Friday, September 18, 2009

HIT Policy Committee 9/18

The HIT Policy Committee met on September 18, 2009. I have posted the meeting materials and rough draft transcript below:

Meeting Materials:


    Welcome to the fifth meeting. This is federal advisory committee being conducted in public and there will be minutes from the committee meeting in a week or 10 days. A reminder to members of the Committee to please identify yourself as you speak so the people listening on the Telecom and over the Web know who is speaking. But he just have the committee go around the room and introduce yourselves very briefly. I will begin with Scott white.

    Good Morning everyone, scuffed white 1199 SCI you.

    Mike [indiscernible] John Hopkins.

    Judith Faulkner, the edit.

    Gail "Herald," former state repeats of different Florida.

    Rick Chapman from kindred health care.

    Christine Bechtel, a national partnership from women and families.

    David Bloom Paul.

    Real talent. Paul Ackerman.

    Art Davidson.

    Mark probes with intermountain Health Care. Jim [indiscernible]. Michael Lerner.

    Frank [indiscernible].

    Do we have any committee members on the telephone? With that I will turn it over to Dr. Blumenthal.

    Bank you Judy. They give to all of our members and members of the public were with us. We have an exciting day ahead of us, some presentations on a topic of great interest to the committee, the Austin national coordinator, and I need to the public as well. That is the issue of the privacy and security of personal health information, stored and transmitted electronically, and exchanged electronically in a health information system, and that is a power enabled by [indiscernible]. We're focusing today primarily on technology and there is a focus on this to related issues, it would be on privacy for today. I wanted to make members of the task force, and [indiscernible] putting in this day's work together, and members of the task force representing both the policy committee and the standards committee, including Paul Tang, my coach here, Dixie Baker and Steve Finley as will as those are members of the Policy and Standards committee. And as well as the -- [indiscernible] Sue Kendra and Andrew sparrow from the Office of Civil Rights, which has major authority under high-tech legislation for new authorities that are available for privacy protection.

    We are here in learning mode. We understand it importance of this issue and we understand that increase in the public interest and we understand that we have to get this issue as close to right as humanly possible in order for the benefits of electronic technologies to be realized in the practice of medicine and health care to me.

    -- generally.

    After we hear the testimony we will hear today, we will go on and studied the recommendations made by the Health Commission Technology Standards Committee just a few days ago on a standard it's related to privacy and security. Those recommendations were made to me as we -- the national coordinator. There are only recommendations, bought by any means fixed in stone but we pay close attention to our standards committee just as we will pay close attention to the testimony we have today and the public input that will follow.

    And to the comments we received constantly from interested observers and members of the public, there will be summaries, and there will be previews of today's testimony and of the standards. We will then not likely to further work, probably both within the context of today's policy committee as well as within the context of the standards committee. And I know that the standards committee is planning for their work on the privacy and security standards that they themselves recommended to us last -- and earlier this week.

    This hearing is well timed because of those recent recommendations for standards, and I wish that we could say that we planned at this hearing with foreknowledge that higher standards committee would make recommendations this week, but we are just lucky that the timing marked out the way it did, but I think it is auspices that we have this first set of recommendations on an issue that we're about to deal with today.

    We also are going to be thinking about as we go forward with other issues and other agenda items for this committee. We have done an enormous amount of work, and I am continuing to be extraordinarily grateful to all of the members who are here as well as those who could not make it today for their commitment of time and intellectual effort, and ended their tennis and productivity and serving the needs of the public through this process. Hi perhaps in our next meeting we will discuss with you and the Office of the national coordinator will sit back and consult among ourselves and members of the Committee about a next set of issues that we might want to take on within the mandate that this community has, which is it's very broad mandate for providing advice to the national coordinator. One area for example that we may want to pick about more in the future is the nationwide Health Information Network, and how that Health Information Network should be organized and governed calling for it. The office of the national coordinator is specifically tasked with developing governance for the nationwide Health Information Network, and it is likely that we will be engaged in the very near future and will making on that topic. And it is obviously a vital topic for the future of information exchange in this country.

    We will also work to coordinate the agenda with the [indiscernible] and Health and statistics. They have done that primary worked for many decades in the field of privacy and security and we will hear from one of their members today on their work, but they continue to be a resource to the federal government on the issues of data used in practice the and the exchange, and we want to coordinate our agendas going forward.

    So having said that, what I will do right now is at my cochair, Paul Tang, to go over to a specific agenda for the day and then we will die in. We are going to probably have a shorter breaks and is listed on the calendar today, but I will let Paul justify that to you and then ducked.

    Because what else is the vice chair for?

    And we all remember from the very first meeting, the first hour we all agreed and acknowledged that privacy is foundational two any initiative [indiscernible] confidentiality information. And we created pregnancy as one of the foundational categories. And we had additional sometimes calledder eight topics on which this committee is supposed to make recommendations on. So it is fitting that are forced doctors to full committee meeting deal with this topic of privacy, so this is an informational hearing, there may be other kinds of ways to get information to go through and the deliberations, and potentially make recommendations to the national coordinator in the future. That we need to address as a country if we are going to wire the country and expect to safely to its net confidentiality information to people who have that need to know.

    David also mentioned that in the recovery Act itself there are a number of new provisions on top of the hippa that we know and love so well. And Joe ONC will summarize some of these new provisions so we are all on the same page and in that context we will go forward this morning.


    Good Morning everyone, it is very exciting to be here to have a hearing on the privacy and security the HIT and I am excited to kick this off. When we were setting this up, the task force that organize this thought it would be helpful since everyone on the committee and listening might not have all of the background on privacy and security policies and laws, and the changes that came out in ARRA, to give give a bit of background for the content for the rest of the day. That is what I intend to do.

    So just from the onset, what I have heard, both David and Paul say that the [indiscernible] Russ on consumer and provider confidence in the present security protection of the information. This is critical and fundamental to our achieving meaningful use of health information technology. One of the ways that we're hoping to be able to do this is to try to leverage the technology to improve protections on the existing policies that we have today.

    All looking for is that some of the existing policies that we have today, ARRA Really builds on a foundation that has already been in place and is something that is something that we are looking to build on top of that foundation new policies to help advance our help ID and health information exchange efforts. Privacy laws, it HIPPA being the most prominent but there are other federal laws on privacy, particularly health information rules regarding substance abuse treatment information. But hippa sets a floor for privacy protection and allows state laws to exceed those protections, so there is a whole host of state privacy laws all across the country that provide additional privacy protections on top of the federal protections that exist. It also represents an challenges for folks to try to comply and understand all of those. State laws and that is something that we have been looking at and working through at ONC.

    There's also a lot of guidance in privacy and security both explaining and how folks can comply with those rules but also in December of last year, it's a privacy and security framework for the health information exchange that establishes the backbone of how privacy and security policies and practices should take place.

    This free market establishes a high-level principles for privacy and security and that is something we hoped to build on this year. We did use those principles as the basis for setting up the panels in the discussion we are having today to make sure that we're representing the whole array of privacy and security issues that are raised when we are talking about health information technology.

    And then we have a lot of privacy development topics that are ongoing, most notably the [indiscernible] coverage in which has engaged actors within 42 states and territories to look at their privacy and security policies in their state and think about how they work as we are moving to a more electronic role for the health-care industry, and how that effects and the state policies affect interstate exchange.

    And then there is ARRA and that sort of change this Foundation and the game and I will spend most of my time talking about some of this changes.

    One of the most notable changes is the changes with regard to business associates. The recovery Act has made it so that the HIPPA -- seven HIPPA privacy and security requirements now apply to business associates and they can be held accountable by HHS for complying with those requirements. It also establishes that certain entities like health information exchanges do have to engage in business associate agreements with covered entities, for exchanging that information.

    Another 1I think is the most notable of my changes is the new requirement for breach of notification of health information. What this provision did it is forever [indiscernible] business associates, and there is a breach of health information, they have to notify patients of that breech and a half to insert cases notify HHS as well.

    OCR has come out with rules in this area recently and I will talk to that of a bit and what the status is of those rules after we get through that provisions.

    What is interesting is that ARRA went beyond its covered entities and business associates and gave the Federal Trade Commission the authority to acquired breech notification for vendors of Ph are and desert bunkers entities and HIPPA came out with [indiscernible] -- those roles King out recently.

    The interesting thing for both of these is that Congress and ARRA stated that, if an entity renders protected health information unusable, unreadable, or indecipherable, that there is no requirement to notify of a breach. So this is like Steve harbor. Commission and it is not usable two someone that gets access to it and is not authorized to have access, it is a requirement to notify them in case of a breach.

    ONC works closely mid OCR in coming up with this guidance and basically states, if information is either been destroyed or appropriately and corrected, it meets this standard, and therefore if in fact there is a breach, the data is encrypted and the activity does not have to do the notification. So it pushes people to tighten security measures with respect to their information so that they don't have to comply with the breach notification requirements.

    By this is not something that is mandatory but it is encouraged.

    The recovery Act also did a whole host of changes to the rules themselves and required guidance and a lot of areas.

    They provide now that the individual has a right two restrict disclosures to a health plan for payment for health care operations if they pay out of pocket for that service. So it's an individual does not want their health plan to know about a particular service they receive, they can pay out of pocket and then request and have that request honored at the covered entity does not share that information for payment or health-care operations with a plan.

    ARRA also require that a corporate entity than the use of disclosure and repressed for personal health information to limited data sets, so this is where some types of data are stripped from the information, or if that is not possible, use the minimum necessary, and required HHS to develop Arkansans on the necessary to help compliance with that.

    Their new provisions on accounting for disclosures. The accounting for disclosures provision under the HIPPA privacy will request that an individual can request information about disclosures made of their health information for particular types of disclosures, and usually the Renan retain disclosures.

    But ARRA said was if an entity has a non electronic health record they would have to provide electronic disclosure for payment, treatment and health-care operations as well.

    This is an area where they are looking for some guidance on standards and where OCR will be coming up with the recommendations.

    ARRA [indiscernible] copy of their health information and electronic format if they have something on the electronic health record in this committee and recommendations on meaningful use does have recommendations about electronic access for consumers, so very much maligned by this requirement.

    There are a lot of changes.

    The recovery Act also prohibited covered entities and business associates from receiving remuneration for personal health information without depth person's health information, and receiving remuneration for information about products and services. There are some exceptions to these roles, but the goal here was to try to limit the ability for folks to use an individual protective health information and receive compensation in exchange for that.

    The regulations -- the statute also has some requirements for regulations to provide clear opt outs for covered entities for the individuals so the individual has a more clear opportunity to opt out of any fund-raising opportunities. And this last one is interesting and I think it is one we are taking on at RSA, due to a study and provide recommendations to Congress on privacy and security requirements Ford not covered entities. Particularly PHR benders and similar types types of organizations. So those vendors and other consumer taste -- vendors that provide consumer facing tools are not always covered by HIPPA rules because they're providing a service to that consumers, not by provider of health-care plan. So in that case these might not be covered and in that case what is the right kind of protection for those entities? How should the information be safeguarded when they are held by these types of entities? And ONC is required to work with the Federal Trade Commission and thinking through some recommendations to Congress in this area.

    One of the other key changes I think that affect the entire purpose the and HIPPA roles RFP [indiscernible] in ARRA. ARRA extended Deaf HIPPA and civil penalties -- business as as its complaint with the federal laws. It also change the civil penalty structure to increase the penalties and get more enforcement authority and [indiscernible] to the enforcement.

    In addition, to that, not just relying on the federal government to enforce hippo pools, Congress provided in the ARRA that the Attorney General have the authority to enforce it of provisions and that is something that OCR is providing some assistance with the attorney general and how to do that.

    And normally, there were some debates over the years about whether or not the individuals or employees of a covered entity could be held criminally liable for invasion of the HIPPA privacy role and some interpretations of if they could. So Congress can act and make a clear statement that in fact in place and [indiscernible] can be made liable for violation of HIPPA.

    And finally, under enforcement, ARRA required periodic audits by HHS to ensure compliance with the privacy and security rules and that is a gene that OCR is looking at right now on how best to do that.

    So those are the changes in the HIPPA rules and that structure and enforcement of those, there is a series of studies and reports that Congress had asked for in the area of privacy and security and areas of compliance with the HIPPA rules, the report on not covered entities and protection for those not covered entities as I mentioned. [indiscernible] treatment purposes which is something that GAO was looking at, and guidance on interpretation for [indiscernible] -- study on the definition of psychotherapy notes. So there are some areas where there was specific changes but there was a request by Congress for study and breasted either provide guidance or reports back to Congress and some of these areas.

    Trading and requiring OCR to do some national outreach and education. This is something that they are planning two do with respect to HIPPA and ONC has been working closely with HIPPA to provide security and privacy education even more broadly than in compliance with HIPPA rules.

    OCR is also required tap regional pride is the advisors to provide education in the region's for both providers and for consumers.

    Now how is this all want to happen? I mentioned the bridge notification regulations and I am just focusing here on HHS regulations setting that FTC is also regulating in the area of breech notification.

    HHS did a request for information in April 2009 on our guidance for how to render PHI unreadable or indecipherable. We received guidance on those and incorporated that into our final guidance which went out into the final interim will not breach the petition which was published just last month by HHS. It is an interim final rule which means that it is final, it is effective the 20 third, so next week. According to the statute, which the interim final rule was published, but it is interim final rule. So HHS is accepting comments on this rule and the comment period ends October 20 third 2009, and then HHS and OCR will be finalizing not rule it to the comments that we received.

    There will be a separate regulation on enforcement just to explain some of the enforcement provisions that were put forth in ARRA and there were some areas in which Bosier are wanted to make clear how the enforcement provisions work, although those are in effect currently, those were one of the areas that became effective right away.

    Then finally, what do regulations on the HIPPA modifications themselves. All the issues that I discussed where ARRA made some changes in the HIPPA privacy and security rules will be incorporated into a regulation, and the effective the date for those modifications under the statutes is February 2010. Self OCR is working diligently to try to come out with the proposed rule on those modifications.

    So you heard Paul tank and the Committee talk about the ARRA eight many times and I thought it would begin to put them on the screen and make folks aware of them and I did cut some out if you are familiar with them. I also added in some of the optional ones which go beyond that ARRA eight. Studies are privacy and security topics that the health piety and Policy Committee is supposed to take a look at according to ARRA.

    The first is technologies to protect the privacy of health information and promote security in the electronic health record. And this includes protection from disclosure of specific sensitive and individually identifiable health a commission with a goal of minimizing the reluctance of patients to seek care. So this is the goal of trying to consider technology. Segmenting data so that patients and providers can choose to protect certain information separately other health information.

    It also provides the use and disclosure of limited data sets. So that is one of the ARRA aid.

    And this is also related and I wanted to put it on there because privacy and security also goes to the privacy and security of data and that is infrastructure that allows for the accurate exchange of information as another area that this committee is authorized and suggested to the cat. Technology [indiscernible] I mentioned that was an area of change in the regulation that OCR would be making some modifications to the head up rules on and that is an area that this committee is expected to weigh in on. Technologies that allow individually identifiable [indiscernible] indecipherable to authorized individuals, this ties into the breach notification provision.

    Just as a note, we are required by the statute to update the Titans annually, so as technology develops and as the ability two better secure information develops, the expectation is that we would modify that guidance to reflect the changes in the technology, so that is an area which your advice would be helpful.

    And finally, this is not and that ARRA eight but one of the optional ones, that is to facilitate security access to personal health information by an individual or person assisting in the care of that individual.

    Suggest a small task for the Committee to take a look at.

    Now I wanted to turn to standards. And David started talking about the standards committee and the privacy and security recommendations that the standards committee came out with and I've wanted to touch on those and put those on reader screens and let people know that the areas where the standard developments and some of the thinking that the privacy and security worker had in making the recommendations to the full committee and in the full committee making those recommendations to ONC.

    The first thing that wanted to highlight before getting to the specific standards is that the standards that were recommended our standards for the products or platforms, but those are enablers to protect information and those standards don't necessarily protect the information themselves. They have to be part of a more comprehensive approach and tied to policies and practices for implementing those technologies and implementing those policies. So we can have a standard for authentication of a user, and then we have to make sure that the technology is available, password protection is, say that placing [indiscernible] it really has to be part of a comprehensive security in place, and with the standards committee did was suggest standards that should be, and capabilities that should be incorporated into the technology, and they are planning to go back and look now at the best practices that folks should be considering in implementing those standards.

    And so these are as defined by that privacy and security work group of the standards committee, that demeans and areas that they focus on. They have to provide products and infrastructure Standards and different domains and areas that the focus on. And I will not go through -- I will put my caveat, I am not a standard expert, I am a lawyer and Policy person although I have gotten a great education on standards in the last few years, and I understand enough I think that I could know the significance in the policy indications of many of the standards that were recommended.

    In deliberating on the standards, they were looking at lots of different things. One thing was there and making sure that there was architecture independence and we're not dictating a particular architecture by selecting security standards. They also consider the security of the standards. They wanted to make sure their work standards that were in commendable but they also wanted to think about how they were pushing the standards over time. And so they looked at our roadmap of 20 and 11, 2013 and 2015 for the security standards in 2011, they pick standards to recommended to ONC that were mature and in widespread use, standards to develop over time to go along with the elevator that we talked about for meaningful years, getting people on the elevator and try to get them started off using security standards and then trying to move them up to using more and more secure standards over time.

    A couple of ones that we're trying to highlight, for privacy and security the recommendations for both inside the organization as well as the exchange for information, which is different than the Interoperability specifications and standards that the standards committee are recommending. The Interoperability standards were for the exchange of information but not necessarily what [indiscernible] do within their organization. In this area, the committee thought it was important that the standards applied both in within the organization as well as the exchange of information to make sure there is true protections of the information.

    They also make sure that when they mentioned their work architecturally usual, they were making sure that there weren't stifling intermission and coming up with standards that dictated particular architecture, to that was something important and the transmission of security standards and having an option for the standards that could be used in that area.

    One area that they have noted that need some work, is the consent management standards. They did recommend standards in that area that gets the ball rolling and then it gets enabled a low of consumer preferences but it does not get to segmentation of that data. [indiscernible] with HITSP in those areas and the expectation is that as those standards developed they will be looking at those in considering whether to make recommendations in those areas.

    The other 1I wanted to point out is the third one, accounting and audit. This one is tied to the accounting requirements that are in ARRA and we are now looking with OCR at how those standards would work for implementing the accounting requirements that are in ARRA as OCR looks at the regulatory process for incorporating those new accounting provisions into the HIPPA privacy rules.

    So that is my knowledge, referring to the standards of Baltimore in those areas.

    And we are either working on or have been working on or will be working on informed discussions here, and I am really hoping that this committee and ONC can work together in a somewhat iterative process so we can bring issues that we are thinking about to you for consideration at have public input on some of the thinking that we are doing, and it really have this be a public discussion on how we come to the right policy and privacy and security in these areas.

    A couple of things that I wanted to let you know about because I thought they might be helpful to the committee is we have some reports on state laws in the areas of consent and access that are close to being ready for us to put out, and it provides a good basis for understanding the state law variation, and with the existing law yesterday. They're is a lot of confusion in that area and I think these reports will be helpful to clarify that.

    We have a couple of white papers that we are looking at to put out a request for proposal on this and we are close to getting going on this project but I wanted to let folks know, this is an area where the work we are doing can be helpful to you all, so we are hoping to get some comprehensive thinking on priority all in one place, so what they're looking at is doing some white papers that our objective and pull together all of their respective issues from various perspectives and disciplines on a particular topic. So for example, we have, the first two white papers that appeared going to do is two [indiscernible]. And for instance on consumer preferences, to get all the issues on the table and understand the petitions for example of whether dealing opt in purses opt out and whether you mask data or not and what kind of implication that has to practice, the input on how you collect consent or consumer preferences at the provider level versus the HIE level, any significance there, how much information and decision making consumers will take on, and it is there a point at which consumers will say, this is too complicated for, and not take the responsibility? The Human factors kind of issues, ethics issues, trying to get all the issues in one place to help inform our policy making.

    The reason I bring this to your intention is I think it can be helpful as discussion document for those who may not be as familiar with all of these issues and all of the intricacies of some of these issues, as well as because as you prioritize areas for consideration, we can then go forward and do similar white papers on topics that you prioritize, we do have that built into our project.

    So hopefully this is a way we can help provide support to you and we can provide guidance to us on party settings. An agent or the petition guidance of the practices and hopefully you can be informative to last in the area in which we can do that best.

    You have heard of David and Paul already talked a lot about this. A lot of effort and it to planning this curing and this is our first entree for this committee and privacy and security so we set this up to be fairly broadbased to cover a whole lot of issues and have this be a listening session so that the committee could make some decisions and priority settings about where to go and what issues to take on and what more information we need and how best to address these issues either through existing workers or otherwise. So I appreciate all of the efforts of the folks who helped put this together and they are planning to meet again after this meeting so that we can make recommendations back to the Committee on how to proceed and some areas for a priority setting and for taking on some issues. So I look forward to the discussion today and I would be happy to take any questions as if people have them.

