[This Transcript is Unedited]
National Institutes of Health
Natcher Center
Bethesda, Maryland
Agenda Item: Call to Order, Welcome and Introductions, Review of Agenda
DR. COHN: I want to call this meeting to order. This is the first day of two days of meetings of the National Committee on Vital and Health Statistics. The National Committee is a statutory public advisory committee to the U.S. Department of Health and Human Services on national health information policy. I am Simon Cohn. I am Associate Executive Director for Health Information Policy for Kaiser Permanente and Chair of the committee.
I want to welcome committee members, HHS staff and others here in person for our second meeting of 2007. I also welcome those listening in on the Internet.
I do want to remind everyone, because we are using a different microphone system this time, you need to bend over and get close to the microphone. Otherwise, people are not going to be able to hear you.
I want to thank the National Institutes of Health for hosting us at the Natcher Center for this meeting. It is a very nice room and very nice table for us to have discussions at for today, tomorrow, and for the other subcommittee meeting on Friday morning.
Let's have introductions around the table and then around the room. For those on the National Committee, I would ask if there are any conflicts of interest to any issues coming before us today, would you so publicly indicate during your introduction. I want to begin by observing that I have no conflict of interest.
MS. JACKSON: National Center for Health Statistics, Debbie Jackson, committee staff.
DR. FRANCIS: Leslie Francis. I am professor of philosophy and law at the University of Utah. I am a member of the committee and I have no conflicts.
DR. STEINWACHS: Don Steinwachs, Johns Hopkins University, member of the committee, no conflicts.
DR. GREEN: Barry Green, University of Colorado, no conflicts.
DR. OVERHAGE: Mark Overhage, Regenstrief Institute and Indiana University, a member of the committee, and I have no conflicts.
DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, liaison to the full committee.
MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina, member of the committee and no conflicts.
DR. WARREN: Judy Warren, University of Kansas School of Nursing, member of the committee, no conflicts.
MR. HOUSTON:John Houston, University of Pittsburgh Medical Center. I am a member of the committee and I have no conflicts.
MR. LAND: Daryl Land, Executive Director of NASIS, member of the committee, no conflicts.
MR. SCANLON: Bill Scanlon from Health Policy R&D, member of the committee, no conflicts.
DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the committee, no conflicts.
MS. TRUDEL: Karen Trudel, Centers for Medicare and Medicaid Services, liaison to the committee.
DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the committee, no conflicts.
MS. MC ANDREW: Susan McAndrew, Office for Civil Rights, privacy liaison to the committee.
MS. BEALE: Alison Beale, American Health Information Management Association.
MS. BITFORD: Carol Bitford, American Nurses Association.
DR. FRIEDMAN: Hayley Friedman, American Academy of Pediatrics.
MS. RIAZ: I am Fatima Riaz from Booz Allen Hamilton. We are supporting the AHED Quality Work Group.
DR. CONNELL: Mike Connell, American Dental Association.
MS. KANAAN: Susan Kanaan, writer for the committee.
MS. FRIEDMAN: Maria Friedman, RxHub.
DR. COHN: Welcome, everyone. Before we move into the agenda review, let me make a couple of opening comments. First of all, I want to congratulate Don Steinwachs on his new role as interim provost and academic vice president of Johns Hopkins University. We are very pleased to have you join us in your new role. So congratulations.
DR. STEINWACHS: Thank you very much. I have decided the interim job is really the best job. They don't expect too much, and you might actually do some good, who knows?
DR. STEINDEL: Simon, if you are going to congratulate people, I'd like to congratulate Judy Warren, who got an endowed chair at the University of Kansas. I think she has a picture of it for anyone who wants to see it.
DR. COHN: Steven, thank you. You stole my thunder, because that was my next comment. Judy, congratulations. I just wanted to congratulate you in public. If any of the others of you get endowed chairs or become presidents of universities between now and the next meeting, we will make similar announcements.
We have a very full meeting today and tomorrow. The activities of the committee continue at a fast and I would observe, accelerating pace, reflecting the increased importance of federal attention being placed on health information technology, and of course the role it can play to improve the quality and cost of health care, as well as the health of all Americans.
Within HHS, Secretary Leavitt continues to consider promotion of interoperable HIT, one of his key issues. His leadership in this area has really been phenomenal. And of course, in all of this, we the NCVHS continue to play an important role advising the Secretary and the Department directly, as well as providing expertise and liaisons to other HHS initiatives moving the vision of the NHII forward, including our liaison activities with a number of the AHIC work groups.
I should also mention that recent work products of the NCVHS are now being increasingly actively utilized within HHS. Specifically, the excellent report on privacy and the Nationwide Health Information Network, as well as our report on functional requirements for the initial definition of a Nationwide Health Information Network are now part of the recent Office of the National Coordinator RFPs that have just come out, and I think will be due sometime in mid-July.
Also since our last meeting, we have formed a new ad hoc work group on secondary uses of health information. Specifically, we have been asked by HHS and the Office of the National Coordinator to develop an overall conceptual and policy foreign worker that addresses secondary uses of health information, including a taxonomy as well as definition of terms.
We have also been asked to develop recommendations to HHS on needs for additional policy guidance, regulation and/or public education related to expanded uses of health data in the context of this evolving and developing Nationwide Health Information Network. This of course is with an emphasis in the areas of quality measurement, reporting and quality improvement.
I will be leading that work group, but I really want to thank Harry Reynolds and Justine Carr for so graciously being willing to be co-vice chair of this effort. I will be depending on them significantly, as will the functioning of that work group. I also want to thank the members who have volunteered and been drafted at this point to be members of the work group. That includes Paul Tang, Bill Scanlon, Mark Overhage, Kevin Vigilante. I also want to thank the many of you who responded to my e-mail a couple of weeks ago asking for either fuller involvement or being in the reviewer status for the duration of this. I think most everyone has responded that they are at least willing to be a reviewer, so I want to thank all of you for this participation.
I should also mention the various liaisons that will be represented on this -- be functioning with this ad hoc work group. Kelly Cronin from ONC, Mary Beth Tarquar from AHRQ, John White from AHRQ, Mike Fitzmaurice, who I can mention his name since he is not here, from AHRQ, Steve Steindel, here today, Karen Trudel. I think we also are petitioning another CMS representative to be involved in that?
MS. TRUDEL: Actually I won't be representing this, but there will be two other CMS representatives won't will be able to a attend this meeting, but will be on board for the next session.
DR. COHN: Great. We can't do this stuff without staff, and I want to particularly thank them, Jim and Marjorie, and I want to thank Debbie Jackson for serving as the lead staff. I really appreciate your work on this, and Kathryn Jones, Maria Squire.
We also have Margaret A., who is the lead consultant on the project, and I want to thank Booz Allen Hamilton and Fatima Riaz, as well as Christine Anderson and Erin Grant. One of them will be calling in tomorrow, the other one is on vacation this week, who have been also assisting the work on all of this.
So anyway, we have got a lot going on. This is going to be in some ways like the NHIN ad work group in terms of being very fast paced. We expect to be having draft recommendations and report for everyone to review in September, so we will be spending a fair amount of time tomorrow, and I will talk about the changes to the agenda that will occur for tomorrow. We will spend a fair amount of our time on briefing and discussion, providing background in this whole area so both the background group as well as the full committee has a broader context for the conversation and understanding of what we are going to be doing.
MR. HOUSTON:You said that one of the things that is within the purview of this ad hoc work group is suggestions or recommendations for regulatory change. Can you expand on that and what the scope of that is?
DR. COHN: I think I will bypass that one for the moment. We will talk about that tomorrow. I don't believe that our initial intent is to be involved with legislation for this. The question is whether or not we need to be recommending to the Secretary further guidance or whether there needs to be something -- and the issue of further guidance on regulation versus modifications to regulation is a fine line.
So did I sidestep that one appropriately?
MR. HOUSTON:No, that was a fair answer.
DR. COHN: I think we will know more as we get into it exactly what the landscape looks like in this area. As I said, we will be talking about this more tomorrow, and the ad hoc group will be meeting at the end of the day tomorrow and into Friday morning.
I did also want to comment briefly on the May executive subcommittee meeting and some changes to meeting structure that had been recommended by the executive subcommittee.
While the main focus of the executive subcommittee was on reviewing what we did last year, plans for the remainder of this fiscal year and next, we did spend some time reviewing committee function. As mentioned, the committee is getting busier and the agendas are becoming much fuller. We will be meeting until 3 o'clock tomorrow as a full committee.
The issues we are dealing with are also becoming increasingly complex and interrelated. We have all seen the need for increased cross fertilization across subcommittees and work groups.
Good morning, Marjorie.
MS. GREENBERG: Good morning. Don't ask.
DR. COHN: Yes. An important first step which we initiated as a result of our last full committee strategic retreat has been to expand the discussion of issues that are being discussed at the subcommittee and work group level to come before the full committee early on, so we can provide input and guidance.
We have also established time limited ad hoc work groups on specific issues that typically include members with a wide variety of perspectives and skill sets. We were just talking about the second one of those that we have developed.
While we think that there is progress being made in this area, we believe that more needs to be done. As an immediate next step, I have asked chairs to be especially vigilant in identifying these areas of overlap and making sure that we are getting consultation from the appropriate subcommittees and work groups on the appropriate issues.
We are also moving subcommittee and work group reports to the beginning of the committee meetings to enable early vetting and discussion of work underway in our meetings, as opposed to something which we have historically done at the very end as everybody is getting ready to leave. So hopefully we will spend at least a couple of minutes talking about the work going on in the subcommittees and work groups.
Additionally I will also be having conversations with a number of you about your participation on subcommittees and work groups, not so much with the idea of insuring greater participation, but more just exploring the idea of getting some people, what I would describe as a little bit out of their comfort zone in terms of their committee participation and involvement. I think many of us have observed that all the standards people are in standards, all the populations people are in populations, and it goes on and on, and we need to think about maybe mixing this up a little bit.
I think Don is going back to being provost again. It may be easier.
Finally, to assure that we have time for important discussions as a full committee, we have also decided at least on a trial basis to reduce the number of routine reports from the Department that normally occur on the first morning. Instead, we are going to be replacing them with written briefings, and we will from time to time engage the various departments and agencies with more substantive conversations. We will have a little more time to talk about the issues coming before the various groups.
These changes are reflected in the agenda that we will look at today. Let me just briefly go over the agenda and talk about the lay of the land today and what happens for the rest after the adjournment.
As soon as I am done, I am asking Justine Carr to lead off with a discussion of subcommittee and work group activities. I have asked Don Steinwachs to give a brief review after that. Depending on how our time goes, my intent was to have Harry Reynolds talk about standards and security, and then Mark Rothstein. We will need to play with timing a little bit. We may ask you to lead off that conversation before your letters as the day goes on, and provide the discussion at that point, but we will play that by ear.
Following this is a presentation by Karen Trudel of CMS and Harry Reynolds, one of our co-chairs for standards and security, providing an overview of the first orientation of the 5010 transaction which you see up on your screen. These are updates to the currently approved HIPAA transaction standards, and hearings are going to be held by the standards subcommittee during the summer on this, with recommendations coming back probably later this year or as appropriate.
Then after you morning break, we take up two letters being brought forward by Privacy and Confidentiality for our consideration. After lunch we have two letters from Standards and Security. Finally, we have a letter being brought up by the Populations Subcommittee on data linkages.
We will be adjourning as a full committee about 3:15, and have various subcommittee and work group meetings happening this afternoon both in this room and Room D, also followed by Quality later on.
Now, committee and staff dinner tonight is at Jaleo's at 6:30, so it is a little earlier than our usual dinner. This is the Bethesda Jaleo's, not the downtown one. I thought maybe we would take the opportunity at this point to get a show of hands. We will let people think about dinner. We will grab everybody right before lunch and see who is going to be coming for dinner.
