[This Transcript is Unedited]
Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201
Agenda Item: Call to Order, Welcome and Introductions
DR. COHN: I want to call this meeting to order.
This is the first day of two days of meetings of the National Committee on Vital and Health Statistics.
The National Committee is the public advisory committee to the U.S. Department of Health and Human Services on national health information policy.
I am Simon Cohn. I am the Associate executive Director of Kaiser Permanente and chair of the committee.
I want to welcome committee members, HHS staff and others here in person.
I also want to welcome those listening in on the internet, and I want to especially welcome our four new committee members whose terms began on December 1, 2006.
First is Garland Land, and, Garland, thank you for coming. This is your second meeting. Garland is currently the Executive Director for the National Association for Public Health Statistics and Information Systems, NAPHSIS, and I think we introduced you a little bit last time, but we obviously just want to recognize your previous background with public health and public health informatics in Missouri. So thank you for joining us for a second meeting and your first as actually a formal member.
Our next is Leslie Pickering Francis, and, Leslie, thank you for joining us. I didn’t get a chance to say hello to you beforehand, but we are pleased that you are here.
Leslie is the Chair and Professor of the Department of Philosophy, as well -- and we are going to have to talk about this offline -- as well as Professor of Law at the University of Utah, which I think is a very -- it seems very appropriate, I guess, but somehow surprising.
Obviously, we are very pleased to have you join us.
Leslie has testified before the Privacy and Confidentiality Subcommittee, and she brings an expertise in ethics, public health, privacy and confidentiality, consumer and patient issues to the committee. So we obviously are very pleased that you could join us, at least over the phone at the Privacy and Confidentiality Subcommittee meeting, and, obviously, we are very pleased to have you here in person. So welcome.
Dr. Larry Green is a nationally-known researcher and a professor of family practice at the University of Colorado, and, obviously, with the way the weather is outside, I don’t think you feel like you’ve probably left Denver at this point.
He is also a Senior Scholar in residence at the Robert Graham Center for Studies in Family Medicine and Primary Care located here in Washington.
So, obviously, pleased to have you joining us.
Now, finally, we have Marc Overhage, who is an internationally-recognized health informatics expert.
He is President and CEO of the Indiana Health Information Exchange, a Professor of Medicine at Indiana University, and -- head of the Regenstrief Institute.
DR. OVERHAGE: Director.
DR. COHN: Director. Excuse me. Director of the Regenstrief Institute, replacing Clem McDonald, who, as I think as you all may remember, was a former member of the committee. So we are obviously --
PARTICIPANT: Who is here at HHS.
DR. COHN: Yes, who is now in HHS, exactly.
Marc also has testified frequently before the committee and especially Standards and Security, and, obviously, we are very pleased to have you join us and look forward to your active participation.
With that, let’s have introductions around the table and then around the room.
For those on the national committee -- and this includes also the new members -- I would ask if you have any conflicts of interest related to any of the issues coming before us today, would you please so publicly state during the introductions?
And I want to begin by observing that I have no conflicts of interest today.
Marjorie.
MS. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics, CDC and Executive Secretary to the committee, and I think from those introductions, it is obvious that it is a little dangerous to testify before the committee. We may recruit you to be a member.
MR. ROTHSTEIN: Mark Rothstein, University of Louisville, School of Medicine, member of the committee. No conflicts.
DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the committee. No conflicts.
MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina, member of the committee. No conflicts.
DR. WARREN: Judy Warren, University of Kansas, School of Nursing, member of the committee and no conflicts.
MR. LAND: Garland Land with NAPHSIS, member of the committee. No conflicts.
DR. VIGILANTE: Kevin Vigilante, Booz-Allen and Hamilton, member of the committee. No conflicts.
MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member of the committee. No conflicts.
DR. FRANCIS: Leslie Francis. University of Utah, College of Law and Department of Philosophy, and I have no conflicts.
MS. TRUDEL: Karen Trudel, Centers for Medicare, Medicaid Services. Liaison to the full committee. Staff to the Subcommittee on Standards and Security.
MS. MC ANDREW: Sue McAndrew, Office for Civil Rights. Privacy liaison to the subcommittee.
DR. STEUERLE: I am Eugene Steuerle from the Urban Institute, member of the committee. No conflicts.
DR. SCANLON: Bill Scanlon from Health Policy R&D. Member of the committee. No conflicts.
DR. GREEN: Larry Green, University of Colorado. No conflicts.
DR. FITZMAURICE: Michael Fitzmaurice, liaison to the national committee, and staff to the Subcommittee on Standards and Security.
DR. OVERHAGE: Marc Overhage, Indiana University and Indiana Health Information Exchange. Member of the committee and no conflicts.
DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention, liaison to the full committee.
MR. BLAIR: Jeff Blair, member of the committee. Lovelace Clinic Foundation. No conflicts.
MR. SCANLON: Good morning. I am Jim Scanlon from the HHS Office of Planning and Evaluation, and I am the Executive Staff Director for the full committee.
MS. SIDNEY: Cynthia Sidney, staff to the committee.
MS. JONES: Katherine Jones, CDC, NCHS. Staff to the executive committee.
MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC, committee staff.
MS. HORLICK: Gail Horlick, CDC Atlanta. Staff to the Subcommittee on Privacy and Confidentiality.
MS. BUENNING: Denise Buenning, CMS, Office of E-Health Standards and Services, lead staff to the Subcommittee on Standards and Security.
MS. WILLIAMSON: Michelle Williamson, National Center for Health Statistics, CDC.
MS. VIOLA: Allison Viola(?), American Health Information Management Association.
DR. COHN: OK. Well, I want to welcome those in person.
Now, we want to sort of test out -- We understand that there are, hopefully, some other members who have been calling in.
Is Don Steinwachs or Paul Tang there?
DR. STEINWACHS: This is Don Steinwachs, Johns Hopkins University, member of the committee. No conflicts.
MS. MC CALL: This is Carol McCall, member of the committee. No known conflicts.
DR. COHN: Welcome.
DR. TANG: And Paul Tang, Palo Alto Medical Foundation, member of the committee. No conflicts.
DR. COHN: OK. Well, I want to thank you for joining us on the phone. Obviously want to especially welcome the intrepid souls who came all the way to Washington for this sort of snowy, wintery mix, which we’ll reflect on a little later.
But, obviously, we want to thank you for being on the phone, and we’ll do our best to, as always, speak clearly and into the microphone, which we want to remind everyone, both current members and new members, because these microphones are a little tricky, and certainly pipe up on the phone if you can’t hear us.
Now, before we move into the agenda review, I want to make a couple of opening comments, and then we’ll move to the agenda review and then do the department review.
Since our last meeting in November, our work continues at a speedy fast pace. This reflects the increasing importance and the federal intention being placed on health information technology and the role, of course, that it can play to improve the quality and reduce the cost of health care, as well as, hopefully, improve the health of all Americans.
Within HHS, Secretary Leavitt continues to consider promotion of interoperable HIT one of his key priorities, and his leadership on this issue I think we all recognize as being phenomenal.
And, of course, in all of this, the NCVHS continues to play an important role directly advising the Secretary and the department, as well as providing expertise and liaisons to other HHS initiatives, moving the vision of the NHII forward, including, of course, the AHIC workgroups.
I want to thank those of you who are actually liaison members.
This, of course, is against the backdrop of significant congressional activity this past year, and we should expect to see continued interest in the current session.
As many of you remember, we testified before the House Ways and Means Committee on HIPAA and health information technology last year.
Mark Rothstein, I think -- since our last meeting -- actually had the opportunity to testify also on HIT issues, though as a private citizen, and we should certainly be expecting continued interest in our work and thoughts as we move into this year.
Now, the NCVHS activities since November have included an opportunity to actually formally brief Secretary Leavitt and ONC on our work to define a minimum, but inclusive, set of functional requirements for the initial definition of a nationwide health-information network.
This work has been very well received both within HHS and by the industry, and we anticipate additional opportunities for such ad hoc activities as this year proceeds.
Privacy and confidentiality, as I commented, continues to move forward at what I describe as an augmented pace.
They produced the excellent report in June on privacy and NHIN. I see this document now being used in the wider health-care community as a primer, an important resource document as groups begin to deal with the issues of privacy as we move forward with extended use of RIOS(?) and the nationwide health information network.
There have been two hearings by the Privacy Subcommittee, since our November full-committee meeting, and I know Mark Rothstein will be briefing the committee later on today on issues in preparation for a letter coming out in June.
Populations had a hearing this past fall on data linkages, and assuming weather permits, we’ll have a hearing tomorrow afternoon on surge capacity, following a full committee meeting.
Quality Workgroup has been active and is forging a strong relationship with AHRQ on a variety of performance measurement and longer-term issues.
The Subcommittee on Standards and Security has been very active this year, and since our last meeting has held hearings on national provider identifier implementation issues, as well as HIPAA next steps, and we’ll be bringing a letter forward later on today on NPI implementation.
In a word -- in a phrase, there is obviously a lot going on, and this will obviously continue through the year.
DR. COHN: Let’s now move into the agenda review.
This morning, we begin with a department update. Jim Scanlon, our Executive Director, will lead off with the department perspective, followed by Karen Trudel of CMS, and, then, Sue McAndrew or do I have that wrong? That’s OK. Sue McAndrew of OCR.
Then we are pleased, I think weather permitting, to have John Loonsk -- he is the Director for the Office of the National Coordinator -- to give us an update on the work of ONC.
Following the morning break, we move in discussions of the letter on the national provider identifier.
As you know, the NCVHS has statutory responsibility to advise HHS and CMS on HIPAA implementation of which the NPI is an important piece.
After lunch, we will have discussions on privacy and confidentiality in preparation for the letter, as I commented.
Then, I think we are going to be having an opportunity to discuss the HIPAA annual report. Now, as I say that, I am looking at Jim Scanlon, hopefully, that we will have something, but we will discuss that.
Now, finally, we are hoping to have an opportunity -- I know Don is on the phone -- to discuss, I think, some issues coming out of the populations subcommittee, again, an issues paper with the idea -- and I think Bill Scanlon will help lead this conversation since he’ll be here -- in preparation, hopefully, for a letter in June, but I think the committee -- the subcommittee wants to get the views of the full committee as they begin to develop recommendations and a paper.
Now, at about 3:30 p.m., we will adjourn the full committee and break into sessions for populations as well as standards and security.
At this point, I think we are also intending to have a 5:00 p.m. to 6:00 p.m. meeting of the workgroup on the national health information infrastructure.
Dinner, I think, as we commented -- in your information is at 7:00 p.m.
Now, let me make a couple of comments, given the weather conditions outside, and I think most of you -- and those of you on the phone just be aware that we are dealing with what is described as a wintery mix of weather in Washington, D.C., which is -- best I can tell, means the likelihood of hazardous weather conditions are likely on the rise as the day progresses.
I would certainly encourage the committee -- knowing that tonight may be icy, there may be road closures, we aren’t clear whether the government will start up promptly tomorrow morning -- that any action items we should pay particular attention to trying to deal with today while we are here, while we are all together, and I would just sort of emphasize that.
The other piece is is that we do have a committee dinner tonight. Marjorie and I were talking, and, whereas, I think we want to invite members of the committee, especially those from out of town, we are going to encourage staff to make it home while you still can, and so I think there will likely be a --
DR. VIGILANTE: That is rather ominous, while you still can.
DR. COHN: Well, Kevin, you live here. I mean, maybe you would like to comment about this in a different --
DR. VIGILANTE: No, no. I think we live in a world or weather wimps here.
DR. COHN: Yes, exactly. Well --
DR. VIGILANTE: We have an eighth-of-an-inch of snow.
MS. GREENBERG: I grew up in North Dakota. Snow does not bother me, but ice does. Ice does --
DR. COHN: OK. Well, I think everyone is effectively agreeing with me in their own words.
DR. VIGILANTE(?): I agree.
DR. COHN: OK. And, Marjorie, I guess I would ask how do you want to ascertain the numbers for dinner?
MS. GREENBERG: I guess if we could just have a show of hands. I mean, for those of you who don’t know the area, the restaurant is not that far from here, and I don’t see any reason --
DR. COHN: Centrally located, yes.
MS. GREENBERG: -- why people who are staying in the hotel downtown can’t proceed with your plans, but I think it might be wiser for some of the staff maybe to get home before it gets too late and too icy, or local people.
But, anyway, so how many people would plan to be going to the dinner?
OK. Eleven, is that it? Twelve? Yes. OK. So I don’t know if we are expecting Janine or somebody will call the -- So 12, and I am sure -- I would think with the weather being as iffy as it is that they’ll understand if there’s a little change, but we were supposed to give them a number by ten o’clock.
And speaking of socials, there are pictures here from the barbeque in September, if you haven’t seen them or if you weren’t there and want to look at them. Yes, you want to feel like you were --
DR. COHN: Well, OK.
MS. GREENBERG: -- encourage me to --
DR. COHN: Well, we’ll deal with that during breaks.
Agenda Item: Update from the Department
DR. COHN: With that, why don’t we move into the department review, and, Jim, why don’t you -- if you would please lead off.
MR. SCANLON: Thank you, Simon, and good morning, everyone.
I guess we last met in November. So this is our first full meeting of the new year, and I thought what I would do is probably look ahead a little bit.
I am going to talk about the budget that the President sent up on February 5th and some of the health IT and data policy initiatives there, and a sort of a look ahead on the legislative front as well, and then there’s some specific projects that I wanted to update the committee on.
But, first of all, on the legislative front -- and I preface this by saying no one makes a living trying to forecast what Congress is going to do -- but, at any rate, there were a number of health IT bills introduced in the 109th Congress, the last Congress. Some of them involved this committee.
There were some new tasks for this committee. There were some broader health IT bills that would create grant programs and all sorts of things to promote or accelerate interoperable health IT.
And, then, there were some other bills that were directed at pretty much the federal health plans in the work forces, and they were, more or less, trying to stimulate personal health records and so on for federal health plans and so on.
And I don’t believe that there have been any bills introduced, so far, in the 110th Congress, but I think everyone -- the best intelligence is that there will be continued interest, even renewed and expanded interests in health IT in the coming year, and it will probably follow some of the bills that were introduced last year and possibly some additional issues as well.
There’ll probably be a fair amount of interest in privacy as well. Simon mentioned that Mark testified on his own behalf before a hearing in the House that was following up -- in the Senate, I’m sorry -- that was following up on a GAO report on how is the department and others -- how are we coordinating all of the privacy issues associated with the national health information network.
So we don’t have any specifics. We’ll be monitoring the situation closely, but I think we can probably look for great interest in the coming days on the Hill on health IT legislation.
On the budget side, the President’s budget for fiscal year 2008 was sent to Congress on February 5th, and it continues to support a number of health IT investments that this committee was involved in and is very supportive of, and let me update you on that.
In terms of the total budget -- this is not health IT -- the total budget for HHS is almost $700 billion. Now, that includes -- that would probably make us larger than Fortune 1, than the largest Fortune company, I think, but, at any rate, much of that is entitlements -- Medicare, Medicaid, TANIF and so on.
The discretionary part of that budget is about $68 billion. That includes funding for NIH and for CDC and FDA and so on -- and AHRQ and so on.
On the health IT side, the funding is actually continuing at levels we have seen in the past.
The budget for the office of the national coordinator -- and John will update you on this more when he gets here -- is $118 million, which is actually quite a bit more than their fiscal year ‘06 and ‘07 budget, and I’ll tell you a little bit more about what is in there, but they are continuing basically current efforts, and there would be an effort to transform the AHIC apparatus into a public/private partnership. I forget what the name being considered is. I think it is Health Care Improvement Partnership, Partnership for Health and Health Care Improvement.
But, at any rate, the idea would be-- As the Secretary has said a number of times to the AHIC itself, the idea would be to begin to transform the AHIC, which is now a federal advisory committee, to a public/private partnership, where it would have -- in essence, be able to carry out its work in that vein.
And, then, in the ONC budget, which John will tell you, there are a couple of other initiatives.
One of the initiatives that I think we are very pleased with -- and I know the committee is as well -- there will now be in the ONC budget -- we kind of placed it there -- $5 million to establish a fund within HHS for health data standards, development for mapping, for interagency standards development, assessment and mapping work.
You’ll remember that previously, this fund -- thanks to the good graces of AHRQ -- was placed in AHRQ for a three-year period, I think, Mike, and then -- but we agreed that we wouldn’t ask to absorb this any -- I mean, beyond ‘06.
So the department and OMB and everyone agree that this was a good investment. So hopefully, now -- That is $5 million. It is about the level we had in ‘06, I think.
So this will support much of the -- this supported the work on RX Norm, on Daily Med, on the mapping of the various terminology sets to each other, and we hope we’ll be able to move forward on that as well.
There was also a -- I think I talked to the group previously about the Secretary’s top 10 priorities, and I think we discussed those previously.
One of those is this concept of personalized health care, and the idea here was to bring the fruits of research and technology in health care to -- and prevention -- including pharmaco genomics and so on -- to everyday health care in the U.S., and the Secretary refers to this as personalized health care, and a big part of this will involve genomics and so on. There is some work underway here already. The AHIC has established a working group, but, for the budget, there is a $15 million initiative in the AHRQ budget that will support efforts along these lines, and a fair amount of that budget will be used for -- if I can describe -- it would undertake pioneering work into utilization of health IT for linking clinical care with research and available genomic data to accelerate clinical breakthroughs and integrate them into the everyday health care setting. So that should be an exciting and an interesting development as well.
On the population health side and population health data, most of our major HHS statistical systems and public health data systems are being funded pretty much at the level -- previous year’s level, though there is an increase in the National Center for Health Statistics of about $900,000 for a new home and hospice survey, which I think has been in the works for a while.
Otherwise, I think for most of our major surveys and data systems, I think we are continuing them at current levels, which is actually quite an accomplishment, given the pressure on domestic discretionary spending these days.
Agenda Item: Data Council
MR. SCANLON: As I said, within HHS, our Data Council is looking at how our data and statistical systems can support the Secretary’s top 10 priorities, which we discussed previously, and, in February -- I think later this week -- the Data Council will be looking at how the department can improve access and the utility of our data and statistical and analytical products, especially for policy research and program utility, and, at the meeting in February, we will be looking specifically at our various research data centers.
We have at least three research data centers in HHS, and we have other agencies who have parts of research data centers. This is in addition to public-use data files and reports and tables that the agencies produce.
The research data centers are designed to provide access to micro-level data under very protected and selected circumstances. So you can protect privacy and still allow researchers and public health workers and others to be able to analyze the data. No one walks away with any identifiable data, but you do walk away with your analysis. So you sort of achieve both purposes.
So we’ll be looking at that, and we may -- depending on what the populations subcommittee sort of sets forward in terms of recommendations and our discussion at the Data Council on Wednesday, we may decide to take some further work in that area.
That probably is the way, given the technology for -- just as we move forward on confidentiality in data, it seems that the technology moves ahead as well on the side of threats to privacy and confidentiality as well.
So there have always been -- there’s always been attention to this issue in research and statistics, and, now, we are looking ahead to the form that will take in the future.
One other thing, two other projects I think I have talked a little bit to the committee about before. We have started a project with NCHS and other statistical programs within HHS on the potential of using -- this is, again, future looking -- electronic health record data and so on for a health survey and statistical purposes.
And, again, we’ll -- I think I briefed the committee as well on this. We have started a study -- we are well along now -- looking at the quality, the comparability and utility of the income data and asset data that is collected in our major surveys. This is usually one of the major policy variables in our surveys. Most federal programs and other policy research looks at that variable as one of the dimensions, and we are well along and we are looking at about a dozen of the major federal surveys and how they collect income data, how is it comparable, what does it benchmark to and how good is it, and how could it be made more useful.
MR. BLAIR: -- income data. You are talking about the income of the patient or consumer?
MR. SCANLON: The household, yes. The household. Yes, these are household surveys, for the most part, yes.
And let me to stop there.
DR. COHN: Any questions for Jim? Mike.
DR. FITZMAURICE: Jim, do you want to mention where those three data centers are located?
MR. SCANLON: Oh, sure, sure. Three data centers in HHS. Research data centers. These are not the regular IT processing data centers.
One is at the Agency for Health Care Research and Quality, Mike’s agency. Second one is at the Center for Medicare, Medicaid Services, and a third is at the National Center for Health Statistics at CDC.
And we have a couple of other agencies that -- they don’t have full-blown research data centers, but they do have Web sites and other analytic services on the Web, for example, where you can generate your own tables. So we are going to talk about those as well, and we might be looking at how can we sort of tie these all together in a way for the department.
I might say that it is not easy to use these data centers, necessarily. Sometimes, you have to be there physically. Other times, it is a complicated sort of situation. So --
Census Bureau has one as well.
MR. BLAIR: I am not sure if you could clarify things in more detail in this area, but I think that you mentioned that for the National Library of Medicine there was $5 million allocated, and you mentioned referencing covering continuing work on RX Norm, and do you know, at this point, that -- If there is going to be continuing work on the mapping to UMLS(?) and continuing work with SNO Med(?) in concept-oriented data, it might need more. Is there a different pot of money for the mapping work or is that all within the $5 million?
