Wednesday, October 14, 2009

HIT Standards Meeting - 10/14/09

Meeting Materials:


Please introduce yourself and state your organization and if you have any conflict on today's agenda.


NCDDP, No conflict.

And Castro.

No conflict.

Floyd Eisenberg, no conflict.

Carol Diamon, no conflict.

John Halamka, I am on the board of medical help.

[ Indiscernible ] I am on the board of the National Health.

David Blumenthal, national coordinator.

Jean E. Ferguson, but Kaiser Permanente.

This is Dixie Baker and we to implementation for health care.

This is [ Indiscernible ] health-care no complex.

Kevin Hutcheson.

Judy Murphy from Aurora Health Care, no conflict.

David McCallie, HIT vendor otherwise no complex.

[ Indiscernible ], no complex.

Chris Ross, no conflicts.

[ Indiscernible ] no conflict but a federal liaison and on the board of this HL7.

I believe we have a number of people on the telephone.

Jim Walker, [ indiscernible ] common no complex.

Kara, CMS, no conflicts.


With that, I will turn it over. Thank you for your continued hard work. I am so appreciative of the hours and hours of commitment and of the public comments that help make this dialogue inclusive and the work product all that much better. Before I turn to national coordinator, Dr. Blumenthal its a delight to welcome them to members to Welcome Carol diamond she is the managing director of the Marco Foundation and the system informations Services and it's a pleasure to welcome both you Chris and Carol to the standards committee. Thank you. With that let me turn initially to your opening comments.

Thank you, Jon, both Johns for your work and sharing this meeting. I would also like to welcome the two new members. It's amazing to me that anybody would want to join this group given how hard the people here work but it has been a testimony to the commitment of the people in this field that we still have willing bodies willing to come help us to this very complicated but important project. This is a continuing activity that is vital to the office of the National cord maker and vital to the work of performing our health-care system -- coordinator and vital to the work of performing our health-care system. Everyone is assuming that if substantial health system reform becomes possible under the new reform legislation that the kind of how the information infrastructure that is required to support that will be present and functioning when it's needed. And that is a very tall order, one that we are committed to doing our very best to put in place. And a project which rests in no small measure, the success of York deliberations in providing guidance of the standards that will make possible communication between the many entities and individuals who develop and collect and process and use health information pity you all are very much at the center of the efforts to improve our health care system. With that I would like to make a brief opening comments about a topic that was to be on your agenda but is not for logistical reasons. It's called the nationwide Health Information effort which is a resource under development for some time with in the federal government and in partnership with a number of mostly large private sector organizations that have been putting effort to create an open source the source for exchanging Healthcare Information. And we view that has a vital resource for realizing the National Health Information infrastructure that Congress expects us and the American people expect us to make available. Because of the way this nationwide Health Information Network has developed, I think it has acquired a certain public reputation of being a collaboration among the very large and a selected group of entities. Public providers of health care and users of public health care information, Department of defense, Social Security, and a number of large providers that are pioneers in the electronic health information business. Of course, the goal has always been not to develop a thing or a network that is closed or somehow a figure to of representation of the network but to create a resource to the protocols and standards and specifications that are in the public domain and are available to anybody who wishes to use the Internet to save information in a private, secure, and effective way. Because of this idea and these protocols have been developed and put into demonstration, I think that brought a cool has sometimes been less evident -- broad goal has been sometimes less of it but we want to reiterate that this is for anyone and everyone who wants to exchange information quickly, efficiently, privately, securely using an Internet based application. That means that we need to begin as we move closer to the availability of electronic health records and that meaningful use becomes better defined and includes information exchange which is required. That means we need to exhilarate the availability of the network -- accelerate the availability of the network and the specifications and Resources that constitute that network. Make those more broadly available and bring them faster into effective use. We are thinking very carefully on how to do that. That has obvious implications for the standards committee that will have to help us figure out how to make those standards and protocols and specifications available. Recently there has been a lot of discussion about making consumers -- providing consumers access to this resource. That is certainly something that we think is a long-term goal just as we think individual positions and small groups and vendors of electronic health records may also want to have access. This is a public resource, a public opportunity. Something was broadest use its is our goal. I expect you all to take to have answers, but we will be working hard to think about over the next months how to make this mission -- bring this fishing closer to reality -- vision closer to reality. I know there is a long agenda and a lot of work that you want to share with us. I know this issue in some people's minds with the discussion going on inside that NHIN and broader communities. I just wanted to make those points at the outset.

We look for to the discussion on this. All of us are driven by the requirements for the [ Indiscernible ] across a number of circumstances I notice yesterday when the were at Washington VA and they said wow, this is different and there's no distinction between home care, and patient, outpatient. And I see heads nodding around the table and across the circumstances allowing not only greater safety and quality but greater Bally, a greater efficiency and the use of resources and better and for earnings not just of the health providers but as this committee has been articulate and representing the patients themselves and their family members that may be advocating across all of those circumstances. So we look toward to that discussion and again thanks to each of the members of this committee. One of my mentors to, says an unforgiving minute in 60 seconds of the run and certainly every minute has been more than packed as we look first at the -- As a look at the first order of minutes. I would like to please take a look at the minutes for one final review. I know people have had a chance to look at that. I want to take the opportunity in front of you, David, to acknowledge your staff who has done a super human work in packing them with more than 60 seconds of a new round pick any corrections or clarifications in the minutes as you have reviewed? Hearing and we will accept those and move forward. Today we have a number of important updates. My co-chair pay one will speak more to the overview and we also segue to a discussion that is exciting and harkens to any epiphany moment that some colleagues saw. That is that we are going to have our first discussion here of implementation Andy is chairing our new implementations committee and has brought together real-world experience to inform what standards are necessary. What gaps may remain, and to identify what figures exist and how others have met those barriers or what sorts of approaches might be useful to really driving greater implementation of these sorts of health information resources, the backbone for reform and higher value health care. So we look a word to that discussion because it's not about the standards in isolation but the use of standards in practice and accelerating adoption of proposed standards and mitigating barriers and some approaches that expand that the public dialogue very broadly and allow relief ace -- really a segue to the very practical details of adoption and greater implementation. With that. Let me turn to John Halamka, an individual that all would recognize that unforgiving minute with super human endurance. Thank you for the leadership that you have provided and then look forward to your introductory comment.

As you said today is about evolution of our work and plotting the next six months so that we can make sure that implementation and adoption happens. The challenge that we have is much work has been done in the standard World, standards have been harmonized, caps have been identified. There have been movements in the industry and some adoption of product but if we did receive what you just articulated, how would we be sure that we have the tools, the technology, and for the implementation, guidance, education to make sure there is a glidepath. To make sure it's easy to do. Here is an interesting challenge back and thus be eight days we were given these use cases that were. Specific -- back in the AHIC days that if you do this exact combination of factors in defense than here is your cookbook. But in the world of ARRA there is a difference. There are a whole lot of things that might happen in the ecosystem so let's take that and breaking into usable parts. Now it's less scary, here is reusuable part one for vocabulary's and I can use that. And then when you take it too true implementation, all my God, there are different reusable parts and there is this direction that point to another reusable part that point to another usable part. If I only had the thick cookbook that gave me the whole tide on what to do life would be much easier. As they look at achieving your division how do we provide the tools and technologies to make sure that it's straightforward for people to join. We also want to make sure that will enable innovation. So this will be the delicate balance. You can achieve in dropper ability in some ways faster and cheaper by been totally prescriptive and eliminating all penalities but that also obstructs innovation. So all local I say over the next six months. From all the stakeholders in the community decided what he'd need to make adoption and implementation easier figure out where we draw the line between specificity and optionality. And you see we will see updates in a focused a lot and 2011 in 2013 and what are the gaps and vocabulary's and whether some of the elements that need to be done. We will hear on the qualities tied House so much work has been done to make some of the measures retooled to make sure that the are ARRA friendly. And Dixie has a presentation on how to make it more granular privacy is more protective. We want to go further and make sure the consumer has three significant options of what is shared at what time did so we will talk about the word and then you will hear about the framework for gathering the multistate click your input on the experience today and adopting standards and what tools might be needed for implementations. I met yesterday with the CEO from a company from New Zealand called Orion. I asked him, wouldn't it be interesting if you created a diagram of the actual standards that you are seeing in use? He said actually, for this committee I would be happy to do that. Give us the experience from North America, Europe, Asia. And off the top of your sick head, HL7 v2, X12, NCDPD, sure, I see that a lot. We have seen some emergence of a lot of the world is home grown, cobbled together very proprietary etc.. So you hope that we start seeing what the world is actually doing and where we can help try to rationalize it so that they can plug in to what he describes. We will hear more about the privacy hearing that was held. Wasn't that September 18th or something like that and then talk about our work for the next six months. So no question, our work will never be done. And I really look forward to working with all of you to be false and build on the foundations that we have created together -- to be involved and build on the foundations that we have created together.

Thank you, John, with that I think you and Jamie are up for the very first of the on the clinical operations workgroup. I appreciate your leadership, Jamie with the amount of clarity that has gone for it has been terrific as this group has discussed previously. This will likely be a work in progress but the ability to instill some clear guidance has been particularly informative speaking as a chair of my own organization and been able to see a list of directionality that is very helpful. So we thank you for that.

Thank you.


What I would like to talk about today -- what we would like to talk about today rather is a summary of some of the discussions that we have had. We have had a couple meetings since our last full committee meeting. We discussed some of the gaps that we found and some of the next steps. So very broadly, in terms of the scope of the different kinds of gaps we found that the criteria for certification really has not been something that the work group focused on. We focused on the standards themselves, the recommendations for implementing the requirements and measures that were recommended for 2011 and we really have not focused on the specific criteria for certification and we hope that the committee will join us in discussions, a broader discussion on certification criteria. We also talked quite a bit about the caps for health information exchange. In terms of health information exchange we recognize that there is a need for coordination for all the different kinds of systems that have to communicate with health information exchange services and entities in order to achieve the proposed measures for 2011. That includes standard for communication between HIEs into non EHR systems such as lab systems. We will then talk briefly about the clarification of some of the 2011 measures and gaps in some specific domains. In terms of the 2011 measures the ones that we identified in our work group discussions that we thought need more clarification were high-cost imaging with structured indications. This is one where we thought it needed basic definitions. In terms of patient access to EHR, this is something that we may have more discussion on in the committee. We felt that there is a need for defining minimum content requirements for patient access and also we have not discussed as a full committee to a great extent Direct access to the electronic help record versus providing a copy through a personal health record although the standards are provided for that we have not discussed those alternatives for this particular measure. And we also found that patients specific educational materials was not completely clear to us. So we wanted to have clarification, again, definitions for that.

On the patient access to EHR, where I work we have been using PHRs for ten years and the problem had has been with medication list, radiology departments and reports but not the actual notes of the encounter that were recorded by the condition. Of course, we know HIPAA mandates that that the patient has access to their records. When we tried to tell our physicians ten years ago that we will share every observation that you have made about every patient with the patient themselves there was some resistance. And when I said I've just met with this slightly depress obese me and the patient will see that man, the patient will see that and that is controversial. It is its clinical a summary -- is it a clinical summary? It's the patient's records. They could get access to aid but what are the minimum requirement that the institution should make available and there are many commercial vendors. What we have used in our personal health record is access to up-to-date, access to gold standard for these commercial sources of data and we do via a URL that. The standards, I use them to get at an educational material but what is the scope of educational material?

Okay. So I don't know if the minimum content requirements or something or whether you would like to discuss that.

We can open it for some discussion. I would note to Dr. Halamka's point there was an interesting reconnaissance and some had their held the record copied in its entirety and the discussion with clinicians the have been implicated with some professional believe and how they communicate and what might be potentially misinterpreted were diminished when they began to understand that the patients already have this information. And if one starts to believe this information is the patience that dialogue goes further creosote a perspective -- so from that perspective let's open up discussion on this topic.

Welcome, we welcome our chief technology officer off of the science technology. Our chief technology officer.

I want to ask those who are encountering patient requesting permission, I would like to ask if Judy or Chris or Linda. Anybody who talks to patients who are asking for data. Anybody want to share how this dialogue is happening at Aurora or anywhere else?

Yes, sure, this is Judy Murphy. Increasing people are asking to see their own records when their -- when they are hospitalized and to actually get release. In terms of personal health records we have been released elected and what we have been doing. And only lab results and its at the specific discretion of them. So if the physician chooses not to release them that is actually what we do today. We do not mandatory release them, only if the position allows that. Where we need to be going in for your patience centric, I mean, this is all about the patient and we absolutely have to make sure that we are partnering with the patient. Not seen this as our data but data that we're working on together as 18th.

This is Jim Walker -- with the perspective of Kaiser Permanente with over 3 million members online using their records actively, we find that the parts of the static records that are most accessed are the lab results, map of the medication and really that is about it. We do not allow the nursing notes on the on line, MyHealthManager is the tool that we have paid and what draws people in is the transaction capabilities of be able to do online e-Refills and communicate with the positions. That is a mix of those things and not just -- people generally don't go there to access the static record.

I would like to call on Clinton to describe some of the VA experiences and how they grappled with some of the business rules for example if the patient does not get a new diagnosis of cancer without appropriate counseling. How did you operate that?

To support Jamie's comments and we probably have had about [ Indiscernible ] veterans free new -- renew their prescriptions on line this morning initially we are very aggressive on how we ask veterans what they want next and our adoption always jumps as we released new functionality. It's a functionality that the users of the system have said that we want. The American Health Information Management System quite a few years ago did a publication that provide entities always have the need for that legal document so we will always have the VA provide a electronic health record. But we also believe a copy should be made available electronically to the veterans so that they can do what they want with that copy. We do when we hand the copy out, we do it in such a weight that it respects the clinician role in caring for the veteran and that is what we do in terms of incorporating a delay in the release of the information. So the electronic how the record will alert the condition that they have a lab or diagnosis or pathology report that is outside of normal you want to make sure that you follow up directly with the person. So there will be a delay in that information.

Let me ask a use case -- let me make the presumption, David, that this is not an ideal topic for the policy committee. Would be to provision that to the best extent possible.

It's a policy committee issue but we would welcome your reflections and recommendations.

So the questions that I have, if a patient is seeking a second opinion to what extent do they ask to the components of the record or what record to the poll when they want to share? I do know -- Is there an online second opinion program. I am trying to get my arms around the scenarios where if they want to read their record which is a basic concept, but then there is an ecosystem with a white want to proficient access to that record to a third-party -- might want to provide access to that record to a third-party or program that might help to say, people that have comparable issues that I have are thinking of the following questions to ask providers. Has anybody encountered that scenario and how does that affect the east by which we share the data.

John, can you hear me?

This is Jim Walker.

All right.

One of the things that we do is provide any non Guisinger physician raid only access as long as the patient signs an authorization that that position have access. We have hundreds of positions that have ongoing relationships with patients. I also want to say to the basic question. We regard all of the information as patient information and that does not answer the question of how to provide the information to ways that are optimally usable. And while we provide lab results and medication lists and secure e-messaging and what I think needs to be done at the national level is to do research as we do each one of the to increasing access and timeliness in a faster timeliness is to make sure that the patients say when they get this information, this really helped me, I understood it. I felt more enabled to manage my self. When you said providers are given read only access falling patient approval would you mind giving us a little to ease on what the technical standards were that were in Maybelline that? Wasn't access to a PDF viable -- plus enabling the that? Was its access to a PDF file?