    Any informational questions for Judy.

    I am sure that many of them have questions but I expect that many of them will get answered over the course of the days.

    [speaker/audio faint and unclear]

    Yes, I apologize of that because I didn't have them ready in time for folks to have them but I will make them available.

    One minor thing on your white paper, I think that is an excellent idea and IS in this committee will have some input on perhaps with those various topics will be, or are they already predetermined?

    We predetermine the first two, that we have had consumer preferences is an area that we have heard over many years and NC DHS has taught us that it wanted to take on the op in the / opt out problem, so we had areas from other advisory committees and then segmentation, which had that on because that was something in ARRA that we thought, there aren't any standards in that area and what to think through this issue so we can help influence standards in the development process. But at this point, we have not committed two other topics, and we do have funding available to do white papers and other areas, so that is where I would look for input in this community to help us prioritize what does topics should be. So there is info on that.

    Well I would hope that there are going to be the focus groups for additional study done on the topic before that white paper is produced.

    We are contracting for the white papers to be done, so we don't have that contract in place yet. We put out our request for proposal on that and we're still working to the contracting process.


    I would like some consideration given in regard to our future certification decisions we may have to make, and maybe a little more information in the form of the white papers on disclosure. And to the effect that they may or may not affect future systems capability or certifications that we want. Thank you.

    I am assuming that we don't have to make commitments on these white papers today and I and I'm assuming that the debate and discussion today will help inform some of the parties of the Committee, things that are important for the Committee to take on hand for ONC to take on. So I look forward to future discussion on what those priorities should be at some Road backing for privacy and security issues. Thank-you very much.

    Thank you, Jody. It is nice to see that material all in one place. If it is a little daunting.

    Okay. So what we -- what the task force has done is set at a series of panels, and in each case we have asked community models to play the role of moderator, that I picked it will be a moderator of light. We're just trying to keep folks on time. But what I would like to do is introduce the moderator for our first panel and that is Paul Ackerman. And let him invite the panelist two come up and begin the presentations.

    Thank you very much. Will the panelists come to the table.

    The first panoplies patient analysts control and segmentation of health information.

    If I could give you just an overview of the whole hearing, we have four panels on for different major topic areas, and each of which could take a day in themselves, so we gave them five minutes, that I will explain that in just a little bit.

    We basically wanted to try to provide a breath of perspective so that the community has the advantage of hearing multiple perspectives. It won't be a complete set but we will structure [indiscernible] complicating matters by putting it some real-life examples into the panel. So the way to get a lot of the information out at the same time is they ask us to provide the same testimony and written packet and in the packet that was hosted on the websites before today's meeting and that we will have five men at high points from each panelist, but plenty of time for the dialogue between the committee and panelist. So without combination of opportunities we are hoping to get information on the table. As David mentioned, this is the informational hearings of this is the first stage of getting information out.


    Thank you. If you are watching on the Internet and you are wondering why there are power point slides, it is because there aren't any. It will be a five minute presentation followed by questions and answers. And we have individuals on the table here that are extremely prominent in their areas, and in addition, to its very short opening statement, I will give a very short introduction which will not do justice to their background. Debra Peal. Dr.Peale is a practicing physicians and a national expert on privacy. She is the founder and chair of patient privacy rights and also a founder of the bipartisan coalition for patient privacy.

    Dr. Peale?

    Thank you for that introduction. And thank you to the Committee for giving us this opportunity to testify today on behalf of the millions of Americans who are very concerned about the problems of who controls the data in electronic systems. In fact, the control of [indiscernible] is the major concern Americans have about electronic help systems. We appreciate your service and we appreciate you having this hearing today. We do have to say that we think the card is in front of the horse, and plans have been made and work on for many years, standards, as well as the plants developed by this committee, and we think that actually the privacy issues are foundational and really belong at the beginning. Because insuring control over data is really the only way that we are going to get to a trusted help tell AI T system. And building the kind of system that Americans have been used to for the years which is to trust their doctors not to share data without their permission. So any discussion of privacy has to start with three crucial facts.

    A first one is that Americans care. Deeply about privacy and control of their information, and what we did today was drawn on the new report from AHRQ that just came out. They study people's attitudes about health ITT and research and fears about data and transmission across the system, at 20 focus groups, and that is in her notes. I'd like to summarized data. Tourist point, the majority of Americans think they should have access. Here is a universal [indiscernible] that Americans should have a say in how this information is shared and how it is used. Third point, and majority believes that no one -- it is no one's business to know about their personal health information. Not because they're concerned about a specific kind of disclosure, but as a broad principle, but it is personal information. I should have a right to keep it private.

    The last point they found was that the participants overwhelmingly want to communicate with their providers about how their data is handled and shared and for what uses, what purposes? And they automatically believe they have should have the right to correct the information.

    A further point we wanted to make was the famous California health survey of 2005 that found that 13 percent of Americans are already taking action to hide or of its data from the health-care system. Again, this was in 2005, and I don't think the same question has been asked since then, but if they were asked, I wonder if the results would be even higher because people's concerns are growing, but receding. And finally, we wanted to bring your attention to the studies done on behalf of the Institute of Medicine, done by Alan Westin, and his survey found that there is only 1 percent of Americans that would ever agree for research is to have unfettered access to their information. Further he thought that for head of the population of his having their information available even if it is unidentified and even if it has IRB approval. 87percent of Americans support research. The point is, they want to know and they want to be asked.

    Our second major point is that the right two privacy, the right to control personal health information is the national consensus. If this has been developed in all 50 states over 200 years. It follows from Hippocrates and centuries of medical ethics. But the idea that we don't have a consensus in this nation about who should control health information and about the right two privacy is not correct, and one of the things we submitted to you as part of this report is a document by Jim Piles who is a lawyer that has worked on behalf of the consumers' rights for its many years now, laying out the Constitutional Rights, that rights and common law and state law and so forth that are very high standards, and again, part of the national consensus.

    In the AHRQ report, another key finding was that the public does not support having general rules, one will one size fits all in terms of a general policy, and everyone should have the right to determine their own standards. That could news is, technologies exist now to allow that. And it hours fuller materials, not only today but are coalition has written two or three other letters to this committee and to the standards committee playing out in detail examples of privacy enhancing technologies and systems that exist now that are in use now that have been successful.

    Our third point is that privacy, beating again, consumer control over data, is the cheapest, easiest and most efficient way to ensure that data flows. The person with the clearest right and ability to say that my in focus from this hospital to this researcher is the patient. The individual. So we need to keep this in mind as we move forward and think about that distributed systems and complex ways of sharing information. The cheapest way for it to go without the need for expensive complex legal agreements is asking the patient.

    Fourthly, consumer control is one way to ensure that all the stakeholders cooperate. There is tremendous stakeholder resistance to sharing data. Stakeholders believe that they own their data, but the truth is, the only person again it can make the data out liquid who can and that data blocks and data silos is the patient. When not ask the patient? And again, I'd take as Alan Weston 's research showed, the public wants to provide data for causes and research they believe in. They want to know about it and be informed about it.

    So today we are asking you to set a really high bar for privacy. We are asking you to meet Americans expectations of what it will take to trust these systems.

    We are asking you to set this bar because the data mining and secondary and tertiary use of health information is a multi-billion dollar a year business. The data mining industries are not going to change or reform unless you give them clear direction. This is not just the case withheld with health IT, but if you take of the progress in our economy, change all the King and industries in which it was mandated. The auto industry improved fuel efficiency and tell Congress mandated it. It took Congress to get the lead out of paint. The industry does not want to change and industries today do not want to change or build an industry that is trusted.

    I guess I wanted to talk a little bit about the fact that health care is not a system. It is a two-person enterprise, and if one person is willing to walk in the room and share information, we won't have data. Data can't be compelled. And so to kind of wrap up, we are asking you to remember that people need to be able to make informed consent. They need to be what is going out to home and for what purpose and how long. They need to know in a meaningful way what they consented to and what was disclosed. -and so it is not erroneous and the good news is that systems that provide this are already here.

    As far as policy, if we are asking you for three simple ideas, three simple policies that would make the system worked, over writing policies. When, no protective health information should be exchanged without informed consent.

    Two, the patient should have a right to designate the point where the provider can send a copy of the Electronic Data at no charge.

    And three, all access to patient record should be with explicit permission and informed consent. And that means that patients have to be able two selectively segment sensitive information, and it means that we need segmentation and audit trails now so that we can prove that data is handled in a way that patients want.

    Thank you very much, Dr. Beall.

    Our next speaker was supposed to be John Rather from AARP, but unfortunately he was called away at the last minute and was unable to come, but we got a pinch-hitter. We have Devon McGraw. Around 9:00 last night we threw this job out and as you know when she is not busy helping us with the policy committee she is active at the center of Technology.

    It is not easy to do this at 9:00 at night, this was a bad week to adopt a puppy. [laughter]

    Let me tell you more about the Center for Democracy and technology. It is a non-profit public-interest organization here in D.C. funded about 15 years ago to promote democratic values and individual liberties and the digital age. The organization has a long history of expertise on the Internet and privacy issues.

    This used to be an independent organization with more than a decade of experience in advocating on health care privacy issues and about a year and a half ago, we merged the two to sort of the average the expertise of both to deal with a movement of electronic health data and electronically. So really what we tried to do is to think about and recommend a workable solutions two better protect the privacy and security of health information. Consumers definitely want privacy, I would reiterate what the press said, but they also want their data to be accessible for use in treating them access to the data themselves, so there are many issues to consider when we figure out what are those of workable privacy and security solutions.

    The wont go into detail on what we need to focus on that, I think we all appreciate that or we would not be here today. But out what I do want to respond to is the particular solution which she advocates which is giving patients more control of their data which means requiring consent for each and every use. And it is a very intuitive and appealing solution, and it absolutely doesn't surprise me that people in focus groups and surveys say, give me control of the data. I don't know of anyone, except maybe some folks in the health-care industry or health-care experts would answer those questions any differently. Control of something feels intuitively better.

    And of course, giving patients some control over their data is in fact an important element of privacy protection. So basically what I will tell you is, consent doesn't work as well to protect privacy as we would want it to and reading a comprehensive framework of rules and also putting consent in certain in instances where there is value to do so.

    Nevertheless, what I will focus on today, why informed consent doesn't work.


    All limits of consent war illustrated well and something that hit the news not too long ago which were there were reports about health and life insurers obtaining drug information from commercial data miners and using it for a range of purposes. This revelation , of course, is cause for much consternation but that data was in the hands of those entities because in each and every instance the patient consented. You have to consent to the security of for those purposes. And health care does not present us with good opportunities to provide people with eating polite to say no. That is one of the reasons why consent does not work very well to protect privacy. Equating privacy with consumer consent -- with comprehensive privacy protections because it puts the burden on the consumer and takes it off of the entity. If the industry were directed simply to solve privacy concerns with consent there would be less incentive to design and implement -- in other words, if I can rely on a consent form to authorize all potential uses and disclosures why would I bothered to design network anyway that minimizes risk to privacy or spend release scarce resources on insuring that system to incorporate the latest security technologies. Or train staff for the permitted uses of information. Let's get the patient to tell us and to authorize the use of their did have when they need health care or when they're signing up. It's easy to see how notwithstanding but the concept of control is appealing but does not work the way we wanted to prove we do not want the role of enforcement of privacy be a form that the patient signs to authorize the use of the purchase of the intermission and if it did that is the end of the inquiry. I actually was at the HIPAA summit yesterday and they were telling folks the best way to be certain that you're using information appropriately used to just give the patient to consent to it. It surprises me sometimes that this is not actually appealing to industry because in some respects some might consider it easier than figuring out how to comply with a complicated set of rules. Privacy policies are not written typically in language that people understand and a lot of people do not read them. They use general -- even if they are simply stated, they use general language. From time to time we would improve to lower your costs. Who would not sign up for that? But it does not tell you very much about how the data is used. Similarly if there are categories of information, Research, health care and prevent, Health Care Quality Improvement even trying to segmented down, there is a wealth of information that is consumed in there that the consumer is never going to fully understand. Again, if it worked well we would be one of the first groups up there at the Keating four it a matter how complicated or costly it would be. advocating for it will matter how complicated or costly it would be. Over reliance on consent does not work and does not mean there is not a rule for patient consent. It needs to be layered on top of this comprehensive framework of rules that govern how entities use and display informations. Two areas where we stand to strengthen consent would be with respect to health information exchanges particularly where the business model is in flux, and the uses and exchange of data is for more than treatment purposes. I know that Gayle mentioned opt in, opt out and I think that is an issue worth pursuing. And personal health records, we were talking about a record that is a copy of electrical medical record and for the patients to use. There is a strong case to me that individual consent over that record, that that record belongs to that individual and that public policies ought to reflect that and they don't actually at this point in a Universal way. I will provide one more example and then stop so that others can have a chance to testify and that we can take questions. Our eCommerce marketplace provides an example of why this works so much better than consent alone to stop mistrust and make sure that information can be shared. Most of us use credit cards and shop online or bank online and these systems work because we have rules in place that govern who can access that data that required to be for security to be in place and that hold the individual harmless or provide competition for them if, in fact, there are errors there is not trust because of patients' consent to each and every movement of the money that goes through the system. With that I will close in thank you for the opportunity. I apologize if this went over. It was a little disjointed but I've happy to answer your questions.

    , thank you, Deven.

    The next speaker is Marc Overhage and he's the director at Regenstrief Institute and a professor of medicine at Indiana University of School of Medicine and president and CEO of the Indiana Health Information Exchange.

    Thank you and good morning. I am pleased to be able to provide the committee of a brief case study on how our health information exchange has approached this specifically. The Indiana network for patient care provides health information exchange across the state of Indiana and along with our platform, supports held information exchange for 10 million patients and 12,000 physicians and their staff and about 50 hospitals participate in INPC along with independent laboratories and others. Patient privacy and the security of their health information have been fundamental to the health information exchange since its beginning. We have are protected privacy and security into the supper, processes and agreement with a careful attention to the balance between them. Our health information exchange and its partners, the clinicians and providers subscribe and implement the principles described in the framework specifically openness and transparency, purpose specification and minimization, collection limitation, use limitation, individual participation control, data integrity, security safeguards and controls, accountability, oversights, and remedies. So how do we try to attack that? By First of all trying to hear to these principles not only requires the health information exchange for the providers to work in concert. They must execute the INPC agreement which allows them to follow specific safeguards within their organization. These legal process and policy structures are critical to ensuring that the privacy and security of the patient's health information, providers and for patients initially through their notice of HIPAA privacy on how the intent to use the patient's did this is a primary opportunity to be informed by discussing their wishes of on the use of the sharing of data. Our technological underpinnings have been designed to support these as well the infrastructure is essentially a database model, the provider stores data for which the are the custodians and a database that they maintain a standard structure and format. The patients demographic year from the counter is used to create a GPI, global patient index in terms of the participants and not the world that links patient identification together across the different providers. The system uses that GPI to create a virtual patient records when the poor conditions are met to the bull access for a specific use case -- when the specific conditions are met to enable access for a specific use case. These highly specific conditions in sure pulpit limitations on news. I give you one concrete example. In order to create this when they go to a emergency department for acute-care first about the participants, the organization must have agreed to their contracts with the others participants that they will followed the specified safeguards internally. The INPC system has to precede a secure notification that the patient has presented for care at that this facility. And the device from which the commission is trying to access the patient's records must verifiably be present at that the city's location, that specific facility not just the health care system. The provider must often to keep themselves to the systems and must have previously been authorized by that institution or health care system to access data for that specific use case, emergency care in this example. Finally the limitation on how long that virtual record can be created for is limited to 24 hours on presumptions that very few episodes will extend beyond that time period. Different conditions would apply for different use cases, for example, creating a virtual record in the ambulatory settings or public health reporting. Anytime the virtual patient record is created an audit trail is treated permanently over a variety of data, which information from which institution in which user access the data and so on and that information is available to the patient for their proprietors providers. Providers decide which data is made available and the INPC founders have designed the INPC to recognize the importance of the provider patient relationship and we believe that the patients' understanding and control of its own data should be the topic of discussion in which the patient choices his trust to provide their care. We think this should put occur brother with the provider if the patient provider agreed that the data should not be shared it is required by in the INPC agreement. The provider then notifies the INPC of the patient's request and the INPC staff plagues the patients about the system can force the patients' desire should they choose to completely opt out or not for his Pete Peters similarly patients who identify corrections or clip -- and similarly patients who identify corrections or clarifications make sure those are in the source systems and then propagated to the exchange permitted to ensuring the security and privacy requires careful attention to all of these principles by both the providers in the health information exchange. Within a comprehensive privacy protection -- excuse me, privacy protected architecture and environment thank you for the opportunity and I look the word to the discussion.

    Thank you. The final speaker is Susannah Fox and she is a frequent and to be turned to a blog called and the most recent article is called HIPAA's broken promise.

    Thank you.

    We are funded by the Pew charitable trust which is 19th century Pennsylvania oil money and I think that's important to note because so much of what we do is studying the social impact of the Internet and goes toward ideas that are essential to policy making. And yet we do not advocate to any policy outcomes or have any positions on policy. What we do is try to provide an accurate picture of a change in population and now that we are going into our 10th year about how people use the Internet I can say that we have learned the hard way that it's important to focus on actual behavior in a hypothetical or attitudes. We have seen in the last couple years that people will say one thing and to the other -- and do another. I'm hoping to bring some insights on what we see people actually doing. I focused on how people use the Internet to get their health information. Will be sought in the early days is that patients would grow to around doctors who back then in the '90s would warn them away from using the Internet. Patients would not listen to that. The working so much from what they found on line that they would change doctors or go underground. They would work outside the system. We are seeing some of that again where people are unable to get what they want from the current health-care system for all of the reasons that Reno and so people are going outside the system creating their own ways of Catherine in Cherie Holton -- of gathering and sharing health information. We want to create a system that brings those patients and. Why not create something that allows patients to collaborate with doctors and contribute to health care. Privacy and security are foundational requirements but at the end goal, helped is the end goal -- health is the end goal. What I want to talk about is what we're seeing in our latest data is that American people have a different expectation about access to information even in the last two years. People feel that they should have access to what I think of as industrial strength information, people are, for example, in the political campaigns, watching the actual speeches. They were reading the campaign papers that were available on line, not just what was in the newspaper or watching TV. In terms of health care people are accessing medical journal articles not just waiting for the summit that is available in the media. What I would say it also is that I'm here today representing sort of a consumer police to my survey data but also are wanted to read some comments that I got on deep e-patients blog and I said what else would people want me to say? You have my prepared statement and here's what people had to say, they wrote I want in a patient at a rate that innovates the innovation in cell phones and speech iPods and just the way many people think about their cell phones. He echoes what Dr. Peel said, you that I ought to be able to get my hands on the data, show it to my experts and take it with me wherever I wanted another comment was quoting from a HHS report on e-health tools and it is, "consumers with to versus respected must have meaning full access to culturally sensitive tools and that is part of my prepared statement that talks about how mobile Internet access is the reason the differences that we see between white in adults and, please include cell phones because 80% of adults have a cell phone.

    The third and final comment that came through on the blog last night is a really interesting one and goes into what I have seen some of the previous discussions and that is the patient generated data were presentence a new pool of research data that has the potential to improve the imperative the effectiveness studies. They could health establish standards for data quality, patient generated and the outcome data. I think that is where we are going so when we talk about where we are now, we're talking about the web page where we are quick to be, we can talk about mobile, patient generated data. Were people are working outside of the system and we should welcome them in and harness the power of so many people who want to can cheapie to health care. Thank you.

    Thank you, these are some fascinating comments and also a diversity of Commons on the number of issues including the role of consent. I think now we will open this up for questions and comments from the committee -- Paul, are you handling this part?

    So I will be facilitating. So people should raise their hand if they would like to say something.

    [ Indiscernible ] light and his burden.


    The first person, Christine, do you have any comments?

    Sure, thank you to all of you for the fabulous work that you have put into this panel and I am grateful for the design of the panel that includes such a comprehensive range of refuse. I actually have a couple things. I wanted to start by asking Marc about the accounting of disclosures and I know there is a range of use out there and given the changes in ARRA and we will hear about the volume of data and canoe there be so how are you handling those changes -- and granularity and so how are you handling those changes in the second piece of that is how you are facilitating those conversations at the patient provider level so that patients can understand more about what they can understand about how their data is used and is played.