MR. SCANLON: First of all, this is fiscal year ‘08. So this is more of a request than an actuality, but the idea is to -- and the $5 million would be placed in ONC, but, presumably, when ‘08 rolls around, if we get this funding, some of it would support -- wherever we are with the mapping, Jeff, at that point, and RX Norm and Daily Med.
MR. BLAIR: But all of those topics are considered to be within the $5 million.
MR. SCANLON: Well, we’ll see what the research plan would be, but, yes, yes. There are supplementary funding -- really what agencies can find on their own -- and NLM, certainly -- I won’t speak for Betsy, but NLM usually supports some of this funding anyway, even aside from this.
MS. GREENBERG: Jim, I might mention, particularly for the benefit of the new members, that one of the letters that was sent to the Secretary from this committee in November specifically encouraged that this type of funding be -- continue to be devoted to or dedicated to this type of standards work. So that is very positive.
MR. SCANLON: It worked very well in previous years. Again, we had an AHRQ ASPI fund, and even OMB liked it, and they always say no. So it must be doing something right.
DR. SCANLON: This is both a comment and a question, and it is in the context of the populations subcommittee thinking about the data needs for the 21st Century; and, Jim, I think you did a very nice job of describing the glass as half full, saying the surveys are going to be continued at current levels.
And I guess it is -- I think it is important to bring up that these current levels are not levels that we were used to, if I understand that right, that we have actually had to make some sacrifices in terms of what we are collecting.
And, then, I think, in terms of the subcommittee’s work for the future, that there is probably the reality that we really need to be collecting a lot more information, that it is really, in some respects, an investment to try and -- If we want to sort of be able to, from a public policy perspective, manage our health care system better, we need to know a lot more about how it operates, and that the need for that kind of information is going to become more and more important as we move forward.
But am I right that we are not necessarily at levels that we used to be in terms of --
MR. SCANLON: Well, I think it is -- I was talking about the ‘08 budget. We’ll be looking at -- ‘07, I should mention, for the current fiscal year, we are -- and most federal agencies are on a -- the continuing resolution, which is -- really, we are sort of straight lined at the levels of last year or some other level, and the chances are we will have a resolution like that for the rest of the year.
I think it is fair to say, though, that the needs for data are -- always exceed -- the demand for data and the needs for data always exceed the resources available and it is always a prioritization issue, and, yet, I think, folks, when the President proposed this health access tax breaks and so on for health insurance coverage, much of the analysis there was based on data from HHS surveys, from the MEPS and from other surveys. So it takes a fairly big investment to have that available, whether you use it or not, and that is kind of -- So, in a way, it is not visible ‘til you call on it, and if you haven’t made the investment already, it is too late.
So I think we really do -- To be honest, I do think we need to rethink some of the surveys in terms of -- I don’t think we are going to get a lot more money. That is just not going to happen. So I think everyone has to become prudent planners and analysts and get the best out of our surveys.
DR. STEUERLE: Just one comment and then a question.
The comment is I think when you say straight line, I think you are talking about nominal dollars, right? So --
MR. SCANLON: Yes.
DR. STEUERLE: So in real dollars, it is going down with inflation, which using three percent or four percent inflation every year that’s a real cut of about three or four percent per year. Compounded, it really starts adding up.
I hope, Jim -- and I am sure you will -- that you’ll help us think out, in terms of when we do things like our workshop on data linkages, you know, there were a number of suggestions that came through there. There is always this question of how do we integrate it in in a broader budgetary context. I certainly hope you’ll help us think about how we can be most useful to that process.
My question is a little more specific on when you talk about continuing existing surveys, there’s a number of surveys, for instance, where there are a lot of improvements could be made if we could figure out ways to integrate them with other data sets, which was part of our workshop, or where we would like something more like a better time series data or we’d like to link with wealth data.
HRS -- Health and Retirement Survey is one of the few that really does a good job, I think, on the income and wealth side, but then you only get a certain subpopulation.
So when you say continue existing surveys, does that pretty much confine them to their existing status, so Health and Retirement Survey only does 51- to 61-year-olds and you can’t link up additional years or is there flexibility within these budgets --
MR. SCANLON: Well, yes, I think -- All I was referring to was the dollar level. We always have -- and I think that is why I guess rethinking is probably not the best.
Statistical agencies tend to be fairly conservative, for a good reason. You are protecting time series, and I think we have to be a little more nimble and sort of open up things analytically. I think that is sort of what you are talking about, and even structurally for some of the surveys, and I think that is -- I don’t think the levels of funding will be much more than they are, but -- except NCHS will be getting funding for this Home and Hospice Survey, which is actually a new -- Well, I think it was done previously, but it will be done again.
So I think it is -- Certainly, Gene, I think making better use and analytic use and even design of the surveys, I think that is always open.
DR. STEUERLE: Just a related question. The President recently proposed two very major health initiatives, one of them on which I have worked, and I know your office worked was this limitation on tax --
MR. SCANLON: On tax --
DR. STEUERLE: -- exclusion.
MR. SCANLON: Yes.
DR. STEUERLE: And Treasury, as well as HHS, I am sure, worked long and hard on trying to make estimates, and, as you know, based on very, very weak data in terms of integration of what actually health insurance costs per employee projected out to the future so on and so forth.
I mean, I wonder if there is also not a play here in terms of just pushing a little bit for more research where we know there are policy initiatives or there have been policy initiatives, where we can admit a little more readily the weakness of what we had to rely on to make --
MR. SCANLON: Well, we always use secretarial and presidential initiatives as a horse to ride for more funding.
DR. STEUERLE: We are making --
DR. COHN: OK. Garland, and then we’ll move on, hopefully, to the next presentation.
MR. LAND: I know we are interested in the national surveys, but I want to make sure that we --
DR. COHN: Garland, you need to get closer.
MR. LAND: I want to make sure that we understand what I think is a real crisis coming up in terms of the vital statistics system.
With the level of funding for ‘07, and now the level funding for ‘08, the national center is faced with some very difficult decisions of what to do, because there is not sufficient money to purchase 12 months of data, and they are looking at some scenarios I don’t think anybody would favor, possibly only having seven months -- collecting seven months of data in ‘07 -- that would be birth and death data -- possibility in ‘08, if they fund ‘07 calendar-year data with ‘08 monies, then they will not be able to purchase 12 months or any data for ‘08 for mortality data, and other scenarios are just as drastic.
So we really are facing a serious crisis for the -- if we think that having birth and death data for the nation is important, which I think most of us would agree, that the money isn’t there right now, and they are really struggling with what to do about that situation.
DR. COHN: I think Jim is nodding his head.
MR. SCANLON: Yes. Well, I think Ed -- I think we have to have Ed come back and report periodically.
I have to say we have not -- The current year is ‘07, and I think we -- Since the funding available is not clear yet, though looks pretty clear, we haven’t really looked at where would we be in ‘07, but I think you are right. I think the vital-statistic system has always been -- it is little recognized for its importance. It is the foundation for all the other health statistics and there is always difficulty in funding. In fact, we ended up eliminating two components of it in the past. So --
DR. COHN: And given that we have had a couple of questions, now, as we move on to Karen, I do want to just observe that, obviously, this is an area where there have been a number of issues brought up by members of the populations subcommittee.
This may actually be something that you may want to work into a letter, hold hearings on or otherwise, if you feel that this is something that should be -- I mean, it is one thing to talk about it. It is another thing to send a letter raising the issues.
OK. Listen, thank you, Jim.
Agenda Item: Health Insurance Portability and Accountability Act of 1996
DR. COHN: And our next presenter is Karen Trudel, and, Karen, thank you.
And this time, obviously, we are having sort of a change of pace in terms of the presentations, because, rather than just a general HIPAA update, we are actually going to be looking more to a specific area that I think Karen wanted to bring to our attention. So, Karen.
MS. TRUDEL: Right. Thank you.
I am going to concentrate on a guidance document that CMS published recently that provides specific guidance for applying the HIPAA security rule to situations of remote access and remote use of electronic protected health information.
This is something of a landmark in that this is the first time since the security rule was published that we have issued formal guidance on this document.
Previously, we had provided -- we have published educational materials.
This is the first official guidance document. It was released on December 28th of last year, and I would highlight the fact that it does not change the security rule. It simply examines the backdrop of the security rule and how it specifically applies in cases of use of data remotely and remote access.
I probably didn’t need to provide this slide: Why a new guidance? Obviously, there has been enormous change in the technology. Mobile devices, BlackBerrys, the storage media have become smaller and smaller and more and more portable; and, of course, I think everyone is aware of recent security incidents having to do with either thefts of laptops with EPHI on them, thefts of media containing EPHI that were taken off a campus, reports of access by unauthorized users, problems with inappropriate destruction of EPHI that allows it to be utilized, and the original security rule was intentionally broad. So the need to bring some of these broad concepts home and distill them to a remote access scenario was pretty considerable.
In terms of what has affected the list on this slide is just the tip of the iceberg -- laptops, home PCs, PDAs, PCs in libraries and hotels and other public places, wireless access points, flash drives, smart cards. All of these things are anticipated in this guidance.
One of the Guiding Principles that we wanted to bring to people’s attention was that there is a real need to be deliberate about remote use of electronic PHI. In other words, when EPHI leaves one’s premises, there ought to be a good solid business reason for doing it, not simply because you were taking a laptop off site and it happened to have a lot of data on it.
So that is one of the things that we are trying to stress here, and that the release requires risk analysis, policy and procedures and risk mitigation strategies, just as any other security procedure or process.
Here are some example business cases for remote use of EPHI: A home health nurse updating electronic records during a patient visit; physicians reviewing refill requests at home for e-prescribing; for continuity of operations, EPHI being maintained in an off-site data center for disaster recovery.
All of these things are appropriate uses of EPHI remotely, and there are a host of others that we haven’t specified here.
Again, this is the backdrop against which we are looking at these remote-access factors, and that is risk analysis.
There is a requirement in the security rule to analyze risks and mitigation factors, and, in general, to look at size, complexity and capabilities of the entity, the technical infrastructure, the security measures and the probability and criticality of potential risks.
In terms of policy development we are talking about the normal training, compliance workforce awareness, and our guidance specifically talks about three areas: Access, storage and transmission of EPHI.
Some examples of the data access strategy and the guidance document itself presents these in matrix form, talk about things like lost passwords, unattended workstations, failure to log off public machines. We have had an incident recently with someone using a hotel computer and data being inadvertently retained.
Some of the things that we need to address are stronger authentication, clearance and training, but, specifically, again, limiting access to EPHI to users with specific requirements and authorizations, session termination. These things seem very simple and almost no brainers, but we did not get to this level of detail in the security rule, and we felt that we needed to go to this level to bring this awareness to covered entities and make sure that, as they consider their risk analysis and their mitigation strategies ongoing that they take some of these specific considerations into consideration.
Data storage strategies. Some of the risks are EPHI on lost or stolen portable devices, unauthorized use of EPHI after faulty device disposal, loss of data, viruses via portable storage.
And some of the mitigation strategies that could be useful would be procedures to track devices in location; encryption of EPHI, so that even if the file is lost it can’t be accessed; appropriate deletion and disposal procedures for media; and appropriate security policies for PDAs, smart phones, BlackBerrys, et cetera.
MR. BLAIR(?): Is this a presentation we’ll have a copy of?
MS. TRUDEL: Yes, you have. Yes.
In terms of data transmission strategies, clearly, the main risk is data being intercepted or modified during transmission and we do make a stronger point about encryption and use of open networks in this guidance than we did in the original security rule. We do talk about where it is practical and appropriate prohibiting transmission of EPHI via open networks, using secure connections for email, mandatory encryption for Web systems, et cetera.
Our next steps will be to obtain additional industry input. In the guidance device itself, we provided a feedback mechanism.
We intend to develop a proposed rule that will include at least the information that is in the security guidance, and that is specifically for the purpose of assuring that the guidance, once it is part of a rule, will take on the same strength, in terms of enforcement action, as the existing security rules themselves.
However, we are not limiting ourselves necessarily to simply codifying what is in the guidance document, and we do want to use some opportunities over the next four to six months to get some industry input. We have reached out to the Workgroup for Electronic Data Interchange, and we have talked to the NCVHS Committee on Standards and Security, and, in part of their May hearing, there will be some discussions about security, and, hopefully, not just related to this guidance document, but any other issues related to the HIPAA security rule that are felt to require either additional clarification or new specificity.
That is my presentation, and I’d be glad to take any questions.
DR. COHN: OK. I just want to start out, Karen, by thanking you for obviously bringing this up to everyone’s attention.
I know when I saw the guidance document -- and I think most of the industry considered these documents effectively being the same as a rule -- but I think it makes sense to, obviously, bring it forward in the way you have, and, obviously, I am very pleased that Standards and Security will be reviewing this.
I am also, obviously, expecting John Houston, hopefully, to join in those hearings, since you are a security expert.
Now, with that, Harry, John Houston, and, then, Jeff, and, then, Mike.
MR. REYNOLDS: Yes, Karen, I would like to commend you for doing this, all of you at CMS, because I think, as these regulations have come out, business people trying to grasp -- and there’s a difference between people that really are down in the bowels of security or down in the bowels of understanding these things may read the regulations and understand them.
But I like the terms that are used here, because it raises it more to where pretty much any business person in a company -- executive level down -- should be able to read this and get it, and I think that’s the one task that we all have as we pass these new things is trying to help people understand how to live by them in a context of their words, not a context of the words and acronyms that we love to use as we are reviewing something.
So I think this goes a long way, and we look forward to spending more time with you on it in the hearings.
But I think this really goes a long way to start having the dialogue at the business level, rather than just at a detailed standard or a detailed acronym and really puts people, you know, to some kind of sense that executives can start making the right decisions to help their companies, rather than just leave it to somebody else to try to understand what the heck is happening to them.
So thank you for the --
MS. TRUDEL: Thanks. That was our intent.
MR. HOUSTON: I think overall this guidance is very valuable. The one thing, though, after reading it, that I sort of --
DR. COHN: John, you get a little closer?
MR. HOUSTON: OK. I thought the document, overall, was really valuable. The one thing, though, after I read it, I thought to myself, You know, a lot of what is being described here is probably things that apply not just to remote use of EPHI, but, frankly, is probably applicable within the four walls of a hospital or any other covered entity, and some of them are not, but, in large measure, they are, and I think there are some things that -- some awareness that needs to be raised within industry, and I’ll give you a good example of that in one of the things that we are doing where I am at.
We are in the process of encrypting all devices on our network, because of the fact that devices get stolen, they get taken out of use. Sometimes, they are disposed of appropriately, but, sometimes, you’ve got to -- you have to use a lot of diligence to make sure that when something comes out of production that somebody is actually going through and wiping the hard drive, and I know that sounds obvious, but the practical reality is is in a lot of cases, you hear stories of people not doing that.
So I guess my point in all of this is that it almost doesn’t go far enough. I think there’s this heightened awareness to remote access, but it is -- I think a lot of the risks are -- and a lot of the things that you are describing here are things that really do have broad applicability, and I think they are things that frankly need to get a little bit of play in the industry.
And, again, I use the idea of encrypting hard drives on desk-top devices as an example. It doesn’t cost very much. It doesn’t affect performance very much, but if that device is stolen or it is taken out of production and then not disposed of appropriately, because the device isn’t encrypted, the net effect is that data can be inappropriately accessed.
So I almost want to take this a little bit further and say there’s other guidance I’d want to do that really is related and it doesn’t take much effort, I think, to extend it to that, but I think it would be really valuable in the industry.
MS. TRUDEL: Thanks.
MR. BLAIR: Karen, this is timely and appreciated, and I just wanted to -- I didn’t hear you, maybe it is on the paper. Are you receiving input from the privacy and security specifically authentication authorization issues that might be impediments to health information exchange from the prime contractor, RTI, on the privacy and security project, otherwise called the HISPIC(?) Project?
MS. TRUDEL: No, we have not had a dialogue with them at this point. I think they definitely do need to be part of the dialogue when we begin to talk about what would be in a subsequent regulation.
MR. BLAIR: OK. Because that project has already gone through stages of identifying a lot of these issues, and this is the same issues, and then coming up with solutions in January, and, now, we are coming up with implementation plans, and they won’t be finalized like until late March or early April.
The information is already there on the issues and the suggested solutions, and I think it would be unfortunate if you don’t get those until the April-May time frame, because that information really is available now from RTI, and it seems like it directly correlates to what you are doing, but I don’t know if you look at health information exchange networks as a different context. I look on it as an extension of at least what I was hearing you saying, and I think it is really relevant, because they are impediments to us moving forward with RIOS and the NHIN.
So, in short, I think that information you should be able to get from RTI. I don’t know what we need to do to -- I could encourage -- They are going to have a national meeting, actually, on March 4th and 5th here in Washington, where they are going to be reviewing a lot of the findings, as we are getting close to finishing off, and I think, at that point, a lot of that information ought to get communicated to your group.
MS. TRUDEL: We can touch base with the Office of the National Coordinator on that.
Thank you.
DR. FITZMAURICE: I want to join in the accolades to you and to CMS also on the guidance, Karen. While not having the force of regulation, it does show the current thinking of CMS on these issues, and it is kind of a brush of good win(?) to come out and tell everybody what CMS is thinking.
So I have a question. Will this guidance help the Medicare program speed up the access by Medicare beneficiaries to information about their claims, eligibility, deductible levels and year-to-date payments when accessed over the Internet?
And, then, secondly, will it help Medicare programs speed up the electronic submission of claims by providers via the Internet? Will this help form a basis for that?
MS. TRUDEL: As far as the first issue is concerned, I think that we are already well on our way with our beneficiary portal under MyMedicare.gov to providing that kind of access already, and we are using standard security procedures to accomplish that, and we are finding that it is being well received by beneficiaries. They get not only information about eligibility, they can look at claim status. They get information on immunizations or other preventive procedures that are appropriate for them, and I think that program has been well underway.
We are working on some fairly long-term PHR-type pilots that I don’t think this implicates right now, but certainly will later.
In terms of the access to Internet claims, I think this policy will inform how that occurs, but putting the infrastructure in place to do that, for us, is a significant issue, and so I don’t think this will accelerate that process at all.
DR. FITZMAURICE: Thank you, Karen.
DR. STEUERLE: I, too, am impressed by your taking charge and charging -- the law requiring it. I really like providing the guidance here and in other areas.
I just have one comment, and I have made it before with respect to HIPAA in general when we analyze risk, and that is that there are obviously two types of risk. Statisticians often call them Type 1 and Type 2 risk.
The analogy here is there is the risk, of course, that we do something and it violates somebody’s privacy, but the other risk is impose a regulation or a standard or a guidance that actually increases the risk that something useful in health care might not be done.
And I would just -- This is just a suggestion. I would suggest that any report, you always sort of list both types of risk and then basically say this is, on balance, where you came out.
I mean, here, I see no objection to what you have done here, but I always worry when we focus on the one type of risk, because I think it always leads towards lack of concern, and although I don’t see it here, in other areas where we have talked about HIPAA, I have seen where I sense that HIPAA has prevented certain information from being passed on, and, therefore, has introduced new risk to the population, and I just think it is always worth listing them both in almost any HIPAA-related report.
MS. TRUDEL: I absolutely agree that while we have specified that here, our take on security is also always trying to balance those two things, and part of the reason that we have maintained flexibility in here and not required everyone to do everything the same way is to maintain some of that flexibility, so that the other risk that you were referencing doesn’t occur, but it is probably better to be explicit about it, I agree.
DR. STEUERLE: But it also allows if somebody wants to comment back, they feel that that is an appropriate area to give you comments back as well, not that -- they probably wouldn’t anyway.
MS. TRUDEL: Right.
DR. STEUERLE: But --
MS. TRUDEL: Thank you.
DR. COHN: Well, Karen, thank you very much, and, obviously, thank you for raising it to everyone’s attention, and, obviously, we’ll be working with you and CMS to, hopefully, help move forward revisions to the security rule, and thank you.
Agenda Item: Privacy Rule Compliance Update
DR. COHN: Susan McAndrew, thank you for joining us.
MS. MC ANDREW: Thank you for having me.
I will try to keep my remarks short, and there was some strange press after my last appearance here, where some of the information seemed to have been translated in the press as being received with shock and awe, and I will try to low-key that. I mean, there’s really not much shock and awe coming out of here right now.
The complaint activity related to privacy continues apace. Through the end of January, we have received just slightly over 25,000 complaints. A little less than a quarter of those cases are still open.
We continue to develop more data related to the types of cases that we are closing, and approximately a third of all closures are the result of investigated cases. So that means about two-thirds of the cases that we receive and close are done for reasons that the case is beyond our jurisdiction or doesn’t really raise a facial(?) violation of the privacy rule.
Of the cases that we do investigate, we have taken and achieved corrective action in two-thirds of those cases. So since the beginning of our compliance program, we have actually achieved corrective action in over 4,000 cases, and we got corrective action in 1,500 cases in last calendar year alone.
