[THIS TRANSCRIPT IS UNEDITED]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON HEALTH DATA NEEDS, STANDARDS AND SECURITY

August 6, 1997
Afternoon Session

Capital Hilton
16th and K Streets, NW
Washington, D.C. 20036

Major Topic: Perspectives on Security Issues in Implementation of Administrative Simplification Provisions of PL 104-191


A F T E R N O O N S E S S I O N [1:42 p.m.]

Agenda Item: Subcommittee Discussion

DR. LUMPKIN: The first thing we are going to do today, the very, very first thing that we are going to do is figure out who is going to be here for the work of the committee. So, if we can go around the room, figuring out when people -- I know Kathleen has to leave tonight for an unexpected reason. So, she will be gone tomorrow. So, if we can figure out --

PARTICIPANT: I will be here for the next hour.

DR. LUMPKIN: And then you are gone.

PARTICIPANT: You are not going to be here tomorrow?

MS. COLTIN: I will be here tomorrow.

PARTICIPANT: I will be here until noon tomorrow.

DR. LUMPKIN: Noon.

PARTICIPANT: I am here for the duration.

DR. LUMPKIN: Jeff?

MR. BLAIR: I will be here.

DR. LUMPKIN: You know, we have this thing about the NCVHS and I don't know if it -- we have interlocking memberships. So, if a member of a committee is -- of the overall committee is here and we are short on a subcommittee, we can draft you.

PARTICIPANT: Bob was just drafted.

DR. LUMPKIN: That is that despite the fact that we always believe that you count, you really do count.

PARTICIPANT: I really do count if they raise my price.

DR. LUMPKIN: We will double the amount we pay you.

Okay. Now that we have that covered, I think, obviously, any time that we go after noon tomorrow, we start running out of folks. So, we will play around with that.

The next item will be to figure out what we are going to do between now and tomorrow. I am going to go up to the flip chart because --

[Pause.]

Actually, I kind of lied. I think what I would like to do is kind of lay out the items that we have on our plate and then figure out how much of that we are going to dig into today and tomorrow and also that will help us figure out what we need to do in the upcoming period of time.

So, I think we have security, payer ID -- I don't think we have taken a position on that.

MS. GREENBERG: It was mentioned in the letter.

DR. LUMPKIN: Easy one, patient ID.

MS. GREENBERG: Small one. Content.

DR. LUMPKIN: Data content, what goes inside the envelope. Attachments.

[Multiple discussions.]

Right. This is our plate.

PARTICIPANT: The employer ID.

DR. LUMPKIN: Okay. We are going to just put a little tiny 2A, EIN -- oh, I am sorry -- employer ID.

Then we need to remember -- how much time do we have left on CPR? We have four years for CPR?

PARTICIPANT: We are down to three now.

DR. LUMPKIN: Oh, we don't need that much time, do we? Okay. So, somewhere we need to think about CPR. What else?

PARTICIPANT: A framework for procedure coding. You mentioned it in the letter in terms of the recommendations. "Terminology" might be a better word.

DR. LUMPKIN: Terminology. Okay.

DR. MOR: We were actually talking about this earlier. The issue of security, does that extend beyond the commercial transaction, the electronic -- it does. Both computer, as well as paper?

MR. MOORE: It says health care -- it says health information and we have taken that to mean security aspects would be broader than just the transactions that are required for electronic commerce.

PARTICIPANT: I thought so.

MR. MAYES: Just a clarification. Under "Security," are we including the electronic signature? That is explicitly mentioned in the legislation as separate from security in general.

DR. LUMPKIN: Is that something we are supposed to do in the next month?

[Multiple discussions.]

PARTICIPANT: Electronic signature tends to facilitate authentication.

[Multiple discussions.]

DR. LUMPKIN: Version control.

DR. BRAITHWAITE: Low cost distribution.

DR. LUMPKIN: Is that included under "Version Control" or --

MR. BLAIR: I don't know if this matters, but you had code sets. Are we basically considering terminologies synonymous with code sets?

MR. MOORE: We are separating the terminology and medical coding from the code sets that would be part of the -- the other parts of the transaction, like sex, type of service, place of service. Those code sets would be part of data content.

DR. COHN: I think that we need to figure out how we are going to put all these things together. I don't think that they are completely separate. They are not the same.

DR. LUMPKIN: I think that we may be -- I think data content would be where we would look at whether or not we are dealing with our core data set, what kind of things are inside the envelope and then terminology may be dealing with those code sets that would be more complex than just male, female, which I don't think we are as concerned about, which -- so, we have to figure that out.

DR. COHN: I tend to think of the definitions in the data field, I think -- and I don't know if that as good -- once again, we can revisit that.

DR. LUMPKIN: The suggestion would be the date of fields and what they are called and then the terminology will be what -- no?

[Multiple discussions.]

I see heads shaking. We need to figure this out, but we don't necessarily need to figure this out today because it is better that we have a broader definition of both these issues and do some overlap and then figure those out later, than trying to define them too narrowly and having pieces that don't quite get discussed because they are in the middle.

MR. MAYES: Just one. Perhaps a place holder because I don't really have anything specific underneath it, but there are going to be a whole series of implementation issues that I think will be coming to your plate, as we actually publish the proposed notice for rulemaking and such. And this being a public forum, it might be an appropriate place to discuss some of those.

DR. LUMPKIN: I am hoping our agenda won't get too much longer than that.

Other issues?

[There was no response.]

Now we have got some items and if people think of other things as we are going along, let's do that. Maybe if Bill can help us -- which one of these things -- what are our time frames for these? Obviously, this one we need very soon. Security, we need very soon. Payer ID, we need to do very soon. Employer ID, we need to do very soon.

Patient ID, we are supposed to do very soon. I mean, we are supposed to. I am not saying that we are going to, but I say we are supposed to. Whoever wrote that law just equated all these IDs together. I don't know who is responsible for that, but I would like to have a conversation with him later.

Data content. Soon. Okay. Attachments, we have got --

DR. BRAITHWAITE: A year to go.

DR. LUMPKIN: Okay. So, that is one year. And we have got three years for CPR and terminology --

MR. BLAIR: Well, a certain portion of that gets tagged to the financial administrative transactions and maybe another portion will get tagged to the attachments.

DR. MOR: I actually think the terminology has got to be in our mind set as we discuss data content.

DR. LUMPKIN: Okay. So, that is soon.

Version control? I think -- my guess is that if we adopt the regulation that talks about the current versions, that does buy us a little time to talk about version control. Obviously, we don't have a long time, but we may not have as much time. So, I am going to put this as a star minus.

Low cost distribution mechanism and implementation issues. Star minus.

Okay. Now having addressed these, are there any of these issues that we think we have not had adequate input on, such that we feel we may want to do some hearings in the fall because we probably haven't done -- I mean, none of us have gone to enough hearings, right?

I am sorry?

MS. FRAWLEY: We have a comment.

DR. LUMPKIN: We are going to give you guys separate microphones if you are going to keep on collaborating like that.

MS. FRAWLEY: It is easier to share one.

Patient ID is probably the one thing that we probably have not heard a whole lot on from industry. So, I am concerned about that.

MR. BLAIR: And that is one where even beyond industry input -- I am not sure I am using the right phrase here, but I would like to have a better understanding of the political implications of what we are doing with any form of identifier, even beyond health care and if there is somebody that could give us some guidance on that, even if it is in the form of some documents or reading or -- because I think that is more than just a technical identifier within our domain. I think it has some broader issues.

DR. LUMPKIN: Bob, do you -- from the hearings that you have conducted, would you say that you have -- can you perhaps say that there is enough there from the aspect that Jeff was talking about that we could review your hearing documents or do you think that there needs to be more to be heard?

MR. GELLMAN: Well, we did raise the issue with a lot of the witnesses that we had in January and February. There was no consensus. There wasn't anyone who had -- there wasn't anyone I would identify who had a great overview of the whole identification issue. I think you are right, Jeff, that trying to put this in a broader context is probably important. I am not saying there isn't anyone who can do it. We haven't into them yet.

I am not sure that based on the comments that we had we have raised this, not just at the privacy hearing. We brought it up some in the San Francisco hearing with people and, you know, they are just -- opinions are all over the place. I don't know that you will get much accomplished by having more hearings on this. You are just simply going to hear that there is simply no consensus and everyone has got their own pet proposal or lining up between one of three or four of the alternatives.

It might help but -- the best thing would be to find some people who really had the broadest and deepest overview and I just don't know who they are.

MR. BLAIR: Is there somebody analogous to yourself -- I mean, I tend to consider you kind of an expert in terms of privacy and confidentiality within Congress in trying to get some of the legislation written and passed. You sort of know where the minefields are.

Is there anybody that has dealt with personal identifiers, beyond health care, that has worked with that kind of issue, whether it is within the Social Security Administration or within Congress or anything else that could just educate us on sensitivities and issues?

MR. GELLMAN: I mean, the problem is that the issue has not -- outside of narrow context, like health identifier or immigration, you know, identifier, outside of a particular context, the broader issue has not been a political issue. It has not been an issue that has gotten much attention. It has not been a subject of any legislation that I know of. So, everything that has been done has been very piecemeal and I am sure there is somewhere out there is someone who has got a -- you know, someone like Willis Ware(?) from the RAND Corporation might be useful. There may be some other folks out there who have a much broader view, but even among the experts, when I have seen recommendations from them, they are split all over the place as well, in terms of what ought to be done.

There is simply no consensus on this issue anywhere. There may be some wisdom somewhere, but there isn't any consensus.

DR. LUMPKIN: Well, there are two separate issues on this. One is whether or not we should do it and we have heard a fair bit of comment and if we had a hearing, we would hear a lot of comment about that.

The second is how you do it. The law has resolved the issue of whether or not you do it.

MR. GELLMAN: I don't necessarily agree with that.

DR. LUMPKIN: Okay.

MR. GELLMAN: I think it is an open question of whether you do it or not.

DR. BRAITHWAITE: From HHS's perspective, the law directs the Secretary to do it and she will follow the law, unless it gets changed. The NCVHS's contractor on this issue is supposed to have his final report here for you tomorrow. It should be in tonight actually, but I will give it out to you tomorrow.

DR. COHN: What I was going to say, I was going to avoid the argument about UPI. I was actually going to comment, if we were to hold hearings, it obviously needs to include the privacy subcommittee, as well as this committee because it is a joint issue.

Today, as of this moment, I don't feel personally that I have enough information and the reason I don't have enough information has to do that I see that there is a number of competing approaches to how to do all of this stuff. So, I would seek additional information, which would probably be in the form of a hearing or something.

MS. FRAWLEY: Following up on your point, the July 9th meeting that we had at NIH, I mean, that was the first time that that team said here are the things that we are no longer considering and here are the things still on the table.

So, if we had a hearing, to me, it would have to be very focused. Here are the three options. Tell us which one is going to work and -- see, I don't think we should just debate whether or not we should have unique patient identifier and I agree that we have got legislation and unless Congress decides next week to change the law, I mean, we do have an obligation to come forward with a recommendation. But I would not want it to be an open-ended hearing about the merits of HIPAA or unique health identifiers or privacy, but very focused to here is the team's recommendations, kind of, you know, what does industry think, what are the implementation issues, what do you see in terms of real concerns, not, you know, whether or not this is a good thing to do.

DR. LUMPKIN: There is a scoring system that is in the ASTM document or -- and that scoring system, the unique health identifier team has taken all of the proposals and they have scored them by each one of those categories.

