[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

AD HOC WORKGROUP FOR SECONDARY USES OF HEALTH DATA

August 3, 2007

Wilbur Cohen Building
300 C. Street, S.W., Room 5051
Washington, DC 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, VA 22030
(703) 352-0091

P R O C E E D I N G S 8:37 AM

DR. COHN: I want to call this meeting to order. This is the third of 3 days of hearings of the Ad Hoc Work Group on Secondary Uses of Health Information of the National Committee on Vital and Health Statistics.

The National Committee is attached to the public advisory committee to the US Department of Health and Human Services on National Health Information Policy.

I am Simon Cohn. I am Associate Executive Director for Kaiser Permanente and Chair of the Committee. I obviously want to welcome Committee members to this last day of this set of hearings and discussions, HHS staff and others here in person and welcome those listening. Actually I don’t think we are actually, are we on the Internet today?

PARTICIPANT: We are on the Internet and the line is open just in case Marjorie wants to join in.

DR. COHN: Okay. We welcome those listening on the Internet and remind everyone to speak clearly and into the microphone.

Let us now have introductions around the table and around the room. For those on the National Committee I would ask if you have any conflicts of interest related to any of the issues coming before us today would you so publicly indicate during your introduction.

I want to begin by observing that I have no conflicts of interest.

Harry?

MR. REYNOLDS: Harry Reynolds, Blue Cross, Blue Shield, North Carolina, member of the Committee and no conflicts.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the Committee and no conflicts.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, staff to the Ad Hoc Committee and liaison to the full Committee.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville Medical Center, member of the Committee, no conflicts.

DR. VIGILANTE: Kevin Vigilante, Booz, Allen and Hamilton, member of the Committee, no conflicts.

DR. OVERHAGE: Marc Overhage, Regenstrief Institute, Indiana Health Information Exchange and I have no conflicts, member of the Committee.

DR. DEERING: Mary Jo Deering, National Cancer Institute, staff to the Committee.

MS. AMATAYAKUL: Margaret Amatayakul, contractor to the work group.

MS. GRANT: Erin Grant, Booz, Allen and Hamilton, contractor.

DR. LOONSK: John Loonsk, Office of the National Coordinator for Health Information Technology.

DR. TANG: Paul Tang, member of the Committee, no conflicts.

DR. W. SCANLON: Bill Scanlon, Health Policy R&D, member of the Committee, no conflicts.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics Committee staff.

MS. THORNTON: Janet Thornton, American Health Insurance Plans.

MS. YULMER: Allison Yulmer, American Health Information Management Association.

DR. COHN: Okay, I want to welcome everyone. My comments will be very brief today. I think many of us as I said have now been through 2 days of hearings. This is a day for discussion for the ad hoc work group. A number of you have been here. This will be your fifth day in meetings of one sort or another related to the National Committee and so I just wanted first of all by once again thanking you all.

I may have said this a number of times but this is not easy. I very much appreciate your participation and involvement. You know, it is summertime. Many of you probably thought months ago that you would actually be taking vacation during this period and instead obviously we are here and obviously will have additional hearings and discussions later on in August and I think the good news is that we are making progress.

Now our session this morning will be from eight-thirty to about eleven. I think our intent is to you now given sort of our preparatory conversation yesterday is to begin to talk about sort of frameworks upon which we need to be making, we may be wanting to make recommendations as well as Margaret A has been working on various sort of at least some high-level recommendations to sort of gauge our reactions to see if she is beginning to move into the right direction putting things together.

So, this will be much of the day. Towards the end we will take a step back and sort of talk about from here going forward and then the various conference calls and upcoming you know the next set of hearings as well as potentially even a little bit of discussion of what happens going from there.

So, we will sort of spend some time taking a look forward but that is really the intent of the morning.

Now, I obviously have mentioned and thanked the members of the Committee. I do want to again sort of reflect and thank our consultants, Margaret A, Erin, Chris Anderson who is not here but I think she is trying to dial in.

So, I think once again we do not make progress without their help and support. So, thank you for your involvement. I do also want to thank our liaisons for their involvement. John Loonsk, thank you for participating and being here, Steve Steindel, Mary Jo Deering, Mike Fitzmaurice and hopefully we will see him for the next meetings and then obviously all the staff and obviously the lead staff and we thank you for your help. I think previously I have neglected to mention Jeannine and Cynthia for their participation and help.

So, thank you very much, and obviously there is a whole host of others. You know, Marjorie will hopefully call in at some point, Jim Scanlon but once again it just reminds us that without everybody working together we really don’t get the job done and we really can’t move forward.

So, I want to thank you and this is obviously all must meant to be preparatory.

Now, Margaret, help me how we can best utilize being on time. I know that Margaret has come in with about a page and one-half of some draft thinking on what at least some recommendations might look like given the testimony and the conversation that we have been having around the table.

These were not meant to be complete. They are early draft. It is more a question of getting the temperature of the ad hoc work group but also it was my understanding they are being printed right now. So, how would you like to proceed?

MS. AMATAYAKUL: Did you want to update the testimony from —

DR. COHN: Thank you. Yes, I should comment just sort of publicly that we if you remember Jean Chenoweth from Thompson Medical we at one point asked her what her relationship with CMS was and whether or not she was a business associate or just a user of data and she actually told us she would get back to us and she wanted us to sort of publicly indicate that she actually is, that Thompson Medical is a business associate of CMS at least for certain purposes and all of that. So, that was just meant to be a clarification.

Thank you for reminding me.

MS. AMATAYAKUL: So, perhaps while the copies are being made there is one other piece that was distributed in your packet, that big huge packet that we circulated yesterday that was a taxonomy and glossary of terms and I don’t know that we need to go through this piece by piece but perhaps just an introduction of how I came to this and how you might be able to help off line a little bit would be helpful.

Would that be okay, Simon?

DR. COHN: I think that is a very good, probably introduction. I am actually just also thinking that probably tandem to that Justine may want to talk about and Harry may want to talk about their thoughts and further works around some of the dimensions since I think it is very consistent with I think some Power Points and thinking that they put together and obviously thank you both for being willing to be Vice Chairs.

MS. AMATAYAKUL: So, you may recall that AMIA had a meeting on secondary uses prior to the first set of hearings for the work group and have come up with a classification process for a number of the terms that they had encountered and I took a look at that but didn’t study it in depth at that time.

During the testimony I then started writing down just basically every word that I heard that was unique or seemed special or might be loaded or what have you and I took those terms and attempted to group them in some way that made some sense and then to begin to identify where I thought we had definitions and where there might be some common usage without definitions and so forth and so then the result is this document here with these kind of groupings of terms and then what I did was I looked at that in relation, in more detail to AMIA’s taxonomy and found that there were a lot of similarities. AMIA had included a source of information.

I had focused primarily on uses but that certainly might be appropriate to add sources of uses as well, sources of data, not uses. There were one or two areas within the AMIA taxonomy which is also attached here that seemed to be more informational than controversial. So, I did not include them and there were some things that we had heard and I had jotted down that AMIA had not heard. So, my intent here is to get some sense from you whether this is helpful in general; is this an appropriate classification of the terms and then I will go forward and actually cite definitions.

So, where we have a definition of for example, pseudonymization we have a specific reference to an ISO standard.

So, I will use that definition and cite the ISO standard. If there is more than one definition that we sort of heard or found or whatever, I will list like the Webster’s yesterday, I will list both definitions.

If there doesn’t seem to be a definition I will say that there is no definition or it is common usage or it has been used in the same sense as another term without any definition. So, that is what my intent is.

So, it would be helpful if you would kind of take a look at this and feed back to me any missing terms, any terms I might have reclassified incorrectly or you would like to see a different classification and then I will feed back to you the definitional document, the more complete document with definitions later, and again you can kind of take a look at that.

So, maybe just some general comments first, these aren’t in any, they are sort of in order. The classes are listed in some order that made sense to me but I am not sure I could — so, they are from general to specific. So, terms used to describe information, we have heard in addition to individually identifiable and protected personal health information frequently is used, sometimes even patient health information; terms used to describe oversight of individually identifiable health information and things like even HIPAA compliant when used by vendors and they are not covered entities to be compliant.

Ownership and data stewardship were terms that I sort of felt related to that but were a little bit different but I didn’t know exactly how to classify them; terms used to describe identification, status of individual patients as well as clinician or even entity, so some of those terms, terms used to describe permission to access user disclosed information.

So, there is authorization as defined by HIPAA privacy rule. There is authorization defined by HIPAA security rule which may be two sides of the same coin but they are different. Consent as relating to HIPAA that permits but does not require common rule consent and informed consent for procedures that we use, opt in and opt, de-authorization, IRB approval, IRB waiver are terms.

DR. DEERING: Could I ask whether something belongs here or not? I am thinking of things like data use agreement and MTA material transfer agreements which are the vehicles by which permission is executed. I mean would that go here or would that be a separate category?

MS. AMATAYAKUL: I had put and I called it limited data set agreement and I should have called it data use agreement for a limited data set but it is up in terms used to describe oversight of individually, but you know that is a good point.

DR. DEERING: I would certainly add MTAs which are biospecimens which will increasingly be part of care.

MS. AMATAYAKUL: MTAs?

DR. DEERING: I think that is it, isn’t it, Paul, for material transfer, I think? Data use agreement is a specific term.

MS. AMATAYAKUL: Right. Terms used to describe uses of data, primary, secondary, tertiary, quaternary, non-clinical has been used sometimes to mean secondary. I don’t know if we want to keep those terms in but I think just recognizing that those terms are used, terms used to describe transparency, terms used to describe accountability, terms used to describe health information repositories, terms used to describe exchange of health information and terms used to describe circumstances that raise policy issues. This was something from AMIA.

