed up the access by Medicare beneficiaries to information about their claims, eligibility, deductible levels and year-to-date payments when accessed over the Internet?
And, then, secondly, will it help Medicare programs speed up the electronic submission of claims by providers via the Internet? Will this help form a basis for that?
MS. TRUDEL: As far as the first issue is concerned, I think that we are already well on our way with our beneficiary portal under MyMedicare.gov to providing that kind of access already, and we are using standard security procedures to accomplish that, and we are finding that it is being well received by beneficiaries. They get not only information about eligibility, they can look at claim status. They get information on immunizations or other preventive procedures that are appropriate for them, and I think that program has been well underway.
We are working on some fairly long-term PHR-type pilots that I don’t think this implicates right now, but certainly will later.
In terms of the access to Internet claims, I think this policy will inform how that occurs, but putting the infrastructure in place to do that, for us, is a significant issue, and so I don’t think this will accelerate that process at all.
DR. FITZMAURICE: Thank you, Karen.
DR. STEUERLE: I, too, am impressed by your taking charge and charging -- the law requiring it. I really like providing the guidance here and in other areas.
I just have one comment, and I have made it before with respect to HIPAA in general when we analyze risk, and that is that there are obviously two types of risk. Statisticians often call them Type 1 and Type 2 risk.
The analogy here is there is the risk, of course, that we do something and it violates somebody’s privacy, but the other risk is impose a regulation or a standard or a guidance that actually increases the risk that something useful in health care might not be done.
And I would just -- This is just a suggestion. I would suggest that any report, you always sort of list both types of risk and then basically say this is, on balance, where you came out.
I mean, here, I see no objection to what you have done here, but I always worry when we focus on the one type of risk, because I think it always leads towards lack of concern, and although I don’t see it here, in other areas where we have talked about HIPAA, I have seen where I sense that HIPAA has prevented certain information from being passed on, and, therefore, has introduced new risk to the population, and I just think it is always worth listing them both in almost any HIPAA-related report.
MS. TRUDEL: I absolutely agree that while we have specified that here, our take on security is also always trying to balance those two things, and part of the reason that we have maintained flexibility in here and not required everyone to do everything the same way is to maintain some of that flexibility, so that the other risk that you were referencing doesn’t occur, but it is probably better to be explicit about it, I agree.
DR. STEUERLE: But it also allows if somebody wants to comment back, they feel that that is an appropriate area to give you comments back as well, not that -- they probably wouldn’t anyway.
MS. TRUDEL: Right.
DR. STEUERLE: But --
MS. TRUDEL: Thank you.
DR. COHN: Well, Karen, thank you very much, and, obviously, thank you for raising it to everyone’s attention, and, obviously, we’ll be working with you and CMS to, hopefully, help move forward revisions to the security rule, and thank you.
Agenda Item: Privacy Rule Compliance Update
DR. COHN: Susan McAndrew, thank you for joining us.
MS. MC ANDREW: Thank you for having me.
I will try to keep my remarks short, and there was some strange press after my last appearance here, where some of the information seemed to have been translated in the press as being received with shock and awe, and I will try to low-key that. I mean, there’s really not much shock and awe coming out of here right now.
The complaint activity related to privacy continues apace. Through the end of January, we have received just slightly over 25,000 complaints. A little less than a quarter of those cases are still open.
We continue to develop more data related to the types of cases that we are closing, and approximately a third of all closures are the result of investigated cases. So that means about two-thirds of the cases that we receive and close are done for reasons that the case is beyond our jurisdiction or doesn’t really raise a facial(?) violation of the privacy rule.
Of the cases that we do investigate, we have taken and achieved corrective action in two-thirds of those cases. So since the beginning of our compliance program, we have actually achieved corrective action in over 4,000 cases, and we got corrective action in 1,500 cases in last calendar year alone.
So I think both the volume of cases in which we are getting corrective action continues to increase, and the percentage of those cases in which we are achieving corrective action also is increasing.
MR. HOUSTON: Excuse me. Can I --
MS. MC ANDREW: Um-hum.
MR. HOUSTON: Corrective action as being equivalent to voluntary compliance or -- I mean, that seems to be a new term.
MS. MC ANDREW: Well, it is -- we are closing the cases because we have achieved informal resolution. The informal resolution is because the covered entity has agreed voluntarily to come into compliance.
The way they achieve that is through providing us with some sort of corrective action. Most of the time, it is a change to their policies and procedures to make sure that whatever the incident was that it doesn’t occur. Where there was an individual involved that, for instance, did not get access, part of that corrective action is ensuring that that individual, as well, is provided the access that is required under the rule, as well as making sure that the procedures are in place, so that others dealing with that entity will get access as required by the rule.
MR. HOUSTON: Thanks.
MS. MC ANDREW: We are continuing, as I mentioned before, to work on both -- to get out a clearer message and more useful information through our Web on the enforcement actions that our office is engaged in.
We are developing a Web page that will be devoted to compliance activities. It is still in the developmental stage, but we are hoping to populate that with statistics as well as success stories and case examples of how corrective action was achieved and what problems have been solved through this kind of voluntary compliance by covered entities.
Eventually, it would also be where we would post any civil monetary penalties or other monetary settlements that are achieved through our compliance activities.
We are, as I say, still in the development stage. So ideas, suggestions are always welcome. If you have any thoughts, just please let me know, and we will see if we can work them into our plans going forward.
I would like to let you know, in addition -- just to update you on some other activities that my office is involved in on a regular basis -- we clearly are very actively involved with ONC and the AHIC on the health IT projects. We participate in the consumer empowerment workgroup, and, recently, at the last AHIC, there were recommendations for specific tasks that my office will be working on with this workgroup, including some mapping of the privacy rule to some scenarios with personal health records.
We also continue to work with the confidentiality, privacy and security workgroup under AHIC, and I expect -- certainly, following the congressional testimony on the intersection of privacy processes and how the network is going forward -- that this workgroup is going to become extremely active.
They made their virgin report to the AHIC on security and identity proofing for patients, and so, now, they have made their maiden voyage and they can -- got their feet wet, and, now, they can -- I think they are prepared to tackle more meatier issues as they go forward.
As I think I mentioned last time, we continue to work with the research communities within the department to try to harmonize the rule structures from HIPAA as well as under FDA and the common rule to make sure that all of those rules are working together and facilitating the research endeavors that are being undertaken.
