NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Health Data Needs, Standards and Security

August 5-7, 1997

Washington, D.C.

- Meeting Minutes -


The Subcommittee on Health Data Needs, Standards and Security of the National Committee on Vital and Health Statistics was convened Tuesday-Thursday, August 5-7 in the Hubert H. Humphrey Building in Washington, D.C. The meeting was open to the public. Present:

Subcommittee members

John R. Lumpkin, M.D., M.P.H., "K2" Work Group on Data Standards Chair
Jeffrey Blair
Simon P. Cohn, M.D.
Kathryn L. Coltin
Kathleen Frawley, J.D., M.S., RRA
Robert M. Gellman, J.D.
Vincent Mor, Ph.D.
George Van Amburg

Staff and liaisons
Marjorie Greenberg, Executive Secretary, National Center for Health Statistics (NCHS)
James Scanlon, Executive Staff Director, DHHS
William Braithwaite, M.D., Ph.D., DHHS
Bob Moore, Health Care Financing Administration liaison
Lynnette Araki, NCHS
Judy Ball, DHHS

Others

Jackie Adler, NCHS
Gracie White, NCHS
Charles Meyer, HBO & Co.
Carl Landwehr, National Research Council/Naval Research Laboratory
Russell Jones, Ernst & Young
Erica Drazen, First Consulting Group
Randolph Sanovic, United HealthCare Corp.
Gene Sloan, PCSL
Linda McNish, NCHS
Sandra Fuller, AHIMA
Cindy Zakaworotny, Hartford Hospital
Harvey Schwartz, Ph.D., AHCPR
William Schooler, HCFA
Krista Robinson, EDS
Dan Proctor, Passport Health Communications
A.J. Aroneck, Blue Cross Blue Shield of FL
Margret Amatayakul, CPRI
Laura Brown, Ernst & Young
Lyndalee Korn, TRW
Karen Folk, NAMI
Dan Staniec, NCPDP
Sean Auton, University of Michigan
Jeanne Gilliland, CDC
Julie Miller, Blue Cross Blue Shield Assn.
Andrew Ripps, HealthPoint
Jennifer Cook, NAIC
Saul Golubcow, BCBSNCA
Kelly Spencer, State Farm
Adele Waller, Goldberg, Kohn, Bell, Black, Rosenbloom & Moritz Ltd.
Karen Sealander, McDermott Will & Emery
Robert Iadicicco, Gordon & Barnett
Dale Miller, Irongate, Inc.
Gary Beatty, Mayo Clinic
Claudia Tessier, American Assn. for Medical Transcription
Larry Watkins, Medic Computer Systems
Jeanne Schulte Scott, CIS Technologies
Barbara Comstock, State Farm
Ted Cooper, M.D., Kaiser Permanente
Tom Hanks, Medaphis Corp.
Gwen Moulton, BNA
Diedra Abbott, College of American Pathologists
Harvis Raymond, HIAA
John McGuire, HCFA
Barbara Clark, HCFA
Karen Milgate, AHA
Roy Bussewitz
Robert Tennant, MGMA
Nellie Bristol, Health News Daily
Patrick Reading, American Medical Group Assn.
Jim Walsh, American Psychiatric Assn.
Pat Hamby, HBO & Co.
Bob Driscoll, HHS
Christopher Bergsten, AAHP
Dixie Baker, Ph.D., Science Applications Internat'l Corp.
Carl Dvorak, Epic Systems Corp.
Harvie Raymond, HIAA
Jack Geisser, Congressional Consultants
Ralph Korpman, M.D., Health Data Sciences Corp.
John Parmigiani, HCFA
Jim Klein, MD Health Information Network
Kepa Zubeldia, M.D., Envoy NEIC
Sarah Comley, Ph.D., International Observers
Bruce Kelly, Mayo Foundation
William Bruno, American Psychiatric Assn.
Jean Narcisi, American Medical Association
Don Bechtel, HDX
Charles Breed, Pretty Good Privacy
Jim McCord, Oacis Healthcare Systems
Terese Cendrowski, ASTM
Lee Barrett, EHNAC
Wayne Wilson, University of Michigan Medical Ctr.
J. Michael Fitzmaurice, Ph.D., AHCPR
Chris Plaushin, Amer. Soc. of Clinical Pathologists
Jan Lovorn, ASTM
Lew Lorton, HOST
Jennifer McNasby, Ropes & Gray
Frank Pokorny, Blue Cross Blue Shield Assn.
Jill Wechsler, Managed Healthcare
Holly Butts, The International Reports: Early Warning
George Arges, AHA
Donna Pickett, NCHS
David Berglund, NCHS
Bill Sobaski, HCFA
Jennifer Marcus, AHA
Steve Lillie, DOD
Vince Stine, AACC


EXECUTIVE SUMMARY

(Note: Documents pertaining to this meeting can be found on the NCVHS Web site at HTTP://ASPE.OS.DHHS.GOV/NCVHS/)

The Subcommittee on Health Data Needs, Standards and Security met on August 5-7 in Washington, D.C. The meeting began with a day and a half hearing focusing on perspectives on security issues in implementing the administrative simplification provisions of PL 104-191 (Kennedy-Kassebaum or HIPAA). Six panels made presentations and talked with the Subcommittee. The presentations are available in their entirety on the NCVHS Web site.

Following the hearing, the Subcommittee developed its work plan and recommendations on security. It spent August 7 reviewing data content issues and recommendations.

ACTION ITEMS

  1. The Subcommittee will decide on what steps to take on patient identifier after seeing the consultant's report. The topic will be a major item on the agenda of the September breakout meeting, to which the co-chairs of the relevant HHS teams will be invited.
  2. Payer ID and Employer ID were also put on the agenda of the September meeting, along with follow-up on data content, with particular reference to the NCVHS core data elements.
  3. Members agreed on the following work plan and rough timetable: The immediate tasks are security, payer ID, employer ID, patient ID, and distribution/implementation. Next come data content and terminology. Recommendations on attachments are due in a year; CPR recommendations are due in three years. Work on attachments will begin in the winter, with hearings. The HHS team will report in November on its work with HL7 and X12. The attachments are seen as the kickoff for the work on CPR. The Subcommittee will hold a hearing on version control in spring 1998.
  4. The Subcommittee authorized Ms. Frawley to draft a document reflecting discussion on security recommendations. It will be circulated for comments and revised as needed for presentation at the September 8-9 NCVHS meeting.
  5. At Mr. Parmigiani's request, the Subcommittee agreed to review and give feedback on the matrix being developed by the HHS implementation team.
  6. The Subcommittee will refer to the CPRI terminology conference the question of what to do about items identified in the NCVHS core health data elements recommendations as important but in need of further work, such as functional status.
  7. Ms. Greenberg and Mr. Scanlon will pull together the themes from today's discussion and past ones to assist the Subcommittee in developing criteria for determining the status of data elements.

I. PERSPECTIVES ON SECURITY ISSUES

OVERVIEW OF ISSUES; STATE OF THE INDUSTRY

· Carl Landwehr, National Research Council/Naval Research Laboratory

· Laura Brown, Ernst & Young, LLP

· Dale Miller, Irongate, Inc.

· Erica Drazen, ScD., CPRI

· Adele Waller, Esq., Goldberg, Kohn, Bell, Black, Rosenbloom & Moritz, Ltd.

The panelists said that a good deal of technology is already available but not being used, partly because of the rate and scope of change in the industry. They stressed the importance of building security requirements into the design at the outset.