    Thank you for the question. I think it's fair to say that our general approach is that this is an issue between the patient and care providers because they are the custodians of the data. As you pointed out, we facilitate in our various venues where management committee discussions and other venues this broad topic of disclosure with providers which they have to deal with independent of any issues around sharing or how the information exchange in any form -- health information exchange in any form did we facility that disclosure beds are not involved in it as part of the health information exchange because we can not appropriately and to keep the patient. If somebody knocks on the health information Exchange's don't how do we know who is? That belongs with the proprietor and patient. And as a provider in the patient decide by providing the audit logs and disclosure information to the provider who can make it available to the patient.

    Can I ask -- for Deven and Dr. Peel. Both of your presentations were compelling and helpful and one of the things that the striking to me about the role of consent is when you talk to patients and their family members oftentimes what you hear and we have heard this in recent focus groups that we conducted that they overwhelmingly want to share information in the context of treatment and care coordination in particular, and the 2005 health-care survey reinforces that, I think 90% said they wanted that. I think it becomes a different conversation when it becomes privacy in the abstract and as Deven pointed out everybody wants control. So when we talk about the need to walk the right lane abruptly more of a circle that will encompassed the right level of controls for people but give them what they want which is high quality patient centered health care, I am wondering about whether the rule of consent should refocus particularly on those areas like health care operations for its the little bit more squishy, the definition and broad versus the framework built around HIPAA for treatment so Iowa eight new -- I want to ask you done like your perspective and I really hope this committee will begin today to tackle.

    So health-care operations for those of you who have not seen the definition is essentially a bit of a list of sort of what I sometimes referred to as back office activities that health-care institutions often need data for. From a consumer advocate perspective it's perplexing because some of them are really proud reworded. In order really to give hospitals and doctors and health plans a fair amount of discretion to -- I mean, health care is also a business so to some degree there is a need to use some patient data in order to function on a daily basis. On the other hand, we do not like big, broad categories to see things like Ed Ministry of activities and other things related to health care. I do have the definition in front of me but some of the prongs are more specific and others and it has always been a troublesome category. On the other hand, if consent is not a good privacy protected it without work that well and operations either. So my own view is that I would much rather provide incentives for entities to be good data stewards, such as not only is using its -- using it in full the identical forms and credentials of doctors requires use of data about how will they have provided treatment but you don't need to know that that treatment wasn't need. You just need to know that the certain pieces of data that can allow for their peers to charge with or not they were providing appropriate care. So I think it's tough because you look at that laundry list and say, oh, and? All of this stuff? Its intuitive, the control piece. But in an environment when they don't have the ability to stay know you will not get any better privacy protection of that tape in my view -- of that data in my view.

    Did you want to say something, Deborah?

    Certainly we agree with Deven that health-care operations that are a very troubling category. In fact, that is the main category of open use by providers for data for any purpose that they would want including the sale of data. So we certainly believe that again, if the health-care entities like a hospital can explain in a clear, simple way how they want to use the data and it makes sense to people, people will agree to business uses if they make sense. That is certainly the most troubling category but there are several points that I need to rebut that Deven said. The idea that consent does not work, I have no idea where that is coming from, there's no such study, there has never been any research that I know that shows that consent does not work. When you talk about consent not working you are essentially always talking about coersed consent or blanket consent and you talk about the trust in the eCommerce situation but we have no privacy over our opinion to records. I'm sure no one is -- everyone is aware of that. The problem is we do not have meaningful consent over all kinds of uses of protective health information that have nothing to do with health care. Nothing to do with health care and everything to do with business models and process from health data mining industries. If we're going to talk about consent and I have to see that consents have to be meaningful. They have to be informed. That is a legal standard, you have to know what you are consenting to and what it is for. With a would turn out to be burdensome or not and Jodi is talking about studies finally being done on that and we pointed to in our testimony today and other testimony the fact that a very detailed consents have been working extremely effectively for the exchange of sensitive data. I'm a psychiatrist, some of you know this. Everything is about privacy in mental health in particular because no one would tell us anything if they thought that was going to be broadcast. For those of you who have not heard me say this before I learned about this issue for my patients, literally when I hung out my shingle people came in and said, if I pay you cash will not disclose why information? They had already been hurt, we're talking about jobs. So we know that the NDIIC is a national open source consortium that developed consent to the exchange of mental health data. They have been doing this for eight years, the habits changed the on 4 million patients and it works fine. It has not been an obstacle whatsoever. By the way, those are standards for consent that exist that are easily translated with HL7. So the fact that they say we do not have standards is because they have blinders on. They do not want to see what is out there and working, we do have standards and things that could be used throughout the system and here's the thing, in order to insure segmentation and that we are going to be able to do genetic research we will have to have a system of consent that is trustworthy that allows sensitive information of all kinds to be segmented so we will need consent, audit trails, we will need them now. Again, to clarify patient policy rates and our coalition does not believe that we should not have data security, that we should not have a framework for trusted exchange of data and that we should not have a free report confidentiality and trusted stewards but the stewards should do what the patient says with the data. That is what stewardship is about, not what is good for the institution. So again, you cannot have -- it's meaningless to say that you have control of your data if the system is not secure could anybody can get into it. You have to have security, meaning both remarked in you have to have patients control.

    Thank you.

    Questions from Frank and then Gayle.

    Thank you.

    My name is Frank and dime a Castro neurologist. We have been buried could about patient confidentiality -- very good about patient confidentiality and in these two years it has been easier to implement the HIPAA protocols because it's more readily available but the problem with confidentiality was many years ago with third-party payers. The plan trustee and that everything they tell me can be transmitted to the insurance company and they also understand that all of the recommendations to them will also go to that insurance company. There was no consent. As a condition of being injured, they have to agree that that information -- of being insured, they have to agree that the information will go to the company. They have no control over its. Patients have lost their privacy many years ago. How do we get the genie back in the bottle?

    Patients gave consent for the information to be used for one purpose by the insurers and one purpose only, to make a determination how much they will pay the claim. The problem is the insurer's turnaround and use that data in many other ways that patients are never informed about were told about and that is quite harmful to them. For example, sharing that information with employers or acre gating and selling that the data to major employers -- aggregating and selling that data to major employers. So this gets to the code of fair information practices that was developed years ago by the predecessor to HHS, the Department of Health Education and welfare. We do not have control because our control has been stalled the next Olympic when you give consent for one purpose that should be it -- has been stolen, when you give consent for one purpose that should be it in and if they want use of the data they should come back and asking. This is the principle of single use. That is why we have no privacy. That is why we have a giant secret data mining industry. And today I brought things to pass up to you. HIPAA allows all of these entities to go ahead and use it for other kinds of purposes. Many people do not realize that HIPAA was gutted in 2002 in the control passed from the patient and individual to all of the holders of data to make the decisions when they wanted to use that information. I think this would be relevant to pass around.

    Thank you.

    What it has a single sentence --

    Thank you, Deven.

    We also have Gayle.

    I want to think Dr. Forman ball down my the mud -- -- thank Dr. Blumenthal, we have had -- This is the foundational question, not just for how we are going to move forward with electronic health records dealing with privacy but we have opened the door, but genie is out of the bottle. This is opening a conversation that really needs to be a public conversation on how we will do with the privacy and security of these records but I have a great deal of concern on the business association aspect of privacy and security and Deven, I could not agree with you more when it comes to consent. Coerced consent is the worst thing for privacy and security that I have seen. And I would like the panel to really look at the business association relationship when that data travels from the physicians office of the hospital in than is used again and again by other business associates. You can go down three or four genes before you come to that information being used out there. Being sold and been used. Individuals have a great deal of concern, this is the number-one concern that I hear, how is my information going to be used? They are also afraid that the systems will be broken into and that comes to the security aspect which I'm sure we will get into asphalt. I would like to hear some comments from the panel -- kicking to as well and I would like to hear some comments from the panel about the misuse of information. I'm about solutions. Keep the committee direction. If you were king or queen for the day, what would you do to protect this information?

    Thanks, Gayle. We have some provisions that Jodi showed this in the beginning and having said that I think we do have another problem about the we cut the Mitropoulos down the chain. I fully acknowledge it and agree with Dr. Peel that this is something that we need to get a handle on, and it's not addressed on what happens in the economic recovery legislation. Some of this is anecdotal reports that we are getting the business associates getting data from one covered entity and then they feel that he belongs to them and using it for a range of other purposes. The week to fix that is for stronger rules on what business associates can do with a tepid if the receive data that do it is not theirs -- if they receive data from the entity that is not theirs to use, but instead the they perform the function and that is the end of the story. They have data by virtue of that relationship and they cannot turn around and assume that they can use it for any other purposes. I think Bill lot is there but it's just not clear enough and has not been appropriately and force me into a lot to clarify that and improve enforcement there.

    Thank you all very much. First, Susannah, I want to reiterate the appreciation on the comments and actually been the once a meeting in London this data. I think patient reported outcomes are going to be critical in my world of cancer but also having the power to take their electronic and medical records, and the doctor or whoever scene of what this data out there could I have a question more for Deborah and Deven I would like your comments as well. It does deal with some much of the consent issues. Cancer is so linked to research and its ongoing. This is hundreds of diseases, not necessarily body parts. You mentioned genetics and it really is the molecular disease. So there's clinical research data, constant monitoring, and we are now thinking more and more that all cancers are some populations. There will be responders and not responded speed and the cancer center has put together this trouble cancer care program with the are getting their patients, they are profiling them and doing molecular profiles prepared convene the bio specimens -- they are getting be by a specimens to see what works and what does not and build a learning compared to an effective research profiles of that doctors can going and say, you fit this profile this works well for you. Subsequently it will align them with clinical trials. We will find out what molecular markers me make you a responder or not responder. All of this will require constant going back and forth between the patient the data and on a train going to be by a specimen -- and monitoring and going to the bio specimen. So do we only need one consent at the beginning to participate in large-scale programs. I see you're shaking your head in a little bit. My concern is, what point does it become so cumbersome that we really cannot conduct research on this?

    Certainly that is the biggest fear is that somehow consent will interfere with Research. What people forget is how easy and cheap technology makes it to contact people it might have made sense decades ago if you went into the system to give consent for the use of your data forever in perpetuity. Because it could be difficult to contact you, time-consuming, expensive, but people forget technology could enable you to be pinged on your cellphone. Technology eliminates most of the burdens of been in touch with people easily. So the cost to connect, the cost to consent are different now and that is part of the reason for IRBs because it was difficult to contact large numbers of patients. Guess what, it's not difficult any more with 85% of adults have cell phones and this government has proclaimed everyone of us will have an electronic health record. It will be. Easy to get informed, meaningful consent does everybody want that?

    , everyone does not want that. The people who want to give blanket consent for future research because let's say that I trust [ Indiscernible ] and I think they will do great security and have great doctors. I will be in a little bit of a shrink, I think the are wonderful, you can still do that you can still do that with consent management system speed you can give broad directives but before you give a broad directive like that you should be informed about what the potential consequences are. Not just for your life but for children, grandchildren, and relatives. That kind of thing. People will have different preferences about how often they want to be contacted or for what purposes. The ones that want to give broader directives to their own physicians or hospitals, they can do that and then those that do not want to do not have to. That was the findings of AHRQ. There is not one-size-fits-all and that is what is so fabulous. We no longer need black and white, we can do very selective segmentation's, which is on the final summit -- which is on the table finally and that is the duty of technologies and they exist today. We hope you will -- and we have submitted a list of names of panelists that can talk about these things. And there's some great ones, consent mechanisms to allow selected information to go to researchers as well. There's some great stuff out there.

    The source of the 85% has a cell phone, a lot of people do not turn it on every day and still do not know how to do text messaging. I want to clarify, their -- there is definitely variation in actions people take.

    I have a question for you, the system described, the network he described as many characteristics that some panelist said are good characteristics. So you have 12,000 physicians and 10 million patients, of those 10 million patients what proportion is that of all the patients seen by the positions? Hominy give permission to be in the system?

    Thank you. We try to do the best we can and the practical things are often challenging. We just keep trying to do the best we can. The 10 million patients -- there are only 6 million people will live in Indiana, some of those patients are dead, well, they are [ laughter ]

    That is a whole another topic in a different office.

    Some of them are folks who have transferred through the community and the Indianapolis speed hospital during the Indianapolis 500. So of those physicians it varies across the state and the central part of the state is easily 100%. In some parts of the state is as low as 50% the.

    Of those 10 million who have given consent, how many require segmentation of their information and limitation?

    We don't know the answer to how many people because that is a provider patient decisions we don't know what data was not shared in that is a good thing.

    I thought I heard you say that the information was sent to the network and then win the information -- when you got a request that limited it then it was removed.

    I will distinguish because I stumbled on my words a little there.

    There are two processes. We provide and patient decide something should not be shared, the provider does not make it available at all. There is also a process for a patient at any point to say, I don't want anybody any time to see my information and then that is --

    So if a field is blank you don't know whether it because it was not corrected or --

    That is correct.

    Thank you.


    I asked this morning for somebody to take a look at patients who were asked by their health care organization if they wanted voluntarily to give a perspective authorization of the entire record, to go from one health care organization to another for purposes of treatment and care. So they counted 125,679 patients who were asked if they wanted to do that and of that 124,017 said yes which is 90.7%. I think that is interesting -- that is 98.7%. I think that is interesting. So what they think is important is that, I think the we were seeing of doing it, Marc, that the position does not enter it and zero were if you enter it in new market as a sensitive notes and that no does not get past -- you mark it as a sensitive notes so that does not get passed. But so much is the ready, it's in the diagnosis, medication, medication interactions, imaging, it's in the notes of the imaging professional. Its in the results and even the orders. So if you don't look at the results, you can tell by the orders. It's in the group of physicians that are giving care. And so what I think is interesting is that it can be. Misleading and unfair to the patient because they think that there is technology that can go in and hide all of that stuff, and its too threaded. And second a compromise quality of care. It's not that the data should not cope with it should not be improperly used. Could we not focus so much on what data goes because I think the electronic systems would recognize that it's pretty difficult to effectively hide things. But should we instead be focusing on not penalizing the information that gets transferred but if, in fact, it is inappropriately used.

    Good comment.

    Can I add one thing? On the ground pragmatic issues, what most providers are able to do if the patient chooses, it is typically the whole encounter, what ever is. Everything up of the hospitalization is typically what the providers are able to do today.

    But that is hospitalization but if you are mixing the ambulatory and patient together a packet sprouted.

    So the physicians and counter, and they do the imaging team leader and that is the challenge.

    Thank you.

    Certainly the problem is an appropriate use of information. The question is, who decides whether that use is inappropriate? On our organization and coalitions and tend to think that the one who should decide he leaked is the individual -- really is the individual. There is no question to do that many of the health IT systems don't have the ability to do granular kinds of bloc blocking or segmenting data. There is NDIC system that allows pretty detailed segmentation. Technically there will not be a problem eventually to be able to selectively eliminate every type of reference to a particular disorder. But you are right if the person knew that the information was going to be used against them may be that type of regularity would never be needed. That is the whole purpose of why we're here and are delighted to have this opportunity to talk to you because there is so much miss use of this sensitive data. Unless the system is constructed to where misuse prevent jobs, employment, a key opportunities in life are addressed this will be a no go and we will have no data.

    Thank you.

    Okay Dr. Tang?

    Thanks to the panelists, it has been wonderful to hear the difference we've opinions -- diverse range of opinions paid a lot has dealt with HIPAA and covered entities. In some sense that this so 1996 [ laughter ]

    And to take up where Susannah talked about, the puck is going into these other places in the question is voluntary or involuntary. And we have what seems innocuous of THR, health risk assessment, social media, facebook, etc., and a lot of private health information get shared not understanding what is confidential or not and certainly outside of the realm of HIPAA and cover entities. My question to you, the NHIN is thought of -- We want the data to be an off ramp to the consumers and even in the future with mobile and all of this patient entered data it will also be an on ramp to the NHIN. So it becomes part in the scope of but we want to deal with my question to you is, to you think we have protections today for the patient entered data into the health information [ Indiscernible ] and if not, what would you propose? Just wait one second, is it the granular consent and control pact Deborah espouses -- that Deborah espouses or stricter rules and much along the lines of Deven proposed or somewhere along the middle.

    We would agree with both. What you were bringing up is a really critical point pretty you do not have a privacy or control elements to control sensitive health information wherever it is. So the protections really have to follow the information. In websites that collect and use it in surveys in someone are really misleading the public. Many of them use the data but to sell and to harm them with. So we need a system where its recognize like you were singing, covered entities and business associates are are. We believe most patients believe that because their grain to health relieve your website those people are there to health them. So there has to be the -- if I give my data for the survey issued before the purpose of providing them the results of the survey and they should not be able to turn around and sell it in other ways without consent.

    One interesting follow-up and then I would like to hear what Deven has to say. They entered it themselves implicitly then incentive to everything that they click or agree to?

    No, they are totally not informed. You know this. When you go on a website you cannot even read the party policies. They are not informed. Okay, some people are in getting savvy and understand that they cannot trust whether its Twitter or Facebook who have to deal with providing consumers of more control over information because they find out how bad they are. But they do not have a way to understand what the privacy policies are on most websites. You take Deven's teams of lawyers to tell us what the agreement actually send.

    And my fellow practitioners are the ones that right those damn things -- write those damn things. I agree with Dr. Peel here, you need both. Consumers ought to have a strong role in controlling their data. It should be voluntary whether they participate in them or not. Therefore if they want to throw their data up on some website, it's not up to me to tell them that they cannot do that but at a minimum there ought to be -- I don't want to pin it all on consent -- there ought to be some rules that govern the Internet marketplace of how they handle personal consumer data. This is actually something that we're working on here at CDT across all personal data and not just health data and we have been working on it for many years. I have folks who work with including a computer scientist who opens up the back of the computer and tells you what is going on on particular sites and what data they are collecting etc. But we have people working on consumer privacy as an overarching issue with respect to the Internet because we have no consumer privacy laws at the federal level.

    [ Captioners Transitioning ] Just so we are all aware there is other activity that we should be mindful of and ideally in coordination with.

    Just to add a comment, I said we learn the hard way some time about how survey data doesn't like it to what people are actually going to deal, and at one of the poorest health privacy conferences that I went to, I asked somebody that runs a very large website that helps people with cancer, and I asked, what is the privacy policy, and he said, our policy is that you have no privacy because -- it was Jill Feasman. But essentially, when people are facing death, but they are willing to give up their information and this is what we're talking about. So is it coerced or just practical that they are willing to say, here are my symptoms. Does anybody else have this? What is the protocol that helps you? And I think that you actually have a great opportunity to look at what else is happening in terms of adoption and behavior on line, learned from what face book learned. Look at what Twitter is working out frankly this week in terms of who has control over what you say and do online, and look at what consumers -- how consumers are benefiting. We have consistently asked questions about whether people have found benefits in the health information they find on line. That is growing. We have asked whether there has been harmed, and that is a flat minor. People are again getting quite a bit of benefit from social media from being able to search health information and gather and share it on line, and please look at that and understand that there are lots of other industry to look at besides health care which is frankly, way behind the curve.

    I would like to make one comment about that which is, people regard the Internet in a sense as a health provider now, they are seeking health information. And one thing that is different about privacy for Twitter and face book is, rights of control over personal health information about anything that exists about them. In other venues, we don't have a long history of the right to control personal information, and that is somewhat different than commercial been used, and that is when people are getting etting so concerned. It is important to understand, people are looking to the Internet and Social media for help. In the same way that they would turn to other providers. I think it is pretty logical to think that those other providers also owe them the same kind of duty and respect them not to misuse their information.

    Thank you.

    Mark probes.

    I have two quick comments and have a question. First, I am worried about absolutes and things like consent, because I think surveillance, disease surveillance, there shouldn't need to be a consent. That is public health and public safety, so I'd think they're will be things where I don't think I line up completely with absolutes around consent.

    The second one is on technology and implementation of it.

    There are times when I hear the words cheap and simple, other than when they are talking about me. I still have people that mess up with their fax machine and send the wrong information. It is still a difficult thing.

    The question I had, I have learned, I heard a lot of statistics out there. Has anyone done any surveys that would align the cost assisted with privacy and their willingness to adopt that level of privacy? Because agree to a pretty good job with the requirements that are out there today, at least I think we do as an organization personally, and Beth is incremental increase has a lot of Costa seceded with it, and has anyone done that level of survey?

    I have a response to all of this, of course. A first thing about public health is, yes it indoors as public health but if you look at the information it collects, it collects over the history of the development of Public health. It has pretty much and by statute. It started with dangerous infectious diseases, the collection of data, TB, various comments of trading infectious diseases, but typically the data collection has been, what is being collected and how it will be handled has been argued in legislatures with public debate. And there has not been [indiscernible] -- we are not opposed to public health, we are very much for public debate about abuses of information, particularly population of the public information. And I sound really absolute, and it is because I am a practicing physician and I have seen the absolutes that happened when people don't have control. Can't HHS 's own figures indicate that 600,000 people a year don't seek early diagnosis or treatment for cancelled because they are afraid they can't control the information and another 2 million don't seek treatment because they don't think it will remain private. So there are real costs to not paying to do this right up front. They could blow the whole system and never get the public's trust back if we lose it because we don't do it right in the first place. So there are real cost to not having privacy. Bad outcomes, people getting delayed care, people losing their lives. Bad outcomes are a real cost of no privacy.