DR. STEINDEL: Are you looking at the section as just being a definitional section and if we actually did want to make comments about what we heard we would make that in the body of the document; is that the intent?

MS. AMATAYAKUL: Yes.

DR. STEINDEL: Thank you.

MS. AMATAYAKUL: More like a glossary of terms but a glossary that is structured in a format that helps inform people and then hopefully as we develop the report we will use the terms in a manner consistent with the definitions or be able to cite back to that.

DR. DEERING: I would add registry to repositories.

DR. STEINDEL: Mary Jo, registry did you say?

DR. DEERING: Yes.

DR. STEINDEL: What is the difference between that and a clinical data registry? Oh, no, registry, I am sorry.

DR. W. SCANLON: I don’t know if we need it here but yesterday we raised the issue of users and different types of users and they may be self-explanatory when we are doing it in the text but if there are categories of users that are created that then we make recommendations or we talk about category being subject to a certain set of rules, conditions, etc., that might be something that belongs here, too.

DR. VIGILANTE: So, when you say, “Categories of users,” one can imagine a variety of types of classifications. What types of classifications, do you have anything, sort of academic researcher, commercial, what categories were in your head?

DR. SCANLON: I guess I don’t have a set of categories in mind right now but I mean I think that as we talk about this there are things that seem, we have made the distinction between things that are going to end up sort of being for the public good versus things that sort of may be sort of for person or proprietary interest and that is one distinction and an academic researcher could be doing work in sort of both areas. So, I mean it is not clear how to do this and it may turn out we can’t, but it is something we raised yesterday which is that the same kind of use depending on who the user was and what their purpose was for that use might sort of have from, there might be different feelings about it going back to what you had raised in terms of the outrage factor, that if I knew my data were going to be used this way then I would —

DR. VIGILANTE: I absolutely agree with you. I just wondered if you had some —

DR. SCANLON: No, I don’t have the grand scheme yet.

MS. AMATAYAKUL: There is further in this packet a couple of pages from the original IOM patient record study report on primary and secondary uses. They also had in that report users. So, we could take a look at that and see if that would be helpful.

DR. COHN: It actually looks like now we also have the other document that we were waiting for printing, also. How long do you want to spend going through the taxonomy and other pieces of this.

MS. AMATAYAKUL: Just if anything else comes to mind please forward it to me.

DR. COHN: I think for everybody I would say this would be worth looking through this. At least in my view this is sort of the appendix piece though certainly some of this may, I mean if there are particularly difficult pieces and I tend to think of as we get into the anonymization, pseudoanonymization or whatever I think that may actually be difficult enough for everybody that that may actually be in the body of the text if it turns out to have relevance. So, it depends on how far we have taken the security.

Is there something more you want to talk about before we move into the framework and other conversations?

DR. STEINDEL: Yes, Margaret do we want to add, I noticed you had a section on transparency but I think we have heard lots of discussion about that. Do we want to add definitions for trust and transparency in terms of the context that we have heard of?

MS. AMATAYAKUL: I would like to. We can even add the terms from the Belmont report there which might be good.

DR. COHN: Okay, now, having said all that and I guess I am trying to think of whether, let me talk to our Vice Chairs for second. Do you think talking about the framing pieces that you had talked about is a good introduction to Margaret’s piece?

DR. CARR: I think so.

DR. COHN: Okay, why don’t I let you spend at least a couple of minutes talking about that and this is a little bit disjointed what is going to happen over the next hour and one-half, 2 hours or whatever in the sense that there has been some work sort of further looking at framing issues, some of which I think you have seen before where we have tried to talk care delivery and recommendations or whatever but just sort of looking at the elements upon which we may want to frame recommendations and then I think last night as Margaret was looking at some of the testimony and all this came up with some recommendations that were a little more cross cutting.

So, I think we are going to sort of see both at the same time, suspend belief for a little bit and sort of figure out how all of this comes together.

DR. CARR: This is meant to be just overall framing trying to put together simple concepts of things we talked about. This represents a lot of the ideas that Harry had put together and that we have heard through the meeting.

First of all, what are we just starting with? What is the good we are trying to achieve, improved care, learning environment we heard about in the first day and common good? Second, is the harm we are trying to prevent, privacy violation, especially harm from the privacy violation, also, misinformation due to inadequate data configuration, aggregation, denominators and so on.

I have three things to say and so some of us began at the AMIA meeting where we looked at their slide and we had some work groups there and I think I know for myself as I go back to this slide I understand it vastly more and to me that slide is analogous to the Institute of Medicine dimensions of care.

So, in the old days before the IOM we might say, “I have a very safe widget. It will cost a million dollars but we should get it because it is so safe,” and now we say, “Well, how many lives will it save? Is it a fact of is it patient centered?” you know all of that and that is how I think about the framework now, so that we could say, “I have a way to protect data. It will cost a trillion dollars and fix one situation,” you know. So, we can’t just take one element. We take this context and so we organized this a little bit to talk about those dimensions but also to use it as an opportunity to say where did we have some challenges in understanding it.

So, if we begin with what was called oversight but let us use, Harry suggested call this entity; so what is a covered entity; what is the oversight; where are HIPAA, IRB, common rule, business associate, data use agreements and so on?

We heard that there is confusion among various testifiers about who they are and what their relationships are.

So, then it just says, “An entity can be covered and we have to commercialize.” I think that is what was on AMIA. All right, the second thing would be data structure and here we get to the uniform definitions, anonymous to identified and everything in between and can we get some clarity about that?

Third is patient consent and the questions we heard a lot are when is it needed and does protection follow the data and the dimensions from AMIA were opt in to no choice.

Then transparency and I think John Lumpkin really made that point and others as well that what is our patient education; what do the words mean when we are educating the patient and what are different models of educating and then that is informed to unaware and then regulatory or law, who governs what and we heard about the state laws and so that is an area and transport of data across state lines and then fully regulated to unregulated and finally accountability, enforceability, none to criminal sanctions and I think —

MR. REYNOLDS: Let me make one comment on what we are presenting here? If you took patient consent for example and some of us have been on privacy committees, and we continually went through opt in and opt out. So, we kind of were deciding which one but if you listen all the way from somebody may send somebody one letter and then opt out versus if you listened to Mayo yesterday, Mayo’s opt out is not a “Have a nice day; you are in.” It is, I mean they did a significant due diligence to do opt out.

So, that is not opt out over here way on the left side. That is opt out moving over closer to almost — it is hybrid and so as we are working through this as we try to go forward rather than just saying this or this those are some of the discussions as you listen to the different kinds of testimony because opt in we have clearly heard from people if you don’t get enough people you don’t have anything. On the other hand if you don’t tell them anything you kind of railroad.

So, as you think of the slide don’t just take one end or the other and you set it and so as we do our discussions and make our recommendations those are the kind of things that if we consider those, so that is why we are trying to put it up in that way to give some of those ideas.

DR. CARR: There was just one other slide that we talked about yesterday. Paul, we continued going on the in or outside but this is another way to look it. Purposes for use of health data. So, even in care you might have data for care but it might be for, I mean it might be for quality. It could be for other things and operations. You have data for quality improvement but you also have data for non-quality things, in research, quality, non-quality and in other commercial — commercial doesn’t equate to not quality. We heard of vendors who are assisting in quality enterprise and then the separation of internal or external. So, I think we are still struggling with how do we parse what we are talking about and then focus in on where we need the attention.

DR. COHN: My guess is, are you done now? Okay, good, because you wanted to hold comments until after you were done. So, Margaret and then Mary Jo, Steve and sort of around the room.

MS. AMATAYAKUL: I have two questions. Where is payment and is public health, do we sort of, is it missing because we feel it is included in there or is it missing because we feel like it is in good shape?

DR. CARR: I answer, right?

DR. COHN: You are the ones who put it up there.

DR. CARR: Payment is in operations. So, rather than trying to parse that more I think because our focus —

DR. COHN: I was surprised that that was your answer because that is —

DR. CARR: No, you are right. Give it to Harry.

DR. COHN: Would you want to answer?

DR. CARR: I mean we can add that in remembering that we did —

MR. REYNOLDS: Payment is in operations.

DR. STEINDEL: I was going to ask somewhat the same question. I also had another question but if you are going to list quality like you did there, quality slash other, I would add quality slash public health other.

DR. CARR: Okay.

DR. STEINDEL: Because public health actually comes, we derive public health information from all of those categories.

DR. COHN: Mary Jo?

DR. DEERING: You will know where I am coming from again and it is the prevention and the non-medical model approach again and I just want to put on the table especially with our client sitting over us, I mean it seems to me that one of the primary goals of public policy is to extend the period of time and the circumstances in which care is not needed, and so to the extent that we always focus on improving care and do not address our efforts toward improving health, through ways other than the delivery of medical care it has subtle but important differences as we have noted all along in terms of what constitutes data. So, I won’t repeat everything that I have said before but I guess I am not sure exactly how to operationalize it but I do think at the simplest it is to improve health and health care at a very minimum and then it may be as simple as that but then I am wondering how that falls out operationally in terms of our assignment.

MR. REYNOLDS: That is perfect at least because we are trying to build this so we can if nothing else use it as a filter to make sure if we all agree on the things we have got to consider when we come back and look at the letter and our recommendations that we have.

DR. COHN: Okay, Mark?

MR. ROTHSTEIN: Can we go back to the first slide or the second slide, the one that had harms?

Yes, thank you, what is the harm we are trying to prevent. I think that this is a very important issue for us. If we are going to be advocating a change and we are going to get to what we are advocating later from the status quo I think we have to make the case that there are substantial harms that we have identified both under the current regime and under an NHIN system where there is a substantial increase in the scope of the information that is disclosed and so I think we have to really flesh out these issues and some of them include recognizing that there are intrinsic as well as consequential harms from the disclosure of information.