DR. COHN: Can I respond to that? Obviously, I think it is premature for us to make a comment only because I have only seen the draft as of July -- I think it was June 25th was the most recent draft I had seen. So, until I review that, I mean, I can't make a comment. So, we probably need to review and let's comment after we have that information.

DR. LUMPKIN: Okay. So, my suggestion would be that the way we handle this issue, unless -- well, let's -- you know, I think realistically we are not talking about having a hearing between now and September when we have our next meeting.

Given that, what I would suggest is that we get the materials that we get tomorrow. We look at the scoring sheets and when we have our separate committee meeting at the September meeting, that we put this as a major item on our agenda and if we don't feel adequate information to advise the Secretary at that time, we may make no recommendation. I mean, we may suggest that there will be additional hearings. So, we make that decision at that time.

MS. GREENBERG: And following up on what was said about what the team has done, I think we would invite the co-chair of the team or the teams, Bob -- to be at that breakout session.

MR. SCANLON: In terms of coordinating even the discussion of unique identifiers for individuals with what will be going on in the privacy side and there is every expectation that the Secretary will have her recommendations on time to the Congress and then I believe, Kathleen and Bob, you know this probably better than I do, that hearings would then be scheduled presumably on privacy on the Hill.

It would make much more sense to have a privacy framework being debated before we talk about a unique patient identifier.

MR. GELLMAN: Let me just offer the comment that anything you do with a patient identifier is going to get a lot more attention than anything else this committee does, general attention. I don't mean industry attention. It is going to get a lot more general public and political attention than any document you have created and you are going to put out there it will be requested and will be scrutinized and will be criticized by somebody or by everybody, depending, and this will be a very high profile issue.

DR. LUMPKIN: So, let me see -- and this all is going to go out over Don Detmer's name? I like that.

[Laughter.]

Attachments, we need to think about sometime in the future but not necessarily in the near future of scheduling appropriate hearings in reference to that, but I suspect that is not a fall issue for us.

DR. COHN: Maybe a winter issue.

DR. LUMPKIN: Winter. So, we are going to do -- we are going to look and then we are going to need to define that issue and then look to beginning hearings on that in the winter. And for the CPR, we are not even going to think about that within the next 12 months. Is that reasonable?

MR. MOORE: On attachments, you might want to at the November meeting have us report where we are working with HL7 and X12, at least get some feedback on what is going on there because we are working with them and pull that together, so we can give you an input on that. That is all. It would be like a status --

DR. LUMPKIN: So, if we get that status meeting, that will help us define what we were looking for in our hearing in the fall.

DR. COHN: You know, you were commenting on the CPR and I was just going to comment that I think the attachments in CPR, there is a lot of blending we are all aware of. So, perhaps the attachments are really sort of the kickoff of us beginning to look at CPR.

DR. LUMPKIN: Okay. Terminology.

DR. COHN: Well, can I make a comment? Okay. I don't think that there needs to be a -- I mean, probably we need to have some conceptualization and a glossary so that we all agree on terms to begin with, but even beyond that, at the last meeting of the NCVHS, we agreed that we would participate, be involved in a terminology conference coming up this fall and a very specific to do out of today and tomorrow would be to identify issues that we think are very pertinent, that we would like some information on or some questions answered or whatever.

That would be the only immediate to do that I think would occur out of that.

DR. LUMPKIN: Okay. So --

MS. GREENBERG: I would basically agree but there was -- when you had the hearing on classification systems in April, there was a commitment to have a second hearing on -- more broadly on vocabulary, terminology related to the computer-based patient record. I think then it was agreed when we heard about the CPRI meeting that it wouldn't make sense for the subcommittee to have a hearing prior to that. There is going to be participation though not co-sponsorship, but certainly participation by members, as I understand it, in that meeting. But following that meeting, then I think you would need to assess whether you would want to have a hearing because I know at least in my last conversation with the team, they felt that there might still be a need for the department or for the national committee to have a hearing following the CPRI meeting.

The CPRI meeting is November what --

PARTICIPANT: The 4th through the 14th.

MS. GREENBERG: The 12th through the 14th. Right.

DR. LUMPKIN: And we in our letter made recommendations to the Secretary about specifically procedure coding that I think requires some follow-up work by our committee to define what we would recommend to the Secretary as a process to getting to that unified coding scheme. So, that is an item on our agenda that we need to begin to address.

Okay. Version control, do we think we need to do hearings on that issue or is that something we just need to schedule time to discuss? It is a star minus issue. That is the reason why I am asking.

MR. SCANLON: Would the versions be specified in our -- which version of the standard -- would that be specified some other way?

DR. BRAITHWAITE: Well, because versions will change over time, I suspect it would be better to specify what the standard is in generic terms and then have the process set up to handle the versions. We have to set up this process not only to deal with how we get to a new version, how the industry gets to bring up its new data maintenance items and get it through the process in a reasonable amount of time.

Now, remember, we have just added a government bureaucratic process on top of a private sector, voluntary, long bureaucratic process and we are going to have to work hard to bring those things together and get that process smoothed out and running more rapidly than it does now.

I don't want to have to write a new set of regs and get it through departmental clearance and everything every time X12 or NUCC or anybody comes up with a new data element.

DR. COHN: I was going to comment that I think that actually bears also on the data content issue, at least as I define the data content issue, which is sort of -- I mean, they begin to get merged, especially if we start saying, well, gee, who is responsible for data content or how does that get -- how does that move forward.

MR. SCANLON: How do we envision, though, in this framework -- how would the version, for example, be specified, the first set of standards, let's say, when finalized in the February -- if there are versions to worry about, which version to specify -- if it is not specified in the regulation, what is the other -- how would it otherwise be specified? Would we say that the most recent version as determined by the appropriate SDO or -- we have to build into the language --

DR. COHN: That is part of the question, isn't it? Aren't you asking the question?

PARTICIPANT: That is the question that we need to resolve. You are not going to do that right now.

MS. BALL: But isn't the current thinking in the department something about the version, the specific version, into the addendum rather than in the body of the reg?

PARTICIPANT: But I don't think it makes a difference. It is either put it in the regulation --

MS. BALL: Well, if you are thinking of in terms of making changes down the road --

DR. BRAITHWAITE: You can change the addendum very quickly without going through the same amount of clearance.

MR. SCANLON: Well, I don't know. You would have to be careful. If it is part of a regulation, whether an appendix or not, you have to be fairly careful. You may want to think of a way -- at any rate, just looking at that from the point of view of when would this need to be worked out. Would it need to be worked out for the October --

DR. LUMPKIN: And one of the things, just to toss in the pot, would be to establish some entity, whether that be NCVHS as being the entity that would publish a most currently acceptable version list and so the NCVHS could -- so, the reg would reference that list and that would allow NCVHS to change the list when it is appropriate, but we would want to have the appropriate mechanism because you have got a value. You know, it is just like every time Microsoft changes, you know, Windows, there is stuff that doesn't work. And the cost is tremendous to the industry.

So, I think we want to tightly --

MR. MOORE: It is not just version control. It is new standards as industry finds new needs. One of the things that we have talked about with Vince over the last couple of days is that, you know, we have the minimum data set for nursing home. We talked about -- we, HCFA, about OASIS for home health and others. How do those -- do those sets get put into a larger arena? And should they be more of a standard that, you know, HCFA is not doing, you know, that it should be done in an arena that is for health care for all?

Are these new standards that are coming forward and how do you bring other standards that the industry might need? How do they get introduced, not just data content or data elements?

MR. BLAIR: The difference between HL7, 2.3 and 3.0 may be tantamount to a new standard.

DR. LUMPKIN: And when we get into the interactive standards, you know, for some of the current batch mounts, those might be considered to be --

MR. MAYES: Just as one portion of this, we are currently looking at one of the implementation issues in terms of developing a mechanism for the distribution of implementation guides. So, that would probably wind up being where we kept the list of currently accepted standards and that might also be at least -- one possibility would be for that to be where we began the discussion of movement towards either a new standard or new version.

So, there has been some discussion on that and we are actually looking at some contractors right now.

DR. LUMPKIN: So, should we be looking at conducting a hearing on the issue of version control, low cost distribution and implementation issues in the fall?

MR. MAYES: If we were able to get -- if we are able to get out the proposed notice of rulemaking for a significant number of these, I think that that would be a good time frame. It wouldn't make sense necessarily -- it would be nice to coordinate those two activities because we are putting out the notice for public comment and these are going to be some of the issues that people are going to comment on.

MR. MOORE: I think it is too early. I don't think the version control and implementation issues can really get started to get discussed until next spring. After the final reg gets out and we get all the comments in and get different opinions and so forth from individuals and companies, then we can organize that and put it together and then present to you what are the problems and the issues with where we are and you will have people bring forward -- this is ludicrous. We couldn't put this in in ten years, let alone two years.

So, those are the kind of things that we will find out in the next six months.

DR. LUMPKIN: So, are we comfortable then putting that on our agenda then for spring hearings, then on these issues? Okay.

DR. COHN: John, are we going to discuss after we talk security and all that if we need to do more for that also or is that --

DR. LUMPKIN: Yes, I think that would naturally follow after we address that.

So, the first item we are going to address today is security. So, that is going to be this afternoon. The payer ID, are we --

MR. SCANLON: We should spend a little bit of time on that. I think the plan was that payer ID presumably would be the second of the NPRMs(?). So, that will be before the rest of the standards.

DR. LUMPKIN: Right. Do we have anything that we can discuss at this meeting?

MR. MOORE: I wasn't prepared to put something on the table and defend it with you and lead that discussion.

DR. LUMPKIN: Okay. Will September be too late then?

MR. SCANLON: Well, as a process, Bob, maybe we could -- when we have a draft ready, we could -- it wouldn't be a hearing particularly. It would be --

MR. MOORE: We can do what we did with the provider ID. We could come back in and go over what changes we have made and all the things that we have done from the last meeting we had. That was in June.

DR. LUMPKIN: That would be September then?

MR. MOORE: Yes, sir.

DR. LUMPKIN: I don't know what the agenda is, but we may want to think about extending our breakout into the evening.

DR. COHN: The payer ID also may be something that gets to be a general updating for the entire committee. There could then be some discussion after that.

MR. MOORE: We are still looking at having that reg in the next month or two. A lot of issues that you raise have, I think, been answered and more work done on that.

DR. LUMPKIN: Okay.

MS. GREENBERG: When you say month or two, are we still talking in terms of all the regs being out in October?

MR. MOORE: We are still talking about doing that and, in fact, you know, one of the things I wanted Barbara to come down on the data content tomorrow and for her to come down, I have to pull her off writing the reg. So, she is back home working on that. So, we lose a day on it. But she needs to be here for the data content discussions, particularly with the transaction sets.

MS. GREENBERG: Right. Bobby(?) Reading.

So, I mean, with all of them being scheduled for October, is the payer ID really going to be any earlier than those? It might be. Okay.

MR. MOORE: I have refused to make any more commitments.

DR. LUMPKIN: Okay. For the employer ID.

MS. GREENBERG: That goes with that, doesn't it?

DR. LUMPKIN: It will probably go with September then?

MR. MOORE: We are trying to have some meetings set up with the IRS to discuss those issues and that might be a little bit later. We will have to see how difficult that is. We think it is easy, but --

DR. BRAITHWAITE: Hopefully, we can do it in the September meeting, along with the --

DR. LUMPKIN: There are so many enumeration issues with any of these IDs that it gets to be a lot more complicated than -- I mean, even with the patient ID, that is -- enumeration becomes quite a complicated issue.