    Mark, there are some studies. Maybe now that I am aware of in the new provisions, but a couple have come out chorus, and dad and I take turns punching holes in it, but there are studies -- what are the costs of privacy? There was one that came out fairly recently about what are the costs of state laws in particular that require consent for particular pieces of data, and one is just sitting in my e-mail and box waiting for me to read it that I just got this week that gets again raises the issue of cost. I have yet to see is in the one that also took into account the cost of not doing anything terms of damage to people's trust. So ideally we could put it on the table and sort of think of, what are the incremental costs of these potentially more onerous requirements on providers versus what are the costs of not doing that? I have yet to see anything like that.

    There is also the experience in the UK. They have spent hundreds of millions or billions on the system and they had to go back to read Engineer consent up front, so there is experience around the world to look at in terms of cost and blowing trust.


    I would add to what Mark said, in addition, to public health, safety. In looking at care, that information needs to be included for all patients, not all data, but the indicators. To get back to that conformed [indiscernible] it seems to me to be a conformed conundrum, because that as the complexity of the informed consent increases, understanding goes down.

    And they work very hard to have a ninth grade reading level and that it is culturally understandable, and then we have a 12 page boilerplate on the back of it that meets federal regulations. So we don't believe that patients understand that 12 pages. That our general counsel says, he must do this, okay. So I hear a push from Dr. Peale, and Paul called it if angularity. So if it even gets smaller, if you have a health-care provider involved, it gets so complex that people don't understand it. So how to resolve this issue of a towering patience in getting patients control? But understanding that the consent process takes time and it is complex enough to cover what we understand here, very few people will understand it.

    Well, I really hoped that he will convene a panel with some of the innovators in consents so that you can see how consents will be interactive and intuitive. There is one that we have talked about and put on a list to you that works with a group of victims and families with a genetic problem and they show examples in their own group of different consent choices that people have made, and why. There are ways that this can be done in a much more visual, interactive graphs down method. They're beautiful ways that technology can help.

    Is that consent for care research?

    This section I am thinking about is about research, but it involves segmenting versus during intermission, and it walks People's three things. Even for example, I think we will find consumers will get sophisticated about consent. My kids are learning about consent management systems from face book. You are in or you are out. And if you look at example, Microsoft help vault, they have various partners. Before the dispatches shared, the [indiscernible] watches, because you want to figure out how well my heart rate is doing on my work ethic. If you want to get the information through Microsoft, you get to share on but the data that is relevant to the polls company telling you how you compare yourself to other people your age and weight. So there are mechanisms out they're beginning to teach people the concept of, you don't have to share everything to get a certain kind of help that you want, so I think we are actually further along than the mechanism committee may be aware of it.

    We only have a couple of minutes left, and I know Christina -- I guess Marquette to comment.

    He talked about conscience sharing a specific anecdote, this is within the delivery system, but a physician ordered an MRI on themselves and the result was returned to the physician's practice as the usual protocol, and he was very upset with the health care system that the result back to his practice and was available to the people. You think of all people who would be able to understand the implications, but this is a person that is supposed to be helping educate patients. As Devon said, it is challenging for attorneys and physicians who have to work with this deal done that day in and day out especially the positions that have to deal with this in difficult and stressful circumstances.

    That is very helpful.

    Connie Delaney and I would like an opportunity to speak.

    Thank you very much for recognizing my opportunity to speak and will be consistently available via phone today. I wanted to comment on several points.

    First of all, I would like to reinforce Gail's comment early on in the committee, and opportunity. And that's reflected on our commitment and responsibility to the consumer focus and being attentive and responsive, and I would hope, deeply exploratory, and how we can continue in power the consumer to have a very much shared accountability in this area of privacy as well as sharing data.

    Second, I would like to make a comment on the mark, if your presentation and responses to questions.

    I wanted to particularly supports the auditory trailed mechanism that is summarized, Mark, and I know that was a very high level summary station. But the opportunity for this community to consider the wisdom and support of the auditory requirements of the final recommendations of this committee, that also that includes [indiscernible] as Mark summarized the strong entasis on the petition requirements.

    My last comment relates to, I believe as a committee, we have an opportunity to board recommendations ultimately that actually don't accept a lot of the, if you will, the work R that we are operating under. I have the opportunity and I would certainly support the deliberations that would support truly raising the bar related to the privacy issue, and I say that because I am deeply committed, as I know that all of us R, that unless we can support the growth and ongoing trust of the public in the work that they were trying to advance, and sooner or later our efforts will depend on that level of trust that we can support.

    Thank you for allowing me to make these comments.

    Thank you very much Connie, and it we are out of time. Let me make sure -- I am sure Doctor plum the ball is about to say this, but I would like to say the key to the palace for the interesting and spirited discussion.

    I am sure that this has been educational and in and lightning for all of us and it has opened up some new inspectors and we have to be very 2009 in our thinking.

    Maybe there are some things in her past that we do not want to forget as well.

    We have a 15 minute break scheduled, and I know that we are going to be losing some people on the early side, but I think it is a lot to ask people to sit for three and a half hours without an opportunity to stretch their legs.

    So rather than a 15 minute break, I would suggest we take a five minute break and come back here at five minutes of.

    (The HIT Policy Committee Meeting is on a short break until approximately 10:55 a.m. ET).

    Can you take your seats please? We are ready to begin.

    Could I ask members of the audience, please, if you are going to continue talking, please do so outside of the room.

    Thank you. Devon McGraw is earning a lot of credits for this particular meeting, haven't done it having been thrown into the breach because of John's absence and now she's been called upon two moderate one of these sessions. Says she is seeing it from all sides, that we want to thank our panelists. I know that one of our panelists has to leave at noon, but we should be finished by then it will Devons expert monitoring. So at this point, I will turn of the gavel I wish I had over two of Devon.

    You did pretty well with the pen and the class.

    This panel is covering the topics of use of disclosure, secondary uses and data storage. Tender offers presenter is Eileen the Twiggs, which is the national director of the petition systems and technology at planned Federation of America. -- to land Parenthood Federation of America.

    Thank you, and good morning. The key for the opportunity to provide testimony to the HIT policy committee.

    Planned Parenthood is a national not-for-profit organization and would provide services to [indiscernible] R affiliate's operate more than 850 reproductive health care center is in almost every state. Each year, planned Parenthood health centers provide reproductive health care including routine GYN exams, a breast and cervical cancer screenings, contraceptive services, apportion care, STI treatment and testing and education. Planned Parenthood receives more than 3 million patients each year and the vast majority of our patients are low income. Most of them, we are their sole provider. Planned parenthood brings to bear more than 90 years of experience, providing highly sensitive confidential health care. A national initiative underway -- we understand the importance that technology brings to health care and we already have a national initiative underway. And [indiscernible] test the boundaries of the Health Information Exchange debate. Yet our patients deserve the benefits that come from health information exchange.

    Pour this reason, we are moving forward with the understanding that sensitive data will be part of the exchange, however, in order to include sensitive data, it comprehensive privacy and security framework must be developed. We appreciate that this will be a complex undertaking, situational analysis to insure that all risks, especially those with the most sensitive information are appropriately addressed.

    And and planned parenthood's world there R -- considerations for privacy and security. For is the patient often comes to specifically ensure that their family, insurer, employee or other health-care providers do not know that they have obtained R care. Second, R providers as their personal safety by coming to work every day and doing their jobs.

    Finally, physicians and individuals Hinckley Government individuals who want information to further a political agenda.

    Consider a 30 year old woman who is in an abusive marriage. She has previously received treatment at planned parenthood. Section or abortion, but whatever it is, she doesn't want her husband to know.

    Now her husband brings her to the emergency room at a local hospital with an elevated heart rate. Emergency room clinician is an anti-choice activists and she has access to the health information exchange. This could mean access to the information of her complete medical history and to the name of the planned Parenthood provider. Who determines what information is legitimately needed? How can we ensure that specific intermission will not be made known to her husband? How do we prevent the misuse of Health information be it at the expense of the patient or the provider? The stakes are high and the stigma a company's health care. The confirmation may compromise the patients and the providers of personal safety. It could lead to acts of discrimination and patients may delay or avoid seeking care if they believe their privacy will be compromised. As you can see, we have a unique role in a continuum of care and we know there are no simple solutions. We are still working through these issues ourselves. While there is much to decide, we strongly believe that there are five critical principles. First, we must protect the original understanding developed between the patient and the provider. First, we have to honor the contract. This means that the decision making authority of the Health Organization must remain at the Point of care with the patient and the provider. And this must pertain to the same level of judgment in the electronic environment that have any more traditional environment.

    Second, participants in the exchange should only access the information necessary to meet the needs that they have and to assert that patient.

    We call this the, less is more principle. To accomplish this, policies are needed to tailor the information scope exchange to the role of the party requesting it.

    The third, policy must define responsibilities with respect to health information after expenses exchange. And once expenses confidential, it is always confidential. And we have to this vessel Special attention to the use of sensitive information. Patients will expect that their information could remain confidential wherever it goes for us. First, and appropriate access must be denied. Subtly put, there must be no prying eyes. Those without a legitimate right to access whether they are medical professionals or family members, employers, insurers or politicians, must remain at bay. Lastly, we must practically detect report and penalized not complaints. In short, accountability is essential. Violations should have substantial consequences and penalties should be commensurate to the nature of misuse. This should include heightened criminal and civil liability and professional sanctions for the misuse of sensitive information.

    To achieve the real goals of health information exchange, everyone must participate. This is only possible if patients' trust have confidence in the privacy and security of the system. Most of our patients are ready [indiscernible] cannot be denied access to the promise of health information exchange. We're ready to work with this community so that all necessary protections can be developed. And we thank you for the opportunity to contribute to these important issues.

    The next presenter is John Huston. Houston is the vice-president -- this is a really long title. As president privacy and information security assistance Council and adjunct assistant professor of by informatics at the University of Pittsburgh School of Medicine and in a member of the National Committee on vital health care and statistics.

    Of Escalante, if all goes downhill from there. You do have my testimony, so I'll just go over a couple of highlights of it. And also wanted to call your attention 22 reports from [indiscernible]. This is respective to [indiscernible] and information as well as another report on data storage chip. It doesn't have a lot of recommendations in them, but I'd think there are the outstanding reports and it encompasses a lot of testimony and deliberation over a number of years. And it is great for you guys if you can't get a good understanding of what the issues R.

    As a privacy and security officer and due to my involvement in NC T BH as, I am involved in security but I also have to be pragmatic about the realities of trying to deliver health care.

    Sell either its say that that is based on that balance.

    The problem I see with privacy is it is a societal values and all of us in good faith have a different opinion of what privacy is and what it means to them. These opinions vary dramatically and when I hear testimony, you hear someone from one end of the spectrum and then someone from the other end of the spectrum and they are both right. So it is difficult to balance that. It is hard to find privacy and something that is not quantifiable. Place criteria XY and Z, and ask people to comply with them, does that organization have privacy? In reality, it may or may not. So I pick one of the dilemmas icy from a meaningful use perspective and overall is, how do you develop criteria that organizations comply with and then at the end of the day, as you can say, they have privacy. Unfortunately, I don't think that exists. So as such, I take my advice is, to do the best job we can with HIPPA and ARRA, and try to enforce bold and put a good investment mechanisms in place that are not overly prescriptive or arbitrary and we have to figure out a way for them to be effected.

    Regarding security, we have to make sure that whatever we put in place is flexible. New technologies evolve, new threats emerge daily, and provider operations vary dramatically. So as we are trying to develop criteria as to what type of security needs to be in place, we need to make sure that we are flexible. Because of the rise will law and that doing is stifle innovation and we will have problems trying to define people use in a way that people can comply with well trying to deploy Information Systems in a meaningful way.

    With regard to tax changes, and in the context of using disclosure and data storage chip, in addition, to the recommendations that they have made, are clearly think that it is absolutely vital, and to Dr. Clement dolls point this morning, we have to have some type of macro. And there needs to be a central organization that coordinates and polices and [indiscernible] regarding privacy and security. There has to be an organization in place that has to be a [indiscernible] so you can't even get into the network unless you have met some very stringent criteria, and that you make some very strong -- you enter into agreements with very strong criteria as to how you will act.

    You also need to provide mechanisms to patients to see how it has been disclosed. The idea of consent, I have heard a lot of discussion about whether there are meaningful or not, but what of the strongest vehicles to ensure that people do the right thing is often following patients to see it where information has been sent and who has seen it. So having a way for patients to see where the information has gone into has looked at it I'd think it's important. Now, ARRA allows for that at the covered entity level, but once we start to pass information across the United States, it becomes much more important and it is difficult to help patients understand where that information has gone often very transparently and with very few restrictions.

    Thirdly, I think this organization needs to be able to investigate in separate disclosures, when a covered entity may have done something bad, how do you police that? And I think an organization has to be in place to do that. And fourthly, by the gives patients can limit what information can be sent to wear if we allow them to decide what sensitive information can be restricted from disclosure, we have to allow patients to decide what they do and don't want passed across this network.

    In the end, I think it is critical that we get this right. To get it wrong with it in some form resultant ishtar. Too much access or too little access to data can cause some form of harm. Unfortunately this is not District Court for a simple solution. I have been wrestling with this for seven years on NCVHS, and it isn't easy, but we do have to get it right. Thank you.

    The queue, John. We appreciate it.

    Our last presenter is Jen the golden. Dr.Golden is director of the Minnesota Division of Health Policy, and he has been designated by the governor as the state government help ID coordinator. And we apologize that we didn't have any tax for you, but now we know who you are. Ahead.

    Good morning, the key for holding this meeting and allowing me to participate in that this disclosure and secondary uses of health information specifically as it relates to public health.

    And represent the Minnesota E health initiative which is a public-private collaboration which is for the adoption and use of health information technologies and electronic health records in particular. This initiative is guided by legislatively chartered state advisory committee with 25 representatives that broadly represent stakeholder groups with an interest in electronic health records, and has included public health from the beginning.

    Public health is concerned with threats to the overall health of the community based on the ongoing analysis of the population's health. Government health agencies provide the backbone to the public health infrastructure, but this infrastructure is also dependent upon other entities such as physician clinics, hospitals, and others and health care delivery system. It is also dependent on the public health and health science academia at universities, social services and others engaged and health-related activities, and it is critical that these entities are able to exchange commission.

    Public Health has a long history of mental minting a prepared privacy and security measures to protect information that has been collected for public health purposes.

    One of the reasons they have such a long history is because public health practice often requires the acquisition, use and Exchange of individually identified health information in order to perform the essential public health activities, including disease surveillance, outbreak investigation, the delivery of health services and public health research. Such a information is necessary for public health authorities to implement mandated activities and accomplish our public health objectives.

    Health information exchange presents a tremendous opportunity for public health to prevent disease using cutting edge technologies. And I said technologies but given in the last one we were arguing about 2,009 and 2011 and 1996, a thinkable stay with cutting edge technologies and methods.

    Into the violation of America needs to -- and hurt the quality of care but also focus on the well-being and Public Health will be critical to the focus as well. As you consider public public health roles in information exchange, but a share a few things to keep in mind.

    Tourists come at the detailed remarks for protecting the privacy of health information for public health activities will usually be extensively debated in state legislatures and tried to reflect the balance of different state concerns, and in the course of developing those remarks and policies, there are mechanisms for stakeholders to provide their input and try to compromise and find a balance between the different interests better get it represented.

    While in some cases, federal interest maybe ever. In meeting the needs of stakeholders, [indiscernible] need to have a lead role in setting and developing public policy. Public health policies -- closely connected to the local communities and able to reflect the different values and desires of the state quarters that are involved.

    Currently, public health remarks are not uniform and may not be simple.

    I will come back to that in a second. In thinking about the development of a framework for the National Health Information Network, we would ask that you keep four things in mind.

    One, Public Health has a critical role in protecting the community. Number two, public health often requires [indiscernible] immediate data to protect the public health and include the public population.

    Three, the privacy and security remarks for public health have -- reflect testicle interest and their perceptions about the public health threat, the needs and abilities of stakeholders to participate in information related to those threats, and the balance of public health goals with other important public policy goals.

    And four, that there is tremendous interest between local and state policies and these are often reflected of variations in stockholders' values and interest. So in thinking about the complexity and a lack of uniformity in public health privacies remarks, what what I say? If you look at them one by one, it is like looking at the forest and trying to look at the trees and vines, it is difficult. Minister to look at a forest, you see a wide variety of common things that applies to all of these. So when you think about the elements that apply to these remarks, you would say that some of these characteristics include trying to define the ability of the individual to participate in the decisions to collect, use or disclose identifiable data that might include consent and, the ability to opt out or the ability to not have consent at all. They're is a variety of information that needs to be provided to the individual as well.

    Second, the ability of an individual to know how and when their information has been disclosed. This may require auditing functions and it may required notifications. The ability to access and individually and and they're identifiable information, this may include the ability of the individual to access their information and a method to challenge the accuracy. The ability of an individual to challenged complaints with legal and privacy that works. That need to apply roll based access to data and the need to have limited -- in conclusion, public health is an integral component of E Health in Minnesota and the nation. With belief that population health and public health and are free markets essential to achieving use of -- achievable level in the initial definitions of meaningful use.

    Our public health needs are included in the -- should increase overtime and systems are modernized and capacities for exchange increase.

    Make you.

    Will now move into the questions from committee members. Charles?

    A comment and a question. I did get the skin at the last panel and I will make this brief.

    There was a statement made its share data with employer groups with an indication that that was inappropriate. Player group is self insured, they employer group is a covered entity because we are the business associates. It is not that we're psyched maturing debt in an inappropriate way but we're following the law.

    The second point, I was struck by [indiscernible] example of a presumably dysfunctional relationship and information coming out inappropriately and I was calling about a double-threaded that you can pretty much figure out what is going on even if certain pieces of information are hidden, so my question to the panel is, until systems can do it better job at separating a diabetes threat from a manic depressive threat, are we essentially stuck with them all in were or an all out situation or will we have a finer King Larry of privacy in the near term? or will we have a finer grained clarity of privacy?

    I deal with this all the time. TIFF and unfortunately, no matter how much you like to say that science is innocent, it is also an art. And I here time and again from positions that want or need information. And often information might be part of a psychic counter, drugs or medication or lab tests. It may have me and other contexts. What medication is the patient on? If the patient is rolled into an emergency department unconscious, a physician needs to know. If the high psychiatric unit, he might have people that, from an emergency department or intensive this who, because of a code condition have to treat a patient on estate unit and they have to treat that patient it could be catastrophic consequences. To try to understand what information is necessary at any certain time to perfect treatment is very difficult. Almost half to err on the side of more information but more accountability by these individuals so that they do the right thing, and if you have to have some way to enforce or some way to retrospectively monitored, because you can't necessarily prospectively restrict. It is definitely a balance. As I said, I struggle with it constantly as the privacy officer. I have had meetings with seven or eight positions as well as other individuals from a from a privacy perspective to talk about, how are we going to do this, or what can we do, because the lack of Information can be deadly. But that isn't mere challenge with all the time.

    I would agree with that completely. I need to the issue of accountability here and having clear understandings and transparency within the Exchange community as well as outside of it as to when information can be accessed, and for what purposes, is going to be key in making this successful, particularly while we are waiting for technology to the ball where we can get down to a more granular level of protection.

    If we don't have a common understanding of what is appropriate to be released, and what purposes, the risk to the patient communities are just too high.


    I would like to ask another question on another line. We were considering, what are the best ways to handle things? And not only do we have consent, but also, documentation and audit trails of to access this information. But let's think about the patient's perspective and go back to the basics of what the patient wants to know as well.

    Give me your opinions on what your thoughts are on a signification of patients with information is actually access to? Do you have any thoughts on perhaps that as a mechanism of really putting control in the system when you add Power the patient to know that that information has been passed, not just to request documentation later on, but to follow an audit trail after something has happened at perhaps up front, to be notified if my information is being passed to another entity, with or without consent.

    Patients definitely have a right to know when their information is being used, and for what purposes.

    My concern lies. Getting the balance of that information so that it is meaningful.

    In other words, if my expectation has a patient and I come in for care is that you are going to get my information to my insurer to get by Bill paid, I need not need to know that that use in particular has been made or when it has been made if there was a question that came back up and and we release and clarification of information. Oftentimes, there will just be a level of back and forth between a provider and insurer in terms of claims management that may be overwhelming to the patient if they are actually notified every single time a different piece of information.

