[This Transcript is Unedited]

National Committee on Vital and Health Statistics

Subcommittee on Privacy, Confidentiality & Security

September 28, 2016

Courtyard Marriott
Congressional/Monuments Room
1325 2nd Street, NE
Washington, D.C.


Table of Contents


P R O C E E D I N G S (4:10 p.m.)

MS. KLOSS: Okay, so let’s call the meeting to order. This is the Subcommittee on Privacy, Confidentiality and Security of the National Committee on Vital and Health Statistics. My name is Linda Kloss and I’m co-chair of the subcommittee and member of the full committee. I have no conflicts.

(Introductions around the table)

Agenda Item: Minimum Necessary Letter finalization

MS. KLOSS: All right. We have three items of business and the first is to review the suggested final changes or final substantive changes to the letter and then we will put that to bed, and we will go next to Mya and she’ll do the final editing and she has some citations to work on.

MS. BERNSTEIN: Not all of them are particularly substantive but since we passed the letter today, congratulations to the subcommittee for all its hard work, I changed the date on the letter to the 28th instead of the 29th. Also we corrected the date of the hearing, which is fact June 16th not the 17th. Jim had made a suggestion that we use the word “uneven” instead -and we changed that word here to be consistently implemented, which we thought didn’t imply that we were not compliant or compliant in different ways.

And then the other really substantive change was in appendix B. If you recall, there were four topics in appendix B that were for future uptake by the committee and we had a kind of a little closing paragraph or section, that looked a little bit like another recommendation and because the summary at the beginning of appendix B basically says, we’ll look to the future and figure out how best to serve the department. We just took out each of those closing paragraphs. I didn’t mark them here so I’m scrolling down – but where they were, they are no longer. And so we just the left introductory remarks.

MS. KLOSS: There were two references to this as potential future work. One in the close of the letter which referenced appendix D, and one at the beginning of appendix B. So that was enough we thought.

MS. BERNSTEIN: And so after the scope at the beginning, I remember drafting some nice language that essentially summarizes or repeats what is in the letter itself, that as part of its planning the committee will consider how it might be of assistance to the Department. We just thought that was enough to cover the whole section and leave it at that.

I still have a bunch of citations to look at. If you find anything else or I didn’t cover something that you found, some other typo or something, please let me know and we’ll finish that up. Rebecca and Debbie Jackson, their very competent staff, will put this in very quick order and we will have a published letter but it will be dated the 28th and I guess we will have Walter – Walter will be signing that letter because it was passed today.

DR. SNEAD: Not to be paranoid but is it useful to say it could help the department with additional policy formulation and guidance after the recommendations? After you’ve already implemented the recommendations in this letter. I’m just trying to avoid any reason to delay further work.

DR. RIPPEN: That title needs work, too, Issues For Further Analysis, I think we’ve decided to do that. Say, Potential Future Issues or something.

MS. BERNSTEIN: Other issues? Related issues? Tell me what you like.

MS. KLOSS: The other thing is that I don’t know if all of the solutions or all the topics are necessarily really specifically related to minimum necessary – the committee believes that further study might include –

DR. RIPPEN: It should say issues for potential future study after conclusion of —

DR. SNEAD: How about issues beyond the scope of this –

MS. BERNSTEIN: Beyond the scope of this letter or what?

DR. EVANS: This letter, yes.

DR. RIPPEN: And then I guess the only thing is that beyond the scope of the meeting but then –

MS. BERNSTEIN: This is sort of awkward

DR. EVANS: That went very well with the first two sentences. We said we thought of these however they were beyond the scope of the June hearing.

DR. RIPPEN: Beyond the scope maybe of this letter.

DR. EVANS: Or beyond the scope of the June hearing.

DR. SNEAD: Beyond the scope of the June hearing.

MS. BERNSTEIN: Well, it’s sort of like what we intended for the hearing but what actually happened in here and all these other issues arose.

DR. EVANS: No, these issues didn’t really come up.

I like beyond the scope of this letter. You know, it’s not beyond minimum necessary –

DR. SNEAD: So beyond the scope of this letter.

MS. BERNSTEIN: So Bill, you asked about whether it’s important to mention the timing.

MS. KLOSS: Could you go back to the main letter because I think it would be there.

MS. BERNSTEIN: Attachment B. Is this in the main body of the letter? So while we ae looking for the piece, Rachel Seeger has joined us and I would like her to join us at the table.

Line 107, is that the place that you meant? You want to say that. Additional important issues at 261. Then, not offering recommendations on –

MS. KLOSS: The paragraph would be the end of 260.

MS. BERNSTEIN: So here you have on the screen the paragraph that begins at line 260.

The Committee also discussed but is not offering recommendations on additional important issues relating to minimum necessary standard that were beyond the scope of this hearing.

PARTICIPANT: Would you say, were they all related to the minimum necessary?

DR. EVANS: They were related to minimum necessary but they were beyond the scope of the hearing.

DR. RIPPEN: So the one example would be minimum necessary for analytic for learning health care system. If I am improving how and using it to do that then I don’t have to do that unless it has already been with quality improvement or anything like that. If I am doing the same thing for genomics, then it is the same thing. But if I am doing research – what research uses is Common Rule. So if I said I wanted to do research on genomics and outcomes, and I usually go through IRB, I get all the data, and the minimum necessary is what data I need to do the research.