Two additional areas that have gotten increasingly active, and I expect will remain active the next year probably. The first, again, comes out of the Secretary’s priority for personalized health care, and that is the intersection of privacy and genetic information.
There have been several workgroups that have been formed within the department to take a look at that as well as it is on the agenda of one of the AHIC workgroups now, and we are watching the -- there was a discrimination bill that was, I think, passed the Senate -- passed one of the Houses, I think -- which would prohibit discrimination based on genetic information in insurance and in employment situations. So we are expecting that we will be spending a lot of staff time working out what genetic information is and how to adequately protect it.
The other area that continues to be hot, in terms of activity within the department, and that is disaster and emergency preparedness activities.
So we are -- my office is also helping to staff a number of groups that are emerging within the department to make sure that emergency response is done in a way that respects confidentiality of the information while still enabling this information to be available to ensure treatment in these kinds of chaotic and often disassociated settings.
So we have a lot on our plates, and, this year has been especially challenging, given the continuing resolution and the uncertainty with future funding, and just the increasing demands on resources is always a fun juggle.
But I think all of these initiatives are extremely interesting and challenging, and we are really looking forward to keeping privacy and confidentiality in the forefront of all of these discussions.
DR. COHN: Well, Susan, you are right. I don’t think we have any shock and awe today.
Mark, John, Leslie, and, then, Jeff.
MR. ROTHSTEIN: Thank you.
I have a question and a comment.
The question has to do with the privacy rule/common rule harmonization, which, as you know, is an area that we have been interested in over the years, and we were -- Speaking for myself, I was very pleased to hear at the last -- I guess in November, when you announced that this harmonization process was in the works.
Can you give us any sense of how that is going or whether you are hitting any sort of major snags along the way to do that or whether you are optimistic that something will be done over the next six months or year or -- Can you give us more information?
MS. MC ANDREW: Other than to say that I know the group has been meeting regularly -- I think monthly is the schedule that they are on -- there has not been -- I think there is still a little -- struggling a little bit in terms of setting their agenda. As far as I know, they have not come to us with any solid proposals either for areas of guidance or --
MR. ROTHSTEIN: So when you say they, this is sort of an OHRP/OCR working group, something like that?
MS. MC ANDREW: Yes. There is a committee that is formed and it includes OHRP, FDA, NIH. I think ASPI has representatives on it as well as OCR. So it is a broad -- I am not even sure that there aren’t other research entities -- AHRQ is on it.
So it is really cross cutting. The interests are very disparate, and I know that they are -- I don’t have a precise update where you -- but I can certainly have that for the next meeting of the committee, if you would like that.
MR. ROTHSTEIN: Well, I just -- I am very anxious to see progress made, and it is something that we have heard from in hearings from members of the research community for years, and we have promised them, as a committee, that we would recommend it to the department, and, now, the department has taken our recommendation and/or from other sources is doing that, and I am anxious to have the payoff, basically.
My comment deals with your remarks regarding protecting genetic information, and, although I think that it is very important to do, just as a comment, I would say that it needs to be done in the right way, and I think a lot of what is being done, both in Congress and elsewhere, is maybe not the best way to protect genetic information, and there are many people who feel that by treating genetic information separately and regulating it separately, you further stigmatize genetic information, and, in a sense, make the problem worse, in some respects, and as anyone will quickly find when they are trying to work with this, it is also impossible to define.
And so my comment/suggestion would be that OCR and the department, more generally, not be committed to sort of this genetic exceptionalism model and be flexible in trying to achieve the same goals, but through considering other options besides another sort of separate layer of genetic-specific regulation.
MS. MC ANDREW: I just would want to clarify that, clearly, that is the major area of discussion, and I did not mean to imply, in any of my remarks, that the department has decided on or even supports genetic exceptionalism. That is clearly one of the core issues that all of these debates and these workgroups will be focused on.
MR. ROTHSTEIN: Good.
That concludes my question and comment, Simon. No additional shock and awe.
MR. HOUSTON: I was just about to comment about how I thought it was a really great thing that people were actually thinking about looking at genetics and privacy, and it actually came up in a conversation I had yesterday.
And I think that the time is ripe to understand the issue and to really be proactive in trying to establish the appropriate framework for addressing people’s reasonable concerns about genetic privacy.
I think that, in a few years -- whether it be 10 or 15 years down the road -- I think genetics are going to be so powerful in testing, and the implications, that I think if we don’t get them right now, if we don’t understand fully, then I think we are going to develop systems and things in a way that, if we had to go back and overlay a different level of understanding of genetics, that we are going to be at a real -- we are going to be trying to do a patchwork that is not going to work.
So I applaud you for that, and I think that you can’t start soon enough to work on that particular issue, and I am just glad you are.
DR. FRANCIS: I actually wanted to second Mark’s comment about a bit of skepticism about genetic exceptionalism.
But the question I had was with respect to the complaints. Are you noticing any discernible patterns that it might be useful for -- that is, as types of complaints, kinds of violations that it might be useful for this committee to know about?
MS. MC ANDREW: Actually, there have been a number of discussions with the committee about what trends can and can’t be discerned from the pattern of complaints, and I do believe part of that was a conversation that might be continued following either this meeting or tomorrow’s meeting -- if there is a tomorrow -- but, right now, I would say that we haven’t noticed -- One of the things we have gotten from the compliant data are the most frequent allegations as well as the types of entities against whom these complaints are filed most often, and neither of those categories has changed significantly over time.
So we are not really seeing -- Other than the fact that complaints concerning failure to get notice, your notice of privacy practices has tailed off since the early days, which one would expect, but not really anything unusual or startling has --
DR. COHN: OK. Thank you.
MS. MC ANDREW: You’re welcome.
MR. BLAIR: Susan, about a year ago, you introduced an individual to us -- I don’t remember his name -- who is --
MS. MC ANDREW: That was a hell of an introduction, then --
MR. BLAIR: I apologize.
DR. COHN: I think it was maybe the director of the office of civil --
MS. MC ANDREWS: Oh, Mr. Wilkinson?
MR. BLAIR: The individual was going to have responsibility for directing a program of public education for people -- for consumers and patients -- so that they would have a better understanding of the rights that exist, now, to protect -- you know, for protected health information, and I hadn’t heard anything since then about a public-education program or what has happened with that.