So I think both the volume of cases in which we are getting corrective action continues to increase, and the percentage of those cases in which we are achieving corrective action also is increasing.
MR. HOUSTON: Excuse me. Can I --
MS. MC ANDREW: Um-hum.
MR. HOUSTON: Corrective action as being equivalent to voluntary compliance or -- I mean, that seems to be a new term.
MS. MC ANDREW: Well, it is -- we are closing the cases because we have achieved informal resolution. The informal resolution is because the covered entity has agreed voluntarily to come into compliance.
The way they achieve that is through providing us with some sort of corrective action. Most of the time, it is a change to their policies and procedures to make sure that whatever the incident was that it doesn’t occur. Where there was an individual involved that, for instance, did not get access, part of that corrective action is ensuring that that individual, as well, is provided the access that is required under the rule, as well as making sure that the procedures are in place, so that others dealing with that entity will get access as required by the rule.
MR. HOUSTON: Thanks.
MS. MC ANDREW: We are continuing, as I mentioned before, to work on both -- to get out a clearer message and more useful information through our Web on the enforcement actions that our office is engaged in.
We are developing a Web page that will be devoted to compliance activities. It is still in the developmental stage, but we are hoping to populate that with statistics as well as success stories and case examples of how corrective action was achieved and what problems have been solved through this kind of voluntary compliance by covered entities.
Eventually, it would also be where we would post any civil monetary penalties or other monetary settlements that are achieved through our compliance activities.
We are, as I say, still in the development stage. So ideas, suggestions are always welcome. If you have any thoughts, just please let me know, and we will see if we can work them into our plans going forward.
I would like to let you know, in addition -- just to update you on some other activities that my office is involved in on a regular basis -- we clearly are very actively involved with ONC and the AHIC on the health IT projects. We participate in the consumer empowerment workgroup, and, recently, at the last AHIC, there were recommendations for specific tasks that my office will be working on with this workgroup, including some mapping of the privacy rule to some scenarios with personal health records.
We also continue to work with the confidentiality, privacy and security workgroup under AHIC, and I expect -- certainly, following the congressional testimony on the intersection of privacy processes and how the network is going forward -- that this workgroup is going to become extremely active.
They made their virgin report to the AHIC on security and identity proofing for patients, and so, now, they have made their maiden voyage and they can -- got their feet wet, and, now, they can -- I think they are prepared to tackle more meatier issues as they go forward.
As I think I mentioned last time, we continue to work with the research communities within the department to try to harmonize the rule structures from HIPAA as well as under FDA and the common rule to make sure that all of those rules are working together and facilitating the research endeavors that are being undertaken.
Two additional areas that have gotten increasingly active, and I expect will remain active the next year probably. The first, again, comes out of the Secretary’s priority for personalized health care, and that is the intersection of privacy and genetic information.
There have been several workgroups that have been formed within the department to take a look at that as well as it is on the agenda of one of the AHIC workgroups now, and we are watching the -- there was a discrimination bill that was, I think, passed the Senate -- passed one of the Houses, I think -- which would prohibit discrimination based on genetic information in insurance and in employment situations. So we are expecting that we will be spending a lot of staff time working out what genetic information is and how to adequately protect it.
The other area that continues to be hot, in terms of activity within the department, and that is disaster and emergency preparedness activities.
So we are -- my office is also helping to staff a number of groups that are emerging within the department to make sure that emergency response is done in a way that respects confidentiality of the information while still enabling this information to be available to ensure treatment in these kinds of chaotic and often disassociated settings.
So we have a lot on our plates, and, this year has been especially challenging, given the continuing resolution and the uncertainty with future funding, and just the increasing demands on resources is always a fun juggle.
But I think all of these initiatives are extremely interesting and challenging, and we are really looking forward to keeping privacy and confidentiality in the forefront of all of these discussions.
DR. COHN: Well, Susan, you are right. I don’t think we have any shock and awe today.
Mark, John, Leslie, and, then, Jeff.
MR. ROTHSTEIN: Thank you.
I have a question and a comment.
The question has to do with the privacy rule/common rule harmonization, which, as you know, is an area that we have been interested in over the years, and we were -- Speaking for myself, I was very pleased to hear at the last -- I guess in November, when you announced that this harmonization process was in the works.
Can you give us any sense of how that is going or whether you are hitting any sort of major snags along the way to do that or whether you are optimistic that something will be done over the next six months or year or -- Can you give us more information?
MS. MC ANDREW: Other than to say that I know the group has been meeting regularly -- I think monthly is the schedule that they are on -- there has not been -- I think there is still a little -- struggling a little bit in terms of setting their agenda. As far as I know, they have not come to us with any solid proposals either for areas of guidance or --
MR. ROTHSTEIN: So when you say they, this is sort of an OHRP/OCR working group, something like that?
MS. MC ANDREW: Yes. There is a committee that is formed and it includes OHRP, FDA, NIH. I think ASPI has representatives on it as well as OCR. So it is a broad -- I am not even sure that there aren’t other research entities -- AHRQ is on it.
So it is really cross cutting. The interests are very disparate, and I know that they are -- I don’t have a precise update where you -- but I can certainly have that for the next meeting of the committee, if you would like that.
MR. ROTHSTEIN: Well, I just -- I am very anxious to see progress made, and it is something that we have heard from in hearings from members of the research community for years, and we have promised them, as a committee, that we would recommend it to the department, and, now, the department has taken our recommendation and/or from other sources is doing that, and I am anxious to have the payoff, basically.
My comment deals with your remarks regarding protecting genetic information, and, although I think that it is very important to do, just as a comment, I would say that it needs to be done in the right way, and I think a lot of what is being done, both in Congress and elsewhere, is maybe not the best way to protect genetic information, and there are many people who feel that by treating genetic information separately and regulating it separately, you further stigmatize genetic information, and, in a sense, make the problem worse, in some respects, and as anyone will quickly find when they are trying to work with this, it is also impossible to define.
And so my comment/suggestion would be that OCR and the department, more generally, not be committed to sort of this genetic exceptionalism model and be flexible in trying to achieve the same goals, but through considering other options besides another sort of separate layer of genetic-specific regulation.
MS. MC ANDREW: I just would want to clarify that, clearly, that is the major area of discussion, and I did not mean to imply, in any of my remarks, that the department has decided on or even supports genetic exceptionalism. That is clearly one of the core issues that all of these debates and these workgroups will be focused on.
MR. ROTHSTEIN: Good.
That concludes my question and comment, Simon. No additional shock and awe.
MR. HOUSTON: I was just about to comment about how I thought it was a really great thing that people were actually thinking about looking at genetics and privacy, and it actually came up in a conversation I had yesterday.
And I think that the time is ripe to understand the issue and to really be proactive in trying to establish the appropriate framework for addressing people’s reasonable concerns about genetic privacy.
I think that, in a few years -- whether it be 10 or 15 years down the road -- I think genetics are going to be so powerful in testing, and the implications, that I think if we don’t get them right now, if we don’t understand fully, then I think we are going to develop systems and things in a way that, if we had to go back and overlay a different level of understanding of genetics, that we are going to be at a real -- we are going to be trying to do a patchwork that is not going to work.
So I applaud you for that, and I think that you can’t start soon enough to work on that particular issue, and I am just glad you are.
DR. FRANCIS: I actually wanted to second Mark’s comment about a bit of skepticism about genetic exceptionalism.
But the question I had was with respect to the complaints. Are you noticing any discernible patterns that it might be useful for -- that is, as types of complaints, kinds of violations that it might be useful for this committee to know about?
MS. MC ANDREW: Actually, there have been a number of discussions with the committee about what trends can and can’t be discerned from the pattern of complaints, and I do believe part of that was a conversation that might be continued following either this meeting or tomorrow’s meeting -- if there is a tomorrow -- but, right now, I would say that we haven’t noticed -- One of the things we have gotten from the compliant data are the most frequent allegations as well as the types of entities against whom these complaints are filed most often, and neither of those categories has changed significantly over time.
So we are not really seeing -- Other than the fact that complaints concerning failure to get notice, your notice of privacy practices has tailed off since the early days, which one would expect, but not really anything unusual or startling has --
DR. COHN: OK. Thank you.
MS. MC ANDREW: You’re welcome.
MR. BLAIR: Susan, about a year ago, you introduced an individual to us -- I don’t remember his name -- who is --
MS. MC ANDREW: That was a hell of an introduction, then --
MR. BLAIR: I apologize.
DR. COHN: I think it was maybe the director of the office of civil --
MS. MC ANDREWS: Oh, Mr. Wilkinson?
MR. BLAIR: The individual was going to have responsibility for directing a program of public education for people -- for consumers and patients -- so that they would have a better understanding of the rights that exist, now, to protect -- you know, for protected health information, and I hadn’t heard anything since then about a public-education program or what has happened with that.
And, now, you can tell me the name of the individual that I apologize that I forget; but what has happened with that program for public education of the privacy rights that do exist under HIPAA regs?
MS. MC ANDREWS: I believe you are probably referring to Patrick Hadley(?), who we brought on about a year-and-a-half ago to be our outreach and public education team lead senior advisor.
As it turns out, as luck would have it, Friday is Patrick’s last day. He --
PARTICIPANT: -- the job done?
PARTICIPANT: His work is done?
MS. MC ANDREW: He has decided to move to Atlanta, and so he is -- He is down there, actually, now, and he will be leaving us as of Friday.
The efforts that he was able to accomplish while he was here included a number of consumer education activities and materials that have been posted on the Web. There have been -- We have a number of fact sheets, and he did help coordinate with the other side of the office, the Office for Civil Rights, on a fact sheet that combined the two sets of rights that the office enforces.
There is still, clearly, much more work to be done in that area, and it is, again, always something that we struggle, in terms of being able to allocate sufficient resources to, both in terms of being able to get out, as well as to develop consumer-oriented materials for the Web site, but we continue to try to move along as fast as we can in that area, but it is -- I do consider it to be a loss that Patrick has decided to put his talents to other uses, and we will miss him.
In the interim, the responsibility for heading up our public education and outreach efforts has been transferred to Linda Sanchez, who I believe some of you may know from her past work. She has a long history with the privacy rule and brings a lot of expertise to this effort. So she will be leading our public education --
MR. BLAIR: She’ll be within the Office of Civil Rights.
MS. MC ANDREW: Yes.
MR. BLAIR: And is there any plans to provide public education beyond posting the rights on a Web site?
MS. MC ANDREW: She and Patrick are tasked with coming up with a proactive outreach plan for ‘07, and when that plan is vetted, we will share that with you.
DR. COHN: Well, Susan, thank you very much.
MS. MC ANDREW: You’re welcome.
DR. COHN: Obviously, we appreciate this.
And we do believe there will be a tomorrow. The government will be open as part of it. We will, obviously, wait an see, but thank you.
Agenda Item: Office of the National Coordinator Update
DR. COHN: Our next presentation is from John Loonsk. John, thank you for joining us.
John is a Director of the Office of the National Coordinator, and his charge focuses on interoperability in standards, and it is a pleasure to see you back again.
DR. LOONSK: Good morning. Thank you, Simon.
DR. COHN: Thank you for joining us.
DR. LOONSK: It is a pleasure to be here. Thank you for having me.
I am going to give an update on several items from the Office of the National Coordinator. There is a lot going on, and I am, by no means, going to talk about everything that is going on, but I will talk about three important things.
One is the recent Secretarial actions regarding interoperability specifications from the Health Information Technology Standards Panel.
Second is the next step use cases from the American Health Information Community.
And, then, the third is an update on where we are with the Nationwide Health Information Network, which I think was one of the principal reasons you had me here today, and, then, hopefully, we can have time for questions.
Recently -- actually, December 2006 -- Secretary Leavitt accepted three HITSP -- Health Information Technology Standards Panel -- interoperability specifications. He accepted these, and, in his letter of acceptance, identified the fact that he intends to recognize them formally in December of 2007. So accepted in December of 2006 with the intent of recognizing them in December of 2007, assuming that there are only minor changes of a technical nature between those two versions.
The intent here is to have a process that roughly parallels the activities on the private sector regarding the certification commission for health information technology and its progress in moving interoperability specifications and standards into certification criteria for electronic health records and, eventually, for networks.
So what we have here is an effort by the government on the federal side to parallel basically a year’s worth of time between the availability of implementation-level guidance and when there can be an expectation for implementation of those guidance, in this case, relative to the Executive Order federal systems and contracts.
So accepted these three interoperability specifications December 2006 with the intent to recognize them in 2007.
At that point, once they are recognized, there are activities that are induced by the Executive Order that suggest that, indeed, upgrades to federal systems and new federal implementations of health information technology systems will need to incorporate those standards into them.
And, as I indicated, this is grossly an attempt to also parallel the process where a certification commission for health information technology has identified as general guidance the desire to have a year’s availability of implementation-level guidance before standards can be expected to show up in certification criteria and then be tested accordingly.
That was an important step in moving forward with a broad health IT agenda the first round of interoperability specifications from the health information technology standards panel put on a course for their involvement in federal and private systems.
Another significant action from the American health information community has been the identification of the next step use cases to move forward into the national agenda, and, if you’ll remember, the use cases are articulations of priority areas that the AHIC has been discussing, priority areas and issues, an effort to the use cases document what some of the needs are in regard to those activities, so that they can then be fed in the broad apparatus of the national agenda and the many different organizations and individuals that are participating in that can work on them and have a shared point of focus for their activities.
Last year, we had consumer empowerment, medication history and registration data. We had EHR use cases around labs. We also had the biosurveillance use case, which focused on the use of clinical-care data to support biosurveillance purposes.
In mid cycle, the community EHR working group of the American health information community identified the need for an emergency responder EHR use case.
That was advanced. We had two rounds of public comment on that, and that was actually publically posted in December of last year. That will form one of the areas of focus for the next-step activities.
Important in this use case are the ability to exchange a summary patient record in emergency situations, as well as issues around provider authentication authorization and credentialing, which were apparent, for example, post-Katrina, where access to patient information was -- while there were some electronic data available, accessing them in the context of emergency care was a challenge.
There are other enabling technologies associated with that use case, but that use case is publicly available, and, among other activities, the health information technology standards panel will be working on this use case in its next cycle.
Similarly, as I will talk about later, these use cases feed into efforts of the nationwide health information network, as well as the certification commission and other discussions as well.
The American health information community identified a new use case to be worked in the area of medication management, and, in this case, the related areas include things such as medication reconciliation, pharmacy and allergy data, monitoring of medication, ordering transmission dispensing.
Essentially, one of the needs that had been advanced to the community, both from the working groups, in terms of priority areas coming forward, and from the certification commission on health information technology, was the fact that, although e-prescribing has standards identified and has regulation associated with it, there are ancillary areas in medication management that also need to be attended to in this very important area for clinical care.
The prominence of medication use and issues in the context of clinical care raised the attention of the community to this activity. The intent is not to duplicate the work of e-prescribing and the regulations that exist in that area, but to, indeed, compliment those activities with appropriate standards and processes and issues discussion in associated areas around medication management, and it is one that received a lot of support at the community level in terms of those discussions.
There is an aspect to this as well around clinical-decision support, and I hesitate to put that on the slide, because, for many, that is evocative of a lot of different things.
I think, in this context, it is meant to suggest some really introductory issues associated with providing information to providers, to clinicians in the context of making medication decisions, and so we shouldn’t think of this as the full-blown vision for clinical-decision support that many people have, but maybe an incremental step forward in that direction.
Another area that the community approved in this next round was consumer access to clinical information, and the community still clearly puts a high premium on the role of the consumer in moving forward with the health information technology infrastructure.
We have positioned this as an extension of the existing consumer empowerment use case, and one of the things that we are attempting to do with these next round of use cases is to try to make sure that they are coordinated among the different working groups.
We have a multitude of different American health information community working groups now. They are coming forward with priorities at a significant clip. Over 120 different priorities and issues were raised in the course of their work over the last few months.
We have attempted to embody as many of those priorities into these different packages as we can in terms of advancing them, though we don’t -- and we readily admit that we can’t necessarily attend to all of them or attend to all of them in complete detail, because there are so many.
Nevertheless, by building on the existing use cases and by trying to put these in rational groupings, we think we can advance a good number of these things in the next round.
The Secretary, during the AHIC meeting, when these decisions were made, made a request that we begin to work up all of these use cases with the intent of having them primed and ready for the next round of activity as soon as that can be.
There are obviously some other activities that have working groups and have general little areas of interest, including personalized health care, which will probably also be on the agenda for next steps, but the Secretary has asked that we work all these up, and as soon as we work up this first round, we will turn around and start to work up the next round, so they are available as well.
This extension to the consumer empowerment use case references specifically lab results, as needed by the patients, list of conditions and allergies, health problems and diagnoses codes, and we have also identified a number of enabling technologies associated with these that are important in two contexts.
One, they are important in the context of this specific area, the specific use case, the specific breakthrough that is being advanced.
But, two, we have also reconciled those with the needs of the nationwide health information network in terms of standards and architecture moving forward.
And so there is a great synergy between some of the enabling technologies here and the next steps of the NHIN, as I’ll mention in a couple of minutes.
So some of the enabling technologies in this area include management of links between consumers and providers, consumer access control and how consumers can express their interests in access to their data, PHR portability methods and access auditing.
The final use case for this coming round is identified as one around quality, and we are terming this as an extension to the biosurveillance use case, because, although this is in the general area of population, formally known as secondary use, no one wants to be seen as secondary. So the general area of population data access and use for population purposes is what is referenced here.
The quality use case has a number of important associations.
One, there is the suggestion that it will need to involve a core set of inpatient and a core set of ambulatory measures -- focus on core set -- that will be advanced in this context.
Two, there is the fact that a prominent part of this is clinician access to these information. So while, frequently, people think of quality reporting as what this area is about, it came through loud and clear that clinician access to data is a critical part of this moving forward, and that will play a prominent role in the use case in the subsequent discussions.
And then there are a number of enabling technologies associated with that use case as well.
So three new use cases. Two of them are extensions of existing ones, and, then, the emergency responder EHR, which is already developed and advanced.
The third area I wanted to touch on was an update on the nationwide health information network.
We had recently a third public forum for the nationwide health information network. It was very well attended.
We also had a presentation at the last American health information community meeting, and both these events focused on two things.
One, they focused on the business models for how these type of services could become self sustaining, and the other area of attention was the software prototypes.
Now, there is a great tendency in software development to -- and in systems architecture -- to think that -- you know, software is very evocative, and I think that was both a plus and a minus of the activities that went on. So people were able to envision, indeed, some things that had been talked about very frequently in abstract ways.
But it is important to recognize as well that what had the four consortia demonstrate were really applications that were connecting to architectures -- network architectures. They are not the network themselves.
And so at the same time that we had, I think, some very compelling presentations of the work that was done, it was only a fraction of the work that was accomplished over the last year.
When we initiated the nationwide health information contract, we roughly asked that the consortia spend about 80 percent of their time on architecture issues and about 20 percent of their time on the software prototypes that validated that their architectures were viable, but, nevertheless, this was a very -- I think there was a lot of excitement at this forum. It was much more tangible than many of the architecture activities that had been carried on heretofore, and people could actually put a face, if you will, on what the kinds of services and capabilities could be when we get to this vision of having a nationwide health information network that can foster these types of activities.
Important in that is that NHIN is part of a broader cycle, and we have consistently described the fact that there are iterations to this cycle, that we are going to get at this in an iterative fashion.
We have, in some ways, gotten through most of one cycle. I wouldn’t say we’ve gotten through the complete cycle, but we have taken the first round of use cases, the breakthroughs from the community, put them into use cases, put them out to the NHIN for prototype architecture work, put them to the HITSP for standards work. We have had focused discussions on policies and regulation issues associated with those. We have talked about business deployment and sustainability issues, and we have shown a path for how they can -- these can influence next steps from a certification perspective as well. It is part of a broader process.
What we are advancing, in terms of the NHIN, is a network of networks to connect providers and consumers and interconnect state, regional and non-geographic health information exchanges.
Visually, we are focused on, to a significant degree, on the interconnection between exchanges. So it is a network of networks, and the needs for health information exchanges to be able to work with each other across some very complicated issues.
We are also focused on the ways in which those health information exchanges, to an extent, interact with provider organizations and other networks and systems that they connect up, but I think that it is important to differentiate some of these interfaces.
We think that there is an important role for the personal health record connection in this regard, but not all of these three interfaces may be dealt with completely in the same way. The needs for health exchange to health exchange connections are going to be highly specific and highly standardized, if that is going to work.
On the other hand, some of the needs, in terms of engaging provider organizations, and, potentially, consumer organizations, systems and networks, will have to have some flexibility to sustain this activity where the service provider, the group, the health exchange that is doing that connection may, indeed, lead to work to help get those groups up and running involved and participating.
And so these are different kinds of interfaces, different kinds of interconnections, and I think you’ll see, when we talk about the next steps for the NHIN, that that will play an important role.
We have also been talking about the fact that there is a need to potentially have service providers that can support health exchange, and this gets into a complicated discussion of potential acronyms and other terms, but to have successful health information exchange, a number of elements are necessary. There are business needs. There are trust needs. There are governance needs, and there are technical needs and simple service provision capabilities, and not all organizations are going to fill each of those functions.