MS. EVANS: Perhaps you are doing it with federal funding – Common Rule.

DR. RIPPEN: But the thing is I can get exceptions and get identifying information for research as long as I go through IRB and they it is necessary.

MS. EVANS: All of the data for genomic research comes from clinical environments, you have to have genotype and phenotype and the phenotype data is coming largely from HIPAA covered entities. So even if you have Common Rule compliance that is necessary, you also have to meet the HIPAA standards and they are subject to minimum necessary.

DR. RIPPEN: But if I am doing the research – it is my understanding, and maybe I misunderstood, I thought that if I need identifiable information for research, which I do sometimes, like I want to do clinical trial through outreach, I can get it even though it is beyond –

MS. EVANS: It does need a HIPAA waiver or you would need to move it if it is a public health use, which much genomic work is at this point.

MS. BERNSTEIN: Your IRB is also serving as a purpose.

DR. RIPPEN: Exactly, so it is not going to preclude me from getting the data.

MS. KLOSS: We are not saying it does. We are saying there are implications.

MS. EVANS: What is your concern? It is obviously triggering some fear or concern.

DR. RIPPEN: If I am doing research, I have a mechanism to ensure appropriate use and that I am getting the information that I need. I go through IRB review for it.

So I get all the information that I need – the health care system has agreed to it, to get approval to get the data. Minimum use has no impact –

MS. BERNSTEIN: They are considering it when they give you that approval.

DR. RIPPEN: As a researcher I should know what I need in order to ask for it.

MS. EVANS: If you use any phenotypic data that comes from a HIPAA covered entity, before they can give you the data under a waiver, they have to look at minimum necessary.

DR. RIPPEN: I think that is good but researchers should get only what they need to get approval for it. I guess I never experienced where minimally necessary had an impact on –

MS. KLOSS: What troubles you about it?

DR. RIPPEN: Because there is more than one standard that is playing a role in this.

MS. EVANS: There are – and sometimes FDA’s regulations go into it too, if you are doing the Kennewick research for diagnostic.

DR. RIPPEN: My issue with all of this, as you know, is that we have a Common Rule, we have protection with processes in place for researchers in that they will not get more than they need, minimal use, and also they have gone through review to make sure that they really do need that information.

So to me minimal use doesn’t impact them because they are asking through a different process. That is all.

MS. EVANS: That is not correct at all research sites. Many academic research sites are part of an academic medical center that is in a recovered entity and they are HIPAA covered entities –

DR. RIPPEN: They don’t have to go through IRBs?

MS. EVANS: No, they have to do both. They have to comply with Common Rule and they have to comply with HIPAA. Doing Common Rule doesn’t excuse the obligation to do HIPAA. So in many research environments and in public health environments, HIPAA is just an added obligation that people have to bare. So it does have implications.

We are glad at some research sites it is not a problem, but you are not representative of the research sites that –

DR. RIPPEN: So the researchers are saying that they cannot get data, that they need to do research, even if they get IRB approval because the hospitals say you don’t need it.

MS. EVANS: No one is saying they are saying anything. We are saying that minimum necessary is relevant to the access to data for research. That is all we are saying.

Ms. BERNSTEIN: Your IRB is serving the HIPAA purpose. Essentially they are doing the minimum necessary review and they believe you as a researcher, that that is the minimum necessary.

MS. KLOSS: I think we are good here. Don’t you agree?

MS. BERNSTEIN: So this is the language in the main letter, between 260 and 264, you came back to look at this so you could amend the language in appendix B to be matched appropriately. So everyone has this in their hand?

MS. KLOSS: We have that back up there to make sure that we weren’t implying anything that could cause the Department to delay –

MS. EVANS: We say, “the Committee believes that further study”, that is stronger than we now are making. We say, “The Committee identifies these as possible future issues.” I think that is what we want to say at the end of line 3. “And the Committee identifies these as potential future issues.” That is all we are doing.

MS. BERNSTEIN: That is it. This whole sentence goes?

MS. EVANS: Right. We are not saying they need to do anything.

MS. BERNSTEIN: Everybody is happy?

(Chorus of “yes”)

MS. BERNSTEIN: It now says at line 627, However, they were beyond the scope of the June hearing and the Committee identifies these as potential future issues. As part of its planning” blah, blah, blah.

MS. EVANS: Why don’t we put a period. “they were beyond the scope of the June hearing.” Then say, “The Committee identifies these as potential future issues.”

MS. KLOSS: So I think we have accomplished the changes.

MS. BERNSTEIN: The title you are happy with?

MS. KLOSS: Yes.

(Vicki Mays and Rachel Seeger join the meeting)

MS. KLOSS: We approved this today, pending those modifications that we just cleaned up. In that spirit we have to move on.

MS. BERNSTEIN: Everyone has a copy of the summary in front of them – a paper copy and you also received an electronic copy of it.

Do you want to look at it on the screen?

