[This Transcript is Unedited]

Department of Health and Human Services

Meeting of
National Committee on Vital and Health Statistics

Subcommittee on Privacy, Confidentiality & Security

November 16, 2011

Holiday Inn Rosslyn at Key Bridge
1900 N Fort Meyer Drive
Arlington, Virginia

Proceedings by:
CASET Associates, Ltd.
Fairfax, Virginia 22030
(703) 266-8402

P R O C E E D I N G S (5:05 p.m.)

Agenda Item: Welcome

DR. FRANCIS: Linda Kloss and I are co-chairs of Privacy, Confidentiality and Security. Maya Bernstein is lead staff. She has done yeoperson’s service. We are looking at what we have done in the past and where we want to go. Hopefully, in ways that actually will link us up to the next steps.

DR. BERNSTEIN: There are a lot of slides. I am not going to talk about all of them. What we did was make a summary of where the committee has been with the idea that at the end we will have a conversation about what we should do next. We are kind of at the end of a big project.

We are thinking about what we should do next with the subcommittee and how we should best spend our time. Linda made this nice summary of what it is I am about to talk about, which is over the last six years the kind of work that the committee has been doing.

Going back to 2005, which is basically the beginning of my tenure, in February 2005, there were these series of hearings having to do with privacy and health IT. We came up with this major letter that came out in January ‘06. These are some of the themes that came out of the hearings that ended up in this home. Kind of a seminal letter from which we branched off and did other things. We picked up pieces of that letter and delved into them a little bit more. This was in June 2006. Here are some of the key recommendations.

The provider should decide how they are going to store information. Individuals should have some control over how their data is going to be used over NHIN and whether they are going to participate in the sharing electronically. Treatment should not be conditioned on participation, and some of the basic things that we know about now. We mentioned role based access criteria and contractual access criteria. We are going to come back to that.

This one that keeps coming up, which I have in yellow because it is kind of a seminal thing, is that we should apply privacy rules to any custodian of health data anywhere. It came up again today actually, not just in the health industry. We have not decided exactly what that means. We have not delved into that one some more but people have been talking about it.

Here are some other ones. State variations, strong enforcement, compensation systems, and so forth. Then there were specific things that we asked HHS to do. Some of these we have done, like funding certain kinds of research. Some of these we have done more work on. Harmonizing rules with HIPAA and trying to get a high compliance without excessive cost. Some of these are difficult and long term, but these are things that we directed recommendations specifically to the Secretary, as opposed to the more general ones that go towards industry. We moved on from there.

We particularly delved into the questions of non-covered entities. We talked again today about how HIPAA is actually quite narrow. It covers who it covers. It does not cover anyone else. We had a series of three hearings with many witnesses on well, who is it in the healthcare industry, we are still focused on the healthcare industries that are not covered even though they are in the health industry. We are not talking about bankers, although we did have financial leaders and financial institutions. We were talking about different kinds of people that you might think about during health. Like life insurers, long term care insurers, employers that are providing health in the workplace, school nurses, and people like that.

We did go onto financial institutions who are giving people loans to fund medical stuff. You pay your oncologist with your credit card; it is on your record.

We talked in particular about certain types of health care providers that are not covered either because they are taking cash only or they are not doing electronic transactions, or so forth. We discovered that there are many things that are not protected by any law.

From that we made an extension essentially of that main letter saying that, maybe the right word is reinvigorating our recommendation, that any entity that creates, compiles, stores, or transmits personally identifiable information should be covered by some federal law.

We went on to talk about the conflict between FERPA and HIPAA. I am on slide 11. One of the things we identified in particular with school nurses, who came to talk to us, was that when FERPA, that is the Family Educational Rights and Privacy Act that covers educational records was created, they were not really thinking about the fact that schools are really like a public health entity. They have school nurses and so forth. The school nurses actually said, we would rather be regulated by HIPAA because it fits us, rather than FERPA which does not really fit us.

We talked about problems with immunizations and problems with things like identifying kids who have autism. That happened more often by being observed in schools. We talked about the difficulties sharing information back and forth between providers and schools with immunizations.

We made some recommendations that HHS should work with the Department of Education to improve HIPAA for disclosure and the guidance that is available. In fact they did publish guidance partly based on our recommendations in November of ‘08. That guidance you can find on the web site now.