The group favored using JCAHO and NCQA to check on organizations' security policies and practices and on the implementation of CPRI and ASTM standards and guidelines. They also favored efforts to synthesize the work of CPRI and ASTM, a process that has already begun.

The panelists were in agreement that no single standard is adequate, a conclusion that is consistent with the recommendations in the NRC report and that was echoed by other panels. They said policy-level recommendations would be valid throughout the industry, with implementation varying with the setting. The panelists predicted that vendors would be able to produce appropriate security technology in a reasonable period of time once the Committee makes its recommendations.

All panelists stressed the ways in which the health care industry is more complex than other industries, for example in issues of privacy and access. While technology developed elsewhere can be adapted, this must be done cautiously and based on an analysis of acceptable risk.

The group discussed the need for a body with responsibility for ongoing review of security standards in the light of changing technology. NCVHS might perform this function, as the NRC study committee recommended.

PANEL OF PROVIDERS

· Sean Auton, Esq., University of Michigan Medical Center

· Gary Beatty, Mayo Clinic

· Ted Cooper, M.D., Kaiser Permanente (Chair-elect, CPRI)

The panelists agreed that a set of accepted industry practices and standards is needed, and they suggested that JCAHO or NCQA could inspect organizations and determine whether they are doing enough. They spoke of the need to know what is generally accepted and approved, to establish a minimal level and a base and to give guidance on what standards to use and how to use them. They agreed that it would be helpful to have a national standard and consistency among the states in the privacy area.

The panelists supported the NRC recommendations for individual identification of users, access control, and audit trails. Regarding the latter, they stressed the need to target the auditing and to combine it with review of the audits and publicity of the practice to enhance the deterrent function. They agreed that the Committee's recommendations should cover both internal and external exposures.

PANEL OF PROVIDERS, PAYORS, AND PROFESSIONAL ASSOCIATIONS

· Pat Forbis, CMT, Amer. Assn. for Medical Transcription

· Cindy Zakoworotny, Amer. Health Information Mgmt. Assn.

· Kepa Zubeldia, Assn. for Electronic Health Care Transactions

· Randy Sanovic, United HealthCare

The Subcommittee and panel discussed the X12.58 security standard and PGP at some length, as well as the subject of encryption. Dr. Zubeldia said that it is not necessary to encrypt transactions on private networks, which are covered by the wiretapping act. The panelists stressed that special security measures such as encryption are needed for Internet communications and may not be needed in other networks.

PANEL OF VENDORS

· Andrew Ripps, Health Point

· Ralph Korpman, M.D., Health Data Sciences Corp.

· Dixie Baker, Ph.D., Science Applications Internat'l Corp.

· Dan Proctor, Passport

At the Subcommittee's request, panelists discussed the place of C2 and the orange book in the broad framework of security approaches. Dr. Lumpkin suggested that the Committee role emerging from these discussions is one of propounding general security requirements that can be achieved in various ways, rather than standards. It was noted that the distinction between internal and external no longer holds because of the rate of "gobbling and disgorging" in the industry, and therefore that security standards need to encompass both the internal and the external.

Ms. Frawley called attention to the report of the NRC study committee, and particularly Chapter 6. That group found that the problem is not the absence of policies but the failure to enforce them.

It was noted that ambulatory care providers also have a growing interest in security measures.

A panelist asserted that PCs should not be used because they lack the capability for adequate security measures. This led to expressions of concern about small providers, something that arose in several contexts. The Subcommittee reaffirmed the importance of developing policy that is workable for small providers as well as large ones.

PANEL OF VENDORS

· Charles Breed, Pretty Good Privacy, Inc.

· Chuck Meyer, HBO & Co.

· Jim McCord, OACIS Healthcare Systems

· Carl Dvorak, Epic Systems

· Don Bechtel, Healthcare Data Exchange

Discussion with this panel began with a focus on audit trails, with an emphasis on the deterrent effect of letting people know their browsing is being monitored.

Mr. Van Amburg pursued his concern about data integrity and the detection of subtle sabotage or system error. Mr. Dvorak said the technology is available to detect computer system failure. Mischievous programs are a very small threat compared to malicious acts by people with legitimate access. The latter can only be prevented by denying access, such as by isolating programming staff from the production data systems. The group discussed the problems with limiting access.

On the implementation of security standards, they discussed a staged, iterative process over several years, starting with a threshold that is attainable by the low end of the industry and becoming more stringent and accommodating privacy requirements in later years. The preference was for an emphasis on policy and procedure rather than technical solutions, with the latter left to the industry.

On the subject of encryption, the panel stressed that thresholds are a decision for experts and should be addressed only after decisions are made about access policies and other guidelines. The panelists agreed that clearinghouses and networks use well-secured networks and do not need encryption, while it is necessary for Internet communications. As encryption takes time and is not even possible on some terminals, it should be done only when absolutely necessary.

PANEL OF STANDARDS DEVELOPMENT AND ACCREDITATION ORGANIZATIONS

· Jan Lovorn, ASTM

· Mary Kratz, University of Michigan Medical Center

· Lee Barrett, CW Costello & Assoc.

· Dan Staniec, NCPDP

The group first discussed accreditation, establishing that clearinghouses and VANs tend to accredit portions of their organizations rather than their entirety.

An exchange between Mr. Staniec and Mr. Moore focused on concerns about NCPDP's lack of support for the ASTM security standard.

They talked at some length about the potential for stimulating multiple, incompatible approaches to security if the Committee and Department only recommend policies rather than standards. Panelists stressed that interoperability must be an overarching principle.

It was reaffirmed that approaches must facilitate the operations of small as well as large providers, and that some degree of standardization may be necessary to simplify communications for physicians. Ms. Kratz stressed that to address interoperability in a secure way, the health care industry should agree on basic architectural requirements from which a security reference model can be derived, as the finance industry did. Her fellow panelists agreed, with Mr. Barrett adding that a base set of criteria would help move things along.

The panelists supported the idea of a joint work group on health care security, perhaps with ANSI HISB filling the role of promoting harmonization. Mr. Staniec said NCPDP would work with HISB on security issues.

II. SUBCOMMITTEE DISCUSSION

The Subcommittee devoted the afternoon of August 6 to discussing work plans and security recommendations. Regarding the work plan, they agreed that the immediate tasks are security, payer ID, employer ID, patient ID, and distribution/implementation. Next come data content and terminology. Recommendations on attachments are due in a year; CPR recommendations are due in three years. Work on attachments will begin in the winter, with hearings. The HHS team will report in November on its work with HL7 and X12. The attachments are seen as the kickoff for the work on CPR.

On the unique patient identifier, members agreed on the need for more input that encompasses the political dimension of this issue. They will decide on next steps after reviewing a report prepared by a consultant. If it seems premature, they will decline to recommend a patient ID at this time, despite the HIPAA mandate.

The Subcommittee discussed preparation for the November CPRI conference on terminology, in which NCVHS will participate. The possibility of sponsoring a follow-up hearing on CPR terminology was mentioned. Dr. Lumpkin noted that work is also needed on developing a process for moving toward unified procedure classification.

Members discussed alternative ways of handling version issues, and agreed to hold a hearing in the spring on this topic. They planned their initial work on data content, set to begin tomorrow, and the process that will flow from that.

The Subcommittee then discussed the security recommendations based on the testimony and discussion of the past day and a half. They framed their discussion with a recognition that the public at large is the Committee's main constituency or client in this effort, and the public's trust that their records are safe is the greatest value at stake.