Agenda Item: De-identification – Outline of Recommendations for November

MS. KLOSS: I think that would be great. I want to thank Rachel for helping to pull this summary of the May 24-25 hearing together for us. She just gave us a little recap of the testimony we heard. Because we had this lag, we did not want to lose some of those pearls.

I think it is going to be important for all of us to go back and pull the testimony again and reread it. I have started to do that and it just brought home how rich it was and how much is there.

This is a great way for us to start getting back into it today. I thought before we dive into the content, if we could just kind of take a reality check at the work effort. It is exactly nine weeks between now and the next meeting, because we are at the last week of November.

What I think we should do in the spirit of pressing forward is kind of start out the way we did on this one and try to tee up what looks like the key recommendations. At least have a good outline in the recommendations to discuss in some detail with the Committee in November.

I am hoping that we will commit to pressing forward and getting as far as we can. We might surprise ourselves. I have been thinking about this and I think the way we ended up approaching the minimum necessary letter is going to work for de-identification, too, where we focus our recommendations on the short term actions that we are encouraging HHS to take. At the same time we are pulling out issues that are more complex and long term.

I just throw that out for discussion because I think if we could have some consensus about how we start boiling this ocean we will move a little faster.

DR. MAYS: Can I just ask a question? Are you wanting in the November meeting to have a set of recommendations that we would vote on or are you trying to have it just for discussion?

MS. KLOSS: I would love to have a letter.

DR. STEAD: I think the general wisdom is that anything that we have not gotten done by this meeting is actually going to be having a much better chance of receptivity if we get it out sometime early in the calendar year, when we are past the transition. Unless there is something burning that somebody needs, that is at least the guidance that I have been hearing in other quarters.

The people are not going to be in a good position to really receive and think about things at the end of November.

DR. MAYS: My understanding is that anything that is our bread and butter we should keep moving along. HIPAA is given to us and is considered our bread and butter. So I was told those things should stay on the regular track and things that are outside of that, we should not do it until later.

MS. KLOSS: We were asked to take this up.

DR. STEAD: If people who ask for it know how they will use it in the December timeframe, then by all means proceed ahead. If that is challenging to you and if the difference between December and February doesn’t matter to the people who are going to receive it, then you may do better packaging it – taking the time to package it up and land it in February.

MS. BERNSTEIN: I can give a perspective. I have a couple of thoughts about this – and I have not thought about it so much until now but I think the type of work that we are doing here is not, as far as I know, particularly effected by the transition.

The people who have asked for it, career civil servants who are going about their business, and this topic on de-identification does not fall anywhere in this spectrum, except straight up science or math or whatever we are talking about. We were asked to give guidance on this topic and I think the Office for Civil Rights would lose three months. Which may be very important to them, if we have something to say in November.

My other thought is this is an incredibly complex topic – and I have not talked to anybody else who are members of the Committee about this, but in looking at this and thinking about de-ID and the complexity of it, I would ask if the members of the Committee are confident that they feel fully informed and feel like they are ready to have something on this topic in November. It could be a report on what we have already heard at this point. We can think about how useful it is.

MS. KLOSS: I think if we don’t have a letter, and we may not, what I would propose that we do in February is tee up a substantive overview of the topic and have a discussion with all the members so we are bringing along their learning on the current issue and they will be in better shape to vote on it in February.

MS. EVANS: Since this topic is much more open to textured and requires much more research than minimum necessary did –

DR. MAYS: Really?

MS. EVANS: Yes, by far, because there is so much happening –

DR. MAYS: Don’t worry, bread and butter or not, we can’t get this done then.

MS. EVANS: There is a wide range of material. We have heard excellent testimony. I don’t see this issue – it is one that has been simmering for a couple of years. It will continue to simmer for many more years. I think it is much more important to get it right than to get it rushed. I don’t see what the importance between November and February is on this.

I think there is a real quality advantage in taking a little more time.

MS. KLOSS: There has been some new information also that has come out since the hearing, that was referenced in the hearing, that I think the subcommittee has to take a little time to review.

MS. BERNSTEIN: So simmering, I think this topic is –

MS. EVANS: Maybe that was not a study choice of words –

MS. BERNSTEIN: I am not criticizing.

MS. EVANS: — did boil up yesterday and it will continue to be an enduring issue.

MS. BERNSTEIN: That is correct but I also think there is a monotonically or not, an increasing interest in this. In the privacy community it is a hot topic –

MS. KLOSS: We have asked Rachel to weigh in but we have not let her talk.

MS. SEEGER: So with respect to timing, I think that OCR was looking for recommendations from the Committee sooner rather than later. You have a window of opportunity here where senior leadership, who will be departing in January, know these issues well because they have been embedded with them. What typically happens during the transition is you have to reeducate and that reeducation, first of all, OCR might not get a director anytime soon. Right, there will be someone who is acting. That will be a staff person.

It would be unlikely that they would take an action up until leadership comes in. So there is going to be a gap. I am delighted that the action happened on minimum necessary because we have been very eager for that.

Likewise, I think we are very eager for the de-identification recommendations as well, to happen sooner rather than later. You made an excellent point, Barbara, in that this does need rumination, but Maya, as she mentioned, this is a very hot topic within government. NIST will certainly be coming out with recommendations on this topic to federal agencies very soon.