And, now, you can tell me the name of the individual that I apologize that I forget; but what has happened with that program for public education of the privacy rights that do exist under HIPAA regs?
MS. MC ANDREWS: I believe you are probably referring to Patrick Hadley(?), who we brought on about a year-and-a-half ago to be our outreach and public education team lead senior advisor.
As it turns out, as luck would have it, Friday is Patrick’s last day. He --
PARTICIPANT: -- the job done?
PARTICIPANT: His work is done?
MS. MC ANDREW: He has decided to move to Atlanta, and so he is -- He is down there, actually, now, and he will be leaving us as of Friday.
The efforts that he was able to accomplish while he was here included a number of consumer education activities and materials that have been posted on the Web. There have been -- We have a number of fact sheets, and he did help coordinate with the other side of the office, the Office for Civil Rights, on a fact sheet that combined the two sets of rights that the office enforces.
There is still, clearly, much more work to be done in that area, and it is, again, always something that we struggle, in terms of being able to allocate sufficient resources to, both in terms of being able to get out, as well as to develop consumer-oriented materials for the Web site, but we continue to try to move along as fast as we can in that area, but it is -- I do consider it to be a loss that Patrick has decided to put his talents to other uses, and we will miss him.
In the interim, the responsibility for heading up our public education and outreach efforts has been transferred to Linda Sanchez, who I believe some of you may know from her past work. She has a long history with the privacy rule and brings a lot of expertise to this effort. So she will be leading our public education --
MR. BLAIR: She’ll be within the Office of Civil Rights.
MS. MC ANDREW: Yes.
MR. BLAIR: And is there any plans to provide public education beyond posting the rights on a Web site?
MS. MC ANDREW: She and Patrick are tasked with coming up with a proactive outreach plan for ‘07, and when that plan is vetted, we will share that with you.
DR. COHN: Well, Susan, thank you very much.
MS. MC ANDREW: You’re welcome.
DR. COHN: Obviously, we appreciate this.
And we do believe there will be a tomorrow. The government will be open as part of it. We will, obviously, wait an see, but thank you.
Agenda Item: Office of the National Coordinator Update
DR. COHN: Our next presentation is from John Loonsk. John, thank you for joining us.
John is a Director of the Office of the National Coordinator, and his charge focuses on interoperability in standards, and it is a pleasure to see you back again.
DR. LOONSK: Good morning. Thank you, Simon.
DR. COHN: Thank you for joining us.
DR. LOONSK: It is a pleasure to be here. Thank you for having me.
I am going to give an update on several items from the Office of the National Coordinator. There is a lot going on, and I am, by no means, going to talk about everything that is going on, but I will talk about three important things.
One is the recent Secretarial actions regarding interoperability specifications from the Health Information Technology Standards Panel.
Second is the next step use cases from the American Health Information Community.
And, then, the third is an update on where we are with the Nationwide Health Information Network, which I think was one of the principal reasons you had me here today, and, then, hopefully, we can have time for questions.
Recently -- actually, December 2006 -- Secretary Leavitt accepted three HITSP -- Health Information Technology Standards Panel -- interoperability specifications. He accepted these, and, in his letter of acceptance, identified the fact that he intends to recognize them formally in December of 2007. So accepted in December of 2006 with the intent of recognizing them in December of 2007, assuming that there are only minor changes of a technical nature between those two versions.
The intent here is to have a process that roughly parallels the activities on the private sector regarding the certification commission for health information technology and its progress in moving interoperability specifications and standards into certification criteria for electronic health records and, eventually, for networks.
So what we have here is an effort by the government on the federal side to parallel basically a year’s worth of time between the availability of implementation-level guidance and when there can be an expectation for implementation of those guidance, in this case, relative to the Executive Order federal systems and contracts.
So accepted these three interoperability specifications December 2006 with the intent to recognize them in 2007.
At that point, once they are recognized, there are activities that are induced by the Executive Order that suggest that, indeed, upgrades to federal systems and new federal implementations of health information technology systems will need to incorporate those standards into them.
And, as I indicated, this is grossly an attempt to also parallel the process where a certification commission for health information technology has identified as general guidance the desire to have a year’s availability of implementation-level guidance before standards can be expected to show up in certification criteria and then be tested accordingly.
That was an important step in moving forward with a broad health IT agenda the first round of interoperability specifications from the health information technology standards panel put on a course for their involvement in federal and private systems.
Another significant action from the American health information community has been the identification of the next step use cases to move forward into the national agenda, and, if you’ll remember, the use cases are articulations of priority areas that the AHIC has been discussing, priority areas and issues, an effort to the use cases document what some of the needs are in regard to those activities, so that they can then be fed in the broad apparatus of the national agenda and the many different organizations and individuals that are participating in that can work on them and have a shared point of focus for their activities.
Last year, we had consumer empowerment, medication history and registration data. We had EHR use cases around labs. We also had the biosurveillance use case, which focused on the use of clinical-care data to support biosurveillance purposes.
In mid cycle, the community EHR working group of the American health information community identified the need for an emergency responder EHR use case.
That was advanced. We had two rounds of public comment on that, and that was actually publically posted in December of last year. That will form one of the areas of focus for the next-step activities.
Important in this use case are the ability to exchange a summary patient record in emergency situations, as well as issues around provider authentication authorization and credentialing, which were apparent, for example, post-Katrina, where access to patient information was -- while there were some electronic data available, accessing them in the context of emergency care was a challenge.
There are other enabling technologies associated with that use case, but that use case is publicly available, and, among other activities, the health information technology standards panel will be working on this use case in its next cycle.
Similarly, as I will talk about later, these use cases feed into efforts of the nationwide health information network, as well as the certification commission and other discussions as well.
The American health information community identified a new use case to be worked in the area of medication management, and, in this case, the related areas include things such as medication reconciliation, pharmacy and allergy data, monitoring of medication, ordering transmission dispensing.
Essentially, one of the needs that had been advanced to the community, both from the working groups, in terms of priority areas coming forward, and from the certification commission on health information technology, was the fact that, although e-prescribing has standards identified and has regulation associated with it, there are ancillary areas in medication management that also need to be attended to in this very important area for clinical care.
The prominence of medication use and issues in the context of clinical care raised the attention of the community to this activity. The intent is not to duplicate the work of e-prescribing and the regulations that exist in that area, but to, indeed, compliment those activities with appropriate standards and processes and issues discussion in associated areas around medication management, and it is one that received a lot of support at the community level in terms of those discussions.
