[THIS TRANSCRIPT IS UNEDITED]

National Committee on Vital and Health Statistics

Subcommittee on Standards and Security

September 15, 1998

Room 505A
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway #160
Fairfax, Virginia 22030
(703) 352-0091

TABLE OF CONTENTS

Opening Remarks and Introductions

Update from HHS on Status of the Notice of Intent and the Unique Identifier for Individuals

Comments on NPRM -- Security and Electronic Signature Standards

Progress Report from the Work Group on Computer-based Patient Records

Planning for Annual Report to Congress


List of Participants

John Lumpkin, chair
Jeffrey Blair
Simon Cohn
Kathleen Fyffe
Karen Trudel
Marjorie Greenberg
Jim Scanlon
Judy Ball
Bill Braithwaite
Stewart Streimer
Richard Harding
Rob Kolodner


P R O C E E D I N G S

Opening Remarks and Introductions

DR. LUMPKIN: Good morning. I should have brought this cartoon. Somebody showed me this cartoon that said, it is this guy hanging from a cliff by his hands and another guy is looking down at him and says, don’t worry, technology will save you.

[Laughter.]

And so, for all of you out there who are trying to listen in to this meeting and expect to get there through the ASPE server, tough luck. It’s down.

There was another article that I saw that my brother sent to me over the Internet. Evidently at one meeting Bill Gates was commenting about how if the automobile industry had been like the computer industry all the great technological advances they would have in cars, and then the chairman of GM wrote back to Bill Gates and commented, yes, but if cars were built like computer software, then every now and then your car would stop for no good reason, you’d have to open the hood, close the doors and open the trunk simultaneously to restart it.

[Laughter.]

Get a new one every two years, and the controls would all be different. So, anyway, we do have a quorum. We have an agenda. We have roughly an hour and forty-five minutes. I did want to add one additional point. I am hoping Clem will be here because maybe he can give us some information on it in relationship to the immunization registry. And this is kind of an area that we may want to pay some attention to as a committee, and I am not sure if it falls into this subcommittee but probably ought to, but evidently there are now three states that are implementing or in the process of implementing Messaging standards based around HL-7 for immunization registries.

And so perhaps we can have a little bit of discussion of our desire to look at that process to see if there is some input that the National Committee may want to have to assure, first of all, that it is consistent with what we have done so far under HIPAA and, second of all, whether or not there may be some benefit for our committee getting more involved in these kind of Messaging standards that impact the public’s health.

Okay, let’s start off with the update from HHS. Oh, I guess since we may be on the Internet, for those who have bookmarked the VA’s page and know how to get there, why don’t we go around and do introductions.

My name is John Lumpkin and I am director of the Illinois Department of Public Health and chair of the subcommittee.

MR. SCANLON: I am Jim Scanlon from HHS Data Policy Office.

DR. COHN: I am Simon Cohn. I am the National Director for Data Warehousing, Kaiser Permanente.

MS. FYFFE: I am Kathleen Fyffe with the Health Insurance Association of America and a member of the committee.

MS. BALL: Judy Ball from HHS and staff to the subcommittee.

DR. BRAITHWAITE: Bill Braithwaite, HHS and staff of the subcommittee.

MS. TRUDEL: Karen Trudel, Health Care Financing Administration, staff to the subcommittee.

MR. STREIMER: Stewart Streimer, Health Care Financing Administration, liaison to the full committee.

DR. HARDING: Richard Harding, child psychiatrist from South Carolina, member of the committee but not the subcommittee. I am just visiting.

DR. LUMPKIN: But you are welcome anyway.

DR. HARDING: Well, thank you.

MR. BLAIR: Jeff Blair, vice-president of the Medical Records Institute and member of the committee and subcommittee.

[Further introductions off microphone.]

DR. LUMPKIN: Thank you. Jim?

Update from HHS on status of the Notice of Intent and the Unique Identifier for Individuals, James Scanlon

MR. SCANLON: Let me give you an update on where the various proposals for standards display at this time. Let me start out by saying though that in getting into the building most of the committee members have government ID cards so you probably got in fairly readily, but the security has really been beefed up considerably. So, for visitors there may be a little bit of a delay and we may see people coming in at various times. We will just try to, we have asked for relaxed security for the meeting but they are really tough and I know how much, they will probably screen everyone so we may have little delays in getting other folks in.

At any rate, let me turn, I think we have good news on, as most of you know, on most of the proposals for standards. Four out of the five NPRMs that were envisioned have been published now. Let me just go through them and where they are.

The national provider identifier, you will recall, that outlined a proposed standard for a unique provider identifier was published in the Federal Register on May 7 for comment. The comment period ended on July 6 and we will hear about comments a little bit later. Similarly for the transactions and the code sets standards, the NPRM there was published in the Federal Register on May 7 and the comment period there ended on July 6th as well.

The employer identifier was next. That NPRM was published on June 16 and the comment period ended August 17. Currently there is an NPRM out for comment dealing with security policies and practices. That was published on August 12 and the comment period ends next month on October 13.

The fifth of the NPRMs, that dealing with plan identifier is currently in Departmental clearance and we are hoping within a couple weeks, well, it is hard to predict, but hopefully before not too long that proposed rule will be released as well. That leaves only the standard dealing with unique identifier for individuals, the easiest of all. You will remember last year because there really was a lack of consensus and opinion was divided in the industry on such a standard, what it might be, and because of the number of privacy concerns the Department decided to deal with that in a somewhat different way. It was decided to, before issuing any recommendation or proposal, to engage in a period of public input through two mechanisms. One was to be a notice of intent which is basically a publication that asks for, provides no recommendation or proposal and it asks for public input and comment on the various approaches to unique identifier. And secondly, a parallel route, the Department asked the National Committee here to hold a series of public meetings on that same issue.

The first meeting, and I do not need to reiterate much of this for this subcommittee, the first meeting was held in Chicago in mid July and it received a lot of publicity, a lot of media attention and even some congressional attention. And there was a concern voiced in much of the attention relating to the possible misuses of the identifier in the absence of privacy protections. I think there was a discussion of some of the benefits and the risks, but I think the potential misuse of the identifier, without some framework for privacy protection, really was sort of the theme of much of the attention.