So we are identifying, in the next steps of the NHIN, some important constituent aspects, attributes that need to be participant, and some of it is having the technical and service wherewithal to advance this activity, but, clearly, a very important part is also having developed a trust at a regional, state and potentially cross-regional level to be able to support health information exchange and to have governance that can support that.
This is one of the products from this year’s work, which is a depiction of some of the kinds of services that health information service providers may be providing, and, clearly, as the discussions have gone on, there has been a lot of good interchange between what services are viable to support health information exchange, what ones may need to be there -- such as security and secure transport -- which ones may be added value, additional roles and participation that may be specific to a particular community or specific to a particular region, and there needs to be a flexibility between having some core capabilities that allow people to trust this kind of health exchange and for the health exchanges to work together at the same time that there may be -- there are needs for flexibility in terms of the types of services that may catch on, if you will, in different communities to move forward.
So the third forum, as I mentioned before, focused on prototype architecture presentations through these software manifestations. It did focus on the three use cases from last time, and core network services.
So that was, I think, important to recognize that the work that was done did have a particular emphasis in the consumer empowerment electronic health record and biosurveillance realms as per those use cases.
It did put a face on these efforts that I think was compelling and represents -- and so some really important issues came forward in the course of the discussion, and some potential approaches for how to advance this kind of exchange came forward out of this prototype architecture work, including different approaches or connection of both commercial and tethered personal health records, opportunities and approaches for ways in which consumers can manage PHR data, considerations for how consumers could express the way in which their data could be managed, even beyond their PHR, potentially, in terms of network exchange. In one model, coming forward with approaches to the exchange of access management emanating from a PHR, but potentially applied to network exchange as well.
Clearly, a need for tracking providers associated with patients, and, here, you’ll see one of those synergies between the next use cases and some of the NHIN needs as well. Routing of lab data.
There were presentations on both portal- and EHR-based retrieval of historical results. There was not a one-size-fits-all for this, and they were both important, in the end, in terms of the presentations.
Notification technologies for how new data are available, making people aware of when new data are available. Some of the work of routing non-ordering providers of care, data to non-ordering providers of care, and, then, a number of issues about the importance of comparability across provider sites, data comparability and the importance to other activities that that engendered.
We have said, steadfastly, that the approach of the NHIN is going to be incremental, that we are going to take steps to this -- this slide is from the first forum -- that we have been working on first prototype architectures and producing a number of architectural products.
We are going to, then, take the next step, which is to trial implementations, and I will talk a little bit about what that will look like in a moment, but -- and, then, move on in subsequent steps from there, each time taking the products of the previous work and applying them to the next work.
So one of the things that we have identified, in terms of the next step of trial implementations, is that we will be taking the work that has been proceeding over the course of the last year and applying it in the context of the next-step contract and the next-step procurement.
I think that this is not necessarily the complete -- it is certainly not the complete approach to addressing the incremental development of the NHIN, but it is an important tool in trying to help advance some of these areas and some of these activities that are going on now at state and regional level.
So the types of products that will become parts of the guidance for the next step include the standards that have been -- from HITSP, the security model considerations, the work that the National Committee on Vital and Health Statistics has done on recommendations in the context of privacy and confidentiality for the NHIN, the work of the confidentiality, privacy and security working group, the vast amount of public input we have received in the context of the now three NHIN fora that have occurred.
The use cases that I have mentioned and talked about before will also figure prominently into the next round of activities, the functional requirements that NCVHS has worked on in the context of helping to define in simple, declarative terms the kinds of activities that need to be carried out.
We will be coordinating with the certification criteria for ambulatory care and inpatient, and particularly network certification criteria, as they become available in the next round of the certification activity, the work on business models, and, importantly, a report that we are going to have delivered from Gartner(?) Consulting on the 2006 NHIN work. We expect it to become available in the March 2007 time frame, and focus specifically on the interfaces.
We did a pretty deep dive into some of the technology in the last year, and I think that was appropriate from a prototype architecture standpoint, but, now, in the next steps, in trial implementations, we are going to step back a little bit from that and talk particularly at the interfaces where there are great needs for standardization and needs for systems and networks to work together, and to bring, in the context of the next-step activities, some of these attributes that are necessary for health information exchange.
Obviously, providers and systems need to be engaged. Health IT adoption is a critical part of the business models that have been discussed in terms of making this sustainable. Consumers need to be involved. Security has to be provided. Governance has to be in place. Trust has to be enabled, and, then, business services and technical capabilities have to be brought to the table as well.
So the next round of the NHIN activity we have termed trial implementation. So 2006 prototype architectures, 2007 trial implementations.
We are in the midst of initiating the procurement for this activity. So there are some things that I can’t talk about in that regard, but the important concepts I can allude to, which are, one, we are going to bring together the products of the 2006 work, some of which NCVHS was critical in helping to form.
We are going to try to bring together some of the technical accomplishments of the prototype architectures. We think that those technical capabilities and some of the other businesses that are out there working in this health information exchange area need to be brought together with directly engaging state and regional health exchange.
So an important difference here is that the next round of the NHIN procurement will directly engage state and regional health information exchange and focus on the interfaces by way of moving forward with next-step activities.
We anticipate that there’ll be a request for proposals in a March-April time frame with awards made in June and July to represent the next steps of the NHIN.
So, with that, I thank you for your attention this morning, and I’d be pleased to try to answer any questions you may have.
DR. COHN: John, thank you. Quite an overview of a year’s worth of very hard work.
I guess we will start Mark and then Justine, Harry, Kevin -- actually, John and then Leslie --
MR. ROTHSTEIN: Maybe you ought to take hands of all the people who don’t want to -- Well, I’ll be brief, then.
John, as you know, the GAO report was very critical about -- 84(?), its lack of efforts in the area of privacy in the NHIN, and I notice that your presentation had a de minimis amount of privacy to report to us. Maybe you wanted to keep it private.
What is ONC going to do in terms of ratcheting up its privacy efforts before privacy falls hopelessly behind the technology developments?
DR. LOONSK: Thank you for your question, Mark, and I certainly recognize your concerns in this area, and I, in fact, have read the GAO report, and I find it to be a very -- a reasoned detailing of a vast number of activities that are going on right now in the area of privacy and security.
I think the headline certainly caught a lot of people’s attention, but, in detailed reading of the report, there actually were -- there was a listing of a great number of activities that are going on.
We have tried to articulate the fact that this is going to be an incremental and iterative activity, and I tried to point that out in the context of my comments on the NHIN. We are not going to production systems as the next round. We are going to trial implementations, partly because we still feel we need to tease out more of the issues and work more of the privacy and security and some of the other related issues as we move forward in that regard.
So the plan is an iterative one. It is one that involves a vast number of different people and organizations in bringing forward issues, some of which, to be quite honest, are at the state and regional level that they need to be addressed.
We are working to try to offer new technical approaches to how some of those things can be advanced. I think some of the work in the NIHN prototype architectures around the ways in which consumers can influence how data could be managed are very promising in terms of what they potentially offer in terms of moving things forward, but they still have to be potentially tried in trial implementations to determine whether they are fully viable. So an incremental approach, trying to bring forward the issues, trying to bring them forward.
I think what the GAO pointed out, and I think it was one of the issues that we discussed with them in fair detail, was that when you have as many people working on these varied activities as there are, that you can’t always have distinct milestones and say this is when this issue will be addressed and this is when that issue will be addressed because of the iterative nature of this, and I think that that is an area where I think the Office of the National Coordinator differed with the GAO, who really was focused on -- in terms of the message -- having distinct milestones.
We certainly are as intent as we can be on having milestones identified wherever they possibly can, but there is still an aspect of discovery that is going on in the context of what the issues are at the state and local level that need to be addressed. So it is certainly an area that is -- our attentions are heavily focused on, and there’s still a lot to do.
DR. CARR: Thanks for a great presentation.
I have a question about medication management. Medication reconciliation is, as you know, one of the national patient safety goals for JAYCO(?). So my question is is there a new work group that will be working on this and --
DR. LOONSK: No. So, essentially, I think we have seven working groups of the American health information community, and what we were starting to see was that there were common priorities coming out of different working groups and potentially being addressed in different fashions.
So these use cases attempted to bridge some of that, and a lot of the medication reconciliation issues come out of the EHR working group and needs for -- although they are frequently about presentation at a clinical care setting and how medications can be reconciled at that time relative to historical medications, what the patient is actually taking, any over-the-counter medications, et cetera.
So the principal focus for that one, I think, would be the EHR working group, but these use cases will not necessarily mean that there is one working group that is working on those issues alone.
DR. CARR: Thank you.
MR. REYNOLDS: The question I have is on the patient identity reconciliation, you mentioned it on your slide under Emergency Responders, and, then, under Medication Management.
As you know, the committee has had some hearings on matching patients to their records.
Do you see a drive towards one type of matching criteria, obviously without the prominent use of Social Security number, without an individual identifier and some of those other things, if everybody picks their own and -- So where do you see that heading? Because it is showing up consistently throughout your presentations and a lot of other presentations that are going on about the subject, but where do you see it going?
DR. LOONSK: So the focus of the prototype architecture activities and the focus of the trial implementations will obviously be trying to make health exchange work when there is no national patient identifier and Social Security number is not used in the context of that identification.
So what that begs is the identification of demographic data that are available in the context of doing that reconciliation.
We think that an important aspect of the next step work will be on the ability for health information to health information reconciliation of patients as information needs to be exchanged, and there is a goodly amount of work going on in that area.
We think that is a critical component to getting to a network of networks, so that when one health exchange is routing data through another health exchange or vice versa, that there is a -- that the shared patient attributes necessary to do a reconciliation, but that is going to be a communication. It is not a single transaction. It’s gotta be more than one transaction that occurs, and that is part of what we anticipate will be a focus for the next round of the trial implementation.
MR. REYNOLDS: Thanks.
MR. HOUSTON: Having attended the forum, I actually thought it was really interesting, and there are two themes that you really didn’t talk too much about. I saw in your notes somewhat, but I think it probably bears a little discussion, and the things I know I at least had discussions about at the forum, one was sustainability and the other one was secondary uses.
I thought there was -- At least in the circle I was in, there was a lot of discussion about both. I mean, I don’t -- What I hate to open up is a sort of a broad discussion point, but I didn’t really hear you talk about the, but, yet, they seem to be topics of interest of a lot of people.
DR. LOONSK: And there was absolutely a lot of interest in -- For the third forum, the first day was on the prototype and demonstrations of the prototype software. The second day was around sustainability of health information exchange, and there was a very robust discussion that may not have been fully captured in my slides.
Interestingly, a number of the models, indeed, pointed to a similar time point of about eight years, seven, eight years out for achieving sustainability for some of the exchange efforts, which I thought was encouraging just from the standpoint of that there was some commonality of approach in that regard.
You are right that there were a number of issues about secondary use and discussion of secondary use, and, in those business discussions, many people point to secondary use as potentially something that plays an important role in sustainability.
I think part of what needs to occur, though, is further investigation into which of the different services are indeed viable and what added value service providers can provide, how much doing data translation and mappings. Can that be a service that they can potentially sell to some of the provider -- engaged provider organizations, for example, to bring people on board and get them engaged.
And so I think there are still a number of other models, but you are right that that was one of the things that was prominently presented.
DR. FRANCIS: Obviously, one of the privacy and confidentiality issues that this does highlight is questions about data security, but I want to just underline an entirely different range of questions.
Obviously, there are questions about control over information getting into the network in the first place from a privacy and confidentiality point of view, and, related to that, in the technical architecture design, the possibility of secure envelopes within, and I would hope that there is attention, as infrastructure is being looked at, in that set of questions as well as the data security questions.
DR. LOONSK: Thank you.
I think there has been a good amount of discussion about security approaches, auditing, encryption, where -- issues around data persistence and where that occurs. So there are a number of different discussions and products in the work that has been done.
DR. COHN: OK. Now, we move to the other side of the room. Jeff and Marc. Do you have a question also, Mike and Larry -- OK.
And, then, hopefully, after that, we’ll be able to take a break. So remember, your questions, you are standing between us and the break.
PARTICIPANT: We have better questions over here.
MR. BLAIR: John, first of all, I want to express my appreciation for the fact that -- you know, it has been obvious for some time that ONC has been moving forward with a number of parallel initiatives, and what you outlined today was that, for the first time, that I was able to see how these things might converge and build on the results of each other and then go into further iterations. I really appreciated seeing that.
It is obviously going to be difficult, and it may be difficult to keep them on schedule, and it may not be as fast as we want in all areas, but the convergence, the iterations kind of gave us, for the first time, a little bit of a road map, and I really appreciated that.
One area that you mentioned that probably I had less concern about as a techie type person, until my recent experience in New Mexico with our health information exchange, is -- and this gets to the area of convergence and how this fits in, because, in some sense, while we move forward with a lot of things that you discussed, the functional requirements for the network and all of the pieces and how everything works together, we are finding that the community is very interested in the health information exchange network for different reasons than we expected, and we are finding ourselves, in order to be responsive, redefining what we are doing every few months, and it is being driven by business models.
You mentioned business models, and I would like to have a better understanding, and maybe I’ll just give two quick examples of this, because we are finding that the business case, in some cases where we thought there was one, it was weak, and we are finding that there’s business cases where we didn’t expect to find them as we try to be responsive to our community.
One of these that is especially strong and was struggling, because not all the pieces are there for us to put it together, is that as different health care institutions begin to say yes, they are signing agreements to be able to share data, they are realizing that folks outside of their health plan, health facility will now begin to have access to their health care information, and it isn’t just the technical authentication standards that are not there, it is the policies, the practices, the authorization, the authentication, this whole area, in terms of not just a covered entity, but a community-wide network for coming together with agreements on all of these. That turns out to be a major positive business-case driver for these entities.
And so that is just one example, but I am giving that example, because, I am really, really interested in how you will be constructing the business-case piece because I would think it would need to be responsive to the emerging business cases in the various health information exchange networks across the country.
So whatever you have done to begin to think out how we would do this, I would really be interested in this, because this may be driving a lot of the other pieces instead of vice versa.
DR. LOONSK: Thank you for your comments, Jeff.
I think you have pointed to a number of very challenging areas, and so one -- I think one conclusion from that, and one that we have held for some time, is that we, the country, do not know all the activities or how they will look on the Health Internet, and that, like the Internet, it is incumbent upon us to not assume that we know what it will look like completely in a number of years, and that has to flavor the way in which we pursue things, that we should not stifle certain activities unduly lest we don’t understand what the implications are relative to moving forward with that.
So the general model, I think, is to move forward iteratively, to try to be specific where one needs to be specific, but also to allow for the development to proceed, and that is a challenge.
I think there a few different aspects to the business activities. One is that the AHIC basically is making an estimate as to what activities they think have a business case when they identify a breakthrough, and they are doing it really in anticipation of the rest of the activities and in anticipation of how that plays out at times, based on the best information available, but certainly without knowing conclusively how that will look at the end of what is a cycle of activities and movement toward implementation.
But they are making an estimate. They are trying to identify breakthrough areas where services can potentially be sustainable, where there are needs for those services, even if there isn’t completely identified the relationship between entities that would cause a self-sustaining service.
So moving forward with those areas, those breakthroughs through the use cases, advancing them through the entire activity, they press on different issues in different places along the way.
At certification time, for example, there is a heavy emphasis on why the EHR vendor should implement those services. Is there a compelling case that people will want to buy EHRs that implement those services.
At the architecture level, there is the issue of how do health exchanges be able to be -- how can they be self sustaining in terms of providing services, et cetera, et cetera. So there are a number of different glimpses at that, a number of different lenses that are put on that.
But I think the simple answer is that what we are trying to do is to encourage the development as we proceed through this, recognizing that, indeed, work flows are going to change, different services are going to change, what the complete capabilities are of the Health Internet, if you will, are not completely known, and that we have to be very strategic in terms of how to foster the movement in this direction without impeding its progress.
MR. BLAIR: The philosophy that you have just expressed, I completely agree with.
Now, the only piece that I would be concerned about is that if people looked at what appeared to be positive business cases six months or nine months ago, they are shifting, and they are shifting quickly as people understand the strengths and limitations of these networks, and so if there is any way to communicate that that AHIC group would need to have current information from a diversity of health information exchange networks that are out there as we are finding out that as people understand these networks better, the perception of what the business case is is shifting significantly and quickly.
Is there some way for us to --
DR. LOONSK: We see that, too, and I think that what you’ll see in the next round of the NHIN activities is some flexibility in terms of which of the breakthroughs and which of these additional focus areas can be implemented as they move forward with trial implementations, because not only are there shifting priorities at times, but they vary, in terms of the particular region and what will work there and what will work somewhere else.
So we need to maintain that flexibility for both those reasons, and we agree with you that that is a critical aspect of moving forward.
DR. OVERHAGE: I can’t tell you how much fun it is to get to ask you questions, instead of the other way around. Now about that other deliverable --
I had a number of questions, but I guess I might role them up into one broad question, and you probably can’t answer this, but I’ll let you take a stab at it anyway.
One of the concerns that I have is there are myriad forces spinning off activities for ONC in this area, and it feels very fragmented and disconnected to me, as I look at the overall picture, and, as Jeff said, I think there is an architecture. There is a direction.
I am worried a little bit, though, that the pieces aren’t tied together enough to make real progress.
So, for example, the HITSP recommendations that you talked about, when you look at those -- and, frankly, I haven’t read them all, and I do this for a living, and I -- I mean, there’s just too much, and part of that, I think, is organization, presentation and focus that makes it harder to digest and track, but part of it is this myriad of pieces that are out there moving.
C-CHET(?), as another example, we started out and focused on electronic health record certification. We can’t quite get to interoperability yet. We’ve got to go through this other process, all right and good, and, yet, most of the data that we look at in the systems today are in laboratory systems and pharmacy systems and radiology systems and things like that, and not NEHRs or anything else that C-CHET has looked at yet.
So a very broad concern is too strong a word, I guess, but maybe the question is is do you have thoughts about how we can help corral this a little bit better, so we can actually make real progress?
I think there is broad progress being made, but I am a little worried that it is broad progress at the 100,000-foot level, and that the 10,000-foot to the ground level, there is so much diversity and so much fragmentation, I am worried that we are not going to get done what we really want to get done, although the trial implementations and things like that, I think, are a step in that direction.
DR. LOONSK: Well, thank you for your comments.
A few responses, a few points. One is that this is complicated. This is not a trivial thing, and just take the interoperability specifications, at the same time that you and others may be overwhelmed by 800 pages worth of implementation guidance, we clearly need that kind of specificity to get to a level of interoperability which is really got to show value in terms of connecting systems.
I mean, we know for some time that we have to talk about how standards are implemented, not just what standards there are, and that basically compels that level of specificity.
We also know that this health exchange is not going to be a simple thing and that we need to advance it in a way that is coordinated. We know that it is going forward at state and local levels. We know that if it goes forward without coordination, we are going to not have the kinds of security necessarily built in in every implementation that we would like. We are not going to have them be interoperable with each other, because they are going to go and do things in their own way at times to meet their own compelling needs, and so I think this is a complicated activity.
We have a number of things going on. A number of them are about discovery, and a number of them are trying to identify. If you think about the activity with the state and local implementations of HIPAA and how we still have lessons to learn from that.
We are still early in this process, and so it is a balancing of the fact that we are -- we have some time to go. We have to go through a number of iterations. Some of these processes still have to produce products, so that they can be fed into the next round, like the -- limitations and how I describe that here, and I think that things will look much more cohesive when we start to get into that cycle and start to implement those things.
But, at the same time, we are also very -- there are needs to move forward and to move forward fast, because we know that there is a lot going on, and so it is a balancing of those two things and the communication thereof.
So I think that, as things progress, you’ll start to see the way in which they start to fit together, the way in which we can take the product from one activity and feed it into the next step activity and that that is basically what coordinating is about.
DR. FITZMAURICE: I gotta say, by the end of that answer, much as I’d like to say, Gee, it is all fragment(?) and everything, it is complex and it is hard to get your mind around, but I find that quite a few minds are getting around it, and as I see us working ahead, I see us pulling in more and more things to the overall picture, not just reaching out with more and more arms of an octopus without a head. It does -- it is better coordinated than say a year ago, because we have learned more, and so I buy into your statement.
For interoperability in trial sites, it would be useful if we looked at how the codes and terms that are exchanged are understandable, understandable to clinicians at both ends of the transmission, and, indeed, we’d like their computers to be able to accurately identify the concepts and use them for information retrieval and decision support.
But sometimes we have difference in terminologies and codes, even across the named or recognized standards. So it would be useful to have a look-up tool to guide vendors and clinicians in achieving the interoperability of this message content that is exchanged.
So I want to ask you have you given consideration about how to improve the interoperability of the data elements and the name standards and the use-case information exchanges?