We had a panel on studying the privacy rule and talking about baselines and how you might study the effectiveness of HIPAA. We did not do much of anything with that but it is there if you want to look for some of those hearings.

We spent a lot of time on thinking about sensitive health records, more than once. This was the first round. It stretched over several years. We had some additional hearings. We brought in more experts in specialty care, in general practitioners, emergency care practitioners, and other entities that were already experienced with various kinds of consumer controls over particular types of records.

It did not exactly come out this way, but sometimes I think of it as lawyers versus doctors. It actually did not work out that way. We had doctors on both sides of the case. The way I think of it is doctors want to heal people. They want to do well and want to fix people. They want all the information that they can get that will help them along with their patients, make good decisions and get good results.

Lawyers think that people have rights. Sometimes people have the right to make bad choices and as a result have bad outcomes. Doctors do not like that very much. Lawyers do not like the idea that we should tell people what to do with their records. So, we have these kinds of important ethical deeply felt conflicts that we are trying to work out.

There were some basic themes in that. That if patients do not have some control you have a reduction in trust. Then we have a public health problem because people will not tell you information that will improve their health because they do not have trust. On the other hand, if you do not have the information you cannot help them.

We struggle with these themes a lot. We did eventually come out with a letter after a lot of hard work with the committee, and discussions among the members of the committee, which I think everybody by now is familiar with.

We then extended that in the area of personal health records. The themes that we had done in the basic health IT letter in June ‘06 and the sensitive health information we extended to the concept of personal health records. We had three more hearings about that with different kinds of purveyors of different models for personal health records. We heard some similar and some different themes about what happens in the area of personal health records.

A lot of that was we need standards for this. There is a kind of a wild-west out there. The ones that are tethered to existing covered entities are one thing. If they are tethered they have rules and they tend to follow the covered entities but there are other entities that are independent and are offering personal health records. I think there was a feeling of some members of the committee in particular, that this is an area where we are kind of out of control. We do not know what is happening there and the market place is completely unregulated and maybe people are getting misled or misinformed about what is really happening with their information. We talked about the importance of protecting consumers and the importance of educating them about what is happening.

The committee produced a letter in September of ’09, with some major recommendations about how we think the world should work when it comes to personal health records. What the interaction should be with consumers when it comes to personal health records if they signed up. What they should be told. How their information should move around. How they can withdraw or move to another purveyor of a different PHR. That they should be able to take their information with them. They should be able to close it down, and so forth.

We talked about some kind of privacy and security regulations in that area, which still have not happened so much. We also talked about standards coming from the areas where we have certain expertise.

We went back and revisited sensitive information and tried to be more explicit. We made some general recommendations early on, now we are going to make some more particular recommendations. Recommendations about exactly what we meant when we said that we should have categories of sensitive information that should be treated specially. We heard from people who were experts in genetic information, mental health. For the first time we heard from people about children and adolescent records.

We identified in particular, that there were certain areas that were now in law that identified kinds of categories that you might consider like-sensitive information. One of them is psychotherapy notes. One of them is the Part 2 data on substance abuse and treatment records. One of them is that odd provision in the HITECH Act that says if you pay cash for a service to your provider and you ask your provider not to share with your plan, then your provider is supposed to abide by that. That is the kind of self-identified by you paying in cash, type of sensitive information.

Each of these is established in law already and there are also state laws that establish different kinds of things that the states consider to be sensitive records. We recognize those. We also, in our recommendations, expanded on those and said, aside from the ones that are in law there are more general categories of mental health more broadly. There are these areas where the entire record might be sensitive. For celebrities for example, for people who come in with gunshot wounds or for children in some cases or domestic violence victims. We made recommendations about those things.

We are up to what we have been talking about today, which is the project with the population subcommittee and the workshops that we did. We are now to the report which we have been discussing today.

I think when we think about the committee or the work of the Privacy, Confidentiality and Security Subcommittee, we have certain stakeholders who are interested in us. Our job is to make recommendations as a committee to the Secretary. We are well aware that if the Secretary does not act on our recommendations, industry is watching what we do. Some of them occasionally show up in the room to watch what we do. They do take our recommendations and some of them run with them, whether or not the Secretary actually does something with them.