Subsequently, the Vice President at the end of July announced that the Administration would not implement the unique identifier until privacy protections were in place. This was part of his broader statement about the initiative on privacy, but he made that clear in the medical confidentiality area.

In addition, there was some attention on the Hill as well. In the House and in the Senate there were a couple of amendments introduced to repeal, I think the intent was to repeal the unique identifier requirement as a proposed standard, but actually some of them were worded in a way that would have eliminated all of the requirements for standards, for providers, plans, employers and so on. I think the language that is now on the Hill limits the focus to the unique identifier for individuals, but, at any rate, there was that kind of reaction on the Hill as well.

So, at any rate, given the Vice President’s statement about what the Administration wanted to do, the unique identifier is largely on hold for a while. I think in the weeks ahead the Departmental leadership will sit down and think through what would be the best strategy for proceeding here, but for now the unique identifier is on hold. Let me stop there.

DR. LUMPKIN: Any questions or comments?

[No response.]

Having looked at some of the summaries or the beginning of the collations which, I understand, is still underway, I was struck, it seemed that there was only about in the mid hundreds of comments on the NPRMs. Is that correct?

MS. TRUDEL: There were only a few hundred individuals who commented on each of the rules. Many of them sent in voluminous comments. Some of them came in binders. And our best estimate at this point on the transaction and code set rules is that we have about 8,000 individual comments to contend with.

DR. LUMPKIN: Actually I was surprised not by the resulting workload, which is a product of the individual comments that are made, but by the relatively small number of entities and individuals who commented. And I suspect that one of the things we will see in the implementation process is that as we have suspected, except for the unique personal identifier, pretty much the world is kind of working out there without any real understanding of what is going on with the standards process. Because I would have thought that there would have been more comment than this, and I think it reflects either a lack of understanding or interest or concern. Of course, we will interpret that as lack of concern.

DR. COHN: I think this may just be a follow-on question to that. How many of the comments were actually from associations representing large numbers of providers and other entities?

MS. TRUDEL: Quite a few.

DR. COHN: That actually may be better than we think because I would imagine that many smaller entities may look to their professional associations.

DR. LUMPKIN: And to respond to that, at least when I have seen, at the state level when there is a rule that has a lot of concern you usually get the association and then you will get individual organizations. And sometimes people even actually generate comments. And that certainly did not seem to be the case. Bill?

DR. BRAITHWAITE: It may also reflect the feeling out there that people do not really care what standard it is as long as it is a standard that everybody uses and that meets the business needs. And since the business need debate has already been done through things like X-12, people feel pretty comfortable that as long as there is a standard in law that will solve their problems and save them a lot of money so let’s get on with it.

MR. BLAIR: The other thing is, I do not know what the history is in previous NPRMs, but, I mean, Bill Braithwaite and Bob Moore and other committee members wound up spending a year going around to those that would be most affected and most interested in the health care industry, soliciting ideas before we wound up developing the NPRM.

So, you know, the feeling that I had is that most people’s concerns probably were already addressed.

MR. SCANLON: And fortunately for many of the standards there was an existing ANSI standard. It was not entered in, this is really representing what the industry was working on anyway. So, hopefully the relative lack of comments, John, represents agreement with what has been proposed.

DR. LUMPKIN: Good. Well, we are certainly going to move forward as if that is the case.

It is certainly a lot better than, I don’t know, a couple of, 40,000 or 50,000 comments they got on CLEA(?). Okay, any other questions or comments about the status?

[No response.]

Comments on NPRM -- Security and Electronic Signature Standards

Then we will move on to the security NPRM. Maybe you could pass those around. This is a draft letter and let me read it because it is short.

To Whom It May Concern, this is directed to HCFA. The National Committee on Vital and Health Statistics, NCVHS, is pleased to submit the following comments under Notice of Proposed Rule Making labeled HCFA 0049-P.

In hearings conducted by the National Committee last August, we learned that poor security practices are commonplace in the handling of paper-based health information, and the move towards electronic storage and transmission only heightens concerns.

Health care organizations have been slow to adopt strong security practices, largely due to the absence of strong management and organizational incentives. This proposal for Security and Electronic Signature Standards is a positive step towards changing these incentives with its requirements that all health care entities must safeguard the integrity, confidentiality and availability of their electronic data.

We are pleased that these proposed rules incorporate all the NCVHS recommendations made to the Secretary last year. A technology-neutral standard that would promote interoperability among information systems, the accommodation of different sizes of health care entities and consideration of the cost of implementation are of particular importance.

Although strong national privacy legislation or regulation is still needed to ensure privacy of individuals’ health information, broad application of these standards for security of health information will help a great deal. We commend your efforts. Signed, Sincerely, Don Detmer.

Comments on the NPRM or the proposed letter? Simon?

DR. COHN: I actually have little objection with what is currently in the letter. It is really more that I think it, as I talk to people outside of, I guess, the Beltway, or however you want to describe it, I mean, my sense is that this is going to be the one that has the most impact on everyone in the community at large, and probably there needs to be some observation of that in this letter, and recognition that I think there are going to be relatively significant comments coming from the health care community on this particular NPRM.

I am not sure what to say beyond that. I do not know that we want to get too specific in terms of further comments, but I just, once again I am just sensing that there is, you know, that there is going to be a lot of comment made about this particular piece of, this particular NPRM.

DR. BRAITHWAITE: Simon, do you think that is because people disagree with having secure systems or they disagree with the security mechanisms that are proposed in this NPRM?

DR. COHN: Actually, I first of all do not think that anyone disagrees with the concept of having secure systems. I think that there are, it is a relatively complex NPRM. I think that there is some confusion out in the field about what is suggested versus what is required, and I am seeing that sort of reflected in my own organization, even among my security consultants. That some of the pieces in there are do an evaluation, others are really implement something based on principles or otherwise and I do not think that it is, I think that, once again, there is some confusion out in the field regarding that.

I think beyond that, I think there are various pieces that are probably technically difficult and/or expensive and, of course, we are coming up right now to a time where almost every organization I know of is feeling somewhat stressed with millennium changes, and I do not think that that is helping things very much right now.