Okay. So, tomorrow we are going to talk data content with the materials that we do have available, even though the data dictionary -- at least we can get a good start on that issue.

Attachments, we are going to have winter hearings. So, we are going to talk security this afternoon and data content tomorrow morning.

Anything else we need to put on the agenda for tomorrow?

PARTICIPANT: [Comment off microphone.]

DR. LUMPKIN: Okay.

DR. COHN: We will figure out what we need to do at that point, take the next step. Is that what you mean?

DR. LUMPKIN: That is right. And with the patient ID, we may think we have enough to go -- for recommendation, given the environment or we may -- if we decide we don't have enough and we want to do a hearing, then we will decide that later.

MS. GREENBERG: Let me just say on the data content that we do have a document from the NUCC and one from the NUBC and if members or staff want it by the end of the day so they can look it over in the evening, you may have it. Otherwise, you will have it in the morning. So, it is your choice.

DR. LUMPKIN: So, looking at this, then do we feel comfortable? I think I am suggesting that maybe we can shoot to conclude at noon, when Simon leaves.

MS. GREENBERG: It depends on the kind of review you -- I mean, I think that probably the kind of review -- one type of review you might want to do on the data content couldn't be done in one day either. So, I guess, you know, see how it goes. It is just that there is a lot of content.

MR. SCANLON: But isn't the issue there the process for considering new content and revised content, rather than for the individual --

MS. GREENBERG: I don't know. Do you see an actual discussion of content as opposed to the process for determining content? I had thought so, but maybe not.

MS. COLTIN: I thought that what we would be talking about is not only what data elements were in the transaction sets, but the recommendations as to whether those elements ought to be required versus conditional or optional and the definitions to be used for those data elements.

MS. GREENBERG: It is a big job.

MS. COLTIN: Okay. The next step would be logically, as Simon outlined, what are the acceptable values given those definitions, but I think we would be crazy to think we could get through that.

MR. MAYES: You are talking this much documentation at that level. It may be better for the members to get all the documentation over the next week or two and review it with their particular -- because otherwise, I mean, you will spend all the time flipping the pages trying to find it.

DR. LUMPKIN: See, I think that when we say, you know, there is this much in there, I suspect that, you know, there is a lot that will be culled out that we don't really need to discuss and maybe we can start some of that tomorrow with what we have and then the additional documentation that we had hoped to get today will come and we can add some additional items and we may either want to do a conference call before the September meeting or go until 10:00 in September. But I think that we will work with what we have tomorrow and that will give us a better feel for what kind of workload we are pressing ourselves into.

I am a little bit concerned about the ending time. So, would people feel comfortable maybe starting at 8:00 tomorrow, so we get a much better start? Then we can evaluate where we are at a little bit towards later morning. I wouldn't suggest that anybody who has a flight scheduled out that they would get an earlier flight at this point, but at least we have some idea of trying to get as much done before Simon has to leave and then evaluate where we are at.

DR. COHN: Yes. I guess one of the questions has to do with the expectations around data content because that really is like walking into -- it is heavy treading, I guess, is a nice way to describe it and I guess I would suspect that at least in our view, we need to sort of have an overview, an introduction to the issues and the views about it, rather than attempting to make decisions.

Is that sort of what your view of the outcomes of that session or are you expecting that we will come to some final agreement on some of these things?

MS. COLTIN: I think there needs to be some framework provided, but I wouldn't see spending most of the time on that. I mean, I would hope that we could get through actually making some decisions on some of these data elements. One of the concerns I have, I am not sure how the discussion will be framed, but there are an awful lot of data elements that are in common across a number of transactions, that we would only need to discuss one time and to indicate that they should be used consistently across transactions.

So, you know, perhaps, if we could at least identify those data elements that pertain to multiple transactions and work through those, then start getting into some of the unique ones within particular transactions --

MR. MAYES: That might not actually be a good characterization. There are a number of elements that appear in various transactions, but when you bring in the concept of context or what we are calling conditionality, you may find that, in fact, they are not used and appropriately not used in exactly the same manner, even though from concept purposes, they might have the same one.

I would certainly hope that you would look, since we probably will have a lot of the claims stuff and Bobby Reading is very experienced there, I was hoping you would address or at least look at the equivalent encounter, a part of that definition. And there might be some other groups like that versus just starting with the A's and going to the Z's of the data elements, to make sure that there are, in fact, the business uses that are covered in the transactions.

DR. LUMPKIN: So, we will start tomorrow at 8:00. Okay.

I am going to leave this up here. I think this is pretty close to our vision of the work plan for the next year. It is enough to keep us busy.

Security.

MS. COLTIN: Before you move on, just comment on the last point. I think it will be important to look at the enrollment transaction as well as the claim transaction because there are a lot of recommendations around what should be required or conditional that made assumptions that you could get that from the enrollment transaction so you didn't necessarily need it in the claim transaction or whatever.

So, I think we may need to start with enrollment, so that we have a base of what ought to be there on everybody and then move to the claim and begin to identify then the relationships.

MS. GREENBERG: Will we have information by tomorrow morning on what is in the enrollment because I know certainly the NUCC and the NUBC materials do reference that certain elements wouldn't be covered by their documents because they would be more appropriate for enrollment or eligibility.

MR. MAYES: I can't tell you off the -- I am not sure. We are trying to put together the master list of everything we have in. Our contractor is due to have to us by the end of next week all of the data elements. It is not so much the elements we have had a problem with. It is the definitions because they are not -- not all of them have been defined by the groups that have put them into their standards. So, we are running a little behind that.

So, we do hope to have available to you in two weeks a referenceable type of master data list, where you not only have the element name and the definition, but also all the references, i.e., which transactions it appears in. That way it could be distributed either as a master list, alphabetical or otherwise or as each transaction with cross references to others.

So, I apologize that it won't be in that format tomorrow, but we may have -- we are trying to pull out those that we already have in the master data dictionary.

On the claims side, we do have the NSF and the UB92, which given the discussion of bridging them over, would be useful and I know Bobby Reading is extremely conversant with the data content for the X12, 837. I am not as sure on the enrollment eligibility.

DR. LUMPKIN: And speaking from the government viewpoint -- the government isn't always the only ones who are inefficient.

MS. GREENBERG: I know of a few people who -- actually one who is even coming from out of town, just for tomorrow's discussion and others who are local. So, if anyone else knows of these people, it is important to let them know that we are starting at 8:00. I don't know whether it would change their opinion if they heard it was only going to be half a day, but at least that they are starting at 8:00, so that -- because this is different than the agenda and I know some people who are specifically coming for those sessions.

DR. LUMPKIN: Right. And we did expect to have the fuller document for our meeting.

MS. GREENBERG: Just if anyone else knows of such folks, let them know, please. I will take care of the ones I know of.

DR. LUMPKIN: Okay. Good.

Security. I am going to keep the microphone and the board because I think we need --

DR. MOR: John, just on the security, because I am going to have to leave in a moment, in yesterday and today, the issue that sort of kept banging me, trying to get a handle on the understanding of the value of the information in order to make some kind of risk assessment is very, very difficult for me. People were talking about, you know, building Fort Knox for something that doesn't have much value, except for idiosyncratic applications, like curiosity seekers within an organization.

I think we just have to keep that in mind, what the real -- there may be value to some of these, you know, static, stable databases. Someone can go in and pirate, steal and take things that then have some use in the world out there, money use or other kind of use, but a lot, I think, of what we are talking about is not value-laden in the normal way we think about value as in doing a cost benefit analysis because the value, how to figure out what is going to motivate someone to do something is -- I don't see it yet, you know, and trying to think about all the different examples people were giving us in the last day and a half, I couldn't imagine an economic analysis of what value these data have.

So, it is just something to keep in mind.

DR. LUMPKIN: Let's spend a few minutes on that because I think we can describe certain classes of data that would tend to have value and I would argue that value is two kinds of value. One, having the information is of value to the person who is trying to get it.

DR. MOR: Right, but that is unestimable in economic terms.

DR. LUMPKIN: And second is the -- well, there are probably more than two, three, but, for instance, the value to the organization in a proprietary sense of having their own ability to do their own actuarial estimates, which is of value to them and their competitive arena. There is the value, the negative value, which is that the entity is put at liability if access to information about an individual becomes available, then they are at risk for litigation.

But I don't think it is going in and pulling out an HIV value. This value itself is positive, but it is the fact that that value is linked to something.

DR. MOR: What do you mean it is linked to something?

DR. LUMPKIN: John Jones, HIV value, has value or -- either in the negative sense of someone who is mischievous, but not just knowing that this value -- so that it is not just the data elements that in and of themselves have value, but it is the fact that these data elements are linked in some way to some identifiable person.

DR. MOR: That goes without saying. I guess, perhaps, thinking about it in terms of your second or third example, is really it is from the firm's perspective and/or society's or a patient's perspective, it is the willingness to pay the opportunity cost of a breach is a way to conceptualize this.

What is the cost to a firm of having their data corrupted and what is the cost to the firm of having their patients think, their customers think that their information is not secure? I am just trying to think about this in a value perspective.

DR. LUMPKIN: Jeff.

MR. BLAIR: I always feel uncomfortable stating my thoughts on these things since I have spent about the last month or two trying to understand the whole area of security. So, I feel like my knowledge is somewhat superficial, but from what I have been able to discern, there is virtually a market that has been emerging in the last year or two of health care security consultants and their whole business is to help a health care institution or an integrated delivery system begin their evolution towards a comprehensive security strategy design or architecture.

And the first step in that is to hire competent security consultants to assist that organization with an assessment of the risks, threats and exposures that they have. They do that not only with an awareness that the organization may not have because they are -- this is their business, but they do it also with techniques, which include what they refer to -- the phrase that I have seen is "ethical hacking." I laughed at it when I heard it.

But in other words, to demonstrate to that organization vulnerability that they may have that they may not be aware of, to help them evaluate the value of their information assets. You know, we tend to think in terms of the liability of somebody's health record gets divulged, but on the other hand, they have got just simply a list of their providers. They have a list of the accreditation or sanctions or credentialing.

I mean, there are so many different things that are assets, which can be a threat if they are divulged. So, at least in my mind, I think that your point is a very important one. I guess I felt as if this is an area where we couldn't begin to come up with our own guideline assessment or threshold with respect to those risks, that the work that we will be doing is going to be more in terms of trying to identify the standards or guidelines that reference policies and practices and maybe some minimum thresholds for specific use cases.

By "use cases," I am referring to the fact that in a pharmaceutical environment the thresholds for security may be somewhat different than they are in an ambulatory or acute care setting and even within an ambulatory or acute care setting, there may be finer definitions of the risks, threats and exposures. So, we would be building upon each of those and trying to give a framework.

DR. MOR: That makes sense. I was having a difficult time contemplating --

DR. LUMPKIN: But I think we need to take that issue a little bit further because I think that the pertinent -- to my mind, the important part of what Vince was raising was -- is why is government getting involved in this? If, in fact, there is a portion of this data that may be of some proprietary use to a plant because it gives them a competitive edge, it is not really government's job to protect their ability to compete in the marketplace, but there are certain other parts of the value of this data for which we as government are getting involved in it.

So, what is it that we are here to protect? And I think the issue that Vince raised of trust of the customers for which people see government as having a role, that what they have that is in there is held safe and that may not have a quantifiable number to be put on it, except for the extent that if it is breached, it has an adverse effect.