So, we do not have just patients, providers, plans, the regulated entities of HIPAA, policy makers and regulators, but also vendors of products and other kinds of industry participants, exchanges and other new business models that were not even contemplated at the time of HIPAA, and so forth.

We have certain kinds of themes. I think more of them are going to come out about the kinds of work that we do. We think about patient control and the importance of trust, education, and about not wanting to impede innovation of people who are developing new products and services for us as consumers, as providers, as plans, as the department, and so forth. The expansion of these health information for other, which are not particularly the health industry.

Other committee work has happened that is quite relevant and did not necessarily come out of privacy like the secondary uses discussion. For me, that is very much a privacy issue. What happens with information that is used for something other than what it is collected for. Now we are talking again, secondary uses in the community, secondary uses in all different kinds of ways for research, and so forth.

The hot topic is Web 2.0 and moving to the cloud. I think of exchanges as the cloud really. For me, something that is interesting is the fact that in privacy, where in many contexts rules follow the data around. The rules associated with a particular kind of data are the rules associated with that data no matter where it moves, but in the privacy world it is often the case that the rules follow the custodian. For example if I’m CMS and I move data to FDA, FDA is no longer covered by HIPAA, where CMS is. If I move data then to the state, that same data might or might not be covered at the state level depending on where the state is. If it is the state Medicaid entity it is likely to be covered. If it is a public health entity it might or might not. Depending on where the data moves, the very same data may be covered by different rules depending on who is holding it at that moment. That is an odd thing. It may not be unique to privacy, but it is unusual.

I think the other thing that we heard some of during earlier hearings was we did go out and heard what was happening in Canada, England, Australia and Denmark. We have not done that in a while, but I think it might behoove us to look again and keep track of what is happening internationally.

Now we get to what are the major areas. Linda, Leslie and I, talked about major areas that we might find fruitful that are jumping off of things we have done before or things that are hot topics right now in industries.

One of them is this idea that we have talked about and made recommendations on which, is the amount of health information that it is not currently regulated by the health industry or by us, things that are being used in non-health context that is health information, that could be employment, insurance, financial. It could be many other sectors. Secondary uses of data, data that starts as health data of some sort or another, and moves around whether in a health context or otherwise.

DR. COHEN: Sorry to interrupt. When you are talking about identifiable health data, are you talking about data held by health departments if they are non-covered entities?

DR. BERNSTEIN: When I talk about the health industry, yes. I am talking about partly it could be statistical information, so health information. It could be registries. It could be vital records. It could be non-covered providers. It could be medical spas. It could be the test you pick up at the CVS to see whether your kid is using drugs and you send it off to Illinois somewhere. There are a lot of things that are health information, and you think of them as health industry labs and are identifiable, but it is not particular to EHRs or medical records traditionally.

Then there is the non-health industry. Some of that I gave examples of before. If I pay my oncologist with my credit card, they know at the bank that I am a cancer patient, or they are going to presume I am a cancer patient, or somebody in my family is.

You have other things, employment. When your employer is either self-insured or paying for insurance or knows something. For example your ADA request. They know something about your health. There are many places where health information appears and it is not in a medical record. Sometimes it is regulated and sometimes it is not.

So secondary uses, there are a lot of different contexts in which the data moves from place to place. Then it is used for something that it was not originally collected for. Sometimes that is a really good thing and sometimes the data is not appropriate to be used the way it is being used. So you get less than stellar results if you have data that was not originally collected for the purpose that it was not designed for. People can be making inferences from something that might not be appropriate to that data in some cases, in other cases it is perfectly appropriate.

Another area would be enforcement, recourse. What do you do when something bad happens essentially? What do we base what are the appropriate results on in those cases?

Leslie gave me some notes about what happens in medical circuits. So you have for example, with GINA, you have a prohibition on employment information but it is not a very easy thing to prove. It is difficult. You have a situation where discrimination has already happened, so something bad has already happened and now somebody is trying to fix it after the fact. Prevention would be better but it is also difficult. So, are these issues that we want to take up or at least are hot at the moment in ethical/medical circles?

You have the whole area of new business arrangements, things that were not contemplated at the time of HIPAA. Vaguely they contemplated NHIN, but, the kind of exchanges we have now, maybe somebody would have thought to make them a covered entity, if anyone had thought that there would be such a thing as a business arrangement that looked like that.