And I have heard, for example, various comments made recognizing that there are many legacy systems out in the field that may be difficult to comply with many of the pieces in the NPRM, and I have heard comments, for example, of well, geez, there ought to be a way to implement the policies but hold off the technical implementations of pieces into new systems. Now, I do not have an opinion about that, but I have been hearing that, for example.

DR. LUMPKIN: I think we heard in the testimony that there were a whole host of systems developed by vendors that had the security portions of the operating systems and underlying languages intentionally disabled. So one would expect that the conversion to meet this standard may be quite significant. And so as people begin to look at this and really take a serious assessment, they very likely may come to the same conclusion, that this is not exactly a small change, even though this is perhaps our least specific requirement.

Yet, on the other hand, I think that speaks volumes to the necessity of this NPRM. Other comments?

[No response.]

So, you would propose, perhaps, the change, would you propose some change in the wording of this?

DR. COHN: Well, I guess I am, you know, at this hour of the morning it is always hard to be really creative, I am actually thinking more almost of a beefing up, maybe another sentence or two that talks about that we are aware that there is likely to be significant comment about this because of its impact on the health care sector, and that we look forward to comments, additional comments from the private sector regarding the NPRM. I am not sure that I, and I am still grappling with how it may need to be modified, but that would be the only type of comment that I would make in addition to this.

DR. LUMPKIN: Well, I was just wondering -- Jeff?

MR. BLAIR: I am sorry. I did not mean to interrupt your discussion, just when you finish this thought.

DR. LUMPKIN: Well, I was just wondering if, though, that is our role to note that there might be comments since what we are doing actually is just commenting on the NPRM.

DR. COHN: Yes, well, that is a good point.

DR. LUMPKIN: Jeff.

MR. BLAIR: Maybe because I was on the committee at the time when we were trying to see how we could wind up pulling together our recommendations in the first place on security, and I know how difficult it was, that I really appreciate the way the NPRM was finally crafted. The thing that I especially liked was the way we began to guide the users towards the appropriate guidelines and specifications in the standards community that could be reference documents to help them implement each specific part of the policies and guidelines, whether it was access control, electronic signatures, auditing, whatever those pieces are, the references on the last two pages I thought was a major step forward in terms of giving guidance to users out there in the provider community especially to be able to say what do I do in terms of implementing data security policies, practices and technologies?

The thing that I might recommend, that is the preface to what I am saying, might be added to the letter, I think that maybe the letter could reflect what has been achieved by that NPRM and wind up addressing what I would think would be the concern of a data processing manager or chief information officer who takes a look at that NPRM and says, where do I take my organization? And that is that they are probably going to wind up saying, my goodness, I have what, 40 or 50 reference documents there that I am going to have to have somebody on my staff go through and try to assess what portions of those reference documents I will take to implement into the data security system I have in my organization.

I mean that is the level where we are right now. I am not being critical of the fact that we are asking them to do that, however, I think if we were to make a recommendation, I think we ought to consider saying that in the NPRM if there could be a phrase saying, here is how far we are now. We can point you to these reference documents now, but the actual level of implementation of those policies, practices and guidelines, at this stage is fairly immature. We do not have a lot of history with that, and that is the reason that we have not pointed to specific clauses or paragraphs or locked in and said, this is the particular standard, whether it is a SEN, ANSI or ASTM standard, that we are saying, this is what you follow word-for-word.

What I think we ought to indicate in the NPRM is that after two or three years of implementation we would come back to the users and look at the experience and wind up getting more specific as to the data security standards, and I think the users, the providers might be better able to understand why the NPRM goes this far and no further if we add the statement that yes, we will go further two to three years from now based on their experience with data security.

DR. LUMPKIN: Our original communication to the Secretary from the committee noted the fact that the environment in which we were making this recommendation, there was no clear, single standard and that there was, in fact, a state of flux in the technology. And so I think what we recommended and what we thought was a technologically neutral approach, which was adopted by the Department, which was not to say you need to follow Standard XYZ, but you should make sure that you do the following things.

And I think that that is relatively clear in the standard, certainly very clear in our letter. I am not sure if, perhaps we could attach that letter as an attachment to this particular communication which basically has the goal of putting ourselves on the record saying, we said you should do this, you did it. Now we think it is a good idea still.

MR. BLAIR: Actually, I was not implying that two to three years from now our recommendations might be not technology neutral. I think they still would be technology neutral. I only meant that we might be able to be more specific in the NPRM on those references so that we could give the users sharper focus and guidance as to what policies, practices and technologies they do implement.

DR. LUMPKIN: Thoughts on those comments?

[No response.]

DR. COHN: So John, you are thinking about adding, attaching the previous letter to this to help clarify?

DR. LUMPKIN: Well, I think though, what I heard Jeff recommending is that this issue be reevaluated in two to three years.

MR. BLAIR: Or, it could be phrased in many ways. It might wind up also using the phrase, this is the first, major step and that in two or three years the journey will continue. We will be able to have more experience with the provider community implementing data security policies, practices and technologies and we can learn from that. And the standards probably will be more appropriate and maybe closer to a consensus and we might be able to give better guidance.

And I think maybe that last phrase is better guidance. I think that this was a major step forward in providing guidance. But I think that the implementation of it is going to be difficult because there is a lot of ambiguities. We have to have those ambiguities in place. We cannot be more specific at this time. But just simply to note that we intend to be more specific in the future as our experience matures.

DR. LUMPKIN: In the last sentence of the second paragraph it says, this proposal for security and electronic signature standards is a positive step towards changing these incentives and its requirement that all health care entities must safeguard the integrity, confidentiality and availability of their electronic data. I think that we could perhaps add a sentence saying that the committee believes that additional work will be necessary in the future and offers to work with the Department and other entities to evaluate the implementation of the NPRM and offer additional suggestions in the future, something to that effect. Is that what you?

PARTICIPANT: That’s fine.

DR. LUMPKIN: So, we will play with a sentence or two there.

DR. COHN: Yes, actually my memory from the NPRM is that something very similar to that is actually in the NPRM as a comment. Perhaps we should phrase it in the way of agreeing with it because I think there was a statement there that we are going to learn a lot over the next while and help refine this thing.