It was remote access, it's the shadow version. It's the life of version of the EHR that they have read only access to.

I was going to answer your question to your use case the exact same way. Our method really is to providing access to the EHR to authorize providers of care. This is not something that we have done through the PHR.

I appreciate your perspective that.

Kaiser Permanente and Guisinger Do we know how they use the full record? Mostly we hear the horror stories of a really complicated illness where there is 10,000 pages all over the place and ten different doctors and the patient cannot make sense of it. But there is probably a positive story, a too. It strikes me at this point it would be useful to gather unto ourselves some solid evidence on how consumers are actually using that data or whether they truly are all confused or whether it's useful and how it's useful. A corps literally of what everyone has been saying.

So Paul Chang and Ken and I wrote a paper on this. There are two kinds of patients that are using our PHR. You have those that have a chronic illness and they feel its important to share those measurements with their doctors. To make sure the medication lists are reconciled. And then you have those that have accused episode I will be interacting a lot and I want the convenience features of been able to schedule appointments, and the subscriptions in the specialty consoles. But then after my disease has ended I will go away from the PHR for a while. Transaxle me what you see is the same thing that you described, labs and meds are important in the renewal subscription and the data appointment. And I have the of all the patients on average for all of these.

Let's just go on down is certain point --

Just briefly I wanted to note that several people the transactional pieces of the PHR are often most highly valued by the patients. Since we're talking about gaps I think we will find with that is one of the place that we have some gaps and standards that we really have not talked about. Moving into the data rum, laboratory results and so won its relatively understood -- data realm, as a and a very little standards and work to build on. There are different pieces the some of these transactional functions are not very well be involved but others like e-prescribing and prescription refills are much further along but that is important for this group because some of the standards are not as involved as the others.

And in terms of opportunities I think to offer, from the VA when the e-Prescribing went live comet 200,000 the oft the map of our capacity and a surprise there was a much lower rate of no-shows' for a clinical appointments when the consumer got to schedule themselves. So we will just come down with Linda.

Thank you paid a really quick observation in terms of how you of all other people to see that record. It is standard health information practice that has a policy that will drive the behavior of how you release information in both the paper and electronic world. The exciting piece of the electronic world is that you can do so many more solutions I think there is some interesting work that is taking place and granular consumers have consent management with real based access control and the standard World specifically related to how do we in power the consumers to be able to air traffic control which pieces of the records they want to go where. So there is an opportunity to work on standards in that area.

Thank you. This is Stan with Intermountain. Just a couple of comments. Similar to some of the others, at intermountain Health Care we provide primarily read only access to laboratory data and diagnostic reports from chest X-rays and that sort of thing. And we initially had until late in there as well so that the position would have a chance. What we found actually in practice is that the decisions did not keep up anyway. So eventually they said, you know, we actually look at it when the patient calls anyway. So we took out the delay in does blamed the results and then second -- in displaying of the results and an second about the standards relating to standards and transactions. There is actually a very rich set of transactions for requesting appointment and other things. I think the part that is clear is that it is not as widely implemented as Lab Data results Exchange but there is a very rich set of standards around appointments and scheduling and both Resource scheduling and appointments scheduling. So those things are available but they have not been implemented as widely as some of the other parts of the standards.

Terrific input and it really gets to the interface that we get between the Standards and implementation guidance.

Chris Ross.

I would like to give an example from ambulatory care. The groups that time as possible for, we are having patients that receive care from us but also receive care in other places. The majority that is happening in the primary care setting and I think it's an important piece that the committee pay attention to. So in our world our approach has been to have an identical record for the patient and their primary care giver. In the pharmacy part of our business, it's commonplace to provide online pharmacy history, medication histories, and the like and to allow refills and other kinds of control. So in some parts of the world with that it's not the center of the patient's care but is on the edge of care I think there's an awful lot of useful experience around complete transparency and portability. I think it's important.

Thank you.

Let's go to Wes.

Thanks I would like to clarify with Jamie and Jim. When they said that they provide those physicians access to the information, I was not clear on how they did it. Stewart lee Geisinger has a program of -- certainly Geisinger has a program of their own EHR system but I would think they would give them their Web access. I did not understand which approach that they used and it's important to our deliberations.

Jim, why don't you go ahead first.

Well, what I was talking about --

We need a standard for this [ laughter ]

Go ahead, Jim.

We need are ID numbers.

We provide Web access, remote access that is the only to the entire record and other forms of access because of HIPAA requirements we do different things. But the full access that the patient authorizes is read only to the Chatham system via the web -- shadow system via the web.

So the data is available on line?

Will, the shadow system exist so that we have a backup so that if the production system blows up we can still take care of patients. But we also use it for accesses that would not compromise the production system, and one of those is remote Web access.

Perfect critic thinks.

Let's go to Jamie purpose in.

I was going to answer the same access stomach cancer, they may be contacted physician -- the same access, they may be contacted physicians and other authorized providers. The Web access, the shuttle system this is a fold with -- full, real-time electronic medical system. In order not to have an impact on the life production system, we have these shadow copies. Essentially holds the full EMR and that is true for ambulatory and impatient critical.

This is Jim again. In terms of privacy and security because that position has access to the entire record, that can be 20 years old. That requires a special authorization so that the patient really understands the person accessing this may see something that happened so long ago that the patient has almost forgotten.

Before we continue around the table, I think John Halamka and Aneesh want to jump in.

We make Web access available with the appropriate credentials to our web based application but we also give patients a full access to their records. And starting next month actually the patient through the tethered PHR on our EHR could share access with another provider if they so desire. So if the provider has PHR, the patients can export their data to Google Health or Microsoft help faults and share the data for those products and then there is the rendered PDF to deliver it to an appointed attorney for others to may have legal means for requesting it.

There is a lot, and these shadows systems can be authenticated provider download in a format to export a record into their -- So I am Dr. John Doe and I am given shadow access and all of the paperwork and validation of the patient with 30 years of history and you have embarrassing stuff in there. All of that is done can I download it the record file from the shot a system into my system? And if so is there a standard by which that should be done in this the something that we as a group have been changed on?

The technical capability exists for that. It's a local policy medical record as well as medical group discussion on how this technical capabilities are employed for downloading copies for example. So there are policies having to do with encryption of copies that are being provided. So I would say that the implementation of that can vary depending on local policies. And in terms of local standards on that, I think that the standards that we have talked about here in terms of our recommendations for clinical summaries for meaningful use to not cover at this point all of the different parts of EMR that would be the provided through a standard release of information and that could be the clinical summaries that could be down loaded certainly.

Let's go to David McCallie. I want to come around.

Thanks. Hearing about these serious experience and real-world implementation is useful and this might be something that we want to formalize in the form of a questionnaire or something where we could be more precise than we can afford to do in these open discussions. What I would submit and maybe a lot of people over is that the perspective at the end game that makes most sense to me would be that the consumer gets a complete copy of their record automatically regardless of where they get their care. It had that record is available to them to how they see fit to providers in the future. And these tethered models are steps in that direction but we should de-couple get the tethered services by the provider such as the requests and prescription refills and the like from the record that you carry and keeping the for the rest of your life. We want to pull that all together and call that a PHR but that is really a very different thing. So poor resources that are reached, provider to their customers for it period of time are important. But what you take with you when you are no longer a customer of the provider is more complete record. And it just builds over time. I don't think there is any requirement that that be understandable by eight the patient. I have a tax form that I don't begin to understand but if I switch accountants they would understand it and make sure that we pick up and I did not lose any deductions permitted the same thing ought to be true for the record. We had an interesting experiment that was quite revealing inside of my company to do some circumstances we triggered on an internal collaboration suite that we used to kind of coordinate activity in the company. We triggered a, tell us your medical horror stories related to lack of access of information. And in some cases some horrendous stories of problems that occurred because the record was not available many times the problems occurred many years downstream of what the record the originally been captured. It was not sharing with a known provider, it was emergency situations or things in the patient's past that were not known to be relevant except for in retrospect, gee, if I had only known that I would not have made these mistakes and the thread keeps going as more of my colleagues recall these instances. And when I just read through them and to an informal analysis they could have been averted, sort of like the Web, we start with search and then we get the data. We need a PHR that works the same way. Start the search and then we get the data.

Thanks, David Carroll Diamond, John and Kevin and Dixie and then back to Wes and that is a terrific sick way because I cannot think of the poster that says, a quick comment tell your provider door how history.

So Carol?

This is Carol diamond. Might question parallels Aneesh's question. I am interested. John, I heard a mention that the patient can get it in number of ways but how many of you actually provide the ability of the patient to download the data in some electronic form and take it somewhere? The reason I ask it because I am struck by David's comment that it does not necessarily have to be understandable the potential that what we see as opportunities now is that other people can help the patient like the accountant, the electronic version of the accounting, help make the data understandable and use it to manage their chronic disease could I'd just think we have to be thinking about that possibility as well, I am curious, is it downloadable, is it portable in electronic format.

So the Google Health and Microsoft Health is CCR or CCD so we export the structure but it is an incomplete record. It's the summary of problems and allergies that specified by Google and Microsoft which persists of health vault or Google Health.

In addition, we do provide the capability for patience to get a download a copy of their entire medical record onto a flash drive and this is done in to encrypted files. This is a capability that is a local decision at the facility and provider of level on whether or not to offer that so it's not ubiquitous throughout all the facilities and not all physicians would offer that to their patients.

Is its a PDF?

It's an encrypted PDF right now.


On behalf of Hospice home care in skilled nursing facilities it's a little different. One was that we work very closely with the physician in hospice and home care because that is an easier thing to do. Where it becomes complex is in a skilled nursing facility where people have been there for years in the clinical records are on paper although we're working to make them electronic. We do give physicians access on amicable basis if they ask although it can get very complex because there are so many physician that deal with the 100 people in an average nursing home. So the of the complexity is that we have to deal a lot with loved ones that want to have access to the elderly parents and they might be 2000 miles away and there might be siblings in the family. They all want to know the information so we're trying to deal with that. So there is another a little dimension in the whole thing, we do not provide downloadable on the other end. We are hoping for standards and all of that that we can give access to that because with the MDS on nursing homes and Oasis on home care we have the capability of electronically giving that information if somebody is able to take it and its in the format they wanted to be.

[ Captioners Transitioning ] So much is downloadable and some of which is viewable. I think as the standards committee we need to take into account as to how these personal health records are starting to be involved. In particular and I couple of companies that are approaching the PHR space not in the typical quicken application where I applaud or download information but instead they are following the social networking site type of approach. And there is an invitation and acceptance of a relationship that is built. And there needs to be information and it and Exchange of questions as to where if I need to break the relationship, I need to download it into my record to carry it to the next relationship.

But it is an interesting new approach and how I think PHRs will be less going forward with there is a community PHR, if you will, and I create my own community of who I want to track my information. If it could be my hospital or my personal physicians or it could be have family members who are also responsible for my care as well, but it is my enclosed community. I don't know if that is a solution but it is another approach instead of being driven by the provider for the patient. The provider is the one launching the effort to bring health care providers into their world.

Thank-you, a great image for the rest of us to contemplate. Dixie Baker?

Yes. Kevins, it caused me to add one point. The point that the PHRs are taking on new models is absolutely true. And I noticed that earlier this week google health introduced a teller health capability by which a consumer would have access to a virtual Doctor which presents a new set of challenges when the talk about the EHR. If you have a streaming video of interaction between a doctor and a patient is that part of the EHR, PHR, etc.

Now on to my question. First of all, as most of you probably know, ARRA had the capability to segment information and it is attached to the first of the Big 87 capabilities, and I wanted to ask that in these chattel implementations that most of you have mentioned as well as in Kaiser's case, the downloading of the complete medical record, I am interested in knowing whether your segment highly sensitive information, or what we used to call deniable information, like STD information or mental health intermission, and that shuttling or that download and if so, how do do it.

We will go to Jenny Ferguson first. And since I am naming names, one of the comments we received on line, the people that follow the webcast, I appreciate a identification so if you could practice the comments with who this is, that would be great for those trying to follow virtually. Jamie Ferguson.

It sounds like it is becoming a stock cancer but the answer varies with local policy because they're different jurisdictional requirements for different parts of that, for example, segmentation or limiting disclosures of different kinds of information so we comply with all of those different requirements but it will vary locally.

Is it by state law or by physician? Or both?

I don't think it is by physician preference. I will have to go back and look into what the jurisdictional requirements are in order to answer questions from a medical record standpoint.

Next, let's go to John.

So our segmentation is called a locked room on the target of a nude similar to what in a chess has done with the lock box. So and the clinician can choose to segment any aspect of the medical record and then it is considered a specially monitored area. Break the glass function where you need to access what are documenting it and and email is sent to the author of the note in the privacy office of the Organization each time it is accessed. At the moment, we have not shared those monitored or locked bits of information with any teetoo provider.

The clarifying point from Judy Daniel.

At what level of detail or data can then lockdown.

Is it by note or by Day at visit? What level of Craig Larry?

At the notes level.

From his standards perspective, do you use label based access control or what?

Is proprietary, part of the application.

And the last word?

A couple of comments please. One, I think we always have to be aware that at any point in time, we will be interacting with physicians at different levels of sophistication and piety. My company believes that in 2014, the physician OASIS practices will have well less than 55 percent penetration. We hope things are better but that is what we bank. So it is important that, how we share data electronically serves as both that has the latest release of the certified software, and those that have no IT at all for summer in between. The advantage of both of the CCR and CCD formats is that they have structured data and can be printed text Julie. So this in physical block of data can be can simple by an EHR and through a standard Web wizardry printable viewable on the screen, things like that. Very important, this notion that we will ever have a uniform set of technological capabilities, it captures all of our experience in IT, and we need to make sure we are doing impedance matching between the different systems. The discussions on PHI was clarifying when John and David made some clarifications. I think we can arguably say we have seen the best patient engagement when what is called the PHR does not meet the legal definition of that. That to say it is a portal into the PHR where a patient can view all of their data but has no control over it deleting it for other things associated with the PHR.

How far they PHR will take us in terms of patient engagement. Certainly we are seeing a lot of studies now, it looks like publishable quality studies which say, with a PHR and an active program by the provider engaging the patient as opposed to simply as a resource, that a lot can come of patient engagement. Cloture can be more steady, congestive heart failure patients can monitor their status better and so forth. We always have to keep in mind that the entire population of patients includes those who are not always able or willing to enable this kind of engagement. I think carols comment about the availability of third parties, when my father's father was in terminal emphysema, we engaged a nurse who had gotten tired of doing a turn downs for an insurance company and became a patient advocate. And we paid her $35 an hour to physically read his records, talk to the insurance company and the nursing home. Just think of how much more productive she could have been if she had done on line? How many more patients she could have helped?