So, people are not only worried about losing their jobs or their insurance or their mortgage or whatever from disclosure information. They are concerned about being embarrassed and humiliated and having sensitive information revealed.

There are other kinds of harms also that we need sort of catalog and one is the undermining of trust in the health care system and a sense of betrayal that I think Kevin addressed yesterday. Patients rely on their health care providers. They expect them to keep their information confidential and suddenly if they find out it is being sold or used in ways that they think is not appropriate that is not good.

It is not only not good from the individual standpoint but the actions that they are likely to take, a reluctance to seek treatment and deferral of treatment and then that raises all sorts of public health issues. We don’t want people with infections not going to see the doctor because of their concern, and the other thing that I think is very important to mention is the harms do not necessarily track the disclosure of individually identifiable information that even de-identified information raises some of the harms that I already mentioned plus as was intimated yesterday by our discussion of genetics the possibility of group-based harms. So, when information is disclosed of a genetic nature linking a certain genotype with a certain let us say racial or national origin group and the finding is that people with XYZ ancestry are eight times more likely to develop schizophrenia now you have got a group-based harm even though no individual has been identified.

So, I mean there are myriad harms that we need to recognize and use as I think a legitimate justification for more intervention in control of this information for non-health care purposes.

DR. COHN: Thank you.

Steve?

DR. STEINDEL: Again, of course I would like to comment on what Mark said and I think I really liked what he added but I was looking at this and seeing undermine trust in the health care system and I would suggest what is the good we are trying to achieve? I would add strengthen the trust in the health care system, put both sides because we have heard a lot in this testimony that there is a mistrust in the health care system.

So, we want to do both sides and I think that goes along with what we saw and some of what Margaret A handed out in draft recommendations about education, etc.

I am going to be a little bit picky. If we could go to the slide where you had your various slider categories, I think it is the next, yes, the framework slide, covered entity, covered to commercial, you can have commercial entities that are covered like a for-profit hospital.

So, those two terms are not logically the same and also in terms of data structure anonymous refers to removing the patient’s name specifically and it is not really identified.

If you want to be extreme I would call it unidentifiable to identifiable and that is just being picky but I think it makes it a little bit more logically correct.

DR. COHN: I think all these things are helpful from my perspective. I think one of the only questions I have which is something we will talk about and see what makes sense in terms of the story isn’t this slide. It is actually the slide where you are sort of parsing out quality and sort of segregating by purpose as opposed to quality. You were talking about various models where there are sort of overlapping circles as opposed to the sort of more or less one-dimension sort of view of things and I am just not sure that this helps me think about quality any better than anything else or public health or research and I mean I think the point that I think you are trying to make is that quality is infused in everything.

DR. CARR: Right. I mean on the AMIA slider they had quality, public health research and other and I think based on our conversation yesterday quality isn’t separate from those and because our focus is in particular to address the issues of quality I think that is —

DR. COHN: Sure, and it is just a question of whether or not it is overlapping circles that helps this.

MR. REYNOLDS: And again remember there was discussion about that and Marc Overhage had come up with an idea and so this is just a different way of —

DR. COHN: Sure, absolutely.

MR. REYNOLDS: In other words the issue was when we had the overlapping circles quality was really embedded in all of them. So, we just tried to depict it a little differently.

DR. CARR: I think the overlapping circles were two dimensional and in a way this is more three dimensional.

DR. COHN: John, do you want to next?

DR. LOONSK: I had a question about this point. This slide confuses me I think to some extent and in fact the four categories on the other side are overlapping as well, are they not? I am not sure. If the intent of this is to express the fact that quality is part of all four of those things, it is not a helpful taxonomy if all of them are overlapping and I am not sure exactly what the intent of this categorization is because I don’t think it is necessarily helpful and I mean if the point is to make that quality is involved in everything I think that could be made more directly. If the point is to start to build something from which one could separate some of these activities then I think quality and public health should potentially go on the left and one should realize that all these things are overlapping.

DR. CARR: Your points are well taken. I think this is an evolution that was going on yesterday as we were thinking of different ways to do it. So, this is just one of many models.

I think the take home is that as the AMIA slider had those four quadrants as if quality were separate from public health and separate from that and what we were trying to depict yesterday with overlapping circles is that quality is a part of those things and initially I mean I just added public health because Steve said that, but you are right. We have to clarify what is the question we are asking and then is this answering it, and I agree with you. There is ambiguity.

DR. LOONSK: Similarly on internal versus external I think that it is not, I mean clear what to what.

DR. CARR: Again, maybe Paul could speak to that.

DR. TANG: I will do that as part of my comments.

DR. STEINDEL: John, we had a lot of discussion about this yesterday and I think what we are meaning when we put like quality and public health in the right hand column is when the data is derived for quality or public health purposes from operations it takes on a certain set of attributes.

When we derive it from research it may take another set of attributes and another set of criteria. So, we are saying it is aspects of all of those but it expresses itself differently when it comes from each, may express itself different from one of those and this was just done to organize our discussion thoughts, and it may break down in the end.

DR. CARR: I think, and Paul will elaborate but also we thought we want to focus on, we don’t want to focus on quality as part of TPO that is already covered or research that is already in the IRB, but we want to get the things at the edges where things transition and there is ambiguity.

So, that was the internal/external. Those might not be the right words. Paul has some others.

MR. REYNOLDS: I would adjust that just a little bit because I think one of our charges is what policies, what other things need to be in place for quality as well as other things to occur and I think part of what we are saying here as you look at this, when you look at operations an awful lot of the quality that we heard that fits under operations may already be covered in all the right ways and maybe we have got to do a little more with transparency and a little more with other things. So, that is partially, again, this is a thinking document, not necessarily an end document because we heard a lot of different testimony going all over the place and as we try to frame in the end where would new policies be needed, where would other things be needed it may not be.

You may draw a box around some of those categories and say that they are just fine like they are or we may have to do that.

DR. TANG: John’s question is — what is the question. For this particular slide and actually the question posed to the entire group was this whole notion previously described as secondary use and it is really how do you make sure that you can use data for appropriate and quote, good uses while protecting it from getting exploited for others that are not as good and part of the central component of that question is how do you maintain trust so that you can use it for research quality in public health.

Kevin came up with a metaphor of semi-permeable membrane. So, there are all the things that you normally think of for care and treatment which are well understood and then there are other uses and then somehow in the semi-permeable membrane metaphor things escape and it really from the testimony and I think Steve was saying there is lots of good uses that are well accepted like research, people not only, despite the fact that there is a technical definition the public pretty much understands research when you talk about it and they accept the protections in place, and the same applies for the common use of the term “quality” and public health.

Where we had the most, Kevin’s word again, outrage is when it gets sold to people the docs and the patients are not aware of and for uses which those parties are not aware of and so, that is actually the semi-permeable membrane situation where it leaks out unbeknownst to folks. If there were a single gate and you had a set of criteria I think a lot of people would be accepting it if we understood the criteria.

So, that is the long-winded introduction to the internal and external. The innie and outie comes from belly buttons, and, also, it seems to me that if you come up with a very complex policy you might as well not come up with a very complex policy because it is never going to be implemented. A little bit of that can be said of HIPAA, a very well actually thought out document but we also heard about how it is misinterpreted and sometimes misused.

So, if there are ways where we can describe this process of data leaking out or avoid the exploitation of data it seems like simple definitions would help that process and that is where the innie-outie came from because it was so hard for all our testifiers as well as us to distinguish between quality in research and when it crosses the bounds. We know what to do when it tries to cross the bounds. We didn’t know what to do to call one piece of activity quality versus research and so if it stays within the membrane or the boundaries of the organization then you are allowed to do what HIPAA would call an operation. Once it escapes out for whatever reason then it must go through a single gate with a well-defined process and criteria, and that was the purpose of that bullet that said — so the question that is answering is how do you control the use of data other than for direct patient care so that those harms from slide 1 don’t go ahead.

DR. COHN: I think we are all still talking about exactly what you are describing. Did you have a question or a comment or were you just responding to John?

DR. TANG: I was just responding to John.

DR. COHN: Okay, I tried. I wasn’t sure whether you had an additional comment or not.

DR. TANG: I do, but I will wait.

DR. LOONSK: I had some follow-up questions on what was just presented. I would be happy to express them now or save them for a later time.

DR. COHN: Why don’t you express them now in the conversation and at a certain point we are going to cut this one off and go actually to the specific recommendations that we have been sort of working on.

I just wanted to warn everybody that this is not an unlimited discussion and this group likes to talk about high-level frameworks and we actually also have to talk about directions for recommendations, but, John, please?

DR. LOONSK: I recognize that there is value of simplicity in the internal versus external. I heard a fair amount of conversation about intentionality versus physicality in terms of not necessarily where it is but what the intention for which it was provided which somehow also maps into the degree of consent that has been given. So, you could potentially be, your intention is to seek care even if theoretically you didn’t give any kind of consent. You were there to seek care and there is some information that needs to be there to support that activity and then the added complexity of consent. So, I wondered if indeed it was the consensus of the group that internal really meant a physicality like care and everything out of there or whether it was more on an intention axis.

That is my first question. My second question is about something else I heard and have heard about potentially a different layer which may suggest three layers wherein the complexities of defining research versus on the commercial sector versus non-commercial sector where research turns into marketing where there are a number of different delineations, for example, where people even if their information was being used with what could be perceived as good intent informing them of something available to them it took them by surprise because they didn’t know it was going to be used that way.