DR. LUMPKIN: So perhaps we can add a sentence that refers to that section of the NPRM, we agree with the statement in the NPRM that goes boom-boom, and the committee offers their services to do that.

DR. COHN: Yes.

DR. LUMPKIN: Can I see agreement to add a sentence on that and we will kind of work on, this is up on the agenda when, for the full committee.

MS. GREENBERG: This morning at 11:45 a.m. and the vote is actually tomorrow.

DR. LUMPKIN: Okay, so we can come back with revised language tomorrow. We can take comments on this version --

MS. GREENBERG: And then state that you are adding something.

DR. LUMPKIN: Right. Okay. Any other comments or suggestions?

[No response.]

Okay, what I would like to do is get a motion to move this to the full committee, with the understanding that we would bring back, and report at the committee, that we are working on an additional one or two sentences that we will bring back for a vote tomorrow, but that we would move the letter as it is, to be revised, to the full committee.

MR. BLAIR: So move.

DR. COHN: Second.

DR. LUMPKIN: It has been moved and seconded. Other discussion?

[No response.]

All those in favor say aye.

[Ayes are heard.]

Opposed say nay.

[No response.]

Abstentions say nothing.

Okay. Progress report on the CPR work group?

MR. BLAIR: We are at other sides of the table here, but, Simon, go ahead.

DR. LUMPKIN: Oh, I am sorry. I am sorry. I failed in my task. There is one more thing on the security NPRM.

We have a second letter, that pesky Paperwork Reduction Act.

[Laughter.]

Let me read this one, because this one did not go out on the e-mail.

This is to Mr. Burke and Ms. Eydt who are charged, I guess, with receiving comments on this.

The National Committee on Vital and Health Statistics submits the following comments on the Collection of Information requirements in the Notice of Proposed Rule Making (NPRM) HCFA-0049-P, Security and Electronic Signature Standards.

On the issue of the applicability of the Paperwork Reduction Act of 1995 to the electronic signature standard:

The purposes of the Paperwork Reduction Act (PRA) and of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) would appear to be extraordinarily incompatible -- I am sorry -- extraordinarily compatible. Got to get all the syllables right. Both seek to minimize paperwork burden and to ensure public benefit. However, in a practical sense, application of the PRA in this instance would be contrary to these principles and threatens to impose a substantial barrier to the adoption, implementation and future modification of health care electronic data interchange (EDI) standards of which the electronic signature standard is a critical component.

There may be a role for the PRA in evaluating what government programs do to implement the standards in their programmatic spheres. However, we do not believe that the adoption of standards, as required by HIPAA, constitutes an “information collection” in the sense that it is defined under the PRA. Further, it is hard to imagine a more clear cut case of usual and customary business activities than the application of a signature to the administrative and financial functions, which include billing, adjudicating claims, and payment for services, covered by this and previously proposed rules.

Finally, the PRA regulations at -- that funny little sign that means citation something or other -- 1320.18 appear to be clear that OMB has the discretion to apply or not to apply the PRA to these rules. We urge OMB to follow the intent of both the PRA and HIPAA by not applying the PRA in this instance. Sincerely, Don Detmer.

Very similar language that we have submitted on comments for the other NPRMs. Any discussion? Is there a motion?

MR. SCANLON: John, I would note here that this applies, if I am reading it correctly, only to the Electronic Signature Standard. There are other parts of the Security Policies and Procedures that are proposed in that NPRM that probably would be subject to the Paperwork Reduction Act in terms of record keeping and other things. We are not arguing with those. So this is, if I am correct, focusing only on the electronic signature.

DR. LUMPKIN: Yes, and we just want to sign on to that position. It is certainly a signature event to this committee.

MR. BLAIR: I move that the letter be approved.

DR. LUMPKIN: It has been moved and seconded by Simon. All those in favor say aye.

[Ayes are heard.]

Opposed say nay.

[No responses are heard.]

Okay. We will move that to the full committee. Thank you. Now, I am sorry, I interrupted you, the computerized patient record.

Progress Report from the Work Group on Computer-based Patient Records, Dr. Simon Cohn and Mr. Jeff Blair

DR. COHN: Jeff, shall I give a brief review and you can add in whatever I am missing. I think you all have copies of the agenda for the sessions today and tomorrow morning on computer-based, on the work group on computer-based patient records. The objective of the meetings today and tomorrow morning is to, number 1, approve version 6, draft 6 of the work plan and, probably more important, since the workplan still is a level above, what it is exactly we are going to do for the next six months or eight months, come to terms with the next set of actions to guide us over the next four to six months of activities, including any hearings, panels or anything else that we need to do.

I think we have benefited in this new draft by the help of a number of the staff including Dr. Braithwaite, Mr. Mayes and Dr. Fitzmaurice. We really appreciate their help. We actually look to the whole subcommittee to review the workplan this afternoon. As I remember the subcommittee and work group are essentially the same membership which will make this a little bit easier. And so we will have a chance to talk about that.

Now, the other piece is that we have had some discussions with the government’s CPR effort, and we will have an update this afternoon, I believe, from Dr. Kolodner -- he was here just a minute ago -- and so I think we will be hearing an update, as well as beginning a discussion about how, ways potentially of leveraging and aligning activities. We think that there may be some opportunities to leverage TCPR(?) to help with the work that we are going to be undertaking. So, anyway, that is really where we are at this point. Any questions or comments? Jeff, do you have any pieces?

MR. BLAIR: The only comment I might make is Simon and I have made a real attempt to strike a balance between trying to update this workplan in a manner where it is consistent with the charter and the scope that we worked out in the June meeting, and to also work as expeditiously as possible to move this piece through.

We have distributed, I guess it was just about a month ago, electronic versions. It is about an eight or nine page document. But just in case there is somebody here who will be in the meeting with us, the CPR Work Group meeting this afternoon from 3:30 p.m. to we do not know when -- as late as it takes to get through, or as early as it takes to get through and approve that and get on with what meetings we need to get scheduled, if there is anybody here who has not received a copy or who has not had a chance to look through the workplan for the CPR Work Group, just let me know. I have extra copies here for you so that maybe you could glance through it between now and our 3:30 p.m. meeting.