In 1996, when they were creating the law, all the types of business entities that were arising, personal health records for example are another one, they were just not contemplated. The web, the cloud, all those types of things were not contemplated at the time of the creation of the legislation.

I mentioned international ideas. What are other nations doing and can we learn from their experience? The de-identified data is a really hot topic. Some of us have been involved in certain workshops about that.

The department is now pushing a lot of data out the door because the President wants to make public a lot of data. We think on the whole that is a good thing to make more data available to the public. We tend to think of each database, or each dataset, or each project that we do alone, is that data by itself identifiable and can anybody do anything with that data.

People are not really thinking about what happens if I put 100 of these kinds of datasets out there and people start looking at them together. There is a kind of mosaic effect where you can re-identify information one to the other.

That is kind of a hot topic in math circles and other folks who think about de-identification. The idea, for example, if you take out the 18 identifiers from HIPAA, under HIPAA what is a de-identified dataset, it completely falls outside the rule. It is just not covered by HIPAA anymore. You can do anything with it including re-identify that information at will, which I think is the loophole in the law. It is easier to do that nowadays. People are developing the math and the skills to do that kind of a thing. Sometimes for good purposes and sometimes for not so good purposes.

Governance is a hot topic. Surveillance systems, so we think about Sentinel or biosensors as the top two that we think about.

Here we are talking about could we extend what we are about to do with the community health data report and how should we extend that. What kinds of ways could we extend that? Could we cobble together or put together more formally some kind of best practices? Not just for privacy but for other things such as collection of data or other uses that are not in that report. Could we extend that?

I mentioned GINA. I put public health emergencies on there, the other day, because I happened to have a conversation with an admiral who is working in ASPR, the emergency preparedness office at HHS. She was talking about the problem of the postal service with respect to getting your antibiotic in the case of a public health emergency. It was like, how are you going to get your antibiotic. Well, the postal service is going to deliver it to you. And how is that going to happen? The postal service has to deliver it. First of all, the postal worker, who is your letter carrier, has to take the drug first, before they can go out there in the public and be exposed. They have to keep track of who are the postal workers, who are the letter carriers. Also, what drug interactions or contraindications might they have for their own health and who is going to keep that data and how are we going to keep track of that. So there is a privacy issue there, along with the emergency problem there, which I have never even contemplated, which is kind of amusing.

There are other issues that come across too. Then breach notification is a hot topic. I think the remedies for breach and the way we do breach notification is kind of silly. That is my personal opinion and not that of the department. I am not that interested in breach notification but it is a hot topic. Everybody thinks that is the fix for everything. If we just tell people that their data was breached then everything is okay. Well, no, not really.

We go out there with credit monitoring. We give them credit monitoring for a year. Most studies show that what happens is really people sit on your data for more than a year and then use it. You never know and then you have problems later. Credit monitoring shifts the burden to the consumer. It is just not a very good solution. There have to be better ways to do this than notifying people that bad things happened.

Then we have the ultimate issue of the creation of a unique patient ID, which is required in the law and forbidden – it is forbidden for us to finalize one. We were very, very careful by the way, in the HIPAA report to look specifically at the appropriations language. I think in this group we sort of consider that we are not allowed to talk about it. But it is not true. We are not allowed to finalize a standard without congressional action. I don’t know if Marjorie would disagree, or Jim who tends to be a little risk averse might think it is playing with fire to even talk about it or make recommendations for it, but in fact we could do that. We could spend money to do that. We can’t finalize a standard, is what the law says, without congressional action. I do not think there is any reason we could not study it and make recommendations about it.

Jim has said in the past that we should not spend money to do that because the committee would be spending money, but I think you could read the statute differently than that.

MS. GREENBERG: It came up yesterday at the NAHDO meeting.

DR. BERNSTEIN: There you go. So this is sort of a long standing thing that a lot of people think would be worthwhile and that we have been avoiding talking about.

Anyway, that is kind of a list just to jog everybody’s interest and to get you thinking about what the possibilities are for where the committee might go. It would be great if you had other ideas or added to them or wanted to jump off from here. I do not know if Leslie or Linda wanted to add anything to that that I skipped over or forgot. I have been talking too long. I would rather you all talk.