There is an aspect to this as well around clinical-decision support, and I hesitate to put that on the slide, because, for many, that is evocative of a lot of different things.
I think, in this context, it is meant to suggest some really introductory issues associated with providing information to providers, to clinicians in the context of making medication decisions, and so we shouldn’t think of this as the full-blown vision for clinical-decision support that many people have, but maybe an incremental step forward in that direction.
Another area that the community approved in this next round was consumer access to clinical information, and the community still clearly puts a high premium on the role of the consumer in moving forward with the health information technology infrastructure.
We have positioned this as an extension of the existing consumer empowerment use case, and one of the things that we are attempting to do with these next round of use cases is to try to make sure that they are coordinated among the different working groups.
We have a multitude of different American health information community working groups now. They are coming forward with priorities at a significant clip. Over 120 different priorities and issues were raised in the course of their work over the last few months.
We have attempted to embody as many of those priorities into these different packages as we can in terms of advancing them, though we don’t -- and we readily admit that we can’t necessarily attend to all of them or attend to all of them in complete detail, because there are so many.
Nevertheless, by building on the existing use cases and by trying to put these in rational groupings, we think we can advance a good number of these things in the next round.
The Secretary, during the AHIC meeting, when these decisions were made, made a request that we begin to work up all of these use cases with the intent of having them primed and ready for the next round of activity as soon as that can be.
There are obviously some other activities that have working groups and have general little areas of interest, including personalized health care, which will probably also be on the agenda for next steps, but the Secretary has asked that we work all these up, and as soon as we work up this first round, we will turn around and start to work up the next round, so they are available as well.
This extension to the consumer empowerment use case references specifically lab results, as needed by the patients, list of conditions and allergies, health problems and diagnoses codes, and we have also identified a number of enabling technologies associated with these that are important in two contexts.
One, they are important in the context of this specific area, the specific use case, the specific breakthrough that is being advanced.
But, two, we have also reconciled those with the needs of the nationwide health information network in terms of standards and architecture moving forward.
And so there is a great synergy between some of the enabling technologies here and the next steps of the NHIN, as I’ll mention in a couple of minutes.
So some of the enabling technologies in this area include management of links between consumers and providers, consumer access control and how consumers can express their interests in access to their data, PHR portability methods and access auditing.
The final use case for this coming round is identified as one around quality, and we are terming this as an extension to the biosurveillance use case, because, although this is in the general area of population, formally known as secondary use, no one wants to be seen as secondary. So the general area of population data access and use for population purposes is what is referenced here.
The quality use case has a number of important associations.
One, there is the suggestion that it will need to involve a core set of inpatient and a core set of ambulatory measures -- focus on core set -- that will be advanced in this context.
Two, there is the fact that a prominent part of this is clinician access to these information. So while, frequently, people think of quality reporting as what this area is about, it came through loud and clear that clinician access to data is a critical part of this moving forward, and that will play a prominent role in the use case in the subsequent discussions.
And then there are a number of enabling technologies associated with that use case as well.
So three new use cases. Two of them are extensions of existing ones, and, then, the emergency responder EHR, which is already developed and advanced.
The third area I wanted to touch on was an update on the nationwide health information network.
We had recently a third public forum for the nationwide health information network. It was very well attended.
We also had a presentation at the last American health information community meeting, and both these events focused on two things.
One, they focused on the business models for how these type of services could become self sustaining, and the other area of attention was the software prototypes.
Now, there is a great tendency in software development to -- and in systems architecture -- to think that -- you know, software is very evocative, and I think that was both a plus and a minus of the activities that went on. So people were able to envision, indeed, some things that had been talked about very frequently in abstract ways.
But it is important to recognize as well that what had the four consortia demonstrate were really applications that were connecting to architectures -- network architectures. They are not the network themselves.
And so at the same time that we had, I think, some very compelling presentations of the work that was done, it was only a fraction of the work that was accomplished over the last year.
When we initiated the nationwide health information contract, we roughly asked that the consortia spend about 80 percent of their time on architecture issues and about 20 percent of their time on the software prototypes that validated that their architectures were viable, but, nevertheless, this was a very -- I think there was a lot of excitement at this forum. It was much more tangible than many of the architecture activities that had been carried on heretofore, and people could actually put a face, if you will, on what the kinds of services and capabilities could be when we get to this vision of having a nationwide health information network that can foster these types of activities.
Important in that is that NHIN is part of a broader cycle, and we have consistently described the fact that there are iterations to this cycle, that we are going to get at this in an iterative fashion.
We have, in some ways, gotten through most of one cycle. I wouldn’t say we’ve gotten through the complete cycle, but we have taken the first round of use cases, the breakthroughs from the community, put them into use cases, put them out to the NHIN for prototype architecture work, put them to the HITSP for standards work. We have had focused discussions on policies and regulation issues associated with those. We have talked about business deployment and sustainability issues, and we have shown a path for how they can -- these can influence next steps from a certification perspective as well. It is part of a broader process.
What we are advancing, in terms of the NHIN, is a network of networks to connect providers and consumers and interconnect state, regional and non-geographic health information exchanges.
Visually, we are focused on, to a significant degree, on the interconnection between exchanges. So it is a network of networks, and the needs for health information exchanges to be able to work with each other across some very complicated issues.
We are also focused on the ways in which those health information exchanges, to an extent, interact with provider organizations and other networks and systems that they connect up, but I think that it is important to differentiate some of these interfaces.
We think that there is an important role for the personal health record connection in this regard, but not all of these three interfaces may be dealt with completely in the same way. The needs for health exchange to health exchange connections are going to be highly specific and highly standardized, if that is going to work.
On the other hand, some of the needs, in terms of engaging provider organizations, and, potentially, consumer organizations, systems and networks, will have to have some flexibility to sustain this activity where the service provider, the group, the health exchange that is doing that connection may, indeed, lead to work to help get those groups up and running involved and participating.
And so these are different kinds of interfaces, different kinds of interconnections, and I think you’ll see, when we talk about the next steps for the NHIN, that that will play an important role.