MS. FRAWLEY: I think the trust issue is really important because, you know, we can sit here and talk about data all we want, but the bottom line is you are talking about real people and real lives. They are entering the health care delivery system. Most of them have never seen their medical record, wouldn't have a clue what a claim form looked like, who will probably never know what HIPAA is or the national committee or whatever, but the bottom line is that essential assumption when I enter the hospital or I enter a provider's office that my information is going to be protected.

I think the first thing that could happen would be not to deal with the situation appropriately and have the industry not be able to move forward with computer-based patient records and to have, you know, the debate focus on paper versus computers. So, I think that, you know, it is very hard for a person -- I mean, every single person here, we could have our information bought and sold and none of us know because we can't quantify a harm to us.

You know, for an organization, they have got, you know, business assets and they have got to worry about, you know, threats. Certainly the NRC report, you know, gave people a model and explained to them how to do a threat analysis and how to do risk assessment and how to do some of these things.

But I think the bigger problem that we have is that there are people out there who say I don't care. I will take the hit. You know, I am not going to deal with this. I mean, on our study committee, we had a CIO of a major integrated delivery system, who said this is not important to me. I am not investing my dollars in this. So, we said, well, you know, what breach of confidentiality. Well, since they had not been sued yet, they could not put a price tag on that.

PARTICIPANT: Economic value, I guess, was the only way he thought.

DR. COHN: Kathy, I am in full agreement with you about this. I think out of the hearings from the last two days, I really saw that the issues -- really the customer of our security policies is much less the health care organization, really much more the public at large. And it is because they aren't the direct customers but the indirect customers that they have historically little say in all of this.

I mean, if you ask the HMO or the hospital or whatever, you know, so what if -- I mean, there may be acceptable risks. Obviously, as part of the public, I think in our role here have a major responsibility to assure that there is a uniform, acceptable level of security on those records. I mean, I would say as a public person that I would be uncomfortable then having my information computerized and that is certainly the last thing in the world we would want to see happen.

MR. BLAIR: That would be called disaster.

DR. COHN: Yes, exactly.

DR. LUMPKIN: So, that gets back to one of the comments we heard -- I can't remember if it was this morning or yesterday -- that the value of the data -- the effort expended to protect the data is dependent upon the value and in this particular industry we have to understand who the customer is and in much of our administrative simplification, the customer wasn't actually the patient. The customer was intended to be the end provider. The clinician is the customer who we are really most concerned about in simplification. That is why he got started.

But in this particular issue the customer is the patient and so the value in the system is their ability to believe that their record is safe. And that is the government's interest, our interest, in getting involved. And that is important for us to start out in our discussion understanding who it is we are trying to protect and why and what their value is in that system.

DR. COHN: You know, as we talk about this, I find myself looking to Bob Gellman, only because I feel like we are sitting, beginning to talk about privacy and confidentiality again and I am -- I mean, is this all consistent with your views, having chaired the Privacy and Confidentiality Subcommittee?

MR. GELLMAN: But we are really talking about security. I mean, that is very much a subset of the privacy and confidentiality issues. It is just a piece. That is all.

MR. BLAIR: Kathleen, could you give us some guidance as to, you know, how you feel this pulls together? You know, do you have a vision in your mind?

MS. FRAWLEY: Sure. Well, a couple of things. I think that one thing that is important, I serve as liaison to the HHS Security Implementation Team and they have spent at least six months already addressing this and have done a lot of very good work. So, I think it is important that we hear from the team.

I also think that some of the things that Vince raised and some of the other people here is that we should not reinvent the wheel. We have heard a lot of testimony about, you know, work that has already been done. And having been part of the NRC study committee and having spent 18 months of my life dealing with that, I would hate to see us try to reinvent the wheel one more time.

So, I guess my recommendation would be that I think it would be helpful to find out what the team -- you know, where they are and kind of what their perspective is. The other thing, I think, that is important is really to go back and look at Chapter 6 of the NRC report, which pretty much laid out a framework and used that kind of as a -- you could go down the list and say we agree, we don't agree, we are not sure, we need more info.

If you look at the NRC report, we were very careful where -- you know, we were not -- we did not adopt specific standards and I think that was the message you have heard over the last day and a half is that by the time you adopt a standard, particularly as a technology standard, it will be outdated. So, I think that the framework that we tried to put together in the NRC report laid out a vision for industry of what we thought could be a good template and laid out some time lines.

So, I think that might be, you know, a good approach also, but I guess my concern at this point is since we have a team that has been working on this -- you know, I mean, Dennis Steinhower(?) is deputy director of the Computer Security Division at NIST and John Palmigiani(?) from HCFA, those are the co-chairs and that team is across agency and then we have got representatives from all over.

So, you would hate to like not have the benefit of some of their discussion.

MR. SCANLON: Kathleen, can I follow up?

On the NRC report, where clearly there were technology standards that were -- were there policy level standards that were identified?

MS. FRAWLEY: Actually, we thought, based on our deliberations, that if we could get the organizations to adopt policies and procedures, make sure there was employee awareness training programs, make sure there was some basics, that would be a good first step and then the second tier was what we called the technical practices and we recommended some technical practices for immediate implementation and then we had a whole suite of technical practices that we thought were longer term and then we also identified some promising technology that we were just presenting to people and saying this stuff is rather immature. There is some potential and perhaps in a couple of years the industry might migrate in that direction.

But because this industry is moving so quickly, you know, it is hard to, you know, lay out a template. And I think that the biggest problem we have is that we have organizations who -- we have heard from our vendors -- wouldn't know what security features they should be asking for and wouldn't even be in a position to evaluate whether the technology was adequate for their needs.

Then we have got organizations where we have, you know, turf battles with the medical staff in terms of whether or not they should have open access to all clinical information or whether it should be role-based access control. So, yes, the list goes on and on and on and it plays out in every organization in some permutation.

DR. LUMPKIN: I would like to now go Bill, who is going to give us a brief review of what our charge is in the Act and I think John is here. Then after Bill, if you would be willing to give us a little update of your thinking and experience with the team.

DR. BRAITHWAITE: Well, HIPAA changes the Social Security Act by adding a bunch of stuff and one of those things is Section 1173(d), called Securities Standards for Health Information. It says that the Secretary shall adopt security standards that take into account the technical capabilities of record systems used to maintain health information, the costs of security measures, the need for training persons who have access to health information, the value of audit trails and computerized record systems and the needs and capabilities of small health care providers and rural health care providers.

Then there is an extra paragraph that talks about ensuring that health care clearing houses that are part of larger organizations have appropriate policies and security procedures in place, which isolate those clearinghouse activities from their larger organization.

There is another paragraph on safeguards that says each person who maintains or transmits health information shall maintain reasonable and appropriate administrative technical and physical safeguards to ensure the integrity and confidentiality of the information, to protect against any reasonably anticipated threat or hazard to the security or integrity of the information and unauthorized uses or disclosures of the information and otherwise to ensure compliance by the officers and employees of such an organization.

In addition, there is a paragraph about electronic signatures that says that in coordination with the Secretary of Commerce, the Secretary will adopt a standard or adopt standards -- it is actually plural -- specifying procedures for the electronic transmission and authentication of signatures with respect to the transactions covered by this part and that those standards shall be deemed to satisfy all federal and state statutory requirements for written signatures; in other words, a mechanism for substituting for laws which require signatures on paper for these transactions.

So, that is the context of the law that we have to provide recommendations to the Secretary within.

MR. PARMIGIANI: I am John Parmigiani. I am from the Health Care Financing Administration and I am the co-chair of the HIPAA Security Implementation Team and really unprepared to, you know, speak here, but let me just tell you sort of what we have been doing, where we are going. Based on what I have heard the last day and a half, we are definitely encouraged. We are pretty much tracking exactly what you all are coming up with or, let's say, we are in sync.

What we did very early on, and we had a group composed of people from various agencies, not only HHS agencies but SSA and NIST and kind of a governmental representation, a cross section. And we have brought in various people from like the federal PKI and we have attempted to do a lot of outreach, going to various SDOs. We have worked very closely with ASTM, AFFECT(?), CPRI, HL7 and we have kind of been in and out of their meetings and dealt with them.

We have focused on requirements and the reason we have focused on requirements is because this is a very rapidly-evolving technological arena. For us to come out and specify a specific technology, a PGP or, you know, RSA, or any of the various types of authentication, we feel would be doing a disservice.

There wouldn't be any longevity to this standard, any kind of viability. It certainly wouldn't be flexible. You would be tying the marketplace into something that would potentially be an obsolete technology by the time that they had the two years to implement. So, we have concentrated on coming up with a rather elaborate matrix of requirements with the belief that these requirements will span whatever it is going to take as we go up this learning curve and as we go through various levels of refinement.

We have dealt with feasibility. The gentleman that asked -- Vince, before he just left -- basically, you know, how do you try to measure the worth of implementing security and we looked at economic feasibility, technical feasibility, operational feasibility.

One of the things that we have emphasized is trying to get something that will work, something that will not be very costly to implement, something that people will naturally do, especially in an electronic commerce environment where initially we are talking about nine transaction sets, but really we are talking about communicating electronically and security should be an adjunct to that. Security in and of itself is very difficult to justify.

If you are looking to try to get the transaction or the message through intact, the right person, et cetera, et cetera, you need to have security protected measures in effect. That is the approach we have taken. So, we have looked at administrative. We have looked at physical. We have looked at various types of technical aspects of security and we have this, in effect, a hierarchical matrix, which Kathleen has and we will be glad to make available.

It is a continued state of refinement, hopefully, aimed at coming up with an NPRM in October with everybody else and what we have also tried to do is make it technology neutral.

MR. BLAIR: NPRM or --

MR. PARMIGIANI: Notice of proposed rulemaking, something that goes out for 60 day comment, that sort of thing.

The emphasis has been on technology neutrality. We want the marketplace to come forth in meeting the requirements and some of the discussion over the last day and a half dealt with specifying various levels, you know, Orange Book, and all these types of things. I think that this has to be worked out between trading partners.

I think there is -- a number of people have said, you know, you need to do some of the things that came out of the NRC report for the record. And we have looked at that in depth, especially Chapter 6. We plan on referencing that because that gives a template that says, you know, any organization dealing in health care needs to have security policies. They need to have various types of administrative controls, behavioral controls, these types of things in place.

But that is going to vary. That is going to vary by the size of the organization. It is going to vary by the type of data they are handling, the value of the data. We have heard, you know, you don't spend a thousand dollars to protect something that is worth ten. My belief is that it is the government's role to recommend the policies or requirements and one of the things we are doing is against this matrix, we are mapping all of the available and emerging -- I mean, you have heard about -- the different groups talked about this one is an approved standard. This one is a draft standard. What is applicable out there from ANSI, as well as other types of groups, like CPRI?

This is what is available. This is what you can look at in order to fashion your response -- and when I say "your," I am talking about the industry. I am talking about providers and I am talking about payers and I am talking about -- this is a lot different than transaction sets because it is something that has a certain amount of utility to the user.

There are values that can be placed on -- I mean, we have talked about loss of data, loss of image, loss of confidence, trust, that sort of thing. You know, we are saying certain things in terms of, you know, personally identifiable information definitely has to be protected. I mean, we can come out with certain, you know, kind of guidelines like that, but the degree that you go into the protection really is going to depend on your relationship with your trading partner.