    However, when intermission is released for purposes that a patient is not expecting, that I think that that would be an appropriate circumstance to have a patient notification.

    You want to manage the level of information so when it comes into the patient is meaningful, not just high and getting an attorney is from the health information exchange, it almost becomes meaningless. So I'd think there are no simple solutions and with any number of things, this will be a test at a balancing act.

    I think in the case of Public Health, we often require mandatory reporting for a variety of infectious diseases. And and think there are a wide radius of Ways -- we edify when we can collect information without the patient's consent that may be mandatory from an organization.

    When we collect information directly from the individual, we are required to tell the individual if they haven't done that a legal obligation to provide that intended use of that information or the ability to use R further disclose the information beyond the intended use. The benefits and risks of supplying the data and the consequences of not supplying the data, so we do try to tell individuals with that up front in a meaningful way. I am not sure if it would be helpful used it for further disclosed it beyond those activities for that patient to get that information.

    The other thing that I would say on behalf of the E Health Initiative is, after talking with a large number of integrated systems, and he were asking specifically about disclosures, and I think about uses, one of the concerns and large system has within their facilities about who we have used or access that data, if you are in a hospital, he might see four or five care providers, but there might be a legitimate reason for 40 or 50 individuals to access that data, that at the general belief of many in our health community, particularly in a hospital could be that that information baby disconcerting or confusing to a patient because they may not understand all the business operations within such an entity and it may not add even clarifying anything to those patients.

    I actually read a study where complex cases, there may be up to 250 people that may have access. So at the macro level, I think there needs to be some level of transparency so the patient sees weather information is being disclosed.

    If they were never in Washington D.C. and a provider in Washington D.C. asked for their records, they may question why that occurs.

    The same thing if they suspect that their neighbor looked at their record and their neighbor happens to work for a hospital, they are able to go to the provider and say, specifically, did this individual look at my record, that can be meaningful as well.

    And looking at that list, it can also cause a lot of distress for the patient and can actually be a lot of work that I think has no meaning. Now having said that, one of the things that the health system does and I think we are very aggressive about it, user of their system, their manager has to request access. And we send blogs and alerts every day and and manager is responsible for reviewing and individuals access. SOP that we run other types of reports such as same last name searches, like looking at a family member which is inappropriate. And also, the IP reports as well. If any of those triggers occur, the management has to go back and ask the employee why. So if we continue to look at the reports and be more sophisticated, with cash in a lot of that activity ourselves. Because of the and what happens is the employees become more sensitive to the fact that, if they look at something, they will get caught, and it cuts down on people's willingness or desire to do that.

    There are a lot of things we can do but there are a lot of balances because we could run down a road and have an enormous amount of data that has no meaning to it.

    Thank you all, I have quite the list.

    Go ahead Paul.

    Just a warning, I will put the panel on the spot. We heard about the importance of health information, but keep it local. We heard about, not too much and not too little approach, and we heard about respecting the covenant that the provider has as a patient and they are all very important.

    And we have we used the word balance on awful lot. The NCVHS report which is a good basis for a lot of our deliberations talks a lot about the key issues and prose and cons and spoke to balance.

    So the spot comes in terms of, let's get down to what Gale says practicality and somewhere along the line we have to take the next step and go through the solution or at least start making actions to reconcile these things because Dale will start exchanging.

    Let me put into three lumps. One is, which could put the burden on the patient, as Devon was saying in terms of making it a consent. And another might be the, trust but verify, and in a sense, that puts the burden on the provider with the audit log. And there might be putting the burden on the legislators say, here are the rules that everybody has to comply with.

    So I will preempt and say, well, ... of [indiscernible] where to put the majority regulations in that continuum just as a start of that direction as to where we might start talking?

    Nobody wants to answer your question. [laughter] I will start. I think you are absolutely correct that consent could be something that patients simply sign and it is very difficult to get meaningful consent to things. And I don't think regulations is necessarily a good thing either in terms of having regulators come in. This is your facility all the time and I think that can actually get in the way of trying to deliver quality health care. So I think that the one, trust but verify, is really the way we have to go. I think between internally reviewing access and the way people are accessing information, as well as providing this transparency so that the patient can't see what -- can see who has looked at what and where information has been sent, those to things sort of caused the system to achieve some reasonable balance. And we will still need to have regulations and regulators, if there are issues, and there still needs to be some level of consent for sensitive information, but these and other controls can act to mitigate and work nicely.

    Mr. Chair, I think that is a false choice that you have given us. And I think the reason is, I no you said, don't say all of them, but the reason I think it is a false choice is I think it is a need for some of these. But the give you an example. The case of infectious disease, my experience dealing with consumers is that they understand they might get that through no fault of their own. Ther pitch less concerned about data being moved for their protection with infectious diseases. When you start to get into a chronic disease, debut that more as a lifestyle choice and want more control over what information goes. Selves you need a system that can accommodate different levels of responsibilities for different purposes, different rules and different types of information. I think the system has to be sophisticated enough overtime to be able to accomplish the different options that you have provided.

    I think the one area I agree with John the most is, is difficult to do this accurately and prospectively. Key is find ways two and said all the actors in the exchange, whether it is the request your or disclose their court someone else to act appropriately. There might be a wide variety of ways, it might be a social norms for a legal structure. In Minnesota in the private industry, we have a right of action for the appropriate use of health information. We have found it cost us a big legal problem but it has made R providers think much more carefully about how they use information.

    The only thing that I would add is that I feel that there is a new player here that we haven't really considered in were three choices, which is the role of the exchange. And while I don't think the exchange has a role to play necessarily in deciding when and how information gets released, I do think that the exchange has an enormous role to play an detecting and enforcing the Community norms, however they are established. So I will say that they actually need to put a large role in terms of that accountability measures and monitoring and enforcement at the exchange levels of they can't understand how the community as all all is expecting to police their neighbors.

    Before we move to David Lansky, I will say as a process point, unless a question is directed to one of you specifically, any of you can comment, but you should feel obligated to respond to each and every question. Not that you shouldn't, but we have a shorter amount of time for this panel.

    My thinking is falling the same lines and I am thinking that I have three different ones. We can classify the data as sensitive for it to the varying degrees of sensitivity, which could classify and qualified users, and we can manage transactions between them. And each of those three levels can have some technical tools brought to bear. And I and interesting particularly, it is to be talked about and it isn't so much anymore, is one, the National Health Service for a time contemplated what they called an envelope which was the notion of the incentive Court declared data by the consumer, saying, this class of data for me is sensitive and I would like it to be treated Offline or in the fact, an envelope, all the available to certain users and that must be audible and accessed separately. And don't know if and HS pursue that or what has happened to pursuing it but I was wondering if any of you pursued that kind of solution.

    The second similar solution was to essentially have a class of users that would be permitted to pass a sensitive data in an emergency room situation, but that would also be repealed and audited properly so the appropriateness could be expected and if there are sanctions [indiscernible] reproductive health issues we are talking about, those could be made manifest. So those to solution so to speak Steve, are they related court relevant to the discussion we are having?

    I think they are absolutely on the table. I think part of the issue that needs to be discussed and decided is the levels. So for instance, in the envelope or break the glass, and I sort of view them similarly as to what the scope of the authority around how that information gets used, and to that authority lies with, because right now, HIPPA allocates responsibility for how information is used largely between the provider and the patient, and this was something that earlier panel discussed.

    But in giving a patient the authority to remove their information from the exchange altogether, maybe with the exception of the break the glass scenario, it actually may not be in the interest of fostering patient safety and quality assurance and public health activities.

    And I do think that needs to be a clear understanding at the outset by both the patient and the provider as to the types of uses that will be made, and there needs to be trust that those uses will be made in accordance with the framework that has been developed and the understandings that the patient and provider had. And think there are polls on the table but I don't think that day in alleviate -- that they alleviate the role based permissions and transactional based scope and limitations.

    I think that they are all sort of incomplete solutions to some degree. I think break the glass is good in concept and I think to some degree it is important to have the functionality, if there is a whole class of information when talking to positions that they need to ed to have access to. They may be sensitive in nature that you want to hide behind the glass, but medications and lab tests, some of them don't have any direct relationship to a particular sensitive encounter, but they are at a meeting to that position. Even something like Methadone may have multiple uses. And you need to have access to the -- making sure that you get that right. And second, if you know there is classed there that needs to be broken, how to know if it is meaningful or not? Is it just that there is something there and it needs to be broken or do you put more context there, is there a site data there, treatment related to abortion, how does the physician know when to break the glass? Or maybe it could be information about cosmetic surgery. Maybe there is never any relevance to the fact that once that person has recovered from the surgery that that occurred? Concept, break the glass makes sense, but it is not the and all-be all to how you protect sensitive information. There are limits to it, and to what Ellen said, I think you also have to be very practical and set expectations to the users as to what their obligations are.


    My question is a little more general, in dealing probably born with ethics than anything else, but it relates around the minority to majority status. I am just wondering if you have any recommendations for the committee to consider as we look at the transfer of the obligation of the stewardship of that data for individuals. Was collected when they run under 18, persist after they turned 18, as with a cat cancer survivors. 65percent of kids are on some type of clinical trial protocol, there may be delayed effects 10 years later. Subsequently, we know that some cancer survivors don't ever want to be contacted again about their cancer experience or were those records might be. And win a R, who has this, where did they get it, did their parents actually commit to this. So it is more of a general question that had you given any thought to that particular population?

    I will answer it in a different way. And I think the bigger issue will be in reversed where, once genetic testing becomes more sophisticated and advanced, and the parent has been tested port certain genetic predispositions and then the child wants to go back and understand what maybe their parents were genetically predisposed two or there issues with cancer or, should they be tested for other things, I think genetics in general will be a huge issue, at how do we appropriately manage genetic information on both primary and secondary use, it is going to be huge. And that is what I hear when I hear about children and information flow.

    We are definitely running low on time. Neal, text on my list. -- your next on my list.

    My comment is I agree with what he set about audit trails. I have had the opportunity to look at the audit trail on my own electronic health record, and every time someone runs a Quality Report for the export adverse outcomes or looks for everybody on a particular medication, to name shows up and it gets to the point where it is relatively meaningless.

    The second thing is, in relationship to the example you gave, Eileen, about the abortion, and somebody showing up in the emergency room, I haven't heard anybody talk about the temporal relationship between when an event happens and when for example, if someone had an abortion yesterday and shows up with a fever, that is relevant. If they had it a month ago or a year ago, it could be irrelevant information. So the timing between these events, if someone was hospitalized for depression 12 years ago and that shows up on their record, that may or may not be relevant, or if they were on a medication and longtime backer. So we have to figure out something around how long this data is relevant in the record, and I think that is some element we haven't really talked about.

    (CAPTIONERS TRANSITIONING). It became much more and then I think the morphing of Public Health to which take into consideration chronic disease is really something that's happening more and more around the country now because of a burden of chronic disease on the population. Where you mentioned at this dichotomy between people being able to be on a subway in be exposed to something or not verses' the elements of chronic disease, I think a chronic disease is one of the most important things that public health test to monitor right now. Number one because of the cost implication and to because we're being overwhelmed by it and part of the policy piece of public health is that it has to inform the country about the kinds of focus that we need to have. For example, and Dr. Bill mentioned are former health commissioner in New York and one of the things they did was they started to collect information on diabetes. And it's incredibly relevant to not know that for people who are in medical care in New York there over 100,000 people whose last hemoglobin is over nine which means their diabetes is wildly on official. I don't think anybody would have imagined that there were that many people who work in medical care whose diabetes was that much of control. And that allows for targeting resources and targeting interventions and other things that have to be done in a public health level. And was wondering if you comment on that piece of it. I don't really see that much of a distinction between the work we need to do around infectious disease and chronic Disease.

    I would absolutely agree with you on a couple of things but the force point on the time limited use of that is that action is in my written remarks as well. I think that's a very relevant point and a system should, the day that is what. I would say an Article that to my point on public health and the data that's been collected is usually given as misspells said under that a statutory drama that has usually been actually debated in public forums as well as a legislative bodies. And those bodies are balancing different points of view. And well and there on the relative level of importance, we absolutely agree with you that chronic disease is critical to the well-being and to the health-care cost of our citizens. However, I do believe that if you but get where citizens are right now, they do have a fundamental difference and what they are willing to provide for information about infectious disease versus chronic disease. I think that some of the types of questions that we need to think about in that case is do we need individually identified data for that? Can we use Anonymizer patient level data. Can we use more population level data? How do we need to collect. I think there might be other ways to collect that data that protect people's privacy by either making it homogenized or collecting it at a more a decree or a level that action can be very helpful in informing the policy debate. I would say that is another piece that is perhaps more unique to public health and a secondary uses then it would be to some of the discussion we've had directly around treatment of and treatment quickly, unique individual identified data for treating the patient. And public health I think you have to look at the function, what you're trying to accomplish and then decide what's the right level? It's almost like the minimum necessary to actually accomplish that public health purpose. And that's what many of the debates often focus on is what is that right level and what happens, what are the limits of not getting every last patient's name, data, address and the ability to contact them versus Anonymizer aggregate data.

    In relationship to the issue of being able to take people who are in medical care and to be able to be informed them that their diabetes is out of control and that these are people who are currently in care seems to me to be a public health issue. I don't think it's only Anonymizer and did that useful in a public health contact, you also need to in some cases be able to go back to patients and be able to understand the kinds of care that they're getting and to have a second mechanism of informing them that there are other types of care that they might need. Again, we're doing that now with the surveillance. There's only so much in doubt about it at this point. At some point, as your collecting specimens, he might need to or want to be able to go back to people and we identified people to inform them that their late [Indiscernible] of something that they might need to know about. It's not as clear-cut as that I do appreciate the fact that a lot of this of the Public Health can do can be done with Anonymizer data.

    , I've got three folks on the list here, Tim Roger and to date so let's get to that and if there's time for those who aren't on the queue, will go there and otherwise we will wrap up. The head, Jim.

    In the interest of keeping [Indiscernible] on time, I will direct my question to John. He mentioned in the early part of your remarks that macro level oversight of privacy and security for the NHL and is a member of the night giant corn and a committee of August and have a special interest and that. I'm curious, he went on in to talk about credential and authentication agreements allowing patient access to audit trail data as well as their ability to limit their data. And the ability to investigate and a proper disclosures. And while those are obvious governance issues, I'm curious as to whether you believe that those kinds of governance practices are best made at the lowest possible level. Certainly you representing a provider organization and if you would agree with that, then what would you see the role and the scope of a macro level oversight body?

    That's a good question. Nobody knows how widely information is going to be shared. I just think there needs to be some type of oversight outside of the provider context when we are passing data between providers. And if 99% of the data passes within a region, and there is a local organization that that's responsible for that exchange, then maybe you can put the responsibility at that level. However I think there needs to be a national standard and then is to be ways that that data can be abrogated in the event that there are, there is transmission that goes on beyond a region. I think at the same time provider credential Lange, I think is incredibly important because not all providers are covered under HIPAA. Even with the ARRA we have providers that are not doing it electronically for services are not covered by HIPAA, there's all sorts of batik services that in theory need to be part of the and HI and that aren't HIPAA covered entities. There has to be a way to ensure that they act appropriately. They're not business associates either. It's a dilemma that has to be national standards established and I also think that we do have enforcement mechanisms to day such as the Office of Civil Rights. And if there is, I don't know if you extend the Office of Civil Rights to have a role for investigating when a patient says, I don't know why hospital X made it to my information, I have never been a. But somehow you have to get that investigation and enforcement of the hands of the providers. I guess I don't know what level it resides at, but I think there needs to be national standards and the opportunity to ensure that it's consistent across the U.S.

    The head Jim.

    Quickly I would say that and begin about exchange would I think is different about a single provider is you now have three entities involved. You have a request, you have a disclosure and you have an exchange entity. All three of them need to do the appropriate and their activities and their actions. And one of the things that I think would be very helpful if you think about investigating an inappropriate user disclosure within that context, there might be information needs that you need to make sure that the request you're always captures when they're requesting the disclosure of is captures when disclosing, and the exchange is capturing along the way. SUR just capturing the information that would be necessary to do an investigation of inappropriate activity across those three entities and some mechanism for tried to use that information for the investigation would actually be quite helpful.

    Thank you. Roger, and then Judi and if you both, it's awful to be at the end of a less than closing on time, but the system as it can.

    I'm going to pass.

    Thank you.

    Now we are early.



    I appreciate analyst comments about chronic disease and the burden of chronic disease and the importance of managing population help but think of a great example meeting individual specific data in a population held approach is a disaster response to go what we saw of Katrina it was that all those people and the shelters and Houston had chronic diseases and needed medications. And didn't know what they were. That's another great example.

    Many thanks to our panel. We set at the beginning we weren't attempting to use this hearing to answer all of the many questions about to try to raise as many questions as we could so that we could at the end of the day, make some decisions about priorities and how to move forward in what might be some further inquiry. I feel like you've definitely done that for us today. I want to thank you very much.

    Thank you very much. This is a lot easier having other people moderate. I get to be the timekeeper. Its new, we have a half-hour break for lunch. We will be back at 12:30.

    [HIT Policy Committee Meeting on lunch break until 12:30 p.m. EDT.]

    I want to thank our panelists for being so prompt. Were prompted I'm afraid then the chairman. We have more I think very eliminating testimony to be heard. And once again, I'm pleased to be able to ask or maybe I can't ask, I'm not sure it's fair to ask you to do two. I'm going to ask Paul again to moderate. He enjoyed it so much they wanted to do it again. He begged to do it again. But I think the panelist for being here and I will let all take it away.

    Thank you very much Dr. Blumenthal. Good afternoon. I'm a last-minute moderator, Dixie who was supposed to moderate apparently is under the weather. And wasn't able to make it. That is why I moderating this panel. The panel is called models for data storage and Exchange aggregate data, a dedication and re-identification. It's a fascinating panel and the also it is absolutely fascinating. As was described before, lunch there are no PowerPoint slides. And what we're trying to do as a group is it willing information gathering. Its not like this is a deliberative process today. We're simply trying to learn information. I'm going to introduce each of the panelist. The first is Claudia Williams. Who is the director of health policy and public affairs at the. Foundation.

    Thank you for the opportunity to speak today in for given the longest time of our panel. Which took two or three lines our panel today addresses critical questions of privacy and public trust. And in particular, the architecture choices to support trust information sharing which we for a lot about already today. Remarks will focus on three key points. First, as we think about these questions we must have a framework is to touch, second ensure that policy guides technology and not by -- Vice for second and last that we consume less innovative models for protecting and sharing information because we need to do both. As a report about already today, the potential of network information to achieve a measurable health improvement is enormous. Access to the unused of critical information whether the reason lab values, this charge summers, medication history, is literally the lifeblood of health improvement that we so urgently need. But this critical information is often not available when and where it's needed. Innovations that can improve care are disseminated painfully slowly, as a teen years is the estimate and last it is. And there's and consistent delivery of proven care as we know about it 55% of which recommended. To address these issues, we will need a 21st century health improvement, and health information ecosystem. This will mean trusted it does to Richard and dynamic access to information by authorized users. Information management and architecture models that protect information while limiting complexity and cost. And feedback loops and quality research and public health to support rapid learning. The American recovery and reinvestment Act is a critical opportunity to unleash this potential. But the success of ARRA would depend in no small part on whether the public and health but dispense trust the information will be protected. In 2005. Connected for have articulated a policy framework for enabling information sharing of protecting the privacy. This primer Candace on nine core privacy principles but the fare information Pakistan's book that they give already heard about to through several and -- Presentations it -- That patients have access to areas in the control over the health information, and that security safeguards are adopted. Over the years we have seen this framework translated into very specific practices within the health sector. Just today, Markle talked about is it a favorite in his work, then fell and his comments were mentioned this overall framework as well. As we've seen this policy driven approach, we see several things. It means when data are needed, the purpose must be specified. And allow the data necessary for achieving that objective by ship go and naturally the core of the HIPAA [Indiscernible] requirements. There might have spread throughout cermet as referred but today, and did this day as close as possible to where they are captured and are shared according to specific needs with a specific purpose. In contrast a technology driven approach often start with a technical requirement and is driven by technology decisions and often comes to this critical policy matters to subside if after the fact can avoid. What does this have to be with architecture? What is at to do with technology? I'd like to what do a few examples of how these privacy principles can be the starting place for translating principles and to operational decisions about how information is shared across the health care system. These principles should guide and share the clear policies and Technology choices including how information is discovered, exchanged, analyzed, and stored. The examples are not meant to service readied made uniform solutions. Brother as illustrations. How can we use technology and architecture to reach our goals? And remember our goals are these policy principles. Let's start by looking at how the affirmation exchange. When we think about the principles of a purpose specification transparency collection limitation, and even data integrity and quality, the result is an architecture in which data are locally controlled and referred from discussion today about the psyche of keeping it close to the edges where patients and their providers are working together. And that doesn't just have important privacy protected at the bridge at all it also has critical equality and integrity attributes. When the data remains to be to that is they're not necessarily coming look into one single database, but they can still be discoverable. Using directories and other technical toast to prevent the need for disclose all of the underlying data. Marc is grab one version of the Federated Mall and in my comments there's another description of one in Tennessee but in both examples you have these attributes of local control use in architecture to protect information and keeping those kind of data storage chip and quality data quality issues as close to the source as possible.