MS. KLOSS: Thank you, Maya, for putting this together. For me, it was very helpful as a new member of the committee, to step back and walk through it.

It occurred to me that as you look at the chronology, sort of the task of the subcommittee has changed. In the earlier years it was staying one step ahead of the needs to roll out HIPAA. With HITECH, the focus specifically on the EHR and the HIE, has been carried out by ONC, a little bit more, I think freeing up the subcommittee to step back if you will, and look at the big picture. That is what we were trying to do when we put together the potential areas of inquiry.

We stopped short of doing any prioritization. We are really happy to have the Population Subcommittee here because I think it enriches the discussion, to have some discussion around the potential inquiry areas and see if we can’t knock some out or add some. We do not feel compelled to lock in a plan at this meeting because it is 5:20, it has been a very long day.

To start the discussion about where the subcommittee goes next, with the hope of over the next couple meetings, to get some ideas together that might be road mapped for the committee in 2012-2013. I think that is kind of our goal. We have a plan of action as a Subcommittee on Privacy, Confidentiality and Security.

DR. FRANCIS: Maybe a way to think about this would be three areas where we could be jumping off from.

One area where we could be jumping off from is the CHIP Report and all of the secondary uses questions.

A second jumping off actually, could be the HIPAA ten year report. With at least two of the kinds of questions that ONC is not talking about are expanding HIPAA coverage, so the whole non-covered entity issue, and enforcement.

I was just sitting here thinking as you looked at the enforcement point there is a bit in the HITECH Act about sharing damages. Nobody has said anything about that at all. But the department is supposed to develop a methodology to share fines with victims. Nobody has thought about that one at all. I do not know whether the department is or not, or whether we could find out or whatever.

DR. BERNSTEIN: I can find out, I just did not.

DR. FRANCIS: Those were two areas making HIPAA bigger and enforcing what we have got, are some areas that seem to be jump offs from the HIPAA report.

And then the third is, I guess it is in some ways related to CHIP, but it is also how we help the department with some of the kinds of initiatives that Jim was talking about earlier today, the release of data in particular.

Also he raised and did not say much more about genetic information, but that is somewhat linked into the whole area of de-identification. That is all I have to say.

DR. SUAREZ: One thing we can do is go around the table and see what other top three items are. I was thinking about my top three or four items.

The first one that came to mind is consumers and trust. Having a concerted effort to analyze and understand and unravel the status of where consumer education is regarding privacy of health information and the effect that process had on consumers. Whether it has gained or what the effect on trust is with respect to consumers trusting the system for health information.

I know that OCR for example, has been doing consumer education quite a bit. I do not know that anybody has heard about any of that work. Clearly, it is an opportunity to hear from someone like OCR about that. Anyway, that is one big area, consumers and trust, including consumer education.

Another area is advanced issues. I think that cloud computing, the health 2.0, the mobile health, all these are areas that provide unique elements on the privacy and security front. That is one field that I thought it would be helpful.

We heard a couple of things important yesterday at the NAHDO meeting from state health data organizations. One big one that continues to be a problem is that whole de-identification and re-identification of data for data analysis. There is clearly the need to develop further guidance and sort of the best practices and a resource to perform and to conduct de-identification and re-identification in a consistent manner and in a way that allows for data analysis is something they kept bringing back.

Then the other one that they mentioned was a very difficult one but it is an important one, it is identity management. The two main identifiers, they are concerned of course, they are provider identification and provider identification across systems. We have an NPI, and yesterday someone said, wouldn’t it be great if we had unique provider identifications. I thought we had one. But it does not seem to be working. So there is a problem. Actually that comes out of the HIPAA report.

The other one is clearly the patient identifier that continues to be a limiting issue, a big issue, concern on the one side the ability to have one and then the complexity that it creates and the other hand the concerns about privacy and all those things. Those were my four topics I thought would be great to focus on.

DR. COHEN: Here are mine. They are not that dissimilar from Walter’s, but a slightly different cast for me. The HIPAA privacy standard relates to individual data. But everybody thinks about aggregate data. We need a privacy standard for aggregated data the way HIPAA has been a privacy standard for individuals.

That is essentially what public health entities are grappling with when they release small area data. Numerator based/denominator based combination, numerator/denominator rules and particularly with implementing web based query systems and all the data that are available.