You heard from Simson Garfinkel. Simson is leaving that effort. There was a meeting over the summer and there is a position paper, I believe, that is out on this topic for public comment.

MS. EVANS: So how does this then fit into this if there is going to be a recommendation from NIST or a framework, then how does what we do fit into that?

MS SEEGER I think that is one of your first – I don’t want to frame the letter for you – but I do think that it is one of your first considerations, that you understand that much is happening around this area and that NIST, the National Standards organization, that sets recommendations for federal agencies, is picking this up.

NIST has helped guide HHS in the development of standards for HIPAA. Whether it is risk analysis – no matter what it is. So likewise, the Department is probably – you would advise them to look at NIST guidance in this area.

DR. PHILLIPS: NIST put out the position paper you mentioned?

MS. KLOSS: Yes. They also were doing that research study on de-identification technology.

DR. RIPPEN: And so we go back to kind of what we think the buckets are. We had testimony – we talked about this other stuff – but if we are going to parse or bucket all the different topics in here, what would they be?

Then the question is do we want to – they all have to be wrapped up in one or can they be incrementally –

MS. BERNSTEIN: We will get that, for sure. But I hear what Rachel is saying about the change in leadership and the fact that they are already up to speed on this stuff. But even if we were to pass a letter the last week of November, do you think, I am putting you on the spot a little bit, so do you think that OCR would actually be able to act on it before they leave? It is very quick over December and at the end of transition.

I don’t know if you would be at that time, able to put something out. But I do think that the staff is continuing to work and would have the benefit, if we had a portion of topics. That is what Helga is about to go I the direction of, if we could focus the topics and say these are some things we have thought about that we can make some sense of preliminary ideas. Let the staff ruminate during that time.

I have to say I think it is unlikely that OCR would issue any kind of full-blown guidance during that time anyway, so there will be a change and we may have to wait for a director.

The staff, who is working on this, may have the benefit of at least a piece of this for identifying where there are gaps that we are going to next take-up. Something like that.

DR. RIPPEN: There might be an opportunity to do it even faster if we break it up and it is not very controversial. If we believe that NIST, for example, fits into the picture and how it fits, we might be able to go through the process.

MS. KLOSS: I think this is a good time to walk through the summary that we have. It is all going to come back to you. It did for me.

DR. MAYS: Do you know what NIST is going to say?

MS. SEEGER: They do think, just in looking at the transcript here, I was a little sorry – we have to slide back, right? The summary of Dr. Altman’s comments are like this. He was really offering a road map on the life cycle of data management in the process for you all. There was so much rich testimony that we heard from so many people.

I’d like to make the recommendation that that is also a piece of testimony that go back and take a deeper look at. You might not agree with everything he said –

MS. KLOSS: Before you came in we said we have to go back and reread it.

DR. SEEGER: It was tough that you had the two hearings back-to-back the way you did because I think you were smart to go with the low hanging fruit of minimum necessary, although in retrospect, it was very complex, right? You have a 22-page –

MS. KLOSS: We thought it was a little easier until we delved into it.

Okay, so let us just scroll through this and just take a look. We started with the testimony of Simson.

(Setting up slides)

MS. KLOSS: Simon, he raised – remember he described the two current methods. Concern has been raised about the sufficiency of the HIPAA de-identification methodologies. Lack of oversight for unauthorized re-identification of de-identified data, and the absence of public transparency. Then he talked a lot about work that was underway and substantiated that.

If you recall, we had a really good discussion about this. The practice of de-identification, the fact that most of health care is defaulting to Safe Harbor. All of this will start coming back to you.

Very few people who know how to do the expert method and no consistent training on how to do the expert method. Lack of tool kits. These were some really practical things that when you read through it you think oh, you could tee this up into a short-term set of recommendations that would be pretty logical.

He touched on, the next paragraph, de-identified datasets can be re-identified. We got into more detail on that and other testimony about the risk and harm and so on and so forth. Some of the methodologies.

If you recall, he just set us off on a very good overview and framing of the issues. We did not get into too much deep dive, although his slides have some methods.

DR. RIPPEN: Were the slides posted?

MS. KLOSS: Yes. All of the slides and all of the written –

MS. BERNSTEIN: If you go to NCVHS.US and you go to the Privacy Committee and look at our recent hearing. Or you can go to the calendar.

DR. MAYS: I can see the transcript.

MS. BERNSTEIN: If you go to the agenda for the hearing, usually they attach them to the speaker. So if you click the speakers name you would get some material that are attached to that speaker.

MS. SEEGER: Simson did not have slides, I don’t believe. I think that he just offered written testimony – if I remember correctly.

(Ms. Bernstein showing group how to use webpage.)

MS. KLOSS: So there were some things also that he noted in follow-up, the new research that was pertaining to technologies or de-identification software developments. I think that would be important to review.

We also had some links set that Barbara provided to our subcommittee. Daniel Barth-Jones was on that. So some other valuable information.

The first panel was policy interpretations. If you remember, we had Rubinstein, Malin and Barth-Jones.

MS. EVANS: Would you excuse me. I have to get back to Houston for my classes. We will touch base afterwards.