    Looking at Research, an emerging approaches for research and analysis benefit from the competition of power of many is to be to the information sources. But not without necessarily the cost, time, privacy risk in quality issues that develop when creating new aggregated data bases that must collect, clean, and centralized data before they can be used. The eight and a research network is one example every distributor of health data now work. Allowing researchers to ask the same questions across multiple similarly structured data bases house to disorganizations but this is the concept of talk about at Markle about bringing the question to the data. Imagine you have a research question about yes several organizations that have a critical date on it, they're able to take that question to the on data base and return results to you. But with the returning all of the source data. With the returning of the identifiable health information. Similarly on the quality from, today many quality efforts require participants to share personal ahead file health information to analyze and but equality as it exists across the providers. But by contrast York City primary-care in commission project a different approach. Resistance is directly generate quality measures. Those are reported to bridges to excellence which is a quality improvement eight [Indiscernible] program and there's built-in mechanisms to audit so you can go back and look and say of such a such a day when assented to make, what information we do and, you can still be audit of the report but you don't need is an identify hope the information. And you can still get your important goal of quality improvement. The Public Health, the is debated initiative takes a similar approach to system service to the hospitals and clinics report simple aggregate measures underlined identifiable health information. But let's step back, as we think about this critical population health examples, it is clear that there's not a one-size-fits-all technical approach. We won't always be able to use the model that is to be business or the HMO Research Network uses as with this question to go every effort needs to start by defining what information is being shared and with what clear purpose. Guided by these answers, they can determine what information should be shared, what's the minimum necessary, and with the technical approach could be. Often when referred examples from the spokesman for innovated these models, without needed this Budget Commission but when we really sat down and that are about it, this much would do. This kind of progress analyst progress [Indiscernible] what do we really need to share to get to this goal. It doesn't say you have to shut down ago, it says you need to ask how to do it in the best way. In conclusion, as we think about this critical policy questions that lay before us, as you move into this next century of what we hope will be never information use, what are some of the key point to think about? One, we should adopt a free market based approach, requiring information sharing efforts funded by public dollars address three basic components of trusted Information sharing. CUR privacy principles, sound network design, and a strong and its and scalability. Those they must work together. To create tested information sharing. Ed two, a center that Policy guides technology by using the basic depends a share intimation principles such as purpose specification and collection immunization and actual underlying design of quality compared its effectiveness and commission exchange and public health effort. And third, let's stimulate innovative models for protecting and sharing information. I could use this to begin research networks? What kinds of questions to be as with that? How could this to pick up the see it in which a public the department generally? Let's invest in the methodology and strategy to address the analytic challenges of this to be two analysis. And develop approaches to share and use information that reduce unnecessary exposure to privacy protected architecture. Thank you.

    I look forward to the discussions.

    Thank you very much. And expect there is develop Marshall is the vice president for product strategy of the Web and the.

    Thank you very much. It's a pleasure to be with you today. I will be sending a subset of the written testimony today. Short introduction for you about web Maryland to really colored some of my perspective. It began a number of years ago with really the consumer at the center of their set of services. With that before the public portal which is under 60,000,008 Caesars' management or before are services decisions which provide health and benefit management solutions to large employers and health plans but still with the consumer user at the center of the equation. My testimony here today really by and large represents that latter division, WebMD what services which delivers early data driven services but upon a user's own press likened to a personal health record. To large employers and health plans. On the topic of the panel here today, secured data storage and Exchange, with the WebMD Personal Health record, the PHR services are provided in conjunction with our payor an employer customers. We have HIPAA associated agreements that integrate professional data sources like lab test results and claims originated data into the PHR as well as a day use agreements with the data partners that provide that David, be that the D.A. did were horses, where firms let's. The purpose behind did exchange with the PHR is to live are considered and it uses to gather customer manage and share their health data for themselves and to be able to share with others to help support better overall health care decisions. We do believe that the PHR can help achieve the objective shared by multiple stakeholders and the health care system to provide a greater continuity of care in order to improve quality and lower cost. Seven as H DA to cover entities we do support and the to the HIPAA privacy and security rules. We believe in giving our consumer users control over the other did is managed and shared. We do not share identifiable help the commission with employers although our end users can choose to share their data back with the health plans or the service providers that provide services on behalf of either the employer health plans such as disease management services. Our guiding philosophy of consumer control and choice is Claudia mention in line with the Markle Foundation and the consumer principles. A couple of additional points and I will finish up. I wanted to provide just a couple of points of be back on some of the recent publications and discussions out of the committee. And those can be found in my written testimony. The 2011 manfully his objectives and measures specify its access to consumer for the information. We certainly applaud the committee for the matrix of the meaningful use objective and measures overall. We did want to point out one discrepancy that existed in ARRA, there's the provision that consumers in a copy and get the 2011 criteria still describe access. We wanted to point that out. So that care providers certainly can rest assured that when the plan with the meaningful use criteria, they are also complying with ARRA. We believe that there are certainly some specific barriers to consumers and to date exchange and access to and we wanted to take this opportunity to point out one of them. That we hear about quite a bit from our end users and that is some of the barriers that exist for them to gain access to the laboratory test results. Uncertain not a foreign topic to you all, but just to reiterate the point that consumers cannot get their lab results directly from the reference lab but in almost all states, it has to be released by the ordering care provider. And will certainly makes sense as we look at what our health plan partners are able to do as a result of their contracts with care providers, and what many larger systems are doing such as Kaiser and release him the results to end users, we feel it's time to take another look at the legal barriers to consumers in and access to their own lack test results. I will move up be on that topic that may be a little bit of a side topic. What of the other issues that we worked very hard on it that relates to the topic here at hand, I did exchange is not just technical interoperability which I think most of the standards of work have centered around, rather semantic interoperability. We a have somewhat uniquely been at the intersection of administrative did it, let test results, the consumer, employers, peers, we see data from a variety of different sources so we in order to create its American told an action low-profile for them to drive decision support services have had to manage how that data comes in and is then interpreted so that it is acceptable for the end user. As we look ahead to the standards that are being proposed, the its, Connecticut, are X norm, like, we feel that semantic interoperability is going to need continued attention. To ensure that we are paving the way for good semantic interoperability in addition to technical interoperability. When it comes to personal have felt for its systems and certification, we do [Indiscernible] a member of the CC HIT Personal Health record working group and as a possible out records to play a role through interoperability and supporting mean for this criteria for doctors' offices and EMR Systems, a surgeon we feel there is a role for certification of personal health records and so be that through ECC HIT or through additional organizations, we certainly support that notion. With that, I will turn back over to you.

    Thank you very much. Third speaker is Kenneth [Indiscernible] who is the associate director of the National Cancer Institute.

    Thank you very much. I want to give a quick second of background on the National Cancer Institute those of you who may not be familiar with who we are. We conduct research is our primary mission within the National institutes of Health. More importantly, we said that the interface of care and interface do we unequivocally believe is going to be transformed in the 21st century as we move to the eHealth universe and health care system. Of particular relevance to this panel is we have a broad depth of experience in conducting and managing information in support of clinical trials and research both national and international in scope. We conduct public health research maintaining large time monitored cohorts that are studied both geographically and locally. We may take registries of of aggregated and identified information that have but public as the possibility assault as regulated accessibility. This long history of large-scale data acquisition management use and disclosure includes managing health information exchange between multiple entities of the virtual communities. We've had put in place but policy and technical infrastructure that supports that. We've explored more models they probably can enumerate on how to monitor come authorize, control and exchange information some of which are very familiar to members of these groups in an institutional review board. And a variety of other local pipes of access communities. What I wanted to do is spend a minute sharing of of what's in the testimony some of the lessons learned. I want to be explicit that I don't speak for the National Cancer Institute or the National institutes of Health and the Department of Health and Human Services or for any entity of the federal government. I'm going to be giving my personal comments and reflections of what we've experienced in net large-scale national [Indiscernible] The Cancer biomedical and grid and how to touch on of these things above. First and foremost, in my testimony we described the information flows where we have use of identified the identified and aggregated information and that gives to .1 that I want to make and that one size just simply doesn't fit all. We have to be absolutely cognizant as when the board of try to find a single size solutions. We need information architectures that recognize the data has to live in all of these different forms and our party, has to have the capacity to be transformed between these different pieces. Number two, definitions are important structured is key. Research collects data in highly structured ways. One of the ways we can do these transactions that I mentioned, is because of the discipline as part of the research process that leads to a public collect data in structured, and data elements and information models that lets us know and potentially where necessary control the provenance of data, who has access to a and under what circumstances. If we are going to do segmented data access, we can't do it in the absence of an commission structure. There has to be architectural fame marks around this. A lot to be crisp on this when I say architectural framework I know if it's the parents of people's mat of the. We are not say there's a specific prescribed Texaco solution to a problem. But we're saying there needs to be a semantically interoperable Famer that allows us to describe what information is, where it resides and have data about data. And it needs to be transparently accessible and only through the transparent accessibility of the date about did it can we hope to manage who has access to what. We think this is critically important. We believe the needs to be this office and facilitates the creation of be distributed trust fabric and an architectural framework that allows us to manage both attend local level and at an aggregated level information. Next point, we believe it's critical we manage appropriately the grain size of consent. We recognize the importance of consent where is practical. But we also recognize as has been discussed keep public health pieces and the expanding definition of public health that needs to be constantly considered in all of these. We also need to be constantly aware of the burden of consent as well. The bird and conform several different ways to go how aggressively do we want to be pressing sick individuals or people who are currently diseased to be provided consent or can we deal with this and other ways. Iran and to the issues in my field unfortunately of deceased individuals. And how we go about managing the consent associated with that. I think one of the exciting things about the merger arbitrage it and into dollars is empowered as to not have a one-size-fits-all and to be able to tag consent and a their blanket fashions or an individual grain size fashion depending on the specific use. A solution to dealing with this is architectural frameworks and I will apologize for my technical dive here it is to use attribute based is on context sensitive role basis for it. That's a mouthful. That being said, the mouthful that that is is actually an infinitely doable thing that we are actually have deployed in our nationwide network to the cancer biomedical and [Indiscernible] bread. At the level of individual attribute, we can actually track who can do what to what and in what context. Lastly, in the context of specific points, we believe is important that we don't create a regulatory framework to try to prohibit all possible misuses but instead, achieve a balance that punishes miss his. We think it's dangerous to assume we can ever regulate a framework for data will be misused and if we tie ourselves to the not we actually do have the potential of doing more harm than good. We believe we need to audit and enforce. Lastly, I have one emphatically, please do no harm. Why do I say that? Research lives in a very highly regulated universe today. There are many restrictions, many of the issues you all are discussing, we live with on a day-to-day basis in terms of who can access what in what circumstances with what technologies, with what approvals and with what institutional and individual consents. Please be careful as we move forward with the electronic vacation of health information that we don't player on an additional layer of bureaucracy that breaks the system that's already somewhat on its knees at times to conduct research. We need to be very careful that as new rules are passed the new regulations are put in place, that we don't have viral unintended reached [Indiscernible] that cripples the existing work in process as. And that we are experts in the boundaries of where rulemaking sets and explicit in the boundaries of existing regulatory frameworks so that we don't publicize our capacity to do things we can already do. We have a long history of indicating research and care can coexist. I . out and had a pointed out that power of pediatric research or 65% of individuals are both engaged in clinical care and in clinical research. We believe in the get a committee that that's one of the reasons do we have had a 50% approval encounter outcomes in pediatric research as opposed to it some of our other areas where we have less than five % position in clinical Research. We also believe that it's one of the reasons that we've seen things like acute lymphoblastic lymphoma move from a death sentence of about 5% survival to about 40 years ago to about on average 87% survival and some sub forms molecular types of forms of 95%. Research is this engine of information that we heard referred to earlier that will take us out of being so 2009 and unless we actually have the capacity to drive that, we will be able to move forward. Or over, if we want to achieve a learning health care system, we have to intimately joined these two universes'. Thank you.

    Thank you very much. People have questions, we will start with you, Tony and Paul next.

    Thank you. Thank you speakers. I have a question just relates to the aggregation of data. As you know we move forward with meaningful use and collection of data under a high-tech the present some interesting possibilities as we continue to refine that over the years. I wanted to get Claudia and can in a particular address this as some level but I'd like to see if you have any specific dots or guidance as we move forward in this area?

    I think the issue that your agency is already very interested in it engaged with is a question of how quality reporting could be done in a more direct not thematically as a result of using Health IT systems and PHR. I think that idea that the demonstration of achievement of meaningful use can be accomplished in a way that's embedded in the regular use of the systems, perhaps wasn't a burden on the providers and provides some idea still opportunities for the kind of data protection mechanism reporting aggregates, saving state see can go back and audits that has been more difficult to achieve in more traditional quality reporting approaches. I don't have the technical answers. I know you have questions you are tried to answer about how to accomplish that. But just to say I think it's an incredibly important area of exploration and resolution as we look forward.

    I will argue even in the definitions of when we are talking but certified electronic health records and we talk of any get clinical decision support and other activities, the availability and use of aggregated data is going to be essential. The engine that drives much of this underlying decision support is the access to end projection onto aggregated data. I do think that at some sense of irresponsibility to suggest that we need to be even careful that when we use the word aggregated it doesn't necessarily mean that information is completely the identified and there is no risk whatsoever of flavors of extracting individual information from that. I think one of the ways we deal with that are tried to do this in a clinical Research said it is to be as up front transparent, and honest with people we contribute information into these resources. To never a sure that there's never a chance that any information could be disclosed about the. Its a flavor of informed consent but I think we need to constantly explore these and figure out how we get Next Generation tools to support this.

    Thank you, Charles.

    It's hard to get questions and so I'm went to get into 41. First question in full discloser we've been working with [Indiscernible] company for five years ago a check with their security and privacy of this and we've got about 25 million members or so with access to PHR system. We haven't had one privacy or security complaint. I was wondering if you could comment on from your perspective, why you been so successful in supporting us from a privacy and security perspective?

    And to squeeze in the second one, for Ken, for my personal, looking at on ecology, and personalized Medicine, may be looking five years down the line, if you could comment on what types of things we should be thinking about from a privacy and security perspective with that expectancy impact on oncology.

    In response to the first question, when you consider the fact that I believe we began professional data feeds into the personal record on behalf of well [Indiscernible] in 2004 early 2005, even though all of us are in this room I'm sure have been working on these issues and ready for this transformation in health care for a number of years. Perhaps more than a decade. The truth is that most consumers out there at the members of a health plan or employes of an employer are just being introduced to this. So the idea of you have data on May, and you are giving me control over that data to use as I see fit, whether it's driving services or sharing with care providers, I think is something that can be and lightning, it is now. But it's also something that I think patients except pretty readily. And like you, we've been pleased with so far, is the fact that they do see value in it. They don't see it as a threat to their own privacy. A rather as an able lawyer of their privacy. That's where I'd say and I also say that we continue to work with consumers directly to really understand what their sensitivities are. And try to be mindful of it. And as we continue to increase the percentage of participants with an all the organizations that we serve, we are trying to be mindful of that. But I think it's such a new realm and so far people seem to be happy with the idea of it.

    Very quickly, I think clearly it moves the transformation is about to be happening in Canada related having detailed molecular characterization that are going to be driving treatment. I think we're going to be critically and port in medicine but I'm not sure radically in the context of fingerprints that can deal with issues associated with privacy and security are fundamentally different than some of the other issues you are going to be dealing with. I think you all have heard testimony from others and almost everyone is familiar with the ability to identify people from relatively small numbers of people, pieces of key clinical information while it may be a single piece of information in a genetic profile that would be sufficient for that, and will have to be careful as to how we facilitate people's access to this. This is one of the places I come back to that we need to punish, not prohibit. We need to regulate what are acceptable uses of this information and when people violate the acceptable uses of this information, just the same as if somebody steals by credit card, and punish them for misusing that information in all sorts of ways. I would argue if somebody steals and Mrs. Use of my genic profile and are my intervention profile, we should have the capacity to punish them.



    [Indiscernible] this question is for fill in the org area of PHR. You heard from Jodie that one of the things that both the ONC is preparing and may get some input from this committee is on the PHRs from non cover entities which your representative of. I heard you say that your main purpose for your PHRs is certain individuals and you said you are HIPAA compliant. Would there be any objection, a recommendation that PHRs by not covered entities of the same basically have the same mold and provisions of HIPAA do certainly wouldn't have all the other kinds of provisions of HIPAA be acceptable to a PHR from and not covered entity, do think?

    Since we serve as a business associate of the cover entities today, on behalf of, I'm going to venture to guess 50 organizations or so. Then I believe that we say yes because we've signed that document. That says we are. Now I know there are differing points of view as you all have heard different points of view from those who represent PHR systems that are consumer controlled. But certainly, we feel very comfortable with then the requirements of the HIPAA privacy and security rules.

    Then when you have these contracts, what are the people who contract with you expecting in return from you? With its a health plan or employer, what are they getting in return from your?

    Sure. Has a service provider to their beneficiaries they feel that a more engaged consumer has greater transparency around their health affirmation and services that are driven from that actionable did it choosing their benefit plan, looking at the hospitals in their area and which one might be best to serve their needs go looking at their treatment options or medication cost alternatives. Centering of that around their own profile. They wish the end user to be a more engaged in active consumer with their health care. They see that as having really a variety of different benefits as you might imagine.

    So there's no data aggregate or otherwise given back to any of your sponsors?

    Actually, is in written testimony, we do have aggregate data reporting that they have access to. This is the identified reporting with additional salt size drill down protections to prevent ability to enter identity. And so those are mostly in the areas of usage of the services and in a person's health risk assessment profile. But again, at the aggregate level looking population wide, to the extent that the consumer chooses to share data with the additional service providers such as disease management services, they can do so and that is a common part of the a rate of services that might be delivered.

    One comment on reef spawn a to tens couple. [Indiscernible] aggregate data is not necessarily the identified and can be we identify. How did you get over that when you're ensuring that. And we do know that employers and health plans are two of the entities that consumers have some concern over. With respect to what Ken said, how would you respond to that one?

    In fact, I feel after having watched this play out for the last ten years, that we have helped these organizations Act should provide a service where they are using the trust we have with the end user to help them fill assured they are not using that data inappropriately through us. We have no control out a cover entity might use that data otherwise as they are legally of the race to do. When it comes to our service, and addition to the identify the data that goes into the data warehouse, we also do limit on the reported side of things to look down to a 50 minimum cell size so that inference of identity is limited. That's an additional measure we take.

    [Captioners transitioning] We take claims, inform the person's health history, to the extent possible, and screening services from the clinical laboratories.

    When patients get access do they have the right to modify it?


    I believe that will -- it's a line of questioning. That was a line of questioning, absolutely.

    So, it is our belief that a consumer should not be able to alter, professionally sourced data, to be able to A denned that data, add notes or augment that information as they might see fit. But they do control, overall how that data might be seen or shared through our system.

    Now I understand -- do you have -- can you imagine circumstances and how would you balance the patient's right to "control" the data and modify it with a professional's standards, and needs? So, Ken spoke of the importance of structured data. If we're going to use distributed data sources to do clinical effective, plus marketing surveillance, disease, all kinds of public uses, we need to know the data is comparable, yet patients do have an undeniable right to access their data and increasingly it's accepted they have the right to modify it.

    Do you have a solution to that? Or an operating -- obviously you don't allow them to do it at this point, but could you imagine a situation where you could?

    As you might imagine over the last 10 years, this question has arisen a lot, as the idea of a consumer-driven concept is -- The truth is I have really yet to see much of a conflict arise in reality, in that the consumer in gathering, managing, sharing their data, is the one most incented to make sure their data is complete and accurate, and the truth is that most of the health record that's sit within the providers' offices are provided verbally by the patient, and the patient health record helps it be a more complete representation of the record. And rarely do consumers choose withhold information, at least in my experience. So in that way I really haven't seen much of a conflict.

    I will add one caveat. When patients do withhold information for purposes of privacy, and we delegate any information as private or sensitive to them, we ask they make available to care providers, have a notification that it does not does not represent all the information that may have arisen.