The fact that the patients will vary in terms of their ability to enable these kinds of electronic sharing makes it important to keep it in mind that they take too, some sort of patient and able National networking is far easier from a network policy level than provider to provider direct transmission. It is not a substitute for that. We have to be able to send -- if a physician codes a visit with an allergy to codeine, that could be some sort of subtle comment that that is drug seeking behavior. Plenty that report to go to another provider who would have rights under HIPAA to see the data anyway, and whether the patient would like to have that report be left out or not, we need -- if the normal business of health care is to go on, we have to have information forwarded in the normal course of business regardless of whether the patient about-if I had all of the exchanges between my providers, but I would probably be dead now because I don't have the time to do it. So we have to keep in mind that the National review of patient unable cheering is not a substitute for provider to provider sharing.

And triptychs summary of points and have like to thank everyone for a wonderfully provocative discussion. And I think there are some scoping that needs to be provided to us apples from the office of the National coordinator and Policy Committee but this discussion -- Direct access versus copies that can be downloaded or yet [indiscernible] video feeds, but there is a standard on [indiscernible] not only two patients but to be as parsimonious as possible with the transmission which I think Wes had a point at resonator broadly, it needs to flow through out the normal course of business between providers.

I'd think that the point that [indiscernible] opposed to last last time which was amplified by couple of people, the need to measure the starting point, but what did that do we have to describe this, and I think the discussion provided here good testimony as to what is being done in the organizations that are directly represented and the challenge to a survey this is one that remains an open needed to determine parameters around patient access and what access in terms of how the access segment information and how they are grappling with potentially not all data sources such as the video fees that Dixie Baker pulled up. So I think there is for care that is yet to be done. Hopefully a robust in answer to your very provocative question, Jamie prison and John on framing this discussion.

Let's turn back because I no you have additional materials you wanted to share by way of your report.

Thank-you, on to page two. [laughter]

We did have other gaps that we wanted to discuss with the committee. We have a list that we found in fact the majority of that capsule account have to do with a capillary. National cross maps in SNOMED CT in both ICD and nine and 10 and a number of different concerns and implementation of in terms of RxNorm in terms of cross maps for the proprietary quotes but also the plan for moving forward with the complete federal medication terminology, the set of terminologies including implementation of NDFRT and structured product labeling. Moving on to the labs, we found some gaps in terms of LOINC and you come. And I no there is some private sector works involving a compendium of order Coates but this is clearly a captive of into it lab orders, so the orders are believed are not as much a cap for 2011 as they are for 2013 but it will take some time. We also found a need within LOINC to identify comparable test results for trending and other purposes with the specific LOINC test may be different but the results are comparable for purposes of general use.

And also, we are interested in understanding the boundary and relationship between LOINC and its hierarchy levels and SNOMED.

Also in labs we found a need for additional guidance in terms of the implementation of the UCUM for units of measure, and we discussed the need and here in the committee previously it the need for standards for both distribution of code sets and updates to the vocabulary's and the need for maintenance and management process these particularly for the subsets that are specified for use through the standards.

So this whole volume of work rarely has such significance that, as we have discussed previously with the committee, we would like to get approval to launch a sub work group to focus specifically on the set of vocabulary issues, and would also like to invite any interested members of the Committee to join that sub work group.

Let me give some examples of the kind of work ahead. Cell, RxNorm is across work of some proprietary vocabulary's and some contacts about the medication substance is, and that is fabulous, but what if you are allergic to a category of it medications or there is a drug-drug interaction, not with a chemical but with a category of chemicals? And so that is where the authority comes in and provides the category descriptor. So then you figure out how do we have RxNorm and NDFRT and all the book Kepler's working well together and Commission standards work, this may be an example work that needs to be done.

UCUM, to give you an issue there that is interesting, there are 17 Hartford Hospital's and it wouldn't it be great if Harvard work with Harvard? I know it is an extraordinary idea but just the other day, Marquette set up a phone call with me so that Harvard folks could talk to the registry folks and they said we have 17 ways of reporting labs, no standard unit of measure and LOINC coats everywhere, at how would you compare lab results, and the answer is, there isn't actually a standard unit of measure that has been incorporated into most of our laboratory systems, some one may report milligrams per deciliter and the other this furloughs per fortnight. So this is an example of work to be done.

That is why I took this job, to solve that problem. [laughter] at.

This is Stan half. And I would like to volunteer for that subcommittee.

Let's hold of our questions until the end of the presentation.

The living on into that other areas of gaps that we have discussed in the work group, in terms F. administrative gaps, we found that we lack operating rules for the X125010 transactions that to the same level that we have for the current 4010 capko one HIPAA transactions and that is a gap we have discussed. We also discussed, and Wes and went to China chime in, the need for update attachments and we previously had a discussion here in the committee about the desire for a final rule enabling electronic claim attachments within HIPAA, but we also then need to move on to a state's that are needed for the potential for cleaning attachment standards and used in the need of whether claim attachments or other mechanisms, the potential to use the entire CD a family of electronic documents for administrative purposes. And we are putting questions on hold but I will [overlapping speakers] --

At this point, because he is a member of that group --

At a risk of repeating myself from previous meetings, when it comes to claims attachments being standardized and sent, if we want to actually show short-term cost reductions in health care, there is not much more we can do it then attack that particular administrative burden. Some standard comment is, hoo rah. The specific notion of possibly modifying it, it is possible that the work that has gone on around CCD while the standard has been sitting on the shelf waiting for HIPAA action, that might constitute an ability to create less complexity by combining it with CCD. But on the other hand, I hate to start another four year cycle waiting for HIPAA approval to come out on this.


Just a couple of other areas of gaps and previously noted the need for that order messaging standards within the he group of standards and looking forward to 2013, and the point of the previous discussions, I think mostly in the last meetings on the different alternatives for Quality reporting architecture, but noted a gap in terms of implementation guidance two, particularly for QRDA and the upcoming E major standard.

And so our next steps for that work group are to work towards resolving these benefits steps. With light committee approval to move forward and launching the vocabulary of the support group to close the gaps we have stated here today and to move forward on 2013 and integrate with the ongoing development of testing efforts.

Before we move towards the approval of recommendation praised the group, let's take some comments. Carol diamond.

I just have a clarifying question. What is a meaningful use our policy objective that is driving the vocabulary gap, the identification of vocabulary gaps? In other words, what is it that needs to be done that can't be done without this vocabulary gaps being filled specific to meaningful use?

There are a couple of different areas. One is that, for the implementation of the quality measures that require some of the specific vocabulary is, particularly the cost maps from ICD to SNOMED, as well as the subsets being used, we can define a set set but there is no maintenance mechanism self-employed may want to answer on that one. Also in terms of the use of the EHR with the recommended standards included specifications for Boca there is with a transition path with a conversion .2 standards in the future, we need to enable the conversion and implementation process and that is really what some of these gaps are aimed at.

I just wanted to ask a follow-up on question Period has a determination being made for the quality measures that the underlying data will be collected collects and again, I apologize if the community has already discussed this but has that determination being made as opposed to summary statistics or numerator-denominator tidings cracks because with the business objective and policy objective is has to drive the need for some of these deeper ontology is.

I could answer that but Floyd has his card up, so I will turn it back to him.

If you could put me on the list also.

[overlapping speakers]

In response, I think in order to appropriately identified elements in the numerator-denominator, the gaps in the vocabulary are problematic. And it lab ordering was one of them. And on November second, there is a meeting at NLM hosted by Glenn McDonald to address some of those issues. And the issues and the authority to be able to provide medications and class in Edison -- identify all of the RxNorm possibilities, a class is much easier to use but we need maps from the class to the individuals and then down to the actual drugs be dispensed.

So that does help a lot. And would be required. And we are trying to move our measures now from ICD at nine, the ones that are endorsed, 25210 and SNOMED and the process of doing that requires standards.

Chris shoot?

I guess in the context of vocabulary, if it is the notion of a numerator or denominator, unless you have comparable and consistent information, he will not be able to generate those types of measures on a meaningful way. And the whole premise of comparable and consistent information is inextricably bound to [indiscernible] sense unless you are dealing with similar lists of possible values it is impossible to come up with information that will ultimately become parable. Sell it seems to me that, unless it becomes clear that having well characterized Boca delays and well characterized values sets it is crucial to establishing meaningful use.


I put the cart at because because some question that I was answering earlier. I agree with Chris and I have had that discussion with him but what I am interested in is your vocabulary's of work group where you are thinking -- were you thinking of that also to manage shelly's assets, not just a versioning but a creation of them? Currently we have in the Public Health realm, we have that Sinbad Public Health Network and in research we have CADR from the National Cancer institute. We're looking at quality measures, other silo might develop because currently most of those values sets are greeted by individual developers, so is there some way to create a national way to manage those values as and keep them up-to-date and standard so that meaning is the same in all clinical use mission and Public Health?

I will take that as a statement of volunteering for the sub work group.

Got it.

So today we have our [indiscernible] database and this and that work at CDC and [indiscernible] is doing a huge amount of work in this regard. One up with love to make from minimal and connotation perspective, it's easy for a patient to download a consistent values that, ideally no charge, that one could incorporate into products so when the duties quality measures that there are controlled the capillaries. The problems are codified and the medications are understood. And if not properly call -- has a vocabulary we invented in 1998 called be I98. And [indiscernible] mapping 982 SNOMED. So although internally we used 98, whenever we submit to quality we always cross map SNOMED in an ambiguous way. It is that kind of values that and crosswalks need for intimidation.

Let's go to Carol diamond and then Chris and will close discussion topic.

I am glad he made that comment because clearly the higher you get in the stacking of Cadbury to hire implementation and costly. It is very tedious work to adopt the committees in the systems and I think theoretically it is of course. If everything was the same it could all be reported consistently, that would be Nirvana but that is not where we are starting. And I think that one thing that would be helpful to me on the committee is, when you do this work, if you could come back with an assessment of how much that additional vocabulary clarification or requirement for adoption improves the meaningful use, the particular meaningful use major or objectives. In other words a cost-benefit ratio or proposes an alternative, which is, there is one to be crosswalk that enables people to do this from where they are.


I and new to this committee and my comments are at risk of being sort of in pertinent, but I wanted to make a process observation. Even though I haven't been on the committee I have been watching what is going on carefully and I think this issue is very critical around vocabulary's and the caps thereof. There are great benefits and great risks here, and it seems to me as though there should be a connection between the implementation work group's effort, and the standards -- the Operations Group on issues like this, because I think we will discover it very significant trade-offs between, on the one hand, having complete and totally interoperable sophisticated records which can be used by relatively small number of groups extremely well, or on the other hand, lack of adoption. So I think we can get buried deep or very broad and I think they're will be a trade-off involved. Implementation of these standards, even if they are extremely well articulated by this group, will not make it cheaper or less complicated for groups to modify their practice and so on. So I understand the desire to want To Drive in on this and I think it is a critical question but I think we need to observe what are the tradeoffs in the world world on how well people are able to take action on what we are discussing here.

Ted Plumb and Paul?

These are excellent recommendations and I think carry it on a carols reference back to the meaningful use which doesn't exist yet is very helpful. You can look more broadly at the goals of health system reform for quality assistance gains and also use those to some degree as your guidance. And sell -- and this will be an interactive process and this will not be the only time that this group will have a crack at the discussion, and I think it is important to set it at precisely the way you are doing, talk about the gaps, assess the needs for killing the gaps and consider the cost and benefits for killing those gaps. That is a very methodical and I think appropriate process.

One of the questions that our country has not focused sufficiently on board defined for obvious reasons is, if we are going to have a process continuous improvement in the value of care, it is efficiency and quality. What will be the necessary information sets that are available for comparison, across regions, countries and communities, and within facilities, and how will we understand that that information is intact comparable and accessible? Because as we know, in some of the bills, there are suggestions that high-cost regions be penalized in the United States collects they get paid some of the doubtless at this high-cost regions receive less compensation.

To establish a high-cost region is going to need to have data that is comparable across regions, and that everyone Trust, otherwise it will never fly. I'm not saying policy but it will be a long-term consideration that this group and all of us will talk about which is why I began the conversation by saying that you are in the epicenter of health care reform discussion. So this will not all be decided at once, but I think these are weighted issues and deserve a group like this to think about them carefully.

Thank-you. And the last, last word, for those on the phone, I wasn't trying to be last. This came up at the last minute.

Part of the issue that Carol raises, it is by kind of nearly call impedance matching. It is it policy committee [indiscernible] as to what gets toted in the first place in the record as opposed to how we translate or send that code along. And we, on the one hand, know that you can't manage what you can't measure, and you can't measure what you have been defined, but there is a process of adoption that takes years, we used to say 17 years. We would like to see that reduced in a few years but that is as far as it goes. So I think that it is important that we do two things, one, creative vision of where we want to go based on the experience of high and providers that Carol refers to, and we come up with a way of getting there with the other providers that evolves over time rather than it is revolutionary.

Thank-you, Wes, I think those are good summary points. And I think there is some defining work going on for us from the policy committee. But it is pretty clear to me also that there is standards work that needs to occur. And I am having those wonderful, so many to choose from moments which lead me in my day-to-day job utter confusion and the and and the stuff in efficiency does not foster adoption and the condition. We appreciate all of that discussion and again, the great counsel's work economy in this port adaptability and fostering and not suppressing innovation and supporting the ultimate goal of better value health care.

I have a recommendation for a vocabulary sub work group. Let me just ask, any objections to the recommendations of the Committee or shall we proceed in that direction to accept the committee's report? Terrific, I see heads nodding and all in favor. So I need you all for that work and thank you to those of you who explicitly or inadvertently volunteered to be part of that sub group.

And a sickly now to a discussion that I think follows wonderfully from that, and a pleasure to introduce deployed Eisenberg to lead today's update on the clinical quality work group. Floyd, thank you so much to you and all the members of the work group for their efforts.

Thank you very much. The first thing I wanted to say is, our work group has not had a formal conference or meeting, but what I wanted to do is give you an update on what has happened based on the discussion at the last Standards Committee and what the worker has done. So that is what I will be talking about. It is fairly brief and depends upon the discussion afterwards how long this takes. But the first thing was based on the update to the major credit that we talked about at the last standards committee. Seventeen of the 29 measures can be retooled. There are endorsed measure is, and we have worked with a funding source so that we can work directly with the measures Stewarts who created those measures, and approximately 53 affairs in order to have measures retooled for use by EHRs and electronic systems so they can be used for its CMS purposes as well as meaningful se. The retooling basically means that the measures will no longer look for attestation of that, for example, the hemoglobin A1C is less or greater than nine. It will now look at what is the hemoglobin and provide the value, and then make sure that that is in the record. So it is not a condition saying, yes, I met the need, it is the data coming directly out of the record. It is looking for the conditions coming from a problem list, not a condition written necessarily in a discharge or claim.