MS. KLOSS: As you are thinking about that, would that cover the situation then of guidance for linking databases, for merging databases.

DR. COHEN: Linking data bases, yes and no. Linking databases is a function usually of linking individual records unless you are linking individual records to aggregated data. It is after you do that.

That actually brings up a good point. You were talking about making HIPAA bigger. I would like to make it smaller. I think there is enormous misconception out there that using the HIPAA de-identification standard works. One size fits all.

People are falsely comforted by the fact that they have eliminated these 18 identifiers. Of course, when you begin data linkage there are so many ways to cross cut data. HIPAA obviously does not work. I think there is an over reliance on HIPAA and an assumption that the HIPAA standard actually de-identifies and works to protect privacy and confidentiality.

Maya brought up a great point about dealing with the inconsistency between covered and non-covered entities. I see that all the time. If we are having EHRs sending information to populate surveillance systems in public health departments, usually the surveillance systems are not covered, but the source of the data is covered. It makes it tough to do business when you have such different definitions. That is the false sense of security. The inconsistencies between the covered and non-covered, and data release standards for aggregate data, which is something that is implied but never I think explicitly defined.

MS. KLOSS: Paul, did you want to make a comment about what Bruce was talking about? Otherwise I think Jack, has a list.

DR. TANG: Just testing whether you can hear me. Yes, can I get on the list?

DR. BURKE: I am intrigued by the notion of extending the rules beyond covered entities. It picks up on what Bruce said. Too often, we find ourselves in a situation of following the rules, and in doing so revealing information to another entity, despite the business associate agreement that is not covered by the same protections.

It requires a tremendous amount of careful wording in a notice of privacy practices. It requires an incredible amount of analysis before we do it because we have an uneven playing field when we release information to an entity that is not subject to the same rules that we are.

We are careful about disclosing but we do not always find ourselves in a situation where we think we have competent hands.

DR. HORNBROOK: We have been talking about data uses for research, for business and also public health, but we haven’t talked about the Food and Drug Administration.

The Sentinel Network actually is going on right now where health plans with electronic medical records are scanning through those records looking for exposures to specific drugs that the FDA physicians have asked about. Then looking for specific adverse reactions or trolling for emerging signals that may indicate an adverse reaction.

They have developed some informatics algorithms for when you get a certain number of hits on some bad diagnosis, does that mean that maybe there is something going on related to the population that got the drug, versus the population that did not get the drug because they are always doing case control comparisons. This is not with any IRB approvals. It is straight through.

It is based on keeping the data locally inside the health plan before it goes out to the FDA; however, the FDA does require the data holders to be able to go into the person’s chart. When they do get involved with finding a very serious drug safety problem, they will want data out of the person’s chart. That includes of course Humana and United Healthcare. I am pretty sure they have samples of physicians that have agreed to participate in this as well as about 10 different HMOs.

None of us have ever heard of this. We have never had testimony about it. But it means use of people’s information for public health purposes that is seen as public health authorization for safety. You do not ask the patients whether they agree or not, you just use all the data.

DR. MAYS: I want to start with FERPA because the person that expressed to you the difficulty between FERPA and they think HIPAA is like a piece of cake in comparison, knew exactly what they were talking about.

One of the things happening is that HHS as well as state and local entities are increasing school health clinics. The problem is that the set of guidelines that FERPA sets for schools is so different than HIPAA. We really need to have these two in some way either meet or better information.

I cannot even begin to tell you the ways in which FERPA, I shouldn’t say it in a negative way but, the burden of FERPA is incredible when you are really trying to do the right thing. I think we would benefit the community very well. The places they are putting these school health clinics in are usually in the poor neighborhoods.

I want to go to the issue about these privacy standards for public data. One of the things that happened is that NIH has decided that if you have “X” amount of money for your grants, after that the data has to be public. There is no money to do it. We are getting in these catch-22s with IRBs having a lot of comment about what to do in terms of that data. Yet, we are trying to work with the communities to make that data useful.

The issues of privacy and confidentiality start to fall under the IRB as opposed to some other places. It would be very helpful to again bring that under one. The IRBs often do not know exactly what territory they should or shouldn’t be in and will really overstep their boundaries.