You are going to have to use some sort of standardized transaction set, but your level of security may vary. If you are going across the Internet, as you have heard, you know, it is going to have to be encrypted. If you are going across, you know, private lines or something like that, maybe you don't have to do that. We felt that it was inappropriate to dictate to industry that this is what you have to do. So, we are coming out with -- and, by the way, when we get into -- I think you had on your chart the electronic signature -- there is a lot of debate over, you know, what was the intent of that bill. I mean, you can say electronic signature, but really in the security parlance that we have been dealing with a lot of people, we are only probably talking digital signature.

You are probably talking public key infrastructure and you are talking some way to tie the person sending the message, you know, unequivocally with that identity. So, again, what we plan to do is in the scope of our notice of proposed rulemaking to define, you know, the logic, what we did, how we went about this, and, of course, we are looking for guidance from NCVHS, but so far what we have heard has been pretty much, you know, in sync with the way we have been going.

There are a number of members from the group here today and, you know, we will be glad to answer any questions that you might have.

I am just trying to think what else -- oh, the cost benefit analysis. Our feeling is that the cost -- most of the cost benefit analysis needs to be tied to the transactions and rather than just say, you know, you have to do encryption or you have to do this because encryption only is a technique or a tool. It is a protective measure. It is one of many. And it depends on the situation in which you are electronically moving data.

We have also looked at -- interestingly enough, we have looked in detail at data at rest and data in motion and we also -- and I think it was Kepa or someone who said that as of July 9th, the wraps were sort of off. It is not just the transaction sets. We are looking at all health care data. So, we are looking at the ingredients that might go into a transaction set or that might be used in an electronic environment and also coming out with requirements for protection for that type of data also.

I will be glad to answer any questions. This is just an off-the-cuff synopsis.

DR. LUMPKIN: It comes to me that -- and maybe I am looking at this wrong -- our charge really has to do with the security and health information that is being transmitted. No?

MS. FRAWLEY: No, not at all. Much broader.

PARTICIPANT: That is just a part of it.

DR. LUMPKIN: I just read that section again.

MR. BLAIR: Maybe it is that we can separate it out, even if we focused on it from a transmission standpoint, we can't really keep it in isolation.

DR. BRAITHWAITE: As I read it, it talks about any person who maintains or transmits health information.

[Multiple discussions.]

-- has to maintain these safeguards according to the standards that we come out with. And it refers to every entity to which these standards apply, which is all payers, all clearinghouses and all providers who elect to do electronic transactions. That is a set of systems that it applies to.

MS. GREENBERG: Are you saying that it does not apply to providers who do not elect to do --

DR. BRAITHWAITE: That is correct.

MS. GREENBERG: But it does -- those who elect to do the electronic transactions, it applies to their information that they then take to put into them. So, it isn't just the transactions.

DR. BRAITHWAITE: Well, with security you can't just talk about the information. It is security of the system in which the information is maintained.

MR. PARMIGIANI: Let me ask a question, Bill, maybe also to clarify it for us.

For example, if a provider, a physician, chose to deal with a clearinghouse and he or she sent in paper to that particular clearinghouse, the clearinghouse then formatted it into an electronic format. It suddenly now gets -- and even if they kept a repository of that data, that all has to be protected.

MS. FRAWLEY: Correct.

MR. PARMIGIANI: Now, the paper document, the files, the paper files in the physician's office -- I am looking for guidance.

DR. BRAITHWAITE: I think you could interpret this law either way. I don't think it is reasonable to interpret it to --

MR. PARMIGIANI: Okay, because we have been interpreting it the first way. While it is paper, it is -- you know.

DR. BRAITHWAITE: And I think that is reasonable. The reason the physician is going to a clearinghouse is to deal with that technology without having to deal with it themselves and I think we should allow that line to be drawn.

DR. LUMPKIN: Now, in your thinking, it seems that there are -- once you get to the point of transmitting that first transmission of data, there is more or less a level set of entities. It is either going to be a payer, a clearinghouse or a VAN or something along that line. So, we are going to be on the receiving end.

On the sending end, it seems that there is a great disparity in the types of people who may be sending from a single physician office or single clinician office, all the way up to a 600 bed tertiary care center.

Have you taken into account the fact that the level of standards may depend upon the environment?

MR. PARMIGIANI: Yes, and what we had hoped to do would be to say these are the requirements. This is a minimal level of satisfying those requirements and I think someone said, you know, lower the bar or something this morning.

Yes, you know -- now, if you want to go past that, that is fine. This is the minimal level of meeting the protection that would be required. After trading partners -- I mean, obviously, the Mayo Clinic is going to have much more capability of moving data around internally, externally, everything else, than the two person office or something like that.

So, we are not -- that is another reason why we wanted to try to get away from saying, you know, you have to have, you know, PKI and you have to have 1024 byte and all this kind of stuff because it is just not going to -- that is not needed for most of these -- and in most situations if somebody is so small, they are probably going to opt for some support, a clearinghouse or something like that.

DR. LUMPKIN: Let me just follow that up. The regulator in me then raises the question, given that level of specificity, how does one know if an entity that is covered is meeting the standard.

MR. PARMIGIANI: Good question. One of the things that we have yet to look at but want to try to touch is, you know, how do you measure enforcement or compliance? How do you measure the effectiveness of these guidelines in terms of -- and, you know, again, there is a leveling factor here that comes into play because you have trading partners deciding -- you know, you have talked about the recipient and there is an onus on the sender and that sort of thing. That has got to be worked out.

DR. LUMPKIN: But that talks about data on the move when it is going from one place to another. This also covers data at rest in one location and what I have learned and I call it the 95 percent rule. We don't write rules for 95 percent of the providers because they are going to do what is right anyway. You write the rules for the 5 percent of the providers who are not going to do right. And they are going to look at every single "t" that is crossed and every single "i" that is dotted to demonstrate why they, quote, are meeting the standard even though there are holes all over their organization that data can leak out of.

So, the question is how can we get specific enough that we can assure compliance and at the same time not be so restrictive that there is -- that we are prescribing technology and how to.

MR. PARMIGIANI: Well, you know, it doesn't matter how specific you make it. If you don't follow up on it, you know, how are you -- if you don't audit it, how are you going to know whether or not there is compliance?

MS. FRAWLEY: The NRC report recommended that any accreditation organization, such as Joint Commission or NCQA, HCFA, as part of the conditions of participation or any state licensure organization incorporate requirements into their accreditation standards and licensing requirement, so that if you were accredited by the Joint Commission or if you were credited by NCQA or if you were participating in, you know, Medicare or Medicaid, that there would be a minimum threshold that you would have to meet. And as part of that, you know, annual or triennial survey process, that you would be accountable.

There was a meeting held last Thursday by the Joint Commission and NCQA here in Washington and they have read the NRC report. So, they figured out that obviously they needed to start addressing this issue.

PARTICIPANT: Together.

MS. FRAWLEY: Correct. And they did bring a group of industry experts together. So, fortunately, Bob and I got invited to the party and they hope to finish their recommendations in October and publish it to industry and the recommendation then would be to take that report and incorporate that into the accreditation process for both organizations. So, that process is already now in place.

MR. SCANLON: That wouldn't cover -- the bodies covered by those accreditation processes would not encompass the range of entities envisioned here.

MS. FRAWLEY: No. But it is at least a start. Well, the reason why is because you have to understand something. If you say to a provider, we are going to come in and we are going to look at your contracts and see what VANs, what clearinghouses, what transcription companies, what imaging companies, what software vendors, what hardware vendors are contracting with, and we would like to review your contracts. We would like to see evidence that the vendor has in play, where in his training program. We would like to see the vendors, you know -- I mean, you would have to, you know, be able to show that this is being adequately addressed.

So, I think that what it will force is that the providers, who cannot disclaim their liability -- I mean, they can outsource stuff, but the bottom line is if you outsource to a clearinghouse or a VAN, you are still liable. You still have an obligation to that patient that their information is being handled appropriately.

It will place the onus on the provider to make sure that they are entering into business agreements with ethical, you know, organizations. And Adele gave you some examples yesterday morning during her testimony, where we have had vendors disclaim any responsibility and try to write contracts that were inappropriate.

So, I think that what it will force is the industry will say I don't need to do business with you. I will find an organization that will meet my business needs.

MR. BLAIR: A couple of things. I get the impression from that the work that you have done in your committee and the work, Kathleen, that you have been doing especially with this framework and this unpublished ASTM document that will have the framework, are those essentially the same -- and I guess that is also Chapter 6 or the extension of Chapter 6. Are those all three essentially the same?

MR. PARMIGIANI: I would say they are complementary. I think they could be joined and make a pretty much complete picture.

MR. BLAIR: Okay. And I am also -- if I understand it correctly, basically, that will enable us for a particular setting or environment to say here is the threshold for security for this, whether it is authentication or whether it is log -- you know, audit trails or whatever it is, here is the threshold, given your setting for this security requirement.

MR. PARMIGIANI: Right. Along with some other things that we are talking about is security policy and doing threat analysis and, in fact, someone talked about trust models, threat models. I also might add before the previous topic, I remember -- I think it was Kepa talked about a chain of trust, this sort of thing. I think that also would apply here where you are having various players along the network, so to speak, you know, different nodes, that have to be held accountable and the fact that if a clearinghouse is dealing with a provider, you know, they can require certain types of minimal safeguards or something of that data that is coming to them because ultimately it comes back down the line.

So, I think that there is enough out there. It just needs to be kind of coupled and it is then possible for the industry to be able to, you know, meet by looking at the different -- their different level of needs to be able to meet the requirements or the standard, so to speak, of security under HIPAA.

MR. BLAIR: Well, then given that all of the above was true, how does this fit into the time frame that the NCVHS committee is aiming towards in terms of providing recommendations to the Secretary so that security guidelines can be mandated as of February of this next year? Are we on -- are we going to be able to, for example, get the ASTM document published and balloted within a time frame to do this or --

MS. FRAWLEY: The testimony from the ASTM this morning was that the standard would be balloted at the end of August and then, of course, we have the process where it has to go through a subcommittee and main committee ballot and assuming that there are no negative ballots or necessary revisions to the standard, it would be published in early 1998 and then available for adoption by industry.

MR. BLAIR: Are we able to mandate or recommend a mandate of something, you know, that may not be balloted until the first quarter or do we just pretty much have such a high level of confidence that this is the right thing, there is no other real viable alternatives that this is --

MR. MOORE: If everyone knows that we are leaning in that direction, I think they might be more inclined to go along with it or -- I would be looking at minor discrepancies. It is the same thing with the transactions. You know, we are putting all the transactions into one rate, knowing that there may be some small slight flaws in some of them that aren't clear yet. But no one is willing to throw everything away in order just to get a minor correction maybe. That is what I am thinking.

MR. BLAIR: What do you envision in terms of what this committee would be recommending? Are you envisioning that we are going to recommend the use of the ASTM standard that will be balloted or is it -- are you going to be publishing, John, the document that you have developed and consider that they are --

MR. PARMIGIANI: I don't know what your time line is, but, you know, based on what you put out in I guess it was June or July on the transaction sets, I would expect something very similar on security. Again, maybe the end of this month, beginning of September. I don't know exactly, you know, what your time line is, which would precede anything that we would be coming out with, but what we would produce would certainly be compatible with those general guidelines that you recommended.