So the Met will come from the Med list. So those are the general principles, and we have had agreement where sometimes the original endorsed measure and the PQI nature were slightly different because of adding in a sea PT to code that allows you to say that it is greater than nine, there is an agreement that as I said before, we will look for the original indorse value that is looking for the values. So that is what we're doing, the 17 selected measures are in that group as well as the approximately 53 others. And what we're doing is building on the work that HITSP has done retooling the inpatient majors and to see the work that has been accomplished so far in '86, there is a technical note called TN 906 out for public comment now. There are some revisions to that during the comment period that were recognized to be required, including a table of, when a major component was modified slightly to represent what is in the EHR and wide the major developer felt this was consistent with the original meaning of that component, that table is not in the note but it will be in the final product, because I think that table is what is key to say, here is what we're looking for and here is what is in the electronic record to provide that meeting, and that helps us get closer to meaningful use. So that is the process going on for retooling. We expect that the measures will be retooled by the end of March with a test deck on at least 38 sample patients to be able to run them through EHR and determine if we have the right percentage of poor performance is achieved, as well as the output of the measure itself.

So the major process workflow, which I think Jamie referred to as far as helping us, but the considerations for about workflow were updated based on the last standards committee discussion. They have been incorporated into that new version going to panels and and that HITSP Interoperability specification for quality I F six, and is included as a basis for the electronic testing in the HITSP connectathon will occur in January, and the showcase which will occur in March. So that is looking at the Hughes for Interoperability among different players in that system. So DP [indiscernible] statistics, they are continuing discussions today about that and we will see their final report, but there was agreement that there needs to be an analyzer corporation fabricator somewhere in this them whether it was done locally in and the HR or perhaps externally, and that is a service that needs to occur, and I will bring that out as a personal comment, for small practices because that is not something easily done by small practices.

Another update is that N QF is actively working on new measures to meet the needs of the policy committee requirements. And some of those areas include having an expert panel due in November concerning clinical decision support and how to extend the quality data set and information required to provide offer choices to extend measures to include a decision support and also have to measure effectiveness of decision support. And it triggers adherence and non adherence issues. Also 18 to be looking at EHR utilization efficiency, what can be obtained from utilization logs out of EHR to show that things have happened rather than asking for attestation, those were some of the measures when the first looked at them that this group killed were adding work for the condition that was not of value -- a group felt were adding work for that condition that was not of value.

We are also looking at a continuum of care using the plan of care model and how can that be extended for patient and used for continuation of care.

But tabulate issues were discussed by the operations group so I would bring those up here. But that is a summary of what has been have been had was planned based on the work that has been done.

Thank you for that summary and let me just ask their questions or comments.

Floyd, could you take a little bit of time to rehash the raw data purses the yes / no? , many of the components that we have previously discussed in terms of the vehicle used recommendations do we think, and in what period of time would we have a conversation about where we want raw data purses the other two, is that something that was an example of the A one C levels that was one of order are there 20 of those coming? What is the roadmap of raw data determinations versus the yes / no? When is that coming?

Okay, of the 17 nations at this community looked at, none of those have the attestation in that the CP two type notes. There were additional measures N QF was asked to retool, and I don't know the exact number but it would be like 10 to 15 that have that kind of issues where we would look for raw data, and we expect all of those with the original major developers to be retooled by the end of March, so we could reevaluate those in NQF, and we have a new process where it is reevaluating the meet ends, it is an electronic purse and to make sure it hasn't changed the meaning of the measure and make sure it is technically correct. It is in shorter process that are full endorsement for the new measure.

Are we getting not list?

I could provide that list to you.

And just to remind Your Committee of the tax on the of the five different kinds of data exchanges, to the point because you have a EHR that is detailed. It could export back to a data exchange and then send it to a registry. And we all probably know that the registry does have to have a lab data and medication data, it may not have patient identifiers but it does have a trail. Then there could be [indiscernible] that takes the data from the registry and then you have ultimately the receiver, CMS or others, then maybe a numerator or denominator that goes from detecting entity to the receiver, I don't know what CMS will require at that point.

Go ahead and comment.

Sorry. [laughter] but the long answer to your question is, maybe Floyd needs to look at both detail transmission and numerator-denominator transmission depending on where in this whole stream York actually sending the data.

Part of the concern is the receiving entity may want that calculated data, the percentage, how many in the numerator and denominator that has been the / an approved agency processing entity? And sometimes they may want the raw data or actual data, and the way that was drawn, either way, depending on the policy, that we wanted to enable that.

Did you want to comment?

John did.

I just wanted to give give a status on long-term posed acute care.

We have identified electronic quality measures for skilled nursing facilities and also of care, and I am updating working with Floyd and Janet on that. And I just found a possible source for hospice quality measures, so we will be able to put it in the matrix. I know we are not in meaningfully is but we will have the matrix to also have those types of quality measures that we can work on with you.


Just a point of clarification here, as we think about these alternatives ways of collecting and processing quality metrics, do you see any difference in the requirements for standards for the electronic health record or personal health record, whichever electronic source is the original repository, do you see a difference in the need for standards in terms of, depending on whether we used aggregate data for reporting purposes or raw data for reporting purposes?

Well, I think there are two answers to that question, and the first is, we do need a standard that allows aggregate and individual patient. And I understand that what we came out with in this committee was, it can't be the PQRIX and now coming out with the report or alternatively, QRDA. And that is a CDA document. So the draft standard QRDA on has an individual patient capability but would need to be extended if it was going to be used for a level three Quality report.

As far as the standards for the data, there are some gaps and some of them Jamie talked about, but there are some gaps in understanding both the level of detail, and there are also some harmonization issues that need to be addressed.

Let me rephrase that.

So if we are going to require for a meaningful use fourth possession or hospital's quality report data. If we reported that three registry or some other third-party agency and the data came through in terms of a greater percentage of some kind, that is one way of doing it. Another way Whitby two have some mega repository in the sky collect all of the original data from each patient with or without a to the fires, and then -- without identifiers, and then some wizard would come out and produce a number. But with the advantage of the health record, but there be different standards do you think for the data in the record, depending on which model was adopted?

I don't believe they're would be different standards, I think they would be the same either way.

Just to clarify this, between the wizard and the percentages is the debate we had a half hour ago, with what does the patient access from a policy standpoint mean with the extent of the raw data, on whether or not mycology is understood, if I wanted to access that, does that change any of the standards activities that we require, so that if the patient wants the raw data for the purpose of whatever, I don't know if that crosswalks the CCD. I am mindful of the conversation that we have a shuttle system with Kaiser which is different from the CCR-CCD, and that if this raw data is to move with how we do quality reporting enterprise level tweet enterprise level, how does that affect our question of the policy committee coming in with how does that patient access [indiscernible] and how does that set change what we have done? Idol Bel if you have the answer to that question, I am just curious.

I don't have a definite answer to that but my opinion is, transmitting it and using the same standards would be helpful because that means that many of the information being transferred is the same.

Something I would add to that, and the discussion here today was, patients accessing their information, but in cases where patients may be actually entering information into the PHR, or a device, and it is being transmitted, but I think is important is persisting the source of that information with the data. One of the things we address in our health IT expert panel once we can identify data tapes that we need for the reader ader at denominator, but the source of the data, recall that our data flow, the originator makes a difference in the meaning of that. So if it was patient entered blood pressure versus the device entered blood pressure, that has a slightly different meaning because there are different possibilities assuming the devices calibrated and all of that. And the fact it came from home has additional value to understand patient engagement and care and follow-up, as opposed to when it is done in the clinician office. So somehow those data attributes can be stored and kept along with the data. I know that didn't come up in the discussion as far as what data might be generated from the patient's side but I think that is important.

And just to add to that, RBAC broke all of the quality elements into the data types you need. So if you have a problem or certain medication, they might have certain birds like ordered or discontinued. So did data types you use for quality and the data types two for that PHR and the ones that go to EHR, they use all the same standards of the benders are creating one expert one time in one format that can be repurchased in many ways. That and think that is what everyone has tried to do. To your point, David, whether it is exporting to a local registry or -- the data coming from the EHR should come out in one way.

Let's take two more comments before we go to a break between the next two sessions.

This is David Macaulay. Floyd, just one question. I understand the need to standardize the data that is captured in the EMR and I think capturing raw data and driving from that makes sense. And I understand the need to specify the standard of what actually gets submitted to the adjudicating agency.

Is it your intention that the in between steps are standardized also, or was the Model that you put really just sort of reference implementation? For example, with a vendor be able to perform the role of state on behalf of their customers? With a third party be able to perform it? Or would you have to go through the actual state is that you had on your diagram?

Well, the reason for the diagram was that a third party could collect and manage the data, but if we wanted to make sure that the data elements that were captured were the ones that were sought, then and there needs to be standards for getting that data to the registry or the data applicator. It doesn't have to be necessarily a QRDA coming from the data source to the aggregate year, but it needs to use standard so that the aggregate your nose where it came from and what its use is.

But the applicator could be different in different settings and places, there is no standard model?

Well, this committee could recommend a standard, but right now, that was based on current practice.

So the idea is, you may or not, it may not have an EIGE, the registry could be part of EHR, so this was two your point, sort of reference model. There could be five functions but maybe sooner does everything other than the EHS problem.

I will take about 12.

That is above my pay grade. [laughter]

And Dixie Baker?

Bye question was just answered.

Carol diamond?

I have a question, it is easy in this discussion because we get very technical and talk about reporting standards and all that and sort out this site about the point here, and the point was to be able to get the provider to provide care. So I am curious in your flows and what you envision, if you envision a scenario where the provider doesn't actually get -- or his system doesn't actually get him back or generate the measure directly? And other words, if the data flies off somewhere and somebody generates it and reports it, and he drives some consequence six weeks later, as this community discussed and is it possible to envision a scenario where the provider themselves isn't that recipient of that information?

That is actually an excellent question and I don't know that we have discussed it that directly. My perception and the way that the drawing was created is that the data aggregate year would have a two-way street back-and-forth to the provider and that provider would see their outcomes and their performance, not at the end of the year when it goes on a public reporting site, but at some regular basis, and that needs to be determined.

If that aggregate and data collection assistance is providing debt decision support information that it meets to be near realtime in order for that to happen. I know that we didn't get into that level of discussion, but that is my presumption, is for that to work, to have to work in sync.


I think the issue that we all face from organization to organization it's not clear that the EHR can answer the quality questions. Many organizations have multiple EHRs yet they somehow need to respond as an organization and some quality measures will ultimately depend on community data rather than just data. So the important policy question and the flexibility that Floyd has laid out with the different possibilities.

I think that is a tremendously important point and hearkens back to some discussions that one might attribute to the EHR that might be derivative. What level of specification is there between entities when it is outside, for lack of eight better medical word, that wall. We look bored to in a point from the clinical quality work group on -- look forward to the work from the clinical quality work group on and what is actually occurring and how these might be utilized. And I think it's difficult not to have cognizance of the state in real time otherwise their accountability necessarily in a moment. On the other hand, this single person's belief that the data might be derivative from a variety of sources and In fact, even within one entity one might have a variety of different approaches for data, some of which is a derivative of those technologies that are on site and others that one subscribes to as the surface. And I think to your point Wes and before that it does have a great deal of implementation in terms of policy and the broader goal of supporting the objective of health improvement, meaningful use, and hitting that sweet spot between specificity that gives directionality but not over specificity that would suppress innovation. So I really looked forward to some discussions in the next section on implementation on how they might mitigate there's.

And to your points --

Announce yourself, John.

John Halamka. They have created a quality registry that we at steep -- as state entities can regulate and all of my various EHRs will submit using the standards that Floyd has articulated to equality registry. What is challenging is that I should say that those should be patient de-identified because we do not want any breach of confidentiality but then the test was ordered by this entity but was actually done by this NT and who is the accountable physician when there are sources of data that are outside of the physician control. So now do we identify or not identify the elements of the registry?

Does anybody disagree with accepting the report from the clinical quality work group? Let's proceed. Let's take our break here. It's now 11:05 a.m.. We were scheduled to have two sure breaks. I know people want to get some lunch -- two short breaks. Let's reconvene in one singular break today at 11:30 a.m. Thanks, all.

HIT Standards Committee Meeting on lunch break until 11:30 a.m. Eastern.

If we could go ahead and take our seats again, we will resume in just a moment.

Okay. Do we have Dixie?

The next part of our agenda -- this is John Halamka. The next part of our agenda will focus on the privacy and security workgroup and some of the experience that we have had with the policy, the privacy hearing meeting and we will also hear about implementation. We have already declared a set of standards that will keep a record confidential. And what Dixie and Steve are going to talk about is how we can have more can you rarity. And Carol and I was talking about break. It is always informed by privacy policy. This makes it very clear and it's funny that is called the privacy and security workgroup because privacy is a security and the technology used to help keep information confidential. So this is just clear that the policy committees have to work so closely with the standards committee to make sure that what we're doing is stating the parsimonious technical standards that are required to enforce whatever the policy may be. Here is an interesting challenge. In the absence of clear policy then created some standards that have the capability of enforcing all policy which to the implementation point of view, Oh, my god, I as the vendor have to support every possible variation and that could be a barrier to adoption. So just keep that up. The theme of the next group of far discussions is, let's see what you guys are thinking in terms of how to keep all the technology standards and also what policy privacy guidance would better make that body of work implementable for the vendor community.

Thank you. I would like to add the security is not just dictated by privacy policy. It's also dictated by policies regarding did data integrity which is critical as well as policy related to guaranteeing that information and services are available when you need it. There are really three aspects, the confidentiality, protection of integrity of data and ensuring that the data and services are available when and where they're needed. Okay. Thank you. Let's see, do I need to do something? Okay. I have a copy here. First we wanted to give you an update on the progress that we have made since the last meeting in September. I got well for starters. Almost well anyway.

Your anti-virus software is working better.

Yeah. We participated in the planning of the HIT policy committee privacy hearing that was held on September 18th. We also began planning for a health information technology standards committee security hearing to be held on November 19th. This is a security hearing and that is sponsored by this committee. So Jodi, if you would -- you just took a bite. It will be held at the 19th -- the 19th of this month and similar to the privacy hearing we will have testimony relating to security.

That is the whole meeting, is that correct?

Almost I think we will have some other agenda topics as well we wanted to bring make sure that we were bringing in testimony on hearing issues with the privacy hearing that was held by the policy committee. That is something that we're very focused on and something that they're helping us to prepare.