Ms. Frawley urged her colleagues not to reinvent the wheel and to take into consideration the work of the HHS Security Implementation Team and of the NRC Study Committee. John Parmigiani, co-chair of the implementation team, briefed them on the team's work to date, stressing that the thinking of the team, those who testified at the hearing, and the Subcommittee seem to be very compatible. Moreover, the products being developed by ASTM, NRC, NCVHS and HHS appear complementary. The Subcommittee will review and give feedback on the matrix being developed by the implementation team.

Members reviewed the chief recommendations of the NRC Study Committee and expressed support for all of them. The Subcommittee authorized Ms. Frawley to draft a document reflecting the foregoing discussion. It will be circulated for comments and revised as needed for presentation at the September 8-9 NCVHS meeting. Members agreed that even after it fulfills its HIPAA mandate, the Subcommittee will continue to deal with security issues for a long time to come, especially given the movement toward the CPR. They also agreed to make it clear that the Committee sees its role as pushing the industry and expects its recommendations to evolve.

III. DISCUSSION OF DATA CONTENT ISSUES AND RECOMMENDATIONS

For the final portion of the meeting, members discussed data content, using as the frame of reference a document from the National Uniform Claims Committee (NUCC). They spent the bulk of the morning discussing individual data elements and the issues raised by them. The NCVHS core data element recommendations served as a major reference point. Although the main purpose of the discussion was to craft a workable approach to content and to surface key issues, the group also commented on several specific data elements. At the conclusion of the meeting, they reviewed their process, identified major themes and issues, and discussed next steps.

Before getting into specifics, they considered the overarching question of whether the document, which is a report on an encounter, should reflect items from elsewhere, particularly enrollment forms. This discussion led to an agreement that the Committee's responsibility is to assure that the right data are collected, and how and where the information is collected should be left to the experts. Another assumption was that the Committee's focus is an electronic version of a form that should be used to report encounters both for claims and in a capitated system. Also, because the existence of other supporting transaction forms that are easily linked to the encounter document cannot be assumed at present, some redundancy is in order pending further automation. The group also agreed that data elements and content issues relating to unique identifiers should be tabled pending further progress on identifiers. In this and other ways, it was recognized that this is a transition period with unique needs that are subject to change. For example, eventually it may be possible to substitute unique identifiers for much of the demographic information.

Members decided to refer to the terminology conference the question of what to do about items identified as important but in need of further work, such as functional status. (The NCVHS core data element recommendations had suggested placeholders for these items.) It was noted repeatedly that this is an iterative process, the goal of which is to build a flexible enough architecture that content can continue to evolve.

The Subcommittee took note of the fact that the NUCC set does not include race, and they agreed to investigate whether race is included with enrollment data.

Dr. Lumpkin raised the broad question of who owns the data content, and members agreed to think through a process for addressing data content issues in consultation with bodies such as NUCC, NUBC, and SDOs.

Ms. Greenberg suggested that the Subcommittee start working on a plan for reviewing the core data element recommendations, with particular attention to those that are not in the current standards.

Mr. Scanlon and Mr. Arges asked the Committee to articulate criteria for determining the status of data elements. In response to a request for staff assistance in this effort, Ms. Greenberg said she and Mr. Scanlon would find a way to pull together the themes from today's discussion and past ones for this purpose.

The group agreed that the next set of hearings should not only look at transactions but also start the discussion of attachments.


DETAILED MEETING SUMMARY

- Tuesday, August 5 -

I. PERSPECTIVES ON SECURITY ISSUES

The hearing portion of this meeting focused on perspectives on security issues in implementing the administrative simplification provisions of PL 104-191 (Kennedy-Kassebaum or HIPAA). Following introductions, Dr. Lumpkin welcomed the first group of panelists.

OVERVIEW OF ISSUES; STATE OF THE INDUSTRY

The panelists are listed below. The testimony of all panelists is available on the NCVHS Web site at the address listed above.

· Carl Landwehr, National Research Council/Naval Research Laboratory

· Laura Brown, Ernst & Young, LLP

· Dale Miller, Irongate, Inc.

· Erica Drazen, ScD., CPRI

· Adele Waller, Esq., Goldberg, Kohn, Bell, Black, Rosenbloom & Moritz, Ltd.

Discussion

The discussion period following the presentations began with the comment from Mr. Gellman that most of the security measures discussed have nothing to do with privacy legislation, so the absence of such legislation is not an excuse for not having addressed security issues. Mr. Miller agreed with the assertion that breaches of electronic health information systems are probably occurring that organizations do not know about because of the absence of auditing practices. Dr. Lumpkin appealed for stories of breaches that the Committee can use to support its security recommendations.

Dr. Drazen said what is rare are breaches that involve the disclosure of information for personal gain. She suggested that health care organization CEOs recognize their responsibility for confidentiality and security; they simply lack the expertise to know what to do about it. Mr. Miller noted that patients are reluctant to pursue inappropriate disclosures because that process would subject them to further disclosure. Mr. Gellman pointed out that although society tends to focus on hackers as the main threat, there are many sources of threats to computerized systems, most of which are very difficult to identify or track.

Dr. Cohn asked for comments on whether the basic issue is the absence of security technology or the industry's failure to use available technology. Dr. Landwehr said a good deal of technology (e.g., passwords) is not being used. Ms. Brown explained that the rapid and far-reaching changes in health care have worked against making the business decisions that are a precondition for the use of technology. Mr. Miller noted that these are tough decisions because they force management to commit to policies about such things as access, an area that is far more complex in health than in other industries. Ms. Waller said her clients have been told by vendors that their security requirements will slow down response time, leading to difficult tradeoffs between functionality and security. Dr. Drazen agreed that on balance, the technology is available.

Ms. Frawley observed that vendors typically insist on the need for customized solutions, even when the security requirements are common to many organizations and are stipulated at the outset. Moreover, some have made promises that have not been borne out in practice. She asked for comments. Mr. Miller said people tend to focus on security issues during the implementation phase and thus ask for protections too late in the process. Dr. Drazen said similar problems arose when HL7 became a consensus standard; eventually, the vendors will respond to customer demands.

Mr. Blair observed that despite the emergence of standards and some good security policies and practices defined by CPRI and ASTM, the panel seems to be saying that consistent implementation is lacking. He asked if it would help if JCAHO and NCQA agreed on common accreditation activities. Noting that the incentive to be prepared for accreditation surveys already exists, Mr. Miller said the accrediting bodies could build on that to review how organizations are using CPRI's material and the ASTM standard.

Mr. Scanlon asked for comments on the type of federal standard the panelists would like to see -- broad policies and principles or specific techniques and software -- and, second, whether the standards would have to be tailored to different settings and systems. Ms. Brown suggested a survey of existing guidelines and standards, and a framework for how they relate to each other. Dr. Drazen said federal guidance is needed on the issue of rights to information access. Mr. Miller suggested policy-level federal guidance, rather than detailed how-to's. Dr. Landwehr noted that the NRC report also advocates a broad approach. All panelists said such policy would be valid throughout the industry, with implementation varying with the setting.

Dr. Braithwaite expressed his view and hope that the health care industry can adapt technology developed elsewhere. Ms. Brown advised caution in how things are imported, and Ms. Waller agreed, noting that privacy is not a priority in the banking industry. Dr. Drazen also noted the differences between the two industries in regard to access to information. Mr. Miller stressed that health care can adapt existing technology, as long as it is understood that one size does not fit all. The tools must be customized to suit the culture, systems environment and management style of each organization. Dr. Landwehr commented that technology developments probably will not come from the health field, and he agreed on the need to adapt appropriately. Ms. Brown noted that the adaptation is based on an understanding of acceptable risk. Asked about the sources of resistance to using existing technology, the panelists cited the time required and limitations in the design of security systems.