The biggest was for example the use of the data that had been collected for one purpose for American Indians and then got used for another purpose and the University got sued. So, we really do need something there.

The other is disasters. Having worked with Katrina, the issue of the law that the health issues come under which, at one point we were being told that things were under the Patriot Act. As people came in and actually did assessments. I mean I needed attorneys to help us. Because we were actually doing things like collecting information that we were giving to people on a jump drive to then take to their providers. We were told for example that we were not supposed to do that. We were told that even though we were not sure we were being covered under the Good Samaritan Act, who it is that we can give that information to even among our team. The issue of privacy and confidentiality and security in a disaster is really important for the people who are actually going and trying to do the work.

The other is the consumers and trust issue that Walter was talking about. I actually would like to see that also discussed very specifically in terms of vulnerable populations. Here in the department what they have to think about is the extent to which surveys are starting to drop in the extent to which people will participate, the cost.

I think some of that is that if we understood consumers’ perspective about trust and participating in these activities, we might be better off at getting a higher level of participation and a better quality of data, particularly around things like people’s income.

There are all these issues about why people do not give us income. They do not have to even be in a vulnerable population. I think having people understand what protection they have, where the data goes, et cetera, would be very useful.

DR. BERNSTEIN: I always am struck by my privacy colleague from the Census Bureau and they used to remind me that people are more willing to respond to survey questions about their sexual behavior than their income, which is amazing to me.

MS. MILAM: I, too, am interested in trust from a couple of different dimensions. I guess I should say exploring trust to figure out all of the different dimensions that it has.

From our prior reports we know that a privacy framework sits within it. We know a stewardship framework sits within it. When you review the reports I think we have in some ways really built out a lot of the different applications of those principles to the different domains of health.

We have done a lot with treatment and the HIPAA scenario. We have not done as much with population health. I think in our 2006 Stewardship Report, we gave specific examples of how the different elements of stewardship could be actualized in the treatment scenario.

We left population health for another day. When you think about the different domains of stewardship, de-identification is one of those domains. You talk about how to aggregate data appropriately that gets into de-identification.

Privacy messaging is part of it. The education or notice on the privacy side or a better word instead of education is informing the consumer. We need messaging and we need the best practices around data linkage.

To link data you need completely identifiable data that you are linking on the personal identifiers. How to do that in a privacy protective way when you have laws for substance abuse and mental health that do not allow your data submitters to submit that data, if you will. But there are some emerging best practices out there around data linkage.

As I see a lot of these questions sort of fit into these two frameworks we have as well as some other areas. I think we have done a lot of work that could be used to populate these frameworks and perhaps hold some hearings to fill out the rest of it. I do not think it would be a huge project.

The HIPAA report, I agree with Leslie too, has some interesting jumping off points. I recently got to know the chief privacy officer at a large global medical device company and was interested to learn how their salesmen accompany the surgeons into surgery. How they are not HIPAA covered providers and their exposure to the information is a required-by-law reporting to the FDA. Any other information they take with them is incidental to that FDA reporting. I found that really interesting.

I know that there are other very large areas of HIPAA that may not have been on the radar at the time that HIPAA was passed. I think there is interest there.

I think identity management is critical. We heard yesterday at NATO both in terms of having a unique and stable physician identifier as well as a patient identifier. I have Larry’s list. It is on his list too. Those were my big things.

Now let me cover Larry’s real quick if I might. He would like to extend the learning health system report. I think he means the CHIP report in terms of issues and solutions for confidentiality, security and privacy in terms of proper use and reuse of data. I think he is probably getting into notice consent issues.

Then, Maya, one of your issues, the new business arrangements. What is needed for community learning? The patient ideas, I already mentioned.

He also indicates to explore the missing infrastructure. The infrastructure that is noted in the CHIP report, a lot of it is focused on privacy and security. He is interested in figuring out what those other components are.

DR. FRANCIS: Paul are you on the line? Do you want to weigh in?

DR. BERNSTEIN: Speak more slowly, I think it might be easier for us to hear you. Sometimes the words are running together in this room.

DR. TANG: It is a simple request you have made before, but it just seems so much more pressing now than in the past when we made the first recommendations, which is comprehensive privacy legislation that does not have the non-covered entities missing. The reason is I would say close to 80 percent of the complications we are seeing from a privacy point of view, and all other kinds of extra rules, is because of that doughnut hole. The other is I think probably half of the cost of complying with privacy is caused by the doughnut hole.