I would think that your recommendation would say something along the lines of what we were doing and what the NRC, ASTM, that sort of thing --

MR. MOORE: One point there, Jeff, if you go back to the report that you just prepared that went to the Secretary for transactions and so forth, was like two and a quarter pages or two and a half pages. The first reg on the NPI -- and you said you recommend the NPI, it is going to be a couple hundred pages, the reg. The regs are going to be enormous with great detail about how we got there, why we did this, what we did, et cetera. And then the implementation guides behind even the transaction sets are at hundreds of pages that we are going to be referencing in the regs because that is where people go to get the detail on the data content and the how to, et cetera.

MR. BLAIR: We have the flexibility --

MR. MOORE: Do you have the -- I wish I had your flexibility because then I could just name something and move away from it, but I don't have that kind of flexibility to do it.

DR. LUMPKIN: I think our responsibility is to give guidance. We are not a body that publishes regs and so we have that leeway. But my question really in this process, I have not heard in the last day and a half, as we heard with the other standards, we heard all parties say, yes, we kind of like this, you know, or some flavor of 837. It will work, you know. We are a little bit concerned about the coding sets, but pretty much the format is together.

What I heard in the last day and a half were the SDOs saying, yes, we have got standards. But when we ask the industry and other folks about whether or not there was a standard, most of them said, well, not yet. There is no comprehensive standard. There are pieces here and there.

MR. BLAIR: And that is when I thought, as we were trying to get that clarified, the response was, yes, there are guidelines and policies but they didn't have specific thresholds and that is what they were looking for when they said that there is lack of standards. And apparently that is what is now going to be addressed with the stuff we are coming out with. Did I hear that correctly, when they said lack of standards, they really meant lack of thresholds or minimums?

MR. MOORE: I heard that -- I have heard from others, that -- they would like to be specific, but I am not sure that we can be as specific as the industry. When we met with a lot of the standard organizations, we asked for that level of specificity. I think you were at that meeting, Jeff, where we said you tell us what it is and we will put it in the regs and the industry came back and said, no, you guys find it out and put it out there and we will comment on it.

The issue here is that I think that it is the reg that is going -- that the Secretary is going to be adopting and it is our responsibility to make sure that the regulations that we develop are consistent with the guidance that is going to be coming from this committee prior to that reg being there. Where there have been some inconsistencies, we have been back to the table several times to go over those with you. We have been back a couple times on the provider ID and the payer ID, wrestling with comments that Simon and others have had. How many discussions we have had about transactions, particularly the claim. And we are going into more detail tomorrow with data content. So that there is -- you know, there is agreement and also what we are finding is this takes time.

I am sure as we get further into the reg and we come up with what is going to be the -- it is a notice of proposed rulemaking, we are going to get significant comments back from the industry about what they would like to see that reg changed to before February when it is finally adopted.

It is not over. That is all I am trying to say. We are trying to get the very basic groundwork laid so that everybody is working from a document that they can look at, that brings together all the pieces, what Kathleen says, what John said, what we heard for the last day and a half and then begin to work that down and put in the comments and then go back to the Secretary and say this is what 90 percent of the country wants to do. This is what it might cost them to do it. These are what the payoff -- I have heard from some that said they would go further and others that said, you know, keep -- I had one make a comment to me today, keep in mind whatever comes out of security, HCFA has got to do it with Medicare, too.

And we do.

MR. PARMIGIANI: Not to speak for everybody else who is here, I mean, you know, the vendors and the SDOs and all, but having -- the committee having spoken, you know, my group having spoken to most of these people in detail, everyone sort of agrees there needs to be a certain amount of interoperability. You need to be able to make it technology neutral and interestingly enough, even the SDOs that have specific guidelines or standards will tell you that it is not one size fits all.

You know, it will apply to certain aspects of security. So, at this point because it is an evolving kind of a technological environment, everyone seems to be fairly willing to -- if you can come up with something that has a certain amount of flexibility and versatility and it allows people to communicate and do business together, as well as not restrain trade in any way, that is maybe a compromise. It is a happy medium. So, that is where I am kind of coming from.

DR. LUMPKIN: So, what I am hearing is as a regulation with a focus towards enforcement, that given the lack of maturity in the industry in this area, that it may be better to have a regulation that is less enforceable because it begins to solidify what the standard will be and that subsequent rulemakings may lead to more measurable outcomes.

MR. PARMIGIANI: And I see this as an iterative process, that whatever you first come out with will probably need to go through, you know, several other levels of refinement over the years. But you have to have a first cut and that is what we are aiming at.

DR. LUMPKIN: Are any members of the committee uncomfortable with the approach we are sort of describing as of this point?

MR. GELLMAN: I don't know what the approach is. What is the role of the committee?

MR. BLAIR: I feel encouraged because I started these two days and it seemed like we had a huge mountain to cover and now I find out that a lot of the work has been done. So, I feel, you know, really pleased about it.

When could we get a copy of, you know --

MR. PARMIGIANI: The matrix. You have a copy right now, but we can certainly make it available.

Kathleen has the -- kind of the skeletal, you know, the rows and columns. We are working on something that has a full mapping of all the existing -- in fact, we are working with AFFECT and ASTM and people like that. So, you know, it is not like we are just doing this and no one else knows about it.

MR. BLAIR: Since you guys have done all the work, then that means all that is left to us is to fulfill our level of irresponsibility.

DR. LUMPKIN: Bob asked, perhaps, a key question, which is what is it that we are feeling comfortable about.

[Laughter.]

And I think that as of this point what my question really was is that we will be more general in expectations that would be technology neutral and that is my little concern about saying that we would get on board with the ASTM guideline that I haven't seen because I don't know if it addresses that. But, for instance, that we may say that the recommendation from the NRC was that there be individual authentication of users. I think we could, as a committee, make that as a recommendation but not recommend a specific methodology for that authentication. That would be the character of our recommendations.

Is that -- Simon?

DR. COHN: Actually, I was curious -- I wanted to find out what Bob's comment was also to find out what he was thinking, but I, obviously, think that some of these things are a little premature, not having seen the matrix and sort of seen what it is you are working on. I mean, I sort of need to see that and then be able to ask you more questions is sort of my view on that.

But I agree with you, we need to stay above, you know, real technical standards on this.

MR. BLAIR: It seems to me that we have heard and have heard John say two things, which are somewhat contrary. One is that we need a level of interoperability. Another is that we need to let the trading partner agreements decide how they do it. Unless all the trading partner agreements agree to the same thing, that doesn't seem to be --

MR. PARMIGIANI: No, what we were saying was -- the emphasis was on having interoperability. We did not recommend something that would in any way create a barrier to interoperability, just like we are talking about technology neutral. Okay? Now, in terms of coming out with that broad level, then the trading partners, the people that have to do business with each other and determine, you know, how they protect the data according to the requirement and then how they operate with each other.

Now, of course, they are going to also be bound by the transaction sets. So, it is -- I don't think one is mutually exclusive of the other. You know, that was one of our guiding principles, so to speak, that we wanted -- we didn't in any way want to hamper the health care industry from being able to communicate electronically with each other, even though the data needed to be protected and secured.

MR. HANKS: I just wanted to try and provide some clarification on the position of the clearinghouse industry. My name is Tom Hanks and I sit on the Security Committee for AFFECT.

I think what we are trying to come across with is we are not particularly satisfied with any existing standard, whether it be ASTM or any of the FIPS(?) or HIST that would fit the clearinghouse industry in a single standard that is. Some of them tend to be too specific and too technology oriented, which would restrict some of the interoperability you are talking about. Some of them tend to be too restrictive to allow us to continue to make development in the area.

I think what we presented was a model of a standard that has been done by the European Community, that, in fact, details policies and procedures and establishes levels of risk and establishes risk assessment within the standard and establishes those levels and makes it up to the company to, in fact, meet those levels of risk. The European standard that is in the testimony that was presented by AFFECT is the model that we are trying to present, that we feel would be effective.

DR. LUMPKIN: Thank you.

MS. FRAWLEY: I guess in terms of just to help everybody, in terms of their process, I guess what I think we need to do is at the September 8th/9th meeting, would be prior to the meeting, to have John submit, you know, the matrix, and understanding it is a work in progress, for people to review because the other thing is we have an obligation to make sure we educate the other members of the full committee, who are not present here.

I would suspect that Don Detmer would be expecting that in addition to that dialogue of updating the rest of the committee members about this hearing, that we would also be, you know, coming forward with some draft, you know, similar to what we have done at the prior meetings in terms of, you know, a two to three page letter to the Secretary, that we could use to help formulate some of our discussions and also perhaps achieve consensus on September 9th.

So, I would be willing to draft a document. Since I work with John, I don't see there is any -- I mean, I think that this is very doable in the next two to three weeks to have all this out and that people can come on September 8th and 9th with the feeling that we are not starting, you know, from point A and trying to get to point Z. You know, within a 48 hour period.

So, you know, you would have a chance to look at the matrix before the meeting, obviously, be able to come and ask John and the team questions. We would have like a draft letter to the Secretary that you could kind of react to, that I would work with, you know, people here and with the team on, so that we could make sure we were all on the same page here.

MR. GELLMAN: John, can I go back to my question? I mean, that is one answer to it and I am not sure if I have an objection to it, but picking up on Jeff's sort of optimism and sort of hearing a lot of good things going on everywhere and I think I probably agree with that.

Sounds like, you know, you have got some level of consensus with folks out there and what we heard here and everything is going in the same direction.

If that is what we have heard and all we are going to say is what we have heard and what is going on, then we haven't contributed very much to the process and that may be there is not much for us to do. Things are going well. We could say that in a letter that Kathleen drafts. We could say that in response to comments on the NPRM when it comes out.

The question is, is there a broader role for the committee. What else is out there that isn't being -- and I don't have an answer to this. And there may not be a good one, but are there broader questions out there that aren't being addressed longer term? Are there other kinds of issues that aren't being addressed?

One thing that occurs to me, and I don't think we can answer this, although we could highlight it if it is appropriate, is in all the talk of risk assessment, you know, no one really -- in some areas that is readily done, but in other areas we don't have a clue. No one has a clue what is going on with medical records, who may or may not be inquiring them and the few investigations that have been done many years ago discovered all kinds of stuff that no one knew about.

There must be no one out there who has a -- who knows what is happening and it may be something worth highlighting. There may be other issues similar to that that are worth -- again, we are not answering the question because we don't have the capability of doing it, but are there broader issues or procedural issues or structural issues that go beyond the immediate concern that you are addressing that we ought to be saying these are things that need to be raised in some way?

DR. LUMPKIN: If I could, perhaps, jump in at this point and suggest that the answer to the question that you pose, what do we contribute, I think has to be taken within two time frames. One is, I think, we can work with HCFA and so forth and look at our immediate task, which is HIPAA. But I would argue that our role of this subcommittee and looking at security has only just begun because we have standards that are coming down the pike and I think it would be beholden for us to say to HCFA -- I mean, to HHS, just because the -- you know, we have gotten over this particular time frame hurdle of HIPAA, but that doesn't mean that the issue of security, which from everything I have heard and my own personal experience out there in knowing how the health care system is, is in a dismal state and I think that there is a lot that we can contribute to begin to continue to keep the security issue on our plate, which would include looking at conditions of participation that may be under HCFA.

They may be making recommendations and reviewing what the Joints do and NCQA, to say that there are some issues and refinements as to technology advances that our committee can play a role and putting out there and moving the standard process of guaranteeing the security of health information over a period of years.

MS. FRAWLEY: The other thing that just -- to add on to John's comments is because security is so closely linked to privacy and confidentiality, we have to keep in mind that the Secretary is issuing her report on August 21st to the Congress and having sat at the national press conference last week when she, you know, recommended her principles, and she has a principle of security, it was pretty clear on terms of what her expectations are and I think it is going to be very hard to kind of, you know, put this one away and say we are finished with this.