Noting his interest in data integrity, Mr. Van Amburg asked about the state of the art for detecting subtle system corruptions. Mr. Miller responded that the risks for such subversion are high and the chance of detecting it low, given current controls.

Dr. Lumpkin asked for comments on a reasonable time frame for recommended standards and the anticipated cost of implementation. Dr. Drazen replied that although this will vary among institutions, the cost of complying with policy standards will be minimal and 18 months is sufficient time. Technical standards will take longer and be more costly. She stressed that the cost of implementation will increase the longer it is delayed, because many systems are now being purchased. For most, the major cost of greater security will be from adding or reassigning people.

Noting that vendors have not designed proactively in the past, Dr. Lumpkin asked the panelists to predict whether vendors could have an acceptable product ready in a reasonable time once security standards are in place. Dr. Drazen said vendors tell CPRI that their costs are associated with the absence of a standard and the need to customize, and that they will be able to respond to standards. Vendors that have kept track of developments in this area -- whose investments to date have not met with marketplace advantage -- will finally be rewarded. Ms. Waller cautioned against requiring health care organizations to conform to the standards for their legacy systems, as this would be too costly. Dr. Drazen disagreed, noting that many legacy systems will have to be replaced and that confidentiality must be guaranteed throughout integrated delivery networks.

Asked if they favored a specific standard for recommendation to the Secretary, the panelists were in agreement that no single standard is adequate. Dr. Landwehr said the NRC suggested the creation of a group to advise on standards on an ongoing basis. Ms. Brown reiterated her request for a survey and a framework that integrates the strengths of existing standards. Mr. Miller recommended that ASTM and its affiliates be recognized as the SDOs. Dr. Drazen recommended that the Committee outline all the areas that should be covered in the standards.

Mr. Blair asked if it would be useful and feasible for the overlapping activities of CPRI and ASTM regarding guidelines and standards to converge, and if their guidelines would provide a foundation for extending data security practices. Dr. Landwehr cautioned against relying on the convergence of two disparate groups. Ms. Brown said although the two can be combined, the product must be compared to generally accepted security principles and practices outside health care. In combination, they can contribute to a foundation but not form one. Mr. Miller affirmed that the work of the organizations to date can improve security. He agreed with a suggestion to bring the wisdom of information systems security professionals to bear.

Dr. Drazen said that while CPRI enthusiastically supports the idea of a joint effort, it is limited by a lack of funding and its volunteer membership. CPRI and ASTM have already talked about melding their glossaries. The NRC report can help provide perspective on where the gaps are in the topics addressed by the two organizations. Ms. Waller endorsed the idea of building on what they have done. Ms. Frawley described the joint activities by CPRI and ASTM, noting that a process is underway that is aided by HHS staff. She praised the SDOs for their joint efforts in this area.

Ms. Greenberg asked for a clarification of the NRC recommendation for a new standard-setting body in this area. Ms. Frawley said the NRC recommendation (which calls for a new body within NCVHS to address security) predated the passage of HIPAA and the reconfiguration of NCVHS. The legislation and the creation of the Subcommittee on Health Data Needs, Standards and Security and its K2 Work Group have fulfilled the NRC recommendation.

PANEL OF PROVIDERS

· Sean Auton, Esq., University of Michigan Medical Center

· Gary Beatty, Mayo Clinic

· Ted Cooper, M.D., Kaiser Permanente Medical Group (Chair-elect, CPRI)

Discussion

Mr. Blair asked for comments on what is still lacking, given that the industry is using CPRI and SSL guidelines and that encryption technologies are available. Dr. Cooper said the problem is "knowing what is enough" -- i.e., a set of accepted industry practices and standards is needed. Perhaps JCAHO or NCQA could inspect organizations and determine whether they are doing enough. Mr. Beatty said Mayo's goal is a security perimeter that would assure high-level security across communication vehicles. Dr. Cooper agreed with Mr. Blair's characterization that what is needed is a minimal level and the establishment of a base. Noting the crucial difference between policy and technology standardization, Mr. Auton said what is missing now is the policy for what standards to use and how to use them. He urged the Committee to put its energies in this area. Dr. Cooper agreed that a "Good Housekeeping Seal of Approval" would be helpful for health care organizations, but he added that an indication of where to employ the technology would also be helpful. Mr. Auton asserted that the nature of the boundaries between levels of security for different environments is a technology issue.

Asked why they are calling for standards and policies, the panelists spoke of the need to know what is generally accepted and approved, to know they are playing by the rules and to level the playing field in terms of costs.

Mr. Scanlon asked about the relationship between privacy and security, and whether a national privacy law would help create the conditions for implementing security policies. The panelists agreed that it would be helpful to have a national standard and consistency among the states, which are now incompatible with each other and with federal regulations. Only the federal government can create consistency.

Dr. Lumpkin asked the panel to comment on the basic practices recommended by the NRC. They supported all three mentioned: individual identification of users, access control, and audit trails. The latter recommendation prompted considerable discussion, which stressed the need to target the auditing and to combine it with review of the audits and publicity of the practice so it serves a deterrent function.

Mr. Scanlon asked the panelists to rate the relative risks from insiders versus outsiders. Mr. Beatty said Mayo is able to track internal activity but loses that control outside the organization. Dr. Cooper said his organization is currently more concerned with internal threats, but the attention will probably shift to external threats in a few years. The panelists agreed that the Committee's recommendations should cover both internal and external exposures.

PANEL OF PROVIDERS, PAYORS, AND PROFESSIONAL ASSOCIATIONS

· Pat Forbis, CMT, Amer. Assn. for Medical Transcription

· Cindy Zakoworotny, Amer. Health Information Mgmt. Assn.

· Kepa Zubeldia, Assn. for Electronic Health Care Transactions

· Randy Sanovic, United HealthCare

Discussion

Mr. Sanovic was asked to discuss the application of a national standard to clinical data. He said clinical data that identify the individual should be encrypted and hidden from view, while accounting-type information does not require that level of protection.

Asked about disclosure practices by vendors using transcriptionists in foreign countries, Ms. Forbis said no disclosures are made unless the client asks a specific question.

At Dr. Cohn's request, the panelists explained the X12.58 security standard, which has been approved for about 10 years. It has a syntactical structure that permits the secure transfer of X12 information between entities. It will cover HIPAA transactions for encryption and digital signatures. PGP is a security envelope and can be used in lieu of the X12 security standard. It is sometimes preferred because of its greater convenience and lower cost.

Dr. Zubeldia said ENVOY-NEIC uses PGP, rather than X12.58 encryption, to send data over the Internet. Asked to characterize the security policies of private networks, which carry 99 percent of health care administrative transactions, he said tapping into the line on such a network is unheard of, probably because it would be very random and yield little information. It is felt that the wiretap act provides adequate legal protection. Dr. Cohn suggested that the Committee learn more about these topics before discussing them further. He speculated that PGP and X12.58 are complementary standards.

He then asked whether United HealthCare meets the standards specified by the NRC regarding the secondary uses of data. Mr. Sanovic responded affirmatively to all the specifics and the general policies and procedures cited. He is comfortable with the recommendations with respect to internal operations; externally, the information may be vulnerable to lapses by other entities. Caution is needed, for example, in the use of the Internet; his company monitors their use of it, which is limited to business purposes.

PANEL OF VENDORS

· Andrew Ripps, Health Point

· Ralph Korpman, M.D., Health Data Sciences Corp.