With that, let's begin our subcommittee work group update and discussion. Justine, would you like to lead off?
Agenda Item: Subcommittee and Work Group Activity Scan
DR. CARR: Thanks, Simon. We held a hearing yesterday. This came about from a conference call that many of you participated in in February and also followed up on in a conversation we had with Carolyn Clancy.
There is a lot going on in quality, and we don't want to duplicate what is going on. The role of the hearing yesterday was to identify how is quality being served by the information resources available today. So we had an array of superb speakers, absolutely superb, talking about the transition from paper to hybrid and to some electronic elements.
I just had a couple of bullet points that we learned from this hearing yesterday that will inform what we do going forward. Clinical outcomes are getting better. Transparency is increasing. The public is becoming engaged. Metrics are becoming refined by blending administrative data with clinical elements. We heard some very elegant science related to that yesterday. Physicians and other clinicians as well as senior leadership are getting involved, collaboration is increasing. Public reporting in and of itself is improving participation as well as outcomes.
Then we also heard about the administrative burden, which is large and growing, as we are navigating both electronic and chart abstraction. The financial commitment is large and growing, both for FTEs to do the abstraction as well as for taking the step into the world of the electronic health record.
This afternoon, the Quality Work Group will review what we heard yesterday, and think about the themes that we want to emphasize. We are also going to take a look back at some of the reports that have been done, going back to May of '04, where we had some 20 candidate recommendations, and take a look at where we are with those and rank some of the work that we have done over the last couple of years to inform what we do going forward.
Questions?
DR. COHN: Thank you for the early view of activity. Very good hearing yesterday. Don?
DR. STEINWACHS: Let me just bring you up to date on where we are. Simon did let me go to Alaska for two weeks to study the populations, but it turned out these weren't very human populations. There seems to be a lack of humans in much of Alaska, but I wanted to add that report to my further inquiries into health in America.
We have two major areas that we are pursuing. One is on data linkages, looking for how to enhance the opportunity to link data sets that can tell us more about the health and well-being of populations. Some of these linkages as you well know link surveys to administrative data such as Medicare or Medicaid data sets, to things like the health interview survey or other surveys, so they provide a level of detail and a level of potential.
Out of the hearings that we had, we have a letter that we are bringing forward today to try and improve some of the access to linked data sets. The other issue that we are hoping to address in the near future, be talking about in our committee meeting today, is ways to facilitate how quickly you can put linked data sets together or get access to them within government agencies, as well as the outside. Much of the letter discusses more outside arrangements.
Linkage also raises privacy concerns. One of the things that I am hoping we will discuss today is whether or not we ought to be talking more in the Privacy Committee, Confidentiality, about having something that may be a joint effort to try and look at some of the regulations, laws, other things that make it more difficult to put data sets together. Immediately when you create linked data sets, almost always you have a privacy problem, because now you know much more detail about someone, either geographic or otherwise.
The second area is on surge capacity. We had a one-day set of hearings. I am going to ask Bill if he can say a couple of things about next steps, because we have a working group on the next steps.
MR. SCANLON: It was a very good hearing back in January. I think it illustrated the fact that this surge capacity issue is rather broad. You can think about it starting with the issue of hospital capacity and hospitals' ability to deal with a surge in cases of various types, but it goes beyond that. It goes into the emergency medical systems and response of systems within communities to the work force, to the availability of supplies that you can bring into communities, et cetera. Then there are multiple types of problems in the sense of how do you do with a Katrina type case, where the capacity that you might have been relying upon is now gone completely, versus another type of situation where you have got a catastrophe and you can take advantage of the capacity that you have been building over the years.
While that was all interesting, the issue that we face is that we are a data committee, we are not a catastrophe policy committee. So therefore, we did hear some testimony about the data collection related to surge capacity. That is the area that we are pursuing now. What we are doing is, we are going back to some of the participants in the hearing to talk with them more about which avenues would be potentially most productive for us to pursue, and we will put together another hearing for the late fall or early next year on the basis of the advice that we get from these individual participants.
DR. STEINWACHS: Two other things quickly. One is that Bill has been serving as our link to the Board of Scientific Counselors for the National Center for Health Statistics. There are discussions there trying to build stronger collaborative activities. Data linkages is one of those areas.
There are other issues too that come up for discussion. Funding has been one of the concerns that the National Center for Health Statistics has and was talked about at the executive subcommittee meeting. So some of these areas are shared.
We did seek at the last meeting of the Board of Scientific Counselors their input on the draft letter that we are bringing forward today, the idea that those areas that are mutual concern, we ought to be getting the input and participation to the extent that members of the Board of Scientific Counselors have an interest and have time to do so.
So I think that is making some progress. Again, it is a series of many steps as we march along, because they are very busy with their own agenda, but yet looking for ways to draw that together.
The last is that we still have on our plate for discussion, and I am hoping today we will have a chance to talk about next steps, is the idea that the committee would move ahead to look at in my view the updating of the report that we did over five years ago on health statistics for the 21st century.
Part of that updating it seems to me in looking at it again brings in electronic health records, brings in other issues that were not as central, and maybe some things that were not as concrete. So that is a great conceptual foreign worker and part of what would help the subcommittee and I would hope the whole committee to take some steps to make some of those things more concrete, and to keep the life and vitality in this. I think unless we keep coming back to it at periodic points, it will disappear into the shelves. It seems to me it is a very useful foreign worker as we move ahead.
So that is what is on the agenda right now.
DR. COHN: Questions, comments for Don? Harry, I think I had you on next.
MR. REYNOLDS: As you can see, we brought two letters forward today. We will be talking about the 5010 in a little bit to give you a sense of the next set of standards that are going to be coming out and what impact that is.
After that, there may be some other standards that could be appearing soon. One will be claims attachments, which we have discussed in here briefly before. ICD-10 obviously is still in everybody's horizon. That would be one -- we are talking about primers today, that would be one that we would probably have a couple of primers to get everybody completely aware of what that was as a full committee before we would take action on that.
We need to continue to monitor the NPI implementation. As you know, that has been moved to May of '08 for implementation. We do have a responsibility as we have all along, every time we have a hearing, to continue to at least keep an eye on that and the status, and make any further recommendations on how things are going.
Then we are going to talk this afternoon in our breakout group about how we want to continue to stay involved in any recommendations on how to continue to make the progress better. You will see our streamlining letter today, but also as we have seen with HIPAA, we wrote a lessons learned from HIPAA, and now we are seeing some of those lessons that got learned in NPI, some that maybe we haven't all learned completely well yet. So we need to continue to stay diligent as a group in trying to help the industry get better, because we are going to have these rolling out continually. It is something we need to continually take a look at and see what benefit we can offer to that process.
So that would be where we are headed as it is right now. I'll take any questions. Thank you.
DR. COHN: Mark.
MR. ROTHSTEIN: Good morning. Later this morning we are going to consider two letters from the Privacy and Confidentiality Subcommittee, the first dealing with the relationship between FERPA and the HIPAA privacy rule, and the second dealing with the currently non-covered entities. I will defer until then a discussion of that.
I just want to bring you up to date on what our current activity is and our plans for bringing that activity to completion and back to the full committee.
There is a provision in our June 2006 letter on privacy in the NHIN, in which we say HHS should assess the desirability and feasibility of allowing individuals to control access to the specific content of their health records by the NHIN, and if so, by what appropriate means. We also say that if individuals are given the right to control access to the specific content of their health records by the NHIN, the rights should be limited, such as by being based on the age of the information, the nature of the condition or treatment, or the type of provider.
That is an important statement, but it is pretty general. What we have attempted to do over the last couple of months is to add some level of detail to that recommendation for the benefit of the Secretary and others working on this NHIN initiative.
We held a hearing in April, in which we sought the input from many of the people who would be affected by any recommendation we would develop, such as physicians from specialty practice areas, the American College of Obstetricians and Gynecologists, the American Psychiatric Association, and an addiction center. We also heard from more primary care docs, from the American College of Emergency Physicians, the American Academy of Family Physicians, and the American College of Physicians, and others as well.
We held a meeting yesterday, a substantially all-day meeting, of the subcommittee in which we by the end of the day reached agreement in principle on directions to go in this. If you think about this, this is really the fundamental privacy in the NHIN, what degree of control of the information, even within clinical settings, should the patient have. It is a very difficult question, because you are balancing quality of care with privacy and public health and all sorts of things.
At any rate, our plan is the following. We are going to have a draft letter circulated to the subcommittee members in mid-July. We are going to schedule a series of conference calls of the subcommittee members. The goal is to have a letter to the full committee for our September meeting.
Because of the importance of this, I would like to follow a practice that we started with our NHIN letter a year ago, that is, make the conference calls available to all the committee members, not just the subcommittee members, and distribute drafts of our letter to you and invite you to participate. Obviously you are not required, but you may have some input that would be very valuable to the subcommittee. So that is our plan over the next few months.
DR. STEINWACHS: Mark, has there been any communication between your subcommittee and what is going on in HITSP, in the security and privacy technical committee? They are really exploring in depth the questions concerning how to encapsulate the privacy issues with the present security IT infrastructure. They have produced a list of standards that might be considered, and that was put out for comment about three weeks to a month ago. They are now working on their second set, and meeting vigorously right now in San Diego.
MR. ROTHSTEIN: I have had no dealings with them. I certainly think it would be appropriate at some point. I'm not sure the degree to which their new standards are attempting to incorporate these kinds of global privacy issues. Are they?
DR. STEINWACHS: I think that is why I brought it up. Initially, the first meetings of the technical committee involved the discussions of whether to confine it just to the HIPAA area. There was very vigorous discussion and a general consensus that it needs to be expanded beyond that. They are considering the NCVHS privacy letter as a guiding force.
MR. ROTHSTEIN: But the letter, as wonderful as it is, does not provide sufficient detail for someone to develop standards.
DR. STEINWACHS: That is what they are providing. They are using it as a guiding principle type document and asking the questions of what type of standards exist that can implement some of these features; do they exist, do they not exist, what is needed, how far should the standards go in today's world to allow the free convey of information that is needed for certain aspects of the NHIN, and how much of it should be restricted. One of their main discussion points is the level of control and how do we have control mechanisms attached to the data.
MR. HOUSTON:I'm interested, is HITSP's focus primarily, on the privacy implications on the security standards? Or how far are they -- I don't know how to say this. What is the balance between privacy and security on this particular activity?
MR. ROTHSTEIN: is part of their discussion. Obviously what they are charged to do, because they are HITSP, is to make recommendations to the Secretary with regard to what standards should exist in this area. But I think we are all very well aware that -- and as pointed out in our privacy letter, the articulation of standards to use cannot happen within a vacuum. There has to be policy behind it.
So they are drifting into areas where they discuss where the policy is weak. I think just this week, I believe, if not the latter part of last week, Dr. Kolodner announced that there will be something coming out of the Office of the National Coordinator with regard to health care privacy within the next few months.
MR. HOUSTON:My concern is, it is a lot easier to develop security standards because they can be more concretely drafted. I understand why they want to encompass privacy. So I am just trying to figure out where things start and stop.
But also, to your point about what Kolodner is advocating doing, it really does demonstration there is an amount of disjoint here in terms of who is doing what and how everything works together, and the timing. I think these are just examples of that. We have talked before, but I think it is meaningful to try to get everybody on the same page and decide what everybody's roles are and what everybody is going to be working on, so we don't all end up either doing things that are out of sequence or become moot because of the timing of whatever someone else has done.
DR. STEINWACHS: John, I think that was really the essence of my main point. I just wanted to make the privacy subcommittee aware of these discussions, and perhaps they might want to consider reaching out and finding out exactly what is going on with them.