MS. KLOSS: So we learned more about the expert method from Bradley Malin, who is one of the experts.

DR. MAYS: Do you think we should go through the slides? The text and the slides?

MS. BERNSTEIN: I don’t think we would be able to do it. I can’t get them both on the screen.

MS. SEEGER: Do you have access to the Internet?

MS. BERNSTEIN: I do.

MS. SEEGER: If you could go to Google, please. The members of the subcommittee should also note that NIST released this draft 800-188 for discussion. It is one of their special publications – on August 25th.

MS. BERNSTEIN: This is called, De-Identifying Government Datasets. It is a draft for comment. I will send this link to everybody right now.

MS. KLOSS: Rachel, you had put together a list of everybody that had given testimony each day that were hyperlinked. That might be the easiest way for you all to regain access to those materials. I know I still have mine. Would that be helpful if we just sent you the agenda with the hyperlinks, rather than having to go the NCVHS website?

DR. RIPPEN: I think that is good because then when people do have time they won’t have to look for it. If you do a de-identification NIST, it will pop up right onto the wall.

DR. MAYS: So you are going to send this with hyperlinks? Just say it again.

MS. KLOSS: Rachel, she sent hyperlinked agenda before the hearing itself.

DR. MAYS: Does it have them as slides rather than PDFs?

MS. KLOSS: If we had slides.

MS. BERNSTEIN: The people on the phone can’t hear you so if you can just raise your voices.

DR. MAYS: What I was suggesting then is if we had that, what would be easier is you can even go into each slide set and pull out specific recommendations and we each can pull what we think. It is a lot easier than a PDF.

MS. KLOSS: I think what we need to do is the way we did this last letter. Someone just needs to do a first pass. I will take that on. I will just do a first rough draft. I am not going to worry about getting it accurate, getting it right, but I have got some time next week – no, the week after next. So if we could think about a call towards the 13th, 14th of October, I can have something for us to start reacting.

Again, we will not commit to having a letter ready for approval in November but our fallback will be a briefing session with some discussion.

DR. RIPPEN: I think that would be great. I guess you will also kind of get a sense if there are things to explain – certain things of it that are too complicated.

MS. KLOSS: And how far we can go based on what we know.

MS. BERSTEIN: That is really the issue. How much can we say about which of these topics and whether we think we can make a fulsome statement or briefing. Things that we did not go into as much but we think are important or the committee thinks that OCR might want to address and are being addressed elsewhere. So this is a topic that is evolving quickly because it is boiling in the federal environment. As Rachel mentioned, in multiple places. NIST, Commission on Evidence Based Policy.

MS. KLOSS: I won’t make any attempt to incorporate all of that. I will try and playback what we know and what we heard, and then as we did in this last one then everybody added their – then it grew from 6 pages to 23.

MS. BERNSTEIN: The nature of the type of recommendations that you consider might be of a different sort than minimum necessary type. I mean we are not all going to turn into methodologist that are like Brad Malin or LaTonya Sweeney, by doing this. So the nature of those kinds of recommendations might be of a different sort.

MS. KLOSS: I don’t think that is what OCR wants from us -methodologic.

DR. RIPPEN: Have you round up high trust?

MS. KLOSS: High trust – do you want to say something about it?

DR. RIPPEN: It looks like high sales.

MS. KLOSS: They are certifying. They are certifying the experts.

DR. RIPPEN: Who is evaluating their certification?

MS. KLOSS: We invited some of those people to testify.

MS. SEEGER: So, basically, instead of them coming and testifying one of the other panelist basically presented on their behalf.

MS. KLOSS: Any other suggestions for how we go forward?

DR. RIPPEN: I think everyone should spend the time to review all this stuff. Do you want people to send you everything if they come up with anything or is it better, no. What would help you?

MS. KLOSS: What would help me is if you came back up to speed on the testimony we heard so that when you get a draft, which I am not going to be fussy about it, I am going to do it like I did last time, do a starting point, that we can really have a substantive conversation.

MS. BERNSTEIN: Do you want people to pick out the things – at the beginning of the process for minimum necessary, as I recall, we had everybody pick out those things that they thought were –

MS. KLOSS: We have the summary.

MS. BERNSTEIN: We have the summary that Rachel has picked out.

MS. SEEGER: Linda also did a lot of work drafting out what the key take aways were. Then we had, as you recall, we spent some time together putting key thoughts on a flip chart.

MS. KLOSS: So we have that too.

MS. SEEGER: You have that also.

DR. MAY: Do you want us to know what is in the NIST stuff or to know what you just gave us – the de-identifying government datasets?

MS. KLOSS: I think that the standard use of software in that report is probably quite relevant to us.

MS. SEEGER: I think that the NIST special publication that is drafted, that was just sent around to you all, will likely be very helpful for you in being able to see where the federal government is going.

So HIPAA, scalable and flexible. You have many covered entities and business associates that are very small, that don’t have a lot of resources.

Our goal for HHS, really, is to put forth methodologies that are doable for everyone in the industry, no matter how big or how small. They should not necessarily need to have a consultant come in and tell them how to do it.

MS. KLOSS: And there is software.