· Dixie Baker, Ph.D., Science Applications Internat'l Corp.

· Dan Proctor, Passport

Discussion

The group agreed with the following framework for thinking about security measures, as proposed by Dr. Cohn: security within information systems, policies around security, and security for linkages between systems. Dr. Cohn asked the panel to explain where C2 and the orange book fit in this framework. Dr. Baker explained that the TCSEC is a hierarchical structure of functionality that begins with C2 (the minimal requirement) and goes through B1 to A1. The A1 standard is attained by only one product. Dr. Korpman said the orange book is the archetype of what he thinks the Committee should do. Everything in it is germane to the health care system.

Mr. Proctor commented that the Committee is starting with a clean slate in setting policy, and its role is partly to legitimize some of what people are already doing.

Dr. Lumpkin suggested that the Committee role emerging from the foregoing discussion is one of propounding general security requirements that can be achieved in various ways, rather than recommending standards. Ms. Frawley noted that the NRC study committee reached the same conclusion. Dr. Lumpkin observed that in security, the Committee is focusing on the internal work of entities more than the interaction between them -- the latter having been the focus of the earlier standards recommendations. Dr. Korpman observed that standards discussions have generally focused on inter-party transactions because of the emphasis on claims data, when in fact the serious security issues have to do with health care data, much of which is internal to organizations and networks.

Mr. Blair asked whether C2 standards would be consistent with the emerging security technologies for the Internet. Dr. Baker noted that the goal is protecting the integrity and confidentiality of data "from end to end." Dr. Korpman added that the orange book is necessary but not sufficient for achieving this goal. Dr. Baker reported that TCSEC, the European ITSEC and the Canadian CTCPEC came together last January and developed common criteria for protecting health data.

Dr. Mor observed that the distinction between internal and external no longer holds because of the rate of "gobbling and disgorging" in the industry. He proposed that security standards need to encompass the internal and the external, and Dr. Korpman agreed. Dr. Cohn commented that the distinction between clinical and administrative data also is tenuous, and here too security needs to cover it all. He wondered about the boundary between security standards and policy standards, and was told simply that the two are inseparable. Dr. Korpman cited the Quebec model as something that addresses both, and he suggested that the Committee specify both the policy criteria and the technical criteria that should be met. Ms. Frawley noted that the NRC study categorized five threats within a health care entity, four of which are internal. As she did several times in the course of the meeting, she encouraged her colleagues to look at Chapter 6 of the report, adding that the study group found that the problem is not the absence of policies but the failure to enforce them. Dr. Korpman added that this must happen in real time.

Mr. Ripps pointed out that 450,000 ambulatory physicians are starting to implement the kind of technology being discussed here, and disclosure is a big issue for them. Dr. Korpman commented that security measures must be transparent to health care providers, partly because "they don't care" about it.

Dr. Zubeldia raised the possibility that the same security level can be attained by isolating computers as by building in the kind of protections being discussed. Dr. Baker asserted that it is critical to separate execution domains, which cannot be done on PCs; thus, "if you care at all about the integrity of data, you shouldn't be using the PC." Dr. Lumpkin observed that this restriction would be very problematic for small providers and thus for the country. Dr. Korpman countered that all providers' patients are entitled to a minimum level of authentication and auditability, and he suggested laying out on a policy basis what patients should be entitled to.

Dr. Cohn commented on the Subcommittee's need to integrate what it has learned in this hearing into its recommendations. Members encouraged the panelists to stay for the next day's discussion, to attend the September meeting of the full Committee, to watch for letters from the Subcommittee with additional questions, and/or to send their own unsolicited comments and suggestions. Dr. Lumpkin thanked them for meeting with the Subcommittee, and they recessed until the next day.


- Wednesday, August 6 -

PANEL OF VENDORS

· Charles Breed, Pretty Good Privacy, Inc.

· Chuck Meyer, HBO & Co.

· Jim McCord, OACIS Healthcare Systems

· Carl Dvorak, Epic Systems

· Don Bechtel, Healthcare Data Exchange

Discussion

Asked how his organization knows its audit trails are effective, Mr. McCord stressed the effectiveness of letting people know their browsing is being monitored. In his organization, the amount of inappropriate visits decreased once the auditing process was publicized. In response to a follow-up question from Mr. Gellman, he said that although he favors having confidentiality legislation in place prior to security standards, he would prefer to move ahead with the latter if it will take several years to pass confidentiality legislation. Something, he noted, is better than nothing.

Mr. Van Amburg pursued his concern about data integrity and the detection of subtle sabotage or system error. Mr. Dvorak said the technology is available to detect computer system failure. Mischievous programs are a very small threat compared to malicious acts by people with legitimate access. To prevent this, it is necessary to deny access, and he recommends isolating programming staff from the production data systems.

Asked to comment on audit trails, Mr. McCord and Mr. Dvorak said the issue is the amount of detail of the record, and it is best to keep it simple. Mr. Meyer pointed out that systems in the industry are heterogeneous, and the legacy systems have tended to focus on who has changed the record. Returning to Mr. Van Amburg's question, he said malicious attacks are more likely to be directed toward organizations than individuals, focusing on financial or administrative systems. Mr. Gellman warned that this could change. Asked how his organization reviews audit trails, Mr. Dvorak said they use algorithms and run analyses that detect patterns. Mr. Meyer commented that it is preferable to limit access up front rather than trying to detect misdeeds, although he acknowledged that people must have access to conduct operations. Dr. Lumpkin gave a hypothetical example illustrating an urgent need for patient history information by emergency personnel without authorized access, and Mr. Dvorak called this a "break the glass situation" with its own protocol.

Dr. Cohn observed that the general question is the appropriate level of security for the community to seek. He asked what the speakers regard as fundamental, given their advocacy of building security into systems from the beginning while "starting low and then advancing." Mr. Meyer favored starting a step beyond where the field is at present and beginning a process by which standards can be built into the next iteration of products. He agreed with Dr. Lumpkin that it might be advisable to outline a series of stages involving progress over several years. This process would include accommodating any requirements in privacy and confidentiality legislation. He stressed the need to be policy- and procedure-based, as exemplified by the European pre-standard. Mr. Dvorak noted the importance of building systems that can be added to.

Dr. Cohn observed that two different views have been expressed: one recommending starting now at one level and moving to a higher one in a few years, and the other saying that given six months, good security could be attained in the short term. Mr. Dvorak asserted that the main issue is getting a consensus on what adequate security is. Most systems built in the last five years have more security than the initial recommendations will require. Mr. McCord noted that cost is another barrier.

Ms. Frawley commented that given the NRC Study Committee's finding that most of the industry lacks even a security perimeter, it will not be possible to "jump ten steps up." She recommended defining the threshold and getting everyone to that level -- something that will be especially challenging for clinical information systems, whose organizational policies and procedures are often weak.

Mr. Blair asked about the applications and thresholds for encryption in the contexts of the Internet, clearinghouses or VANs, and within organizations. Mr. Breed demurred that thresholds are a decision for experts and should be addressed only after decisions are made about access policies and other guidelines. Mr. Bechtel noted that encryption adds considerable overhead to processing, thus reducing transaction processing throughput, which will have a significant impact on system and processing costs to information systems and clearinghouses. Mr. Dvorak cautioned that all security threats and risks should be prioritized before encryption is considered. Many other measures may prove more important in protecting patient records. Dr. Zubeldia later reiterated that the private circuits used by clearinghouses and VANs are very secure and do not need encryption. He explained that unlike VANs, clearinghouses would have to decrypt and reencrypt data, so their overhead would be much greater.