We are continuing to help prepare for that hearing we did a couple of updates to our certification standards that we had expected in previous meetings and I will be giving you an overview of those two minor changes that I want to make sure that you are aware of them. And then finally we really looked at the work that we have done since the work group has started and identified all of the gaps that still remain and need to be addressed until 2013. As you may recall we did not identify gaps that absolutely need to be addressed by 2011 but there are some leads that we may have on to the silicon that we are undertaking now -- 2011 that we are undertaking now. Decertification recommendations -- the certification recommended updates to wheat specified a scope as simple operation access protocol. We specified version 1.1 p a that was because the HITSP standard and IT standards accommodate legacy systems. And we learned that there has not been any implementations today that use 1.1 p and they all use 1.2 which is the recommended version. So we have changed that to specify 1.2 instead of 1.1. You will recall at the last meeting we reported that during an internal review of our recommended standards which were based on deep HITSP constructs and capabilities. We first specified Kerberos and user authentication, EUA profile, for the authentication but during the internal review we determined with that pending draft Myst standards will disallow the use of Kerberos and federal systems after 2011. So we took Kerberos and EUA out 42013 and 2015. -- for 2013 and 2015 and by leaving it in that column we had the unintended the effect of requiring Kerberos in 2011 and then requiring them to take it out in 2013. So we recommend that both Kerberos and EUA be removed from our recommendation entirely to allow the use of Kerberos in 2011 but not 13 and 15 we recommended specific certification criteria that are based on the Standard, a special publication, 800-63-1, beyond 2011. We do not want to Anchorage federal requirements on private health organizations but at the same time it is essential for there to be data exchanges VA systems between and private systems or military help systems and private systems. So the net effect of for you will see in the revised version which is posted on the HIT web site is that Kerberos is allowed in 2011 and this allowed in 2013 and 2015 and we cited this publication as implementation guidance for that system. Okay. The gaps. These are gaps that we identified. That, you know, I need to be for be. First of all, to really facilitate the exchange of information authentication of individuals as well as the authorization between enterprises, there is a need for a standard health care specific XML schema and vocabulary for representing the subject, restores, action and environmental attributes for these security assertions. Security assertions are what are used to send authorizations from Enterpris A to Enterprise B. We need subjects and actions that have been authorized as well as policies that are in place so secondly we also need similar XML schema for representing consumer consent the third thing, as John mentioned, there needs to be -- we need to be able to have some fundamental basic what I call low watermark assumptions about policy for the exchange of EHR information. It cannot just be Greenfield, anything goes. There have to be some basic assumptions to implement a national information network for there have to be certain assumptions about the protections one can assume are there with anybody who exchanges information on that -- in that community. There is a need for standard based LAN Security and privacy policies for the exchange of EHR information. Similar in sort of a foundation for those privacy and security policies that we identified as missing is a basic definition of what a HIE is speed everybody knows that they are implemented in many different ways. We need a basic definition. Here is the basic attribute that defines a HIE. And based on those attributes or assumptions these of the policy -- Security and privacy policies that we can assume. And based on those policies we can make sure that the standards that we specify can accommodate those policies. Finally there is also a need for standards were exchanges between health care Enterprises and the consumer. This is something that I think Jamie mentioned as well that is lacking. So what are we working on now? We are continuing to work with Jodi on the standards committee hearing that will be held later this month -- to be held in November. Secondly we have undertaken two efforts that are directly related to the caps that were identified. One is to identify for the policy committee where policy is needed. What kind of policy needs did they need to specify to really provide that foundation on which we can make some technological assumptions in specified standards. And then we do have ongoing communication and coordination with the policy committee on that effort. And then the other thing that we are working on is the definition of the needs and the towards a unified approach to consumer content Management and enforcement. There are a number of standards out there already on the way in terms of consumer consent. HITSP its self just published a requirements document on consumer preferences could we want to identify everything that is going on, that we can build upon and identify what gaps there may be including the whole story together and then recommend a road map for that. So that we can have effected consumer consent policy and representation of an organization. And my final slide you will see is the link to the Web portal that has the latest versions of our standard recommendations. I can tell you that someone at the meeting today mentioned that the spread sheet up there right now has five truncated cells in it and that is another correction that we will be making to make sure that every one of those cells is completely populated with the Consumer Information. Thank you for this information.

I would just add that HITSP had a two-hour briefing Mr. Day on this complex area of consumer -- yesterday on this complex area of consumer consent pick Walter was here and he led that discussion could I think good progress is being made there. I think that Jodi Daniel will give a briefing on the September 18th privacy hearing. That was incredibly useful. I think most of us were there so I look forward to that. Let us open it up to questions and comments.

A specific question for clarification, you mentioned that you are now working with the policy committee. Can you say more about what the process is for that. Also, you mentioned that you are going to provide them some guidance for where policy is needed. What is the framework for approach that is striking that guidance?

What we're doing. And I am working with Deven specifically. And although clearly privacy and security is addressed by all of their work groups, the information exchange has sort of taken the lead on that. So we're working most closely with her and in addition to that I am on the task force and I think you are on the task force as well that was put together initially to put together the policy hearing and the privacy hearing. We are continuing to work on that task force that they formed so that we can take what they learned from the privacy hearing forward. Those are the two primary ways that we are working with them. The approach that we are taking a and Devon and I discussed this and with David McCallie to identify some assumptions. Devon and her work group have concluded that really coming up with a clear definition of HIE may take more effort and may actually contribute to more confusion than if we actually states some assumptions that we use and agreed upon between the two work groups. And then we would use those assumptions. And these assumptions we really want to stay with and the technology area. So we are not -- we try very hard to avoid dictating policy but we do want to identify areas where without policy, you cannot make assumptions about the technology or the technical standards that would be applicable. That is the approach and we will come up with a list of our assumptions. Does that answer your question?

I would add that, there is good coordination between the policy committee in standards committee today between this issue, especially critical for consumers. I would save from my vantage point it's been pretty positive but it's not perfect. I think we should continue to try to improve that court nation so that we are serving the needs of ONC as best we can.

I would agree with that and say that we need to have a cross committee conversation. In other words, it's not just because right now there is an audit standard and we want to talk to the policy committee, it's because every one of these standards particularly to get to the ones that make decisions on how the data is shared and stored and transplanted are, in fact, making policies terminations. I think that health the exchange between the two committees is really critical so I would strongly recommend that.

At the same time, the requirements, the recommendations to this full committee that we still maintain the separation of domain. So our collaboration with Devon is, of course, informal and any formal recommendations that we make still need to come up to this full committee.

And the implement ability of the constructs and the most secure library in the world would be the one that never checked out its books. Although it may be secured it may not be useful. So when you look at all of the standards that we have enumerated they could be used technically to enforce any policy that would be constructed but yet for a vendor or for my own organization to implement every one of the standards would be really a challenge could it would be expensive and, in fact, it would be hard for the commission to use.

We are redoing our intranet and our security people said we will hide every single website behind eight ppm and require secure ID tokens to access it -- behind a VPN and it has lost its business value. So it's a three-way conversation of policy hoping technology and then looking at implementation and cost to come up with a happy compromise.

I think that is a good example paid what I mentioned at the beginning, security has to look at not only confidentiality hast to look at keeping patients seek and to make sure that the quality of care and the data integrity and visibility are in those areas. And the other areas is if you work in the area of security you know that complexity is the highest enemy of the facility. And as you know, John, we seek to subscribe technology standards that would be fairly easy to implement. I think that is really essential not only for these adoptions but also for security. If you have a security solution that is so complex that nobody understands it chances are that it is not secure.

I want to make one point of clarification. I don't think implementation is always just about cost. It also about the realities of using a standard that does not make determinations about the underlying applications that people are using which right now is critical in the sectors like health care. I don't want the whole implementation conversation to turn into this is difficult for this is easy. It's appropriate to set high bars and high aspirations for technology to achieve and it's important for people to compete on being able to achieve that. But the standards should not make determinations about the particular applications that are on it.

That's right.

Let's go around the table, Jamie?

Since you mentioned data integrity my question is about the integrity and traceability from the privacy and security work group. The standards that we recommended allow for a unique identification for non repudiation of origin at the document level and also allows for data integrity checking at the same levels. Is that sufficient? Is there more guidance needed? What is the key point of your work group on those issues?

The only integrity per se, standard that we have prescribed is the secure hashing algorithm and that is used for exchanges, when the exchanges and e-mail. It can also be used for data at rest. It's used for a digital, you know, a digital signature as well but not used extensively with in the Data element level. So I would say we have not really specified integrity standards at the data element level.

And just to clarify I was talking about in terms of exchange and interoperability purposes.


Secure Hash would do that, as I sent a document it was not modified. It was at send.

That is one of the things specified when you establish a secure Link, you go there on the web page has a securely. One of the variables of exchanges is to supply secure hash function.

And data integrity is something that we discussed on the call with respect to the November workgroup.

Especially with regards to attributions of the data.


This conversation reminds me, we have not talked about this in a long time. Maybe this is a question for the panel and David as well. We're doing a lot of work around the security aspect of the standards and it reminds me that the DEA is doing standards for controlled substances and we still have not been able to do that electronically. There is a second-tier level of authentication and I'm curious as we -- if we're working with them at all it so that we don't come up with the standard for them to keeping the exchange of information but the DEA will have something different in mind for their final rule on controlled substances and its security requirements from a technical standards standpoint because I know it's not something that this committee is working on but there are two different paths year that will impact the end user of a EHR type of functionality.

[ Captioners Transitioning ]

Kevin, can you do 30 seconds on what that is?

Yes, controlled substances were to survive cannot be sent electronically to the pharmacy, there must be printed and signed and handed to the patient to walk into the pharmacy, and there has been a number of Senate hearings and others on this topic where a lot has been pushed on the DEA two finalize their rules on authentication. There was initially this desire to use biometrics, and so if you were going to use the authentication tool login, he would use the authentication and IT The thinker print. And this did work out in the test vary well. -- the fingerprint. And this does not work out very much because physicians wash their hands and watch a lot of the oil off and there was powder inside of that fingerprint that caused a high degree of error as well.

So they stepped back and said, should there be a card required, if I am going to send it electronically it requires the swipe of a card. So it is getting into authentication and security requirements. And I fear that all the good work which might be doing here around this exchange of information, and might have to vary authentication saw methods on the standards for areas of this and then have a very different one for controlled substances, and this is probably an area in which David and Aneesh could help us with as well.

Well I would like to respond to that. The special publication 8631 is the authentication standard for the federal government. NITS it specifies for different levels of authentication based on strength. And it rightly, and in this committee, should do the same, you need to avoid specifying specific technologies for authentication, but rather it specifies attributes of the specifications that landed Linda its strength. Like being to avoid man in the middle attacks or replay attacks, particular types of attacks. The certification criteria that you will see in this latest change that I briefed earlier specified level to types strength of authentication, which was not -- certain passwords can be leveled two, or art, so that is the method that you use to meet that requirement but you can also use smart cards or biometrics. I don't think we want to be specifying technology to use, but rather the strengths or one or two factors for example. You want to specify the strength that is required but not a lot into a specific solution.

I might have added that this is lead over into the DOJ two avoid prosecution. There is irrefutable identification of the individual that might have originated that transaction.

Right, and that is one of our requirements.

And I can see the work we're doing is in similar fashion but I can see the work is being done in different parts.

And Napa [indiscernible] a different level of strength that we are specifying.

And we have Lisa from NITS, do you have any comments.

I haven't looked in that document and a long time. And Level two, I agree that the document does not prescribe certain mechanisms, these are the good things about increasing strength. So you are at level two, if I could remember what that was. Vision that level of strength in required at that level of consumers?

That is one of the gaps we have specified, we have a separate the address consumers but we really need to address the enterprise to consumer exchange. Level two -- IT level one is basically almost no authentication at all. It was a reasonable expectation that that is who that they claim to be and it allows for pass rates and as you well know, NITS it specifies certain attributes of the password and all the past two do with policy. But it is really the minimal level of a shared authentication.

My other question. Does 863 address identity proofing as low as authentication?

Yes it does.

Cell that is why you identity approved the person that they are that they cling to be whene'er account is set up. But it is not really something that a EHR would have implemented, so it was not specified because it is an operational issue.

At the end of the day [indiscernible] doesn't get certified so to say, 863, if you tell me if hundred 63I will look at data from a testing point of view. So [speaker/audio faint and unclear]

I want to be really clear, we are not imposing federal standards on credit institutions. To sell 863 is not the standards. As the standards is the specific certification so [indiscernible] implementation guidance. That is a good document. It has a lot of good guidance in it.

So from a certification perspective, if someone builds a [indiscernible] password mechanism composition of four, essentially a pen, I don't think that meets level two. Someone could say, I don't think that needs the spirit of level two, and that is why as a the implementation guidance but it does play in downstream in looking at the strength of mechanism.

Yes. If you look at what we prescribed, I should have made is likely that on there. But we took the attributes in the will to to avoid imposing NITS standards, but those attributes of level two and translated them into it certifications statements.


So the statements, it is protection against replay and protection against a man in the middle, and so, I think, and I would love for you to look at those and give me feedback. But I think we have what is needed there to develop test standards without specifying a government [indiscernible]. I hope.

This is David Macaulay and just to reiterate carols opening point about the need to collaborate with the standards -- the policy committee, on all of our workgroup calls, we almost inevitably within a few minutes get involved in a distinction between what is policy and what is a standard, particularly around the HIE space. I made some complaints about vagaries there and said Dixie assigned to me the job of figuring it out so I learned to keep my mouth shut. But I have learned that the HIE Policy [indiscernible] architecture neutral approach to HIE is commendable in some ways but it has the consequence that it makes it very difficult to put together a simple and very pervasive privacy model. If we have a consumer centric model will focus on that or if we have a provider regionally centric model is quite a set of issues in place. So I don't know what the solution is other than we have to do a lot more talking about convergence on an architecture or Paul apology for HIE against which the Security and privacy standards can be imposed and simplified as much as possible, because as it is now, we have this laundry list of very complex technologies like XACML and [indiscernible] and that is a lot of ambiguity to work out to build systems that people will trust.

Sell [speaker/audio faint and unclear] non repudiation -- where possible so we should be able to ping the original source and ask if the document is still current, or have I missed something, and did that ... so that you're not putting any privacy risk by doing that.

To your point about architecture, we have tried in all of our work to be architecture Mitchell and that is extraordinarily complicated because you need to forecast every possible architecture. And the answer is that we lose our architectural neutrality and we could string a number of -- connect and that will be scheduled for a future meeting and maybe back committee can say, maybe one architecture, PHR to EHR, or EHR to HIE, here is something simple and which can simplify the security measures.

Well some basic assumptions are absolutely critical here. And David will do that.

I think when you have a situation as complicated as this, you can obviously said a Standard [indiscernible] on the case by case basis. We are hoping we can get back to you with some policy recommendations and because we know the issue is pressing.

And one can anticipate all of the technologies that are going to be used to support information or support the collection and management of data in individual providers offices over time, so try to anticipate every technology and try to keep it private and secure, is a big challenge. So the solution we come up with for the immediate future will need always to be revisited, and that is why this committee is not a one year committee, but a committee that I think will endure while we are under the -- governed by the high-tech Act, and it's meaningful use requirements.

Well I would say the privacy and security policy is under meaningful use.

I just wanted to clarify that this was true in our own work, so I want to make the distinction between choosing standards that are architecture Mutual versus having policies that constrain architecture. It is a big difference. And intact, Dave Clark famously said, policy is what architecture can't do. And so [indiscernible] the objective is Tuesday, policies are necessary because there will constrain and define what the technology needs to achieve and part of that will be a constraining some architectural elements. And the standards that are selected regardless of the architecture should be architecture of neutral. Well, part of that is what are the constraints that need to be in place and that is exactly right.

A couple comments if I may. One, I just need to say that when I listen to Dixie, I know how my wife feels when she hears me talking to a colleague. Which in her case, she is bored, and in my case, I am scared. But it has to do with not having a clear understanding of what these standards are trying to accomplish and how common they are really as opposed to how much they represent an adventure into ideas of security that really haven't been widely implemented yet.