So, I wonder if even in public health we can express it as a public good and the attractions of it and that there are a lot of people who support that need. In practice there are some delineations there that exist, whether data should be always identified versus managing it to protect it in a pseudo-anonymous way or some other way because that helps with its general protection; the issues of whether data are accessible to subpoena or to FOIA as an example at another level of consideration even in public health and so my two questions are one, is the first the internal and external about intentionality or about physicality and second is there perhaps another shading beyond internal and external that suggests that maybe at least three levels are definable.

DR. CARR: We did have intention of use of health data. I think that is what we were talking about yesterday, and then as you were saying the semi-permeable membrane really is when research moves to marketing, when QI moves to research and then your question about is this subject to subpoena. We can talk about that.

DR. LOONSK: A specific example just to point out perhaps variations on that.

DR. CARR: Right.

DR. VIGILANTE: I think I agree that it is regarding intentionality and just to make it more concrete I think that when you assent in your HIPAA notice of privacy there is, your intention here either spoken or unspoken is to relinquish information to your provider so that the provider can care for you, and I think that you assent to other uses that you see somehow connected to that care and I think that if it is the either implied or explicit intention here that the data will be used you will permit the data to be used in that way.

It is when the data is used in ways that are remote from what a reasonable person would have intended based on that interaction that I think we get into trouble and when we are referring to that leaky membrane it is the information that you yield up with this intention and being collected under the rubric of HIPAA and other protections when it leaks out tertiary, quaternary uses some of which may be for sale that is where some measure and heightened measure of concern and scrutiny is invoked and I think that when we think about intention there is another dimension to this. It is both intentionality and agency.

So, even though when I relinquish my information in the context of a care encounter there is no explicit mention to me that my information may be shared for public health purposes.

I think that as the secondary use becomes more or when the agent using it is more consistently aligned with my interests and the interests of my community then I think it is less problematic.

So, there is sort of this balance and as the user more and more remote users can be perceived as being agents of mine or in alignment with my interests it becomes more and more problematic. So, I think there is the intentionality balanced with agency are two important concerns.

MR. ROTHSTEIN: I think the internal versus external dichotomy is taking on more weight than it can bear.

Let me put it in context. I think it was originally suggested in the context of how should we analyze all of this quote quality activity that is going on and try to separate what we think is okay from what we think is not okay in really sort of rough terms which is fine as I think a consideration. I think it is a valid consideration in that context, but what I hear growing out of that is sort of a general application of this characterization that is totally not supported by what I think anybody would want to do here and really is counter to many of the provisions of the privacy rule.

So, for example, the privacy rule itself does not now recognize a distinction between internal and external as such. If you are talking about separate rules regarding when information can be released there is lots of information that can be released without authorization, without consent externally to the government for monitoring various compliance activities, for public health agencies, to law enforcement as needed and so forth. I don’t think anybody wants to take on all those various exceptions.

So, if we are going to use internal versus external which I think is a valuable consideration for framing rules that apply to —

DR. VIGILANTE: Could you define what you understand internal/external to mean?

MR. ROTHSTEIN: You see, that is another problem. I think internal means that the health care provider is using that information to try to figure out whether for example the quality of care is adequate and what is the length of stay.

As a way of breaking down some of the broad health care operations area let us take a look at whether it is staying inside or whether it is going outside and I think it is a very good thing to look at but it doesn’t trump all other considerations. There may be other reasons. We still may want to have a lower standard apply to government reports of quality or even accreditation reports of quality but if it goes outside for let us say a commercial purpose then we want to say, “Well, no, you can’t do that that way.”

I don’t want to get into the specifics of what —

DR. VIGILANTE: It is consistent with what people were saying.

MR. ROTHSTEIN: I am concerned about applying it to research and I just think if you are talking about a consideration in the health care operations area I think that is great, but I would caution against sort of pushing that too far. That is all.

DR. COHN: John, did you have a comment and then Paul?

DR. LOONSK: Thank you for your indulgence. A question would be whether if it is used internally for marketing purposes would that be acceptable. It is a rhetorical question and I think that the term internal and external is fundamentally problematic and without suggesting to put a fork in it there is a very strong attraction to having something that is simple here and actionable and for me it comes down to the actionable part and I think part of the issue here has been that there has been a discussion. I will just put my cards on the table, there has been a discussion of what is necessary in the context of public health and in the context of operations and then there has been a question of things that are not, that are for consideration for opt in or opt out and I just wonder if that is the wrong equation and whether the action here is three tiered and that there is an opt in component and activity or data, an opt-out component and a piece of it that is necessary and for which there are societal goods that those data need to show to need to be used and so I think the attractiveness of the internal versus external for me is on the intentionality side and I am not sure if internal and external are the right words to use in that regard per se but there is an attraction to that, some level of simplicity. I just wonder if it has to go one step farther.

DR. COHN: And obviously you bring up trust and timing and everything else.

Now, Paul, we said that you were on next and then Kevin we will let you comment and Steve and then I actually would like to at some point transition into actual recommendations as opposed to high-level frameworks. So, we have a couple more minutes and then we will transition.

Paul?

DR. TANG: Okay, so the appeal of simplicity, that was the internal/external, the problem with intention is you have to go inside the mind of the person grabbing the data which is where also we heard about the potential for abuse.

So, a back up to that might be another idea that came up is to disclose what you are going to do with it and it is the trust but verify kind of approach so that —

DR. LOONSK: Did you say that you have to go into the mind of the user or the —

DR. TANG: The person that grabs the data.

DR. LOONSK: Is it the group talking about intentionality from a provider or secondary user perspective or from a consumer perspective?

DR. TANG: Secondary user. So, a common way for folks who want to go and get data to resell or unanticipated uses, unintended from a consumer point of view is to come in under the TPO, the operations or quality, the state definition of quality and then go once they have it and go do whatever it is they want to and so that is why if it is going to leave the house it has to go through one gate and that gate has well-defined rules. That sort of helps protect how it gets out and the back up to that on enforcement is when you left the gate you had to disclose what data you were leaving with and what purpose and then this makes it also transparent to the person who is subject to the data and often it is the auditable use.

On the first slide, please? So, what harm we are trying to prevent, one of the ones that is not up there is harm to the patient due to data that is, due to incomplete information.

DR. CARR: It could be incomplete. It could be misunderstood. It could be any number of things but we could word smith it.

DR. COHN: Paul, you are describing the word “configuration.”

DR. TANG: Yes, I didn’t understand what that meant, so just lack of information due to inaccessible information and then the second slide I think or third slide. Oh, the change to entity oversight, the original reason for using oversight is again the guardian of this gate.

When Mayo described their policies or NCHS described their policies that looked like I could turn over, I could delegate the purview, the oversight function to those organizations because I believe the process was robust and I believe these were honorable people. That is what oversight is. So, that is not the same thing as entity. So, if you want to create something new I would look at your use of the word “entity” as more in the regulation side because covered entity has a certain regulation but oversight really was meant to be oversight.

The common rule is the policy that oversees federally funded research but that notion would be good to have somebody look at research in general.

So, to me that is a mixing of things.

DR. COHN: Paul, thank you. Kevin and Steve.

DR. VIGILANTE: In keeping with the theme of simplicity I think our struggle is where to focus our energy and what to say at the end of the day and what to say it about.

So, one of the I think as we think algorithmically about this, one of the things we need to identify is the areas of most significant risk and so I am not saying that this concept of leakage is the only risk but it is at least one that we should consider very carefully and when I talk about this issue of leakage or leaking from the inside to the outside it actually pertains to the intentionality of the donor of the information, that somebody presents to the health care system in some way with an intention to be cared for or prevented and they yield up information with that intent and they yield it to somebody who they assume, the intentions of the person to whom they are yielding it that their intentions are aligned with mine on donating it, and that this is covered by HIPAA.

The problem, one of the areas of risk that we probably should comment on I think is what happens when it is collected under that rubric but then used for purposes that are very remote or unimaginable to the person who, the intentions of the person who originally donated it and so when it leaks from being collected under the rubric of operations and then is sold for other purposes that the donor could never have imagined and might object to if they knew about it, I think that is problematic and an area that we need to focus on and whether that is dealt with by some sort of, and what the mechanism is to deal with that is not clear, whether it is some sort of black and white opt in, opt out, some hybrid version of it I think is part of the problem here.

I think it is however, less problematic in areas of public health which are from long traditions of laws to govern this and it is less problematic in most areas of research that are governed by IRBs.

So, I think one area of risk and concern should be around when data is yielded up with the intention, with one intention under the rubric of HIPAA under TPO and then leaks out to be used for other intentions, other purposes that could never have been intended by the donor.

DR. COHN: Kevin, thank you.

We have a final comment from Steve and then we will wrap up this segment. I do want to remind everyone that just at the end of the day we don’t so much have to persuade John; we need to persuade everybody else in the room.

DR. STEINDEL: I don’t know how much I have to add to Kevin’s because Kevin’s eloquent talk yesterday actually was the one that made me start to be convinced about internal/external and how the semi-permeable membrane works as a nice model for telling us when to start thinking about when to talk about what type of controls should be put on it and Mark made a very good point yesterday about internal and just because it is internal that doesn’t mean it is totally free of anything. It is still covered under a whole set of HIPAA rubrics that still prevent everybody internally from looking at the data, etc.

So, it is not a free pass in any way but when it is internal and it is collected for care purposes and if we are looking at it from a public health point of view if internal is collected for care purposes and you find a reportable disease by law that is cleanly covered under HIPAA, and it is covered under state law. There is a societal good that has been well established for several hundred years. It goes out.

Now, if you take a look at the same data that is collected for care purposes and we use it for biosurveillance programs which we are just instituting there is still a lot of discussion about how that data should be released. There is a universal idea that it is good to release that data but we are still talking about how.