Pressed by the Subcommittee to recommend thresholds for encryption for data in motion and data at rest, the panelists agreed that clearinghouses and networks use well-secured networks and do not need encryption, while it is necessary for Internet communications. Mr. Meyer recommended encrypting patient identifiers, which he noted could include such data as address and birth date. Mr. Breed pointed out the need to "know your attackers" and to be clear about what you are trying to protect. He cautioned against assuming it is unnecessary to protect internal data. Mr. Meyer said risk assessment is key, and he pointed out that Dr. Zubeldia favors message authentication over encryption. Dr. Zubeldia explained that encryption takes time and is not even possible on some terminals, so it should be done only when absolutely necessary -- e.g., for Internet communications. In that context, there is less overhead when everything is encrypted because the data can be compressed before encryption. Mr. Blair noted that this view contrasts with clinical data repositories, which would only encrypt identifiers.

Regarding tracking audit trails, Ms. Coltin noted that there are different types of inquiries, those on individual patients and those on populations. Mr. McCord replied that most panelists are interested in the first type. One approach to cross-sectional inquiries involves scrubbing the data, assigning a report key that requires approval, and then auditing the approval.

PANEL OF STANDARDS DEVELOPMENT AND ACCREDITATION ORGANIZATIONS

· Jan Lovorn, ASTM

· Mary Kratz, University of Michigan Medical Center

· Lee Barrett, CW Costello & Assoc.

· Dan Staniec, NCPDP

Discussion

In response to a question, Mr. Barrett said that there are between 100 and 200 VANs and clearinghouses, of which fewer than 10 percent are accredited. Dr. Zubeldia added that the top ten clearinghouses (most of which are represented at this meeting) process about 80 percent of the business. Asked if they are accredited, Mr. Barrett said that typically, companies under the clearinghouse umbrella are accredited but not the entire clearinghouse.

Mr. Moore talked with Mr. Staniec about NCPDP's position not recommending the ASTM security standard. Citing concerns about the cost to pharmacies, Mr. Staniec said NCPDP wants more time to work on a joint SDO effort. Mr. Moore pointed out that NCPDP is being considered as a major change in the standard, and security will be a big issue. If security seems to present a problem, the Department may have to take another look at NCPDP. Mr. Staniec assured Mr. Moore that the NCPDP standard is secure, and Ms. Lovorn affirmed that they use dedicated phone lines.

Dr. Mor followed up on Ms. Kratz' comments about standardizing health care role definitions. She explained that professionals play different roles in different settings, and these need some degree of standardization. Dr. Mor cautioned against prescribing a structure that inhibits the natural evolution of clinical processes.

Ms. Frawley asked the panelists to comment on standard X12.58, which was discussed the previous day. Ms. Kratz explained that it defines security as a message wrapping mechanism, but her impression is that it does not really address secure message wrapping. HL7 feels that a three-tiered message wrapping approach, which X12.58 does not offer, is needed. Ms. Lovorn said the standard in question was designed to protect transaction sets, and it has not been used because it was not required. Ms. Kratz said the X.9 subcommittee is working on this and would welcome collaboration with the health care industry.

Mr. Blair queried whether the emerging vision of an approach -- starting with risk assessment, followed by policy development and finally decisions about standards and technologies -- is at risk of generating incompatible solutions. Ms. Lovorn said a central requirement is interoperability. Organizations can do what they want with their closed systems, but must meet certain requirements if they want to exchange information. Responding to a question about what is needed to achieve interoperability, Ms. Kratz said the Orange Book will become obsolete. Ms. Lovorn added that the U.S. and the European Community are identifying a set of common criteria that allow for modular system development to replace the Orange Book.

On the scenario of proliferating approaches, Dr. Lumpkin pointed out that one- or two- physician offices participating in multiple health plans would have a hard time dealing with a variety of approaches if the government chooses not to standardize practices. Mr. Barrett agreed that some standardization is needed, to minimize the hassle factor for physicians.

Ms. Kratz advised physicians in small practices to use the Internet. Asked about the effort to bring together use cases, frameworks and thresholds, she spoke in support of a joint work group on health care security, and suggested that ANSI HISB fill the role of promoting harmonization. The other three panelists agreed, and Mr. Staniec said NCPDP would work with HISB on security issues. Mr. Blair observed that this would then make it possible to identify the level of risk in pharmaceutical transactions.

Returning to the issue of interoperability, Ms. Frawley noted the danger of perpetuating the complex and incompatible systems that have plagued hospitals. Ms. Kratz stressed that to address interoperability in a secure way, the health care industry should agree on basic architectural requirements from which a security reference model can be derived, as the finance industry did. Her fellow panelists agreed, with Mr. Barrett adding that a base set of criteria would help move things along.

In response to another question, Mr. Staniec agreed with Ms. Frawley that pharmacy benefit management companies need security practices to maintain patient confidentiality. He said the large companies have such policies and procedures. She had commented that the NRC group found that some PBMs were passing individually identifiable information on to employers. This concluded the hearing portion of this meeting.

II. SUBCOMMITTEE DISCUSSION

The afternoon session was devoted to a Subcommittee discussion of work plans and recommendations on security. Members began by identifying the tasks to be included in the work plan, as follows:

· security

· payer ID

· patient ID

· content (including core data elements)

· employer ID

· CPR

· a framework for procedure coding

· terminology

· code sets

· implementation and distribution issues

Timetable: The immediate tasks ("very soon") are security, payer ID, employer ID, patient ID, and distribution/implementation. Next ("soon") come data content and terminology. Recommendations on attachments are due in a year; CPR recommendations are due in three years. Work on attachments will begin in the winter, with hearings. The HHS team will report in November on its work with HL7 and X12. The attachments are seen as the kickoff for the work on CPR.

Dr. Lumpkin asked if more hearings were in order, and the initial response focused on the need for more input on the unique patient identifier. Mr. Gellman observed that the hearings on confidentiality revealed the lack of consensus on this issue and the need to view it in a broader, political context. He suggested Willis Ware as an expert on the subject. He advised against recommending an identifier pursuant to the Congressional mandate if the Committee does not feel ready to do so. Members agreed to decide on next steps after seeing the consultant's report due the following day. The patient identifier will be a major item on the agenda of the September breakout meeting, to which the co-chairs of the HHS teams will be invited. Mr. Scanlon suggested deferring discussion of this issue until the Secretary's recommendations are out and a privacy framework is being debated on the Hill.

In view of the decision to participate in the CPRI conference on terminology on November 12-14, Dr. Cohn noted the need to identify pertinent issues. Ms. Greenberg added that the Committee also committed to a second hearing on vocabulary and terminology related to the CPR. This might take place following the CPRI meeting.

Dr. Lumpkin noted that the Committee's recommendations on procedure coding call for some follow-up work to identify a process for getting to a unified scheme.

The group then discussed version control. Dr. Braithwaite suggested specifying the standard in generic terms and having a separate process for handling versions. Hard work is needed to bring together government and private sector processes in this area. Members discussed possible ways of handling version questions, including designating an entity with this responsibility. Mr. Moore noted that the issue extends beyond version control to a process for introducing new standards generated or required by industry -- for example, the minimum data set for nursing homes. The Subcommittee agreed to hold a hearing on version control in spring 1998.

The group added Payer ID and Employer ID to the agenda of the September meeting.