MR. ROTHSTEIN: I think that is a very good suggestion. I would have an even broader suggestion. I think it would be very helpful if we could have a meeting, and around the same table have the OMC people, the HITSP people, the NCHS people and so forth, and everyone say what it is they are working on and what their plans are. We are on the same team here, and we should coordinate that.
But I don't think it is our role to make that happen, because we are all advising the Secretary. I think it probably ought to be ONC that coordinates that. I can't tell them what to do. Maybe Simon, in your mysterious ways, you could make this happen.
But I think we would all be well served by having a discussion of where everybody is, so we are not stepping on each other's toes or leaving gaps in this area.
DR. COHN: Well, let me say that I am worried less about stepping on toes than I am about leaving gaps. I think that is the bigger danger. This is an area I would rather see more than too little. I do think it is one of our roles as advisors to help bring people to the table.
I think we will be seeing some of these groups potentially testifying as we talk about secondary uses. Maybe there is a way to find out a little more about what else they are doing in this area. If you think about it, some of the secondary use conversations do begin to insinuate into the privacy conversations, so we can certainly begin to get into some of that.
Now, as Chair I am happy to continue to engage in conversations with the various groups that you are describing about how everything works. But there is also a role for the Privacy and Confidentiality Subcommittee to invite in open session the various groups that we were just talking about, so that everybody can hear what everybody is doing, and if there are data gaps or any issues that we are hearing. So I would certainly invite Privacy and Confidentiality to consider this at a time of their choosing as a topic for our next hearing.
MR. HOUSTON:You also need to involve the Standards and Security people. I think it is right up their alley as well, at least as it relates to what HITSP is doing.
DR. COHN: That's true.
MS. GREENBERG: I'm just trying to sort out all the groups and which ones we are represented on and which ones we aren't. Obviously we have our own subcommittee, and then AHIC has a privacy -- is anyone around the table participating? You are participating in that. I would think they would be pretty closely aligned with the HITSP, but that hasn't come up there?
MR. HOUSTON:I don't want to say they are aligned. I don't see that, let's put it that way. I believe there has been some discussion about it, but I don't think anybody is doing things with the level of coordination we are expressing.
MS. GREENBERG: It is my understanding that the HITSP is driven by these use cases which are given to it by AHIC. They had decided they would form a work group to look at the privacy implications of all these different use cases, and I guess the security implications. That has evolved now into an actual technical committee, am I correct about that, Steve?
DR. STEINWACHS: To a certain extent, yes. I think the technical committee --
MS. GREENBERG: Hetty Kahn on my staff has been participating in that and following that. So we have got the AHIC group, we have got the NCVHS group, we have got the HITSP group. Was there a fourth one?
MR. HOUSTON: I think it's ONC.
MS. GREENBERG: Well, ONC, they are also obviously playing in this area. Karen Bell is going to be here from ONC tomorrow morning, so maybe we can continue to pursue that with her.
DR. COHN: That is true, though it is not her area.
MS. GREENBERG: But she is like the deputy, isn't she?
DR. STEINWACHS: Marjorie, I think we have already left off one other person who is very involved in this. She is sitting right next to Simon, the Office for Civil Rights.
MS. GREENBERG: That is true, it goes without saying. But they are not like a committee. They are a real place. That is why I didn't include departmental organizations.
DR. COHN: Maybe these departmental updates, taking them off are not such a good idea here.
MS. GREENBERG: I'm sorry that I was caught up in some kind of traffic situation here on campus and I was a little late, but did we go over the changes tomorrow morning?
DR. COHN: No, I figured I would do it at the end of the day today, based on progress made by the committee on all the other issues.
MS. GREENBERG: As to exactly when we start tomorrow morning, it is a little open. But I did think we should explain the change in agenda tomorrow, particularly even people listening on the Internet and the audience or whatever, so they know how we are going to schedule things tomorrow.
DR. COHN: Let's finish off the previous conversation and then we can move to that. I don't think we are settled on the privacy issue, but I would think this needs to be a discussion that we have in terms of -- that may impact when Privacy and Confidentiality has the next hearing. It is also an issue of, John Houston brought up very appropriately that Standards and Security we know is having a hearing later on this summer, and whether or not this all fits into that as a panel or a conversation on the security issue.
I think we do once again observe that there are at times close relationships between privacy and security, and sometime the boundaries are not always clear. So we have chosen at this point to keep security and standards and privacy and confidentiality on the other side. But it just speaks once again of that issue of integration and interrelationship, which is what I talked about earlier in the day.
So we will talk about that one without coming up with an answer.
MS. GREENBERG: Just one other thing. I know sometimes we do this. I am wondering, if the Privacy and Confidentiality Subcommittee is planning to bring forward a letter the end of September on this really critical issue of patient control of their data, if it wouldn't be a good idea to just send a paragraph letter to the Secretary with a CC to ONC saying that. Some things are going to be going on this summer that could elicit a variety of reactions: we are already taking care of that, or could we meet or various things. But I just wonder if there shouldn't be some official alert that we are going to do that.
MR. HOUSTON:I think the letter was intended to be a summary letter in September with the intent to follow up with more detail. I don't mean to speak for you, Mark, but isn't the letter really intended to be the notification that we believe there is an issue, and we intend to delve into it more fully?
MR. ROTHSTEIN: No, I think it is supposed to be where we set out our framework. In subsequent hearings and letters, we are going to drill down in some of the specifics.
This is an incredibly complicated area when you get into trying to design rules. There are lots of important policy questions. But we felt that it is important to get in front of the Secretary and all the interested groups the framework in which we think this discussion should be taking place, and if people agree with it, then we can march forward on all these specific areas.
DR. GREEN: I appreciate this conversation. I would like to ask that we not leave it without a clear definition of our path forward. As I read the reports since 2002 through 2003, four, five, six about this, and as I recall our hearings yesterday, the real problem here is our stutter steps and inability to forcefully move effectively into a high performance health care system enabled by an information technology standard with the appropriate data and data standards.
This conversation suggests a great deal of activity, but it is not clear to me that we have got our act together about how we create forward motion amongst all these groups. In a devil's advocate sort of way, why doesn't the NCVHS call for a summit of these folks that are working on these different privacy issues? I think we have agreed until the privacy thing is attended to, many other things must wait. I don't have any sense from our subcommittees or the discussions I have heard here that this committee feels like things should not be pushed forward as expeditiously as possible.
DR. COHN: Larry, thank you. I am reminded of our conversation and my comments about committee members going into other areas.
Without trying to answer your question for the moment, I know Paul had his hand up, then I'll ask Mark to comment on what you were just saying.
DR. TANG: It may be a pickup of what Larry said, but it also goes back to Mark's request that there basically be an in-person kind of congregation so we can sort these issues out. It would be nice if there was coordination in work, explaining each other's role ahead of time, so that the panel of folks involved, HITSP confidentiality, our confidentiality and privacy, our standards and security, AHIC's CPS and ONC's individual effort that is Kolodner is leading. So it would be nice to have a panel of public disclosure and how we are coordinated, but I think that will take some pre-work that helps figure out how we are coordinated or how we can get coordinated.
DR. COHN: Mark, how would you like to proceed? I tend to call these things less summits and more hearings, or they could be roundtables or whatever. But what are your thoughts about how Privacy and Confidentiality should move forward?
MR. ROTHSTEIN: The end result is as Larry described. That is what I would like to see. How to make that happen, I'm not sure of the best course politically.
I would like to get some other input into that, and maybe take that up later in the day or tomorrow or something, because I don't want to undermine our efforts. The role of a federal advisory committee such as this which is open and so on, is not exactly the same as a departmental role, which is not subject to open process and the like, so I don't know. I want the end result, but I don't want to be in the position of trying to corner the Department into doing something they don't want to do. It might be easier if we invited them to do what we want them to do, unofficially. I don't know.
DR. COHN: I have a comment, but I couldn't tell whether Paul has his hand up or not.
DR. TANG: Maybe I can offer an observation in terms of what I think is going on with these various groups. AHIC's activities are focused around their breakthroughs and their use cases. Where issues come up, they try to find a way to address those issues.
So for example, the consumer empowerment work group created a recommendation that the AHIC adopted that says we should have floor privacy and security policies imposed on operators of PHRs. So they charged the consumer empowerment work group to work with the CPS group to come up with those things that would then get passed on to HITSP.
MR. ROTHSTEIN: But one point of clarification. It is specific to PHRs, though. That is a big clarification.
DR. TANG: That's correct. That is what I am trying to point out, that it is a focused activity. I think it produced a useful output that is going to go forward once it gets to full work groups and then gets passed on to HITSP. That seems like a very clear road map.
What NCVHS is focused on is the broader NHIN context in privacy and security and the role that that plays in that broader context. HITSP also has a group looking at the broader context. So it seems like NCVHS would come up with the principles for the policies, and that HITSP is a receiver that would try to implement the standards necessary to implement those policies.
So in my perhaps simplistic mind, there is a way to carve out a road map, a path and a converging path on the appropriate policies and the appropriate standards and procedures that need to be created, so the NHIN and PHRs can operate in a safe way. It would be nice if that were actually true, and that the folks involved, who probably haven't talked as much to each other and figured out that this was in fact everybody's game plan and that we were really truly working on something that was not conflicting and was converging on a path.
MR. ROTHSTEIN: Paul, what you recommend is certainly reasonable and logical, but it is not reality now. I'm not sure what reality is, that is the problem.
I serve on yet another panel that hasn't even been mentioned. AHIC has a working group on personalized health care, which is in parens genetic information. There is a sub work group of the work group on privacy and confidentiality, which I am on. When we were considering certain issues relative to this, I thought they had a somewhat narrow focus, and I wanted to expand the kinds of global policies that we would need to have with genetic information, and was told, no, somebody else is dealing with that. I don't know who somebody else is. I think that is the problem.
There may be other groups out there who have the same jurisdictional assignment. What I would like to suggest is that we come back to this issue. I want to have some private conversations with some folks during a break and come up with a plan.
DR. COHN: Mark, I don't think anybody is intending to put you on the spot of what you absolutely need to do. I think we are having a conversation, and we will finish it up here pretty rapidly, and then we will later on talk about additional next steps. Harry, Leslie, and I think Mark had a comment, and then we will wrap up this part of the conversation. This of course is exactly why we want to get issues out early.
MR. REYNOLDS: I think Larry made a great point. We talked about some of it yesterday as far as our path. One of my assignments out of the session yesterday was to get with Jeff.
I thought I understood clearly that the RFP that just came out for the health information exchanges in public health clearly stated that two of the three main requirements were to follow what NHIN did on the functional requirements, and NCVHS's letter on privacy.
So I think we are in the midst of a glide path right now. If we stay focused on NHIN and we stay focused on as Paul and Mark have said continuing to stay a little bit ahead of the overall picture, chasing the use case is a hard game for us with the way we are set up, but driving the real vision and the real thinking and standards and privacy and other things that would really move the NHIN forward, I think we have a glide path going on.
I think we felt the urgency yesterday in privacy to continue that, and to come forward with -- that is why the intensity and the speed of the letter and the intensity of the discussion yesterday ratcheted up as far as what that next level of structure would be.
So I think we are positioned well. That is why it is exciting to see it actually starting to be used as a collateral for these RFIs, which are people spending a lot of money. So I think if we continue to stay where we are and continue to make sure we don't lose sight of that glide path, I think we are going to make a big difference.
DR. FRANCIS: My own way of viewing what we were doing yesterday was, we were trying to get as clear as we possibly could on the goals of both good care and privacy, and then how we would essentially try to put those together in realizable recommendations. So I just think it is absolutely essential that the discussions get interlinked, because I think we will be at a level that is not implemental in certain respects unless they are linked, and they will be headless, or goal-less, or something like that.
DR. OVERHAGE: Maybe Harry proposed the answer, but I think this is a broader issue than just the privacy and security. I am very worried about the cacophony of voices that the Secretary is hearing.