We have also been talking about the fact that there is a need to potentially have service providers that can support health exchange, and this gets into a complicated discussion of potential acronyms and other terms, but to have successful health information exchange, a number of elements are necessary. There are business needs. There are trust needs. There are governance needs, and there are technical needs and simple service provision capabilities, and not all organizations are going to fill each of those functions.
So we are identifying, in the next steps of the NHIN, some important constituent aspects, attributes that need to be participant, and some of it is having the technical and service wherewithal to advance this activity, but, clearly, a very important part is also having developed a trust at a regional, state and potentially cross-regional level to be able to support health information exchange and to have governance that can support that.
This is one of the products from this year’s work, which is a depiction of some of the kinds of services that health information service providers may be providing, and, clearly, as the discussions have gone on, there has been a lot of good interchange between what services are viable to support health information exchange, what ones may need to be there -- such as security and secure transport -- which ones may be added value, additional roles and participation that may be specific to a particular community or specific to a particular region, and there needs to be a flexibility between having some core capabilities that allow people to trust this kind of health exchange and for the health exchanges to work together at the same time that there may be -- there are needs for flexibility in terms of the types of services that may catch on, if you will, in different communities to move forward.
So the third forum, as I mentioned before, focused on prototype architecture presentations through these software manifestations. It did focus on the three use cases from last time, and core network services.
So that was, I think, important to recognize that the work that was done did have a particular emphasis in the consumer empowerment electronic health record and biosurveillance realms as per those use cases.
It did put a face on these efforts that I think was compelling and represents -- and so some really important issues came forward in the course of the discussion, and some potential approaches for how to advance this kind of exchange came forward out of this prototype architecture work, including different approaches or connection of both commercial and tethered personal health records, opportunities and approaches for ways in which consumers can manage PHR data, considerations for how consumers could express the way in which their data could be managed, even beyond their PHR, potentially, in terms of network exchange. In one model, coming forward with approaches to the exchange of access management emanating from a PHR, but potentially applied to network exchange as well.
Clearly, a need for tracking providers associated with patients, and, here, you’ll see one of those synergies between the next use cases and some of the NHIN needs as well. Routing of lab data.
There were presentations on both portal- and EHR-based retrieval of historical results. There was not a one-size-fits-all for this, and they were both important, in the end, in terms of the presentations.
Notification technologies for how new data are available, making people aware of when new data are available. Some of the work of routing non-ordering providers of care, data to non-ordering providers of care, and, then, a number of issues about the importance of comparability across provider sites, data comparability and the importance to other activities that that engendered.
We have said, steadfastly, that the approach of the NHIN is going to be incremental, that we are going to take steps to this -- this slide is from the first forum -- that we have been working on first prototype architectures and producing a number of architectural products.
We are going to, then, take the next step, which is to trial implementations, and I will talk a little bit about what that will look like in a moment, but -- and, then, move on in subsequent steps from there, each time taking the products of the previous work and applying them to the next work.
So one of the things that we have identified, in terms of the next step of trial implementations, is that we will be taking the work that has been proceeding over the course of the last year and applying it in the context of the next-step contract and the next-step procurement.
I think that this is not necessarily the complete -- it is certainly not the complete approach to addressing the incremental development of the NHIN, but it is an important tool in trying to help advance some of these areas and some of these activities that are going on now at state and regional level.
So the types of products that will become parts of the guidance for the next step include the standards that have been -- from HITSP, the security model considerations, the work that the National Committee on Vital and Health Statistics has done on recommendations in the context of privacy and confidentiality for the NHIN, the work of the confidentiality, privacy and security working group, the vast amount of public input we have received in the context of the now three NHIN fora that have occurred.
The use cases that I have mentioned and talked about before will also figure prominently into the next round of activities, the functional requirements that NCVHS has worked on in the context of helping to define in simple, declarative terms the kinds of activities that need to be carried out.
We will be coordinating with the certification criteria for ambulatory care and inpatient, and particularly network certification criteria, as they become available in the next round of the certification activity, the work on business models, and, importantly, a report that we are going to have delivered from Gartner(?) Consulting on the 2006 NHIN work. We expect it to become available in the March 2007 time frame, and focus specifically on the interfaces.
We did a pretty deep dive into some of the technology in the last year, and I think that was appropriate from a prototype architecture standpoint, but, now, in the next steps, in trial implementations, we are going to step back a little bit from that and talk particularly at the interfaces where there are great needs for standardization and needs for systems and networks to work together, and to bring, in the context of the next-step activities, some of these attributes that are necessary for health information exchange.
Obviously, providers and systems need to be engaged. Health IT adoption is a critical part of the business models that have been discussed in terms of making this sustainable. Consumers need to be involved. Security has to be provided. Governance has to be in place. Trust has to be enabled, and, then, business services and technical capabilities have to be brought to the table as well.
So the next round of the NHIN activity we have termed trial implementation. So 2006 prototype architectures, 2007 trial implementations.
We are in the midst of initiating the procurement for this activity. So there are some things that I can’t talk about in that regard, but the important concepts I can allude to, which are, one, we are going to bring together the products of the 2006 work, some of which NCVHS was critical in helping to form.
We are going to try to bring together some of the technical accomplishments of the prototype architectures. We think that those technical capabilities and some of the other businesses that are out there working in this health information exchange area need to be brought together with directly engaging state and regional health exchange.
So an important difference here is that the next round of the NHIN procurement will directly engage state and regional health information exchange and focus on the interfaces by way of moving forward with next-step activities.
We anticipate that there’ll be a request for proposals in a March-April time frame with awards made in June and July to represent the next steps of the NHIN.
So, with that, I thank you for your attention this morning, and I’d be pleased to try to answer any questions you may have.
DR. COHN: John, thank you. Quite an overview of a year’s worth of very hard work.
I guess we will start Mark and then Justine, Harry, Kevin -- actually, John and then Leslie --
MR. ROTHSTEIN: Maybe you ought to take hands of all the people who don’t want to -- Well, I’ll be brief, then.
John, as you know, the GAO report was very critical about -- 84(?), its lack of efforts in the area of privacy in the NHIN, and I notice that your presentation had a de minimis amount of privacy to report to us. Maybe you wanted to keep it private.
What is ONC going to do in terms of ratcheting up its privacy efforts before privacy falls hopelessly behind the technology developments?
DR. LOONSK: Thank you for your question, Mark, and I certainly recognize your concerns in this area, and I, in fact, have read the GAO report, and I find it to be a very -- a reasoned detailing of a vast number of activities that are going on right now in the area of privacy and security.