But I hope at some point, and Carol identified the interaction between the policy and security committee, that we work out what is practical then as opposed to setting goals and risking something that involves changing all of the EHRs and the physicians' offices given time to do it.

And I think Doctor Bloomenthal need to go back and study the policies of Alan Greenspan more because at the ink I understood what he said this morning, and the best I know, this is a theme of the HIE no longer being the gateway to the [indiscernible]. If I could take one thing with relative solidity out of that statement that was made, it would be the old notion that there are a lot of trust and security issues at the HIE level and then had a fairly rigorous standard for exchange among the HIE, that seems to not be in favor now. And I think that is true, some of the goals like defining what N HIE is and so forth needs to be rethought in a different view of how nationwide communication is occurring.

And for the IT November 19th testimony, I imagine getting to the point, what is the level of maturity and what has been the experience [indiscernible] extraordinarily helpful to us all.

While those specified for 2011 and that we looked at, those standards, we specified those standards that we fell had been adopted by at least 25 percent of the enterprises. And that is why most of the [indiscernible] profiles I don't think it would be widely adopted.

So I'd think that is an ongoing exercise. And sent management, in my mind it is beyond 2015 right now, but we're trying to encourage the acceleration of that process because it is really important so we can move their more quickly. But our goal always and I hope you can always help us with this is to specify standards that are achievable.

Dixie, I just wanted to say that when you establish a standard vocabulary to enable SMAL and surgeons, that frightens me. Not because it is difficult, but because it identifies a change in how you use your EHR in each office that he somehow orient your user IDs to a standard hierarchy EDS user roles, and that is a long roll out.

Well, HL7 is already working on the standards.

Okay, that is just building -- a key area how far of the standards [indiscernible] follow up on what Wes was asking about. So I am saying that you will not recommend these with Kerboros and there is an important date in the middle but obviously Kerboros is identified pretty deeply into a lot of commercial applications, Windows 2000, Apple zero s, so there is, and the Unix OS, and those are not going away soon. So at some point, data has to pastors some point where Kerboros full have to be the mechanism.

We have allowed Kerboros 32013. It is only 2009 now so that standard should be the place by then. And what you said in the beginning, what we're trying to do now, and again, I encourage feedback on this, is to make a recommendation consistent with what the government is imposing on federal health systems like MHS and the veterans' association and CMS. Because we don't want there to be a disconnect, because there is a disconnect in the strength of authentication between what the federal government and IT CMS and private industry is doing, so we are trying to specify compatible solutions between the two.

Which makes sense, because I guess my comment is that between a government system in certain attributes you use [indiscernible] [indiscernible] 2015 standard of how not to use it, where Microsoft or Apple will not listen to us to modify that direction that court.

So the certified [indiscernible] certification process.

So [indiscernible] standards not just to interface?

Whether certain specifications standards that we're acidifying especially in this committee are for acidification products and [indiscernible] gasification for meaningful use reimbursement. So those systems, whenever that subset comes out to be, clear what that subset seems to be bought back certification of standards that seem to apply. That is the intent.


I have a number of thoughts and I will try to constrain it to the top couple. One is that Wes made a point about the standard and where there will be implemented and one of the Ritz I didn't hear I think what's critical is cross institutional. There are some standards being deployed in other industries or health care, but only within single institutions, and it means a whole different world. And during times we thought that enterprise software was big, today it is medium-sized. It changes the game dramatically, because we are trying to build something larger than enterprise software. And this goes a little bit towards Chris this point. I continue to struggle with the scope, and there is a shift of [indiscernible] and where are the boundaries of what we're talking about. And Keyser is an example. I don't think we are taught math for a lot to use Kerboros or TCP IP, idea of that we have or should have much say over that. So that the server that boundary comes into play, and for example, many if not all working examples of health information exchange in the country today rely on simple VPN technology for security exchange, and it works well. So now saying that we are going to impose upon this process these, some new methodologies don't clearly bring the advantages, I haven't heard that, but it goes back to the framework, [indiscernible] very elaborate approach is that we're talking about.

Wealth, we have thought through, some of our standards do relate to within an enterprise and authentication is one of them. And the strength of an individual is critical to the exchange. And then they try to pass that authenticated identity to another partner, and that partner needs to know that that person was weekly at authenticated. And let me tell you, we did it look at, for it implement stability, we did look at between organizations. A good example of that is soap which is used extensively within enterprises but not between enterprises, so it is not specified for 2011. So we looked at both of those but we feel that any security mechanism that is within an institution that could have an impact on the security as an entity with which that individual stock exchanges information is relevant here.

I think what we're trying to do is rely on technological solutions for problems that are not solvable by technology. So to take example of trust of crossed institutional authentication, and we struggle with that every day, just because an institution has to factor authentication and a process, I have no more of a level of trust Ickes and that someone who uses a userid and password for the simple reason that we have seen too many examples of that security token taped on the terminal with a lot and for a whole host of logistic reasons. So the process is far more important than the technological solution, and I don't know that we are fixing the problem by imposing strict technological direction when it what we want, as you said, we want competence that the authentication is happening and the institution stands behind what they're doing. [indiscernible] demonstrating.

Well a lot of that security is operations and that falls into that meaningful use bucket. And all we do [indiscernible] insert that mechanisms are there. We can't legislate standards to tell them how they're going to go about proving the identity when they set up an account. And all we can do is specifies instead it's for the exchange and try to make the exchange's secured but without imposing oppositional concern it's, [speaker/audio faint and unclear] constrain how the exchange, but before you were talking about constraining and how they do it inside of their walls.

If they are authenticating on identity, and it will only be used in that organization, but within that identity, they are never going to be getting access or passing access into another ordination using that identity.

[indiscernible] capacity to exchange electronic health information with another organization, we want to make sure or do what we can to make sure that the authenticated identity is at a certain level of strength.

That is certainly not the solution.

To clarify the scope of what we said about this whole committee, what we said is, the domain of all border of the organization to the border of another organization and if we are not going too mandate a system to another, normalize the flow of data as it flows over the wire. You may use 20 different systems inside, you may have a registry IT or you may not, but as it goes to the registry outside or to its EMS, it will be formalized over the wire. And to Mark's point, the one place we looked inside the border, the aspect of what we consider business best practices around security with the notion that we should probably make some statement if you are a user of EHR with the capacity to exchange data elsewhere that there should be some aspect of the technology, not a complete solution, no question, but that says something about the data integrity and IT user identification, etc. I think this will be an interesting ongoing discussion especially for the 19th, which is, as is policy, how much is behavior and how much as technology. And David has put out his card.

Let others go first.

This is David Macaulay.

I think it may be redundant to say it but in the future think that definition of boundaries around organizations will get more blurry with social networks and cloud computing and personal health records better sharing data at intimately with the EHR system, so I think it is a hard problem. And to David's point, this will not stop with a single speck. But with respect to this stuff that we have specified, picking up with what West and Mark said, we as a separate could do a better job about targeting the specifications in our work sheets, and I would imagine that in the relative Greenfield of HIE, something like XACML makes more sense of something you could achieve than it requesting retrofit pre-existing EM hour projects. So targeting these at the use case where it makes the most sense is something we should talk about.

To that point, let's take the [speaker/audio faint and unclear] if every report and audit whether it is two the office of civil rights or to the patient or whatever you standardize the audit that those outside of your organization. So if you chose internally to use a certain product, and did not capture the appropriately in the field definitions, like who was IT and [indiscernible] and exported it to NDFRT [indiscernible] clarifying such a point.

That is the same thing we talked about this morning. Whether it is the product itself that reports quality measures but our job is to specify the standards. I think ours is little bit more complex because of the complexity of the policies.


I just wanted to respond to a comment made earlier that said that is not until 2014. That is a heartbeat away.

It takes a year for people to believe that people are really serious about it. It takes about three years to roll out a revision of the product into the field. And anytime we set up any different expectation company in the and we to know we will not shut down health care so it doesn't happen.

Kevin, did you have another question?

I am not looking for public comments about what it can do, [indiscernible] via Oh and see.

[indiscernible] in forces upon private industry and upon decisions and how we could have to be implemented. It will require vendors to implement that level of security and this has been going on for years. And my understanding is, and Senator White house has championed the this and Coburn and others that are adamant that the DEA will in fact published its will before the end of this year, and they have been working on it for a number of years and my understanding is, it is coming out this quarter, although I don't know when it will be effective.

[indiscernible] don't lose sight of that because it does come out and vendor start pursuing a path, in which authentication tokens [indiscernible] zero and see if the DEA establishes that.

Cell, just as far as calling some of your fears, all and see is working and HHS is working closely with the a on the regulations. So they obviously get to say what it is they want to put in their roles but we are working closely with them, so we are aware of their progress and are working with them to try to come up with rules that are workable in health care industry and obviously we are also aware of the recommendations coming with this committee.

Judy said what I was going to say.

On the issue of what we can effect, literally, the authority that we are all exercising is conferred in the pursuit of meaningful use. And CMS has the opportunity to decide what meaningful use is. And this group is advising the national coordinator and secretary on what certification of standards should be or should enable in the record to be certified. So the electronic health record, which is the object of certification, cell with what the electronic health record cannot do to the extent that we have meaningful use that affect privacy and security, the will to some degree be directed to the electronic record rather than at the institution per say. So I think that is something that we need to -- we also got a recommendation from the policy committee that we tried to create flexibility where possible, and pay close attention to privacy and security standards and also Interoperability standards. So those are two areas where, if we are are on to constrain technology, those with BP areas where he will be messed.

[indiscernible] privacy and security side. Obviously the solution is probably the solution that gets us to meaningful use. And that requires a solution that is in commendable and enhances trust.

And I think everyone can understand that is not going to be a solution that is dictated by technology so much as by level of privacy and security that we and the public believes is sufficient for us to move forward. I don't think there'll be a single permanent solution, there will be and the evolving set of solutions that will meet the public's need in this particular area, and will have to be constantly attentive to what that perception is over time.

And Castro?

I just wanted to say, thank you for bringing us back to Interoperability and a meaningful use. It is not about the vendors and what they are one to have to go through to get through, after as a time. And we are on Iran to go somewhere. But in order to have trust by the consumer, the source of the information is the patient, and if we are going to study access is, I can turn off whether Dr. 1 gets to see a doctor to, I can do that more IT I don't trust. So that will reduce my costs [indiscernible] turned it off because the source data-if people don't trust it, they will not use it and it will not get out of this what we're spending so much time and energy doing.

Well said.

This has been a rich discussion and while we are on the subject of privacy, does your schedule allows Jody to go first?

I have crossed three meetings and arrow and I am getting pummeled.

Well let us go with your presentation and then we will follow up with today's presentation.

Although I am keen to hear that discussion about the [indiscernible].

Thank you for that option.

David, I don't know how you feel about the level of conversation that I think it has been very robust. I will attempt to frame this work briefly so that we can engage in dialogue. As you all recall at the last committee, and I believe the minutes are in more handout. We as a group decided that it would make sense to engage with the broader public on adoption experience, that will help us accelerate the adoption of standards that we are proposing. And the work of want to share with you is to discuss the output of the working groups, a charge mission mission were however you want to define it, and then a pass forward so that we can do this in no way to borrow the right process to get this information as input to our work and eventually into the [indiscernible] and our process these. If you take a minute to revisit the mission statement of the chart that the group had outlined -- do I have that clicker? Where is the technology guy. Okay. These were the members of our community who volunteered to be a part of this effort. We have had to conference calls to clarify the mission and the charge and the work plan. And I want to thank -- where is the patient's role, having an mechanism to hear that more broadly I think has been validated as the broad charge.

The outcome if the will of the community has been really about accelerating the adoption of these proposed standards, or to identify any barriers we can mitigated possible. And IT to take that one level deeper, we basically identify these three were for were streams that would help us meet this charge.

And the focus of this work streams would the two understand how to bench mark the adoption rates across IT de Purse range of settings. Second, that would have a more thoughtful, formal, however you want to discredit process for soliciting public output on what stakeholders would need from us in order to lower the barriers and the adoption of the standards.

Third is to ensure that we are inviting the degree two which these proposed standards are achieving the policies objectives. I think this thing we have heard all committee hearings long about the nexus between the policy committee charged, the standards committee charged,.

And last but not least, processed and Republicans put that to the best development of tools or other materials that would minimize or the or the adoption costs.

The mechanism -- and I want to summarize the group's work now in terms of an action plan and then revisit all of these pieces as a group. The mechanism we recommended to operationalize these charges is essentially twofold.

We would like to engage a public hearing in two weeks' time. That would be October 20 ninth. If I am not mistaken, ideally in the form that is open in public, maybe this building or wherever we can get the scheduling. And to assist in how or what manner that hearing is structured, I am thankful that Judy Murphy from Aurora had volunteered to sort of be the captain if you will of making sure that we have got the right set of Voices at the table for that public hearing and that would help us answer the questions that are outlining.

Second, I thought in simultaneous nature, and embracing my job for the president that is committing to a principle of open government for the president, that we would in parallel for the physical meeting lunch what would effectively be a two Week Online Boren or what we would refer to as structured dialogue. And crisscross has volunteered to serve as the captain of our structured dialogue effort. With the idea that it would begin with a committee hearing and would continue through a series of posts that would ask questions of the American people, stakeholders and others, for structured dialogue and input into these areas.

Now the work that would support Judy and Chris Kendra feedback, and for someone to make sure we engage on the right thing and had these two individuals be the source of our feedback. Lastly, we have to have in the worker to try to help the communication of all of this, [indiscernible] that is the work we have had of Alaska couple of weeks and introducing the last full committee, I will welcome cards and placards etc. for dialogue if this meant the mark for the charge for us one month ago.

I think you have dazzled them.

So a series of blogs created by.

An on-line forum succeeded with summary information and seeking feedback [indiscernible] multi stakeholder feedback. And we talked about it in the past, with towns is making [indiscernible] don't hear back from the income interest.

Does anyone have questions on the phone? Anyone reacting to that methodology?

I wanted to step back for the second and understand the results of the efforts you are proposing here. As I listened today, I couldn't speak up earlier but as I listened to the security conversations and PHR conversations and the general standard conversations, it seems to me that this is very important work from IT tars prospective in terms of what I would call connecting all of the docks so that as you are thinking about setting York benchmarks for adoption rates, it will be very important that you think about Paul all of these standards that are being proposed at anyone point in time and what the effect of that collective said would be, make investments and how you adjust your resources and what you mean by that and means to this organization, that is precisely that kind of feedback we want to here. And I think from the richness of this conversation this afternoon and this morning, you can sense that there are a lot of nuances and twists and turns. I had not thought about the authentication question driving all the way down to locking down in my PC when I show up in the morning. And [indiscernible]. Respond in a way that is productive and ditto for Julie's work to make sure that [indiscernible] had that same plant, so that specific input, Martin, if this idea makes sense to you as a question to the rest of the group, your ability to share your thoughts in a short e-mail to Crista or 2D on how best to praise the questions that would help you respond as a practitioner, I think you would be welcome, not to put words in their mouth.