In our role as an advisory group and all of these others, it is not clear to me where the synthesis happens. I certainly don't have the time and energy to really understand what each of the different groups is doing and where the conflicts and issues arise.
So what is already happening is, we are seeing conflicting and incoherent -- not incoherent in terms of un-understandable, but incoherent in terms of not nicely fit together. So for example, as HITSP is going down the road with security standards, they are charged with finding some standard somewhere which does something that needs to be done. So you end up with this mish-mash of things that I don't think necessarily is the best way for the country to move forward.
If we can be far enough out front -- but and I don't know how we reflect this, but what I worry about as a committee, our advice to the Secretary may not be very effective, because these are tough complicated issues. Just to read the material, synthesize it, and say here is what HITSP has got and here is what our privacy letter says, and here is what is going on elsewhere and make any sense out of it, is a month-long job. I don't know who is doing that job. I really think that we run a risk of ending up with a set of recommendations and moving forward with some of these efforts and setting ourselves up for failure.
MR. HOUSTON:After hearing Harry and everybody else and remembering what Marjorie said about trying to get some statement out there, maybe one of the things we can of value is -- and to Harry's point about staying out in front of this trajectory, but if we put out a statement of where we intend to go and a schedule in which we try to accomplish that in, maybe that will be helpful to allow other groups and the Secretary and Kolodner to understand exactly what we are planning on doing with enough detail and concreteness that they either come back and say, we need this sooner or yes, this makes sense, or maybe it causes them to back off some of the plans that maybe they would otherwise have because they know we are working on it.
Is that something we could reasonably do?
DR. COHN: I think we have heard a variety of comments. I want to thank you for getting the conversation going. I thought this might be dull for awhile there.
The committee performs a number of functions. It doesn't do the same thing for every topic area, and it doesn't necessarily always do the same thing consistently. But we are an advisory committee. One of the things that we do very well is bring the many players to the table to talk about common names, which of course for all of us is a healthy America, improved health care system and all of that.
This is an area where you are talking about various aspects of privacy, but I come away continuing to be convinced that Privacy and Confidentiality is doing the right thing. We are taking a leadership role, looking at the forests rather than the trees, looking out to the larger dimensions, looking at an integrated health care system as opposed to specific use cases. I think we have been doing a very good job on that.
Now, having said that, I do think it is very timely to ask key other participants in this area to come for a roundtable, hearing, whatever you want to call it, to sit down and find out what everybody is doing. The fact that some of our conversation is, we don't know what is happening with X, Y and Z, I think it makes sense for everybody to be hearing everybody.
Traditionally, the good things about our hearings is that everybody else gets to hear what everybody else is doing. That helps with alignment and coordination. We can from that identify if there are issues, we can advise the Secretary on that. That might be a very helpful piece in privacy and confidentiality. I think what we are hearing is that it is the right time to begin to put together a hearing on that.
Mark, I'm sure you probably don't disagree with that as a reasonable piece. That is not the same as trying to solve all the problems of the moment, and we should talk about when there is a good time for that. Those are certainly conversations we can have with the various players, including HITSP, ONC, various others, knowing that around the table there is a fair amount of representation in all of that.
But I think that is a reasonable next step, and then we can figure out where we go from there. Does that make sense to everybody? And we always need to remember that that is what we agreed to.
Now, Harry, we are unfortunately running a little late. What I am going to suggest is, Marjorie had asked -- and this is something I was holding off until the end of the day to surprise everybody with how different tomorrow is really going to look. But Marjorie I think is right that we need to at least run by a little bit of what the agenda is going to be like tomorrow. I am going to suggest we take a couple of minutes to do that. Knowing that we are running a little late, why don't we take a break then and then we can take up 5010 right after the break.
MR. REYNOLDS: We will remember over the break what we were supposed to say.
DR. COHN: Okay. Let me try to explain to you how tomorrow is going to be different than what you thought. One of the questions that we will not answer until the end of the day is whether or not we are starting at 8:30 or not. The difference has to do with exactly how many outstanding action items we have, which is why I was not going to get into it quite at that point.
What we are going to do is, we are going to start out either at 8:30 or 9:00 with the action items that are unresolved from today. Some of the letters we will probably need to come back, others we will look at, and they will be good enough for us to pass either as is or with minor wordsmithing, or referring to the executive committee for additional wordsmithing, as we choose.
Anyway, after that we will continue to have Jim Scanlon talking a little bit about the Data Council and a little bit of Department update. We are having Karen Bell coming from the Office of the National Coordinator to give us an update. We probably should listen very carefully and ask her about what is going on with privacy based ont this conversation.
From about 10:30 to 12:00, and this is what is different on this agenda, we are going to be having a series of briefings. This will be led off by Fatima Riaz and Kristin Martin Anderson. This is about secondary uses of data, and briefing context setting, talking a little bit about the quality work group from AHIC and their vision and work, then moving to the discussion led by John Lunsk that has to do with the NHIN core services, and then finishing up the conversation about the quality use case and how it applies in all of this context around secondary uses, presentations, conversations as background and context for all of these secondary uses work that we are going to be doing this summer.
Probably around noon we will take lunch, once again different than on this agenda. After lunch we are having Betsy Humphreys talking about the international terminology standards development organization formation and activities. I do need to disclose that I am a U.S. alternate on the governing board. No pay, but I just wanted to disclose that I am part of this new activity.
Then we will follow with Marjorie Greenberg and Steve Steindel following the conversation that we started two meetings ago around international activities around coding and classification and standards, their perspectives and next steps.
At 2 o'clock we then connect with John White from AHRQ, who is going to be talking a little bit about the data stewardship RFP that has been produced by AHRQ. Once again, it is one of those issues that we will need to be talking about as we talk about secondary uses.
With whatever time we have left at the end of that day, we will probably talk a little bit more about secondary uses, finish up the agenda. Everyone needs to remember, at 3:30 we convene the ad hoc work group which will continue to the end of Thursday and then from 9:00 to 12:00 on Friday.
So we will be able to tell everyone a little better about when the meeting starts, but these are the broad outlines of how tomorrow is going to look. So look at the 21st, realize that it doesn't look anything like you would have expected it to be, but I think it should be a lot more interesting and a lot more fun. So that is the good news. I am an emergency room doctor. I am used to controlled chaos, I guess is the best way to describe this one.
With that, why don't we give everybody about a 15-minute break. Then we will come back for 5010. Think about whether you want to join us for dinner, and maybe we will take a hand count right after you come back from the break.
(Brief recess.)
DR. COHN: Like I said, we are running a little bit late, but not terribly so. Our next item is Harry Reynolds and Karen Trudel talking about 5010.
MR. REYNOLDS: Karen is going to kick it off.
MS. TRUDEL: I am going to start by providing just a little bit of background. We will start with, what is 5010.
5010 is a new version of the suite of administrative transactions that affect the non-retail pharmacy sector. So we are talking about transactions that affect physicians, hospitals and other institutions and health plans that they communicate with, as well as the vendors and clearinghouses that serve that sector of the NHIN.
The 5010 transactions, which is the way of naming a version, were developed by the standards developing organization X12N. This is the first time that these transactions have been updated for HIPAA purposes at least, or that we have even anticipated updating them. So the version in play right now is the original set of transactions that were adopted by HIPAA 4010 and the 4010-A modification to them. These have been in place since about May of 2000, so you can see it is about time for an update. There are a lot of new business functions in these transactions.
What we will be doing, the end result of this process, is a modification to the HIPAA standards. This would be done by notice and comment rulemaking. Then these standards would replace the 4010 standards and all HIPAA covered entities would be required to adopt them.
The reason that this process is in place for NCVHS to review these potential standards is that while the standards developing organization meetings are open to the public, there is concern that participation generally consists of a limited group of very technically savvy industry representatives. So the point to this process is to broaden the potential for input to get a sense of what the impact, any concerns that the general public have about these transactions, are these good to go, are they not, and NCVHS is the venue for receiving and distilling that input, with the final result being recommendations to the Secretary.
MR. REYNOLDS: We just put together a few slides. This is the first of the committee efforts that you will all be going through as different committees, trying to get the full committee to at least understand the subject before we come roaring in with a letter and say, read sentence three and you get it. So this is written at that level. We want to make it perfectly clear this is a primer. We are going to have industry experts come in and talk to us and tell us the impacts and so on. So we are not here testifying what 5010 is going to do to the world. However, on the other hand we do want to give you a general picture of the overall impact that it is going to be.
As you have heard us talk a number of times, it is a prerequisite for ICD-10. The current versions of the transactions will not in fact handle ICD-10.
These are the nine transactions. We won't go through the buzz words, but basically what we are saying to you is that it affects enrollments in health plans, premium payments, eligibility and inquiry responses, authorizations, the actual claim itself, claim inquiry and the payment remittance. So all the transactions listed here. We won't geek you with the numbers, but it pretty much affects everything we did in HIPAA, and is pretty much end to end on the information that flows back and forth between the entities related to HIPAA.
You have heard a number of times in here, we have implementation guides. There are industry implementation guides that explain the regulations and the transactions and what do the fields mean and so on. Each one ranges between two and 600 pages. Most pages contain changes of 5010, so let's do a little quick math.
Every entity has to look at between 1800 and 5400 pages that may have a change on it, and then decide what it actually means to them as an entity. We will talk a little bit about that. You see the changes; some of them are logic, some are just wording, so you are not saying the world is changing dramatically on every page, and you are not saying that the world isn't changing dramatically on every page, or you are changing what you are doing as a business or anything else. You are just making it clear that there are changes in pretty much every page of these things, in one way or the other, so the industry has got to go take a look and make sure that it sees what is going on.
The other thing is, what we will hear in our hearings, and we had tried to get that earlier, but we are not going to be able to get it to our hearings, is what is the real business impact to this. I think what has gone on in the standards organizations right now is, these are the changes to the data, to the formats, to the other things, but we need to hear, and it is part of our responsibility to hear what it does to the overall industry and what those impacts might be, and that may or may not affect what recommendations we would or wouldn't have to the Secretary as we go forward.
Each entity in the health care industry, whether it be a clearinghouse or a payor or a provider or anybody else that is involved, CMS, the Medicaids and so on, after they review the implementation guides and decide their impact, change their systems and processes again, and then test those systems and processes internally, and then do it with all the trading partners that they are involved with. So if a clearinghouse is doing it for a lot of providers, once they get ready, they would work with the payors that would receive that. It is the same kind of testing that originally went on, not nearly to that extent because you are changing, not building. So everybody has built their testing in thinking about HIPAA, so now you are just changing all that, you are not rebuilding it. So as some people said, it is not HIPAA 2. It might be HIPAA on steroids, but it is not HIPAA 2, it is not a re-do of HIPAA.
Then you have got to work with your business partners to implement, then you are going to have the same kind of thing, when is it effective and how do we track it as to how it is being affected. You heard us all talk from Standards and Security on NPI, what is the due date, how is everybody doing, is everybody coming together at the right point, and are we going to make it, and what kind of contingency plans are in place and what kind of dual processing, and all the other things that normally go on.
So we are going to begin hearings on the 5010. Our first one is July 30 and 31, where we are going to have the industry come in. WITI will also be coming in, and hopefully giving us a survey that they have done of the industry on what some of the impacts would be to the business. We will be hearing from all the same constituents that we pretty much heard from, or a good many of those that related to HIPAA initially. We have got to hear from everybody as to what they think and see.
We are looking, since it is a prerequisite to ICD-10, since there is a flow that is going to be coming along, trying to put together something for the full committee in the September time frame, stating what it looks like and mean, so that can be input to the Secretary and CMS and others as they look at putting out a proposed rule and other things accordingly.
Yes, Justine.
DR. CARR: Will this work with ICD-11 also?