DR. LUMPKIN: Okay, questions or comments about the computer-based patient records. Needless to say, we will spend a little bit of time on that this afternoon. I think the building shuts down at 6:00 p.m.

MR. BLAIR: Does it really?

DR. LUMPKIN: Yes.

MR. BLAIR: Well, we are going to reach consensus very quickly.

MR. SCANLON: We could keep it open, Jeff, if --

DR. LUMPKIN: I thought I had been asked by staff to make that comment.

[Laughter.]

DR. COHN: I want everyone to recognize that I am committed to not going until 6:30 p.m. and we will make it through this agenda.

DR. LUMPKIN: And what time did your plane get in last night?

Okay, then we will move on to the annual report to Congress.

Planning for Annual Report to Congress

MR. SCANLON: What I am passing around is both the outline and the actual report that the committee prepared last year as the first annual report to the Congress on the implementation of -- it is in the agenda books, too.

[Comments as papers are distributed.]

MR. SCANLON: So, John, let me just spend a few minutes, you will recall that the law, Section 263 of the law requires the committee to send an annual report on the status of implementation of Part C, basically the administrative simplification provisions of HIPAA, and to do this on an annual basis. Now last year, of course, much of the work entailed really consultation, outreach and basic formulation of what the proposed standards would be, and the annual report which the committee sent to the Hill, reflected that.

It was sent in in about February, I think, of 1998, and you will see from the outline and from the report itself that it focused largely on the process of what was to come. And it also outlined some concerns that the committee had raised during some of its deliberations. But the main theme was on what was the process for actually getting to the point of proposing rules? What was the process for consultation and for implementation?

So, we are now, assuming the same time frame for, say, February of this coming year, it is not too early to begin thinking about what the committee would want to send in as the second annual report.

The outline that you have is the outline that was used last year. Of course this year there is much more progress, at least, in terms of getting the standards to the point of proposed rules for most of the standards.

There was a report on privacy, a little status report on where privacy stood as well. There, there have been some developments; not as much, of course, as in the standards area.

So, I think if we can discuss this a little bit this morning, we can work up the table of contents, discuss this further and maybe possibly agree on a proposed outline for what the final report would be and then we can kind of take it from there and work it through some drafts.

DR. LUMPKIN: Okay, let me just briefly review the document. It started off with an executive summary, with an introduction, background, purpose of report, content of report, statutory requirements, and then went on to the implementation process.

Point A discussed the DHHS implementation strategy, the guiding principles, private sector consultation, NCVHS hearings, NCVHS liaison with HHS, NCVHS recommendation to HHS on unique identifier, administrative transaction messages, transaction data content, security standards, privacy, unique identifier for health plans, unique identifier for individuals.

Section III was progress to date on identifiers, transaction standards, standards and data content, security, claims attachments, privacy, implementation plan and communication strategy.

Item IV was special privacy and security concerns, federal privacy legislation, linkage to individual identifier to privacy protections, anti-discrimination measures are needed. And then, D., security.

Five would be implementation issues -- identifying and resolving standards’ implementation issues, identifying need for new standards, measurement of standards’ implementation status, strengthening the national information infrastructure to improve health care quality and access, to reduce costs and then conclusions.

That was the outline from last year. Sounds like this year.

MR. SCANLON: Very similar. Now, the actual wording in the law that describes what is required in the report is on page 8 of the full report. We can summarize it here but, maybe I should go ahead and do that, John. I think we went beyond that, actually, in the report, to make more sense out of it.

But, the law said that not later than one year after the date of enactment of HIPAA and annually thereafter, the committee shall submit to the Congress, and make public, a report regarding the implementation of Part C of Title XI of the Social Security Act. Such report shall address the following subjects to the extent that the committee determines appropriate.

A. The extent to which persons required to comply with Part C are cooperating and implementing the standards adopted under such part.

B. The extent to which such entities are meeting the security standards adopted under such part and the types of penalty assessed for non compliance with such standards.

C. Whether the Federal Government and state governments are receiving information of sufficient quality to meet their responsibilities under such part.

D. Any problems that exist with respect to implementation of such a part.

And finally, the extent to which time tables under such part are being met.

So, last year’s report clearly addressed those issues, but, well, to the extent it was applicable. We were not in the stage of implementation, of course, last year so some of the, we could not deal with some of these.

DR. LUMPKIN: Well, I think, though, for the long range planning of the committee it would seem to me that this would imply that once we have gotten to the date of implementation of the standards that we probably will be obligated to have at least a half day of hearings a year in order to be able to respond to some of these issues.

MR. SCANLON: That is true.

DR. LUMPKIN: Other comments on the outline?

[No response.]

Okay.

MR. STREIMER: John?

DR. LUMPKIN: Stew?

MR. STREIMER: Just to clarify, I think there, on the outline about strengthening the piece on the computerized patient record, because I was just revisiting the legislation in terms of NCVHS responsibilities as they are delineated in that legislation and it is a highlighted issue. And I think the progress that has been made and what we are studying should be highlighted, at least this go around.

And the other piece that I noticed, the employer ID does not seem to be -- or did I miss that?

DR. LUMPKIN: It should be there.

MR. STREIMER: And I would suspect, I am thinking about whether or not security ought to be pulled out as a separate item along with privacy and confidentiality.

DR. LUMPKIN: Yes, it is a different, really, kind of standard. And there may be other issues. I think, Simon, you were raising the issue of the millennium problem, you know, whether the committee would or would not want to address, you know, the potential for other factors that have become a little more clear in terms of affecting implementation.

We appear to be hearing both sides of this issue. Some folks are saying, give us the standards, we are going into our systems anyway. Let us plan for the change along with millennium changes. And others, I guess, are saying, well, we have our hands full with millennium issues and we could not possibly deal with some of the other standards. So, I guess we have been hearing both sides but it might be worth it to point that out.

MR. SCANLON: Well, John, if, we will use this basic outline with whatever additions, then --

DR. LUMPKIN: Yes.

MR. SCANLON: -- committee members want to make and then we will start filling in.

DR. LUMPKIN: And the next, when is the next committee meeting?

MS. GREENBERG: November --

DR. LUMPKIN: November 12 and 13 and we are shooting for a February date.

MR. SCANLON: We also have a January meeting --

[Simultaneous comments.]