I think the headline certainly caught a lot of people’s attention, but, in detailed reading of the report, there actually were -- there was a listing of a great number of activities that are going on.
We have tried to articulate the fact that this is going to be an incremental and iterative activity, and I tried to point that out in the context of my comments on the NHIN. We are not going to production systems as the next round. We are going to trial implementations, partly because we still feel we need to tease out more of the issues and work more of the privacy and security and some of the other related issues as we move forward in that regard.
So the plan is an iterative one. It is one that involves a vast number of different people and organizations in bringing forward issues, some of which, to be quite honest, are at the state and regional level that they need to be addressed.
We are working to try to offer new technical approaches to how some of those things can be advanced. I think some of the work in the NIHN prototype architectures around the ways in which consumers can influence how data could be managed are very promising in terms of what they potentially offer in terms of moving things forward, but they still have to be potentially tried in trial implementations to determine whether they are fully viable. So an incremental approach, trying to bring forward the issues, trying to bring them forward.
I think what the GAO pointed out, and I think it was one of the issues that we discussed with them in fair detail, was that when you have as many people working on these varied activities as there are, that you can’t always have distinct milestones and say this is when this issue will be addressed and this is when that issue will be addressed because of the iterative nature of this, and I think that that is an area where I think the Office of the National Coordinator differed with the GAO, who really was focused on -- in terms of the message -- having distinct milestones.
We certainly are as intent as we can be on having milestones identified wherever they possibly can, but there is still an aspect of discovery that is going on in the context of what the issues are at the state and local level that need to be addressed. So it is certainly an area that is -- our attentions are heavily focused on, and there’s still a lot to do.
DR. CARR: Thanks for a great presentation.
I have a question about medication management. Medication reconciliation is, as you know, one of the national patient safety goals for JAYCO(?). So my question is is there a new work group that will be working on this and --
DR. LOONSK: No. So, essentially, I think we have seven working groups of the American health information community, and what we were starting to see was that there were common priorities coming out of different working groups and potentially being addressed in different fashions.
So these use cases attempted to bridge some of that, and a lot of the medication reconciliation issues come out of the EHR working group and needs for -- although they are frequently about presentation at a clinical care setting and how medications can be reconciled at that time relative to historical medications, what the patient is actually taking, any over-the-counter medications, et cetera.
So the principal focus for that one, I think, would be the EHR working group, but these use cases will not necessarily mean that there is one working group that is working on those issues alone.
DR. CARR: Thank you.
MR. REYNOLDS: The question I have is on the patient identity reconciliation, you mentioned it on your slide under Emergency Responders, and, then, under Medication Management.
As you know, the committee has had some hearings on matching patients to their records.
Do you see a drive towards one type of matching criteria, obviously without the prominent use of Social Security number, without an individual identifier and some of those other things, if everybody picks their own and -- So where do you see that heading? Because it is showing up consistently throughout your presentations and a lot of other presentations that are going on about the subject, but where do you see it going?
DR. LOONSK: So the focus of the prototype architecture activities and the focus of the trial implementations will obviously be trying to make health exchange work when there is no national patient identifier and Social Security number is not used in the context of that identification.
So what that begs is the identification of demographic data that are available in the context of doing that reconciliation.
We think that an important aspect of the next step work will be on the ability for health information to health information reconciliation of patients as information needs to be exchanged, and there is a goodly amount of work going on in that area.
We think that is a critical component to getting to a network of networks, so that when one health exchange is routing data through another health exchange or vice versa, that there is a -- that the shared patient attributes necessary to do a reconciliation, but that is going to be a communication. It is not a single transaction. It’s gotta be more than one transaction that occurs, and that is part of what we anticipate will be a focus for the next round of the trial implementation.
MR. REYNOLDS: Thanks.
MR. HOUSTON: Having attended the forum, I actually thought it was really interesting, and there are two themes that you really didn’t talk too much about. I saw in your notes somewhat, but I think it probably bears a little discussion, and the things I know I at least had discussions about at the forum, one was sustainability and the other one was secondary uses.
I thought there was -- At least in the circle I was in, there was a lot of discussion about both. I mean, I don’t -- What I hate to open up is a sort of a broad discussion point, but I didn’t really hear you talk about the, but, yet, they seem to be topics of interest of a lot of people.
DR. LOONSK: And there was absolutely a lot of interest in -- For the third forum, the first day was on the prototype and demonstrations of the prototype software. The second day was around sustainability of health information exchange, and there was a very robust discussion that may not have been fully captured in my slides.
Interestingly, a number of the models, indeed, pointed to a similar time point of about eight years, seven, eight years out for achieving sustainability for some of the exchange efforts, which I thought was encouraging just from the standpoint of that there was some commonality of approach in that regard.
You are right that there were a number of issues about secondary use and discussion of secondary use, and, in those business discussions, many people point to secondary use as potentially something that plays an important role in sustainability.
I think part of what needs to occur, though, is further investigation into which of the different services are indeed viable and what added value service providers can provide, how much doing data translation and mappings. Can that be a service that they can potentially sell to some of the provider -- engaged provider organizations, for example, to bring people on board and get them engaged.
And so I think there are still a number of other models, but you are right that that was one of the things that was prominently presented.
DR. FRANCIS: Obviously, one of the privacy and confidentiality issues that this does highlight is questions about data security, but I want to just underline an entirely different range of questions.
Obviously, there are questions about control over information getting into the network in the first place from a privacy and confidentiality point of view, and, related to that, in the technical architecture design, the possibility of secure envelopes within, and I would hope that there is attention, as infrastructure is being looked at, in that set of questions as well as the data security questions.
DR. LOONSK: Thank you.
I think there has been a good amount of discussion about security approaches, auditing, encryption, where -- issues around data persistence and where that occurs. So there are a number of different discussions and products in the work that has been done.
DR. COHN: OK. Now, we move to the other side of the room. Jeff and Marc. Do you have a question also, Mike and Larry -- OK.
And, then, hopefully, after that, we’ll be able to take a break. So remember, your questions, you are standing between us and the break.
PARTICIPANT: We have better questions over here.
MR. BLAIR: John, first of all, I want to express my appreciation for the fact that -- you know, it has been obvious for some time that ONC has been moving forward with a number of parallel initiatives, and what you outlined today was that, for the first time, that I was able to see how these things might converge and build on the results of each other and then go into further iterations. I really appreciated seeing that.