For example, you might encourage electronic access to the name standards, maybe for a price, make a deal with the SDOs and say, When you put them electronically, we want the vendors, the people who are making the systems work, be able to hone in on the particular standard that they need, and the terminology. Maybe electronic access to terminology services to guide vendors to the right terms and codes. There are some in DOD, NCI. National Library of Medicine may have one, and, then, you might support an analysis of the differences in terminology among the name standards with a goal of harmonizing these differences.
As you move into the trial implementations, are these some of the considerations that you are pondering or do you think that they are beyond the scope of interest at this time and best left to the private sector to do?
DR. LOONSK: Well, I think you point to some very important issues, and I would also like to reference some of the work that is going on at the National Library of Medicine in regard to projects to relate terminologies and be assistance in that regard.
We do see that there are a number of needs out there that will need to be advanced. Clearly, as we get to more and more implementation of standards, there will be demands on services for terminology mappings and terminology accessibility.
It is one of the things that has been discussed around health information service providers that might help support a health exchange and support the NHIN is that that kind of technical capability may be a key service that they could help provide, particularly if they are offering out data mappings and message transformation to others in helping to bring them in.
We do have to be a little bit realistic, though, in terms of the amount that can be bitten off in the next round of the NHIN, and we think that there is an important area of focus for highly constraining, being very specific about health exchange to health exchange translations.
Here, the standards really need to be as well implemented as possible. I think that can offer lessons learned, so the kind of discussions you are having, that the health information service providers may, indeed, in the process of that, identify needs for terminology services that -- as those that you are alluding to, and that that could be a productive outcome, and then allow some flexibility in terms of some of the other interfaces as we move to the business model for supporting these services as well as adoption, because we know that we can’t rip and replace all the health information technology that is out there in the different participating organizations, and there will be needs for some flexibility in terms of -- for some time to come.
DR. FITZMAURICE: I guess what I am seeing is that at the AHIC and the NHIN conference, when the business case was presented, I think 50 percent of the revenue was projected to come from secondary uses of the data.
Not only do we want to have a good understanding of the information exchanges, but as that data get stored in a repository, it is more valuable and adds to the business case if it is more uniform.
DR. LOONSK: And I would note here that one of the areas that we look forward to potentially working with NCVHS moving forward is in the area of secondary uses of data, because we think this is a very important area where the technical expertise of NCVHS could be helpful in some next steps as well.
DR. GREEN: I am Larry Green, John. I am one of the four new members. I feel like I have been drinking from the fire hydrant since last December trying to get -- All of you, I presume, were once new members also.
Your presentation was enormously helpful to me. I want to thank you for it.
I would like to ask you to go back up to 30,000-, 40,000-foot level from all these interesting details.
I have been looking and reading and trying to understand the logic model here, and I would just like to hear it from you how you see the logic that leads to the conclusion that we need a national health information network.
The H -- I mean, I have been reading up and listening. I can understand why we need a national information network, and I can understand why we would have health applications in it, but as I listened to you talk about the network of networks and this thing that we have the article T-H-E in front of -- The National Health Information Network, I am still struggling for the logic that comes to the conclusion that we need The National Health Information Network sort of as a discrete thing. Can you help me with that?
DR. LOONSK: Certainly.
I think one of the issues with terminology is that if you do use a capital The or you use a term like network, that it necessarily becomes very concrete for people and that they -- on the one hand, it is something that they can associate with, but they can say this is an organizing principle that we can work around.
On the other hand, they very much see it as a physical entity which would sit somewhere and look like something and be owned by someone.
And I think that it is the -- sort of the challenge and the opportunity of moving forward with a nationwide initiative is that you need to rally people around some coordination.
It would be, I think, a tremendous loss if every region and state went about developing health information exchange differently, they didn’t learn from what others did, they weren’t interoperable, so that you could have your information be portable if you moved from one jurisdiction to another. The benefits of population data that come from multiple jurisdictions that would be impacted by complete differences in that implementation, those all would be, I think, great losses in terms of moving forward.
On the other hand, what we are trying to articulate is not a server that sits somewhere, but when we say a network of networks, we mean a network of networks. We mean by having the networks come together, use shared approaches, use common technologies for interchange, that we can knit together something that can meet security issues, meet concerns about how information can flow, add value and allow for a great flourishing of secondary-use data opportunities and other opportunities in terms of what a health information Internet could be.
So it is a challenge with the language, but we are, in this nationwide health information network, talking about an initiative, a nationwide health information network initiative that has the intent of bringing together a collaborative of networks and service providers who could work together to make for this vision.
We are not talking about a common shared server or physical network that would be run by the government or by any other single organization or entity.
And these are complicated issues and complicated challenges to articulate and communicate, but that is the vision we have been trying to articulate around the NHIN.
DR. COHN: John, thank you for those comments. I think that was a vision we also tried to instill into the functional requirements document that we produced -- recently.
I want to thank you. I think it has been a very interesting conversation.
I think you’ll all be aware that we are running significantly behind, but I thought it was an important conversation for us to all have, and I think we are all sort of in agreement with that.
John, I want to thank you.
I actually want to thank the committee members, especially note that, with this first session, we have actually engaged all of the new committee members in the conversation. So we are always very pleased at that. We don’t have shy new members. So that is great.
But, with that, let’s take about a 15 minute break.
We’ll come back at about 10 to 12 --
(Break).
Agenda Item: Subcommittee on Standards and Security Letter
DR. COHN: Will everyone please be seated? We are going to get started.
I will turn this over to Harry Reynolds and Jeff Blair for review of a letter on the National Provider Identifier --
MR. REYNOLDS: Jeff, you want to make a comment before we start or anything?
MR. BLAIR: No, not at this time. Harry, take it.
MR. REYNOLDS: All right. Since we’ve got some new members of the committee and we are going to ask you to approve a letter, I want to give you a little quick warmup, so that you are not completely -- Yes, a little warmup would be good here.
PARTICIPANT: Brace yourselves.
MR. REYNOLDS: So as a matter of fact, you can stand up and do jumping jacks while I am talking, if you want.
The National Provider ID was established so that a single provider would have a single number to be identified with in the country, and, then, institutions could have multiples defining themselves. That is what was originally set up, a two-year implementation period was put in place, and also a single implementation date for everyone was established, so there was no staging. So it was everybody running to a single goal line, and everybody had to get there, not only themselves, but they had to get there with everybody else that they work with.
So that is kind of the background of what this national provider ID is about.
We heard testimony a couple of times, and you’ll hear in the letter that we did.
On our most recent hearing, we had 16 different testifiers representing an incredible cross section of the industry, just about everybody that is involved in one way or the other.
What we clearly heard, again, is that the May 23rd deadline is not really going to be doable for everybody together to get it done. So even if a doctor got their NPI, whether or not all the payers or clearinghouses and everyone that they worked with would be ready would be questioned. So you’ll hear all this in the letter, though.
But we also felt that May 23rd should have some meaning as an implementation date, because, as we kind of looked at our lessons learned back from HIPAA and other things, if there is a due date and it is -- even if it has a transition period or anything aligned to it, if the due date doesn’t mean something and doesn’t have some kind of significance, then, as we continue to roll these out -- which those of us who are on standards and security know that we’ll be continuing to roll these out -- that was a concern to us also. So you’ll hear our statement as to what we feel about that.
We do feel there needs to be some kind of a transition period to make sure everybody works together after they do their initial things, and you’ll hear that clearly.
And we also recommend in here that we will be holding other hearings to monitor that and comment, not necessarily just monitor it, but in our hearings, we will hear from the industry as to where it is going and then make further recommendations or considerations to the Secretary, as necessary.
So that is kind of an overview to give you a sense of what we have been through, what it is and what the situation is.
And if there aren’t any questions, Simon, I’ll go ahead and read the letter you should have it in front of you.
Dear Secretary Leavitt, the National Committee on Vital and Health Statistics is responsible for assisting and advising the Department of Health and Human Services in adopting the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In that role, we have continued to monitor the health care industry’s progress toward meeting the May 23, 2007, compliance date for implementation of the national provider identifier NPI.
We last reported NPI status to you on November 29, 2006, and, at that time, concluded there were several impediments to meeting the statutory deadline.
While we have observed some progress since November, we remain skeptical that the industry will be able to meet the target date for NPI compliance.
On January 24, 2007, we again heard testimony from the health care industry and the Centers for Medicare and Medicaid Services, CMS, regarding the industry’s general readiness to implement NPI by the May 23rd deadline.
There were participants from associations representing providers, pharmacies, plans, health-care/ software vendors and third-party billing companies. All expressed a great degree of concern and agreed that many in the industry would not be able to meet the May 23, 2007, compliance date.
Two types of challenges were identified. The first is the challenge of achieving full enumeration. The second is a challenge of data exchanging and testing; 1.7 million NPIs have been enumerated, but many providers have still not applied for a number. Reasons include procrastination and/or lack of awareness of the need to obtain the number.
Despite significant outreach efforts on behalf of CMS in partnership with industry groups, some providers remain unaware of the need to obtain an NPI and the critical need to test the NPI with health plans.
Some providers believe themselves to be exempt, because they do not do electronic billing or they do not participate in Medicare. Still others who care for under-served populations may not bill for services.
Testifiers stressed that additional educational efforts in outreach are required to assure providers are aware of what they need to do to be compliant.
Many industry representatives also conceded that significant progress could still be made towards increasing the number of providers who obtain MPIs by May 23rd, but there was not unanimity, and no testifiers believe full enumeration was possible by that date.
The second challenge is software testing, and I am going to substitute information system testing in place of software has been in the recommendation. So you’ll hear that in the next sentence also.
MR. HOUSTON: Harry, one of the things I did notice when I read through it was that in your prior paragraph, you describe the second challenge of data exchange and testing. So if you want to be consistent --
MR. REYNOLDS: OK. We will make sure we make that consistent.
A significant impediment to -- whatever we change it to -- testing -- is continued lack of access to data from the national plan/provider enumeration system, NPPES.
Many plans need NPPES data to build crosswalks between legacy systems and NPIs in their own systems to ensure validation of the NPIs given to them by providers and to ensure timely processing of transactions.
In addition, providers also need to obtain the NPIs of other providers because claims require the provision of both primary billing provider and the ordering or referring provider.
For example, pharmacies need the NPI of the prescribing physician in order to submit a valid claim.
Testifiers stressed that successful implementation depends heavily upon access to NPPES data.
Testing among trading partners is critical to assuring that accurate payments are made to the right providers.
This testing would include providers submitting transactions (for example, claims) containing NPIs to plans and plans processing the transaction and creating appropriate transactions (for example, remittance devices).
Very little testing has occurred to date, and testifiers indicated that all industry segments require more time to complete testing and ensure a seamless exchange of data between trading partners.
Without this testing, providers especially are concerned that payments for their services will be substantially delayed. Delay in filling a patient’s prescription is also a possibility.
As we stated in our last letter to you on this subject, NPPES data cannot be released until HHS publishes a data-dissemination notice in the Federal Register.
We continue to strongly encourage HHS to publish this notice as delays in doing so will further impede progress toward industry compliance and improving health care system efficiency.
Based on expert testimony at the subcommittee hearings and our own public deliberations, we have the following observations and recommendations.
DR. COHN: Yes, Harry, do you want to hold up just a second to see if anybody has any comments about any of the sort of the --
MR. BLAIR: Background.
DR. COHN: -- the background information?
MR. HOUSTON: I read through it and had some little nits and things. Should I just give them, rather than trying to describe them?
DR. COHN: Yes, if they are wordsmithing stuff, I think we can --
MR. HOUSTON: There are. So --
DR. COHN: Yes, I mean, is there anything substantive or just --
MR. HOUSTON: No, I think it is --
Let me just say one thing where we are starting now, though, I think there is a little redundancy between what we are going to talk about now and what was in the prior paragraphs, at least the first two observations and recommendations. It seems like you really talked about them before. So --
MR. REYNOLDS: Yes, we agree with that --
MR. HOUSTON: But it seems like there’s a little bit of redundancy. I am not sure whether it needs -- whether that is good or bad.
MR. BLAIR: We have a breakout session this afternoon, and maybe those wordsmithing things can be accommodated at that time.
DR. COHN: Yes, I think we can -- I mean, if it is minor wordsmithing, we can take it offline. If it is major issues with the construction of the letter, we can deal with that, but I do want to, once again, remind everybody that there may not be a meeting tomorrow.
MR. HOUSTON: Oh, really?
DR. COHN: Well, given the weather reports. So I think we just need to be mindful of that as we deal with this particular issue.
DR. FITZMAURICE(?): Simon, I just want to make the point that sometimes the redundancy is intentional. We want to restate something that leads into -- observation that leads into a recommendation. So it is -- it is useful.
DR. COHN: Okay. We’ll take minor wordsmithing offline and deal with it in the final production of the letter.
MR. REYNOLDS: What we could do, Simon, is I could look at those with John at lunch, and if there is anything that is substantive, we can mention it right after lunch to make sure we move forward.
Okay. Observation one. There is a clear need for more outreach to inform providers, especially small-program and minority providers, of the need to acquire NPIs.
Education is also needed for a wider range of providers and plans, so they understand the need for sharing NPIs among their trading partners.
Recommendation one. NCVHS recommends that HHS/CMS take the lead in this additional needed education, while also enlisting the participation of organizations that represent the industry. Several of these organizations expressed a willingness to provide assistance in the effort.
Observation two.
DR. COHN: Well, why don’t we stop after each recommendation and just make sure that everybody is sort of aligned right.
Anything in relationship to that first observation recommendation?
MR. REYNOLDS: Okay. Observation Two. Industry must have access to the NPPES data. This is critical to its ability to build crosswalks and reprogram its systems to accommodate NPI-based transactions.
This is possible only if HHS publishes a data-dissemination notice describing the data that will be made available and the mechanisms for obtaining it.
Recommendation number two. NCVHS strongly recommends that HHS decides what information will be made available to the industry, issue a data-dissemination notice and make the data available at the earliest possible date. We believe this essential to the success of the NPI implementation.
One thing I didn’t explain to the group, which I’ll do quickly, is the whole thing about NPPES is that it is a national database that has the NPIs that the providers have gone out and gotten, and so it is a single place for people to go out and find out who has NPIs and what they are and so on. So I think that is what this -- and some people in the industry did build their implementation around that being available, since there had been discussion --
Okay. Moving to Observation Three. All covered entities should be able to accomplish the internal tasks needed to comply with the May 23, 2007, date; that is, providers should be able to obtain their NPIs and plans and clearinghouses should be able to complete their system changes needed to accept NPIs on HIPAA transactions.
Recommendation Three, and I am going to read it differently than it is currently formulated, so that -- also, I’ll read it slower than I would normally.
So, Recommendation Number Three. NCVHS recommends that providers obtain their NPIs, health plans and clearinghouses complete the system changes needed to accept NPIs on HIPAA transactions by the May 23, 2007, compliance date. That is how we would say it.
So what we are basically doing here -- and as I mentioned earlier, there should be substantial progress made by May 23rd, and we recommend that each individual entity should be able to do those things by May 23rd.
MR. HOUSTON: Don’t you want to state that in terms of -- the compliance deadline should be modified or some -- it is not just our recommendation, but we are recommending that the compliance deadline be sort of bifurcated, such that there is an obligation for them to get their NPIs --
MR. REYNOLDS: What we feel is that we would want to leave that up to the department --
MR. HOUSTON: How they are going to --
MR. REYNOLDS: -- actually, as to how that would be addressed.
MR. BLAIR: If I might state, I think that this was deliberately not going into those other -- this sentence. The following sentences that Harry is about to read will indicate other requirements for a later time on this recommendation, but we wanted to make a very clear statement kind of restating the compliance date of May 23, 2007. So that was the intent of this sentence.
And then the following sentences will indicate other requirements that will have extended dates.
MR. REYNOLDS: OK. Yes, Bill.
DR. SCANLON: But in changing the language, haven’t you made a recommendation, not to the Secretary, but to providers and to the clearinghouses, and -- I mean, the original sentence was to preserve the deadline, which puts a burden on providers and clearinghouses, and it is the Secretary’s prerogative to preserve the deadline --
MR. BLAIR: Maybe if we read the paragraph as a whole, the recommendation as a whole, and then maybe you could still see whether you still feel the same way that you just articulated.
MR. REYNOLDS: Bill, tell me your concern again, please.
DR. SCANLON: Well, the concern was that in changing the wording of the recommendation. The recommendation was actually directed at providers. Forgot the other part -- and that we don’t write to providers. We write to the Secretary. The Secretary creates the pressure for providers to comply by preserving the May 23rd deadline, and that the original recommendation did that. The original recommendation said to the Secretary, Don’t change the deadline.
PARTICIPANT: That is a good point.
PARTICIPANT: Yes, I see what you are saying.
PARTICIPANT: Right. The recommendation has to be addressed to the Secretary, not to the providers to comply --
PARTICIPANT: Yes.
PARTICIPANT: -- basically what you are --
MR. BLAIR: Secretary retain that deadline for that piece of it, yes.
PARTICIPANT: Which would require, and then you can state the rest of the recommendation.
MR. LAND: It seems to me that if it is going to be a recommendation to the Secretary, and we are talking about a requirement, then, the issue is what is the penalty if somebody doesn’t obtain their number by this date, and that is what -- I don’t know if that is in here or not or if that has been discussed earlier, but that is really -- the teeth behind this is what happens if a provider doesn’t do it.
DR. FITZMAURICE: It is $100 per violation, per HIPAA.
MR. REYNOLDS: Well, again, what we were hoping for is, obviously, if it stays there, whatever we decide that it is, at that point, somebody could complain to CMS that, in fact, somebody else that they are working with did not reach a certain point, and, at that point, it goes to whatever it goes through in the normal process, which is no different than now.
In other words, if May 23rd was left in place, that is exactly what would occur, and then there’d be a process and whatever that meant.
So we are trying not to be prescriptive as to what should happen, but, on the other hand, we are going to talk about a transition, too. So we want it to be -- May 23rd to mean something, but it doesn’t mean the end, and so that is what we are trying to formulate with this statement. So it’s --
DR. WARREN: I think for the new members, another way to look at this is the regulation already requires people to comply by May 23rd. So there is nothing that this committee can do to change that regulation.
What we are doing is saying that when we heard testimony, there were some things that we agreed could still be accomplished by May 23rd, and that is what this recommendation is about.
There are some other things that we believe cannot be accomplished by May 23rd, and that is what Recommendation four is about.
So it is separating those two out to be very specific, and we dialogued long and hard about how to do that.
So does that help, Bill, in understanding --
DR. SCANLON: Well, it does if it was only an observation, if we were observing that we thought these things could be done by May 23rd.
It is the idea that when we make a recommendation in a letter to the Secretary, we are telling the Secretary to do something, and so if we were to eliminate the recommendation in this case and simply make the observation that we think that providers and clearinghouses, et cetera, should do this, and can do this, then, I would -- I mean, I am just --
MR. REYNOLDS: But if we left it as a recommendation, how would you term it?
DR. SCANLON: Beg your pardon?
MR. REYNOLDS: If we left it as a recommendation --
DR. SCANLON: I would have left it the way there. It is basically telling the Secretary, Don’t change the deadline.
MR. REYNOLDS: OK. Well, for those certain tasks.
DR. SCANLON: Right.
MR. REYNOLDS: Yes.
MS. TRUDEL: I don’t know whether this would make the situation a little bit more understandable, but it might be possible to combine Observation Three and Four and have them be Three and Three A, and simply have the recommendation from Recommendation Four be the sole recommendation under those two observations.
It may be premature for me to suggest that, because we haven’t read the fourth one yet, but that is an option.
MR. REYNOLDS: Well, let’s read Observation Four and Recommendation Four. Let’s go through that, and, then, let’s come back -- You OK with that?
DR. COHN: That’s a great --
MR. REYNOLDS: Let’s do that. Yes, let’s do that.
OK. So let’s move along. So Observation Four. Any covered entities will likely not be able to complete the collaborative tasks needed to fully test NPI usage.
MS. GREENBERG: Should probably say by --
MR. REYNOLDS: I know. Yes, I had that on the other copy. Yes, by May 23rd.
OK. That is, Provider software may not accommodate the NPI on HIPAA transactions and plans and clearinghouses may not be able to complete crosswalk construction.
After hearing testimony, we are convinced that requiring complete compliance with the NPI standard on May 23, 2007, will be onerous and create widespread billing and payment problems.
Recommendation Four. NCVHS recommends that HHS publish contingency guidance similar to the one utilized for transaction and code sets and standards in 2003.
Such guidance would protect otherwise compliant covered entities from enforcement action if they develop and implement contingency plans, such as continuing to accept legacy identifiers to assure continuity of operations.
We suggest it would be prudent to institute a six-month contingency using the following conditions:
If HHS issues a data dissemination notice and makes NPPES data available to the industry prior to or on May 23, 2007, the contingency period would extend six months after that date.
If HHS issues a dissemination notice and makes the NPPES data available after May 23rd, the contingency period would start six months after the date the data is available.
PARTICIPANT: Would end.
MR. REYNOLDS: Would end six months after the datas are available.
OK. So, Karen, so now that we have read that, tell me what you are recommending again.