    Just couple thoughts from some of our work, that as we think about the PHR, keeping that conception that it's a copy of the data under management, initiation, the [indiscernible] except the initiation by the consumer, they get a copy of their data to manage in the tool of their choosing. Second, we have seen recent news reports showing how evidently, the quality ain't great in the country, and there's a lot of data that could benefit from transparency. Frankly, my correction using a consumer's knowledge, and think about the most operationally workable mechanism to let there be a dialogue between the patient and provider, so the patients have a opportunity to correct and improve the quality. I think that we need to see it in this way of saying there's a huge amount of information we are not capturing that could help improve data quality and a lot of it comes from the consumer.

    A very quick comment on that. In the regulated framework we have to deal with this type of issue, not typically, FDA submissions, other components, and one way its dealt with is auditing and [indiscernible] who made what changes, and then those can be reviewed by whatever appropriate authority and the credentials of that group can be evaluated as to how reliable or definitive it is. In the audit log, who made what changes allows you to theoretically be able to explore those challenges.


    Running short.

    I know Doing one, it will be a real one this time. Without -- not trying to put you on the hot seat, but we have to direct a lot of questions. You mentioned supporting -- in this committee we adopted a set of recommendations that recommended the certification be very narrowly focused on the functionalities needed to meet meaningful use in an EHR context. Even with respect to sharing data and meaningful use payments are going to physicians, we have to demonstrate they have a system certified to meet criteria. It's a narrower process than with respect to what the certification commission used as criteria. I know the PCH is pursuing certification for PSRs, but now that we more narrowly construed what we want from policy standpoint to be focused on, I guess I am curious what the role of certification in an official way would be if PSRs -- maybe a good housekeeping seal of approval, comment on that if you could.

    As a member of personal health record working group I fully agree with the limited scope of certification in ensuring a personal health record, with regard to privacy, policy, security practices, interoperability capabilities are able to support the meaningful use criteria. So I fully agree with any certification, actually focusing on that. That's certainly what I am going to be, as one member of that work group, will be pushing for. In our experience of responding to a multitude of request for proposals of health record bank initiatives, health plans who wish to have PHRs for their members, employers; that there is a desire to make sure somebody has put these systems through some rigorous testing, and they adhere to principles in practices, and to a variety of stakeholders. But I agree to a point, certification in 2010, hopefully my first year of certification -- will be focused on supporting the meaningful use, patient engagement criteria and privacy and security.


    I think both Ken, Claudia, you talked about architecture, the ability to utilize architecture as a means of increasing -- as a committee we have not said a lot about architecture. As we get further into the HIE world, states implementing programs will have to think about that. From the [indiscernible] work and CA grid, there's a lot of experience in recommending elements of architecture that are privacy enhancing and protective. I wonder how you might give us your guidance, your opinion, back to Tony's question, the quality reporting is one set of applications. Effectiveness research and federating of existing systems for a variety of reasons, like the HML research, next generation of usefulness of the health information network. We may think about having opinions about architecture fairly soon to achieve the goals we are talking about today, to propagate, tied to meaningful use in some way. Can you give your reflections on how as a policy matter we should think about architecture?

    You know, when I was writing the comments I kept on trying to skip the first part where we talked about the policy framework, and skip right to the architecture. It just doesn't work. So I think one is to really, first, establish or posit, lay in front of you what are the policy goals we are trying to accomplish and the privacy principles we are trying to put in place that would be cross-cutting across the efforts. Second, there is so much ongoing work in the area. I know there's new efforts that have been trying to reach funding across large delivery systems, using a similar architecture. There's Lot we don't know about how it use, the limits. Three things, the committee could be hugely helpful in saying here are the privacy principle and guidelines you need to think about you draw up architecture. Second, to really cultivate, use federal dollars to cultivate other models that ultimately will allow us to have a -- incredible learning opportunity, and not assume there's only one architecture that has to be centralized to accomplish that. There's a lot more to do in that domain.

    Third, there's lots of HIE efforts today using what we federated method, a lot of questions that need to be answered and I know states are busy at work trying to figure out what their models would will be. You could play a huge role. There's a meeting this Friday to -- say here's five examples of where it's working, architecture picked. Here's what they learned, let's put you together and see what -- this is working today, model ins effect, years of experience, that could help other states. The states now just setting up HIEs probably have less expertise. They didn't do it five years ago and they could really use some help, frankly.

    I am in complete agreement, I want to augment with two things. I believe policy needs to drive architecture. We need a crisp articulation that policy supports architecture that supports quality CER and important learning healthcare system uses of the information so the architecture has to account for these and have appropriate attributes necessary to support these, have the necessary attributes to support the flow of information into the resources that perform quality CER, other things, as well as the transactions necessary. It will be essential to have that be specify intoed.

    Thank you very much, that completes the time allocated to this panel. Thank you very much.

    Thank you.

    Thanks, Paul, and the panel. The next panel is going to be on Transparency, Audit, Accountability. Our privacy task force cuts across the HIT standards and [indiscernible] Steve Finley is a representative and will moderate for us.

    This panel is our next to last one. I think we have one more panel and one person on that panel. This panel deals with Transparency, Audit, Accountability, includes bob Gellman and Robin Omata. Which one of you wants to go first?

    Bob? Bob is an privacy and information policy consultant, he has years of experience, many of you know him well, working for a variety of folks, but he's now a consultant, an independent.

    Bob Gellman: Thank you for the invitation. I have a statement which covers the topics I was assigned and a few others. I have views of lots of issues in this space and I would be happy to answer any of them, but I will stick to what I was asked to talk about. I will begin with accounting. For any fully computerized system of health information it's essential there be accounting for all disclosures and all uses. Uses are internal to the facility. We've already had testimony from John Houston, that capability exists, the celebrity snooping cases show the records internal to the hospital -- this needs to be done consistently, thoroughly, important measure of accountability, protection to track down what happens with medical identity theft, a very serious problem, and for which any kind of fully commute computerized system will be --

    Patients should have online accounting for their records, I don't mean that as an abstract thing. Accounting records available, I should be able to go home from the hospital and see who saw my records while I was there. I didn't include the recommendation there should be an affirmative disclosure of accounting that I should get an e-mail whether someone looks at my record, but Gail talked about that, so I see I was too conservative in my recommendations. I think that should be available to patients who want it. There are all kinds of ways of doing it so I am not admitted to the hospital and founds to have 4000 e-mails showing all the people who saw my record.

    If records exist that patients have a right of access to them. According to HIPAA there is a limit to how long recording be maintained. If the records exist, the patient should have a right to see them, that includes accounting records not required by HIPAA. If the hospital has internal accounting records, whether or not required by law or not, patients should have a right to see them.

    Fourth point. I recognize there are costs involved in doing some of these things and I think any new requirements for accounting should be prospective only, should only apply to computerized records, not paper records. No one should be required to account for -- simply too cumbersome and expensive. If everyone is told few computer systems have to have this capability, all the capability will be added and can be operated with very little expense.

    One omission from HIPAA is that there is no requirement for accounting for consensual disclosures. If I authorize a disclosure as a patient, there is no -- a terrible omission. As records become computerized, hospitals will be asked for consent, anyone can turn them over to junk mail America to exploit for commercial value. This is exactly what will happen, patients will have no idea the 27th paper they signed authorized somebody to get copies of their electronic health records. Unless there's a record kept of those disclosures the patient will have no way to find out they authorized it and go back to that entity and say stop doing it. It's a very major omission.

    The error provision calls something I call pass the accounting buck. Doesn't have to track disclosures by business associates, instead the covered entity can give a patient a list of business associates and the patient can go pursue all of the business associates to find out what they did with their information. This is a disgusting provision; it's almost impossible for anyone to use it. There will be no accountability in the system, a patient could is spend years going to find out if they have records, disclosed them. It's completely impractical. A major hospital could have hundreds of business associates. If I start contacting them all, they will say who are you? Authenticate yourself, before I will tell you I have records. It's impossible. The legislation, this is a provision that did not belong in legislation. There are issues here, but it was handled badly and I think there are ways of dealing with this.

    Finally, and my last point on accounting, something John Houston talked about, accounting records for oversight, I won't go beyond what he said, but it should be done.

    The current HIPAA rule on transparency, what to do with notices of privacy practices asked healthcare providers to make a good faith effort to obtain a signed acknowledgesment the patient received the privacy notice. This is the worst of all possible worlds. It is a paperwork requirement that no one understands, meaningless, patient sign these all the time, they don't want them, it's meaningless paperwork requirement and ought to be eliminated. What should be done in this area, I don't think you can measure success by whether a patient gets a notice, read them or even understand them. It would be very nice if notices were understandable, if I have a recommendation it is don't let lawyers write notices. They write incomprehensible verbiage. No one can understand them. I think lawyers are rewarded for writing notices no one can understand. I am a lawyer, I get notices from banks I cannot understand though I dill jeptly read them and try to figure out what they are telling me.


    Patients, having written notices they can ask for, on websites, when most patients don't care about their privacy rights most of the time. I don't think we should force it on them. When they want to see records, have a concern, they will seek out a notice and pursue their rights. That's enough for me. I don't think we need to impose additional cost, paperwork requirements, that don't help. That's it and I will be happy to answer questions.

    Thank you, Bob, that's terrific.

    Robin Omata is a lawyer and PhD, a national practice leader in the ethics and integrity office at Kaiser Permanente, served as chief privacy officer for [indiscernible] health group.

    Thank you for the opportunity to present today, an important and difficult presentation, the privacy and security in the coming world. I am director of the Kaiser Permanente, including the Kaiser foundation health plan, medical groups, independent physician practices that can track with the health plan to meet the health plans of our membership, about 8.7 million members in nine states and the district of Columbia.

    I would like to make a few main points today, as time allows. The first is that healthcare dollars must be directed to value added invest wants that provide measurable value to patients. The covered entities are largely accomplished through the security and compliance requirements. With respect to the American Recovery and Reinvestment Act of 2009, we respectfully suggest the disclosure and accounting requirement as written does not add value to the -- as currently written. And we recommend the meaningful use measures, the HIPAA and security violation as basis for measuring security and privacy protection be revised or eliminated.

    I would like to list a few statistics on our organization to give you an overview of the scope and scale of our work that informed these comments. Kaiser Permanente owns, operates 35 hospitals in 431 buildings, we contract outside for area where we do not have hospitals. Referral needs for other ambulatory and hospital based care. We recorded over 36 million provider visits, half a million surgeries, and about 130 million prescriptions filled. Quite a bit of throughput per member, and it's significant encounters with the medical system. In the same year, about 300 members used My Healthcare Manager, an online system, to Health Connect, our health record. It allows patients to securely access their healthcare records from home, e-mail their physician, make and change appointment and view records. More than 1.6 million lab tests are viewed online, 1.4 million requests for appoint wants made.

    This is intended to give you a sense we are already connected, take very seriously not only the capabilities and functionality of the system, but the security and privacy that must be -- and we remain committed to the improvement of our systems, and the ancillaries, pharmacy, prescription systems which are not part of a single record but contribute to a unified view of the patient's record. That's all to say that there's a lot being bandied about at the EHR as a single entity, but it's many systems combining. Others have talked about legacy, home-grown systems, it's a lot of things to manage, and we are moving forward on that.

    Nevertheless, I think our care is really the focal point on improve the utility of the EHR to support healthcare deliveries measurable to the community. The overall consideration in adding features, requirements, clinical or regulatory, the ultimate benefit is to the core objective of delivering high-quality care at an affordable cost.

    I would like to right now move to the disclosure accounting requirements which we think, without further clarification as written in the law, represents a significant troubling and burdensome compliance requirement with excessive costs on covered -- without clinicians or regulators. We respectfully request the community do the following in promulgating regulations, what constitutes reportable disclosure, provide a definition of what it means to use, maintain, collect health information, through an EHR. Thirdly, to provide a definition of what constitutes an E had HR, more detailed than the current definition. To exempt disclosure under the HIPAA privacy rule between entities in an organized healthcare arrangement. We can talk about that more.

    Finally, we hope the committee could consider conducting a survey of covered entities, the costs of accounting disclosures, prior to enactment and understand the effect of the new requirement when -- covering entities. It's not a requirement, but to make it meaningful, balance the cost and the benefits.

    Now, looking at Kaiser's experience, could be as low as two to three% of admission, visits, in the regions that have a compact and comprehensive network itself. In those cases we have fewer visits going out of our system, to as many as a 100% of admissions in the healthcare -- to give you an idea of the scale of effort and activities to -- not currently tracked in the manner required under the legislation.

    In addition, depending on the interpretation, routine data exchanges for -- between covered entities in organized healthcare arrangement could be considered disclosures and would then be required for accounting as well. We would consider that burdensome and not adding value either to the patient or to our current treatment obligations.

    Based on our experience also during the calendar years from 2003 to 2008 and using the more narrow definition of disclosures prior to high tech, we believe the consumer demand for this is extremely small. We recorded fewer than 250 requests cumulative for accounting disclosures during that six-year period, for each it would amounts to one out of 300,000 patients.

    Based on our experience we believe the number of individuals who may request the accounting disclosure going forward will be very small, disproportion eats to the work effort required. We believe that significant diversion of limited capital and human resources at this critical time and stage of EHR adoption and enhancement would be unfortunate and it's possible that this miswould be enough to curtail adoption through the limitation of funds, staff resources to accomplish the work or rework to satisfy these obligations. At the very least it would represent a material -- a layer of capital costs for smaller, also larger organization who are moving more slowly towards adoption.

    For Kaiser, since we've already adopted, we're enhancing our systems, it would mean simply another cost that enters into the accounting and disclosure process, but it is a significant cost. I would like to talk a little about the incidence of the cost, the accounting process and other barriers. Given the size of the effort that is implied, we don't think it's fair to impose the entire cost of a single covered entity to finance this rework and suggest the cost be spread out more evenly across a wider range of participants. At the very least, any vendor offering a qualified EHR would have to offer products offering the required functionality, storage reports, in other words to maintain product certification. This is more easily said than done. For practice who have not yet adopted -- for those adopted, longer window, until 20 14, it still means some of that work might be spread across the vendor organization, still require a lot of retooling for the legacy and home grown systems.

    We would like to make the point this is a nontrivial cost competing with other necessary upgrades, enhancements to clinical decision-making at the point of care, and we also would like to take into consideration again what it would mean to exchange healthcare information between covered entities within organized healthcare arrangements who are essentially a group of covered entities working together to provide treatment under contract.

    Finally I would like to make points about the meaningful use provision as articulated by the HIT standards committee. We would respectfully suggest further refinements be made to the provision regarding privacy and security. Specifically the measure using confirmed HIPAA violations as a basis for measuring security and privacy be eliminated. We believe this -- that exist today or in twents 2011.

    The work of the HIT standards committee and policy committee coordinate effort to consider the applicable security standards both within the EHR itself and with regard to the exchanges or interoperability. We believe that the focus should remain on the objective security measures, attributes of the EHR, and supporting technology and not on the administrative or management system that implement this privacy and security compliance regimen for the covered entities. That concludes my remarks and thank you very much for your attention.

    Thank you very much, Robin. So, questions?

    Paul? First?

    Then Gail.

    Thank you to the panel. I think the richness of the differences gives us an ability to probe further. I would like to reflect each other's comments to give you a chance to respond to each other. For Bob, you heard both Robin and John Houston, and Neal, say there are a lot of information that would be in the audit trails, most of which wouldn't be intelligible to most people, including a lot of providers. For Rob, you heard Bob raised -- the incidents that Kaiser had to respond to from the California law, which would not have been possible if there weren't accounting, because those were inside uses. Maybe you could reflect on each other's comments in that way.

    I will make a couple of comments. With respect to the numbers of requests Kaiser has gotten for accounting. If Kaiser would like more requests I am sure I can arrange it, putting out a suggestion that people exercise their accounting rights. There's a reason they don't. A lot of people don't know about it, and the accounting records required by HIPAA today are useless. You don't have to account for uses, treatment payment and healthcare operations. For most people there's not much in the records worth asking for. On the other hand, if you go back and look at what happens with people getting access to their own records, requests were relatively unusual, everybody didn't ask for records. As soon as records became electronic, there's an explosion, and the same thing will happen with accounting, if made available.

    In terms of cost, cost is an issue, don't dismiss it blindly, but I want to know what the marginal costs are if I give you enough time to implement a requirement, and I am willing to wait a fair amount of time before you have to comply, possibly five or ten years and I want to know the costs as a percentage of cost, of computerization.

    The disclosures, I solved that by saying all uses be accounted for, what is and isn't a disclosure is no longer a concern. Not sure you like that answer, but --

    Robin: With all due respect to your framework, what is lack suggest is a fact-based decision-making process. You are asserting a number of issues or levels of consumer demand that I haven't seen really documented. In national surveys, regional, whether based on access to healthcare records, disclosures, or uses. The usual caveat, more research is needed applies here.

    We don't really trivialize or dis miss the need for being thing. The information is digitized, will move more extensively, yes, there needs to be a system in place. The window of time and the manner that is imposed is at issue. But I think equally there's a question of the cost benefit equation when many other invest wants are required equally. We do have other competing requests which are documented, mostly within our medical system, to improve and upgrade reporting systems. We don't at all dismiss the need for providing patient's records, pathways, how the information travels. At the same time, we don't want to overburden the system with something of interest, from our account, .0004% of our membership.

    We share your results exactly. 130,000 patients a day around the world and we probably get one, if that many, audit requests a month. A problem for audits, the amount of data we save is terra bytes of data.

    Also, to step back a little, say what are the remedies for patients? Strict stricter enforcement of existing HIPAA would go a long way. I am not asking for [indiscernible], to the extent patients do not feel well-served by the existing framework, may be attention to the lack of serious claims -- the providing for civil, criminal penalties, significant, and more skin in the game, patients may benefit or receive penalties or civil damages when a claim is resolved. That needs to be defined by the regulations. I think accountability is important, transparency is important. We don't dispute that. Series attention to the cost. Obviously, the committee has a very, very serious and almost imponderable level of issues to resolve. One of them has to do with prioritization of the issues, technically as well as policy, in order to assign values, whether costs or priority of attention. I don't think nationally we cannot look at how things are going to impact the system of care and where those costs ultimately go. So they go to Kaiser Permanente, end up in the patient's cost, the premium, copay, so by layering on added compliance burdens that may not result in improve wants in direct care is not really a great service.

    I just want to make one comment. I think different points of view have been well put out on the table. Congress said do more accounting when they passed IRA, and the health privacy act, I kept asking agencies, is this a problem? Nobody said it was. Whether records are used by the patient is not always the test. There are healthcare entities doing the requirements because they need it own protection, liability, controls. There are lots of reasons to do accounting --

    Another question? Gail?

    Thank you very much. I think we are getting to the heart of the issue right now. And I think I can tell you as a former elected official, that this is a critical issue right now. It's cost versus privacy, accountability, the patient'sability to track what happens to their record. The public may not be requesting their records right now, but as we move into, as the country move into's the level of EHRs we all hope are out there, this is going to become extremely important. People want to know that the system is accountable. They don't trust government, they don't trust having their very, very private sensitive information in their health record getting out and being public. This is such a issue for most people. Yes, it may be expensive, but we have to make sure we put the privacy, make that the -- the privacy and security, the foundation of anything we do.

    We talked about accountability, without having audit trails, document documentation, you have no accountability. If you want to know what happens at the end of the day, who is responsibility, you need enforcement, but you need documentation to have enforcement. I think if you are going to say you want to exempt disclosures, one of your recommendations, as defined in the HIPAA privacy rule between parts of the singel organized unit. If you don't have documentation of the trail, if somebody turns around and says who is responsible for releasing my private information, how will you find out how it happened without the documentation? People want to know there is accountability in the system. They are very reluctant to go down the road to start with. If you do away without this basic requirement, I don't believe people will allow their records to be shared anywhere. Gla well, thank you. I think we have to distinguish between the audit trail and the disclosure accounting. Audit trails exist for all electronic transactions. The ability to then aggregate that up to another level of reporting to an individual to make it Intel eligible -- intelligible, for the organization about 80 million transactions, referring to encounters, lab results, back and forth, treatment, back and forth, payment, radiology. For those transactions there are audit trails. It's bundling, connecting them to a report that then is Ms. X, tells all the electronic points at which the information went back and forth from our organization, would be what we would be now producing.

    So, I am not sure that really reassures you, but I have to say that already we have audit trails for all transactions. Whether that in itself satisfies the disclosure accounting requirements may not be sufficient for what Bob is talking about. I think it is questionable what that meaning would be for the vast majority of patients. We can understand that patients that have a very sensitive condition, that our electronic health record already segments many part of the records for psychiatric care, mental health, subs stance abuse treatment, others that might be augmented by state or federal law. To that extent one must feel somewhat reassured that the information is really hard to get at, unless there is a medical need to know that information or for which that information must be put in transit in order settle financially the treatment relationship.