MR. REYNOLDS: I'm not good enough at 10 to go one past there. Marjorie has got her hand in, so we will let Marjorie jump in. Remember, this is a primer. You are getting serious on us here.
MS. GREENBERG: We can talk about this a little bit more tomorrow, but the idea is that ICD-11 would be the same alphanumeric structure as ICD-10. So as I have said many times, ICD-10 is a pathway to ICD-11, but ICD-9 is not.
DR. COHN: Harry, I guess this is an industry question, and perhaps you have a better sense. Do you anticipate that this summer people will understand the impacts of 5010, in terms of the business aspects? How do you anticipate eliciting that sort of thoughtful input?
MR. REYNOLDS: I'll speak as a member of the industry for a moment. Everybody knows it is coming. People have begun working on it. The quality of the testimony will tell us where it is. But I think the key point is, the thing that we would want to recommend to the Secretary as this committee is, get into some idea of sizing it, get into the idea of -- what we have asked WITI to do is take what are the cosmetic changes, what are the changes that actually correct the things that were not where they should have been on 4010, and then what are the real business changes.
You are going to have those three categories, so when we get to the third category, I think that is where it is going to be, does the 5010 really change the business processes amongst players. It may change somebody internally, but does it also change what is going on amongst players, which will be where -- if I would say that it would be a lesser quality of input, it might be at that level, because people have looked at it themselves in a lot of cases, but I'm not sure a lot of businesses have looked at it amongst themselves, who they do business with.
Again, this is a primer. We are going to have the right people come and talk. WITI has agreed to take that responsibility and is working on breaking that down that way with their industry input. But we wanted to make sure the committee at least understood the premise of what was going on. We are going to have the right people at the table now. We will find out then, and that will help everybody that is looking at putting the NPRM out. That will help us to decide whether or not, if we have something for September, we may need to have something else for the full committee for the next meeting after that to add further, based on the fact that the industry all of a sudden realizes that there are other changes or implications in whether or not we want to have those.
If we really hit a train wreck on what we hear, then maybe we don't have something for September. We are trying to set a path, not necessarily a mandate that we have to do it. So unless we get a major surprise, I think we could have something for September, but the testimony will tell us a whole lot as to how we position what we say or don't say.
Are there any other questions from the committee? The other thing that I think would be good is, since we are the first, any input to Simon or anybody else as to whether this is the level that you are looking for in these primers, because we are the first one out of the chute. You are going to hear it on a number of other things. We are going to be doing some similar things on the secondary uses possibly and some other things, you are going to hear a lot more tomorrow from other people on that, but trying to put this together and figure out how to say it is the question.
DR. GREEN: I think someone who can put into three PowerPoint slides with that size font something that is subject to 5400 pages should be commended.
MR. REYNOLDS: Thanks goes to Karen also.
MS. GREENBERG: I might mention, one of the things in addition to ICD-10 that is accommodated by the 5010 was prominently mentioned by every speaker yesterday, and that is the present on admission qualifier. That just came out in every presentation as being very critical.
DR. TANG: Just a minor comment. To answer your question, I think the primer is very, very helpful. I think that is a good way for us to continue to keep the committee informed and elevate the level of understanding as we go along.
The other thing is, I don't see how anybody can take summer vacation or how we can accomplish all we have scheduled for September based on what I have heard this morning.
MS. GREENBERG: I heard on the ride here that nobody is taking a summer vacation. So we are in good company.
MR. REYNOLDS: Simon, that completes our presentation.
DR. COHN: Thank you very much. Our next set of actions, Mark, have to do with letters coming forward from Privacy and Confidentiality.
Agenda Item: Subcommittee on Privacy and Confidentiality Action – Action June 21
MR. ROTHSTEIN: Thank you. Each of you should have at your place a copy of the revised letters that Maya circulated this morning during the break. They are slightly updated versions of what appears in Tab 3 and Tab 4, so you can follow along.
The first letter I want to take up is the FERPA letter. Of the two letters, you can identify it by the fact that there is no big block quote on the first paragraph, that says R-12. Same date and same introduction. There is a block quote with the R-12 recommendation, but that is the second letter.
I assume, Simon, that we want to go paragraph by paragraph, so let me go over the first two paragraphs for the benefit of those on the Internet.
Dear Secretary Leavitt. On June 17, 2004 the National Committee on Vital and Health Statistics, NCVHS, sent a letter to your predecessor, Secretary Tommy G. Thompson, making recommendations on the disclosure of health records by health care providers to schools for both treatment and public health purposes.
The NCVHS revisited the issue of sharing health information with schools, and also heard testimony on the disclosure of health care information by schools during a series of hearings in September 2006 and January 2007, as part of our effort to monitor health privacy protections by entities currently not covered by the Health Insurance Portability and Accountability Act of 1996, HIPAA.
Most schools fall into this category, because the education records of schools that receive funds from the U.S. Department of Education are subject to the Family Educational Rights in Privacy Act, FERPA, and are specifically excluded from coverage under the HIPAA privacy rule. Even the medical records that schools create, for example, through the school nurse or athletic programs, are considered education records subject to FERPA, and explicitly excluded. This letter is intended to bring to your attention a broader set of concerns about the protection of health information in the school setting.
Any comments or suggestions on those two paragraphs? Hearing none, paragraph three.
At the time of the 2004 hearings, we were concerned with the ability of schools to obtain information about students' prior immunizations, both to facilitate registration for school and to avoid duplicate immunizations. Providers may not disclose immunization information to schools for a purpose other than treatment without a HIPAA compliant authorization, because schools are generally not considered public health authorities and therefore do not fall into the HIPAA exception for public health disclosures.
We recommended that HHS deem such disclosures to be public health disclosures under HIPAA. We also reported that there was confusion about the need for authorizations for the purpose of treatment, because HIPAA does not require authorization to share records for the purpose of treatment, but FERPA does. HIPAA compliant authorizations, which are required to share records other than for treatment, were difficult to obtain to confirm that a student had already been immunized. Even where there were HIPAA compliant authorizations, some health care providers refused to disclose records to schools in response to valid authorizations, delaying registration in school or causing students to undergo duplicate immunizations.
That is a long sentence. Any concerns, comments? I'll let you ponder that for a second.
DR. COHN: I would suggest we just note wordsmithing issues as opposed to fixing them on the fly.
MR. ROTHSTEIN: So noted. The comment was that we need to break up that long sentence to one with semicolons. It probably would be easy to just chop it into three sentences. But we don't need to do that now. Any other comments? Next paragraph.
The interaction of HIPAA and FERPA has consequences in three areas. One, release of health information from educational institutions, two, privacy and security of health information held by educational institutions and three, differentiating health information of students covered by FERPA and health information of employees of an educational institution covered by HIPAA.
MS. GREENBERG: What about release of health information to educational institutions? Is it only from?
DR. FRANCIS: That was the subject of the previous letter.
MR. ROTHSTEIN: This is the new information. The first letter, we were concerned about stuff getting to schools. In this we are concerned about information getting out of schools to for example public health authorities.
MS. GREENBERG: But if you say the interaction of HIPAA and FERPA have consequences in three areas, that is clearly one of the areas.
MR. ROTHSTEIN: Maybe we should qualify that. The interaction of HIPAA and FERPA in the following three areas need to be --
(Simultaneous discussion.)
MR. ROTHSTEIN: So this letter addresses the interaction of HIPAA and FERPA in the following three areas? Okay, thank you. Other comments?
Release of information. In our more recent hearings on the subject, we heard from the American School Health Association, the American College Health Association and the National Athletic Trainers Association about a problem related to release of information. These witnesses told us that absent an emergency, FERPA requires parental authorization prior to disclosing a student's medical information to public health officials or even to a student's personal physician. Parental authorization is not required for a health care provider to share records for the purpose of treatment under the HIPAA privacy rule.
The requirement for parental authorization under FERPA limits immunization reporting, mandatory communicable disease reporting and surveillance, hearing testing, autism screening and other health information collected in school settings that might be disclosed to public health officials or health care providers for surveillance and followup treatment.
Comments?
Privacy and security. Sorry.
DR. GREEN: On the limits hearing testing, I think the issue is more of a coordination of hearing testing. What is going on is, these intervention programs that the schools are running, the public health departments have the hearing programs, so they are not able to get the information back from the schools to know if a child needs to be tested or not. So I'm not sure if it is listing hearing testing as more of a matter of determining if there is a need for hearing testing.
DR. FRANCIS: Is it reporting of the test results?
DR. GREEN: That is what their health departments are wanting, is the reporting of tests and results, yes.
MR. ROTHSTEIN: How about this suggestion? In the sentence that begins, the requirement, really what we are saying is the requirement for parental authorization under FERPA limits the effectiveness of immunization reporting, mandatory communicable diseases, et cetera. Is that the point that you want to make?
DR. BERNSTEIN: It can't move out of the school system to the public health authority because FERPA did not contemplate public health disclosures.
MR. ROTHSTEIN: No, I understand that, but what I am trying to get, which I think was Garland's point, is that the problem is that these programs are not as effective as they could be because of this limitation. That is how I am trying to fix that.
MR. SCANLON: Since the subject is parental authorization, maybe that parental authorization is an obstacle to reporting.
DR. BERNSTEIN: Well, we specifically do not want to say that, if I can characterize the committee's discussion, because it characterizes a privacy law as an obstacle rather than something that promotes privacy. The point is, the effect of it is to reduce as Mark was saying the effectiveness of the public health issue, rather than to call it an obstacle.
DR. FRANCIS: The awkwardness of the sentence was that what it is supposed to say is that it limits reporting in all of those cases. So maybe it just might say, the requirement for parental authorization under FERPA limits reporting of, and then put a colon. That way it doesn't look like reporting is linked just to immunization.
DR. BERNSTEIN: Say that again?
DR. FRANCIS: You put a colon after reporting of, and then you just say immunization, mandatory communicable disease surveillance, hearing test results, autism screening and other health information. That way it is clear that the reporting is about all of those results, and that is what it is meant to say.
MS. GREENBERG: So the mandatory communicable disease and surveillance doesn't exactly go well.
MR. SCANLON: Reporting of communicable diseases.
MS. GREENBERG: You would have to take out communicable diseases. I think you would have to take out surveillance, too.
MR. ROTHSTEIN: Is everybody comfortable with that fix?
DR. WARREN: I don't know how much grammar you want, but I have a knee jerk putting a colon after the word of. It should be of the following, and then the colon.
MR. ROTHSTEIN: Thank you, Miss Warren.
DR. BERNSTEIN: I'm happy to take her edits.
MR. HOUSTON: I think if you want to stick with the word limits, I think maybe it should be has limited. It doesn't necessarily -- the requirement for parental authorization doesn't necessarily limit reporting. What it says is, if you get the authorization you can then report. The problem that you have encountered is that you don't always get the authorization. So it is experience. Probably what you heard is that it has resulted in people not getting the authorization, and therefore we have not had all the reporting we would like.
MR. ROTHSTEIN: Yes, because it doesn't technically limit. It has had the effect of limiting. Thank you.
Privacy and security. Representatives of two school health associations testified that they and other school organizations would generally prefer that health information be protected in schools the way it is in health settings. Furthermore, both acknowledged that having more robust guidance on security would be helpful, since school environments generally lack the security protection required by HIPAA. Nevertheless, there may be other individuals or groups that would prefer to continue to have school health records only covered by FERPA, which has fewer disclosure exceptions than HIPAA, and we do not hear from them.
Consequently, although we do not have a specific recommendation now, we want to alert you to the problems in this area and advise you that the issue warrants further action.
Before we get to the question of the wording, let me explain what we are trying to say here, maybe not as artfully as we could.
It is kind of outside of our purview to say that Congress -- we tried to skate around the issue of whether Congress should take jurisdiction away from the Department of Education that is has under FERPA and stick it under the department, under HIPAA or anything else. So that is the explanation for why we said what we did.