I would just say that generally, I think this is an incredibly important effort. And it will really help us get the alignment correct, and I think if we can do that, it will then optimize the whole adoption rate and the effective use of the technology for most organizations across the country. So I just wanted to support this kind of effort, and I am more than willing to sort of freeze some questions and even join in this workgroup if possible.

Well you are more than welcome.

As we formulate the panel and who comes in to talk with us, because I will work with Judy on that, is the intent to include those who are putting a plan in place to meet the standards with those who are not at the same place as Martin is for example. Not to criticize the examples but instead talk about the challenges they are facing in a very effective way.

Ultimately, we want to help people. I will not subscribe to Chrises Debbie donor report that less than half will be there.

[indiscernible] I here people saying, of IT love this, I think we have some smart people around the table who would want to provide tax and we can all laugh at Wes when it is there.

I just wanted to come back to that DEA issue. [laughter] or maybe not. I am actually among the same lines that [indiscernible] was talking about and this brings it all together is special with the interactions with the public. And I think without using an overused term of case studies or something, it would be interesting to see because many of these standards are not newly created. We are assembling them, and so many of these are already implemented in places, and it seems to me that if we could find those places, in which whether it is to hold sac or subsets and those places, I can see it in those broad charges, I was having trouble connecting those, but to me that would really help us, are we on track or are we missing it. You're kind of the bridge to -- the work group is kind of the bridge to a lot of those things that we as a collective organization are doing.

I agree.


If I could share my enthusiasm, I always subscribe that we want as much public input as possible for this process. It strikes me that there is an opportunity, and one is beyond the interface issues which I think really were the theme of today's discussions. I think there is great opportunity there but there are two other pieces. When it is a set of questions around what people's expectations are and what they want to achieve, and frankly, what they want to avoid. That Kevin made, many of these standards are not novel. And I think one of the boxes in health care, that those people [indiscernible] I always look two health care. And these are in fact not novel standards. But they may be a novel in their application of health care, and I really hope that, during this process, and and extended dialogue beyond, with outside of health care and apply applications that may help to open up opportunities in a timely fashion, and perhaps we may be overlooking or overly complicated when our frame of reference is complicated.

Judy, take that as the jackass to how we think about panels, perhaps there could be a set of forces that have experienced these standard issues outside of health care.


Just to prove to market that I was listening to him, and a lot of the issues around adoption have to do with operational issues, he is absolutely right. It has to do with the knowledge gap and staff training, work flow, changing your workflow, really, the adoption of standards is directly dependent on things that have nothing to do with those standards. And there are lots in trade journals written about this all the time, but it is important that these things come out there, but it has to do with housing organization can't really adapt to the technology and a new way of doing business.

This is how we celebrate David Blumenthal 's role because how do we build a health-care system that achieves these broader rules of increasing quality and reducing costs and increasing customer satisfaction, it is policy and out comes driven and we have to make sure that we enable all of that in as friction less and [indiscernible] manner as possible. Not to put words in your mouth, doctor.

You can do my talking points any time.


But I was talking about how we do it without driving people crazy. You have to reduce that level of friction operationally or it won't happen. So how are you quantities that kind of information out in your public hearing and in your online form?

That have that conversation as best we can. Right presumption is that there will be a great deal of incentives and brought the back around the standards antithetical question that the purpose of which the adoption and use of them will achieve an outcome. We will likely your feedback on whether people like or to not like that outcome. This is useful to synthesize that and share that with the broader experience. I guess is that the policy committee might benefit from reading some of the outcome of this it useful. I don't know how to flow all of that out but I am fairly confident that that will be intermingled with the specific technical specs. It will be into the question of how and why we can accelerate the adoption. It will be, [indiscernible] president [indiscernible] a lot of incentives to encourage me to exchange outpatient remote monitoring data or what have you, and so we may hear about that, in some of these forums, and I know if we want to limit that or not, and I think we need to think that through.

This is Debbie downer. [laughter] I would like to say Christoph I am working very hard to come and sit in the center of the group with a debt cap on. But my concern is not so much about the technology, as long as we don't let yourselves run away with it. It is about the ability to adapt rapidly to the kind of things we are talking about. So we saw it there would be smaller practices it would be a different concern. And everything else I had to say was inconsequential.

So Kevin, tell me.

Wes was actually just touching on what I wanted to talk about and I know we have talked about the issue of small or medium-size practices. And I think that Ann's comments were very influential in what I've is about to say, because it does go back two meaningful use and it does take on different flavors. And I think that we as an organization in this particular committee, we should look at this in sexualizing how it has been in committed because there are multiple approaches and how it has been done. There are health systems that have built their on functionality to be able to reach meaningful use, and there are solutions in certain environments, and in some components of EHR, it might be too big or too heavy to get into those practices.


We keep using the phrase in this committee about the EHR and really what we're saying is, the functionality and what creates the electronic health record, not the piece of software that makes it the EHR. And we just have to keep reminding ourselves, and I think this group could help remind us of, there are multiple ways in which this criteria can be met, and maybe we should try to reach out in his public forums to try to find where these multiple ways in which it is attempting to be implemented are good examples of how to go about this.

Well said. I think the real value added is to understand in the discussion of the adoption of standards how might one essentially enable the adoption of these. And if we have feedback of the discussion of [indiscernible] available in a bad service, then that would make it easier for me to do Y. That kind of feedback, I don't know if it presents business models or any of that, but the notion that it would be great to adopt if we had X from the National Library of Medicine, I don't know, that would be useful to your in the eventual adoption of an use of these things.

With small to medium providers, I think going into a security forum, and a response time will be a challenge for them because I don't think they have grasped get the significance of going from paper to electronic, and there is a primer of sorts that we need to maybe put ahead of this IT to help them understand that while we have had HIPAA for a number of years, meeting HIPAA requirements in a paper environment is significantly different than meeting HIPAA requirements in an electronic environment, and if they are the ones least likely to grasp of the operational issues that the security requirements of line with. For instance, backups, and emergency capability. Maybe just give them an idea of the world's electronic versus the world in paper, and that is an important thing.

And I want to mention that one of the other things I have struggled with consistently from the beginning is the one dimensional list of our response, and that there are constituents out there that vary. The type of information vary is, is if a person viewing information or a data exchange? Different security focus. Is it a patient looking at the EHR or is it IT DR? Different security focus. And I would love to see the recognition of constituents so that when we have a forum, people can align with where they fit into IT instead of struggle with the big harbored centers. If you are a patient there, you already have it all, you are in heaven, you are the vision. But if you travel two South Carolina and had some medical catastrophe, it will never make it back to Harvard in terms of the context of an EHR. So I think there are different ways to break down the topics.

This is Johnna from heaven, n, and David, also from heaven, I've left my Harvard passport actually.

I had a couple things that one. Mundane but important for the record, especially for those out there listening in to the webcast of this. There will be to opportunities or three opportunities for people to weigh in on October 20 ninth. And certainly Aneesh indicated, participate in an on-line dialogue. And third, and [indiscernible] federal government, they can submit comments for the record. [indiscernible] accepting comments. So we have that old way and the new way coexisting here.

The other thing I need to do, and this is probably apparent to everyone, but I just thought of it so I thought I would share it with you, we have to make sure that we don't confound adoption of standards with adoption of electronic technologies.

You can have the enormously complex standards that are not any pediment to adoption, they might just be a big challenge to the dentist to get to the point to make them easy to use, but that doesn't mean we shouldn't challenge them. I have no idea what standards are operating in the front end of my car. I just wanted to start and not to have to pay through my nose when it doesn't. And that is high tech which car two buy to some degree. And so sometimes that is made to very narrow specifications.

And as I said, this is not the adoption of Technology.

Certainly some rich input to all of the folks in the committee and do we have any [indiscernible] since we have so much time between now and October 29 to cover any one at once to provide feedback can be looking for it and ought not anybody on the call, and please e-mail us in terms of up back folks to wait and, [indiscernible] next week Monday at the absolute lead is because we have to invite these folks and get them here.

[indiscernible] Online forum as Wolpe [indiscernible] put out some our partners on how to give input, I have been taking a lot of input here but would also lead to get input on how to structure the two [indiscernible] and structure is important and what to do that with the next couple of working days. So hopefully Judy can't put appropriateness available so that folks can communicate with us.

So do you have a plan and support of the Committee? Go forward.

Yes, we as a team.

That is terrific because this really, it's a transition of our work from our initial articulation from standards [indiscernible] [indiscernible] look forward to the results of that process.

Going back to our theme of privacy and security, we have an update on the privacy and security hearing that was recently held and appreciate Jodie Daniel on the office of coordinator been here to to provide an update.

I know we are behind schedule so I will try to be brief. As a couple of folks have already mentioned, the privacy committee -- the policy committee held a purchasee hearing on September 18th. And they have decided to organize a small task force and we have members from the [indiscernible] standards committee specifically Dixie and Steve, they were available and were working with the policy committee folks to help identify the topics, the presenters and the questions to ask, etc.

[indiscernible] so we have a lot of brain trust to pull this together, and that group is still continuing to talk as the fallout of that committee or that hearing.

But we try to do was bring together experts with difference decoder viewpoints, so we tried to come up with something that would make counterpoise on each topic area [indiscernible] every of viewpoints on that topic. So we also try to get testifies that would bring in some case studies and real-world examples of how some of these issues of how that would be implementing certain scenarios.

So as some other folks have said, a very robust discussion and very interesting issues that were raised from the input on the committee as well and the real goals were to try to gain insight from industry and consumer experts, and an opportunity to get issues on the table and start thinking through the whole variety of privacy and security issues to exist [indiscernible]. [indiscernible] privacy committee should figure out what its next step should be and will it work with this committee or the [indiscernible] or the others to try to start taking out these issues. And this task force was put together and where sort of the priest and [indiscernible] [indiscernible] what it is to proceed on and how to address those issues.

The day started out with a summary at the ARRA session to give some of level setting of what was new and privacy and security. I will not go into great detail on this topic, but just highlight a couple of the changes in the privacy and security landscape. But the result of the new HIPAA provision, it required to debility of specific provisions to business associates and some direct accountability of the business associates for complain privacy and security provisions, creating a new preached verification requirement for covered entities and business associates as well as personal health records which would be enforced by the Federal Trade commission. Create new accounting for treatment and payment of health care operations as opposed to the more limited accounting and disclosure that occurs today, and that is a topic we have talked a little bit about in this committee because of the need for standards in that area assessed by the statute. The requirement that patients have the right to electronic copies of their records, and then some changes to the enforcement provisions in the area of civil penalties, the area of who can enforce, now the state attorneys general can enforce the federal laws, and require compliance reviews by HHS and a host of other requirements.

ARRA house or a identify privacy and security projects particularly for the privacy committee to focus on an active list all of them but just to refresh folks memory, the talk about this at the very beginning of our group's formation, but some of them were technologies for segmentation of data, technology for disclosure of treatment and panic health care operations and technology for rendering individually and identifiable health information, and usable, unreadable or indecipherable to unauthorized individuals. Justin flavor of some of the changes and public areas that ARRA had put forward that we discussed at the beginning of that date.

I will go through each of the four panels will have a very briefly and highlight who was testifying and some of the things that came out.

As I said, the goal was sort of a listing session and to get issues on the table for party setting. There were no specific recommendations that came out of that meeting except for this task force to come back with a plan.

So some of the names, the first topic was patient choice control and segmentation of health information. And we had what I would say was probably the most interesting discussion from the standpoint of a very diverse viewpoint on this topic, and some telling arguments on a variety of different perspectives here.

There was a consistent theme that consumers want privacy and accessibility by them and their care givers, and the issues we're really about how to make have happened and how to actually best protect the privacy.

One of the biggest issues and debates that came out of that panel was the issue of Consumer controlled versus the comprehensive Capri work with the consent is considered appropriate but not as the sole means for protecting the privacy of information and there was a lot of debate on the topic, [indiscernible] some other themes that came up out of panel, and there was some discussion about architect privacy and security into the software and that these had to be worked together hand in hand and there was also some discussion about, there was a typo there. [indiscernible] [indiscernible] information for a particular [indiscernible] so there was a lot of discussion about that being a positive thing that the challenge is how is that feasible and can one do that and at what the police IT granular Erie.

The second panel was about use disclosure, secondary disclosure and secondary [indiscernible].

Some of the themes here were focusing on sensitive data and have bickering out how best to [indiscernible] bills for treatment purposes as well as for other purposes. We had some folks testifying on -- who were working primarily with sensitive data. And other themes, there was some concern that access two information would only be limited to what was necessary [indiscernible] there was a less is more a philosophy, and that access should be appropriately limited and not a wide-open access for any authorized user.

There was some discussion about protections following the data that is in fact, you have providers that are used to dealing with very sensitive information, the concern about when that information is appropriately released, and how it is reduced to -- when it is shared with somebody else as necessary to treat a patient.

There was discussion about enforcement really the key, and looking at information and protest privacy 100 percent, we had that conversation, but trying to figure out how to put the protection in place and being very firm on enforcement any privacy violations as a way to address the out Iris as opposed to trying to prevent 100% of privacy violations.

And then, we had someone from the Department of Health and there was discussion about how health information exchange rates is great opportunities for public health and we should be falling existing frameworks for protection with respect two information being shared for Public Health purposes including state and local intermission and any federal provisions to protect information are consistent with existing protections and frameworks that have been used in the Public Health will, is there a sense that those will work well.

Panel three, the product was models for data storage and Exchange, aggregate data and the identification and three identification. So a couple of things that came out of this panel, there was discussion about keeping data close to the source and be able to query for aggregate data rather than making the raw data always available is a way of the more privacy protected. There was a lot of discussion about PHR and Consumer control of information, and this was an area that the committee seems very interested in, but we only had one PHR vendor that was testifying that there was a lot of interest of the Committee of privacy protections in the PHR space and it seems like an area that might interest some more discussion by the policy committee.

The policy Should Drive the architecture, including having some flexibility for the architecture to develop, but this is a conversation consisting with what we had here today with how the policy should constrain some of the architectural options but not necessarily dictate the specific technology that is being used.

There was some discussion about consent posing challenges for secondary uses, and the access controls with audit capability was important. So this again went back two similar conversations of the first panel about the way to protect information versus having access control and audit to find out if there aren't any privacy violations on the back end. So again, the scene scene came up in the third panel. And again, this goes back to panel member to where we talked about enforcement being keyed, there was some discussion about not preventing on this use that trying to prevent the majority of misuse and having strong enforcement to make sure that any violators are held accountable for their infractions.

Finally, the last panel was focused on transparency, audit and accountability. There was a lot of discussion in this panel on the topic of the accounting for disclosure since that is something that is explicitly in the ARRA statute as and IT area for standards development as well as an area for policy development, and the conversation was about -- there was one panelist at was advocating about patients having ready access and transparency and accountability versus the other test fire who was accounting the cost and the fact that the experience to date has shown a very small numbers of patients request this information. So there was a lot of debate about what is the right policy with respect to accounting for disclosure and how best to do this in a way that provides the minimal burden to the providers and other covered entities that have to have lament the requirement. -- have to intimate the requirement.