So, that is an area that I don’t think we are going to discuss in this report but where that semi-permeable membrane has gotten a little bit blocked and I think you are well aware of that, John.

DR. COHN: With that I am going to sort of begin to transition. I would observe that in many ways, and we have talked about what we considered to be the charge which is sort of this conceptual and policy framework, and a lot of what we have been talking about is sort of the conceptual how we begin to put this all together. The other piece as I said of our charge is moving down into talking about recommendations to HHS on additional policy guidance, regulation, public education, and I think that is what is sort of the next stage of the activity that we need to be doing somewhat simultaneously, continuing to go back and check because I think there is still some fuzziness about our conceptual piece but I think in each conversation certainly when people are asking us does it make sense, it helps us begin to refine things.

Now, Margaret, do you want to begin to move us into some of the conversation about some of the high-level draft recommendations? She wants to get our sense about them. I don’t think that we should take any of these as I mean, certainly nothing is given here. Nothing even has the, I mean there is no full support on any of this stuff. We have seen them before. In many cases they are sort of options and I thought we would just sort of walk through and, Margaret maybe you can sort of —

PARTICIPANT: — a blank sheet of paper.

DR. COHN: A lot that is a blank sheet of paper and probably you can only talk about high-level conceptual issues for so long before you realize you actually need to come up with some recommendations.

So, Margaret, do you want to walk us through, and I guess you want comments and discussion on each of these issues.

MS. AMATAYAKUL: Yes, that would be extremely helpful. You know I really think it might be helpful though to take a moment and have everybody read from start to finish as opposed to let us just talk about the first one and not get to the fourth one or whatever.

I think you and I talked this morning about the second one maybe not being in the right place and it might distract from getting to the third one or whatever. So, I think that would be helpful.

DR. COHN: In that case what I am going to do is give everybody a 5-minute break to read as well as take a bathroom break from the last hour of conversation so that we don’t have people leaving in the middle of the conversation. So, why don’t we take about 5 minutes, read through and then we will get back together?

(Brief recess.)

DR. COHN: Now, Margaret what I would like you to do is to even before we start I mean obviously some people have sort of begun to look through this one, but if we can at least just run through and talk about the topics of each of the recommendations before we go into the specifics of them just to sort of begin to get people’s temperature, see where we have agreement and not as we sort of move forward.

So, Margaret?

MS. AMATAYAKUL: Basically what I tried to do was take things I have heard and craft a statement that is for you to say, “Yes, I agree,” or “I totally disagree,” or “We need modification,” okay?

So, that is sort of the premise I guess to think about this. First, there wasn’t an exact order to this but something that seemed fundamental to me was this whole issue of de-identified data and some people think de-identified data is a license to do anything and everything and other people feel it is not and that we need still to focus people’s intent on that.

The second one is to look at an evaluation process that enables modifications and updating of HIPAA without it being some monumental onerous task that scares everybody until it maybe doesn’t get done.

Is this the kind of high-level things you are talking about, Simon?

DR. COHN: Yes, that is the level.

MS. AMATAYAKUL: We did add one that is not on your document this morning with respect to require covering in the MDA(?) to attest yearly, in other words to have a process that is something a little bit akin to the Sarbanes-Oxley and how many non-profit organizations are starting to take formal steps to evaluate internally.

We, also, looked at education, communication program, a lot under there really looking at everything from you know understanding the landscape to target specific messages to specific target groups, to using our glossary of terms, to dispelling HIPAA myths that we would keep enumerating, things like proactive self-policing, a lot more transparency and things like that, also, looking at the classes of HIPAA covered entities. Today we have three we know and do we need to add a fourth that might be data storage that might cover other organizations, looking at the means of appeals and waivers. Some people have been successful in invoking waivers to get innovative practices that might help inform some of the modifications, make that perhaps easier, more visible to the community and then without totally dismissing state’s rights to try to get across that there needs to be a way to deal with the state areas and is there is some way we could put that in a compendium on a web site or something where at least we would know what they are as opposed to stumbling upon them; set up more proactive investigations. CMS and ODAIR(?) have just started doing that and this spring they started doing that.

Step up enforcement. That might be something that would help people recognize the importance. We are sort of losing it I think with HIPAA. They are not paying as much attention as before.

Perhaps harmonize definitions between operations and research especially with respect to quality in research and perhaps OCR and the Office of Human Protections can really help to do that together and achieve consistency in IRB application of rules perhaps by a common set of criteria, maybe again posted to the web or something like that where they can go and do a checklist, so some very broad things, some very specific things.

DR. COHN: And certainly not a complete list of things.

MS. AMATAYAKUL: And not complete by any means.

DR. COHN: Okay, how would people like to do this? Do you want to just sort of run through or have people give initial comments?

Steve and Mark you wanted to comment and then Paul I know you wanted to comment and then Bill.

MR. ROTHSTEIN: The first thing I wanted to say is that in drafting these we have to be mindful of other recommendations that we have previously made to the Secretary and I would note that recommendations 2, much of 3 or several parts of 3, 4, 7, 8, 9 and 10 have been addressed to one degree or another in our letters and that for example in our June 2007 letter when we recommended extending health privacy coverage to anybody who basically touches PHI that would be inconsistent with if we adopted recommendation 4 or it would be inconsistent with this new thing that was added about covered entities and BAs of testing because in effect we have done away with that by recommending that everybody be covered. So, that is the first point I wanted to make.

So, everybody is covered by a privacy rule, there is no BA.

DR. COHN: May I ask you a question about that one because I guess I had thought this in a couple of different frames? I mean what you are describing now requires not modifications to HIPAA regulations but modification, new legislation, and I think we described this as potentially multiple tiers of recommendations which need to be consistent with our recommendations.

MR. ROTHSTEIN: What we could say is that we have previously recommended X which Congress would need to do. In the absence of that we would recommend that the Department do Y. That is okay, but I think we need to recognize where we are.

Basically I want to talk about 1 though. I think that that is the essence of what we have been asked to deal with and it needs to be totally fleshed out. I think that is the problem. These are options. I would say that the second option or modify HIPAA or the privacy rule to address restrictions on data, it is not just de-identified data. I mean we are dealing with this sort of problem area in health care operations where it is such a broad area you can drive a truck through it and there is no requirement that the covered entity use the information in de-identified form.

So, I think while we heard a lot of interesting testimony on how you de-identify and the value of that and it should be addressed, I think it is just one part of this. It is not, our focus should not be entirely on de-identified data. It includes data and I think the answer is after reading this saying, “Well, half,” and that is what we need to discuss. I mean how should we work through if we want to differ from existing approaches which basically says that there is no requirement, that the individual has consent or the opportunity to opt in or opt out or anything else other than giving the individual the notice for TPO. What are the attributes of the information or the parties or the uses and disclosures of the information that we think that maybe some heightened rule should apply to, and then what should that heightened rule be, and I think those are the two things that we still need to resolve and that is under No. 1. I think all the rest just sort of supports that. We have said education for you know at least 5 years that I can think of and some of these other things, not that I have changed my mind on the importance of it; it is just I think the essence of whether our letter is sound, defensible will be viewed as something that ought to be implemented I think depends how we address those two questions.

How do we distinguish between information that should get some additional level of protection that it currently doesn’t get and then what should that level be?

DR. COHN: Mark, thank you.

Paul Tang?

DR. TANG: So far in the testimony I think the thing that comes closest to giving me more comfort, more confidence and in essence as a proxy for the patient for these sort of data is listening to the Mayo description of what they did and so trying to analyze that what makes me comfortable is the robust process that they have in place and the robust way they implement that process. That gives me a lot of comfort.

So, I think our goal is to clarify, demystify and decrease the ease with which data can be acquired and misused.

So, one addresses the first recommendation which is almost to get rid of this whole shroud of de-identification. It is one of those words and that is sort of like what quality has been used for. Everybody says that they de-identify and if we say, “Recommendation 1 is your free ticket,” everybody will jump on that free ticket and in contrast I think what we heard through testimony is there is almost no way to de-identify data in the proper sense, certainly no way without, while preserving the usefulness in research, okay?

So, nobody is going to even want to pay for de-identified data. So, it almost never gets asked for in that form. So, in some sense having it out there as a free ticket is not helpful.

The second piece has to do with this whole quality, the use of the word “quality” because that is another one of those good-sounding words that nobody can define. So, there is another inexpensive ticket which is why we came up with this inside/outside, innie/outie thing.

So, it seems what we need to do is take something like the Mayo model which can give confidence and trust which is make it transparent, make it understandable and disclose how it works in an understandable way to the subject of the data.

MR. REYNOLDS: Would you add robust to that?

DR. TANG: Yes.

MR. REYNOLDS: You would add robust to that same sentence?

DR. TANG: Yes, thank you, and at the same time because no process is perfect in terms of being able to describe in an understandable, robust way I think we actually do have to stop the leakage somehow. So, we have got to cover up this semi-permeable membrane and make one well-defined robust understandable gate with its process and its implementation of that process and then have an accountable disclosure. That is this list thing. So, if I am going to take as people leave the gate, they just sign up, data source, who am I, what am I using it for, it is not an administrative burden but it is a check because then we can go in this way, come back and if I find you and you didn’t post this on your check out to this gate then I can come get you, and that is the Sarbanes-Oxley or that is that model which is I declare.

So, because in another observable operating form I would have to say that HIPAA as much as it can be misinterpreted has definitely had a net increase in the protection of confidential health information.

I would also have to say Sarbanes-Oxley has definitely had an increase in people’s attention to the things that it was trying to address. So, as much as I don’t want to over regulate or over legislate the world those two examples show that you can improve the internal process of organizations and result in a net benefit in terms of privacy and the use which turns around and makes data use accessible and useful for others doing, well, we said, quality public health research.