MR. LAND: I guess I am not sure what we are really recommending then. If the Department can't do anything about FERPA, if there has to be a change in the law to activate some of these issues and results of these issues, then what are we asking the Department to do?
MR. ROTHSTEIN: We are asking at the end, the recommendation that is on page three in the first full paragraph, therefore NCVHS reiterates our recommendation that HHS work with the Department of Education to improve the interaction of FERPA and the privacy rule with respect to health records in school settings, and to resolve the issues noted above. The effort should clarify the circumstances under which each law applies, et cetera.
So that is the recommendation. The two Secretaries could get together and decide that it is not really solvable and they want to go to Congress and do something.
MR. LAND: This implies that it is just a matter of interpretation of the law and different rules could be promulgated to resolve it. It is my understanding that Department of Education and the schools are saying that is the way the law is, and we can't do anything about it. So having the two Secretaries get together isn't going to help.
DR. BERNSTEIN: Sure, the Secretaries could get together and recommend legislation jointly. They could propose a legislative change. Of course, it would have to be cleared in the normal way, but the Administration does that all the time. They make legislative proposals where they see fit.
MR. LAND: I guess I would like to see something like that in the letter, that if in their consultations they feel the legislation needed to be changed, that they make those recommendations to Congress.
MR. SCANLON: There seems to be a leap here in this paragraph. The paragraph is, we got some information, we didn't get information from others. It seems like the next step would be, maybe we should get information from the others. So the action that is implied in my mind is the idea that this issue needs to be investigated further before anybody does anything as concrete as proposing legislation.
So the question would be whether further action should be modified to say, warrants further exploration, so that people can understand that you think there is another viewpoint out there. The paragraph also in some respects implies that; you didn't hear it, but you think it may be out there.
MR. ROTHSTEIN: Right. If we were to pursue it, theoretically what we would have had to do is have another hearing and invite for example the parental rights people or the pro-FERPA people, whoever they might be, to come in and make their case why they think that FERPA should continue as it is. That seemed to be a little bit out there in terms of our charge, investigating the jurisdiction of FERPA. So that is why we just wanted to leave it like this.
Would it satisfy your concerns, Bill, if we just changed the word action to explored? So the very last word, warrants further exploration?
MR. SCANLON: Yes.
MR. ROTHSTEIN: Garland, tell me where you are.
MR. LAND: I just know that this is a major issue for public health. It seems like we need to be giving some real impetus to -- I don't know for sure, but I presume that this is going to require the law to be changed, is that correct?
DR. BERNSTEIN: I haven't explored enough to know, but it is my sense that that is probably right. FERPA is pretty specific.
MR. LAND: But we don't mention anything in here that that is our understanding, that it is going to require a lot of change. We are kind of leaving the implication that two good people can get together and resolve this, and I'm not sure that that is really --
MR. ROTHSTEIN: Perhaps this is not the place to -- if I can ask you to hold on to that thought, when we get to the recommendation paragraph on page three, maybe we can add that on there. Other comments on the privacy and security paragraph?
Student employees of educational institutions. Another problem identified by the American College Health Association at our 2006 hearing was the overlapping coverage of HIPAA and FERPA in the very common instance where an individual is both a student and an employee of a college or university.
As a student, all of the individual's education records including health records, are covered by FERPA. As an employee, an individual may be enrolled in a group health plan where the individual's health records are subject to HIPAA. In either role, the individual may become a patient of the associated university health center or hospital where both FERPA and HIPAA records are under the roof in the same institution. Consequently, ambiguity and confusion arise as to whether the individual's medical records are covered by FERPA and thereby excluded from coverage under HIPAA.
Another example is the case of the athletic trainer who treats a student covered by the university's health insurance plan so that it is not clear whether the trainer is creating records covered by FERPA or HIPAA.
I'll let you think about that for a minute. We have conveyed the degree of confusion. Here is the paragraph that we may need to touch up a little bit in terms of recommendations.
As we highlighted in 2004, FERPA was enacted at a time before students with significant physical, developmental, behavioral and mental health conditions regularly attended school, and before schools became providers of a wide variety of physical and mental health services. NCVHS recognizes that over 30 years ago, at the time of the passage of FERPA, the role of schools as health care providers and as partners with public health officials was not as prominent as it is today.
Therefore, NCVHS reiterates our recommendation that HHS work with the U.S. Department of Education to improve the interaction of FERPA and the privacy rule with respect to health records in school settings and to resolve the issues noted above. The effort should clarify the circumstances under which each law applies to insure that disclosures to and from schools for public health purposes work smoothly in appropriate circumstances.
Garland, if we want to add that, I think this would be the appropriate place. Can you suggest some language that you would like to --
DR. BERNSTEIN: If I could just point out, I think the reason that this sentence, therefore NCVHS reiterates, that is language that comes from our previous letter, so we knew that it had already been blessed by the committee. Nevertheless, the committee is free to change its wording now.
MR. ROTHSTEIN: And we can supplement it, too. We can take that sentence and add something after the word above.
MS. GREENBERG: At the end of the paragraph you could say something about, further the need for any changes in current legislation or regulations should be explored, or something like that.
DR. GREEN: What would you think about, instead of restricting it for public health purposes, inserting the phrase for public health or personal health care? It is a bidirectional issue. These kids, these trainers, these athletes' personal health care depends upon changing this information in the other direction just as much.
MR. ROTHSTEIN: We have got that up there now. Would that do it for you, and insure that disclosure to and from schools for public health for personal health care purposes?
MS. GREENBERG: I don't know if you need the word personal. You need just public health or health care purposes.
MR. ROTHSTEIN: Okay. What about the last sentence that was added in that paragraph, further the need for any changes in legislation should be explored.
DR. BERNSTEIN: Other than the passive voice.
MR. ROTHSTEIN: So the next revision of that final sentence is, further, the Department should explore the need for any changes in legislation or regulation. Is that okay? Okay, good, we have got a sale.
DR. COHN: We seem to be having problems here. I know how hard it is, this is a new system, but we will keep reminding, because people on the Internet are having a little trouble. I don't think we are able to record it if it is not lit. Garland, it is not you. We are all having trouble with this.
MR. ROTHSTEIN: So could you restate that question?
MR. LAND: Do we know what happened to your first letter, in terms of what action the Department took?
MR. ROTHSTEIN: I would ask Sue McAndrew to comment on that.
MS. MC ANDREW: The first set of recommendations are under consideration in the Secretary's office. Particularly the recommendation about student immunization and its treatment and public health has been the subject of discussion about whether or not a regulatory change to the HIPAA privacy rule should be done to accommodate that route.
I would also add just for the committee's information that I believe it was last week, the Secretary together with the Secretary of Education and the Attorney General released a report to the White House which contained a number of recommendations that would be encouraging information sharing from educational systems. This was largely in reaction to the Virginia Tech incident.
So there is going to be ongoing cooperation between the two Departments to ascertain how FERPA and HIPAA can be -- what guidance is necessary, and potentially further actions may be necessary in order to insure that appropriate information sharing is done, and that those privacy rules do accommodate important sharing activities.
DR. BERNSTEIN: If I am not mistaken, that report is available on the website. Also, on the White House website, it is the report that the Attorney General and the two Secretaries did in response to the Virginia Tech tragedy. I can't remember the exact title, but that is the nature of it. If anyone wants it, we will be glad to provide you a link.
MR. HOUSTON:You said the NCVHS' website?
DR. BERNSTEIN: No, the HHS website, our Department's website.
MS. MC ANDREW: The Department website. This is a copy of it.
DR. BERNSTEIN: What is it called, Sue?
MS. MC ANDREW: The Report to the President on Issues Raised by the Virginia Tech Tragedy. It is dated June 13.
DR. BERNSTEIN: So if anyone wants to see that, we can send you the link.
MR. LAND: The way we have it now, the last sentence for me about looking into changes in legislation and regulation just hangs there. We have embedded in the sentence before that a broader purpose than looking into the issues noted above, assuring that disclosures to and from schools for public health, et cetera, that that is the ultimate thing we want. We want the issues we have noted above dealt with, but we really want -- if there are other questions that are interfering with these transmissions, we want those addressed as well.
I would move that purpose into the prior -- instead of ending, the issues noted above, say, to resolve the issues noted above and to insure that disclosures to and from schools for public health, et cetera. So we have set that up and we have two specific tasks for them to do in this effort. One is to clarify the circumstances under which each law applies, and then secondly to explore the legislation and regulatory changes.
DR. BERNSTEIN: That is going to make this sentence really long, but --
MR. ROTHSTEIN: John, do you want to comment?
MR. HOUSTON:I just was looking up what Sue had just indicated; www.hhs.gov/secretary/violence.html.
MR. ROTHSTEIN: Let me for the benefit of those on the Internet read what I think it says. Therefore, NCVHS reiterates our recommendation that HHS work with the U.S. Department of Education to improve the interaction of FERPA and the privacy rule with respect to health care records in school settings and to resolve the issues noted above.
MS. GREENBERG: I think you can just skip that now, to resolve the issues noted above, because the main thing will be to assure.
MR. ROTHSTEIN: Correct, so let's try that again. With the U.S. Department of Education to improve the interaction of FERPA and the privacy rule with respect to health records in school settings, to assure that disclosures to and from schools for public health or health care purposes work smoothly in appropriate circumstances. The effort should clarify the circumstances under which each law applies and explore the need for any changes in legislation or regulation to accomplish these goals.
Bill, Garland, are you okay with that? Anyone else?
DR. TANG: I just think the word is insure rather than assure.
MR. ROTHSTEIN: I agree, I think it should be insure. The last paragraph.
We also recommend the Department strengthen its outreach in education program to eliminate the unintended confusion that has arisen in recent years with respect to the protection of health records in schools. We appreciate the opportunity to share with you our additional thoughts and recommendations on the issue of school health records.
Any comments on those paragraphs? Any overall comments about the letter? Simon, do you think it is appropriate to vote now, or do you want to vote tomorrow?
DR. COHN: I would ask the view of the committee. I think it is an excellent letter, which was even further improved by the work we just did. Does anyone feel that we need to think about it over the evening, or would you rather just move forward as an action?
DR. WARREN: I just had one question. One of the things that I was looking at as I was reading through this is some of the questions we have had in Standards and Security. If I am an executive reading through this letter, I have to really dig to find the recommendations. I am wondering if we should enumerate those at the end of the letter so that they can easily be found.
DR. COHN: As in bolding them?
MR. ROTHSTEIN: Can we pull them out and bullet them or bold them or number them?
DR. WARREN: Yes, a bullet I think would be better, because then you could skim the letter.
DR. COHN: I would take that along the lines of wordsmithing. You're right, these are hidden in the body of the text.
DR. BERNSTEIN: I still need to break up this previous one we were going to break up into two sentences.
DR. COHN: I think that is formatting and bolding.
DR. CARR: I would concur. The more we can have the format of our letters look the same and the recommendations easy t find. I would also encourage that we might have a headline of what the letters are about, because as evidenced by today, it is very hard to figure out which letter we are on, other than the visual appearance.
MR. ROTHSTEIN: I think that is a very good suggestion as well.
MS. GREENBERG: Yes. In fact, I wouldn't necessarily want to make this the guinea pig, but I think the headline like we sometimes do on an agenda is very good. This is what we are about here.
But also, it is this idea of starting with the end in mind. Even maybe something right in the beginning of the letter that says that, sending the recommendations to you in this letter follows up on that or something, and specifically recommends further efforts by the Department and the Department of Education to bring clarity to these problems.
That is really what these recommendations are about. Then you can go through the whole -- build the case and the specific recommendations. We did this with the latter last time, just bring the essence of the recommendations up to the first paragraph.