MS. TRUDEL: Combining Observation Three and Observation Four and have them be A and B, under Observation Three, and then having the recommendation for Observation Four be the sole recommendation under that observation.
DR. COHN: Well, Karen, just make sure I understand --
MR. REYNOLDS: I don’t get --
DR. COHN: -- what you are doing is basically suggesting that we don’t move forward with Recommendation Three and that we otherwise take the Observation Three, combine it with Observation Four and --
MS. TRUDEL: Yes.
DR. COHN: -- and just have the recommendations in Four be the pertinent recommendations there.
MS. TRUDEL: Yes, in that that responds to Bill’s concern about what are we recommending to the Secretary.
DR. SCANLON: And, in response, I mean, Recommendation Three is don’t do anything. So when you leave it out, in some respects, that remains the recommendation -- OK? -- telling the Secretary, Don’t change the date, and in leaving it out, what you are doing is leave the date alone, but make -- this contingency for these other tasks.
You can go either way. I mean, you can either make it explicit all to the date or you can leave it out and it is implicit --
MR. REYNOLDS: Marjorie, then Jeff.
MS. GREENBERG: Well, you could sort of compromise between those two, I agree, but I think the idea of making this all one observation is a good one, in that, otherwise, I think it is a little confusing the way it is, but you could make this observation that is currently under Three, and, then, just, as part of the observation, say, Therefore, we see no need to change the May 23rd compliance date for accomplishing these tasks.
PARTICIPANT: That is a recommendation.
PARTICIPANT: We can’t change the date.
DR. COHN: Yes, CMS doesn’t have the authority to change the implementation date anyway.
MS. GREENBERG: OK. Well, but if -- Let’s say you did need people -- Let’s say you had come to a different conclusion. There would be something that could be done. You’d have to go to Congress, I guess? Or --
MR. REYNOLDS: Jeff, I see your hand. I’ll get to you.
MS. GREENBERG: I mean, is this not even an option at this point to change that requirement? Is there no capacity to change the requirement that people accomplish these tasks? I mean, it could be part of the contingency plan.
PARTICIPANT: It is a statute.
MS. GREENBERG: Right?
MR. REYNOLDS: It is a statute. So I don’t see how you change --
MS. GREENBERG: Hum?
PARTICIPANT: It is a statute.
PARTICIPANT: It is a statute.
MS. GREENBERG: It’s a statue -- two years after the implementation, but, then, I mean, how can you have a contingency plan at all if the statute is controlling? That doesn’t exactly make -- I am just saying if you don’t think that it is -- If you think this can be done by then, it could be explicit that -- about what you were trying to say without making it a recommendation in Three, if it is nothing that anyone could address anyway, then --
MR. REYNOLDS: Before I turn it over to Karen -- Jeff, Karen is going to make a comment on Marjorie’s statement, and then I’ll get to you.
We consider this a pivotal time as we look at standards, and that is one of the reasons we tried to mess with this Observation Three is because, with HIPAA, there is a long contingency period. With this, there is a period. We got 50/10(?) coming. We got ICD 10 coming. We got a whole lot of big change coming on here. John mentioned things. Those standards are going to have to be implemented and so on.
We were trying to discuss some kind of a -- Anytime you do a project, you need to have milestones, and, at some point, even if you don’t finish the project, if you don’t have any milestones and you keep blowing right through them, then you don’t have a plan, and so we are really, really trying -- and, again, this has been difficult to deal with because we know you got a statute that we can’t change the date. Whether or not the Secretary can change the date -- We are playing off of the fact that there can be guidance given on contingency plans and other things that we’re playing off of HIPAA, that happened.
But we are trying to keep some kind of an oomph behind May 23rd, because the next time the industry lines up again and then they line up again and then they line up again -- We heard testimony that people were just going to start ignoring -- that doesn’t matter anymore. I am going to wait -- You know, we heard people literally testify, I’ll wait ‘til the date, and then I’ll figure out what I might do, because it is probably going to take longer than that.
So I think that is the thing we are trying to deal with in this piece, and, obviously, it’s got to be an artful dealing that we are messing with, and we figured this is -- I mean, this is kind of where it hits the road and how do we do it in a reasonable way.
Jeff, you had a comment, and then Steve --
MR. BLAIR: Yes, and my comment --
MR. REYNOLDS: I’m sorry. Karen, you had a comment before that.
MS. TRUDEL: I just wanted to clarify the Secretary’s authority to publish contingency guidance comes from a part of the statute that encourages voluntary compliance and gives people who are not compliant the opportunity to become compliant and cure periods and educational opportunities.
So that is where the contingency authority comes from, but it isn’t across the board. It is not an authority to move a date. It is an authority to look upon a complaint or an enforcement action with a different context.
Ms. GREENBERG: Thank you.
MR. REYNOLDS: And, again, I think supports our position on May 23rd, as having -- still having some meaning.
Jeff, and, then, Steve.
MR. BLAIR: My comment is very much in support of what Harry just said, but let me try to make it a little bit explicit, because I think it is essential in this letter to have Recommendation Three and Recommendation Four separated and for us to actually recommend that the Secretary retain the deadline for specific functions. That is clear. That is unambiguous. OK?
And the reason is because Harry alluded to the fact of the broader context. This letter and this situation for NPI adoption and compliance is not in isolation. We have gone through the HIPAA transaction standards, which went through significant delays. This is a -- compared to other things that are coming down the pike during this next year or two, this is relatively straightforward. If this becomes the second time that the deadlines that have been set forth gets ignored, there is a precedent that will become harder and harder for us to overcome in the future.
Now, in this case, we heard from the industry, and we have tremendous respect for the industry, and we listened very, very carefully to the pieces where they could not comply, and we separated them out, and that is what Three and Four does. It separates out clearly what they are capable of doing and what they are not capable of doing by May 23rd, and, for that reason, I think it is important that we keep each of these recommendations separate and unambiguous.
DR. STEINDEL: I’d like to really just echo what Jeff just said. Harry’s eloquence a few moments ago convinced me that we do need to keep these two separate, and Bill’s comments on how we should word it convinced me that we shouldn’t change the wording.
MR. REYNOLDS: Let me make one other -- Bill.
DR. SCANLON: Could I amend my comment?
MR. REYNOLDS: Yes. Can you amend your good idea, yes.
DR. SCANLON: Right. Having heard that this is a statutory requirement, I mean, you don’t recommend to the Secretary follow the statute.
I mean, what I think I hear you saying, in terms of trying to strike this balance, is in Recommendation Three, that you want to maintain the May 23rd deadline for certain tasks and that you don’t want any contingencies for those tasks.
And, then, in Recommendation Four, what you are saying, for other tasks, that you would be willing to grant some contingencies, but for a limited time, and that is where the subtlety and the balance comes in, that you distinguish the tasks and you also put a time limit on how long you are going to be willing to be tolerant about non-compliance.
And so I think that, potentially, in Recommendation Three, since we know the Secretary doesn’t have the statutory authority to change that date, that you talk about maintain this date and not provide for any contingencies, and, then, in Recommendation Four, you talk about these other tasks, which you think may not be done, and, for them, you provide contingencies over a limited time period.
That makes sense to me.
MR. REYNOLDS: Mark, you had a question, I think, and then I’ve got some other possible language --
MR. ROTHSTEIN: I just wanted to follow up on that and raise the question of whether, in Recommendation Four, this language, Contingency Guidance, gives the impression that HHS is more flexible than we want the agency to be or the department to be, and would it be better if we said something like, instead of publishing contingency guidance, publishing enforcement guidance, and saying that, for a period of time for these external collaborative measures, enforcement will take into account blah, blah, blah, but only for a limited period of time.
By bringing in transaction code sets and making people think of the -- sort of the delays that were built in, that give the impression that I think everyone wants to give in this letter.
MR. REYNOLDS: Karen, what is your feeling on that wording?
MS. TRUDEL: I think it was originally worded that way, because it was a process that people were familiar with, and they kind of knew how it worked, but it is six of one, half a dozen of the other, because, really, what we call contingency guidance was enforcement flexibility.
MR. ROTHSTEIN: Right.
MR. REYNOLDS: Well, enforcement would probably send a more -- I don’t know. Interesting -- Let me go back to Three, Mark, and then I want to come back to Four. OK? Let me go back to Three.
What about the idea -- Recommendation Three. NCVHS recommends that HHS expect providers, plans and clearinghouses to accomplish these tasks by the May 23, 2007, compliance date. Then, it is directed --
MS. GREENBERG: Continue to expect?
MR. REYNOLDS: Just expect. Just expect.
MR. BLAIR: Well, could you say retain the current deadline? Because if you say retain, what is the current HHS deadline --
MR. REYNOLDS: No, no, no. I didn’t say that, Jeff. I said NCVHS recommends that HHS expect providers, plans and clearinghouses to accomplish these tasks by the May 23, 2007, compliance date.
MR. BLAIR: I just felt like the word expect is kind of weak. So I was just trying to get that a little stronger.
MR. REYNOLDS: What word? I didn’t understand. What word were you -- You’re saying require?
MR. BLAIR: I would feel better that -- Yes.
MR. ROTHSTEIN: Could you say that we recommend that HHS enforce the May 23rd compliance date with respect to these issues?
DR. COHN: Let me just make a general comment, because I feel that we are I think, at the end of the day, a statuary public advisory committee that, I think, among other things, is trying to represent the public interest and advise CMS the right path in terms of this implementation.
I’m getting here, in some of these conversations, that we are somehow trying to become the enforcers ourselves, as opposed to advise on the appropriate method of enforcement in all of this. So I just would have you all -- I mean, I think that we -- once again, we are advising CMS. I think we don’t serve ourselves or the country very well by trying to micro manage at too great a level specificity. So I would just advise you on that. That is just my personal feelings.
I thought Harry had some very good wording --
MR. REYNOLDS: Well, I think the word “expect” allows them to decide what “expect” means.
MS. GREENBERG: That’s why I thought “continue to expect”, because they expect it now. Right?
MR. REYNOLDS: But they expect the whole thing.
MS. GREENBERG: All right. So this is --
MR. REYNOLDS: We are modifying --
MS. GREENBERG: -- continue to expect.
MR. REYNOLDS: All right. So let me read it again.
You want continue in there? Okay. Well, no. No, I am serious. I want to know. I want to read it for approval.
MS. GREENBERG: Well, I recommended that, but this is for the members to decide.
MR. REYNOLDS: Okay. Well, let me read it with “continue” in there, and then people can -- Okay. NCVHS recommends that HHS continue to expect providers, plans and clearinghouses to accomplish these tasks by May 23, 2007's compliance date.
DR. STEINDEL: I like the original wording.
MR. REYNOLDS: You mean “expect”?
DR. STEINDEL: No, as it is written in the document.
MS. GREENBERG: Required?
DR. STEINDEL: Yes. Yes. Recommends that covered entities be required to accomplish these tasks by May 23, 2007, compliance date.
I think it is very simple, straightforward and specific, and if HHS decides they don’t want to require it, they can introduce contingency plans.
I think we are saying very bluntly there we are going to stick to that enforcement date, as NCVHS. That is our recommendation.
MR. REYNOLDS: That is a firm recommendation that that date means something.
DR. STEINDEL: Yes.
MR. REYNOLDS: OK. Anybody have a problem with going back to the original wording?
Oay. Moving on. Observation Four. We read it. We have one recommendation -- Let me read Recommendation Four again with Mark’s change.
DR. COHN: Well, I thought we were going to discuss Mark’s change. I mean, Mark is talking about changing this to enforcement --
MR. ROTHSTEIN: Flexibility --
MR. REYNOLDS: Just let me read the first sentence, so you see where it fits, and then -- So everybody --
NCVHS recommends that HHS publish enforcement guidance rather than contingency guidance. That is what we are talking about.
Karen, I’d like a comment from you before -- Steve.
DR. STEINDEL: I think we heard Karen earlier on that.
Contingency guidance in HIPAA is now a term of art, and, as Karen pointed out, it really means the same thing as enforcement, because that is what they are asking for contingency on, to allow them some guidance and leverage on enforcing things, and I think enforcement is just not a term of art, if we start using it here, it is going to be -- introduce some difficulties.
MR. ROTHSTEIN: I have no problem with that.
MR. REYNOLDS: Yes, with Recommendation Three back as it was, I would have no problem either leaving it as contingency.
So, Simon, that means that Observation Four, except for including by May 23rd at the end of the first sentence and Recommendation Four stand as is.
And, then, our last statement is, We will continue to monitor the implementation progress and report to you.
So we have a hearing in May, and we have another hearing in October. So if it were to be the -- six months. If the NPPES came out and the date started May 23rd, then six months from that is -- well, what’s that? That is -- that’s 11. So we would have had two shots at it to make comments between then and then with our two hearings that we have in place. So --
With that, Simon, except for John’s wordsmithing at lunch, which I can take a look at, I would assume --
MR. HOUSTON: Well, I think things -- my wordsmithing has gotten more minor, based upon that last -- the conversation about Observations Three and Four. So --
MR. REYNOLDS: OK. All right.
MR. HOUSTON: They’re pretty minor.
MR. LAND: You could simplify, I think, the two statements there by just saying that whenever --
MR. REYNOLDS: Get to the mike. Well, where are you? Make sure everybody knows where you are.
MR. LAND: Where you have your two different options of when the contingency period right to the start, I think you could just say whenever the NPS data is available, then, it’ll be six months after that.
MR. REYNOLDS: Well, but we want to still keep intact May 23rd. Okay. In other words --
MR. LAND: Well, but it if it before --
MR. REYNOLDS: If it is before, we have already said above, the people are only going to get to a certain point by May 23rd. So we kind of started that earlier than we said. So that is why we did it -- We want them to have ‘til May 23rd, because that is what the regulation says, or later than that, if the dissemination --
MR. ROTHSTEIN: I have a question, Harry. I am not exactly sure how to read this. The first one, suppose HHS issues the dissemination notice on April 1st --
MR. REYNOLDS: Yes.
MR. ROTHSTEIN: Okay. Does the contingency period end October 1st or November 23rd?
MR. REYNOLDS: November 23rd.
MS. GREENBERG: After what date? I read it the other way around.
MR. ROTHSTEIN: See, I am trying to figure out what that date means. So can we -- Maybe we should just put November 23rd.
MS. GREENBERG: Yes.
PARTICIPANT: Because they still may never have gotten disseminated --
MR. ROTHSTEIN: No, but in the first contingency -- the first -- If they have done it by May 23rd.
MR. REYNOLDS: No, after -- Okay. It would be --
MS. GREENBERG: You are not abbreviating the six months --
MR. REYNOLDS: No, no, gotcha. It is six months from May 23rd. Yes. Good catch. Good catch. We’ll just put the date 11-23 --
MS. GREENBERG: Would end November -- Okay --
MR. REYNOLDS: 11-23-07. Good catch. That is a good catch.
MR. BLAIR: Yes.
MR. REYNOLDS: And, then, the second one stands as is.
PARTICIPANT: Right.
MR. REYNOLDS: Simon, would you want to take a vote to approve the letter, and, then, we’ll look at the changes and if any of them are substantive, I promise we will bring it back right away.
DR. COHN: Yes, and I think we would obviously want -- Any consideration of this would need to, obviously, include the opportunity for minor wordsmithing --
MR. REYNOLDS: Yes.
DR. COHN: -- at the discretion of the Chair.
Is there a motion --
MR. HOUSTON: I’ll motion that the letter be approved with minor wordsmithing permitted.
DR. COHN: OK. Second?
DR. WARREN: Second.
DR. COHN: Okay. Any further discussion on this letter?
MR. BLAIR: The only thing I have is that if, by chance -- is there some way for the committee to -- How do I want to say this? I guess we are approving this at this point, so that if we don’t meet tomorrow, the wordsmithing then goes to what? The Executive Committee?
PARTICIPANT: No.
MR. BLAIR: Or it goes --
PARTICIPANT: It’s approved.
MR. BLAIR: It is approved, period. Okay.
DR. COHN: Yes. I think this was at the discretion of the Chair, in terms of wordsmithing.
So other questions or discussions?
OK. Well, all in favor --
(A chorus of ayes).
DR. COHN: Opposed?
Anyone on the phone want to vote?
MS. MC CALL(?): Aye. In favor.
MR. BLAIR: You have to be louder.
DR. COHN: Anybody on the phone?
MS. MC CALL(?): Yes, can you hear me?
DR. COHN: Now, I can hear you. Are you voting affirmative?
MS. MC CALL(?): In favor.
MR. BLAIR: Don’t we have some other folks on the phone? Steinwachs?
DR. COHN: I guess not. Okay. Well, with that, the motion is passed, and thank you.
MR. REYNOLDS: Thank you. Thank you, everyone.
DR. COHN: Yes.
Now, it is 12:40. Why don’t we take a break for lunch and we will reconvene at 1:30?
(Luncheon recess was taken at 12:40 p.m.)
DR. COHN: It has come to our attention that apparently at two o’clock, federal offices in the Washington, D.C. area are closing due to severe weather.
MS. GREENBERG: Predicted.
DR. COHN: Predicted.
MS. GREENBERG: Due to inclement weather, yes.
DR. COHN: Due to inclement weather.
So that may impact some of our planned subcommittee meetings and other sessions this afternoon.
Now, but I would, first of all, say that I think we will intend, unless there is a --
MS. GREENBERG: If the government reopens in the morning --
DR. COHN: Yes, what we will do is to reconvene tomorrow morning.
MS. GREENBERG: When they reopen.
DR. COHN: Yes. Well, if they open at 11 o’clock, we are probably not going to reconvene for an hour. So, basically, if they open at regular time or at 10:00 a.m., we will reconvene tomorrow morning. Anything later than that, we will, obviously, just cancel the meetings tomorrow, at least for our full committee, -- Obviously, there’s hearings scheduled for tomorrow afternoon, which all that is happening is that it is a late start to the government day. Those will obviously continue.
Now, obviously, I am looking through to sort of see what other action items we have, and the only other action item we have has to do with the HIPAA annual report. Given that we don’t actually have that in our hands yet, there is no action we can take. So, hopefully, if we can get back together tomorrow morning -- Now, hopefully, we get back together tomorrow morning, we’ll have a chance to look at that and at least provisionally approve it to put it over to the Executive Subcommittee for final revision.
PARTICIPANT: We are getting an Executive Summary
DR. COHN: I think we’ll need to review that.
Now, with that, I think what I am going to suggest is that we move forward with the agenda as we have it and ask Mark to talk briefly about issues coming up from the Subcommittee on Privacy and Confidentiality.
If, indeed, we do go on tomorrow morning, which, hopefully, we will, we will rejigger the agenda a little bit, and, Marjorie, I hope you don’t mind, but I think probably we’ll try to include some things on populations and move the agenda around a little bit, but we’ll figure that one out.
MS. GREENBERG: Should I provide this hot-line number?
DR. COHN: Oh, please. I am sorry.
MS. GREENBERG: Yes. NCHS does have a hot-line number that employees can call, but it tells what the status of government opening and closure is, et cetera. So I will share it with you. I actually wanted to prior to today, but I couldn’t figure out what it was. So I have it now. So it is 1-888-NCHS-TEL.
MR. BLAIR: Could you give us those in numbers, please?
MS. GREENBERG: 1-888- -- I frankly don’t know -- What are those numbers? NCHS-TEL. Does someone know what -- Does anyone have a phone?
(Several participants at once).
DR. COHN: Yes, and, actually, I’d like to comment, one of our new members, Laurie Green, was asking if these are sort of how meetings are usually run, and I would say that, yes, except for the emergency weather closure --
PARTICIPANT: Three seasons out of the year --
DR. COHN: Yes.
(Several participants at once).
MR. HOUSTON: Even though the particular website is not coming up right now, there is an Office of Personnel -- is it Office of Personnel Management?
PARTICIPANT: Yes.
MR. HOUSTON: Website where you can actually get the same notice off of it, and if it comes up in the room, I can give you the ERL for it, but it seems like it is either down or --
MS. GREENBERG: OPM.
MR. HOUSTON: Oh, wait. Here it goes. It is http://www.opm.gov/topics.asp, and when you come to that page, there is a selection for -- under O -- for open/close status of federal government, D.C. area, and if you click on that, it’ll actually tell you the current status of the government.
PARTICIPANT: That is a well-kept secret, isn’t it?
DR. COHN: Well, with that, now that we have talked about -- OK. We are going to transact business for the next 20 minutes, ‘til we adjourn. Mark.
Agenda Item: Subcommittee on Privacy and Confidentiality
MR. ROTHSTEIN: Yes, thank you, Simon.
MR. HOUSTON: By the way, it says right now the current status of the government is open, though.
I’ll check it at two o’clock.
MR. ROTHSTEIN: I want to bring you up to date on what the Subcommittee on Privacy and Confidentiality is doing, and about two letters that we plan to have to the full committee at our June meeting.
And for the new members, and to remind the old members as well, in our June 22nd letter to the Secretary on the NHIN, one of our recommendations addressed the issue of whether health privacy regulations should be extended beyond the three covered entities currently covered under HIPAA, and, specifically, the recommendation, which is R-12, reads, HHS should work with other federal agencies and the Congress to ensure the privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers and schools.