So, I guess the consequence of all that is we should focus in on those recommendations rather than a lot of other things.

DR. COHN: Bill, and is this directly on this, Mary Jo or do you want to —

DR. DEERING: I just wanted to make an observation and make sure that I was clear on it, and I am trying to make this as neutral as possible which is that the directions that we are going especially based on Paul’s last comments would place the Committee firmly and conclusively in the camp of extending and improving HIPAA as opposed to any other approaches.

There have been times in the past when it was reluctant to finally actually go that far. People were too realistic about its deficiencies. So, in the past there have been clear statements that, you know, such as HIPAA.

So, just for the record this would constitute a decision that that is indeed the path to go as opposed to considering anything else. So, I just wanted to make that observation. That is what it is sounding like to me from the direction of the conversation that all of the recommendations go towards changing, improving, extending, modifying, applying HIPAA as opposed to any —

DR. COHN: Mary Jo, let me just because maybe I am confused and let me just try to react and it is the same reaction I had to Mark which is that I see and we just need to keep sort of loose that there are multiple tiers of recommendations.

I mean for example, Mark started out by saying that we have so far gone and said, X, Y and Z which require new legislation and I think that is one tier of recommendations knowing that those are a little less likely potentially to happen but that doesn’t exclude things. There is a whole other tier that is called improving current regulations which is different than legislation and so I think we just sort of need to keep these sort of separate knowing that it is within the province of HHS to improve, refine, clarify, provide additional guidance on regulation and so that is an area where if we say something it is more likely actually probably to happen.

So, I think I would rather than trying to have to take one or the other I am just sort of trying to frame these in ways that we can sort of work on them and maybe help the department in the process.

I am not sure if I am saying anything so different than what you are but I am just trying to frame that I think we do have some options and there are some high level things we can say that may be slightly different than what you were just describing.

DR. W. SCANLON: This may be related to that, I mean what you just said and in terms of the kind of recommendation we make because I think I am very much in agreement with Mark in this and I am not going to comment on all but just the first part of Paul’s comments because I think that there is a lot of these recommendations that I think are positive but they are not necessarily dealing with that future that I keep seeing focused on which is potentially a different world and I would characterize some of these as I mean there is both the issue of who is going to be the actor in terms of carrying out the recommendation. There is also an issue of whether some of them are transitional and my future is not tomorrow. It is maybe 10 years down the road, maybe sort of longer, etc.

I think we need to worry about it in terms of what it is going to entail because government has trouble being nimble and changing quickly as circumstances change. So, they want to put something in place that is not so tailored to the present that it is not really applicable in the future but again echoing Mark, it is recommendation 1 that I mean I think is critical because and Paul almost used the term, de-identified data is going to be an oxymoron in the future and de-identified useful data is potentially an oxymoron today and so, the issue is okay if you are not going to have data that can be de-identified what do you need to do sort of in those circumstances and if I understand the HIPAA approach it is kind of formulaic as opposed to what we heard in the data linkage workshop which was if I am given the charge that I have to make sure that I do not disclose anything that is confidential, what am I going to do, and the answer in the data linkage workshop was I am not going to do anything. I am not going to let any data out, okay, and so you don’t want to create a world where you have set up an obligation that is chilling in terms of limiting the kinds of uses that we are talking about as being positive.

You want to set up a framework that there is actual possibility of progress in terms of these uses simultaneous with the protections and avoiding the risks that we had up in Justine’s slides, and so it is focusing on that is where I think we need to be and Mark laid out a very nice set of questions in terms of what you have to answer in order to focus on that.

DR. COHN: I guess we are getting questions now. So, thanks.

Marc?

DR. OVERHAGE: This is heretical but I will try to anyway. I almost think that we should think about a recommendation and I don’t know enough to know what category this falls in your levels of recommendations but it is easy to say what it is not. It is harder to say what it is, but uses of the data which are for marketing for commercial gain for I am not quite sure how to say that, and I am partly trying to distinguish commercial entities doing research are not in the category I am trying to describe, the uses of PHI for those purposes without explicit patient and I am not sure if it is authorization or consent that we want to say should simply be prohibited because I think it fixes a lot of problems.

DR. COHN: Margaret initially had her hand up and I know Paul has his hand up. So, Margaret, did you have a clarification?

MS. AMATAYAKUL: Yes, I have a question. So, the data, are you referring to in whatever form.

DR. OVERHAGE: In whatever form.

MS. AMATAYAKUL: Okay.

DR. OVERHAGE: DHI, no matter how it got there, no matter how it is de-identified —

DR. COHN: You don’t mean THI there because THI —

DR. OVERHAGE: I am sorry derived from THI.

DR. COHN: Paul?

DR. TANG: I think it is going to end up like prohibition in the sense of you will have more people — right now there already are people that work through others, CEs to get the data. I think that would increase if you had that prohibition.

So, I think which is why I sort of get into the make it open and let conscience and the transparencies do some of the work to run some of these more nefarious schemes.

DR. OVERHAGE: I like the idea of transparency and we talked off line a little bit about you are required to post uses or whatever. It is going to be very easy to hide that I would say, too, I mean you know it is sort of the, there is always some intermediary that can post it somewhere that sounds reasonable, I mean if that is what you are worried about. I don’t think it necessarily helps that.

I guess what I am thinking I mean where I am coming from partly here is there is obviously this gradient of risk to the individual and trust and tolerance of the individual and back to the issue of expectations about use and I think that many patients would especially with just a little bit of nudge would say, “Yes, you know, I can see the societal benefit of participating in research and so on as long as there is really a pretty small risk to me,” and you have to assure that through transparency and process and oversight of the organizations that do that, for example.

What I was trying to do is say is there a piece that we cut off and we just say, “You know what it is just not on the table,” and that way the expectation for the individual is that their data would never possibly be used for that sort of stuff without somebody coming and asking them and obviously you know it is their data and their right and if somebody comes and asks them, sure.

MS. AMATAYAKUL: So, for the data that is not for commercial gain it is free to be used in any way, in any other legitimate way?

DR. OVERHAGE: That is kind of where I was going and partly I was sort of doing a picture. I mean there is a continuum obviously and at least in my mind there is a scale of use from sort of clinical care through operations and public health and research of various kinds that at least I would assert that there is a level of, that the patient would be accepting and appropriately protected if there were a process and controls and I would like to start by kind of thought around organizations that are using and managing data and it gets back to necessary IRB approval and all the things we have been talking about that provide, so for example research where it is, you know there is always risk. You never totally de-identify but with carefully controlled organizations and there is a degree of trust obviously through public and insurance companies and research entities and so on. There is a gradient of pre-existing trust and part of what we are trying to achieve with some of the other things we are talking about is building increased trust by making the process trusted and the oversight trusted for those organizations and so as long as it stays within the, I guess what I am trying to say is there is a process where Mr. Consumer or Miss Consumer you really don’t have to worry about uses within these boundaries. We prohibit this which would make people nervous. There is a continuum here and here are the processes that help ensure that the organizations who are touching the data and I like the notion of focusing on organizations who touch and use the data, not like in No. 4, who are all the named organizations because I think that is very hard.

DR. COHN: Okay, well, without trying to argue one way or another on this what I think we are hearing are people trying to delve down into one. You know Mark began to create a structure. We have both Paul with one view of how it should work out, Mark, your view. I just want to make sure.

What we are going to do is we are not deciding right now. What I am trying to do is get things on the table to make sure that as we sort of look at them and understand their ramifications and we will sort of move down.

John Loonsk, you are next and then we have Steve Steindel and Mark Rothstein and I see Mary Jo at the end here.

DR. LOONSK: I just wanted a clarification on Marc’s comment as to whether that would include publicly disclosed data as falling under those controls in terms of your statement?

DR. OVERHAGE: Yes, and we want to talk about the kind of use cases because I don’t think it prohibits necessarily, would necessarily prohibit for example public disclosure of quality measures because that is not a commercial individual gain use.

DR. COHN: Okay, we are just playing with things.

DR. STEINDEL: I am on next which is one reason why I chose to comment because I can now have the floor a little bit on this. You know basically I think I am to a large extent in Mark Rothstein’s camp on this and Bill’s on you know we need to talk more about item 1.

I think we need to talk more in terms of recommendations in talking a lot more on the risk/benefit equation that we heard discussed and the need to make people aware of it which means I think we need recommendations more in the area of transparency in education.

I think we also need to talk and I don’t know whether this would come in the area of recommendation or not but this goes along with some of what Paul was saying is that we heard numerous evidence of people doing it successfully under today’s what some people perceive of as restrictive guidelines and without really I don’t know if it was that much effort. So, I think we need to balance that in when we talk about risk/benefit and I think this plays a lot on what Marc Overhage just suggested. I find that Paul’s concept of the gatekeeper, Mark’s concept of total restriction on any commercial use when we were sitting there listening to the fifty-ten discussions in the early part of this week one thing that really bore down on me very hard in saying that we —

PARTICIPANT: Fifty-ten?

DR. STEINDEL: Fifty-ten is the new HIPAA transactions, the next standard and it is just the process that is really relevant to this discussion not the item. What it struck me is we are still continuing in an IT unsophisticated world in health care, that we have a huge number of practitioners who are out there who are not very sophisticated, who take a look at anything that says, “Create a list,” or “Total prohibition,” and their immediate reaction is, “We can’t do that,” and we have barriers that are, whether they are real or perceived that prevent us from moving forward for a number of years and so I find the measures of what you said about oh, it is easy, let us just create a list; if they are on it we can do it; if they are not, and Mark comments about well it can just never be sold for these reasons, those types of black-and-white decisions do not play well in the health care world.