MR. ROTHSTEIN: So you are suggesting adding a last sentence onto the first paragraph.
MS. GREENBERG: Yes.
MR. ROTHSTEIN: Which basically summarizes what we are trying to do here?
MS. GREENBERG: Yes.
DR. TANG: Or summarizes the issue. If you just say this letter addresses the confusion that has arisen between FERPA's interaction with HIPAA, that sets the context and describes the problem.
MS. GREENBERG: And recommends approaches to address it, or something like that. But it is wordsmithing, what are we about here. You have certainly made the case well that this is very confusing, but we could lose the reader before it ever got to our recommendations if we haven't told them right up front.
We will work on that. I think we agreed to work on it with Susan Kanaan, on trying to get a more standard set of template or guidelines for all these letters.
DR. FRANCIS: What you have there is just another paragraph, though. So what you really should do is, before it is Dear Secretary Leavitt, it should be almost like the way you would have in a memo, re.
MS. GREENBERG: We will do that too.
DR. FRANCIS: But I think the recommendations should be up there, too. It should be interaction of FERPA and HIPAA, recommendations one, two, three, and then have the letter.
MS. GREENBERG: That would be more radical, but we will take that under --
DR. FRANCIS: You can really see it then.
MS. GREENBERG: I don't think we should do that with this letter, but that will be under advisement as we consider a template.
MR. HOUSTON: It is not that long of a letter, either. I could see if we had long letters and we decided to make recommendations in order to clarify, but this is two pages.
DR. COHN: I guess we will move into this, but I do think bolding RE's are very useful. I think what you are describing is an executive summary. I don't think a letter this long needs that. But you're right, it does need clearly an RE, which we will talk about.
Now, with all of that, how are we with the letter? Are we talking about formatting, bolding? Are we okay? I am seeing people feeling that we can move forward with a vote on this. No?
DR. BERNSTEIN: I just want to make sure that I understand what it is that we are clearing. I need to have a subject. It would be good if the letter were, with the exception of minor editorial fixes, exactly what you want to say.
MR. ROTHSTEIN: I think we're fine. We have to split that one sentence into three sentences, and I think that is about it.
DR. BERNSTEIN: So you people are happy with the sentence I just wrote on the fly? The reason I didn't put FERPA and HIPAA in there is because I would have to explain what both of those laws are before saying that, and it would be hard to do. It took us a whole paragraph to figure out how HIPAA worked.
MS. GREENBERG: That's okay.
MR. HOUSTON: Even though I am a member of the subcommittee, can I make a proposal that we approve the letter, subject to any wordsmithing that Mark would need to do just to clarify these last two points?
DR. COHN: Sure.
MR. LAND: Second.
DR. COHN: Any discussion? Without discussion, all in favor?
(Chorus of Ayes.)
DR. COHN: Opposed? Abstentions? The letter passes. Mark, on to your second letter.
MR. ROTHSTEIN: Thank you. The second letter was originally in Tab 4. It is the one that deals with non-covered entities. I'll give you a second to pull out the revised draft that Maya distributed. There weren't that many changes, and they appear primarily on page two. So let me begin by reading the first two paragraphs, because the first paragraph is not controversial.
Dear Secretary Leavitt. On June 22, 2006, the National Committee on Vital and Health Statistics, NCVHS, sent you a letter report, Privacy and Confidentiality in the Nationwide Health Information Network. Among the 26 recommendations was the following. R-12, HHS should work with other federal agencies and Congress to insure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers and schools.
The NCVHS held a series of three hearings in 2006-2007 to learn more about the health privacy practices of entities that make significant use of health information in their day to day operations, but are not covered by the Health Insurance Portability and Accountability Act, HIPAA.
At the first two hearings we heard from representatives of life insurers, insurance regulators, human resource professionals, occupational health physicians, financial institutions, primary and secondary schools and colleges. The third hearing focused on health care providers and other entities in the health industry that are not covered by the HIPAA privacy rule.
We inquired about the degree to which they are regulated by other federal or state laws, and the possible effects that federal health privacy coverage would have on their operations. What we learned from the testimony strongly reinforces our conviction that all entities that deal with personally identifiable health information should be covered by some federal privacy law.
The NCVHS would like to share with you some additional observations in support of our earlier recommendation with respect to this last group of non-covered entities, those operating in the health care arena.
Okay? Next paragraph.
A significant concern is that many of the new entities essential to the operation of the Nationwide Health Information Network fall outside HIPAA's statutory definition of covered entity. Health information exchanges, medical record banks, regional health information organizations and other new entities established to manage health records have proliferated in recent years.
While some of these entities may be business associates under the privacy rule and thus obligated by contractual agreements with covered entities to maintain similar standards, it is the view of the NCVHS that business associate arrangements are not sufficiently robust to protect the privacy and security of all individually identifiable health records. Business associates are subject only to contract claims brought by the covered entity, and not through enforcement actions by HHS or the Department of Justice.
Furthermore, the majority of participants proposed as service providers of the NHIN, e.g., health information exchanges, regional health information organizations, record locator services, community access services, system integrator, medical record banks, are not covered entities or business associates.
The health information technology community is moving quickly in response to the Department's efforts on NHIN, but our hearings have revealed that even today, numerous individually identifiable health records are not subject to federal privacy and security protections. This remarkable fact underscores our view that all individually identifiable health information created, collected, stored or transmitted should enjoy the protection of a federal privacy standard.
DR. OVERHAGE: My ignorance here. So does this imply for example state and local public health departments should be covered by a federal privacy standard?
MR. ROTHSTEIN: Well, at some point they are. If they are covered entities under HIPAA they might be.
DR. OVERHAGE: No, they are not, I believe. I could be wrong, but I think they are carved out. They are not covered entities. We have gone around and around with this with health departments, who have said we are not covered entities, we cannot sign a business associate agreement, because we are not, and we don't want to be.
MR. ROTHSTEIN: I'll let Sue clarify this, but they can be a hybrid entity or they could be a covered entity at their election, depending on what services they provide, correct?
MS. MC ANDREW: By and large, the public health departments within states would not be considered covered entities. That is not to say that some of them have not in fact, because of their definition of what legal entity they are a part of, and/or they may be a direct provider of health services and may bill electronically. They may be -- part of them maybe a covered entity. Most of them we have encouraged to get into a hybrid situation so that their public health functions are not part of the HIPAA compliant component.
MR. ROTHSTEIN: So in answer to your question, we had originally said in R-12, we sidestepped the issue of whether it should be federal or state law, and we also avoided the question of whether, it federal law, whether HIPAA or some other law. So that is why it reads, to insure that privacy and confidentiality apply to all individuals. We didn't say that here, we are saying federal.
So there is an argument that could be made that we should just take the word federal out, I suppose.
DR. OVERHAGE: I don't have a position. I just want to make sure we knew what we were recommending.
DR. FRANCIS: It is of course possible that a federal standard would defer to states in certain areas. So I actually don't think that language takes a position on the point you raised.
DR. OVERHAGE: I guess maybe somebody can explain that to me. So a state health department for example, which is a particular example that is not a direct deliverer of care -- again, I am just ignorant about these things -- this says that entity because they have personally identifiable health information, should be covered by federal privacy law.
MR. ROTHSTEIN: But federal privacy law could say that all information in the custody, under the control of a state agency has to comply with federal law or a comparable state law, if there is one. What that law would say would be, you can't have information that is maintained by a state health department unless there was a state law that protected it, or then it would be subject to the federal law.
DR. FRANCIS: It doesn't for example include the word uniform, which would be -- I think your worry would be a real worry if it included the word uniform.
MR. ROTHSTEIN: Or pre-emptive.
DR. BERNSTEIN: You could say a minimum set of standards plus whatever the state wants to do, but we didn't say that. It could look like lots of different things. HIPAA for example says that state law that is more stringent in certain places continues to apply.
MR. ROTHSTEIN: Would it be better if instead of the word standard we put, enjoy the protections of a federal privacy law? Would that imply more flexibility or less flexibility? No? Or should enjoy federal privacy protections?
MS. GREENBERG: You already said, enjoy the protections of a federal --
MR. ROTHSTEIN: Well, take that away, or transmitted should be subject to federal law. I am just trying to accommodate the concern.
MR. SCANLON: I think the federal privacy standard may be fine. There is a precedent here in the other portion of HIPAA that deals with insurance reform, and sets a standard that there has to be guaranteed issue for certain people. That was something that was left, because insurance regulation is a state function, left to the states unless they fail to do so, and then there was a federal fallback.
So I think we have got a precedent here. Standard is a vague enough but specific enough term at the same time that I think it will accomplish what you intend.
MR. ROTHSTEIN: Any other comments? Are you okay with that, Mark?
DR. OVERHAGE: I didn't have a position, but only that I thought we wanted to make sure that we knew what we were saying in that specific instance, because they are a little bit different than a lot of the organizations that we think about.
MR. ROTHSTEIN: We sometimes know what we are saying.
DR. COHN: I won't tell you that I spent a lot of time wordsmithing this paragraph. As many of you know, you have seen iterations of things getting crossed out.
I had almost a question of fact that I just want to clarify and make sure that we are right on here. I am looking at a particular sentence that says, furthermore, the majority of participants proposed service providers of the NHIN, e.g., health information exchanges, regional health information organizations, record locator services, community access services, system integrator, which may or may not be the right group to be included as medical record banks, are not covered entities or business associates.
Is that a true statement, I guess is my question? I can believe many. I just wonder if we have evidence to support the fact that the majority of them are not covered entities or business associates? Mark, do you have information? Either Mark.
DR. OVERHAGE: I don't have any data other than personal knowledge of those organizations. I don't know of any that are not business associates.
DR. BERNSTEIN: But they are not required it be, right? They choose to do that as a matter of their business. They decide that that is a good business practice. But I'm not aware that they are required to do that.
DR. OVERHAGE: Well, I guess it depends on your perspective. If you are the holder of the health information, if you are a covered entity, you are required to have a business associate agreement with the people you contract with that are going to manage protected health information. If one of these organizations is going to manage protected health information, they would be required by the covered entity to be their business associate.
DR. BERNSTEIN: Sue, is that a precise statement? I don't mean to pick, but I just want to make sure. I think it is right to ask about this.
MS. MC ANDREW: I think in the world today, most data managers, I would hazard a guess, all data managers are business associates of the covered entity that they service. We are presuming that some form of that relationship will carry over into a RIO setting. It becomes difficult to decide whether or not they fit the business associate model, simply because you have the central player that is connected to a whole array of different providers, and also may have some relationships and obligations to yet other networks independent of the providers.
It is not clear yet where the data will reside and what their range of functions will be. Some of them may actually be engaging in functions that would be independent of a business. They are not things that come out of a covered entity and get passed on to this entity as a business associate. They may be business functions independent.
So they wouldn't be doing everything on behalf of the covered entity or even multiple entities. So conceptually as we get further down the RIO road and the networks road, it does become challenging to figure out if the business associate model truly functions and functions effectively in that environment.
DR. OVERHAGE: I am looking at examples like the Memphis project and ours. Everyone I know of, we all have many business associate agreements.
DR. BERNSTEIN: My question was, are they required either by the law or by the rule to be business associates, or is it just a good business practice to do that. Those are different things.
MR. ROTHSTEIN: Let me recognize Paul, and then Harry wanted to comment, and then Marjorie.
DR. TANG: Maybe I would like to try to resolve this discussion by taking out the or business associate phrase from that sentence. We spent most of the paragraph setting up the claim that business associate is such a weak instrument that it is a bit moot.
It is true that none of these folks are covered entities, and it is that principle, not that they become covered entities, but that the data the store, access, touch have the same protection as if they were covered entities. I think that is our point. So if we take away the business associate phrase, --
MR. ROTHSTEIN: But let me ask you, Paul, if we did that, then what about the majority? Should we just take that away, furthermore the participants proposed as?