MS. SEEGER: How do we explain what you just heard in plain language for people? That, I think, really is also why we had created the expert method and Safe Harbor methodologies so that there were different pathways for different organizations.

DR. STEAD: Some very simple ideas, if I remember this right, that would play into that. Like we needed to review and update the Safe Harbor at some period, not measured in 20-year segments.

Those are very simple kind of concepts and they are essential to this idea that you need to support a diverse group. That means you need to be gently raising the floor. I think that was one of the things it seemed to me to be actionable without a lot more understanding than we have. I don’t know if there is a way to kind of tease those kind of things out.

DR. RIPPEN: From an experiential perspective, and also with regards to best practices for what the methodology is from an expert perspective. I know people were shopping for experts so they could get the waiver thing, and have everybody at the same level of de-identification or whatever. Depending on who wanted the data for what purposes, there are some interesting things there too.

So I think for both sides, an expert is an expert is an expert.

MS. SEEGER: Right. That is something for you guys to consider. The Department has been very reluctant, since HIPAA began, to offer a certification, to bless one way of doing this or compliance, period.

DR. RIPPEN: Yes, because technology changes and capability and methodology, and that is the problem.

MS. BERNSTEIN: And there are businesses that pop-up that go into the certification business. On the hole, government is reluctant to go into a business competing with the private sector. Or to even pick winners and losers among those.

DR. RIPPEN: Then do you have a role to certify the certifiers?

MS. BERNSTEIN: It could be a standardization kind of role for NIST. Often it is a meta level, they certify a lab who can certify something like that. This is a group that can tell you whether you – but it is not clear whether that is something that you want to consider in this case or not.

There are lots of possibilities for how to do this. Wouldn’t it be a dream to have software that is off the shelf and cheap that would do this. That would be the dream thing. Each dataset is unique, has different properties, and so the idea of creating software like that seems like a pipe dream.

MS. KLOSS: But practical suggestions that came out with a checklist for identifying risk and things like that. One of the recommendations that I picked out in this summary was developing identification of what re-identification is.

DR. RIPPEN: If you think about the pressures now for within the interest because Facebook, Google, and everybody, twitter, is now offering up the ability to leverage their data. Then there are going to be people who want to re-identify it because we would have to do x, y, and z with it because we want to actually link people together for research purposes.

I know, this may be outside of the scope, but again going back to what is the landscape and where is it going and the implications of that – pretty big.

MS. KLOSS: Okay, shall we continue to scroll or shall we move onto our third topic?

MS. BERNSTEIN: The next panel is discussion for the first panel. Panel 2. Some policy kind of makers. Michelle De Mooy from CDT, Jules Polonetsky, Ashley Predith, and Cora Tung Han from the FTC. Still kind of civil societyish policy maker. That sort of folk.

MS. SEEGER: So if you recall the FTC came out with a series of recommendations, really to congress, on data brokers. That gets into that this is an area that is really unregulated with non-HIPAA covered entities re-identifying data. Then it going out on being for sale.

There are 24 team data broker report is something that we included for you all in that agenda with the hypertext. The previous speaker from the Office of Science and Technology at the White House, (PCAST) put out another paper that is not referenced here on big data.

Since this time that we had this hearing ONC came out with their report to congress on non-HIPAA covered entities.

MS. BERNSTEIN: Which is a topic that this committee took up some years before with hearings that we wrote about in a letter. Almost 10 years ago, I think.

DR. RIPPEN: What are the implications of a health care system buying data outside of the system that has been re-identified. Does that then fall into anything – does it fall into HIPAA now just because of the merging?

MS. BERNSTEIN: If it is a covered entity that is the custodian of identifiable data.

DR. RIPPEN: If they bought it so –

MS. BERNSTEIN: Doesn’t matter how they got it. If it is held by a custodian who is a covered entity and it is identifiable data – maybe it is not PHI – I don’t know, I have to go through all the definitions and make sure it falls under all of them.

If it is identifiable and you are linking to individual patients or insurers or something, I don’t think it matter where you got it – where you collected it from.

MS. KLOSS: Are you going to report – maybe –

MS. SEEGER: HIPAA Covered Entity Report – Lucia will –

MS. BERNSTEIN: Lucia will talk about it tomorrow and that way you could ask her –

MS. SEEGER: She may have spoken about it the last time she provided her update. I am trying to think of when it came out. I think that I was still on detail or right when I came back.

MS. KLOSS: I just looked at it – sent it around and suggested that that might be something that our subcommittee should look at.

MS. BERNSTEIN: You can ask her about it if you have questions again.

MS. KLOSS: I have not looked at it enough to know what it says about de-identification. That is what we want to do some research on. It does reference that 10-year-old work by NCVHS, but it doesn’t reference the framework for stewardship.

MS. SEEGER: We have been having some issues with things going out that are not branded. Many of our agencies have people who are new to government and don’t think about it. They are very focused on the produce of the written word but not focused on branding it. Then it turns into a white paper.

MS. BERNSTEIN: So the day of the meeting was the day before that thing came out.

MS. KLOSS: I don’t recall.

MS. BERNSTEIN: This was the full committee meeting and it did not come out until a couple of days later.

MS. KANAAN: It is not in the minutes. I have the minutes on my computer.