They do play much better in the Sarbanes-Oxley world. We are dealing with a totally different world. There is an IT sophisticated set of people. There are people who are used to these constructs who can live with it. They may not be happy with it, but they can live with it and so they move forward better and I think we can’t use that as a one-to-one comparison and I think we have to use the uniqueness of the health care environment and our intent, the President’s intent to move the health care environment into a more electronically sophisticated realm over the next 10 years; until we get to that realm we can’t talk about a lot of these sophisticated measures that we would like to talk about.

The first thing that went through my mind when Mark said that we can’t sell it for anything is immediately these databases get put up for sale from India you know where we would have no control at all. People are going to find multiple ways around it and still make money on it.

DR. COHN: I would just comment as I move it over to Mark Rothstein at this point any decision, anything that we eventually come to in all this stuff obviously also needs to reflect some of the framework discussion which is the balance between benefit and harm. So, we also need to as we begin to move through this stuff and begin to write them down, we just need to reflect and make sure that benefits are helped; harms are minimized and mitigated.

Mark?

MR. ROTHSTEIN: I think it is a valuable discussion that we are starting now on what conduct we are trying to prohibit. I am not sure I would just stick to the commercial applications but I think it is a starting point.

I have two things that I want to suggest we not, two paths that I think would be not very productive if we went down them. One is I don’t think it is a good idea to over rely on IRB processes. Many of the actions that I think we would deem to be unacceptable data mining would not be considered research and would not be subject to the common rule.

Another reason under the IRB processes that OHRP has a looser definition of de-identification than the HIPAA privacy rule and so that is one of the things that we have asked them to sort of harmonize and so it is easier to satisfy the OHRP definition of de-identification than the HIPAA definition and if you think about the purpose, the express purpose of the common rule is to protect the quote welfare of human subjects of research.

Now, one aspect of that is their privacy but it is only an aspect whereas the privacy rule for all its faults that is the purpose of it.

The second suggestion I would have is or opinion is not to over rely on transparency as a substitute for rules. I think transparency is necessary but not sufficient to deal with this problem. Transparency in theory is what we have now under the HIPAA privacy rule where you have got the notice of privacy practices which theoretically advises people of the uses and disclosures of their health information and just speaking for myself I was thinking whether I am or not I consider myself a relatively sophisticated consumer of health care and how would my behavior be influenced by greater disclosure of the uses and disclosure of my health information and the answer is it wouldn’t because if I want to see a particular provider in a particular hospital and I have made this choice because I think they are the best then I am just going to have to suck it up and go with whatever their rules are and there are other quote less sophisticated people who won’t, the restrictions or the rules would not register with them or they won’t care or they have even fewer choices because they may be in a network that they have to use hospital A or B.

So, I am a supporter of transparency but I don’t think it is a substitute for doing some of the other stuff that we need to do.

DR. COHN: Thank you.

Mary Jo Deering and Harry Reynolds?

DR. DEERING: Just another reminder that I think we have said many times that we want to be very careful about how we characterize commercial because we do live in a mixed health care system where there are for-profit entities and it could well be that one of those unforeseen things that happens within the next 10 years is a universal health care system but in the meantime I think for us to be mindful of the unintended consequences of penalizing, forbidding, prohibiting, over regulating and I am not necessarily a free marketer but I just think we need to be mindful and conscious about anything that we do in that area.

MR. REYNOLDS: I want to play off of Steve’s comment because most of the people and I liked what Bill said earlier about the transition, you know between now and 10 years from now because most of the people out there right now are implementing anything that is said, whatever it is, one regulation at a time. They are not looking at the overall picture.

I think transparency is really a naive concept right now versus what it is really going to need to be in 10 years.

So, the same way as we look at these frameworks, as we look at anything we look at, we have got to really figure out what we want to do. What structure do we want to have because if we just say that this regulation or this regulation or this regulation I mean we saw it the other day and this industry does a pitiful job of turning that into other subjects like transparency or compliance or other things, and so continuing to go down and then come back up and just making sure we work it from all views is really going to be important because remember this is the learned group in the room here and it is a much different group out there that is actually playing the game day in and day out and that really gets delivered to us regularly through some of these standards discussions as to who is really in the game and who really understands.

So, that is something to keep in mind so we don’t get too focused on one word and we continually remind ourselves where we are going.

DR. COHN: I am going to make a comment or two and I see Paul is also raising his hand. It is not going to be so much on what you were just describing but I think what I am sort of looking at is just sort of recognizing you know we talked about, we started out talking about framing pieces and now we are talking about guidance.

The other piece we need to be talking about is what I would describe as tools to minimize risk and I think we are beginning to put our arms on some of them. I mean some of them are regulation versus legislation. I am struck and I think John sort of commented and I only mention this as one dimension but there is the you know some things are okay; some things opt out; some things opt in. It may not be a black or white for everything but we are beginning to talk about that.

I would also put the dimension that if at the end of the day there is, you know and obviously there is also this concept of transparency which I tend to consider to be a tool that relates to education but at the end of the day the more you understand the better off you are even though we all agree that as Mark commented that what has gone on so far has not been exactly, it is maybe more of a paper exercise probably in transparency than real transparency.

There is also the issue of now versus the near future versus the distant future because in a sense here we are also dealing with an issue and once again I am just laying out framing pieces here which I think going back to some of the pieces that Justine was showing up on the screen is that we are talking about trust in people and remember we are being asked in some ways to talk about these environments in the world as we move more and more to the NHIN and right now we are in an environment where other than a very, very few places and I am actually looking across the table, one of them probably Indiana you know if you are going to get trust one of the elements of trust is time and you don’t show up on the scene in one day and suddenly have a great deal of trust.

You earn trust with repeated acts showing that you are doing the right thing and I think one of the things that we also saw in all of our testimony is that sort of being around for a while and showing over and over again that you were trying to do the right thing even if you are not perfect earns you a fair amount of trust in the environment and so I guess what I am describing is sort of an environment where yes, it is now; yes, it is 5 years from now; yes, it is 10 years from now but we need to be able to create a little bit of fluidity in terms of whatever we are doing to recognize all of these tools and of course we don’t even know yet, we haven’t even talked much yet about security tools to see if they have any part in all this but obviously we are primarily talking about policy at this point.

So, I just want to bring up all the tools we have at our disposal to play with here as well as the dimensions. This is just not I think as any of us described as black and white.

Now, Paul had a comment. I see Kevin had a comment and we will let others comment.

DR. TANG: I think you are obviously right about the track record that is established to earn the trust of the community. I think the reason this Committee and other efforts were started was because people were starting to see, well, that is too harsh.

There is a track record being established of misuse of data only it is below the surface and so I think transparency could work very well in that regard because there are egregious violations that are happening amongst parties that I hope neither party would be proud of were it to see the light of day and so that is why I think that transparency would be such a potent force in helping to start having people have a better sense of conscience on what they do with confidential health information and that is a softer more error correcting way of moving it forward and in some sense that establishes a track record of responsible behavior rather than accidentally some of these behaviors coming to light.

So, I am agreeing with you over the test of time. We have seen some positive examples. I think there is an undercurrent of some risky behaviors that should be at least threatened with the risk of exposure in the Sarbanes-Oxley way really so that it can start regulating itself and I think there is a good sense of conscience out there. There are some rogues that are not following that and if we could impose the societal conscience on that that is sort of the point.

DR. VIGILANTE: I just want to go back to something Mark said and I disagree with Mark with always great trepidation.

DR. COHN: Which Mark do you disagree with?

DR. VIGILANTE: Actually both of them, and I never disagree with either of them. I mean they are both smarter than I am, but Mark said that there is transparency today and that so I think in this particular case — you didn’t say that? Okay.

So, what I thought I heard is that there is transparency today or some measure of it through HIPAA but in fact you know there is no transparency around the potential for your data to ultimately be sold sometime in the future to parties yet unknown and so I do think that that is an area where it is very opaque instead of transparent.

I just want to comment on the term “education” on this issue. You know education can mean a lot of things and I after a long professional career of trying to get patients to remember which is the good cholesterol and which is the bad cholesterol. I have a very realistic view I think of how much you can really penetrate and retain over a long period of time and something as arcane and nuanced and frankly inconsequential to the daily life of most people as this I have a very limited expectation about what an educational campaign will achieve from the consumer perspective.

I do, however, think that telling somebody what you intend to do with their information at that moment that you are interacting even if they interact with them about future use that may be construed as education perhaps but I see it more as an act of transparency for which I don’t think it is adequate for the types of uses about which we are talking.

DR. COHN: Justine has been remarkably quiet throughout this whole conversation and so I am glad she is raising her hand now.

DR. CARR: It is hard for me to think and talk at the same time. So, I have been thinking but two things about the transparency. I think it is worth noting there is active and there is passive transparency and maybe that is what you just said and I don’t think we have been involved in active, and I think again to John Lumpkin’s point we think of transparency of where is the data going but not a lot about what is the community good and then the other thing is trust was such a profound theme in our first 2 or 3 days of hearings and as we look at the framework I guess it doesn’t say anything about trust. I guess maybe it assumes that if all these things happen trust happens but I am just struck by the fact that the important, the success rate of communities with trust and the need for a consistent building of trust with a good track record, maybe the track record comes through transparency but I just wanted to raise that of how do we incorporate the trust piece into this because that was the thing that we hear in so many of the successful stories.

DR. COHN: I guess I have a simple solution and I will leave it to Harry as he may have some additional comments but actually I thought it was a trust framework.

DR. CARR: Okay.

DR. COHN: So, maybe we just entitled the title because I don’t trust is not a single dimension. It is a summation of a lot of elements.

DR. CARR: I think it is important to get it in there.

DR. COHN: Harry and then Paul.