So, this is going to be something that is going to be a very long term issue for this committee, particularly as we move towards the CPR because we will never get to the CPR if the American public thinks their information is insecure.

DR. COHN: Actually, it was just a brief comment because Kathleen had mentioned a process for getting from here to a letter and all that and I was just going to comment on that, that based on what I am hearing, as well as response to Bob, it is sort of a comment about what part we play in all of this. I guess from my own knowledge of all of this, not knowing what is in the matrix or what is going to be in your letter, it almost seems to me that there is a piece in there that we are missing, which is, you know, getting our recommendations together, maybe putting them out to hearings and seeing once we have something to recommend, seeing what people think about that.

Certainly, we have heard today A to Z, today and yesterday, people all over the map on both security and issues and ideas and I think before we recommend anything, we may want to have a single eye today.

MS. FRAWLEY: Well, I mean, the subcommittee discusses that in September. I mean, I am just laying out the format that we have followed all along, which seems to have worked so far, is that we come back as a subcommittee in September. Obviously, Don will expect a briefing for the full committee on the hearing. The subcommittee then will sit down and look at the matrix, look at the draft letter, see how they are doing.

I mean, obviously, we are not going to make recommendations to the full committee until we are sure we are at that point. If we have to go back to industry and say we are still confused because five people sat at the table and three out of the five didn't agree, then industry will have to be responsive and I think that most of the people in the room should understand that they had better come on September 8th and 9th, because it will be helpful to us to call them up to the mike and not waste time.

We do have some time constraints. I mean, that notice of proposed rulemaking has to be out in October.

DR. LUMPKIN: Jeff.

MR. BLAIR: I feel like every time I make a proposal, Kathleen is three steps ahead of me already. So, you may be on this one, too.

First of all, I was really pleased to hear that NCQA and JCAHO would be working together with respect to including security considerations in their accreditation piece because one of the major gaps that I was concerned about was that an integrated delivery system would wind up slipping to say, oh, we don't have to follow the security guidelines of JCAHO, because we are a health plan or, oh, we don't have to follow the security guidelines of NCQA because we are a provider.

If you get those consistent, I feel like that closes a major loop and if we could draw in HCFA and if we could draw in maybe that organization that testified this morning, that might be an appropriate accreditation vehicle for clearinghouses. We could begin to close the loop.

You have already done that, right?

MS. FRAWLEY: Not me.

MR. BLAIR: Okay.

The other piece is Bob and Simon, especially Simon, you are winding up saying setting up a process? It seems as if one is almost evolving before us in that -- John, you were indicating this is the first step in an iterative step. If we wind up getting that matrix out there and if we have the accreditation agencies use that framework or matrix as something to use as a guide for when they do the accreditations of the providers and the payers and if, Simon, we were to indicate that those are the first two steps of a process where the accreditation agencies, as they begin to go through that process, also give feed back on the areas where standards need to be enhanced or strengthened or supplemented and then get that fed back maybe through our committee and to the SDOs, then we begin to have a process that begins to close that loop and continuous what, continuous quality improvement.

So, maybe that could be part of our recommendation out of this committee.

DR. LUMPKIN: I think, though, that we have to be careful to realize that really the scope of our responsibility is much greater than just recognizing that it is important for JCAHO and NCQA. There are 15 hospitals in the State of Illinois that are not Joint Commission accredited. They are licensed by the state and they are certified under Medicare.

So, if we don't deal with the conditions of participation, then we don't address those. There are about 300 long term care facilities in the state that are neither accredited nor are they certified by Medicare because they are all private pay. These facilities would only be covered under state licensure law. So, when we start talking about the scope and looking at other partners, if we don't do this under HIPAA or under the commission or under this particular committee, there will be many entities, especially when you start getting out into individual clinician's offices, that will not be covered in a way that I think will be adequately reviewed.

So, I think our charge is fairly large and it is going to be important that not only are we consistent with the Joints and NCQA, but, more importantly, they are consistent with us or else it is going to be cross messages sent out.

MR. MOORE: You had me pull earlier a copy of the conditions of participation for Medicare and in there it has some very vague pieces on privacy and confidentiality. I only looked at the one with hospitals, which is very general, but then it covers all the different types of providers. There isn't anything wrong with this committee recommending to the Secretary that all of those conditions for both Medicare and Medicaid and also even across all the federal sectors, be it CHAMPUS, VA, et cetera, that those specific areas be enhanced and embellished to include more comprehensive security requirements in order for our participation and taking that all the way back to state licensure laws, maybe working with the governors to do that.

MS. FRAWLEY: I will just give you an example. Right now, on one issue, authentication, there is no consistency between the 50 states in terms of their licensure requirements, the Joint Commission or HCFA's conditions of participation.

So, for an organization that is installing a clinical information system right now, there is absolutely no consistency and people are struggling with this because they have no idea what is the right thing to do because there is no clear guidance. So, basically, if they are participating in Medicare and Medicaid, they have to go with the conditions of participation, which have not been revised in many years, which basically has everybody signing everything and the Joint Commission has changed their standards to allow more flexibility and the states are all over the place.

So, HIPAA, one of the intents of some of the language in HIPAA was to eliminate the state quill pen laws, which basically said, you know, the medical record has got to be written in pen and signed. So, I mean, just on one thing like authentication, we are all over the place.

So, I mean, I can give you example after example that is compounded because there is no one solution. So, I mean, this is just not a simple area. I mean, it is incredibly complex.

DR. LUMPKIN: Okay. Let's take a break.

[Brief recess.]

DR. LUMPKIN: Let's get started. I have to apologize for not remembering that there was a break. I didn't realize so many people were feeling insecure as they were having this discussion.

What I would like to do is, since we have such a generous offer to have a draft letter prepared, that I thought what we would do is go through some of the items that we will put in that letter and kind of base it upon two things. The first is what I heard from John's presentation, that there were three overarching principles and I just want to make sure we are all on board with those.

The first one is that anything that is being done should be technologically independent. Are we comfortable with that? Okay. Good.

It should not inhibit interoperability.

DR. COHN: Is that a strong enough statement? I am all in favor of interoperability but I am just wondering if not inhibited, is that a --

DR. LUMPKIN: Do you want it to promote interoperability?

DR. COHN: That would be I guess -- yes.

MR. GELLMAN: Could I go back to the first principle and ask --

DR. LUMPKIN: It is too late. You missed your chance. Besides you are not even on this committee.

MR. GELLMAN: Right. You got me there. I won't talk tomorrow.

DR. LUMPKIN: Please.

MR. GELLMAN: Technologically independent? I mean, does that mean it has to work as well on paper as it does on computers? I mean, what are we talking about? What do you mean?

DR. LUMPKIN: No. What we are meaning is that we will not prescribe a particular technology for assuring the security goals.

MR. GELLMAN: Well, that is not the same thing as technologically independent. Why don't you say it that way?

[Multiple discussions.]

DR. LUMPKIN: No, because really it is more than a product because there may be a whole range of encryption products but we are not saying, at least as of this point, that we want to use that. So, I think probably it is almost a -- neutral, technologically neutral.

DR. BRAITHWAITE: Technology neutral. Okay. And I don't want to hold Kathleen to this wording, but the principle, I think, we are all agreed upon, that we are not going to mandate a technology, a specific technology.

The third one that these measures should facilitate the process of finding solutions between trading partners.

MR. GELLMAN: Is that the same as 2?

DR. LUMPKIN: I think that is different than 2, but I am not --

DR. COHN: I guess we have to revisit that one a little bit. I am just trying to think of whether that reminds me a lot of our move away from, you know, standards that were only implementable between willing trading partners, which is beginning to feel that that is sort of what it smacks like, as opposed to a standard minimum level of security between all trading partners.

Am I saying something --

MS. FRAWLEY: No, I agree with you because I am thinking it is a lot more than just trading partners.

MR. BLAIR: Interoperability is both within an institution and between institutions. So, maybe the fact that it is promoting interoperability covers both.

DR. LUMPKIN: Okay. So, we might be comfortable with just getting rid of 3.

MS. COLTIN: Given how we changed No. 2, No. 3 may not be necessary.

DR. LUMPKIN: Okay. Going, going, gone.

Then we have, to see if we are, again, all on the same page, seven recommendations from the NRC. Those recommendations, and I would like to walk through them to see if that is something we are comfortable with -- the first is that there be individual authentize -- anyway of users. We know who they are -- authentication. Thank you.

Are we comfortable with that being part --

Second is that there is access controls.

PARTICIPANT: Appropriate access controls.

DR. LUMPKIN: Appropriate access controls. Now, the report has two recommendations. They have a low bar recommendation and then they talk about -- in the future recommendations, which I think we are not going to be as specific, but the ability to not only assure access control, but access control to individual parts of the medical record; validation of access rights before access is granted. Okay.

It is hard to read your eyebrows from all the way across the room.

MS. FRAWLEY: We are not shy. So, if we don't say anything, you can figure you are on a roll and keep going.

DR. LUMPKIN: The third one is -- that should be audit trails. Audit trails --

MR. GELLMAN: I think that that was actually better the way you had it before. I mean, I think that there was -- in the discussions that we had yesterday and today, it was clear that there is some utility to audit trails, but audit trails by themselves don't solve the problem. I mean, the testimony this morning was that audit trails married with notice to people that they were being trailed, for example, made an enormous difference.

So, I mean, it is not simply a matter of maintaining an audit trail. It is just, you need a bigger bite at the issue. You need monitoring controls or something like that. Audit trails are possibly a solution, possibly a major solution, but just having audit trails by itself doesn't -- isn't enough.

DR. LUMPKIN: So, audit trail-based controls?

PARTICIPANT: What about auditability?

DR. LUMPKIN: See, the difficulty is and maybe it is my conception of the use of the word "audit." An audit is these guys who come into our agency every two years and look at what we did two years ago so that I can get -- go in front of a legislative committee and explain how we don't do things right.

MR. MOORE: Can we say monitored audit trails?

MS. FRAWLEY: Well, that is even assuming you have one.

MR. BLAIR: See, I thought the essence of Bob's comment was to get away from the word "trails" because it starts being specific to a technique for auditing. So, I thought if we want to be more general, we would just simply say auditability. It can be audited in whatever form you do it, whether it is monitoring, whether it is -- however you do it.

DR. LUMPKIN: I think the issue is monitoring. So, why don't we just take this out and why don't we just say monitoring and -- monitoring of access? Okay. So, not only do we monitor who has access -- I mean, we have control of who has access, but the people who then are granted rights to access are monitored in how they access the system. Okay.

Physical security and disaster recovery.

Protection of remote access points.

Well, I was about ready to say firewalls, but then we had somebody today that said he could get through any firewall that is out there. So, I am not sure exactly what that means, but I think it means if you are going to have a remote access point, then that has to be secure as opposed to anybody can in the modem with Star Wars.

MS. COLTIN: When you say "remote access points," you are not necessarily limiting that, as I would understand it, to someone like calling in from home. Aren't you also thinking about the terminals that are all over a health center, for instance, that link into the main computer and that they not be left on and unprotected when people walk away and that sort of thing?

MS. FRAWLEY: I don't have the report in front of me. Marjorie does. So, Marjorie, why don't you --

MS. GREENBERG: Actually, I think it was more of the former. It says, "Organizations must protect their information systems from attackers who try to gain entry through external communication points, such as the Internet or dial-in telephone lines."