So that was just in the shell of the discussions and where we are. For those that are interested in how this develops, we will have a report out from the task force at the next policy committee meeting and will continue to keep this committee included particularly working with Dixie and Steve as part of that privacy Task Force to help form this discussions.

Thank you very much. I think this is just an example of a terrific work you are doing and helping to create the nexus between the policy committees and the Office of the national coordinator and keeping the subcommittee's work directly informed.

Any questions among the committee members four 2D?

Carol diamond. I just have one question. Security standards committee has worked on access Control audit, the whole list. Has there been a time line established for when and how the policy committee is going too deliberate or discussed those items from a policy perspective that could defeat back into this community? And other rates, is there a coordinating timeline that might emerge?

The recommendations that this community came up with for 2011 were recommendations to ONC for input into Eric interim final rule. As far as out years and some of the thinking for standards and certification criteria for security might play out in the 2013 and 2015 timeframe, we don't have that specifically on the agenda but that is something that we could definitely still take.

I was actually asking about 2011, the audit for instance. When is the discussion going to take place on what is in the audit and what is in the fields and when do they have access and when can they informed the standard selection and finalization.

The task force is going to be coming up with their priority. It is one of the areas that came up particularly because of the ARRA book is audit, it was accounting for disclosures and it is actually a pressing need for us here in HHS, so I suspect that will be something that we will talk about at that time. I don't recall the conversation, and Dixie, if you want to jump in, about the specific audit provision as opposed to the accounting provision although they are obviously intertwined.

The audit is AETE, and that IG specification with the audit audit events and those [indiscernible] consistent with ASTM 's recommendation. But is in the a petition guidance that is provided.

Carol, are you asking, is there a point to be an opportunity to change what has been recommended already based on the input from September 18th, and possibly from November from the security triplex and other words, we have already forwarded some recommendations on the actual standards. Although ONC has not finalized anything yet so there is an opportunity for things to change.

Let me clarify something. For example, do I need to disclose, Jody, in treatment operations, I sent a disclosure to Lacross. It is that part of my audit log or disclosure of blogging? Who do I report it to, when do I report it, do I have to use internally to my ID System test that disclosure the Aetna standard --

That the take one step back. The standards that are recommended for this committee and that we are considering for our interim final standards rule are talking about the capabilities of the EHR technology, not necessarily how they are used. There is still -- and then there is the CMS regulation which is looking at meaningful use which is looking at how they are used. And making sure that they are being used in a meaningful way.

The questions you're asking get into even more of a layer of detail which is, when they do you have to collect or how often or look at raw or audit log or what information do you have to capture, and that has been discussed by the policy committee but it is something that could be addressed by have if the policy committee wants to take that on.

Did your question have to do with Audit Board accounting for disclosures?

Neither. It was a general question because each one of those serious has attendance policies.

That was going to be my point. There are two different areas and the activities debut audit can N EHR Arkin to contributory but not synonymous.

Carol, I think your point is a good one. There are standards -- questions about what you need as a user of that technology to do, which is the question that you are asking. And that is something we could bring up with the policy committee.

Okay, I want to make sure that we get to the public session approximately on time. We have three cards up, so we have Wes, [indiscernible] Macaulay and [indiscernible] Castro.

I am reacting more to a general spread today than the specifics, it's there. To that I think are applied. Policy drives architecture. Standards must be architecture neutral. We want certifiable Interoperability. And to certified systems that are certified to be interoperable would actually had to operate.

And and working with Carol for many years in other venues, the statement of standards must be architecturally neutral has always been a club for one person two hit another over the head with.


WE WANT TO EMBRACE THE OPPORTUNITY FOR INNOVATION, NOT DISRUPT NATURAL INNOVATION AND MARKET TENSIONS. BUT IT SHOULDN'T BE ANYMORE THAN IN THINKING ABOUT THE QUALITY AND HEALTHCARE, THE BLANKET STATEMENT THAT MIGHT DISRUPT QUALITY. I'M GLAD YOU PUT THAT ON THE TABLE. THAT IS ONE OF THE THINGS WE WILL HAVE TO contemplate. The problem is we don't know how to, we know when we see it, we don't know how to not see it. Maybe a modification. It is basis for future work, especially in the clinical operations group is that in general architectural neutral alty is desirable. Specific instances where there are policy imperatives when something needs to be achieved when they have to move outside of the boundary.

David Mc callly, I think I made this point last time, the right kind of architecture is the best enabler of innovation. If you have no architecture assumptions you just have chaos. I urge us to settle on the right kind and Jody with respect to your presentation here you do a terrific job of summarizing the points that were made. The only thing missing is the Controversy. Implies there was agreement from the panelist, it reads so nicely. So my question and I know there is not really an answer. How do these Controversies get resolved. I'm thinking in particular the fourth panel was a terrifically entertaining panel between two 100% opposite points of view, what happens with that testimony?

The goal of this as I mentioned was to get a lot of the issues out on the table. If you look at the topics they are very broad. We sort of played them off of our the principals that we have in our privacy and security frame work to make sure we were addressing the broad issues. That being said there were some significant Controversies that were raised. Like I said, the task force is going to come back with priority recommendations and the policy committee will make decisions about either forming new committee or tasking some issues to the existing committees to actually start working at the work group level on some of these issues. They might do it through hearings, might do it through group discussions. Each one might be handled differently. The goal is not to raise tissues to the table but the next step is to start, pick a few, obviously the policy committee can't address all of them simultaneously. But trying to prioritize them and start chipping away at them and coming up with significant recommendations in each areas that they prioritize. So that is the next step on the agenda. It's something we hope at least this is my vision. I'm speaking for myself. That it will be a process. As the committee is working through something, ONC or hhs is providing feed back on our thinking and using the policy committee as aey of getting stake holder in put and public input on some of these key issues.


What I would like to point out. Carol you looked to detail in some of the guidance. We are working real hard to give guidance that is so broad that it doesn't answer anybody's real question, so the cost of inter operability is a detailed conversation in between each point of act on this entire process. Without getting to a detailed specification that everybody can be comfortable with implementing from authentication to data transmission. So you know one of the frustrations I've had is when are we going to get the answers to those questions, the vendors I think want to know, what are you going the end up telling me. I don't think there is another committee down the road that's going to create that. I think we are going to end up like with HIPAA with broad guidelines we do a risk assessment to determine what we are comfortable W. we are going to cause every point to point technology interface to be a conversation in a little ip effort. I don't think it's going to be seamless, interoperable without more detailed level of specification. I risk saying that because we work real hard staying at a higher level.

Appreciate those comments. I think this discussion is one that really keys up some of the areas where we have to keep the collective knows to the grindstone. I want to thank Jody -- appreciate that terrific summary. It was useful as a report and in terms of highlighting the areas for additional work. The point that Ann Castro just made there is a team emerges about the level of detail. Describer to minimum specification, what is the minimum detail necessary to achieve a desired ends. We are debating where that rests. There maybe different uses of details that are appropriate in different context, that's something that emerged today. Also Wes -- driving architecture and constraint of architectural neutrality. I heard a theme particularly in the clinical quality and privacy and security discussions about adaptability, efficientsey, we want to do it in a way that is as facilitating as possible towards the goal of driving the use. David made a terrific point. The charge of our work is facilitating the adoption of standards. The charge of his office, reform agenda broadly is to accelerate the adoption of the electronic health record. Our goal is a piece within that goal or the other goal I feel helps to facilitate. I think there is no shortage of topical areas for additional work. The great discussions that we had to date in the clinical operations have spoke envery much to a provider centric orientation to information but those information, elements are obviously the basis for much of what can be communicated and should be shared with patients. And clearly there is a -- data in terms of how that is being used and a call for additional information to inform the discussion of what is being done and how. The modes of what can be construed as -- ranging from the things that are familiar to -- as was mentioned, extensions of social networking where there is a community -- how does our work support innovation in patient and consumer and community use of health information for better health outcomes. And in the implementation group, clearly, the opportunity to extend to -- from the review of standards that's been generated so far in support of basic transactional activity, constructed record, transportable information or operable information to the driving and reporting of quality to the privacy and security activities, what is the field experience and how do we get good feed back in terms of support for adoption of standards. What enhances adoptability. What helps to mitigate barriers. And greatly appreciate the leadership that Judy Murphy, Chris Ross, are providing in terms of the hearing and the structured on line dialogue respectively. Quoting the old computer adage, garbage in, garbage out, if we don't ask good questions we can't expect good answers. We help them -- frame those questions to help to inform the recommendations that we are really charged to provide back to Dr. Blumenthal . There is no shortage of work, let me just thank everyone for the work today for those who are following at more of a distance. I've never seen greater activity and more productive activity, virtually any context. Some ascribe, sort of government work hours, let me assure you conference calls, work with the staff and all involved has really spaned the clock and spanned all days of the week. That is greatly appreciated. Let me stop there and turn to Dr. David Blumenthal for closing comments of the session before we go to the public comment period.

Today is about evolution. I like to look at our trajectory rather than absolute position because I tell you every single standards related meeting that I have been in, you look at what I said and you said boy this is flawed, this is incomplete. This has GAAPs. But I tell you every meeting I come, the work products are getting better and better. Today we had a very rich discussions of the realities of the implementation of making sure we have a precise government policy necessary to have the fewest strongest number of security standards the right quality metrics reported in a way that reduces the burdennen on quality reporting and the right vocabulariries and tools to capture data in a codified way. Three or four years ago, we were talking about how do we get a fax from place to place. We stated where we are going and a great agenda for the next six months.

Just thank you all so much. We are so dependant on your skills and wisdom. And we know that we are not going to get it perfectly the first time that we are -- that someone used I can't remember who exactly, the analogy that I keep thinking that allows me to get rest is analogy of the escalator. We want to get as many providers as possible on the escalator of improved information use. And keep them from jumping. As they go up. And or rushing down the wrong way. So we will start where we are. Then we will try constantly to make it better. With your help, I think we will do as well as is humanly possible given all the constraints we face.

Many thanks to you for that for your leadership. With that, let me turn to Judy spur row to initiate any announcements and then kick off for the public session.

Anybody in the audience who wishes to make comments, keep your comments within three minutes. On the phone, you need to press star one to speak. If you want to dial in to make a comment it's 1-877-705-6006. We will begin with Mr. e gan in the room I'm encouraged by the implementation of the work group. That's great timing and what is needed to get from the theorys and discussions to how do we integrate this in to a national system. Some of you heard me dib what our organizations medical imaging, technology alliance is all about, I want to emphasize we are heavily involved in interoperability standards, not only dicom, integrating the healthcare enenterprise and hl7. I think that we can be a valuablable resource in terms of all the different goals that you set forth on this implementation work group. We help you with the assessment of the current state of implementation. Give you insight on how to lower the barriers that exist now insight in to future standards development. So I would put in a plea that I know this meeting is coming up on October 19th, and we would like to be a part of it and I think we can provide a good assets and resource for you. But the time is very short, so please let me know what the best way is to dive in and give you kind of the insight that you're looking for.

Thank you.

Next in line.

Good afternoon I'm Dan lody with the American health information management association, HE ma. Just about four comments and thank you for the discussion today. I love coming to this meeting even if I understand about half of what you are talking about because when you get in to the technical standards you are way beyond me. We were talking about access and data and individual's access to the record. We are in the fourth year of looking at the legal EHR and some of the implications associated with the electronic health record as a legal document and how it must be maintained and its integrity. I hope we can share that with you sometime the education appearance that's gone D the experience that's gone on with the discussions. It becomes an interesting issue to balance all of these pieces associated with the record beyond just the exchange of clinical data. There was a discussion on vocabulary and presented to this group before, Amy and we have been working on vocabulary and integration for sometime. We hope you will include us in the discussion. We would like to share what we are doing and perhaps we can help do more in that regard. I'm excited about the implementation hearings that are coming up and I really appreciate the comments of implementation of EHR systems as opposed to one system and the impact of work force in implementing that system and all the things that have to take pace. And appreciate the transparency in bringing this to the public, I hope we can participate. I appreciate the escalator, I've been using shutes and lat ladders and I think the escalator works much better.

I'm a consultant representing Sentra health. I have the pleasure of getting my hl720 year about three weeks ago. Signifying I'm not sure what. Not sure whether to be proud or not to be proud of that. I certainly had at the offset believed that 20 years would be sufficient for us to get or arms around this and truly have plug in play by now. I think there is lots of reasons why we don't. One of the concerns that I have is that our standards development process has been more of a proliferative effort, it's time to turn the tables and queue up projects for hit and sco. s to say how simple can you make it th. Yet sufficient. Make it simple but sufficient. How can we ai heave what we need to achieve ultimately. Beyond what this group is talking about, my expectations are void and dashed as I listen to the conversation around this room. I thought we were making progress in the direction of moving beyond the enterprise exchange space and starting to talk about end to end interoperability of electronic health records, that's what we need to achieve. As long as we are talking about point to point we are leaving the rest of that big scope out of the discussion. Sure point to point is important, but in end to end is at he's as important. Particularly when you listen and consider the issues as Dan brought up about legal dhr. The discussion that we had here about quality measures and how you ensure that you can trust the quality measures not at the point that you report them, but traceability back to their source. We also talked about the whole issue of patient consent. It makes no sense to go through the exercise to discover your patient consent only goes to the first point and pipet and can't be transmitted or used or applied beyond that point to point. It has to be end to end strategy. We have a lot to consider. I'm concerned about scope. The end to end is something that should be part of the discussion that we are having here. Without be laboring that further I'm encouraged by the hic policy commission to establish core requirements, privacy and security, increase specificity on interoperability -- interoperability of the hr records not of messages -- between systems. Let's see, to this end, we have proposed a simplycation strategy that many of you have seen, presented in the June time frame. We more recently developed or potentially promoted that to a standards conversion strategy, which I believe addresses many of the same issues. I think it does fit in to the implementation discuss that's going on here. I also want to mention that is actually a new work on proposal that will be introduced to iso215 when they meet next week in Durham North Carolina. We have had good response from many of the organizations that have looked at this and we believe that there is a good strategy we with employ going forward to achieve this. I'm hoping you will have an opportunity to look at that and offer feedback as appropriate, thanks.

Thank you very much for your comment.

Mr. Leery.

Thank you ma'am, Tom leery with the healthcare management. Two quick comments, one is that we are in year two of a security survey that maybe himful to your November 19th hearing on the issue of securitys. We completed the data collection and probably will be ready for public consumption by the middle of November. Second item is respect to organizations that have real world experience in public health, community health organization, enterprise and ambulatory settings with respect to having to raught to standards and the overall implementation of vhrs and other solutions I commend the Davey's award program, which is just announced two weeks ago, 2009 winners. Some fresh voices to the table as well as some folks that have been involved in that award since its early years in 1993. So thank you very much.

Thank you, there are no callers on the phone.

Okay. With that, then I think unless there is other pressing business that we are adjourned. Thanks to even for your hard work and participation and thanks to members of the public for your comments on inputs here today and on line.