MS. KLOSS: So we have a plan. So Geneva, if you would do a Doodle –

(Sidebar discussion about dates)

MS. KLOSS: Thursday the 13th or Friday the 14th of October.

(Dr. Suarez returns to the meeting.)

Agenda Item: Planning for Future of Health Information Privacy Initiative

MS. KLOSS: We just finished the initial game plan for returning to de-identification work and now we are going to move to our third and final discussion point today which is to think about the planning the future of the Health Information Privacy Initiative.

This has come up a couple of times where we devote some our subcommittee time to looking at privacy of the future. When it has come up Bill has suggested that we frame it from the perspective of consumer.

I think it may be, and I saw through the Standards Subcommittee, something about looking at HIPAA futures. As I was talking to Alix, I said, isn’t that part of – might we look at this as a committee wide exercise of taking a future look where HIPAA might go, including privacy. Or do we look at privacy and confidentiality and security as an entity? Or do we do this as part of a broader HIPAA discussion?

When we talked about this earlier we said we said we might be planning ahead to doing some kind of thought leadership roundtable or something in 2017. If we were going to do that we need to map out the pre-work that would need to get done. We would need to think about where it might come in the course of the year. Now with transitions, perhaps we need to just lay that on the table and then do it as part of an overall strategic plan with the work of not only this subcommittee, but the committee as a whole.

I just wanted to start that discussion. Get us talking. We have our current chair and our incoming chair. I think our subcommittee has plenty on its plate between now and November and perhaps, and now the first quarter. The February meetings. So whatever we do is spring or summer or next fall initiative.

DR. SUAREZ: I would like to mention that the Standards Committee has been working on a very long list of priorities. One of them was called HIPAA 3.0. That means basically so the next generation of standards that actually link more closely to public health, population health, payment reform. These kind of areas that are more forward thinking, transitioning away – not away, but at least supplementally from the traditional way of handling HIPAA transactions.

We are going to have to continue to certainly, move as an industry in the HIPAA transaction mode for a while. We might next year, hear from the standard reform organizations that we are recommending formerly that we move to the next version of the standards. 70/30 as they call it.

That process will have to continue. We are going to still have claims for years to come, I am sure. But there is also this new perspective of what is the next iteration of the concept of claims taken not from a fee for service traditional perspective, but more from a pay for performance perspective of saying that there are far more claims. This is now a new way of reporting, which includes quality reports and new quality metrics that evaluate population based type of performance. That is a whole discussion on that side.

In addition to that, there is discussion on the standardsside of things like patient identifier, because now according to the new revisions in the rider that traditionally has been blocked to even mention the word patient identifier. It has changed to allow the industry to begin to look into this and there are efforts to try and go to that.

There are certainly arguments, yes, just this week we are in health IT week, the National Health IT Week. Yesterday there were presentations about if 25 percent of the reason we have information blocking, if you will, is because we can’t match the right patient that we are exchanging. So there is the patient identifier that is also coming up as a potential area for next year.

I do think that this future of this health information privacy – and the way I think of it is really part of the larger picture, but from this committee perspective, it is about in many ways, privacy and confidentiality and security. So the contribution to the larger discussion. Sort of like the HIPAA report to congress where we contribute through a different perspective.

MS. KLOSS: So we each have to do our own study but then it comes back together.

DR. RIPPEN: So I guess going back to the scope of this committee and the full committee, we talked about privacy and confidentiality. We talked about how everybody needs all the data for population health and stuff like that. If you think about where really the action is happening, it is about people – you and I, and everything else.

What I don’t hear, and again I am trying to figure out where it falls, who is responsible, is to bring along the individuals of where all this data is coming from. We always hear about HIE. HIE is a good example. Oh, we have got to take consumer involvement and then they don’t do it until the end.

Then you look at the trends of people start dissipating of surveys, dropping off, people participating in census are dropping off. Concerns about can the government be trusted with data? Kind of, who is in it for what? Again, there is so much good work that is trying to get done for the benefit everyone, but there is this disconnect potentially, between the people who we are really talking about, which is you and I, right? Kind of all of the policies and infrastructure.

I guess is it our role to consider those components? If it is, how do we actually do in a meaningful way because I do have concerns about at some point there being a tipping point. It can either slow things down or accelerate them, depending on where it goes, and whether there is any role for NCVHS to address it. I don’t know. We often don’t discuss it.

DR. MAYS: Let me also introduce some other areas because I think they are coming out of Data Access and Use. One of them is – and I don’t understand it well enough yet, there has been a change by NCHS and others, in their privacy and confidentiality interpretations. So more data is being pushed into the data centers, which is making it less accessible. I have had a conversation with Susan Queen about that.

So something is happening with this survey data particularly when there is a linkage. There is some breakdown that has acquired between AHRQ and NCHS, and it is around privacy. So now the data is in the data secure center. This seems to be a trend that is happening.

That is one of the issues that I think is going to come up that we need to address.

MS. KLOSS: It seems to so be in conflict with liberating the data.

DR. PHILLIPS: It has happened with the BRFSS data too.

DR. MAYS: This is increasing.