DR. TANG: I think in some sense, well, actually I think it is borne out by surveys that patients trust their doctors. I think we have it to lose and it is that the doctors don’t have on their shingle reseller of data but if they were to find out that is what does happen I think we will lose something we already had. So, that is sort of an important piece.

Do you go try to regulate what doctors do now with their data or do you try to stop something bad from happening which is Mark’s point so that you lose the trust?

Mark had to go gain trust for a new thing. What patients go to doctors for and expect to happen with their data is an old established thing. We just have to prevent the new bad thing.

DR. COHN: Do you think it impacts the framework at all? I don’t think it does.

DR. TANG: It is interesting because you start from a very, so remember when we were talking about education?

DR. COHN: Yes.

DR. TANG: We are not having to educate them what do we do with their data. We have to make sure that bad things don’t happen that they don’t expect which is a different starting point and I think it is part of the education process.

DR. COHN: Okay, good point.

Harry?

MR. REYNOLDS: It is interesting as you watch how other things have gained trust, you take Internet purchasing an incredible number of people use that with all the dangers of the Internet that you also hear and everything else as soon as that one screen comes up and says that you are going into a secure network we buy stuff. So, the same public that we are talking about here and talking about gaining trust somehow that happens and it is not adopted by everybody but it sure is getting a groundswell.

The second reason we talked a little bit about the Sarbanes only as a structure is you don’t see nearly as much fear out there now about whether executives or companies or anybody else is doing anything because those kind of things are in place. I am not for or against them but as we think of transparency these are industries, these are situations where trust is now occurring and people are getting involved and so trying to figure out how over time we do something like that because talking to each person about all the different things that might happen to their data ongoing is just like talking to somebody about everything that would happen in the Internet if you buy something through a secured network.

So, I mean people are doing it and they bought in and have actually done it with consent and so it is a thought. It is not a recommendation. It is how do we harness that same thinking to do it.

DR. VIGILANTE: Physician trust can clearly be eroded. I talked a little bit about this in the last session and this physician model of trust that David Cohme and others have constructed where trust has three components in that model and there is actually a validated survey tool that they have used to explore this and it is agency, whose side are you on, mine or the insurance company’s or somebody else’s? Are you competent to do what you say you can do? Technically are you competent and thirdly, do you have an interpersonal interaction with me that is suggested that engenders trust; is it condescending or not; is it transparent? Can you give me the time and the explanations that I need to make judgments, and based on how physicians fall in those categories they will actually have higher or lower trust ratings and so it is clear that this is something that is developed over time in virtue of a relationship but it is something that is not absolute that can be increased or decreased based on how you behave as an agent of that patient.

DR. COHN: Paul, I am going to let you make the last comment and then we are going to transition into sort of next steps.

DR. TANG: Harry, a thought occurred to me that I think could be a framing model. Sarbanes-Oxley is an interesting parallel for us because businesses were run. The consumer public assumed that there is an SEC; there are all kinds of these regulatory bodies. So, I am sure that they do things on the up and up and lo and behold there is all this lying that can go on underneath that you had no idea, you had no anticipation that would happen.

So, when it got blown up what we did is came back and said, “You know what you are going to take personal accountability.” We didn’t say that you are going to do this. Here are the other 500 pages of rules. We said, “There are certain business ethics you have to follow. Now, I am going to make you sign your personal name to it.”

So, instead of giving the 500 new pages of rules to whatever health care people who generate data and use it let us just give, it goes back to transparency and personal accountability, and what Harry said was and all of a sudden we are sort of our fears are allayed; we now invest in the stock market again, blah, blah, blah, but I think there may be a model. One is how they lost it because there was a certain trust in the system, because they thought there was this SEC just to pick on a name and we have done that. It went awry and we came back in and said, “Okay, we are going to ask you for sort of personal accountability for the existing rules not create a whole new set of rules.”

That may be what we are trying to do in simplicity and that is the posting thing. You are now accountable for that in a different way. We aren’t going to describe the 100 new uses you didn’t think of that happen now under NHIN. We are just going to change the accountability and transparency model.

DR. LOONSK: I just wanted to add and it may be under the accountability access that Paul is mentioning but that when you look at the consumers that participate in sharing that when they have a choice choose to allow their information to be shared, it is an access that goes somewhat beyond trust and optionality is a factor here that relates to trust but is not completely explicable through trust and in some respects there seems to be a fair amount of evidence showing that on accountability access that consumers may choose to when given the choice have engendered either whether it is trust or just willingness or acquiescence and I think it is an important consideration here because it goes to the issue of understandability and what they are understanding they are opting into in a huge way but the evidence does show that patients have very much a desire to have a choice but when they do have that choice they frequently exercise it in ways that you wouldn’t necessarily expect in terms of the freedom with which they are allowing their information to be managed.

DR. DEERING: When we talked about risk communication yesterday, actually, Kevin, the third aspect of that has always been control. The sense of risk and outrage is also linked to a sense of control, and I think the word “control” is behind it and all this communication and all these mitigation situations it is how much control does the individual feel that they have.

DR. COHN: Now, we have not come up with an answer nor will we in the next hour because we are only going to go for another eight minutes and we will stop anyway. I do want to remind Mark Rothstein that actually we do end on time but this clock is about five minutes fast. So, I do want to give him a deep breath and he will make his 1 p.m. flight at BWI.

I think what we have done is actually I mean this last bit of conversation I think has been extremely useful in terms of moving from the sort of high-level framing into what exactly are we talking about here and what exactly are we going to do.

I am actually seeing a number of options that I think we will let Margaret begin to sort of play with because I think what is like this sliding scale I think we are going to see a variety of things sort of down on paper that we will have a chance to reflect on and sort of see what elements make sense put together or whether we even have the right ones.

Now, we obviously have a conference call on August 14, and I think a lot of that conference call is going to be further a conversation about recommendations and reflection. I do know, Paul, that at least this moment you are not available. So, we will have to find some way for Margaret to get information to you or from you in advance or around it or whatever and I do apologize but trying to get everybody together is not an everyday activity.

Obviously I do want you to look at the other recommendations. Obviously No. 1, I agree with you. I mean going into 1 is absolutely the right thing to do. I don’t think anybody is going to get upset about a communications recommendation. It was Mark who commented that we have seen those a number of times before but this actually is an opportunity.

Remember we are a Committee that has a history and I think what we want to do is we want to integrate previous recommendations that are applicable that make sense into this thing.

We certainly do not want to take a 90-degree turn from previous recommendations but sometimes the context is different. Sometimes it is easy to do legislation. Yes, that is right but yes, we can also do regulation that will move us in a direction that would be helpful and I want you to think about those recognizing that these are sort of different tiers of recommendations, but I do think you need to look at the remaining recommendations. Margaret I know would appreciate any edits, comments or otherwise. She is going to be doing thinking, reviewing the testimony, reviewing her notes from our comments, beginning to hopefully come up with something for a much more substantial conversation which will of course continue into later August.

Now, we talked about the agenda for August. We know we have a lot of presenters. As I said my intent is to try to finish by 12 noon on that Friday. This is one where if we start getting a lot of additional speakers we may wind up going a little longer which is fine but I would just have you hold the return a little loose in your thinking for the moment but the desire is to get everybody out by 12 noon, but certainly if you see holes and I think for example Kevin identified a hole and I mean he felt this person from New Jersey or Princeton would be a valuable presenter. So, I think we should have that person. Jerry Paltry had a conversation about Sarbanes-Oxley. I mean we sort of know Sarbanes-Oxley. So, maybe we don’t need a briefing on it, but you know there are probably valuable lessons or approaches that may be helpful as we think once again about tools and I consider that to be one of those sort of tools. I mean we are identifying. We know there are risks out there. There is discomfort and that may be a piece of a tool that may be helpful for us and I think one has to recognize that Sarbanes-Oxley in health care is optional at least as I understand it though of course a lot of health care entities are voluntarily deciding to comply, but it is just something to be aware of.

Yes?

DR. JACKSON: Just a reminder that the August 23, 24 meeting is at the Humphrey Building and take advantage of the written testimony. We had two items that were submitted for this meeting and if we get them early enough we can identify them on the agenda and make sure everyone at least knows they are available and use it as a way to get information.

DR. COHN: Yes. Now, one thing I would also like people to take a particular look at and we do want a comment, I mean we have identified that there is this sort of overlap between research and quality. Now, as I said and I have said this before and I feel a little funny mentioning it only because Group Health has a distant sort of cousin relationship with Kaiser Permanente. So, obviously I will disclose that. You all sort of know it but they have an interesting three by three table that talks about research versus quality and once again we can see at a high level saying that HHS ought to figure out with research how to clarify between operations and quality, between operations and research and quality and research or we can, you know if something like that makes sense we can actually suggest that sort of a framework or something like it.

So, I don’t know if it is right or not. I think there is an attractiveness that while it doesn’t solve all problems at least it has the offering of reducing the ambiguity that we were and you know the sort of fuzziness that we seemed to be hearing out there and so I would just have you take a hard look at that.

That is obviously not verbal testimony. It was written testimony. There may be another hundred of those like that out there. I just don’t happen to know about them but once again your feedback on that would also be very helpful.

Now, any final comments before we adjourn? Any things that need to be done before the call on August 14 for our next hearings?

PARTICIPANT: Paul is going to be working on recommendations.

DR. COHN: Yes, I think we are going to try to move down further into them which is obviously why we want to get your input as we begin to sort of draft out some of the, at least the options and the frameworks as well as obviously looking at the other recommendations.

Okay, with that keeping my promise to Mark Rothstein the meeting is adjourned.

Thank you.

(Thereupon, at 11 a.m., the meeting was adjourned.)