They then turned their attention to planning the next day's meeting and the process that will follow from it in regard to data content. After identifying the data elements in the transaction sets, deciding whether they should be conditional or optional, and agreeing on definitions, the next step is determining the acceptable values of the definitions. Mr. Mayes suggested that the members review the documentation over the next few weeks and return to the subject in September. Ms. Coltin pointed out the importance of looking at both the enrollment transaction and the claim transaction in considering content.

Dr. Lumpkin observed that the foregoing outline represents the work plan for the coming year.

The Subcommittee then focused on its recommendations on security. Dr. Mor helped establish the context by questioning how to do risk assessment when many of the values at issue are not monetary. Dr. Lumpkin further focused the discussion with the questions, "Why is government getting involved in this?" and "What is it that we are here to protect?" This led to identification of the public at large as the Committee's main constituency or client in this effort, and the public's trust that their records are safe as the greatest value at stake. Dr. Lumpkin noted the contrast with administrative simplification, where the main customer was the provider. Dr. Cohn noted the Committee's responsibility to assure a uniform, acceptable level of security in people's records. This trust also is a precondition of public comfort with the computerization of medical records, another Committee goal.

Ms. Frawley urged her colleagues not to reinvent the wheel and to take into consideration the work of the HHS Security Implementation Team and of the NRC Study Committee. The NRC report identifies the policies and procedures that would be "a good first step" for organizations. It also recommends a "second tier" of technical practices. She noted the wide range of capabilities and concerns, as well as turf battles, in the industry that make it difficult to lay out a template.

At Dr. Lumpkin's request, Dr. Braithwaite reviewed the Committee's charge under HIPAA. Then John Parmigiani, Co-Chair of the HIPAA Security Implementation Team, reported on the team's work to date. He stated that the thinking of the team, those who testified at the hearing, and the Subcommittee seem to be very compatible. Because this is a rapidly-evolving technological arena, the team has focused on requirements. In developing the recommendations, it studied feasibility from various perspectives, and has emphasized the importance of keeping the measures affordable. The analysis is summarized in a hierarchical matrix of requirements, a draft of which has been supplied to the Subcommittee. That document is still being refined, with the goal of releasing an NPRM in October, followed by a 60-day comment period. The team is mapping all available and emerging standards against the matrix.

The team's recommendations, which look at all health care data, emphasize technology neutrality, with details to be worked out among trading partners. They reference the NRC report, which provides a template for the kinds of controls needed. The notice will explain the logic that went into the recommendations.

The Subcommittee and staff discussed the law's intent for the NCVHS purview in this area. Ms. Frawley asserted that it covers more than transmitted health information. Dr. Braithwaite suggested that the law applies to every entity that does electronic transactions, but to the security of the system in which health information is maintained, not just security during the transaction.

Asked how it will be determined that an entity is or is not meeting the standard, Mr. Parmigiani said this has yet to be worked out. Ms. Frawley said the NRC report recommends that accreditation organizations incorporate requirements for meeting a minimum security threshold into the conditions of participation or licensure. The Joint Commission and NCQA have read the report and begun developing recommendations in this area, scheduled for completion in October. She agreed with Mr. Scanlon that the bodies covered by the accreditation process do not include all those to whom HIPAA applies; but it is at least a start that places the onus on providers to ensure they are dealing with ethical organizations.

In response to a question, Mr. Parmigiani said the ASTM document, the NRC report and the work of the HHS team are complementary and together form a fairly complete picture. The ASTM standard is to be balloted in late August and if approved, would be published in early 1998, in time to meet the NCVHS timetable for security guidelines mandated for February 1998. Mr. Moore commented that if the momentum is in that direction, people are likely to tolerate small, correctable flaws.

Asked about his expectations for the Committee's security recommendations, Mr. Parmigiani said he envisioned something on the scale of its previous recommendations on transaction sets, possibly referencing the work of NRC, ASTM, and the HHS team. It was noted that the SDOs are asking for specific thresholds. Mr. Moore said the Department will strive to make its regulations consistent with the Committee's guidance, as it has done with the Provider and Payer IDs. He pointed out that this first step of what will be a long, iterative process is to lay the basic groundwork. Significant comments are expected from industry following the NPRM. Mr. Parmigiani commented that even the SDOs see this as an iterative process and accept the need for flexibility and versatility, and everyone agrees on the need for interoperability.

Dr. Lumpkin asked the Subcommittee members about their comfort level with the direction of these discussions. Mr. Blair said he was encouraged by the progress. Mr. Gellman asked about the role of the Committee. Dr. Lumpkin predicted that its recommendations would be general and technology neutral. Dr. Cohn reserved judgment until he has reviewed the implementation team's matrix, but agreed about not getting into technical standards. Mr. Blair noted an apparent contradiction between recommending interoperability and letting trading partners decide how to do things. Mr. Parmigiani said the emphasis is on the former.

From the audience, Tom Hanks said that the clearinghouse industry favors the European standard presented in the AFEHCT testimony, and finds none of the existing U.S. standards satisfactory.

The Subcommittee then authorized Ms. Frawley to draft a document reflecting the foregoing discussion. It will be circulated for comments and revised as needed for presentation at the September 8-9 NCVHS meeting.

Mr. Gellman asked if the Committee might contribute anything beyond affirming the level of consensus -- for example, by highlighting broader unresolved questions that the Committee might help address, such as those around risk assessment. Dr. Lumpkin and others responded that even after it fulfills its HIPAA-related mandate, the Subcommittee will continue to deal with security issues for a long time to come, especially given the movement toward the CPR.

Mr. Blair hailed the evidence that NCQA and JCAHO are starting to close the gaps and loopholes between their operations. He suggested a process whereby these bodies use the HHS matrix as a guide for accreditation and also give feedback to NCVHS and/or the SDOs on areas where the standards need enhancement. Dr. Lumpkin commented that many health care organizations fall outside the scope of JCAHO and NCQA, making it necessary for NCVHS itself to set the pace and standard. In this vein, Mr. Moore said it would be appropriate for the Committee to recommend that all the conditions of participation for Medicare and Medicaid and other federal sectors be enhanced to include more comprehensive security requirements, with extension to the states. Ms. Frawley supported this reference to the states, citing as an example the lack of consistency among the states in the licensure requirements for authentication.

Moving toward closure, Dr. Lumpkin confirmed members' support for the principles of promoting interoperability and technological neutrality. They agreed that facilitating the process of finding solutions between trading partners is subsumed under the second. Finally, he reviewed the NRC recommendations, to which the Subcommittee members gave their support.

Ms. Coltin observed that in addition to the "buckets" of technical mechanisms and organizational practices, there is another having to do with external accountability. The group agreed to state that the Committee sees its role as pushing the industry, and that it expects the recommendations to evolve. Ms. Frawley noted the importance of education for consumer awareness.

Mr. Parmigiani asked the Subcommittee members to give feedback on the completeness of the requirements in the HHS matrix.

The meeting was then recessed until the following day.


- Thursday, August 7 -

III. DISCUSSION OF WORK PLAN AND DATA CONTENT ISSUES

Dr. Cohn asked for suggestions of topics of particular concern to NCVHS for discussion at the November meeting on terminology. He noted that many groups are participating in that meeting in addition to CPRI. Members agreed that procedure coding is the principal issue.

They then moved to the main topic of the day, data content, using as the frame of reference a document from the National Uniform Claims Committee (NUCC). They spent the bulk of the morning discussing individual data elements in this listing and the issues and principles raised by them. The NCVHS core data elements recommendations served as a major reference point. At the conclusion of the meeting, they reviewed their process, identified major themes and issues, and discussed next steps.