DR. PHILLIPS: This idea of the PopHealth committee about having sub-county data available from a variety of sources is going to run right into this problem while things are being pushed into ResDAC.

DR. MAYS: So whatever is going on within HHS, and this is recent in the last year, there is now a change. I even asked Susan, do people need money for these data sets? She said it is not money. She said it truly is around privacy and confidentiality. So that is an issue.

And then the other that comes up, and I don’t know if this is in the committee’s space or not, but it really has to do with the technology mobile health area. That is there is more and more wireless data. It is like now people are monitored post-surgery. There is transmission of data and information. Some people say it is being covered under HIPAA. Other people say that there needs to be a look at this because that is not secure enough.

MS. KLOSS: I would see that kind of coming – certainly one of the front and center issues if we did a future think on privacy from the personal standpoint.

DR. SUAREZ: The ONC, just a few weeks ago or maybe less, released a report on oversight of non-covered entities in which that specifically shows devices and vendors that are putting out apps and wearables – all these are products and organizations – the app developers that are collecting data from patients, clinical and medical data in many cases, are clearly outside of the HIPAA space.

So they argue for the need, in fact, of expanding the definition of HIPAA. Which is exactly what the National Committee recommended from a different perspective – the administrative transaction perspective. It is in many ways, inconsistent.

But these are the kind of topics, in reality the way I see the future discussion for health information privacy and security concept. It covers data in the hands of government and trying to make it more accessible rather than less. Data that is not covered under HIPAA, that is clearly at risk of either growing and being exposed or handled. Right now the only mechanism to control that is through some very minimal oversight from FTC – believe it or not – the Federal Trade Commission, which has some oversight on data collection.

I think it is an opportunity to really look at all these issues. Maybe one of the things that we have done is begin to have brainstorming. Some mechanism to illicit all areas of potential consideration for this future work.

DR. MAYS: One of the things I was going to suggest, particularly when it comes to some of the mHealth and wireless, is we see whether or not there can be a partnership in terms of hearing or some activity with the FTC. Because there is part of it that is not us. There are things like the service agreements and how the service agreements for things like Fitbit, and stuff like that, that people do not know what they are signing. That they don’t know that by putting it on your committing, and this is what the agreement is.

DR. SUAREZ: Nobody reads all those lengthy – they just click.

DR. MAYS: Exactly, so some of this I think, is us but – at least in terms of our space on the technology side – the federal government doesn’t produce it. But at the same time it can do a service to comment on this and give some guidance that when it is health data here are the things to think about.

When you are wearing devices or you are agreeing for example, to be monitored because apparently the wearables and the wireless are increasing, but there is not enough coverage around all the ways – even the caretaker sends the information, helps with the information – they are not covered.

DR. RIPPEN: I think the researchers are capturing certain things that I don’t think the patients knows.

DR. MAYS: I don’t think the IRBs know all the stuff that they do.

MS. KLOSS: If you recall, when we did our subcommittee work plan six months ago or so, we had suggested that the way we get our arms around this future vision for privacy, would be to tee-up a brainstorming session with the Full Committee. Try to begin by getting all the thinking’s of our group before then, and then design roundtable or some other –

DR MAYS: Some of this will come up from us for example, we are trying to figure out like as we are talking about the guidance and we have these privacy and confidentiality issues, whether we push it to you, we work with you. I think that you will see that this is going to get raised.

MS. KLOSS: So it just seemed to me the first thing you tap for we are all thinking about where we ought to take this topic is all the members of the committee. Then go back to the drawing board in terms of how you frame a roundtable or something. At least everybody is onboard with this agenda before we dive in.

DR. SNEAD: The one question will be do we want to try to, given a lot of timing issues, do we want to try and free up the majority of the November meeting – maybe even all of it – for a strategic planning session? Instead of trying to press everything in and add a strategic planning, maybe we say to what degree do we really free up November.

DR. SUAREZ: There are two action items only – there could, I guess, be two actions that the committee would need to consider for timing purposes. One is the APDs letter and the other one might be the de-identification. Those are really the only two action items and the things on request about inviting specific people.

I think the idea is a great one, too.

MS. KLOSS: It is great.

MS. BERNSTEIN: There might be some timing issues with that that are relevant to the transition. If there is a significant change in priorities in the change in administration, then you might be out of alignment with them.

DR. SNEAD: It seems to me that we are sort of at a stage in our life where we know that there are a set of trends happening that offer disruptive opportunities. If we could get our hands around how we could use these trends to overcome barriers to action. Instead of the trends being a threat, how do we actually turn them around into opportunities.

It is hard for me to believe that wouldn’t work no matter how the transition takes place. The transition will tell us what the top near-term priorities are that we would want to be able to respond to strategically. But if we don’t have some idea of understanding how to leverage these trends to our advantage we are always going to be digging out of holes.

MS. BERNSTEIN: I agree. I think it is matter of emphasis and degree sort of thing. Certainly looking at the longer view and figuring out –

DR. STEAD: How to take advantage of it in the near term.

MS. KLOSS: I like the idea of having the whole committee.

Well, we are just about at that time. On that note –

MS. BERNSTEIN: We are adjourned.

(Subcommittee adjourned at 5:35 p.m.)