It is obviously going to be difficult, and it may be difficult to keep them on schedule, and it may not be as fast as we want in all areas, but the convergence, the iterations kind of gave us, for the first time, a little bit of a road map, and I really appreciated that.
One area that you mentioned that probably I had less concern about as a techie type person, until my recent experience in New Mexico with our health information exchange, is -- and this gets to the area of convergence and how this fits in, because, in some sense, while we move forward with a lot of things that you discussed, the functional requirements for the network and all of the pieces and how everything works together, we are finding that the community is very interested in the health information exchange network for different reasons than we expected, and we are finding ourselves, in order to be responsive, redefining what we are doing every few months, and it is being driven by business models.
You mentioned business models, and I would like to have a better understanding, and maybe I’ll just give two quick examples of this, because we are finding that the business case, in some cases where we thought there was one, it was weak, and we are finding that there’s business cases where we didn’t expect to find them as we try to be responsive to our community.
One of these that is especially strong and was struggling, because not all the pieces are there for us to put it together, is that as different health care institutions begin to say yes, they are signing agreements to be able to share data, they are realizing that folks outside of their health plan, health facility will now begin to have access to their health care information, and it isn’t just the technical authentication standards that are not there, it is the policies, the practices, the authorization, the authentication, this whole area, in terms of not just a covered entity, but a community-wide network for coming together with agreements on all of these. That turns out to be a major positive business-case driver for these entities.
And so that is just one example, but I am giving that example, because, I am really, really interested in how you will be constructing the business-case piece because I would think it would need to be responsive to the emerging business cases in the various health information exchange networks across the country.
So whatever you have done to begin to think out how we would do this, I would really be interested in this, because this may be driving a lot of the other pieces instead of vice versa.
DR. LOONSK: Thank you for your comments, Jeff.
I think you have pointed to a number of very challenging areas, and so one -- I think one conclusion from that, and one that we have held for some time, is that we, the country, do not know all the activities or how they will look on the Health Internet, and that, like the Internet, it is incumbent upon us to not assume that we know what it will look like completely in a number of years, and that has to flavor the way in which we pursue things, that we should not stifle certain activities unduly lest we don’t understand what the implications are relative to moving forward with that.
So the general model, I think, is to move forward iteratively, to try to be specific where one needs to be specific, but also to allow for the development to proceed, and that is a challenge.
I think there a few different aspects to the business activities. One is that the AHIC basically is making an estimate as to what activities they think have a business case when they identify a breakthrough, and they are doing it really in anticipation of the rest of the activities and in anticipation of how that plays out at times, based on the best information available, but certainly without knowing conclusively how that will look at the end of what is a cycle of activities and movement toward implementation.
But they are making an estimate. They are trying to identify breakthrough areas where services can potentially be sustainable, where there are needs for those services, even if there isn’t completely identified the relationship between entities that would cause a self-sustaining service.
So moving forward with those areas, those breakthroughs through the use cases, advancing them through the entire activity, they press on different issues in different places along the way.
At certification time, for example, there is a heavy emphasis on why the EHR vendor should implement those services. Is there a compelling case that people will want to buy EHRs that implement those services.
At the architecture level, there is the issue of how do health exchanges be able to be -- how can they be self sustaining in terms of providing services, et cetera, et cetera. So there are a number of different glimpses at that, a number of different lenses that are put on that.
But I think the simple answer is that what we are trying to do is to encourage the development as we proceed through this, recognizing that, indeed, work flows are going to change, different services are going to change, what the complete capabilities are of the Health Internet, if you will, are not completely known, and that we have to be very strategic in terms of how to foster the movement in this direction without impeding its progress.
MR. BLAIR: The philosophy that you have just expressed, I completely agree with.
Now, the only piece that I would be concerned about is that if people looked at what appeared to be positive business cases six months or nine months ago, they are shifting, and they are shifting quickly as people understand the strengths and limitations of these networks, and so if there is any way to communicate that that AHIC group would need to have current information from a diversity of health information exchange networks that are out there as we are finding out that as people understand these networks better, the perception of what the business case is is shifting significantly and quickly.
Is there some way for us to --
DR. LOONSK: We see that, too, and I think that what you’ll see in the next round of the NHIN activities is some flexibility in terms of which of the breakthroughs and which of these additional focus areas can be implemented as they move forward with trial implementations, because not only are there shifting priorities at times, but they vary, in terms of the particular region and what will work there and what will work somewhere else.
So we need to maintain that flexibility for both those reasons, and we agree with you that that is a critical aspect of moving forward.
DR. OVERHAGE: I can’t tell you how much fun it is to get to ask you questions, instead of the other way around. Now about that other deliverable --
I had a number of questions, but I guess I might role them up into one broad question, and you probably can’t answer this, but I’ll let you take a stab at it anyway.
One of the concerns that I have is there are myriad forces spinning off activities for ONC in this area, and it feels very fragmented and disconnected to me, as I look at the overall picture, and, as Jeff said, I think there is an architecture. There is a direction.
I am worried a little bit, though, that the pieces aren’t tied together enough to make real progress.
So, for example, the HITSP recommendations that you talked about, when you look at those -- and, frankly, I haven’t read them all, and I do this for a living, and I -- I mean, there’s just too much, and part of that, I think, is organization, presentation and focus that makes it harder to digest and track, but part of it is this myriad of pieces that are out there moving.
C-CHET(?), as another example, we started out and focused on electronic health record certification. We can’t quite get to interoperability yet. We’ve got to go through this other process, all right and good, and, yet, most of the data that we look at in the systems today are in laboratory systems and pharmacy systems and radiology systems and things like that, and not NEHRs or anything else that C-CHET has looked at yet.
So a very broad concern is too strong a word, I guess, but maybe the question is is do you have thoughts about how we can help corral this a little bit better, so we can actually make real progress?
I think there is broad progress being made, but I am a little worried that it is broad progress at the 100,000-foot level, and that the 10,000-foot to the ground level, there is so much diversity and so much fragmentation, I am worried that we are not going to get done what we really want to get done, although the trial implementations and things like that, I think, are a step in that direction.
DR. LOONSK: Well, thank you for your comments.