We have held three subcommittee hearings on the coverage issue in September, November and January. We wanted to explore the effect of a possible expansion of coverage on employers, life insurers, banks, financial institutions and other entities currently not covered by the HIPAA privacy rule. How are they regulated? What problems might they encounter, et cetera.
We also wanted to hear from health-care providers who are currently not covered entities under HIPAA, and there are quite a few, and I’ll talk about that in just a minute.
To make a long story short, we considered a variety of options and issues, and we have, thus far, decided on two areas in which we want to draft letters and recommendations for the Secretary.
And the first one deals with the use of health information in schools and the gaps and overlaps between HIPAA and FIRPA.
We heard testimony from experts at both K-12 level and also college health personnel that health-care providers and public-health officials are having a difficult time exchanging essential information about children, for example, in schools. They can’t get access to immunization data. The schools that have information can’t report it to public-health authorities, et cetera, and we want to explore the issues of both, and this goes to a point that Gene made this morning both protecting privacy and not making sure that the privacy rules have the effect of stifling the interchange of essential information for health and public-health purposes.
So, fortunately, Gail Horlick, who is an expert on national immunization policy in schools, will be able to help us draft that letter.
OK. And happy to do so, I might add.
And the other letter is on the issue of expanding coverage, and, of course, in our June letter, the purpose of that recommendation was to recognize that the HIPAA Privacy Rule and the NHIN are intended to do totally different things and we felt that if you are going to have a comprehensive system of electronic health records that we need comprehensive health privacy protections, and that is behind the reasoning in this recommendation in June.
We held hearings most recently last month and heard from a variety of non-covered health-care providers and put together a list of who might be on that group, and the number of non-covered health-care providers, frankly -- I don’t know about the other subcommittees -- it just staggered me. I didn’t realize there were so many health-care providers who are not currently covered by the HIPAA Privacy Rule.
MR. BLAIR: -- you are saying providers, it is -- or enterprises?
MR. ROTHSTEIN: No, I am talking about different types of providers. Enterprises as well, but providers.
Let me give you some examples. Employer health clinics. If you get sick on the job, some large employers, you just go down there, they treat you. They don’t charge you. They are not HIPAA-covered entities. Cosmetic medicine providers, urgent-care facilities, certain kinds of concierge medical practices, home testing laboratories, athletic trainers, massage therapists, reproductive-health counselors. The list goes on and on and on.
And, basically, what we are going to be talking about is a recommendation to the Secretary and the language that was approved in June to extend some level of privacy and confidentiality for protection to these providers, not necessarily HIPAA Privacy Rule, but some sort of coverage, and, of course, it may well require legislation, in which case we would recommend to the Secretary that the Secretary pursue such a thing with Congress.
We also may want to consider -- and, here again, I am not speaking for the subcommittee, because we haven’t really addressed this issue. We may also recommend that the Secretary undertake a more comprehensive study to determine the actual number of people that we are talking about.
We heard witnesses, but we just have sort of on-the-back-of-an-envelope kind of guesses as to how many people we are talking about would be covered, and it may be appropriate for the department to do -- You know, they’ve got a lot more resources and expertise than the subcommittee and can generate a more accurate tally of the number of providers in the various categories, and also possibly come up with the most efficient way to protect them.
There may be existing legislation, for example, that could be extended, not HIPAA, but other laws that would apply.
So, for example, blood banks are not covered entities under HIPAA, by and large. It may be that we want to regulate them through the laws that regulate blood banks, in terms of privacy, or some of these other entities.
So that is what we are contemplating doing, and we’ve got some time. The purpose of today’s briefing is just to alert you to what our current priorities are, and we’ll be meeting, perhaps, tomorrow morning to discuss these issues, as well as to plan some of our future hearings on other privacy topics.
Anybody have any questions? Yes.
MR. LAND: You mentioned FIRPA and immunizations. I hope it is not restricted to just immunizations.
One of the other big issues that public-health agencies are faced with right now is new-born hearing programs. They have registries, but they cannot get the information from the school districts when the child has been followed up and has had an audiological exam, and that is really creating a major problem for them in determining which children have been followed up and which have not been followed up.
MR. ROTHSTEIN: Yes, I thank you for mentioning that. It is a very good point. We did have a witness who spoke about that, about the inability to get those kinds of audiology reports, and that will be included as well. I mentioned immunization as just one of the other examples that we are --
But there really is a major gap between HIPAA and FIRPA, and, in some settings, you’ve got situations where both rules apply or no rule applies, and, for example, college health service -- and we heard testimony about this -- if they take care of a student, then, FIRPA applies, but if it is a staff member and they are going to bill somebody, then HIPAA applies, and if they are not going to bill anybody, then -- and it is a staff member, then nobody -- neither regulation applies. So that is what we are going to take a look at.
MR. HOUSTON: And just to make the point obvious is I think we heard as much comment about the fact I think people would just like to know what they need to comply with. They want to have clarity as to what applies, and so if it was one rule that had more broad application, I think they would be happier than having to figure out what do you do when and what applies and what doesn’t apply, and I got that sense through the testimony, too, or at least afterwards.
MR. ROTHSTEIN: Yes, we had testimony at our last hearing from the Athletic Trainers Association, and he had major problems in deciding which set of rules his group had to comply with, and many of the other witnesses were just -- They didn’t even know that they weren’t even covered.
We heard from a witness at our last hearing who is the CEO of one of the -- I think the largest home test laboratory in the country. So if you want to anonymously get tested for Hepatitis C or HIV and you buy a kit at the drug store, you mail all this stuff in, his lab is the one that tests them, and he was very proud of the fact that his lab was totally HIPAA compliant, and we suggested to him that that was a good thing to be, but it wasn’t required. and so -- I mean, there is just a lot of confusion.
Thank you, Simon.
DR. FRANCIS: Just as a new member, I might say that the overwhelming impression in some of these cases is risks to patient care of the gaps or people thinking that they can’t share information when they could or lots of confusion, and that underlies your point --
DR. GREEN: Mark, I’d like to ask a question about this committee. Does this committee work with a model of how they think health care is being delivered and is going to be delivered?
MR. ROTHSTEIN: Can you give me a little more detail on that question?
DR. GREEN: Yes, I’ll try. So let’s take the example that you used at the child in school --
MR. ROTHSTEIN: Right.
DR. GREEN: And so let’s say the child has asthma, and there is information that the school nurses have about the child and how the child is doing with their asthma, and maybe the child also sees a pulmonologist and maybe an allergist and maybe a pediatrician, and so they all have pieces of this kid’s data.
The gist I took is that this committee is looking at the fact that we are looking for a comprehensive solution that allows this kid -- my representative of the public’s interest -- to be taken really -- have great care and -- went very well without unnecessary impediments or barriers.
Has the committee or the subcommittee made explicit the model of the health-care delivery process that we think we are planning for and we are preparing for and that we are creating a national health information network for, and, if so what is it? And, if not, how do we proceed without some agreement about that?
MR. ROTHSTEIN: Simon, do you want to address that?
DR. COHN: Well, I think without -- I mean, I would certainly not tell you that I think the committee has come up with the vision of health care in the future.
On the other hand, what we have done is we have visioned out -- and there is a document called the National Health Information Infrastructure document that really -- Information for Health, which I think I would suggest to you --
MR. LAND: I think I have seen that.
DR. COHN: Yes, does provide --
MR. LAND: Isn’t that on the Web site?
DR. COHN: Yes, it is on the Web site. It was done about 1991 or ‘02 --
PARTICIPANT: No, it was done --
DR. COHN: 2001. I’m sorry. 2001-2002. Post lunch. Definitely begins to lay out a vision not of the actual mechanics of health care, but a vision where information is available to support health care wherever it needs to occur, and I would -- I mean, Mark, I don’t know if you were going to go to that one or not, but --
MR. ROTHSTEIN: Well, what I was going to say is our recommendations, typically -- and, in this context as well, usually don’t go into those sorts of systemic assumptions about health-care delivery.
What we try to do is to come up with broad recommendations that we deem to be appropriate under any system of health-care delivery.
I mean, you haven’t been around that long, but I am sure, over time, you’ll realize that it is often a very difficult process getting any recommendation dealing with privacy through the committee in a unanimous -- If we tagged onto that -- Oh, and by the way, this is what we think the health-care system should look like, too, then we might have one lead opinion and 17 separate concurring opinions.
I mean, not to be flip about it. I mean, what we need to do, I think, is try to reach agreement on sort of the broadest principles to recommend to the Secretary, and there are other people in the department who are working on the issues that you suggest.
MR. BLAIR: There is one other piece. Our scope is health information policy, and that word, information, bounds us. So we are not going beyond health information --
DR. GREEN: Just for the -- for future discussions, it is not immediately clear to me how the charge to look at information and information management can actually proceed without us making assumptions about how the information will be used, and the implications for that seem to me to be -- whether they are articulated or not -- every one of us at the table is working with a set of assumptions about how this information is going to be used, who is going to use it, where they are going to use it, how they are going to be integrated.
I accept the point that this is complicated and not the charge of the mission to prescribe the structure and the function of the health-care delivery system, but I am not sure I am yet prepared to accept the notion that we are not working without assumptions about the structure and function of the health-care delivery system and what -- As a newcomer, what I am a little worried about is I am not real thrilled about planning for the past.
MR. ROTHSTEIN: I think that is a very fair and perceptive comment, and I hope that you will hold our feet to the fire on that, and if some document comes through -- especially via the privacy and confidentiality subcommittee -- that seems to be overly sort of confined by a singular vision -- stated or unstated -- that you’ll call us on that, because it is a good point.
MR. REYNOLDS: Larry, what were the last two words of your comments? You said you couldn’t plan --
DR. GREEN: Well, I was just saying that -- Well, I was implying that it is quite a challenging proposition that we are undertaking to help plan for the information needs of a delivery system that appears to be in transformative change, and that it sounds to me as if the answer to my question is no, the committee does not have an agreed model in mind. We each bring our own individual ideas about the model to the table. We discuss things, and, somehow or other, we iron this out.
DR. COHN: Well, Larry, I think maybe I would actually maybe even frame it a little differently.
Number one is I would actually like you to look at the NHII document, because I think you actually might find it to be very interesting.
The other piece is that you mentioned in your last couple of sentences transformation of health care, and I think that the committee charge is actually a little broader than just health care, and I would have you actually think about this, as I think we are all recognizing that there is actually a transformation of health, and I think that we tend to think of it, actually, even though many of us have M.D.s after our names, you and myself included, that we really need to be thinking from that broader context.
So we can talk about personal health records or the personal dimension of the NHII, you are really thinking of something potentially a little broader, but I think we do need to engage you in this conversation, and I think you are right that -- I think there are sort of unstated either assumptions or beliefs we have about how all of this is playing out that do impact both where we choose to put our energy as well as the nature of the conversation, but I think we obviously -- this is the beginning of that conversation, not the end of it.
MR. BLAIR: Simon, I’d like to add one other thought.
DR. COHN: Sure.
MR. BLAIR: Because one of the things that caused me to really think about what you said was, you know, you would be frustrated if you felt like we were dealing with things in the past, and I think many of us have -- as we have started to look into the opportunities to provide information-system solutions, but more than information-system solutions, as Simon just mentioned, the National Health Information Infrastructure, if we are able to move forward in information infrastructure for health care, we do transform it, and we do begin to address a lot of the dysfunctional areas of health care. So we do tend to think that we are moving health care into the future, but our principal vehicle to do so is with the information -- creating a health-information infrastructure for the nation. So I don’t know if that is helpful or not.
DR. COHN: Well, we will continue -- I wanted to move onto another topic, but, Marjorie, what was your --
MS. GREENBERG: Well, again -- and I hate to end at this --
DR. COHN: Well, we are not.
MS. GREENBERG: It is such an interesting discussion -- even though it is two o’clock.
DR. COHN: Well, we are moving onto another conversation.
MS. GREENBERG: Okay. But I did want you to know what the actual OPM announcement is, and that is that everybody but emergency employees are supposed to depart at 2:00 p.m., and, as much as we feel important, I guess we not emergency employees, but, also, due to pending inclement weather -- and, then, it says road conditions are expected to deteriorate later this afternoon. It is essential to get federal workers home before dark, so transportation authorities can treat the roads.
We will continue to monitor the weather conditions and announce the status of government for tomorrow as soon as possible.
Agenda Item: HIPAA 8th Annual Report, Action February 14
DR. COHN: Okay. Now, what I was going to ask for was, obviously, knowing that we are already even a couple of minutes beyond the two o’clock time, I did want to -- assuming everyone is OK with it -- ask Maya to at least briefly discuss the document, which is the HIPAA report, and what I would suggest is that, since we haven’t seen this before, I want her to briefly reference it. You all have copies of it.
If we do meet tomorrow, it will be an action item that we’ll be considering.
If not, what we will do is to schedule a conference call. Yes -- to handle the work that we didn’t get done at this meeting.
MS. BERNSTEIN: My sense is you will not want to be voting on it tomorrow in the condition that it is in.
However, so I apologize for not having it to you earlier and for not having done this -- I dropped the ball, essentially, but I was focused on the comments that I got from the privacy, confidentiality subcommittee, which are -- Basically, all of the comments that I got were from either members of that subcommittee or staff associated with that subcommittee.
If I missed another committee member’s comments on the report, we would still, actually, like to get them.
So you are on that committee, so --
MR. REYNOLDS: And I am also on Standards and Security.
MS. BERNSTEIN: But, I mean, I count you, because I know you from my subcommittee. Yes, you have made other comments.
(Several participants at once).
MS. BERNSTEIN: If you have ever been to a Privacy and Confidentiality meeting, I think I have your comment, but if you don’t normally attend those meetings, I do not have your comments, and if you do have comments, would love to have them.
I also recognize that we have some new members of the committee who might not have had an opportunity at the November meeting to see this and are maybe seeing this for the first time.
So the main part of the discussion at the November meeting was essentially about the structure of the document, which was sort of half executive summary and half text or substantive part, which is not normally the structure of a report.
So the main part of what we have to do is to condense executive summary, so that it really is an executive summary, and I tried to do that in two pages, which you have.
There’s a couple of little notes in the margin, just for sort of dates and things that I wanted to make sure of, but, basically, this summarizes those items that are activities that happened during the reporting period for this report, which is May 2005 to November 2006.
If it didn’t happen during that time period, I left it out, basically, except for a small note at the end, which says we took a 10-year overview of HIPAA and we summarized those observations in the text of the report.
Other than that, everything that is in summary is only that which happened during that reporting period.
And then Simon made some changes to the text of the letter itself, which you also have a copy of. It is another double-sided thing.
And I have just handed you what is the current draft of the substance of the report, which needs some more work.
Essentially, I took the first real hard look at it last week, and, in addition to the structural problems, what I see is that a lot of the text of this report is borrowed language from previous reports or from other things that we have issued.
And the other thing I have noticed is that it is almost entirely procedural. It is as we issued a rule on such-and-such a date. There were so many comments. Doesn’t say what the rule says, and I am guessing that is not a real report. What a report is about is a small summary of what exactly the enforcement rule is about, instead of just how it took us -- what kind of procedures we used to get to the final rule.
So that is what I am going to try to work on, but, basically, that is sort of mostly -- I wouldn’t call it wordsmithing, but not really changing the content or the sort of topics that the report covers, but mostly organization and trying to beef it up a little with more interesting factual data about what we really did.
I also -- you’ll notice -- divided the executive summary and probably will finish the report that way into department activities, which the committee is reporting about, and the committee’s own activities, which during the November meeting actually looked over -- and thanks to Gail for her help -- looking over the transcript of that meeting to find out, well, what do we really say about this report, and there was some discussion about how much you wanted to just limit it to things that are directly related to HIPAA and how much you wanted to take the opportunity to talk about other activities that NCVHS does, such as the NHIN work and things that are not directly HIPAA related.
And you decided that you would like to take that opportunity briefly, as long as that didn’t become the center of the report. So that is still in there.
I think the other thing is, though, that, previously, no one commented on the points that I was making, in that it looks the same as previous reports.
I literally went to the 2007 report and there’s the same -- So maybe that is our -- You know, my office’s issue in drafting, and part of it is nobody commented on it, so we kind of didn’t notice before, but, now, I am noticing.
And if you want that to change, I am happy to change it in the way that you direct me.
So I will say that because the comments mostly came from the Privacy and Confidentiality subcommittee. That is where the most substantive change was made in the report, and, if you like, I can actually read out loud what the sort of paragraph in the Executive Summary says and the two paragraphs in the Substantive Report say about that.
So let me read from the Executive Summary the paragraph that now describes the privacy work.
It says, As of October 31, 2006, more than three years after the compliance date, the number of privacy complaints to the Office for Civil Rights totaled 23,268, and more than three-quarters have been closed.
About two-thirds of the closures are due to lack of jurisdiction, deficiency in the complaint or because no violation is alleged by the facts of the complaint.
Over 346 cases were referred to OCR by the Department of Justice for criminal investigation based solely on facts alleged in those complaints with no investigation by OCR.
To date, no prosecutions have arisen from these referrals. Neither has OCR yet brought a civil enforcement action.
OCR attempts to resolve problems that lead to complaints directly with the covered entities by providing technical assistance to facilitate compliance.
We applaud the focus on improving the protections at the covered-entity level. Nonetheless, prospective general improvements by a covered entity often do not satisfy the individual who makes the complaint, nor reassure the public that the law is being enforced adequately.
Commitment to aggressive enforcement on the part of federal regulators is necessary to ensure the adoption and success of the Secretary’s Nationwide Health Information Network Initiative.
I will say that this language comes directly from the June 22nd privacy letter. So the facts are the facts, and then the part that is more opinion or recommendations comes directly from the language that this committee has already --
Does anyone have any comments now on that paragraph?
OK. Let me -- I did not mark what page it is on.
OK. And then there are -- well, it is like a page. There’s three paragraphs actually on page 9 and 10 of the draft of the full letter that you have from that --
Shall I go ahead? Is that all right?
OK. So this is a section on protecting privacy and confidentiality in the National Health Information Network.
The NCVHS Subcommittee on Privacy and Confidentiality held a number of hearings in the past year focusing on privacy and confidentiality considerations in the emerging National Health Information Network.
Based on those hearings, the NCVHS submitted findings and recommendations to HHS in June 2006. The report, Privacy and Confidentiality in the Nationwide Health Information Network, is the culmination of five hearings, three in-person meetings and numerous conference calls between January 2005 and June 2006, an 18-month process of learning and deliberation.
The Subcommittee on Privacy and Confidentiality held three hearings in Washington, D.C., one in Chicago and one in San Francisco.
At each hearing, witnesses representing different constituencies concerned about the privacy and confidentiality of health information testified, including hospitals, providers, payers, medical informatics experts, experts in health law, ethicists, integrated health systems, regional health information organizations and consumer and patient advocacy groups.
We also heard testimony from representatives of nationwide health networks in Australia, Canada and Denmark.
The hearings were followed by a series of conference calls and public meetings to discuss findings and prepare this report for the committee to submit to HHS.
The report covers several topics central to the challenges for safeguarding health privacy in the NHIN environment, the role of individuals in making decisions about the use of their personal health information, policies for controlling disclosures across the NHIN, regulatory issues, such as jurisdiction and enforcement, use of information by non-health-care entities and establishing and maintaining the public trust that is necessary to ensure NHIN is a success.
In particular, the subcommittee came to the conclusion that the definition of covered entity in the current HIPAA privacy rule is outdated, as it was based on assumptions made in the 1990s that are no longer valid.
The move toward an NHIN stresses the original definitions, because new business models and new entities not contemplated at the time of HIPAA are arising, and the concept of a covered entity is inefficient and limiting.
Based on this work, the committee made the following recommendations with respect to HIPAA.
And, there, I have listed four recommendations that specifically were from that letter that specifically related to HIPAA. The other ones, I left out.
These are: HHS should work with other federal agencies and the Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers and schools.
The next one is HHS should explore ways to preserve some degree of state variation in health privacy law without losing systemic interoperability and essential protections for privacy and confidentiality.
HHS should harmonize the rules governing the NHIN with the HIPAA privacy rule, as well as other relevant federal regulations, including those regulating substance abuse treatment records.
And, then, the fourth is NCVHS endorses strong enforcement of the HIPAA privacy rule with regard to business associates, and, if necessary, HHS should amend the rule to increase the responsibility of covered entities to control the privacy, confidentiality and security practices of business associates.
In presenting this report, the NCVHS acknowledged that the broad contour of the NHIN is still being determined, and the NCVHS will continue to update and refine these recommendations as the architecture and functional requirements of the NHIN advance.
So that is one little section on privacy, and it is the one that is most substantively changed. We added a bunch of information in there, some of which is descriptive, and we added the recommendations and so forth.
The rest of the report really -- there were some kind of wordsmithing changes. We added some things for clarity, but, in substance, it is really quite similar.
I know that there are people who want to get out of here, because of the weather, but if you have comments now, I’ll be happy to take a note of them. If you want to look at it overnight and give it to me tomorrow morning -- I don’t know what we are going to be doing tomorrow. So please let me know how you want to handle this.