DR. BERNSTEIN: I am just going to ask, can anyone in the room hear clearly what he is saying?

DR. FRANCIS: It is weird you hear separate sounds but they do not sound like words.

MS. KLOSS: I will try to paraphrase and then Paul, you can fill in the words that I missed. You said the priority might be to return to the concept of comprehensive privacy legislation, looking at it broadly enough so that if it were more comprehensive in view we would not have situations falling into the doughnut hole. It would lower the cost of managing privacy because of all the workarounds for the doughnut hole. Is that correct?

DR. BERNSTEIN: And the second point? Was that the whole thing? I thought Paul had two points. Paul, do you have another point?

DR. TANG: No. That was it.

DR. BERNSTEIN: Did we get through all the committee?

DR. SUAREZ: I have one additional one. I think we have a unique opportunity early next year to assist those that are a one measure issue for the industry.

That is a regulation related to accounting of disclosures. They have already received 435 comments, to be exact. They reported the vast majority expressing strong concerns around this access report. They have expressed their intent to reassess basically where they are and what they are going to be doing next. They do have to have something in place. They have to have a rule that addresses the provisions of the Affordable Care Act related to the expansion of accounting of disclosures. They are going to be seeking some input. In some ways informal input, but there might be an opportunity again to help provide some of that input. That is just one idea that I thought would be helpful.

First of all I think it is such a major problem and concern for the industry. Secondly, I think certainly as an advisor to the Secretary, we can help gather some of that feedback and provide some of the recommendations that they might be looking for, to assist in defining how they are going to approach this. That is just one specific topic that is very timely and it is very, very immediate.

DR. BERNSTEIN: One of those costly doughnut holes. It occurs to me that they already have 435 comments. I do not know the kind of work we do with another hearing, or do we add another ten people or whatever. They have a lot of input already. I am not saying we shouldn’t respond to that, but the way that this committee works, we might have a different way of approaching that problem than the normal way we do it.

DR. SUAREZ: They have a lot of input about what they propose. They do not have input about what might be alternatives.

DR. BERNSTEIN: So maybe what we do is look at those comments. They are all available to the public. Maybe we need a different way of coming up with recommendations for something like that. Are there specific deadlines for that?

DR. SUAREZ: No. The provisions in the Affordable Care Act do not set a deadline for starting to comply. Although the proposed rules, of course, define deadlines for compliance.

DR. BERNSTEIN: Well proposed. Yes.

DR. SUAREZ: The proposed deadline for compliance but they were not following the Affordable Care Act.

DR. BERNSTEIN: Well, there is a sort of practical political deadline about getting a final rule during an election year, let’s just say.

DR. FRANCIS: So it is almost 6:00. Let’s see we have Marjorie and Hetty to go if you have things you want to weigh in on.

DR. KHAN: Just one thing I wanted to bring forward was patient consent. In the world of the explosion of data, where patient consent used to be just a paper record and there was just this one paper that someone consents about, the data moves within state, across states, and with the migration of data I think patient consent is another issue.

DR. SUAREZ: Thank you for mentioning that. Tomorrow at the Standards Subcommittee, we are going to talk about some of our own agenda forward.

One of those areas that we are going to be interested in looking into, in partnership with the privacy and security workgroup, is a subcommittee on electronic consent and electronic signature standards. That is the other major element; I think those are going to be two important areas.

Now from our perspective it is more on the standards side. I think from the privacy and security perspective, it is a lot more on the policy side.

MS. KLOSS: We have always said that technology needs to follow policy. It might be an opportunity for collaboration. I would underscore from the information management standpoint the electronic signature issue is just bubbling up and is hugely troublesome and a standard that we need to get on with.

DR. FRANCIS: Here is what I am going to propose we do. Maya, Linda and I will digest this and put together a feasibility analysis and a criticality analysis.

How time sensitive is it? How hard is it and how well positioned are we to do it for each of the issues that have bubbled up to the top. We will send it around to everybody maybe within two to three weeks. Does that sound good?

(Whereupon, the subcommittee adjourned at 6:00 p.m.)