DR. LUMPKIN: It will fit within our meeting schedule so that way we can comply with the requirements. We do not need to go through Department clearance --

MR. SCANLON: The Department likes to at least review it, but this is a committee report.

DR. LUMPKIN: But, if we do it at our February meeting then --

MR. SCANLON: I think that would be plenty of time.

DR. LUMPKIN: Okay. One item, any other issues on the annual report?

[No response.]

I had an additional item, but let me, perhaps, describe the situation and see whether the committee feels we need to, perhaps, proceed on this.

This issue actually came up very recently. In Illinois we are implementing an immunization registry. The function of the registry is to essentially keep track of every child’s immunization. It facilitates a number of things. One is that there are a number of problems, particularly with kids who are highly mobile, that these kids either end up being under immunized or over immunized. Over immunized because if they show up at different providers they have no records of previous immunizations and then start off from scratch, or under immunized because by moving around no one really knows how many immunizations they have had.

So, as part of our immunization campaign we have implemented in a system, we have an integrated maternal and child health system called Cornerstone which captures about 700,000 of the kids in the state of Illinois. And that system is a state-operated system with purchase equipment for kids basically who are eligible either for Medicaid or for the Women, Infants and Children Program, WIC Program, which goes up to about 180 percent of poverty.

For the rest of the kids in the state, though, there is no way to track their immunizations. So, we are now implementing an immunization registry which has a number of features. One of the key features is that we have a shrink wrap version that will be available for physicians to put up in their office, and we also intend to publish our specifications with the hope that vendors will then incorporate this into their own systems that will allow them to either dial up by modem -- we also allow people to use either phone or a fax-back mechanism -- to receive an immunization history on each child in the state as based upon informed consent.

In order to do that we are implementing HL-7. New York State and, I think, Georgia are two other states that are implementing that. And we suspect, given some of the movement that exists with the HL-7 immunization standard, there is some room to interpret the various components of those Messaging standards somewhat different, particularly as to data content and data form.

There was a recent meeting last week that was held at the CDC to begin discussing this particular one, inviting the states who are most advanced. I think the issue that will be coming up, and which is one on which I think the Federal Government may benefit from some guidance, is to what extent should standard implementation -- implementation guide for this HL-7 standard and others that will impact how the health care delivery system interfaces with the public health system in electronic Messaging. We are in the process, for instance, in implementing electronic Messaging with laboratories for lead tests.

I think that the issue is, is whether or not we should be, we should urge or urge not the Federal Government to be more specific in the implementation which would then allow vendors and states to implement to a much tighter standard than may come out of HL-7. Some of these same issues have come up on other standards with the implementation guides.

So, I am just tossing this issue out as to whether it is not something the committee would want to explore, perhaps have a presentation by the CDC and maybe a couple of states that are in the process of implementation, resulting in a recommendation from us to HHS about how they should proceed in implementing these standards. Jeff?

MR. BLAIR: Could you just clarify that part of your phrase that said, that would encourage us to support a much tighter standard than HL-7. What are you thinking of when you are saying that?

DR. LUMPKIN: I am kind of operating off the report I got from the head of our data processing unit, but my understanding is that the HL-7 Messaging standard for immunizations is kind of loose. And so it would be fairly prescriptive as to -- would you care to help me out?

PARTICIPANT: No, go ahead and finish.

DR. LUMPKIN: You know, I think there needs to be a cookbook. States do not really, and should not have a different arrangement with their providers, particularly multistate providers, on exactly how that standard is implemented. Vendors do not really want to have 50 different versions of that HL-7 standard.

DR. COHN: Perhaps Bob may have the answer to all this --

DR. LUMPKIN: He is being detailed from CDC or something like that.

DR. COHN: I was just going to make a suggestion also because I think this is an important area that we need to look into. I think it is really actually also beyond just HL-7 because I think actually next year the 837 transaction will be transmitting a lot of immunization data and so it is sort of an area that we can look at from a number of different sides and really how the standards begin to come together to support an essential public health area. So, I think it may make sense to get a number of different people coming in to talk about how all this comes together.

MR. MAYES: Yes, I would like to suggest maybe an alternative approach which, there is a lot of work around making a single implementation of a standard, as those of us that have been involved in HIPAA would certainly agree, and, in fact, there are legitimate reasons why there may be somewhat slightly different interpretations at a local implementation level.

However, there is another approach that I think the Federal Government could take which would have fairly far reaching consequences and would not only apply to the particular example you have suggested but others, and it is one that I have been working on over at the HCFA side. And that is instead of publishing your specifications as a document and then having hopefully, hoping that vendors would pick them up and incorporate them, why not think about publishing that specification as an object? Why not create an object class library so that your specification is already interpreted and is encapsuled in an industry standard API encapsulation so that the vendor really has almost no work at all to incorporate your specification? You are not dictating to the vendor community what they should be doing, but you are making it so cheap and simple that it is very, very likely -- in fact, the vendors I have talked to on this idea have been extremely interested in this -- you make it very likely that your standard will, in fact, be incorporated in commercial systems.

The benefit, it is really a win/win. You have really made what is actually a non value added activity, as far as the vendor community is concerned, i.e., interpreting your report and requirements which they have to do anyway, you have made that extremely cost effective for them. And, of course, the benefit on our side and your side is you get consistent data because you are getting a single interpretation.

So, rather than spend lots and lots and lots of time trying to make the paper document so precise that somebody can code that exact implementation, why not just go straight to the implementation and make the implementation, i.e., the object available? So, that way you are not sort of forcing anybody to use what you want them to use.

MS. FYFFE: Bob, you used an acronym, was it API?

MR. MAYES: Yes, application programming interface. It is the code that surrounds a particular piece, a particular function or subroutine that allows you to plug it in in a standard way. A good example is cut and paste. You know, cut and paste works the same for all Windows programs and people do not read the specification and recode it, they simply get a chunk of code that is standardized, that is free, that they can then plug in.

MR. BLAIR: Bob, that sounds, the idea has, it sounds very attractive. Were you envisioning that we would be proactive in encouraging either a special interest group within HL-7 or the object broker technology special interest group in HL-7 or CORBAMed(?) to work together to define those objects or did you figure -- in short, who would be defining the object and what would be the procedure for that that you are envisioning?