DR. TANG: None of them are covered entities.
MR. ROTHSTEIN: So it would now be, furthermore the participants proposed as service providers of the NHIN, skip the parenthetical, are not covered entities, period. Is that what you are proposing? Harry was next in line.
MR. REYNOLDS: Let's keep in mind that more and more of this business of NHIN and other things is going to be done over the Internet. There are going to be silent partners in many ways, as data flows back and forth between entities that you don't know, you don't see, and you don't have jurisdiction over. So that is where a lot of this business is going to be going.
So I think the point is, everybody that is doing business now that knows of someone who is helping them do that business may be bringing them into the fold. But the model that we are looking at for the future doesn't necessarily let you know everybody that sees or touches or gets anywhere near the data. So I want to keep that as an overview thought, too. Everybody can defend that I have got the right business associates, and we do the same thing. But when you shoot it out into the highway now, you're not sure who all is getting it and what they are doing with it and who is who.
MR. ROTHSTEIN: Thanks, Harry.
MS. GREENBERG: I think Paul covered my point.
MR. HOUSTON:As I look at it, I think if we are going to remove business associates, then rather than furthermore at the beginning of the sentence, I would almost be inclined to say something like, additionally, other participants proposed as service providers of the NHIN are not covered entities.
We have talked about business associates above in this paragraph. We also talked about the group that are -- there is an assumption that some could be covered entities, but there is this others category that would not be either of those. You have to make that linkage somewhere in this sentence.
MR. ROTHSTEIN: Reading the paragraph as a whole, the change Paul suggested makes the paragraph illogical now. We start out talking about -- it just doesn't follow. It starts out talking about covered entities, a significant concern is that these people are outside the covered entities, and then we say that some of them might be business associates, but there is a problem with business associates, then we go back and say that they are not covered entities.
What we would have to do to make it fit together is move the new sentence the way Paul rewrote it up into the first part and then talk about business associates as the second part, to make that logical.
DR. FRANCIS: Another problem here is that what you might have is a network sharing be a business associate of one entity and then a business associate of another entity and there are issues about the consistency of those arrangements, too. That is a problem if what you are dealing with is enforcement only through contract claims.
I was playing with the idea of business associates with each other. That is one way to think about it. Another way to think about it is just to weaken that and say, may not be business associates rather than are not business associates.
Basically we are pointing to the fact that there is a patchwork of protections maybe afforded by the business associate model. We certainly don't have the protections afforded by the covered entity model. It is hard to know exactly, but if we just changed are not to may not.
MR. ROTHSTEIN: Another way of doing it is not to undo what Paul just said, that we like, but just to make the change, to think about the original language which you have in front of you on the hard copy, and take the word majority out, and just say, furthermore many of the participants proposed as service providers are not covered entities or business associates. I think that is a statement of fact that nobody would disagree with, and many of them aren't, either.
So then logically we would say, some are covered entities, some are covered as business associates, but that is not too not anyhow, and many aren't, either.
DR. COHN: I think I like the way you are wordsmithing this. My own question at this point is where it fits in the paragraph.
MR. ROTHSTEIN: If you go back to the hard copy and don't look at the screen, in the fourth line down, where it says furthermore, at the end of the line, strike out the majority of and substitute many of the.
DR. BERNSTEIN: Do I have it on the screen the way you are talking about, Mark?
MR. ROTHSTEIN: Yes.
DR. COHN: I just have a question of clarification. The way the sentence is going, I found myself looking at this and trying to figure out how this point is different than the first and second sentences of that paragraph. Maybe we are making a distinction between entities essential to the operation versus service providers. Is that the distinction we are making here?
MR. ROTHSTEIN: A significant concern is that many of the entities are not covered entities. They have proliferated in recent years. Some may be business associates, but there are problems with that.
DR. BERNSTEIN: And many are neither one.
MR. ROTHSTEIN: Many are neither.
MS. MC ANDREW: Those are different ways in which business associate arrangements are not sufficiently robust.
MR. ROTHSTEIN: I sense that we have an agreement on what we are trying to say with the paragraph, but it may not read with sufficient clarity for everyone's comfort. Is that pretty much true? In other words, we need to meet privately, the subcommittee, redraft this paragraph and bring it back tomorrow, do you think, or not?
DR. OVERHAGE: I was going to say the same thing Simon did. I think you should strike this sentence and the whole thing would be clearer.
MR. ROTHSTEIN: Strike which sentence?
DR. OVERHAGE: The one we are discussing about, furthermore the majority of participants proposed as service providers.
DR. COHN: That is what I was trying to say. I just wasn't sure whether there was anything new that we were adding.
DR. OVERHAGE: If it adds something, it is not clear to me.
MR. ROTHSTEIN: One of the things that I didn't want to lose that maybe we can salvage from that is, could we move that list that is in the parenthetical into the second sentence of the paragraph, just to give a flavor of the varieties of these organizations? Would that be okay?
DR. OVERHAGE: Yes.
DR. BERNSTEIN: If you strike the sentence, then you lose the -- the previous sentence talks about that you might have business associates and the arrangements are not very robust. But I think it was trying to drive the point that some of them aren't even business associates, so there is nothing protecting them. That point is not made if you lose that sentence.
DR. OVERHAGE: I'm not sure why you lose that point. You say in the third sentence, while some of these entities may be business associates, --
DR. BERNSTEIN: The argument is, we are not covered entities, but it is okay because we are business associates. From the discussion, without trying to put words in the subcommittee's mouth, the idea was, we don't want them to be able to say for business associates that is good enough, because we don't think it is really good enough. We think that is not very robust.
Then the point is, even though it is not very robust, it is better than the fact that some of them are not covered at all. And they are not business associates, and there might be some state law that applies, but probably not. These are new kinds of business models.
DR. FRANCIS: Suppose what we did was, we take the sentence that starts, while some of these entities may be business associates under the privacy rule and thus obligated to maintain similar standards, others may not be business associates, period. Moreover, it is the view of the NCVHS that business associate arrangements are not sufficiently robust. That way, both points get made.
MR. ROTHSTEIN: I'm okay with that. Maya, do you want to give that a shot?
DR. BERNSTEIN: I'll do that. Then do you want to put this list somewhere? That would mean we would kick out this part right here.
DR. FRANCIS: I believe we have that list already. We have most of that list already in the second sentence, and we should make sure that the list in the second sentence is complete.
MR. HOUSTON:I think what Leslie said works. If you take the parenthetical out of that sentence that started originally with furthermore, it is a lot easier to read. I think we can use Leslie's approach, too. I think the parenthetical makes it difficult to navigate, which might have caused some of the confusion. Either way I'm okay.
MR. REYNOLDS: I am in total support of Leslie's position on the business associates also.
MR. ROTHSTEIN: Thank you. Other comments on that paragraph? Let me give it a try. Are you ready for me to try to read that now, Maya?
DR. BERNSTEIN: How's that?
MR. ROTHSTEIN: Here we go. A significant concern is that many of the new entities essential to the operation of the NHIN fall outside the HIPAA statutory definition of covered entity. Health information exchanges, regional health information organizations, record locator services, community access services, system integrators, medical record banks and other new entities established to manage health records have proliferated in recent years. While some of these entities may be business associates under the privacy rule and thus obligated by contractual agreements with covered entities to maintain similar standards, others may not be business associates. Moreover, it is the view of the NCVHS that business associate arrangements are not sufficiently robust to protect the privacy and security of all individually identifiable health records. I think there is no change in the rest of that paragraph.
DR. BERNSTEIN: That second deletion. So it goes, business associates are subject only to contract claims brought by the covered entity, --
MR. ROTHSTEIN: And not to enforcement actions by HHS or the Department of Justice.
DR. BERNSTEIN: And is followed by the health information technology community as moving quickly, that sentence.
MS. GREENBERG: Then you pick up again here?
MR. ROTHSTEIN: Right. So is everybody okay with that? Hearing no moans, --
DR. COHN: I don't mean to take all the fun out of this paragraph. I just wonder about the word remarkable.
MS. GREENBERG: I like it.
MR. ROTHSTEIN: I think an early version was astonishing. Next paragraph.
In addition to new entities that manage health records, mentioned above, NCVHS also heard from representatives of non-covered health care providers, the National Athletic Trainers Association, International Medical Spa Association, a large employer participating in a multi-employer personal health records system, a health record bank organization, and a home testing laboratory. We also heard from legal experts who addressed various issues associated with those entities, such as the status of concierges, medical practices and the disposition of the health records of entities that enter into bankruptcy.
DR. OVERHAGE: Two comments. One is that I wasn't sure why concierge medical practice -- to me that means something that covers -- it is just a medica practice that happens to operate in a different way, and I wasn't sure why that became a different --
MR. ROTHSTEIN: Because there are basically two types of concierge medical practices, one of which is cash only, no billing, and therefore not covered.
DR. OVERHAGE: I guess that is my trouble, that using that word might imply a broader group of practices, and what you really mean is people who charge cash for their services. We have used a word that describes something different, which is how care is delivered.
MR. ROTHSTEIN: This sentence, keep in mind this is a description of who we heard from. We heard from a legal expert whose practice is representing concierge medical practices of both kinds. In the next paragraph, we talk about -- we don't use the term concierge medical in the next paragraph; we say among the health care providers not covered by HIPAA, entities are directly paid by their customers or another party, blah, blah, blah.
DR. OVERHAGE: My question would be, I fear it might engender some confusion by convoluting the two things, and we might be better off saying something like, the status of medical practices to operate on a cash-only basis or something, and then you are going to go on and explain that further.
MR. ROTHSTEIN: This is narrowly, precisely who we heard from. But I understand your point. So let's make that change.
DR. OVERHAGE: Then the other is a similar vein at the end.
DR. BERNSTEIN: Mark, before you go on, can you tell me what the language was that you wanted?
DR. OVERHAGE: I was just going to include cash only or something like that. You could wordsmith that.
MR. ROTHSTEIN: And your other change?
DR. OVERHAGE: In the last sentence you talk about entities that enter into bankruptcy, and I wonder if we want to say cease to exist for various reasons, including bankruptcy or something. Again, this is in a similar vein. You heard about bankruptcy.
MR. ROTHSTEIN: This is exactly who we heard from. We heard from an expert on bankruptcy law, who commented on the issue of whether any promises to safeguard privacy extend to entities that enter into bankruptcy.
DR. BERNSTEIN: Right, and also because the medical records may have value in the market, whether they are required to sell them
DR. OVERHAGE: I understand the issue. My worry is that -- and I appreciate your point about, this is who you heard from. The question though I had was, obviously entities cease to exist for a whole variety of reasons, one of which is bankruptcy. The same set of issues apply when the organization ceases to exist. A simple example is, a physician shutters his doors.
DR. BERNSTEIN: No, the same issues do not obtain if the practice just goes out -- sorry, Mark.
MR. ROTHSTEIN: Actually, the issues are different under the Federal Bankruptcy Act. That is what we wanted to explore, the intersection of the Federal Bankruptcy Act protections and the privacy.
Any other comments on that paragraph? The next one.
Based on the testimony we heard, we now understand that a significant number of everyday providers of health care and health related services are not covered by the HIPAA privacy and security rules.
These entities fall into two categories. The first category do not submit payment in electronic form. These entities are not covered because the definition of a covered provider is connected to the original purpose of HIPAA, administrative simplification of the processing of claims. Since these entities do not submit claims or bill health plans, they fall outside the definition and are not covered.
Among the health care providers not covered by HIPAA are entities that are directly paid by their customers or another party such as some providers of cosmetic medicine services, occupational health clinics, fitness clubs, home testing laboratories, massage therapists, nutritional counselors, alternative medicine practitioners and urgent care facilities.
Simon, you have a quizzical look on your f