    That's where I would call for more review and study, to say of the 100% of the 80 million transactions, which might be the most sensitive? What are the characteristics of patients who do or would ask for this information? Is it really a very specific sub-set for which we could have more knowledge in order to usefully collect and store disclosure accounting on. Per Bob's observation, perhaps there are uses for some patients that are very, very sensitive, that they want to have. For the vast majority of folks, I am not sure it's really meaningful and it's a huge encumbrance on the overall capacity of the system.



    What you were saying, Rob, the costs are quite high. The need within our system has negligible. This is probably a general question, it almost seems like we are treating all disclosures as inprompt. inappropriate. As a technical person, for me it's easier to say, these are inappropriate, log those. But when you say "all" it puts a huge administrative -- and the [indiscernible] needed by members and patient ins our area.

    Other questions?

    Anything in our group done qualitative research with consumers, the types of consumers, disclosures, transactions most likely in the future state, to Gail's point, for the public to want to receive disclosure summaries of, and is it possible to imagine reverse engineering from a better understanding of consumer requirements to a sets that would support those. If the audit functionality becomes more uniform across vendors, one could imagine a set of extraction and supporting programs, fairly dynamic, as long as every provider is capturing the underline [indiscernible] in a systemic way.

    It's possible, but that's also -- would require a high degree of granularity to get at, for example, HIV tests, blood tests for other things. You would have to drill down further into the information, and the purpose it was collected and sent.

    Sounds like from what Robin said the accounting records exist, it's a matter of translating into more useful form for patients. It's easier to account for everything rather than for some, not others, some criteria will not work as neatly as you would like and there will be questions about whether we have to do this or that, or wrong.

    Very interesting. Only to be surprised by [indiscernible] and Dr. Phil

    We were speaking this morning about -- hoping it was the one I was referring to related to a white paper, the committee needs to be somewhat more informed as to the intent of the specifics around disclosure. I do it's not as simple as you might think. I believe the majority of providers today don't understand and will have to rearchitect systems to comply with -- that be the case, so be it, but there's a cost and a timing aspect.

    One of the things, and there is a cost of value at issue. We would want to know more direction on this issue. To be informed. It may cause us to go back to work groups to focus primarily on meaningful use, maybe have to look at our certification rules to our providers solutions they might have to provide additional capability and are out years. This has lots of implications to society, also to the work we have already done here this morning.

    I don't know what availability of software is in this area. It's clear there will be a lot of changes over the next decade. If you give people enough time to do this it will not be that big a deal. I look around the Internet, see Internet companies tracking every specific activity of individuals, you click on anything, the cost of storage today for computerized information is as close to zero as it can get. Companies maintain information in the hopes of extracting a minimal amount of value, later on, because it's easy and cheap to do. I don't see why it's different to do in this area.

    One follow on for Dr. Blumenthal's -- not to debate, the reason I asked for clarification is because the intent of ARRA came with intent for formula of reimbursement for imp implementation of these programs. This goes to the definition of extent, this kind of cost was considered within the amount formulas we talked about. Certainly the technology exists, but this debate about cost/value is the critical one. The technology exists. I was seeking to get informed on the intent of the law, the legislation we are dealing with today. That will tell us the extent we will go to. The question will be in this day of reducing costs, which I believe goes to what Kaiser is doing within an integrated delivery system, the way they are able to deliver cost-effective care, they go at every issue like this, and have a very cost-efficient healthcare system. I want to balance this with reimbursement and direction to our suppliers, that's the comment.


    [indiscernible], well, the expense to go through the audit trails there, that really won't make sense to the patient, too many, and not tied together in the way the patient could interpret, I think there's several kinds of -- one is to do that. The second is the money. Third is the storage, and fourth I want to mention, the development. We get huge numbers of requests for development that will improve direct care to patients. The U.S. is almost 100,000 programmers short every year because we don't produce enough programmers. It's a question of where you put priorities. Direct patient care or this? I wanted to comment and get your opinion, sometimes we look for technical solutions when that's not it. Is the solution to this, if it happens once a month, given all the visits, to have a person trained in how to do audit trails so when the patient shows up with those questions, the person can sit down with the patient and walk through, interpret for the patient, rather than trying to do it with computer technology.

    That is not an option we would choose, both because of the enormity of what is suggested by the requirement, and why we are requesting further definition to possibly re-scope our requirement, our obligation.

    It is possible in the smaller system, I think, to do just what you are saying, but you are organization is rather large and we probably would not be able to justify that person's slot, given the few numbers of requests that would occur each month.

    I didn't think it was a 100% job.

    Right. But not to be facetious, what is asked for is to do 100% accounting, and store for everyone. We are not asked to only do that for people who ask for it.

    If I could respond to the point about the records, what makes sense. All of these records will be colonel compewterrized and I knowledge compute orized and I think it will not be that difficult to -- run them through -- when a request is received. To make the point I made before; Congress already said "do more accounting." whatever is being done today is not enough. They want accounting records for treatment, payments, operations for online health records. More accounting. I suggest going beyond that. How you pay for if, all that, clearly reasonable questions. But there's demand for more accountability in this system.


    I have only one question, and since I work for David I will stick to the one -- my question is -- for Robin Omata. It seems we are talking about audit trails versus accounting. From what I have heard from you and prior testimony, audit trails are routinely done in other words for the entity's own security activities. The question is, it seems the audit trails, there's a lot of data and accounting turns that data into information that's digestible. What I am hearing, I think, turning that into information, my question is, where is that greatest expense? Particular parts of the accounting that increase expense, make it difficult to do this because of work flow that involves the information captured, tranlz lags, not sure. What is the -- where is the biggest pain point in turning that data into information?

    We would first have to create a major project, which would scope the entire effort. I think in actual human resources it would be in the reprogramming, or the programming anew to identify and trace and then bunds bundle all of the sources of information going out, then to a new English language, plain language explanation as to what that meant. Here again, I would suggest that the granularity of the information that's even available in the auditable trails may not give a lot of satisfaction to the individual. That is another conundrum. We are not asking for clarification for the sake of it. We are asking for clarification to make sense of what will be useful to the patient. Going back to your question of where is the biggest expense, probably two-thirds in the actual development of the code, but the research on front end and back end, and the research to have an intelligible report would be the remaining one-third of the work. I think this is a really untested area, and stepping back as a consumer, yes, I would like to know where my information goes, I probably know where it doesn't go, the place when it doesn't show up. Doesn't happen often in Kaiser, but outside of our system that might be a concern. It's probably not good enough to ask on an exception basis to ask for things that don't get to a certain place, but what Bob said before, you probably don't want to work on an exception basis, because to find those you have to track everything in the first place.

    I raise the fundamental question of what is the real value of this. As you define the other parameters of the information highway, the parameters of security for the EHR, one has to say fundamentally, what are the accounting trails that consumers must have, and out of that where does this particular requirement fall? It's more than a deep dive into the healthcare records of the hospital, the physician, it's the continuum of where the information is going, the refined information that makes sense to the patient. To define first what goes on inside the covered entity, accounting, per HIPAA, height might not be the first place to start. That's why we are asking for more definition in line with the other issues you are thinking about, focusing, defining the continuum of informs information flow.

    We have to wrap up.

    Quick answers because we are out of time.

    I see the point in your statement about the focus on standards for security, privacy, not using the meaningful use criteria we proposed, adherence to HIPAA, having some unresolved conflict with regard to HIPAA, what would you say that we should do if it someone has an unresolved conflict with HIPAA and how might that be incorporated in your suggestion, just focus on what the standards of meaningful use --

    The authority of OCR and other bodies, should step up the activities and make it more swift. The current reg I men isn't timely and isn't -- that needs a look at, as well as more attention to the overlay or overlap of this committee's responsibility and OCR's future responsibility.

    One last, very quick.

    So this is really more of a comment than a question. As partners, for at least 10 years, a provider like Bob described, let's the consumer tell who looked at the record, what things they looked at, that has been very satisfying to patients. I am not technical enough to know what was involved in the programming around doing that, but it's worked very nicely.

    Thank you.

    Thank you very much, Bob, and Robin, very good testimony, I appreciate it.


    Our last speaker, witness, testifier, is a member of the committee, la Tanya Sweeney, who will talk about solutions to privacy and security problems.

    Thank you very much for hearing me and giving the address you. We put together and thought about what the panelists would say, there was this kind of gloom, at least on my end of the phone about, my God, what will happen at then education of the day, what will give hope as opposed to so much problems, you try to drill down in the debate, like Robin and Bob just had, the decisions affect lots of other things. How do I unravel and give content. That's what I thought I would address. My short answer is. Through technology design.

    I will say a little about why I say that.

    Most of you know me, but a quick explanation of what I have done. I spent a lot of time exposing fallacies in privacy mechanisms, what doesn't work. In the back of my statement I gave a list of those just related to HIPAA, but they go across other domains. If I get really good at learning how you can take innocent looking data and learn really sensitive information from it, the next question is how do you actually control what can be learned.

    The flip side of what I do is how do you prove privacy can be protected. For every experiment that gets a lot of press, there's a lot of work on the other side of the coin to make guarantees about privacy protection. What is it I can say to you from that experience? The issue of stakeholder concerns, isn't just privacy. Gail a couple of meetings ago brought up the liability of providers. Other stakeholders, affordability, all the things can be show-stoppers, actually need to be considered during technology design. That's where the sweet spot is on solutions. If we don't do it, what the normally happens now, not healthcare, us as computer scientists. We build a technology, it's not quite a proper fit for society. Society is left with the take it or leave it or try to mend it. You get the benefits or you lose the benefits if you want privacy. Always been this tug of war. That's really unnecessary, it's an unnecessary situation we find ourselves in. If the technology is actually developed with privacy concerns in it, putting the privacy concerns in are often trivial on the front end and painful on the back end. The ones on the back end aren't very nice options, usually policy, operating with a big camera and a crude pen. Horrible solutions, not elegant, don't give fine-grained control, all of which would be possible from within the technology.

    That's why I say we should focus on technology design. One thing that bothers me, I am worried about, how you take what we currently see out there, the standards, approaches, best practice I guesses and actually build on it. There's problems there, because if we just take what's there, say I approve of that, think we should accept the architectures out there that show a sign. In some sense, they are not made to fit together in a natural infrastructure. A lot of solutions that can go away won't, and will create stakeholder problems.

    I give examples, some out of privacy, saying we will use encryption to link records of a patient, so we can know which record belongs to which other patient when it's deidentified.

    It turns out encryption has vulnerabilities used that way. There's a shared key. The fact it's used by one group, part of data is a good thing. You don't want that model on a national level across all the data, especially in light of other criment script owe graphic solutions.

    A great example, the simplest problem of all, these autonomous collections of records, I justment to know where Alice's records are. How do you answer that question? In some random city, her doctor wants to know where her records are. The fact that we can't address that, that's not good. Because if you address it -- think about all the issues that came up today. I told you, you know how we will? One big control authority who will capture all the data, whatever you want to know, where Alice is, contact the authority and that authorities will give you Alice's information. That changes every discussion we had today. It tells you where the burden it. Shifts now to the central authority.

    If I alternatively told you the opposite. Every provide that wants to, on their little PC -- then isn't there a authority to identify, maybe a master patient index? That changes all the discussions today, still leaves us with a serious privacy problem. What does it mean for an authority to have a master authority index. That's what got us to the HIPAA rule.

    Technology design radically changes all the discussions today. If you put on table five different designs, ask all of the speakers to come back, now they can tell you why they like that part of that design and hate that part of that design. That's a really great discussion to have. That's the discussion I want us to have, if I had my wish list.

    I said okay, how do we get there? The problem is those five designs don't exist. They are not there. I know CMS has an RFI out, as an industry, help, how would you go about building one of these for Medicare. They will get lots of answers, but won't get us there, industry will leverage what they have, existing practices, and not necessarily know about other technologies from other areas. It's a good step, but I don't think will get us there. The question is how can we deliver that. So after me ranting and raving for months about this, mostly to Judy, a group of us academics decided we can help here, actually make a difference, in the sense that if we brought industry and stakeholders together -- the goal isn't to solve the problem, that's the ONC and -- not solve policy, that's Judy -- our goal is to make sure the technology and decisions made are really well-informed. That is, can you put together pieces of not just one answer, but five answers with interoperable pieces so one could actually have a discussion on which you can see the policy implications.

    So we did commit ourselves sufficient that we actually have a name. The advanced HIT project, will be launched on Monday, advanced We bounced it past a few people, some at this table. Everyone was very enthusiastic, including industry partners, understanding the outcomes are just white papers, publicly available. We want the public involved in the conversations. [indiscernible] at Harvard, MIT, we seek out the best people and [indiscernible] to help us, form the analysis.

    My goal was to try to leave you with hope. And if I couldn't leave you with hope, some idea of maybe we should look at architectural designs --

    Thank you for your statement, and your commitment to working on this problem. And one clarifying question. The problem you are working on, trying to design an improvement for is the privacy and security part, creek correct?

    No, my lessons from privacy are very much rooted at the best solutions, in their original technology. So if surveillance has a problem, the best answer is not a privacy add-on, you just change the way you do surveillance, so it has privacy protection.

    If Twitter is doing something that, having privacy problems, Twitter has to be changed employ it's not an add on. The idea is all of these discussions change depending on what ciemed kind of notion you have for the infrastructure. There are a lot of functions in the vision for the infrastructure that no one actually knows how to do. I mean, people can beat their head off, ideas, data in one level, and -- two good models, but how robust, and what stakeholders would scream -- it will change all the privacy issues. Some things might require -- what becomes of issue changes. Even this issue of the audit trail would change.


    Just a point of clarification, la Tana, I am too a supporter of architected solutions and we would like more innovation, but I am somewhat confused. Are you talking about this technology that would support a national exchange? With identified data?

    I am talking about -- not talking about a technology, I am not talking about me building any technology, I am not talking about me being a part of any solution, operational solution. All I am saying is that I wish today the conversation had been a different one. I wish there had been a meeting that said hey, here are five ways we could design this and here are the features we really want off of -- whatever your vision is for the national infrastructure. Here are the features and functions we expect, and your five verpdz venderses or groups present five ways to construct that. And then we sit back and ask how each of your features map into the architectures.


    I have a coup will questions. I couple questions, and this is fabulous food for thought. A thing we did a couple years ago, the consortia of work, I presume architectural design. If memory serves, IBM did one more like a big data warehouse, other folks, CSC, others, did different models, more fed fed federated, identifying options, things to accomplish the policy goals this, is what it mean fist you look at this design versus that. Am I on the right track?

    Yes, not those per se, because five years is a long time ago in the world of --

    Absolutely. So, second question, then one comment, and that fits in my three-rule, so -- my second question, can you talk about the issue of data use. What we heard a lot about, whether the discussion was about consent or audit trails, what I think a lot of it boils down to, how is data being used, really focusing on patient and consumer concerns about downstream uses. Can you talk about how architecture would design, impact the use of data, where I am getting stuck, we still -- I know you would agree, still need a policy, but can architecture design get to a policy or it just needs to be built to follow a policy around data use, for example?

    Meaningful use, the meaningful use matrix is a really great guideline about this is what we want to realize. Very clear. But the truth is, I keep saying -- the [indiscernible] in the matrix, not visibly in the matrix, you hear them in the discussion, but they are not visibly in the matrix. This gets to the notion of there are more uses than just meaningful uses. The way architecture plays in that is really interesting. I can't imagine any complete solution that doesn't enable about a billion dollar industry of data analytic that will want to work on that. There already is a data analytics industry in this area, but having an infrastructure will enable it. Is it a good thing? Bad thing? Some of those resonate with the outcome measures in the meaningful use matrix. Some of those might be other ways to save money, like identity theft, medical identity theft. Those are all policy decisions, might be part of what you think of when you think of architecture. The use, all the architectures will have.

    My very quick comment is, but very important one, is that I think we have to do it as a committee, some real work around identifying the set of policies or at least a beginning set of policies that can move us forward. If we can have the tune the to then juxtapose policies up against design, fabulous. But I want to be clear in our conversations with Congress well before high tech was passed, the wired act and others, they really wanted to see this committee, in fact, and AHIC before it, tackle privacy policies. I want to encourage us to commit, and I am sure you will talk more about the future of our work in this area, but commit to crafting that set of policies, how it builds on the work of the state of Minnesota, the wonderful folks we heard from today to begin to have the discussions, building on the work done, what the right set of policies are. Then be able to look at how they interact with architecture design. This is an area we have been debating, struckel with for year and years. This is the next best opportunity we have to really make progress.

    Can I just push one thing, Christy. I agree, too, but I think having the policies discussion in abstraction will lead to a set of policy guidelines that will be far from optimal, won't serve us well. It has to be -- the panel before, I forget who asked the question, we should start with policy, then have architecture, and I am saying work on AARC architecture. You have to balance between the two, actually finding the optimal spot. Engineers call it [indiscernible] design.

    I agree. This committee, as you proceed with your work, the group you assembled, cleecial clearly some of the best minteds in the country, we shouldn't sit here and say wow, we're going to wait for -- there are great people, Devin, joy, work with the committee and we all bring wonderful perspectives, it's an opportunity to do that, to iterate, to be coworking together at the same time with the policies, bouncing them off the architecture design.

    One sentence -- two, three, because we are on the Davis rule. That, if you do that, it actually changes what's important, earlier in the discussion people said you know what that's not what we wanted audit trails to -- no no, this is what we want, this accountability, then I know there are a set of principles we talked about on the phone, I assume those would be the kind of thing, and beefed up a bit.

    I am regrettably going to call the question at this point, we have to hear from the public.

    I also want to say we have next steps, don't have time scheduled to talk about it and I am not sure we are ready to talk about it. We have to digest the many suggestions and thoughts we have heard today.

    I do think one thing we need to do is put together, maybe reconvene the task force that put this series together, have that group propose a set of activities for the policy committee going forward.

    My own feeling is we can't propose a set of activities that will take five years to bring to completion. We have to do, have a series of short and middle-term and long-term -- a menu of things. The fact of the matter is we have a law to implement, we don't have all the time we would like. The law assumes we can get a lot of the nation's providers to be meaningful users by 2010. If we decided none of the architectures currently available are correct, I am not sure that would be very helpful to us in the short term. I think we are always going to have to move ahead with what's practical, as well as what's ideal, but let's put together say to work on it.

    At this point, Judy, I think we will thank you, la Tanya, for the thoughtful comments, you clearly have simulated us. I don't know if you made us optimists, but you simulated us.

    Judy, we are ready to hear public comments.

    This is the public comment portion of the meeting. Anybody in the room who cares to make a comment, please queue up to the mic, and those on the phone you can dial 877 -- [indiscernible], keep your comments within two minutes.

    It's me, diseb ra peel, I have taken a lot of your time. Congress does intend for outside experts to be participants in the work group and be asked to help with projects. I would like to reiterate our offer as the leading national representative of consumers interested in privacy, health technology, to help you either either participate or we have many strong members, to bring the issue of privacy, from the consumer, into this process. We just want to help. Thank you.

    Anybody on the telephone?

    I am joy -- with Georgetown universities healthcare institute. I know the meeting was primarily for information gathering, so there are a couple of pieces of information I would like to give to the imhitee. A lot of work has been done by other countries who face the same challenges. Mentioned earlier, one option of how they will deal with health information. We may or may not wish to adopt the solution, but they have white papers outlining the considerations, different options to implement that and why they reached the conclusions they did. That it would be a very useful tool for this group.

    Canada had very thorough considerations of policy solutions. They have almost an an A bawnsd abundance. They have an organized segregation of information, vendor conformance requirements, things of that nature. It is all available publicly on the Internet for free. Gla

    Thank you.

    There are no comments on the phone. Any other comments in the room?

    Judy Faulkner.

    I am not sure we are all talking about the same thing, David. When Bob and Robin were talking, you were talking about the audit trails. Correct me if I am wrong, not the EHR system, whatever is in the same package, most of them do, we do. I think the question, correct me if this is wrong, when it goes to lab Corp, whoever sees it in lab Corp, how is that brought back in. When it goes to the insurance company, who sees it, how is that brought back in? I think that was the question. I am ready to stand corrected if it wasn't.

    Thank you for that clarification. We should make sure anyone who wants to talk on the phone or in the audience is --

    There's nobody on the telephone.

    There isn't anything in the law that requires you to account -- you as a hospital to account for something somebody else did with the data. So to get a sense of the scope --

    To figure out the problem, David your system does, ours, most of the others -- I don't know where that problem is, bringing up --

    But we clearly need a working group to clarify --


    I want to express again my appreciation to all the witnesses, members of committee. We will continue to work on the problem. We have a lot of implementation to do. We didn't talk about the regulatory work that is being done to implement the high tech law as amended HIPAA, enormous amount of work to do in that area. There's additional work F it needs new congressional authority we will of course have to takes that into account as we go forward.

    Without objection, I think we stand adjourned.

    Thank you.