MR. MAYES: Yes, I know actually that the immunization people at CDC are looking into this and have been talking with the CORBA people and also with the object sig(?). It is going to really require, you know, at least initially to figure out what the best approach is in a generic sense, it would require a combination of people because once you get into objects you are actually talking about both the Messaging and the content and combining them, all the behaviors, so you really need to work together on this. But there is movement going on.

The ideal would be to adopt an approach which, in fact, is generic enough that it does not really matter what kind of reporting you are requiring, whether it be public health reporting, whether it be other kinds of regulatory reporting, if you build this sort of framework and infrastructure, it is very similar to the approach with HL-7. What is in the message can be determined at any point. They have tried to standardize the structure.

So, it is just moving from this idea, if we are going to be talking about electronic standards, we should be thinking in electronic standards and not thinking paper standards which would then somehow be translated into electronic. The technology is rapidly catching up with us.

MR. BLAIR: Let me repeat back what I think you are proposing and you tell me whether I understood you or are off base. I get the feeling that you are saying we should use a similar approach to the one we are using with health claim attachments where we would basically wind up saying that we have, the Department of Health and Human Services has a target date when we want to be able to produce NPRMs and that we would work proactively within the standards organizations, it might be a consortium of HL-7, CECOW(?) and CORBAMed and maybe some others, in order to move the process forward more expeditiously. Is that what I am hearing you are proposing?

MR. MAYES: I do know whether I would even say that we want to mandate it. I think that with the GCPR project, for instance, I am pretty sure they will wind up taking something of a similar approach, although Rod might be able to talk more to that. But, at this point I would say, if you were going to make a statement from the committee as either supporting or, you know, saying that a particular approach would be very beneficial and useful, you know, it is not just a choice of saying, well, we should have implementation guides and standards or we should leave it completely laissez-faire. There is --

DR. LUMPKIN: Yes, I think, if I could, perhaps, clarify where we are at. Historically the committee has never waited for Congress to tell us that we should get involved with issues related to data. It is only with HIPAA that we were actually mandated to begin to get involved. We never got a mandate to do a minimum data set.

So, in this regard, looking at some of the developments that are occurring with standards, we have had some discussion and concern that different units of HHS may be using different standards for data definitions and so forth, and we have encouraged the use of what is essentially de facto a data dictionary created by HIPAA, that that be used by all HHS programs.

So this would take us one step further and say that there are some now Messaging and transactions that occur between the current public health system and the medical treatment system which we ought to get into the ground floor and help HHS develop a way to approach it. And by using immunization as an object example, as an example, we may be able to find a methodology to do that.

This gets us out of the realm of doing NPRMs, into the realm of saying there are 50 states that are going to do it, if we give them something that makes it easier for them to do it, by and large it is going to be adopted. But there is no mandate for them to adopt it.

MS. GREENBERG: John?

DR. LUMPKIN: Yes, you are sitting in my blind spot.

MS. GREENBERG: Oh, I was in Chicago, too.

DR. LUMPKIN: Watch those comments.

MS. GREENBERG: I think you suggested it and it was sort of reinforced by Bob, but the immunization program at CDC I know has been very active in this area and actually was the first component of CDC to be participating in HL-7. I know they have worked with them on a specific immunization message. So, I think your suggestion to hear from them, maybe at your next meeting, and discuss these issues with them, see where this is going, is a good one and probably would be a good thing to do prior to actually making a statement.

DR. LUMPKIN: Oh, yes. Simon?

DR. COHN: Marjorie, I was just going to second your comment which is I think we are all convinced that there is an area that we need to understand better and I do not know whether it is a panel at the November NCVHS meeting period or a group coming to our subcommittee, but, clearly, we need to look at this a little more and come to greater understanding of the area.

MR. MAYES: Let me make one other comment. About three or four weeks ago I put together a meeting looking at the issues of data management across enterprises, and this is one of the issues that came up. And was able to get DOD, Veterans Administration, EPA, Department of Transportation, Department of Energy, Department of Justice and ourselves to meet, and we are going to be meeting again October 8. The Department of Transportation and their Smart Highway System is looking at using this type of approach as well. So this would be potentially a kind of subject or approach that could be even much broadly addressed, and there might be some consortia being able to be developed, even outside of just HHS that would be able to approach this.

DR. COHN: Actually, I just sort of wanted to see if we could finish this up, only because I have a question or two about some other issues around the subcommittee. So, I was not sure whether we were done with this particular piece of business.

DR. LUMPKIN: Actually, I think I see enough guidance that we will try to put something a little bit more in detail on one of our agendas. We will have to figure out where it would fit in our work plan but it is something I think we, there seems to be interest in the committee to look into it. Kathleen?

MS. FYFFE: Not to put you on the spot, John, but what identifying information is the state of Illinois using?

DR. LUMPKIN: You mean other than name and address and -- I do not know if we use Social Security number.

MS. FYFFE: Okay. I am very curious about that.

DR. LUMPKIN: We actually generate for people who are in our Cornerstone system, which would probably be based upon that, it is an algorithm similar to the one our state driver’s license uses. And so we generate a unique number and then there is a whole state look-up table that once you get the name, the mother’s maiden name gets put in there and it gets algorithmed into a number.

DR. COHN: I actually recognize, I think, that that agenda item is, I think, complete. I was just actually looking at, actually not looking at our previous work items, but was perhaps remembering many of our previous work items and was trying to figure out what the status of some of them were. I know we have had for a long time the issue of change management data and maintenance and all that as we move forward with these NPRMs and data maintenance committees, the standards and all of this, and I am wondering if there, if you have any thoughts about any plans to investigate that area at this point or whether as a, perhaps not you but whether the subcommittee, whether it may be reasonable timing at this point for us to ask some representatives from X-12 and some of the data maintenance committees to come and talk about how they are going to handle data maintenance and change management and all of that into the future. I understand that to be somewhat of a controversial area at this point.

DR. LUMPKIN: I think that that would be certainly appropriate. I think we all kind of expected to be inundated with hearings on unique identifier, which evidently is not quite on our plate anymore for the time being. So, I think we have allocated some times and we perhaps need to review those.