A few responses, a few points. One is that this is complicated. This is not a trivial thing, and just take the interoperability specifications, at the same time that you and others may be overwhelmed by 800 pages worth of implementation guidance, we clearly need that kind of specificity to get to a level of interoperability which is really got to show value in terms of connecting systems.
I mean, we know for some time that we have to talk about how standards are implemented, not just what standards there are, and that basically compels that level of specificity.
We also know that this health exchange is not going to be a simple thing and that we need to advance it in a way that is coordinated. We know that it is going forward at state and local levels. We know that if it goes forward without coordination, we are going to not have the kinds of security necessarily built in in every implementation that we would like. We are not going to have them be interoperable with each other, because they are going to go and do things in their own way at times to meet their own compelling needs, and so I think this is a complicated activity.
We have a number of things going on. A number of them are about discovery, and a number of them are trying to identify. If you think about the activity with the state and local implementations of HIPAA and how we still have lessons to learn from that.
We are still early in this process, and so it is a balancing of the fact that we are -- we have some time to go. We have to go through a number of iterations. Some of these processes still have to produce products, so that they can be fed into the next round, like the -- limitations and how I describe that here, and I think that things will look much more cohesive when we start to get into that cycle and start to implement those things.
But, at the same time, we are also very -- there are needs to move forward and to move forward fast, because we know that there is a lot going on, and so it is a balancing of those two things and the communication thereof.
So I think that, as things progress, you’ll start to see the way in which they start to fit together, the way in which we can take the product from one activity and feed it into the next step activity and that that is basically what coordinating is about.
DR. FITZMAURICE: I gotta say, by the end of that answer, much as I’d like to say, Gee, it is all fragment(?) and everything, it is complex and it is hard to get your mind around, but I find that quite a few minds are getting around it, and as I see us working ahead, I see us pulling in more and more things to the overall picture, not just reaching out with more and more arms of an octopus without a head. It does -- it is better coordinated than say a year ago, because we have learned more, and so I buy into your statement.
For interoperability in trial sites, it would be useful if we looked at how the codes and terms that are exchanged are understandable, understandable to clinicians at both ends of the transmission, and, indeed, we’d like their computers to be able to accurately identify the concepts and use them for information retrieval and decision support.
But sometimes we have difference in terminologies and codes, even across the named or recognized standards. So it would be useful to have a look-up tool to guide vendors and clinicians in achieving the interoperability of this message content that is exchanged.
So I want to ask you have you given consideration about how to improve the interoperability of the data elements and the name standards and the use-case information exchanges?
For example, you might encourage electronic access to the name standards, maybe for a price, make a deal with the SDOs and say, When you put them electronically, we want the vendors, the people who are making the systems work, be able to hone in on the particular standard that they need, and the terminology. Maybe electronic access to terminology services to guide vendors to the right terms and codes. There are some in DOD, NCI. National Library of Medicine may have one, and, then, you might support an analysis of the differences in terminology among the name standards with a goal of harmonizing these differences.
As you move into the trial implementations, are these some of the considerations that you are pondering or do you think that they are beyond the scope of interest at this time and best left to the private sector to do?
DR. LOONSK: Well, I think you point to some very important issues, and I would also like to reference some of the work that is going on at the National Library of Medicine in regard to projects to relate terminologies and be assistance in that regard.
We do see that there are a number of needs out there that will need to be advanced. Clearly, as we get to more and more implementation of standards, there will be demands on services for terminology mappings and terminology accessibility.
It is one of the things that has been discussed around health information service providers that might help support a health exchange and support the NHIN is that that kind of technical capability may be a key service that they could help provide, particularly if they are offering out data mappings and message transformation to others in helping to bring them in.
We do have to be a little bit realistic, though, in terms of the amount that can be bitten off in the next round of the NHIN, and we think that there is an important area of focus for highly constraining, being very specific about health exchange to health exchange translations.
Here, the standards really need to be as well implemented as possible. I think that can offer lessons learned, so the kind of discussions you are having, that the health information service providers may, indeed, in the process of that, identify needs for terminology services that -- as those that you are alluding to, and that that could be a productive outcome, and then allow some flexibility in terms of some of the other interfaces as we move to the business model for supporting these services as well as adoption, because we know that we can’t rip and replace all the health information technology that is out there in the different participating organizations, and there will be needs for some flexibility in terms of -- for some time to come.
DR. FITZMAURICE: I guess what I am seeing is that at the AHIC and the NHIN conference, when the business case was presented, I think 50 percent of the revenue was projected to come from secondary uses of the data.
Not only do we want to have a good understanding of the information exchanges, but as that data get stored in a repository, it is more valuable and adds to the business case if it is more uniform.
DR. LOONSK: And I would note here that one of the areas that we look forward to potentially working with NCVHS moving forward is in the area of secondary uses of data, because we think this is a very important area where the technical expertise of NCVHS could be helpful in some next steps as well.
DR. GREEN: I am Larry Green, John. I am one of the four new members. I feel like I have been drinking from the fire hydrant since last December trying to get -- All of you, I presume, were once new members also.
Your presentation was enormously helpful to me. I want to thank you for it.
I would like to ask you to go back up to 30,000-, 40,000-foot level from all these interesting details.
I have been looking and reading and trying to understand the logic model here, and I would just like to hear it from you how you see the logic that leads to the conclusion that we need a national health information network.
The H -- I mean, I have been reading up and listening. I can understand why we need a national information network, and I can understand why we would have health applications in it, but as I listened to you talk about the network of networks and this thing that we have the article T-H-E in front of -- The National Health Information Network, I am still struggling for the logic that comes to the conclusion that we need The National Health Information Network sort of as a discrete thing. Can you help me with that?
DR. LOONSK: Certainly.
I think one of the issues with terminology is that if you do use a capital The or you use a term like network, that it necessarily becomes very concrete for people and that they -- on the one hand, it is something that they can associate with, but they can say this is an organizing principle that we can work around.
On the other hand, they very much see it as a physical entity which would sit somewhere and look like something and be owned by someone.
And I think that it is the -- sort of the challenge and the opportunity of moving forward with a nationwide initiative is that you need to rally people around some coordination.
It would be, I think, a tremendous loss if every region and state went about developing health information exchange differently, they didn’t learn from what others did, they weren’t interoperable, so that you could have your information be portable if you moved from one jurisdiction to another. The benefits of population data that come from multiple jurisdictions that would be impacted by comp