I have to say that I don’t think the report, in my view, is ready to be voted on tomorrow --
DR. COHN: Yes. Well, let me tell you what my thoughts were. I’ll ask the committee for their perspective on this one.
None of you have seen this before, and, Maya, I appreciate you reading the pertinent sections, but I do think people need an opportunity at least to look at it.
Now, if the committee actually -- if the meeting occurs tomorrow, and we’ll obviously have a meeting if government is open at its regular time, but I think, given that we would have a 12 noon adjournment anyway, if we start here about 11 o’clock, start to the government, or even a 10 o’clock start, I’d say that, at that point, you probably ought to just -- you know -- this would be the end of the meeting, and other activities can occur as they might.
But if, indeed, the meeting occurs tomorrow, you can all read this tonight, bring your thoughts in.
My own view is is that if this were to be passed, it would be passed in the sense of being referred to the Executive Committee -- the Executive Subcommittee to further work it, refine the content and all that, but with no new conclusions or additional content than what you are seeing, and so that would be certainly one option, and so --
MS. BERNSTEIN: Can I just add one other thing, which I forgot to mention, which is --
DR. COHN: Sure.
MS. BERNSTEIN: Since you are talking about the conclusions. The conclusion paragraph is also exactly the same as last year.
DR. COHN: OK. But --
MS. BERNSTEIN: So if you, Simon, or the committee wants to actually make -- suggest some actual conclusions, that would be good.
DR. COHN: You know, I think we need to be careful -- We had talked about this at the last meeting about starting to go far beyond where any of our testimony, letters or deliberations, which occurred last year. Because there are some additional things I would like to put in here, but they are my good ideas generally. And I would suggest if you have additions for the cover letter, which is where we can go a little further, that is fine.
But, once again, I think what I am saying is we have an option tomorrow, if we meet, to basically adopt this, refer it to the Executive -- or not adopt this, but basically refer it to the Executive Subcommittee to complete and get out.
If we don’t have a meeting tomorrow, then I am going to suggest that what we need to do is, within the next several weeks, is to put together a conference call of the full committee to consider this as well as any other items and get this dealt with at that point.
So I think those are sort of the two outcomes, unless others have other ideas.
Marc.
DR. OVERHAGE: Being ignorant, I can ask these things.
DR. COHN: Please.
MS. GREENBERG: Talk into the microphone.
DR. OVERHAGE: Thank you.
DR. COHN: You can only ask things if you get to the microphone.
DR. OVERHAGE: I can do that.
You made the comment --
MS. BERNSTEIN: (Off mike). Stupidity.
DR. OVERHAGE: -- feels very mechanistic --
MS. BERNSTEIN: Yes.
DR. OVERHAGE: -- and it does, and, I mean, it seems to me, if I were a member of Congress, the question that I’d want to know the answer to is did we achieve any of the aims that we wrote this legislation to achieve, and this framework doesn’t really lend itself to that.
And I heard your comment about we can’t go beyond what we heard, but, on the other hand, it seems to me that there’s a level of synthesis of what we have heard that might speak to that.
And being a newbee, I can ask stupid questions, and being old me, I still ask stupid questions.
DR. COHN: No, no. Let me address it -- you know, in the cover letter, I made a couple of additions talking about moving from implementation to optimization.
And, at least from my view, and based on some work I had to do last year really trying to synthesize what has happened over the last couple of years, I am actually personally becoming convinced that we are actually -- that that transition is beginning to take place -- things like WEEDIE(?), CAQH, other things really taking the basic substrate and turning them into business opportunities, hoping to really improve administrative simplification.
Now, unfortunately, I don’t think we ever got to that level of putting it together at the full committee level, and so that is why I put it in the front cover letter, but didn’t try to stick it into the body of the text, even though that would have been my preference, and probably would have addressed your concerns a little more.
Now, Maya, you had a comment, and, Marjorie, you have a comment.
MS. BERNSTEIN: Yes. I should have mentioned, Simon did make a substantive change sort of in the middle of the third paragraph of the cover letter, as he said, talking about the move from implementation toward optimization of -- That is all I had to say.
Marjorie.
MS. GREENBERG: Obviously, I haven’t had a chance to read this yet, but I think a rather significant part of the report does deal with the lessons-learned section from the letter that was done by the committee. So, in that sense, Marc, I think there is -- there was an effort by the committee, held hearings on return on investment and all of that, and did synthesize that in this lessons-learned letter that has already been sent, but is included in here.
I would say there is one really new thing about this report. This is the seventh annual or something? For the very first time, the cover letter says, Dear Madam Speaker.
MS. BERNSTEIN: The one that I got handed, actually, last week still had Hastert’s name on it. I thought, Hum. That is not a good sign, because we haven’t looked at it in a while. So --
MS. GREENBERG: I will say, too, that --
PARTICIPANT: -- November.
MS. GREENBERG: -- if we have a conference call --
MS. BERNSTEIN: -- early November. It hadn’t happened yet.
MS. GREENBERG: If we end up voting on this in a conference call, it will be an open conference call, open to the public.
DR. COHN: Sure.
DR. TANG: Can we send out a copy to the hinterland, please?
MS. BERNSTEIN: Absolutely. I will, this evening, electronically send it to everyone.
Is that Paul?
PARTICIPANT: Yes.
DR. COHN: It is Paul.
DR. TANG: Correct.
MR. BLAIR: It is Paul in the hinterland.
MS. GREENBERG: And Carol and Don are not here --
MS. BERNSTEIN: I’ll just send it, or have your office, Marjorie, send it to the full committee, so they have an electronic copy. That might be more useful to them, because we don’t know what is going to happen tomorrow.
MS. GREENBERG: Okay.
MS. BERNSTEIN: So just everyone will have it.
DR. COHN: Yes, I actually just wanted to also further go back to Marc’s comments, because I think he actually did a great job of, I think, bringing up, I think, one of the essential issue that we were, I think, all trying to get our arms around, which it would be nice, given that this is the 10th anniversary of HIPAA, to do something that was a little more thoughtful, I think, as Marc, has described.
If we have some more time, we can certainly do that, because there may actually be some external data that really does help us begin to put some of the pieces together, some of which may not be from testimony.
But, once again, I mean, if we agree to the broad themes, and I think that a reasonable question, I think, Marc is asking is, Geez, it his moving us towards administrative simplification, and is that providing some value to the industry, I think is what you are asking, right?
DR. OVERHAGE: Better said, yes.
DR. COHN: And if we all think that that is a reasonable piece, if there is some data that we can put together, that would, I think, be a useful part of this thing, but not to be done between today and tomorrow.
Yes.
MS. BERNSTEIN: Right, and, actually, let me ask the question: It occurs to me that the requirement for this report is only to report on HIPAA, and we could confine ourselves just to that for this report in order to get it out and meet that requirement.
And I am not sure, but I don’t think there -- you know, let me ask. Is there any reason why the committee couldn’t separate the 10-year kind of lessons learned or 10-year overview that you wanted or retrospective that you want to do on HIPAA into some other document?
You can generate a document, I think, whenever you want to, if the committee agrees, and you could have more time to develop something like that.
I mean, let me -- is there any reason why we couldn’t do something like that, if you really wanted to spend more time and make it say something different?
What I am asking is do we have to use this report as the vehicle? Can we do a separate document on that --
DR. TANG: I think we can actually accomplish what Marc is proposing in the scope of this document.
For example, I do like what you wrote about privacy, because, in a sense, I thought it was forward looking. It referred, in a backward way, to say, Well, what were conditions back in 1996, this isn’t true in 2007, and here are some four things you can act on going forward to protect Americans’ health information going forward in the next 10 years.
And I think there are other similar comments in some of the other areas, whether it is security, as we just heard earlier this morning, or the streamlined way we had to deal with data standards.
So there’s a lot of ways that we can use this letter to talk about some of what we did in the past 10 years, but also how the world has changed and what needs to be done in the next five even.
So I think it is a great springboard, and Marc’s idea is a good -- a good perspective to take with this, and, as I say, as an example, I think we did that with privacy.
DR. COHN: Yes.
John Paul.
MR. HOUSTON: In terms of protocol, this is our opportunity -- I mean, in the sense that there is an obligation for us to issue this report, really, and it is issued directly to Congress -- correct? -- that this is really the one time that we have sort of the statutory right and obligation to make this report.
Otherwise, isn’t it really more protocol for any other types of reports to go to the Secretary?
So this is the one time that we can decide what subjects are related to HIPAA -- one opportunity to put those into a document and have them go to somebody other than the Secretary.
I think they need to be reasonably related to HIPAA. Then we can decide how narrowly or broadly we want to add to the document, but I think, otherwise, I think if we really wanted to do some other type of document, we need to send it to the Secretary for first consideration.
MS. GREENBERG: Well, and we will be doing an biannual report, which we do on the entire committee.
MS. BERNSTEIN: And to whom is that sent, that report? I am just --
MS. GREENBERG: That goes to the Secretary, though sometimes we send copies around.
MS. BERNSTEIN: Does the charter -- I am just asking, because I don’t know -- the charter of this group say that it advises only the Secretary or the Secretary and the Congress?
MS. GREENBERG: No, not the Congress --
DR. COHN: Yes.
MR. SCANLON: But the statute --
MS. BERNSTEIN: The statue gives us --
MR. HOUSTON: But that is the opportunity for us to -- so --
DR. COHN: Yes.
MS. BERNSTEIN: The obligation there is to report on HIPAA, not all the other activities.
MR. HOUSTON: And I agree with it, but my point is is we -- if we want to be a little expansive in looking at HIPAA and issues with re HIPAA and applicability and how it might be -- need to be amended to address some of these other current topics and issues and technologies and whatever else, and I think that is reasonably within our right to add it to this report, but, again, I think it is this report that is a vehicle --
MR. SCANLON: And some of it does. The 10-year look-back, I think, actually identifies areas that need another look as well as privacy and --
But, presumably, all of the content here has already been sent to the Secretary, for example.
MS. BERNSTEIN: Right. I mean, I appreciate that, Jim, because that is the caution I would want to make is that the report traditionally has been a report on activities that have already happened, and, to the extent that you want to look forward, there is a risk that you would be getting into areas where the committee has not acted and has not, as a committee, formed an opinion.
So that is just a little bit of a dangerous edge there.
DR. COHN: Yes.
Jeff, and then we need to wrap up.
MR. BLAIR: OK. I suspect that this would broaden the scope beyond what we are capable of doing. So I’ll mention it just in case it is possible.
Obviously, we have to do this report in terms of HIPAA.
The scope of the NCVHS has expanded far beyond that, and a lot of the things that we have done that I think that are most compelling and help the nation the most have gone beyond that, including the recommendations for the National Health Information Infrastructure, the follow-on work we have done with the National Health Information Network, responding to Congress’ directive for e-prescribing, the work that we are about to go into, maybe, with secondaries of data, for lack of a better phrase, the populations work, the quality work, the privacy work.
So my question is is there any ability for us to say, OK. Congress has asked us to produce this letter. However, essentially, the scope of NCVHS has -- we have built off of the platform that Congress has given us with HIPAA. We have expanded the committee. We have gone ahead and done what HIPAA specified, but we have begun to go far beyond that, and, somehow, this document would wind up listing the greater role of NCVHS than for Congress to just perceive us as the executor of HIPAA standards.
DR. STEINDEL: Jeff, I’d like to interject a comment. I think the latest figure is what, Marjorie? Fifty-seven years old is what this committee is?
MS. GREENBERG: 1949, going on 58.
DR. STEINDEL: Fifty-eight, and 10 of those years were HIPAA.
I think there’s a lot of history behind that and a lot of what we are doing today actually relate back to some of those early charges as well.
MS. GREENBERG: Thank you. I didn’t even pay you to say that.
(Several participants at once).
MS. GREENBERG: But we do have to close.
MR. SCANLON: Yes, let’s close.
No, the other thing is we have been including other activities beyond HIPAA, Jeff, actually for the past three or four reports, as long as it is somehow related, in terms of NHII or e-prescribing standards and so on. So we sort of took it where it was a natural path.
I don’t think we want this to be a report on committee activities --
DR. COHN: Yes, I think it is a delicate --
MS. BERNSTEIN: We could also just clearly label those.
DR. COHN: Yes, I think it is a delicate balance.
Now, Kevin has a question or a comment, and then I do need to wrap up, because Marjorie tells me we do need to --
DR. VIGILANTE: Right. And this is just about -- if there is a tomorrow.
So the Population Subcommittee has a scheduled hearing from 1:30 to 5:30 with a lot of external guests coming in to testify on the data needs for surge capacity.
So if the -- say we start late -- assuming if the government is closed, that is off. If we start late tomorrow, is the whole schedule going to be pushed back, and, therefore, ending our committee meeting or could we still hold that meeting?
DR. COHN: Let’s get this settled before we leave, but let’s finish up this thing for just a minute here, which is, Maya, you’ve gotten some input. We will obviously work with you on it. As I said, there are two outcomes. Either tomorrow we talk about it again, and, hopefully, we’ll get a chance to review it tonight, regardless, and provide input even if we don’t see each other.
If we don’t meet tomorrow as a full committee, then what’ll happen is that we’ll do a conference call, and, hopefully, look at a more refined version that has all of this together.
So, Maya, is that helpful for you?
MS. BERNSTEIN: Yes. My only concern is that having just handed this out in paper form today that may disadvantage some members of the committee who won’t be able to review it tonight, have other obligations, or, for whatever reason, can’t review tonight, and won’t be able to get back to me by tomorrow.
I don’t want to push people into -- you know --
-- because of my failing --
DR. COHN: If we act on it tomorrow, it would be being referred to the Executive Committee, okay?
MS. BERNSTEIN: I appreciate that.
DR. COHN: Now, Okay. So that is one outcome of this thing.
Now, Kevin is asking the larger question of what do we do tomorrow?
Now, first of all, if this building is open, if Washington is functioning, which I think we have every reason to expect that by noon tomorrow, if we keep our fingers crossed, that things will be functioning.
My understanding is is that the hearing will go on as planned. I mean, we aren’t pushing back this meeting and then going to start at three o’clock and go to seven or eight tomorrow night for that hearing. I mean, we are very respectful of the fact that you have gone to a lot of effort to try to schedule that.
So, as I said, the only reason that won’t happen is that there is such a storm tonight that they actually close the offices all day tomorrow.
So let’s talk about tomorrow morning.
Now, we can handle tomorrow morning a couple of different ways, and I have said a couple of different things just in the course of the last hour and a half.
Now, obviously, if the buildings are open tomorrow morning, we just continue on, and we start at eight o’clock in the morning with --
PARTICIPANT: Quality Workgroup and Privacy.
DR. COHN: With Privacy and Quality Workgroup, and then we go to a full meeting at nine o’clock.
Now, it is very clear to me that if the buildings are closed to 11, that it doesn’t make sense for us to convene and we ought to just cancel the meetings.
Now, the only thing that I need some advice on is is that --
PARTICIPANT: Excuse me, Simon. Cancel everything?
DR. COHN: No, no. Just --
MS. BERNSTEIN(?): Just the morning meeting, full committee.
PARTICIPANT: The morning meeting.
DR. COHN: Yes. I mean, if the buildings are closed to 11, the full committee is cancelled, right?
MS. BERNSTEIN: They will usually give us like a two-hour delay, but whenever your work schedule is -- right?
MR. SCANLON: It’ll be referred to, most likely, unless it is closed completely as a late opening.
MS. BERNSTEIN: A late opening.
MR. SCANLON: Whether it is -- for some folks, that’ll be nine. For some folks, that’ll be 10.
MS. BERNSTEIN: If your usual work hours are seven to four, then your start time is nine. They stagger the commute times, Simon, so that people aren’t all commuting at the same --
MS. GREENBERG: Well, I think the question is since -- I know I was talking to Justine at lunch that the majority of her subcommittee members or workgroup members were going to be on the phone, in any event.
DR. CARR: I have a new one.
MS. GREENBERG: So if we have a call-in number, can they have that call by phone?
DR. CARR: Sure. We have a call-in number.
MS. GREENBERG: We have a call-in number, right?
DR. CARR: Yes.
MS. GREENBERG: It doesn’t require someone to -- or maybe it does require someone to initiate it, but you can give me the information or something. You don’t have to make the call from this building, right? Just a leader code. Yes.
So maybe, if you want to just say the quality group is going to meet at eight o’clock by phone.
MS. MC CALL(?): Is there a dial-in number already for that? I didn’t see it on the agenda. I may have missed it.
DR. CARR: There is a dial-in number, yes. We might want to repeat it.
MS. GREENBERG: Is there a dial-in number?
I mean, do you want to go ahead with that, as a call?
DR. CARR: Sure.
MS. GREENBERG: Since it was going to be a call anyway, probably, mostly.
DR. CARR: Yes, I would like to.
MS. GREENBERG: I’ll call in.
MR. BLAIR: That number is --
DR. CARR: All right.
PARTICIPANT: The number is --
MS. GREENBERG: OK. So here is the number for Populations and Quality -- well, populations will not be meeting this afternoon, but this is for tomorrow morning, if the building is not open.
If we are opening at regular time, we’ll just come down here, but if there is a delayed opening or the building is closed or the federal government is closed, if you want to have the call, you can at 866-810-6849, and the participant code -- that is for everybody, right? -- is 953-3543.
And then I’ll just have to get the leader code.
DR. COHN: And that is for the Quality Workgroup.
MS. GREENBERG: That is for the Quality Workgroup.
DR. COHN: Yes. Now, for the full committee, if everything opens up, we are here, we start at nine o’clock, as previously specified.
If it is a delayed opening -- and I have obviously been informed by Jim and Marjorie about what delayed openings mean -- I’d say we start at 10 o’clock, and we’ll go for two hours and then adjourn. OK?
But, obviously, if it is anything beyond that, then we are just cancelling the meeting -- cancelling the full committee meeting tomorrow. Okay?
Is everybody clear about that? Does everybody --
DR. STEUERLE: Could I suggest --
DR. COHN: Gene, please.
DR. STEUERLE: For the afternoon meeting, I think you’ve got an additional problem -- people who will be traveling in need to know -- they can’t be told --
DR. VIGILANTE: We don’t have too many of those. We only have two, maybe three from CDC, but --
DR. STEUERLE: Can someone call them --
DR. VIGILANTE: We are going to have a contingency plan. We are going to send an email tonight, keep everybody posted, and then follow up in the morning.
Hopefully, they will begin their travels in the morning.
MS. BERNSTEIN: OPM will make that announcement quite early in the morning, generally --
MS. MC CALL(?): Well, how will this entire group know what the status is? What is the best way to find out?
MS. BERNSTEIN: OPM’s website? Radio?
MR. HOUSTON: There is a website you can go to, and the website is, again OPM.gov --
PARTICIPANT: (Off mike).
DR. TANG: Actually, we couldn’t hear on the phone.
PARTICIPANT: If you just go to OPM.gov --
PARTICIPANT: OPM.gov.
MR. HOUSTON: www.OPM.gov --
PARTICIPANT: That’s good enough. You can navigate --
MR. HOUSTON: Actually, if you go to status, it is even easier. So OPM.gov/status, and, from there, you would select -- there is something that talks about whether the government is open. It is under O in the index.
DR. COHN: Yes. Or for those of you who maybe are -- like to use the telephone, you can actually call the NCHS number, which is 1-888-NCHS-TEL.
MS. GREENBERG: I may have given you the wrong participant number. Got two different numbers here. I’m sorry. Did I give you the 160-5430 for quality?
PARTICIPANT: No.
MS. GREENBERG: That’s what I was afraid of. That is -- the quality is the 866-809-2782. I think I gave you --
(Several participants at once).
MS. GREENBERG: All right. I gave you the NHII.
MR. BLAIR: Start at the beginning.
MS. GREENBERG: I am completely confused now. No, what I gave you is correct.
PARTICIPANT: You -- say it one more time, just --
MS. GREENBERG: Yes. Right. I gave you the right -- It starts with 866 and it is 953-3543. Yes, I gave you the right one.
DR. CARR(?): That is the participant code for the call-in number?
PARTICIPANT: Yes.
MS. GREENBERG: Everything I gave you was correct. There are two different numbers here, and it is a little confusing, but that is correct for the quality. I just need to get the leader code.
And I think we are just cancelling out on the restaurant.
DR. TANG: So, Simon, are you going to cover the other workgroups or are we having similar calls or what is going on there?
DR. COHN: No, we are cancelling the other workgroups.
MS. GREENBERG: The only working session that will be held by phone, if not held in person, is this quality one.
DR. COHN: Yes.
DR. TANG: OK.
DR. COHN: Yes. The other workgroups will handle various conference calls to deal with the work that they would have done face to face.
OK. Well, with that, is everybody reasonably clear about what the plan is?
MS. GREENBERG: Dinner is cancelled.
DR. COHN: And those who deal with the cancelled dinner can talk among themselves and see if they still want to go out for dinner later on.
Anyway, with that, our meeting is adjourned. Thank you very much.
(Whereupon, the meeting adjourned at 2:44 p.m.)