Before getting into specifics, they considered the overarching question of whether the document, which is a report on an encounter, should reflect items from elsewhere, particularly enrollment forms. Ms. Greenberg noted that some critical elements that are not part of encounter data are in danger of falling through the cracks. Dr. Braithwaite observed that the industry is in transition between paper-based and electronic information systems. Much of the industry still depends on gathering enrollment information from the provider, and it will be a few years before the ideal of a separate enrollment database is attainable.

Dr. Lumpkin commented that the purviews of NUCC and NCVHS, and thus the issues they are addressing, are different: NUCC looks at the encounter form, both paper and electronic, while in this context the NCVHS responsibility is for the electronic record. Dr. Cohn cautioned against tying data content too closely to work flow and suggested a consultation with experts on how and where information will be collected. The Committee's responsibility is simply to assure that the right data are collected. His colleagues endorsed this approach, noting as well the need to be attentive to burden.

In further discussion of the nature of this transition period and differences between paper and electronic records, it was noted that the potential for data linkage in an electronic environment is a major difference between the two. Because of this difference, Mr. Mayes encouraged that this discussion pay attention to the context (enrollment or encounter). Mr. Moore commented that the fact that billing data are being used for other purposes as well, such as quality assurance, has implications for what information is collected in the encounter. Ms. Coltin observed that some information is included because of concern that linkages will not work perfectly. Thus some redundancy is necessary, at least in the transition period. It was noted that eventually, unique identifiers may obviate the need for some demographic information, but even then, some intentional redundancy will be in order as a protective measure.

Ms. Greenberg observed that because encounter information is used for more than reimbursement, there are calls for information such as race and various risk factors. This too relates to the potential links between enrollment and encounter records.

Jean Narcisi of the AMA pointed out that the list of data elements is evolving, and there will be subsequent opportunities to update the data set. Dr. Lumpkin added that the Committee should give some thought to a process for updating the data sets.

As the group prepared to review specific items, it was suggested that they be evaluated in the light of what information is needed by the recipient of the information. Ms. Coltin said the NUCC list reflects what payors have said they need, at least during the transition phase. Mr. Moore added that this is the HHS approach, as well. He noted that the field is at best 65 percent electronic for claims transactions today. The group briefly discussed but did not resolve the question of whether or not "claim" and "encounter" are synonymous.

Members endorsed the following summary by Dr. Lumpkin of the foregoing conceptual discussion: The Subcommittee is working on an electronic version of a form that should be used to report encounters both for claims and in a capitated system. The existence of other supporting transaction forms that are easily linked to the encounter document cannot be assumed at present, so some redundancy is in order pending further automation. The group also agreed that data elements and content issues relating to unique identifiers should be tabled pending further progress on the identifiers.

The Subcommittee then looked at the NUCC document. Although their main purpose was to arrive at a workable approach and to surface key issues, some of the details may be worth noting. The following elements and issues received particular attention:

· NRUC (Not required under contract)

Given that this designation works against uniformity, it should be kept to a minimum. However, there may be instances when it is needed.

· Sex of the insured

Because it is not required under contract, it should be removed.

· Payor ID

Not currently included; may need to be added.

· Weight

This generated a good deal of discussion from which some broader issues emerged. First, the original intent of this element (which related to Medicare EPO claims) raised the question of how to handle the need for specialized information using standardized claims while also minimizing attachments. Second, members agreed that information that pertains to some 4-5 million claims a year, as birth weight does, affects enough people to warrant inclusion on the standardized claim. The Subcommittee agreed that weight as applied to EPO claims should not be included, and that they would investigate adding birth weight of the newborn as an RIA (Required if applicable). Dr. Cohn noted that issues of perinatal data gathering are highly complex and recommended that they query the nation's experts on this matter. Members agreed to revisit the question of how best to get information on birth weight.

· Patient ID number, patient account number and patient Medicaid ID number

The goal is to collapse all three of these into the unique patient ID. Ms. Narcisi pointed out that with the 837, an element can be sent an unlimited number of times.

· Homebound indicator

It was noted that "homebound" needs defining. Mr. Arges described alternative ways to handle information on unusual circumstances, with the aim of reducing attachments. Mr. Moore said to withdraw this item, which he had initially asked for.

· Auto crash indicator and e-code

These should be flagged as potentially redundant once confidence in the use of e-codes has been established.

· Patient's functional status

NUCC included this as a placeholder based on the NCVHS core data recommendations. Ms. Greenberg explained that this is one of several elements that were identified as important but needing further work, and the Department has not followed up on that recommendation. The group discussed whether, for elements that are important but still under development, it is in fact necessary to reserve places in the structure of transaction sets pending the specifics of definitions, data set, etc. It was agreed that this is a good item for the terminology conference. It was noted that the goal is to build a flexible enough architecture that content can continue to evolve.

· Patient tribe

This item is necessary now for payment in the Indian Health Service. Members felt that the goal to be worked toward with the IHS is for that agency to align its enrollment system with those of other third party payors and to find another way to accommodate this need, so that this element can be removed from the standard claim. In the meantime, they agreed that it should be retained as an RIA. A related suggestion was to add the patient's county as an element.

· Race

The foregoing discussion highlighted the fact that the NUCC set does not include race. The Subcommittee will investigate whether race is included with enrollment data. Arguments were advanced both for and against collecting race with enrollment. On the positive side, it need not be collected at every encounter and should be self-reported; on the negative side, it would then only be collected on insured people.

Dr. Lumpkin then reviewed the principles illuminated by the foregoing review. First, one goal is to minimize or eliminate the variabilities that could lead to varied practices within the standard. Second, this is viewed as a transition period, at the conclusion of which it may be possible to substitute unique identifiers for much of the demographic information.

He then raised the broad question of who owns the data content, noting that the Committee should think through a process for addressing this issue with bodies such as NUCC and NUBC. Dr. Cohn suggested that several SDOs should be heard from on this issue, as well. He also expressed hope that NUCC would follow up on the Committee's comments on specific data elements. It was suggested that both of these topics might be added to the agenda for a winter hearing.

On a separate topic, Mr. Blair said he would like to coordinate his forthcoming work on templates for clinical message format standards, clinical vocabularies and clinical data sets or models (which he is doing at the request of Dr. Fitzmaurice and under the auspices of ANSI HISB) with the Committee's work. Subcommittee members agreed that this is a good idea. Mr. Blair will speak with individual Committee members about this in the coming weeks.

Ms. Greenberg suggested that the Subcommittee start working on a plan for reviewing the core data element recommendations, with particular attention to those that are not in the current standards.

Mr. Scanlon commented that it would be useful to have a set of criteria for determining whether something is in, out, transitional, RIA, and so on. The Subcommittee asked for staff assistance in this effort, and Ms. Greenberg said she and Mr. Scanlon would find a way to pull together the themes from today's discussion and past ones for this purpose.

Mr. Arges said that NUCC is interested in continuing the dialogue with other bodies involved in the standards effort. He agreed with Mr. Scanlon that some basic criteria would be very helpful.

In conclusion, members expressed some frustration with the hurried nature of the current process and the delays in seeing the documents nominally under their purview as advisors. However, it was affirmed that what has begun is an iterative process that will build on these good but imperfect beginnings. A more deliberate process should be possible following the October deadline for issuing regulations. Dr. Lumpkin agreed with Ms. Greenberg's suggestion that the next set of hearings not only look at transactions but start the discussion of attachments. After the group agreed to meet for an extended time in September, he adjourned the meeting.

I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.

/s/ Barbara Starfield December 16, 1997

_________________________________________________________

Chair Date