I kind of would like to hear what we are doing with CPR first because I think that is going to keep a lot of us busy, too. So, there is that issue, change management. There is also transactions which we need to, it has kind of been there. We did not expect it to progress very fast and we probably need an update on that.

But, I think that is something we have wanted to do hearings on.

DR. COHN: Okay, I guess I am going to suggest perhaps the novel idea of a coordinated approach, then. That even though we are going to meet as a work group later on this afternoon on computer-based patient records, maybe tomorrow morning we spend part of our time sort of reintegrating the work plan to make sure that since the work group is a work group of this subcommittee, that we come out of tomorrow morning having a feeling that we have a well integrated work plan to move us through into the next year.

DR. LUMPKIN: So we are going to make the 8:00 a.m. meeting tomorrow be a work group, subcommittee meeting?

DR. COHN: At least part of it. We will see how far we get done with the other work, but I think maybe a chance to have us take a look at --

DR. LUMPKIN: -- being just a work group meeting, it is a work group slash subcommittee.

DR. COHN: Yes, we will move from one to the other as we finish the --

DR. LUMPKIN: Because then we will be able to better see where our work is going to be, we can reintegrate that. We may look at hearings. For instance, we may do two days of hearings, spend half a day on change management and the other day and a half on CPR.

DR. COHN: Exactly.

DR. LUMPKIN: Good. Jeff.

MR. BLAIR: Are you in the position now to take up an administrative issue or should I wait until, or do we have any time left?

DR. LUMPKIN: We have plenty of time.

MR. BLAIR: Okay.

DR. LUMPKIN: I am sorry, let me just first, was there any follow-up issue? Are we done with what Simon raised? Okay, Jeff, take it away.

MR. BLAIR: I found from doing the inventory of standards and from working on this work plan for the CPR work group and other things that for the most part those of us who are outside the Federal Government seem to have been using Microsoft Word as a document and those in the government, for the most part, have been given WordPerfect. I think that this is something where we need to come to a reconciliation on this because we are going to be doing more and more and we are going to be exchanging documents and working together in this committee on this and my comments really, I do not know administratively how we need to proceed on this.

For those, it does not really matter to me which way we go. I have Word. I looked at what it would cost me to purchase a copy of WordPerfect. I think that there are many different ways that we could go, and maybe the staff could explore and give us a recommendation on what we should do because about a year from now we are going to be making recommendations from this committee to the DHHS and Congress on a whole host of things that are going to come out of this work plan. There are going to be, I think, a lot of documents that we are trying to share and work together on and I think by that time we need to wind up being able to be sure that we can share these documents.

Let me just give you a couple of ideas that might be explored by somebody who is staff to the committee. And that is either if the Federal Government is standardized on WordPerfect, then maybe they could either make a copy or give us some way of covering the cost of purchasing WordPerfect for those of us who are not full-time government employees. That is one approach.

Or, there could be distribution, I think that Marjorie has already gone through the process to some extent, trying to get WordPerfect, you know, to the folks who are government employees, or Word. I do not really care how it is addressed and I really do not know who would be the right person, but I am raising the issue and maybe I could ask you, Marjorie, what recommendations would you have as to how this issue can be addressed? Is there somebody on your staff who can take a look at this and make a recommendation as to how we get on to a common software platform to exchange documentation.

MS. GREENBERG: I agree with you that it really is, it is a problem and it is an issue. As you mentioned, a few of us actually just in our program budget purchased Word because of the requirement to interact with the outside world which does primarily use it. And for your inventory we produced the documents in Word which did create problems because almost nobody else in the center had Word. And we have raised this at the center and I do not know whether there is a, it does not seem to, at this point, be support within the agency supporting two different systems.

But, in a way I think we dropped the ball on this because I think I raised this, and others, at the Executive subcommittee last November and we had a staff person who was supposed to be looking into this and just seeing how we should proceed and just finding out what the different members use and et cetera. That was initiated but she has gone on a detail and so it was not completed. I am just being really honest about it because this is something, I mean, it has been almost a year, that has been a concern of mine, definitely. So, we will reactivate that inquiry and I welcome, Bob Mayes is coming to the microphone here --

MR. MAYES: We have a wrinkle, Jeff. It is not even just Word or WordPerfect. HCFA is currently on a 16 bit operating system. We had hoped to move over to 32 bit by now but that process is delayed and with Y2K it is difficult to see how long that is going to be. So, it is not only, we could buy Word, but we would be buying Word 6 so we would not be able to read your Word 7 anyway. So, it is a little more complex.

DR. KOLODNER: Actually there are converters that Microsoft finally released so that Word 6 can read Word 7, at least for the -- this is Rob Kolodner -- at least for the subcommittee on computer-based patient records, most of the staffers use Word, so for that subcommittee I do not think that is going to be as much of a problem, but certainly when we get the documents to the full committee we may run into that again.

DR. LUMPKIN: Is Windows 3.X Y2K compliant?

MR. MAYES: That is actually a problem --

DR. LUMPKIN: So your problem will solve itself in a couple of years.

[Laughter.]

MR. MAYES: That is the issue. I mean, we are actually moving in. We have begun the transformation over to a Windows NT environment at which point we are switching over to Word, but it is a little complex in terms of, it is not just a matter of buying --

DR. LUMPKIN: I know. We are doing the same thing for a couple thousand computers at our shop. It is kind of tough to get those 286s to run Windows 95.

[Laughter.]

Well, thank you, Jeff, for reenergizing us on that. It is an important issue.

MR. BLAIR: We have been able to muddle through so far and it has not been a show-stopper for us, but it has been a delay or it has made it difficult for some individuals to be able to review documents. But my thought is that during this next year I think it might become a real impediment to us operating efficiently in the committee.

MS. GREENBERG: Jeff, I assume you are willing to work with whatever staff get involved looking at it.

MR. BLAIR: Yes, sure.

MS. GREENBERG: Okay, thanks.

DR. LUMPKIN: Other issues before the subcommittee?

[No response.]

Then we can adjourn until the full committee starts in half an hour. Thank you.

[Whereupon the meeting of the subcommittee was adjourned at 9:25 a.m. on September 15, 1998.]