MS. COLTIN: So, where would the other concept come up and isn't that important?

MS. FRAWLEY: Access controls. The idea being is you have printers left unattended, you know, and you don't have, you know, secure containers for paper and the idea that you can't have, you know, your operating system just out anywhere or you don't have your service secure. I mean, that is one of the things, if you look at the back of the report, we physically walk through organizations and then provided the organization with an assessment of their physical security.

So, I mean, I think, you know, it is hard to take some of this stuff apart without having the report in front of you and looking at the kinds of things that we were looking at.

MS. COLTIN: So, some of that might actually come under --

MS. FRAWLEY: It kind of gets mixed in a lot of these different areas. That is a problem is that even just looking at this list this way, you don't get the real flavor of some of the recommendations.

DR. LUMPKIN: I think this one really says that you protect your system from external forces. And I am not going to write that down, but that is what it really says.

Okay. Protection of external electronic communications. Anything from encryption to using dedicated lines to -- okay.

Software discipline.

MR. BLAIR: I thought that was a really good addition. You are laughing. I was just so impressed when I read that portion of the book. I just thought that was an excellent enhancement to what we normally talk about when we are considering security.

DR. LUMPKIN: My only question about that was why it was there as opposed to in the organizational policies, as opposed to a technological issue. But that is with the book and not with our recommendations because we don't care, but we want that in there, right?

System assessment. Okay.

Risk analysis.

Now, this is the other part of the recommendations of the report, which was to prescribe organizational practices and the question is whether or not we want to, as we walk through this as part of our recommendations, suggest that they also do those.

The first one is that there be security and confidentiality policies. Now, my only suggestion on this is that we suggest in our report that these be scalable and that the policies -- what is meant by this would be different for a one or two physician office than it would be for a hospital. Okay.

For instance, security and confidentiality committees. If they have got two practices, that is going to be a very small committee, but I think that is --

MS. FRAWLEY: I think the report tried to acknowledge that is not necessarily needed in all environments, just like you might not necessarily need an information security officer, that maybe the committee approach might be appropriate for an organization; whereas, in the United Health Care, as you heard from Randy yesterday, you need, you know, a full blown department.

I mean, so, I think the intent was to try and come up with some things that people should be thinking about and kind of modifying for their organization.

DR. LUMPKIN: I think that speaks to the scalability. Okay. Good.

Information security officer, we just mentioned.

Education and training programs.

Organizational sanctions. The report just talks about sanctions, but I think we have to be careful that we be clear that it is not government fining them. It is actually that there are sanctions within the organization.

I took what was in there and I just called it improved consent.

MR. GELLMAN: Meaning what?

DR. LUMPKIN: The recommendation talks about improved authorization for access by the patient so that the forms actually better tell them what they are signing for. That really is a process of consent. So, the recommendation would be that there is improved informed consent when they sign access.

MS. FRAWLEY: The point is that the committee did not like the current practice of blanket authorizations that patients were being asked to sign, almost in a coercive manner that sometimes was perceived as a condition for treatment and that any authorization for disclosure of individually identifiable information should be informed and the patient should have the option of identifying what parts of their medical records should be released and for what purpose and place some time limits on that authorization, so it was not open ended forever and ever.

DR. LUMPKIN: I can read the eyebrows from here. Do you have a comment? No? Okay. Good.

The last one was patient access to audit logs, that the system should be designed to give the patient access to who is accessing the record. And that is it.

George.

MR. VAN AMBURG: Where would monitoring the integrity of the database fall in this list? I didn't really see that in there anywhere.

One could think it would fall under system assessment, but that really isn't what system assessment means.

MS. FRAWLEY: The report also has a whole host of technical practices. So, we did spend a lot of time talking about data integrity because it wouldn't help us, you know, if the data was not reliable for caregivers. So, yes, the other flip part of the report is all the technical practices, you know, that are recommended. So, there is a whole other host of recommendations in this report. This is just kind of like the entry level.

MR. VAN AMBURG: I think that that is a fundamental issue.

DR. LUMPKIN: So, what I have added to the chart is the monitoring -- under a technical component, monitoring the integrity of data. That would be some sort of routine check, whether it be a check something or other or a random check on the data set to make sure it is accurate. It doesn't change over a period of time.

Okay. We are comfortable with putting that in.

Anything else that is missing?

MR. BLAIR: Could we just validate that that wasn't included, you know, under some of the other issues, so there --

MS. FRAWLEY: I can just tell you there are a lot of other recommendations that aren't even on that list. So, the point is that anyone who needs to -- we talked to Marjorie, once again, that Jerry Sheehan(?) will be happy to get everybody on the committee a copy of the report. Chapter 6 has all the answers and it is very clear because the recommendations are bolded and then there are several pages of discussion with time lines and, you know, recommendations. You can't even just take some of this. We are not even doing the report, you know, justice at this point, kind of throwing some stuff off.

DR. LUMPKIN: But I think what we are trying to do is make sure that there are some highlights that would be in our letter of issues that we think are important in a system of monitoring security under HIPAA. And there may be some that Kathleen may run into that you may throw into the letter that --

MS. FRAWLEY: Right. And if there is stuff that I think we didn't address, I will make a little sheet that you will all get that will say, okay, you didn't think about these ten things.

DR. LUMPKIN: And certainly other members of the committee can do likewise.

MS. COLTIN: Now, it seems like these are two buckets, one having to do with technical steps or mechanisms that can be put in place, the other being what happens within an organization in terms of its own practices, but isn't there like another bucket, which would have to do with sort of external accountability or whatever, the kinds of things you were talking about in terms of whether it is JCAHO or NCQA accreditation or whether there were certain disclosures that if my health plan needs to be held accountable for what a clearinghouse is doing, then that clearinghouse needs to divulge to us in order for us to evaluate them and to decide whether --

MS. FRAWLEY: That is also part of the recommendations in Chapter 6. There is a series of recommendations to the Secretary. There is a series of recommendations to the National Committee. There is a series of recommendations to accreditation and licensure organizations, you know, I mean -- so, it is pretty well defined in a lot of those different recommendations.

The thing is that I think that one of the problems that we have, as we discussed earlier, is this is going to be just, you know, an evolving issue. I mean --

DR. LUMPKIN: And perhaps in your draft letter, we can put somewhere that the committee is very concerned about this, that we see part of our role as pushing the industry and as it evolves, we believe that these recommendations and the expectations will also evolve, which will be a way of saying to the industry that if you have an option to go to the highest level of, you know, assuring security, that you should seriously consider that.

The other -- you know, the tradeoff is that as time goes on, CPU cycles get cheaper and cheaper. So, it may be that some solutions today, which have unacceptable overhead, may be acceptable in four or five years as technology advances.

MS. FRAWLEY: The other thing is the report talks a lot about perhaps we need to have a, you know, privacy advocate or, you know, the U.S. Office of Consumer Affairs should play a role in this and perhaps -- yes, there are some roles for, you know, other groups. I mean, there is a lot of concern about consumer awareness and, you know, the bottom line is that somebody has to step to the plate and start to have some responsible education and the Secretary called on that last week to the media and she specifically said every insurance agent, every pharmacist, every health care provider, anyone who comes in contact with a patient has the responsibility to educate the patient and not to focus on privacy risks or rights, but focus on the value of health information and the importance of computer-based patient records.

So, you know, I think that -- you know, there are so many different components to this and some of it is within the purview of this committee and some of it is going to be, you know, the global infrastructure and it also talks about the EU directive and global competitiveness and what do we do in terms of, you know, international solutions. So, I mean, there are just so many different tiers within that report.

DR. LUMPKIN: I think we are almost -- John, do you have a final comment?

MR. PARMIGIANI: I just have a question. Actually, when we send the matrix out, what I would like everyone to do would be to look at the requirements in terms of their completeness. You know, our hope here is to maybe be conservative, you know, but make sure we have everything possibly covered and it is in layers also.

So, you know, that -- I think, Barbara Clark, who is a member of the team also from HCFA -- you wanted to say something.

MS. CLARK: Yes. I just wanted to add a little bit to what John said. The matrix that we are working on and the mapping we are doing now, as we are mapping these different standards to the matrix, we are hoping to be able to identify one or more standards that can be followed to meet a piece of the matrix here and there.

I don't think there is any standard out there that will meet the whole matrix.

Someone earlier mentioned the European standard. So far, that is the closest thing that comes to meeting the most elements on the matrix. As a plug for that standard, it also is scalable. It addresses the small provider as well as the large provider specifically, which is very interesting.

MR. PARMIGIANI: One of the outcomes might be, in fact, a suite of standards to meet certain levels of enterprise.

MS. CLARK: And another thing we are also looking at because there is a dearth of standards, which cover a wide range, we are also looking at the guides that have been put out and we are comparing them as well, to see if perhaps one of those would suffice.

DR. LUMPKIN: Would that European group qualify as an SDO under HIPAA?

MS. CLARK: Oh, no. Well, see, now, HIPAA says if there is no standard that has been done by an SDO, we may look elsewhere.

MR. BLAIR: Well, after I just heard some of these comments, I am not sure whether this holds together. What I was going to suggest was that I thought we were heading towards framing our recommendation with three major sections. One essentially would consist of our endorsement of all of the recommendations in Chapter 6. And the framework would be the second piece, which basically shows that they could be implemented in setting specific environments so that begins to apply all of those recommendations to specific settings with thresholds.

Then I thought the third part of our recommendation would be a recommendation of a process, as we had talked before, where the use of the standards would then go through an accreditation process. The accreditation process would then feed back to the SDOs and the committee for updates.

But now, I am not sure that that still holds together with your winding up saying that we are also going to have separate recommendations of specific standards by SDOs. Is that --

MS. CLARK: Well, what we think we may end up with is, say, we have listed, say, 40 requirements. We may find a piece of those -- say ten of those requirements will be completely met by a particular standard and maybe ten of them will be met by three or four standards. What we would like to be able to do is say these are requirements and if you want to meet Section A, we have found that you could use Standard C, D or E and be compliant where there will be something developed in the future, we are sure.

MR. BLAIR: Is that within the matrix or is that something separate?

MS. CLARK: Well, that would be attached to the matrix. That would be a summary, if you will.

DR. LUMPKIN: That would be the equivalent to saying -- and it is done frequently -- it essentially deems compliance with the standard -- I mean, to the requirement to a certain standard. So that if you follow that standard, then it would be determined by HHS that you have met those ten items on the list.

MS. CLARK: Correct.

DR. LUMPKIN: But it doesn't mandate the standard.

MR. MAYES: Barbara, how about the issue of the implementation gap? Would we have to deal with the implementation -- how will we handle the multiple standards that may meet that in terms of that?

MS. CLARK: I am afraid I can't address that for you, other than some of these standards have guides attached to them.

DR. LUMPKIN: Okay. Any other questions?

Thank you.

MR. BLAIR: What did we decide?

DR. LUMPKIN: We have given the framework to Kathleen to prepare a document for our meeting in September and that will be the basis of which we will provide adequate, hopefully, background material to the full committee so that after we review that and Kathleen's letter and come back on the second day of the meeting with a recommendation, hopefully, it will be passed by the full committee.

We are going to meet at 8 o'clock tomorrow morning. The most important decision is that we are, I think, done for the day.

[Whereupon, at 4:30 p.m., the meeting was recessed, to reconvene at 8:00 a.m., the following morning, Thursday, August 7, 1997.]